
A friend pointed out a SQL injection vulnerability on an application I work with.

This search parameter:

'; exec xp_cmdshell 'dir';  --

Returned the message:

The EXECUTE permission was denied on the object 
   'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'. 

Because the search is run from an account that only has select permissions on a few tables and stored procedures.

I was wondering: if a malicious user happened to know the login information of an admin account for the SQL server, would it be possible for them to use the credentials to get root access to the machine through the cmd shell, or to do some other naughty work?

asawyer
  • "through the cmd shell" <-- Do you mean that the 'attacker' would have access to the CLI of the machine? Or do you mean the SQL Query Interface? What SQL server? And why not just fix the injection vulnerability?! – Chris S Oct 16 '12 at 14:13
  • @ChrisS I am going to get that done, I'm just wondering if someone better at this sort of thing could exploit this to get a raise in privilege on the machine. – asawyer Oct 16 '12 at 14:26

2 Answers


It's possible an SQL Injection could change to a higher privileged user on the SQL server using exec as {credentials}. However, the original user running the query would have to have IMPERSONATE permissions for the user they're trying to switch up to. This is not a default configuration; you would have to add it (and it would be rather odd to add this as well).

Chris S
  • `'; execute as login = 'adminlogin'; exec xp_cmdshell 'dir'; revert; --` is returning a permission error so I suppose things could be worse. – asawyer Oct 16 '12 at 15:30
  • This could still be used to query any information in the database... So I wouldn't underestimate the importance of fixing the injection vulnerability. But at least nobody is going to pwN your machine this way. – Chris S Oct 16 '12 at 15:53
  • I had also identified a possible man in the middle vector that could expose admin credentials this morning, which is what prompted the question. It's been a bad morning so far. – asawyer Oct 16 '12 at 16:01
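The answer above hinges on whether any IMPERSONATE grants exist and whether xp_cmdshell is enabled at all. The following T-SQL audit script is an added example (not part of the original answer or comments); it assumes you run it as a sysadmin on the SQL Server instance in question, and the second query is run once per database.

```sql
-- Added audit example: list every principal that could switch identity with
-- EXECUTE AS, i.e. the IMPERSONATE grants that must exist for the escalation
-- discussed above to work, then check whether xp_cmdshell is enabled at all.

-- 1. Server level: who may run EXECUTE AS LOGIN = <some other login>?
--    class_desc 'SERVER_PRINCIPAL' means major_id is the impersonated login.
SELECT  grantee.name    AS grantee_login,
        target.name     AS impersonated_login,
        perm.state_desc AS grant_state
FROM    sys.server_permissions AS perm
JOIN    sys.server_principals  AS grantee ON grantee.principal_id = perm.grantee_principal_id
JOIN    sys.server_principals  AS target  ON target.principal_id  = perm.major_id
WHERE   perm.class_desc      = 'SERVER_PRINCIPAL'
  AND   perm.permission_name = 'IMPERSONATE';

-- 2. Database level (run inside each database): who may run
--    EXECUTE AS USER = <some other user>?
SELECT  DB_NAME()       AS database_name,
        grantee.name    AS grantee_user,
        target.name     AS impersonated_user,
        perm.state_desc AS grant_state
FROM    sys.database_permissions AS perm
JOIN    sys.database_principals  AS grantee ON grantee.principal_id = perm.grantee_principal_id
JOIN    sys.database_principals  AS target  ON target.principal_id  = perm.major_id
WHERE   perm.class_desc      = 'DATABASE_PRINCIPAL'
  AND   perm.permission_name = 'IMPERSONATE';

-- 3. Is xp_cmdshell enabled instance-wide? value_in_use = 0 means the
--    procedure is disabled for everyone, whatever permissions the caller has.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name = 'xp_cmdshell';
```

Empty result sets from the first two queries confirm the answer's point that no low-privileged login can climb via EXECUTE AS; a non-zero value_in_use in the third is worth turning off unless something genuinely needs it.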

It really doesn't matter if it is possible or not, you have a legit problem here that you should be looking to solve. This command should not have even been posted back to the server.

Brent Pabst