ronraley asked

SQL Injection using shutdown withnowait

Hypothetically, let's say a SQL server suffers a SQL injection attack using shutdown withnowait -- and it was successful!

Would this person be able to do ANYTHING on the server (Read, Write, Delete, etc)?

In the scenario above, is it safe to say successful shutdown is the result of leaving a single SQL user that has the highest level of access (sysadmin)?

Am I on the right track for a new client?

Thank you!
Ron


DanGuzman answered

Hypothetically, let's say a SQL server suffers a SQL injection attack using shutdown withnowait -- and it was successful!

Would this attacker be able to do ANYTHING on the server (Read, Write, Delete, etc)?

In the scenario above, is it safe to say successful shutdown is the result of leaving a single SQL user that has the highest level of access (sysadmin)?

SQL Server doesn't suffer from SQL injection; applications do. One should never use a privileged account for routine application access, to mitigate risk should a security vulnerability like SQL injection exist.

Given only sysadmin (and serveradmin) role members have permissions to execute SHUTDOWN, the account in your scenario must be a privileged user. A sysadmin role member has full SQL Server permissions.
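As an added example (my own T-SQL, not Dan's), the following audits which logins could execute SHUTDOWN, through the two fixed server roles Dan names or through an explicit grant, then creates a separate least-privileged login for the web application and verifies it lacks the permission. The names app_login, app_user and AppDb are placeholders.

```sql
-- Added example, not from the thread. Placeholders: app_login, app_user, AppDb.

-- 1. Logins holding SHUTDOWN through the sysadmin or serveradmin roles.
SELECT p.name AS login_name, r.name AS server_role, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin')
ORDER BY r.name, p.name;

-- 2. Logins granted the SHUTDOWN server permission directly (outside those roles).
SELECT p.name AS login_name, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = 'SHUTDOWN';

-- 3. A dedicated application login with rights in one database only,
--    instead of the sysadmin account the web application was using.
CREATE LOGIN app_login WITH PASSWORD = '<strong-password-placeholder>',
    CHECK_POLICY = ON;
GO
USE AppDb;
GO
CREATE USER app_user FOR LOGIN app_login;
ALTER ROLE db_datareader ADD MEMBER app_user;
ALTER ROLE db_datawriter ADD MEMBER app_user;
GO

-- 4. Verify by impersonating the new login: can_shutdown is 1 only if the
--    login could execute SHUTDOWN; the application login should show 0.
EXECUTE AS LOGIN = 'app_login';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'SHUTDOWN') AS can_shutdown,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
REVERT;
```

Any application login that appears in the first two result sets should be moved to a scoped account like the one in step 3.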


ErlandSommarskog answered

I'm not sure that I understand your question. A far more common problem is that applications run under a privileged account, in the worst case sa, and the application has an SQL injection hole. This permits the attacker to run anything on the server.


ronraley answered

Much appreciated Dan and Erland for your input.

Erland, I believe that this is precisely what is happening with this particular client. They used the system admin account for online web applications without any SQL injection safeguards.

Thank you,
Ron

TomPhillips-1744 commented

It is highly likely that if someone has successfully used SQL injection to shut down your server, they have discovered they have full control over the SQL Server and have done other things, like downloading all the data in your database. This is a very common probing bot attack. It then logs to the hacker that it was successful, and they can move on to phase 2.
