6 comments on “A look at some MS-SQL attacks (overview)

  1. I understand the Brute Force method…i.e. iterating over username/passwords until they get lucky…but I fail to see how the SQL Command attack works. If they can’t login how can they execute any SQL Commands?

    • Hi Dan,

      This particular attack is relying on being able to guess the root user’s password. How to protect yourself from the cna12.dll MySQL attacks lists the four conditions that need to be met for this particular attack to work.

      Speaking about security attacks in general, a number of attacks work by exploiting a vulnerability in a particular application/service. These vulnerabilities often allow the attacker to change the instructions that the victim computer is running, usually resulting in the victim application/service running instructions that are provided by the attacker. You will often see these vulnerabilities described as ‘allowing execution of arbitrary code’. The code that the attacker runs can do anything that the application/service is able to do, as it is running as the application/service. Depending on where in the application/service the vulnerability lies, it may be exploitable before/without authentication.

      Say, for example, that the MySQL service had such a vulnerability. If an attacker sent what is often described as a ‘specially crafted request’ (or packet), it could exploit the vulnerability and cause the MySQL server to run instructions/code that the attacker wants it to run. These instructions aren’t MySQL/SQL commands, but are assembly language/machine code instructions.

      Such assembly language/machine code instructions have access to the same Windows (operating system) functions that the MySQL server has access to, and as such the exploit can create files, delete files, download and run more malicious software, change registry settings (to automatically start any downloaded malicious software, for instance), and the list goes on.


  2. Pingback: Azure Virtual Machines and SQL Server—Mind Your Endpoints | The SQL Herald

  3. Great write-up! Had a production SQL server show failed logins in event viewer today. after searching the most used login ID’s I came across this post. SA, KISADMIN, DJAPPLE, VICE, CHRED1433, all from an originating ip in china. Glad you setup the honeypot because I was REALLY curios to see what sorts of things would happen if the credentials were guessed. 😉

  4. Pingback: New(ish) Mirai Spreader Poses New Risks - Securelist

Leave a Reply