SQL Injection Attacks and Defense - 2009

206 Chapter 4 • Exploiting SQL Injection
What happens here? Because bcp is a command-line utility, you can only call it with
xp_cmdshell (or with an equivalent method you might have created; see Chapter 6). The first
parameter that is passed to bcp is the query, which can be any T-SQL that returns a result
set. The queryout parameter is used to provide maximum flexibility, because it can handle
bulk copying of data. Then you specify the output file, which is the file where the data must
be written and which must reside where it can be accessed with an HTTP connection in
this exploit scenario. The –c switch indicates that a character data type must be used. If you
need to transfer binary data, you should use the –n switch instead.
The –T switch deserves a deeper explanation. Because bcp.exe is a command-line utility
that needs to talk with a running installation of SQL Server, it will need to provide some
form of authentication to perform its job. Usually, such authentication is performed with
a username and password using the –U and –P parameters, but during a real attack you
might not know (yet) such pieces of information. By using the –T switch, you tell bcp to
connect to SQL Server with a trusted connection using Windows integrated security.
That is, the credentials of the user executing the queries will be used.
If everything goes according to plan, the entire sql_logins table will be copied into hashes.
txt, ready to be accessed with your browser, as shown in Figure 4.17.
Figure 4.17 Extracting an Entire Database Table to the File System