Procedure Invocations and SQL Administration

The attacker can use built-in stored procedures (functions supplied by the database to perform administrative and maintenance tasks) to write or read files, or to invoke programs on the database server. For example, the xp_cmdshell stored procedure invokes shell commands on the server, such as dir, copy, move, rename, and so on. Using the same scenario from the previous section, an attacker can enter someusername as the username and a' exec master..xp_cmdshell 'del c:\winnt\system32\*.dll' as the password, which will cause the database to delete all DLLs in the specified directory. Table 26-1 lists some stored procedures and SQL commands that can be used to further elevate an attack.
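The following added example (not from the original text) contrasts string concatenation with parameter binding for the username and password quoted above. The login query shape, the users table, and the function names are assumptions, since the previous section's scenario is not reproduced here; SQLite stands in for the database and has no xp_cmdshell, so nothing is executed.

```python
import sqlite3

# Values quoted from the text above.
USERNAME = "someusername"
PASSWORD = r"a' exec master..xp_cmdshell 'del c:\winnt\system32\*.dll'"

# Assumed login query; the fixed text used by the hardened variant.
PARAM_QUERY = "SELECT id FROM users WHERE username = ? AND password = ?"

def build_concatenated(username, password):
    """Vulnerable pattern: user input is pasted into the SQL text."""
    return ("SELECT id FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def code_outside_literals(sql):
    """Return the parts of sql outside single-quoted literals,
    i.e. what the server parses as SQL code rather than data."""
    out, in_literal, i = [], False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if in_literal and sql[i + 1:i + 2] == "'":
                i += 2  # '' is an escaped quote inside a literal
                continue
            in_literal = not in_literal
        elif not in_literal:
            out.append(ch)
        i += 1
    return "".join(out)

def login_parameterized(conn, username, password):
    """Hardened pattern: fixed SQL text, input bound as parameters."""
    row = conn.execute(PARAM_QUERY, (username, password)).fetchone()
    return row is not None

def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample database
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    # Plaintext password only to mirror the scenario; constructed value.
    conn.execute("INSERT INTO users VALUES (1, 'someusername', 'correct-password')")
    concatenated = build_concatenated(USERNAME, PASSWORD)
    return (
        "xp_cmdshell" in code_outside_literals(concatenated),  # input became code
        "xp_cmdshell" in code_outside_literals(PARAM_QUERY),   # query text is fixed
        login_parameterized(conn, USERNAME, PASSWORD),         # payload is just a wrong password
        login_parameterized(conn, USERNAME, "correct-password"),
    )

if __name__ == "__main__":
    print(demo())
```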
