The following excerpt, courtesy of Wiley Publishing, is from Chapter 22 of the book "The Database Hacker's Handbook: Defending Database Servers" written by David Litchfield, Chris Anley, John Heasman and Bill Grindlay.
The OPENROWSET command can be used as a rudimentary port scanner to determine which services are running on other hosts on the SQL Server's network. The query
select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=foobar;Network=DBMSSOCN;Address=192.168.0.1,80;timeout=5', '')
will return the message "General network error. Check your network documentation," if the port is found to be open. A closed port gives "SQL Server does not exist or access denied." Whether or not the five-second timeout is expended depends on the behavior of the listening service.
It would obviously be extremely time-consuming to map an entire subnet using this method, although it is useful for pinpointing specific services. Because SQL Server will repeatedly attempt connections for the duration of the timeout period, this technique can also be used as a denial-of-service attack. The same query with an extended timeout value will make rapid connections to the service on the specified port, and could prevent legitimate users from connecting.
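The two abuses described above leave a recognizable trace in captured query text: an OPENROWSET call whose connection string names a raw TCP endpoint (Network=DBMSSOCN with an Address of host,port), either repeated across many ports from one session or carrying an unusually long timeout. The following detector is an added example and not code from the book; it assumes query records have been exported from SQL Server auditing as (session_id, sql_text) pairs, and the thresholds, the record format and the sample records are constructed for illustration (the first sample reuses the query from the excerpt).

```python
import re
from collections import defaultdict

# Matches the ad hoc form shown in the excerpt:
#   OPENROWSET('SQLOLEDB', '<connection string>', '<query>')
_OPENROWSET_RE = re.compile(
    r"OPENROWSET\s*\(\s*'(?P<provider>[^']*)'\s*,\s*'(?P<connstr>[^']*)'",
    re.IGNORECASE,
)


def parse_openrowset(sql):
    """Return the endpoint described by an ad hoc OPENROWSET call, or None.

    Only the connection-string form is handled.  The Address attribute is
    split into host and port ("192.168.0.1,80"); timeout becomes an int.
    """
    m = _OPENROWSET_RE.search(sql)
    if not m:
        return None
    attrs = {}
    for part in m.group("connstr").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
    host, _, port = attrs.get("address", "").partition(",")
    timeout = attrs.get("timeout", "")
    return {
        "provider": m.group("provider"),
        "network": attrs.get("network", ""),
        "host": host,
        "port": int(port) if port.isdigit() else None,
        "timeout": int(timeout) if timeout.isdigit() else None,
    }


def analyze(records, scan_threshold=3, dos_timeout=30):
    """Flag port probing and long-timeout connection attempts.

    records: iterable of (session_id, sql_text).  Thresholds are assumptions:
    scan_threshold distinct ports against one host from one session counts
    as probing; a timeout of dos_timeout seconds or more is flagged.
    """
    ports_by_target = defaultdict(set)   # (session, host) -> set of ports
    findings = []
    for session, sql in records:
        target = parse_openrowset(sql)
        # Only the TCP/IP network library (DBMSSOCN) reaches arbitrary ports.
        if target is None or target["network"].upper() != "DBMSSOCN":
            continue
        ports_by_target[(session, target["host"])].add(target["port"])
        if target["timeout"] is not None and target["timeout"] >= dos_timeout:
            findings.append({"kind": "long_timeout", "session": session,
                             "host": target["host"], "port": target["port"],
                             "timeout": target["timeout"]})
    for (session, host), ports in ports_by_target.items():
        if len(ports) >= scan_threshold:
            findings.append({"kind": "port_probe", "session": session,
                             "host": host,
                             "ports": tuple(sorted(p for p in ports if p is not None))})
    return findings


# Constructed sample records (session id, query text); not real audit data.
SAMPLE_RECORDS = [
    (51, "select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=foobar;Network=DBMSSOCN;Address=192.168.0.1,80;timeout=5', '')"),
    (51, "select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=foobar;Network=DBMSSOCN;Address=192.168.0.1,443;timeout=5', '')"),
    (51, "select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=foobar;Network=DBMSSOCN;Address=192.168.0.1,25;timeout=5', '')"),
    (52, "select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=foobar;Network=DBMSSOCN;Address=192.168.0.7,80;timeout=600', '')"),
    (53, "select name from sys.tables"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

On SQL Server 2005 and later the ad hoc connection-string form of OPENROWSET is additionally gated by the "Ad Hoc Distributed Queries" configuration option, which is off by default; the detector above is still useful on servers where that option has been enabled or where the trace is being reviewed after the fact.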
SQL Server supports query batching, which allows a number of semicolon-separated queries to be submitted for execution in a single request. Although this is a convenient feature that is unavailable in other database servers such as Oracle and MySQL, it does increase SQL Server's exposure to SQL injection attacks. This is because the Web application's query can be terminated with an injected semicolon followed by an additional query that will be executed subsequently.
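The difference between a query that can be turned into a batch and one that cannot comes down to whether user input is part of the statement text or travels as a separate parameter. The following is an added example, not code from the book: it builds the same lookup both ways against a hypothetical users table (ODBC-style ? placeholders, as used by drivers such as pyodbc), and includes a small statement counter that understands T-SQL string literals, bracketed identifiers and comments, so it can be used in query logging to flag a request that arrived as more than one statement when the application is only expected to issue single statements. The input "7; SELECT 1" is a constructed, benign illustration of the semicolon termination the text describes.

```python
def count_statements(sql):
    """Count top-level statements in a T-SQL batch.

    Semicolons inside single-quoted literals ('' is an escaped quote),
    bracketed identifiers, '--' line comments and '/* */' block comments
    are not separators; a trailing semicolon does not add a statement.
    """
    count, i, n = 0, 0, len(sql)
    pending = False          # non-blank text seen since the last separator?
    while i < n:
        c = sql[i]
        if c == "'":                              # string literal
            i += 1
            while i < n:
                if sql[i] == "'":
                    if i + 1 < n and sql[i + 1] == "'":
                        i += 2                    # escaped quote
                        continue
                    break
                i += 1
            pending = True
        elif c == "[":                            # bracketed identifier
            j = sql.find("]", i + 1)
            i = n if j < 0 else j
            pending = True
        elif sql.startswith("--", i):             # line comment
            j = sql.find("\n", i)
            i = n if j < 0 else j
        elif sql.startswith("/*", i):             # block comment
            j = sql.find("*/", i + 2)
            i = n if j < 0 else j + 1
        elif c == ";":
            if pending:
                count += 1
            pending = False
        elif not c.isspace():
            pending = True
        i += 1
    return count + (1 if pending else 0)


def build_query_unsafe(user_id):
    # Concatenation: whatever the caller supplies becomes batch text, so a
    # semicolon in the input ends the statement and starts another one.
    return "SELECT name FROM users WHERE id = " + str(user_id)


def build_query_safe(user_id):
    # Parameterisation: the value is sent separately from the statement
    # text, so it is only ever compared against id, never parsed as SQL.
    return ("SELECT name FROM users WHERE id = ?", (user_id,))


if __name__ == "__main__":
    supplied = "7; SELECT 1"                      # constructed input
    unsafe = build_query_unsafe(supplied)
    safe_sql, params = build_query_safe(supplied)
    print(unsafe, "->", count_statements(unsafe), "statement(s)")
    print(safe_sql, params, "->", count_statements(safe_sql), "statement(s)")
```

The counter is deliberately conservative: it reports how many statements the server would see, which is the property that matters here, rather than attempting to judge whether any of them is malicious.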