Execute a Command Line App from Stored Procedure
-
Hi All, I need to execute a command line executable from a stored procedure, any ideas on how I would do this? Thanks Kevin
-
It is an unwise thing to do because it is a security risk, but you can use: xp_cmdshell
Upcoming Scottish Developers events: * Glasgow: Tell us what you want to see in 2007 My: Website | Blog | Photos
-
Thanks, works great. What's the security risk?
-
A SQL injection attack may use that to run any code on your server. Read Colin's article on SQL Injection attacks.
Blog Have I http://www.frankkerrigan.com
-
Kevin Nicol wrote:
What's the security risk?
Allowing external commands to function outside of SQL Server opens some holes in a data-based application. If a poorly written front-end application is attacked, or a firewall misconfigured, it is possible for an attacker to gain access to the SQL server and then from there launch commands on the server.

The problem is exacerbated by the fact that many SQL Server installations are running in the System Account. (If I remember correctly, this was the default before Service Pack 3. After that, full SQL Server installations suggested you create a specific account for the SQL Server process to run in; however, they still kept a nice handy radio button to swap it back to the system account - many lazy DBAs install SQL Server to use the system account.)

The system account has greater authority than the Admin account on the box. For example, did you ever notice in RegEdit that there are apparently empty folders called SECURITY in various locations? If you launch RegEdit in the system account you can see what's in there. But try it with an admin account and they look empty again.

In my SQL Injection Attack presentations I use xp_cmdshell to show how an attacker can go in through a web application and rip a full directory listing off the hard disk. I could continue the presentation and actually have it stream a file that has been routed through SQL Server into the web application then over HTTP. I don't go that far because the directory listing trick is enough to get people to sit up and consider security more seriously.
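The posts above name the three things a DBA would want to check after reading them: whether xp_cmdshell is switched on, which Windows account the engine runs as, and whether the application's login could re-enable the procedure or reach it through injected SQL. The following T-SQL is an added example written for this thread, not code posted by any of the participants. It assumes SQL Server 2005 or later (where xp_cmdshell is off by default and governed by sp_configure), a sysadmin connection to run it, and, for the service-account query, SQL Server 2008 R2 SP1 or later, which introduced sys.dm_server_services. The table dbo.Customer and the procedure dbo.FindCustomer in the last step are hypothetical names used only to illustrate the parameterised pattern.

```sql
-- Added example for this thread (not the posters' code). Run as sysadmin.
-- Assumes SQL Server 2005+; step 3 needs 2008 R2 SP1+ for sys.dm_server_services.

-- 1. Is xp_cmdshell currently enabled?  value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Turn it off. 'show advanced options' must be on to reach the setting;
--    turn it back off afterwards so the advanced options stay hidden.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Which Windows account is the engine running as? Colin's point is that
--    a LocalSystem service turns any xp_cmdshell call into control of the host,
--    so the service should run under a dedicated low-privilege account.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 4. Who could switch xp_cmdshell back on? sp_configure needs sysadmin, so an
--    application login that sits in sysadmin makes step 2 pointless.
SELECT sp.name AS login_name
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin'
ORDER BY sp.name;

-- 5. Close the route injection uses. Splicing user input into a command string
--    is what lets a web form reach xp_cmdshell; sp_executesql with parameters
--    keeps the input as data. dbo.Customer / dbo.FindCustomer are placeholders.
GO
CREATE PROCEDURE dbo.FindCustomer
    @Name nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customer WHERE Name = @p;';
    -- @Name is bound as a typed parameter, never concatenated into @sql.
    EXEC sp_executesql @sql, N'@p nvarchar(100)', @p = @Name;
END;
GO
```

Step 2 is the one to keep in a post-install script; steps 1, 3 and 4 are the checks to repeat periodically, since anyone holding sysadmin can undo step 2 in two statements. Step 5 is the application-side half of the fix: with xp_cmdshell disabled and no string-built SQL, an injected value has nowhere to go.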