April 27, 2009 at 7:40 am
I see a script:
exec(decrypt(0x6C89....))
it run OK. run in Ms Sql server 2000 / 2005
i want you: the decrypt is ? , what is in that DLL?
April 27, 2009 at 7:51 am
There is no decrypt function in SQL Server 2005.
If you have this function, someone has added to your server. We have no way of determining what is in the DLL.
http://msdn.microsoft.com/en-us/library/ms189826(SQL.90).aspx
April 27, 2009 at 8:05 am
No! it in standard Ms Sql Server, I test it in some PC, it run OK!
That is a example:
--HIDE PROCEDURE PC_GET_NEXT_KEY
exec(decrypt(0x6C89D9ED5855DC612DE79ACF1375757E59F829474465741AE290B37283AE8A3B4079CF902499C8C01E87AA18EA1BD875F37F51E8A8769E5921320BEC7993E8376E87DE01CF
8B10B0CC46648A5ED011C474BC6C69A498B68F4FB2500D3D12BE7CB60CC7C20A0B31069EBF931B5B422CBE8D9B961011917CAF9F697503E29FDE8B15004A24CD37D6F897378A4718397410B3
E0DE5663A8ADB53506C788C1A61E29BDF7B1BF6ED04561017B936D14E84B08AF60E06570D5E7451FA24A41AE824049C14CC14C2517922F55629E08D9012EAA26FBEA95ACE7D0C19D3696FCA5B
8E2D3A9DEC5B8138A4AB24343004AF740369A5401C0B83B442BE20FCA47571B19145146803BAAB1B970469D7F78B43F3E31BB101C25C4BDEFB45661B2C7DC88799E19E1EEA37DC9123F05DF69EFD
93A8226868EB725DB120A7205E8C4B8A49D569CAC2D417DD3FD4161DD6C5BFC97FC89E73A9C421D4FEBB42696F91021F90ACE184083C89763016802016DC63D5BCF7F4F445EB2CB66615D2E72D78E2A465072731E23C73A152AE22E16D470C43C38726FBC1F81B64C443B6
85E1F3801CBDEE2289143F30291F3F630095CB8008A6C07A0FAE1D03282E5462C829F32A293E287BCBD090524303C4FC8815B2683918E4B8EA77DC0DD70A3C4BFA68A40E83436ADD07A9D9077D12DA33359E6E9618C6613667798818B04578FEFE7199337D084CBFACF99CA7
643DEE5B95D0B98F44E8BA3DC94E480FEFA5E5DE7B7DE40F43C947B76802D436C58BF02274F4E886BAE3E71532294739443C2FC8A0DA18D0049F7420E9548B794757AFB33D75A8A5C38757F2ECE5C86AD213857C7C13D90B034C340954A3D7C48637794B1CF70D3D7F40EA36A
6D292DCA76C27817166CC523130308E49AD5080A41610C7BE9D5A53BCC6CFF4F1252A50CA497B1E917DAA16662C6F2
))
go
--GRANT EXECUTE ON PC_GET_NEXT_KEY to PRIVUSER;
It run OK, anywhere PC has Ms Sql Server.
April 27, 2009 at 8:35 am
was this post just a way to infect a computer by executing code you don't know what it does?
Lowell
April 27, 2009 at 8:56 am
interesting;
i used the default trace and my own DML trace to see what it was doing.
the code you posted executes and created a stored procedure.,
the procedure gets encrypted, so you have to unencrypt it to see the text.
this is all the procedure says:
create procedure pc_get_next_key
@pkey_name varchar(30),
@pseq_num integer OUTPUT
as
begin transaction
update nextkey set key_seq_num = key_seq_num + 1 where key_name=@pkey_name
if @@error > 0 or @@rowcount 1
return
select @pseq_num=key_seq_num-1 from nextkey where key_name=@pkey_name
commit transaction
I've seen some code that was similar, where a "key table" is maintained to keep track of a field's next value instead of using an identity .
Lowell
May 2, 2009 at 8:20 am
Thank you.
It executes and created a stored procedure, proc "pc_get_next_key". but I want ask you, the DECRYPT in exec( DECRYPT (0x6C89....)) is ? It in what DLL of Ms Sql Server, it is UnDocument funtion ?
I don't see it in "SQL Server Books Online".
Van Hien
May 2, 2009 at 8:28 am
definitely a built in function, especially considering both encrypt() and decrypt() show up with syntax highlighting.
I googled a bit and I guess you are right that they are undocumented/unsupported.
Lowell
May 2, 2009 at 10:41 am
It's possible that it's undocumented, in which case, I can't point you to a reference.
I would not recommend you use this.
May 5, 2009 at 8:49 am
Thanks
Because I want to cypher script according to this way. Regret due to who do not find out it.
Thank you!
Van Hien
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply