OLE Automation

The OLE automation stored procedures provide access to the Component Object Model (COM), which gives T-SQL scripts Visual Basic functionality. In the hands of a skilled attacker they are very powerful: they could be used to manipulate Microsoft Office documents, use other COM-compatible code, or send e-mails.

  • xp_dsninfo: Displays an ODBC datasource's settings.
  • xp_enumdsn: Lists all ODBC datasources on the server.
  • sp_OACreate: Used to instantiate an OLE object. Methods of the object can then be called, allowing its functionality to be exploited.
  • sp_OADestroy: Used to destroy an OLE object.
  • sp_OAGetErrorInfo: Returns error information for the most recent OLE automation stored procedure call.
  • sp_OAGetProperty: Gets the value of a property in the OLE object.
  • sp_OAMethod: Calls a method of the OLE object. Methods are routines that perform a specific function.
  • sp_OASetProperty: Sets the value of a property in the OLE object.
  • sp_OAStop: Stops the OLE automation environment, and disables T-SQL access to COM components.
  • sp_sdidebug: Used to debug T-SQL statements; could reveal confidential information.
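
To see how exposed a given server is to the procedures listed above, the following audit script can be run in the master database. It is an added example, not code from the book; it assumes SQL Server 2008 or later, where the `Ole Automation Procedures` configuration option and the `sys.configurations`, `sys.all_objects` and `sys.database_permissions` catalog views are available.

```sql
-- Added example: audit exposure of the OLE automation and related procedures.
-- Assumes SQL Server 2008 or later, run by a sysadmin in master.
USE master;

-- 1. Is OLE automation enabled? value_in_use = 1 means sp_OACreate etc. can run.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'Ole Automation Procedures';

-- 2. Which of the listed procedures exist on this build, and which
--    principals hold explicit permissions on them?
DECLARE @procs TABLE (name sysname PRIMARY KEY);
INSERT INTO @procs (name) VALUES
    (N'xp_dsninfo'), (N'xp_enumdsn'), (N'sp_OACreate'), (N'sp_OADestroy'),
    (N'sp_OAGetErrorInfo'), (N'sp_OAGetProperty'), (N'sp_OAMethod'),
    (N'sp_OASetProperty'), (N'sp_OAStop'), (N'sp_sdidebug');

SELECT p.name                AS procedure_name,
       CASE WHEN o.object_id IS NULL THEN 'absent' ELSE 'present' END AS status,
       pr.name               AS grantee,
       dp.permission_name,
       dp.state_desc         -- GRANT, DENY or GRANT_WITH_GRANT_OPTION
FROM @procs AS p
LEFT JOIN sys.all_objects AS o
       ON o.name = p.name
LEFT JOIN sys.database_permissions AS dp
       ON dp.class = 1                -- object-level permission
      AND dp.major_id = o.object_id
LEFT JOIN sys.database_principals AS pr
       ON pr.principal_id = dp.grantee_principal_id
ORDER BY p.name, pr.name;

-- 3. Remediation: switch OLE automation off once nothing legitimate needs it.
--    Left commented out so that the audit itself changes nothing.
-- EXEC sp_configure 'show advanced options', 1;
-- RECONFIGURE;
-- EXEC sp_configure 'Ole Automation Procedures', 0;
-- RECONFIGURE;
```

Rows where the grantee is `public` or a low-privileged role deserve the closest review, since members of sysadmin can execute these procedures regardless of explicit grants.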
