Connecting to Other Servers with Sybase
The legitimate method using sp_addserver is probably the easiest to use. To set up a connection to a remote Sybase ASE server with a specified username and password, execute the following:
sp_addserver 'TEST', null, '192.168.1.12:5000'
The server TEST has now been set up with the physical address being the IPv4 address 192.168.1.12, TCP port 5000.
You can then specify credentials for the remote server, specifying which local account maps to which credential set on the remote host:
sp_addexternlogin 'TEST', 'sa', 'sa', 'password'
Assuming you are logged in as sa to the local Sybase server, you can now test the connection to the remote host. If you have a direct connection to the local server, you can simply execute the statement
connect to TEST
to enter pass-through mode, which forwards all queries to TEST. You should be able to select @@version to determine the version of the remote host. To exit pass-through mode, type disconnect.
If you do not have a reliable direct connection to the local server (for example, you are working via SQL injection) you can make use of the sp_remotesql stored procedure to execute SQL on the newly added server:
sp_remotesql 'TEST', 'select 123'
You can use this syntax to create procedures and tables on the remote server.
In SQL injection terms, the web request to make a call to sp_remotesql would look like this:
http://sybase.example.com/servlet/BookQuery?search=')+exec+sp_remotesql+'TEST',' create+table+doodah(a+int)'-- ...
Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
