***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/ptp-analyzing-tool-and-script-output/blob/main/README.md) >

## CompTIA PenTest+ - Course Material 2022
###### Topic: ``Analyzing Tool and Script Output``
***

Course material for the ``CompTIA PenTest+`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Analyzing Tool and Script Output](#aa) <br/><br/>
<hr width=50%;>

### [Procedures in Scripts](#E) <br/><br/>
<hr width=50%;>

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="aa"></a>
***
### Analyzing Tool and Script Output
***

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="E"></a>
***
### Procedures in Scripts
*** 

![image.png](attachment:image.png)

Stored procedures are a precompiled set of one or more SQL statements, and they're called stored procedures because they're stored on the SQL server itself hosting the database. 

This comes with the added benefit of being much more efficient in terms of retrieval time for executing and getting the results of an SQL statement, as opposed to executing an arbitrary SQL statement that hasn't been precompiled.

Since stored procedures are stored on the SQL server itself, they're executed server-side, which further adds to the efficiency in terms of their execution time and since they are executed server-side, they don't need to communicate over the network to perform their actions, so it reduces the amount of network traffic that's flooded into the network in terms of requesting and responding to the database itself.

![image.png](attachment:image.png)

A stored procedure will be configured to accept a set of input parameters and then perform some sort of operation based on those input parameters and then, once it's completed, have a set of output parameters that are returned based on the operation it's performed. 

These stored procedures can perform all the standard operations on a database like selecting, inserting, updating, deleting or dropping tables. All of these can be done with stored procedures.

![image.png](attachment:image.png)

There are many different types of stored procedures, such as system-defined stored procedures, and these are the stored procedures that are predefined on the SQL server itself. 

They are built into the system's schema itself for the database and oftentimes have a prefix starting with ``sp_``, which is important to remember when creating your own stored procedures, since the system-defined ones shouldn't conflict with your own personal ones, it's important that the ``sp_`` is reserved only for system-defined procedures and you don't use that when naming your own stored procedures. 

A few examples of some very useful system-defined stored procedures include ``sp_rename``, which is used whenever you want to rename any kind of object within a database such as a table.

Another useful one is ``sp_helptext``, which will output the details of a stored procedure and help understand how the stored procedure is actually used.

``sp_changedbowner``, which is used when you want to change which user owns a certain database object.

![image.png](attachment:image.png)

Next, we have extended stored procedures and these are designed to provide a way for stored procedures to interface with external programs outside of the database. 

A common example of an extended procedure is for logging purposes. Oftentimes you want to log the activities that are going on in your database, who's requesting what, what kind of records are being created or removed, and you want those logs stored either on a log server or somewhere outside of your database, so in order to interact with these external log systems, we might have an extended procedure that provides an interface to some external logging server and we can log those events that way and they're not stored inside the database and then you would set up the extended procedure to be triggered on a certain event, so if you wanted to specifically record ``select`` statements happening on a specific table, you could set up a trigger so that whenever that table has a ``select`` statement run against it, you run the extended procedure to log that somewhere.

![image.png](attachment:image.png)

We have user-defined stored procedures and these are custom procedures created by users in the database and they can provide a wide array of functionality depending on what the user wants

![image.png](attachment:image.png)

Finally, we have the CLR-stored procedure - CLR stands for Common Language Runtime, and it's a way of integrating your stored procedures into the ``.NET`` framework because it allows you a little bit more flexibility with your syntax to define the stored procedure with common programming languages that are compatible with .NET like C#.

![image.png](attachment:image.png)

Improperly formatted stored procedures can have vulnerabilities latent inside of them. Just like a normal SQL statement, a stored procedure can have the potential to be vulnerable to an SQL injection attack, where a user is able to input their own arbitrary data and trick your SQL server into running different commands that it wasn't intended to run. 

This can present opportunities for permission elevation or database corruption or data exfiltration, so it's important to evaluate your stored procedures and make sure to treat them with the due diligence that they require in order to avoid these vulnerabilities.

However, stored procedures do come with the added benefit that if they are properly set up to parameterize their user input and properly sanitize all their user input, then the fact that those stored procedures are used over and over again means that there is less risk of an SQL injection attack because different commands aren't being used by different people -they're all using the same standard stored procedure, so if that stored procedure is secure and resilient against SQL injection attacks, that can go a long way toward increasing the security of your database, so while it's important to recognize the potential vulnerabilities with stored procedures, it's also important to recognize the benefits that can come with well-crafted stored procedures.

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;skillsoft, "Analyzing Tool and Script Output," [skillsoft.com](https://web.archive.org/web/20220403100053/https://www.skillsoft.com/), n.d..

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END

In [1]:
from IPython.core.display import display,HTML
display(HTML("<style>.container { width:100% !important; }</style>"))

  from IPython.core.display import display,HTML


# END JUPYTER NOTEBOOK