PeopleSoft: HACK THE Planet^W university
by Dmitry Iudin, Security Researcher at ERPScan
Security Researcher
Dmitry Yudin
@ret5et
PeopleSoft
Used by:
Universities
Government and its institutions
Large enterprises, etc.
PeopleSoft
Campus solutions
Human Capital Management
Financial Management
Supplier Relationship Management …
Attack Targets
• Personal information
• SSN
• Salary data
• Payment information
• Credit card data
• Bank account data
Bidding information
- RFP
- Prices
Attack Targets
• Espionage
• Theft of financial information
• Corporate trade secret theft
• Theft of supplier and customer lists
• Stealing HR data (employee data theft)
• Sabotage
• Denial of service
• Tampering with financial reports
Fraud
- False transactions
- Modification of master data
PeopleSoft
A Bit of Theory
PeopleSoft Pure Internet Architecture
The Web Server
Web Server
• Host PeopleSoft Servlets
• Communicates with AppServer
• Front end
PeopleSoft Application Server
DATABASE
Configuration and Deployment Options
AppServer and database on same server
PeopleSoft Pure Internet Architecture
• These 3 main components are common for all PeopleSoft applications.
• All applications mainly differ only in business logic that exists in a database.
• Pwning these components is equal to Pwning all application types.
Attack from the Internet: hardcore scenario
1. Get RCE on PeopleSoft WebServer
   Recon Application Server in internal network
2. Get RCE on Application Server
   On AppSvr side decrypt low level DB credentials.
3. Gain low level access to a database.
   Get and decrypt high-level DB credentials from the db.
   AccessID - «this account is the key to the kingdom»
4. Profit
Find PeopleSoft CS systems in WWW
Or other PeopleSoft Systems ...
Default PeopleSoft Servlets on WebServer
• PORTAL.war - PeopleSoft Interaction Hub
• PSEMHUB.war - Environment Management Framework
• PSIGW.war - Integration gateway
• PSINTERLINKS.war - Business Interlinks
• PSPC.war - PeopleSoft PortletContainer Servlet.
Most Critical Known Bugs
• CVE-2017-10061 - RCE (CVSS v3 score – 8.3)
• CVE-2017-10366 – RCE (CVSS v3 score – 9.8)
• Any SSRF, combined with the lack of authentication for requests from localhost in the PeopleSoft Apache Axis component, equals RCE
• SSRF bugs: CVE-2013-3800, CVE-2013-3821, CVE-2017-3548, CVE-2017-3547 ...
RCE on PeopleSoft WebServer is not a PROBLEM
PSIGW.war
• CVE-2017-10061
• CVSS Severity (version 3.0): 8.3 High
• CVSS Version 3 Metrics:
• Attack Vector (AV): Network
• Attack Complexity (AC): Low
DEMO
Find AppSvr in internal network
$ pwd
/home/psadm2/apps/PORTAL.war
$ cat WEB-INF/psftdocs/ps/webprof/config_prop | grep -i appserver -A 1
<string>appServer</string>
<string>192.168.56.101:9033</string>
• CVE-2017-10146 - Directory Traversal
• Attack Vector (AV): Network
• Attack Complexity (AC): Low
• Privileges Required (PR): None
Remote attack: hardcore scenario
1. Get RCE on PeopleSoft WebServer
   Recon Application Server in internal network
2. Get RCE on Application Server
   On AppSvr side decrypt low level DB credentials
3. Gain low level access to a database.
   Get and decrypt «AccessID» from db.
   AccessID - «this account is the key to the kingdom»
4. Profit
PeopleSoft AppServer
Some Theory
PeopleSoft AppServer
An application server consists of numerous PeopleSoft services and server processes.
PeopleSoft AppServer processes
• PSAPPSRV
• PSQCKSRV
• PSQRYSRV
• PSSAMSRV
• PSOPTENG
• PSMSGDSP
• PSMSGHND
• PSPUBDSP
• PSPUBHND
• PSSUBDSP
• PSSUBHND
• WSL
• WSH
• JSL
• JSH
• RMI Services
• etc.
PeopleSoft AppServer
• Many processes = large attack surface
• But … most of them are binary, native code applications.
PeopleSoft AppServer
• After some research, we have found some interesting bugs, and we are now trying to write exploits for them.
• But we don't have RCE on AppServer yet.
Remote attack hardcore scenario
1. Get RCE on PeopleSoft WebServer
   Recon Application Server in the internal network
2. Get RCE on Application Server
   On the AppSvr side decrypt low level DB credentials
3. Gain low level access to a database.
   Get and decrypt «AccessID» from the db.
   AccessID - «this account is the key to the kingdom»
4. Profit
BUT ...
AppServer RMI service
We have PeopleSoft RMI service with hardcoded credentials...
AppServer RMI service
Java Remote Method Invocation (Java RMI) is a Java API that performs remote method invocation, the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java classes and distributed garbage collection.
PeopleSoft AppServer
AppServer RMI service
By using this service, we can get:
• AppSvr runtime info
• AppSvr Network statistic
• Java Memory pool info
• CPU Load info
• FileStore Information
• ...
• Access to AppServer logs
AppServer RMI service
In some cases, access to AppServer logs can leak an authentication token, for example when debug logging is enabled on the server side.
AppServer RMI service
DEMO
• RCE on PeopleSoft WebServer side
• We can read TOKEN from AppServer log:
• If debug mode is on
• It seems that debug mode is not common for PeopleSoft production servers
• If we are lucky enough, we can get access to some account tokens.
What we have?
1. Get RCE on PeopleSoft WebServer
   Recon Application Server in the internal network
2. Get RCE on Application Server
   On the AppSvr side decrypt low level DB credentials
   We got partial “access” to Application Server
3. Gain low-level access to a database.
   Get and decrypt «AccessID» from db.
   AccessID - «this account is the key to the kingdom»
What do we have here?
But we can exploit another bug...
DEMO
PeopleSoft Application Server buffer over-read
We can disclose user passwords in plain text, remotely.
Attack Scenario
• Get access to PeopleSoft web server
• Recon AppServer
• Passively dump credentials from AppServer
• Collect user names and passwords.
• Find accounts with high business roles in the system
• …
• Profit
What if we had RCE on the AppServer
For anyone pentesting the AppServer, the main target is psappsrv.cfg.
But the values in psappsrv.cfg are «encrypted».
psappsrv.cfg
• UserPswd=sC33X45qyMXPEbKTYHrJ06Fd31PfKYBdSEgL5e0i1vE=
• ConnectPswd=gizrWPhLwsI5KYakWwvJDLtoEGNNNG4lFfq8W5x/NpM=
• DomainConnectionPwd=iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5Ah ...
psappsrv.cfg „decryption“
$ ubbgen -decr iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo=
jahce6queiXeevoo1quo0nano # decrypted password
ubbgen utility
UBBGEN's usage prompt doesn't show the “-decr” and “-encr” options; they seem to be «hidden».
psappsrv.cfg
• DBName=...
• DBType=...
• UserId=PS # default PeopleSoft admin
• UserPswd=<encrypted password> # admin password
• ConnectID=people # default connection id
• ConnectPswd=<encrypted password>
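As an added defender-side example (not code from the talk, from ERPScan or from Oracle): a Python audit of a constructed psappsrv.cfg that flags cleartext or empty credential values, the default UserId/ConnectId, and file permissions that let other local accounts read the file. The base64 heuristic for ubbgen output, the sample file contents and the function names are assumptions of this example.

```python
"""Audit a PeopleSoft psappsrv.cfg for credential hygiene (added example).

The «encrypted» values in [Startup] are only obfuscated: anyone who can read the
file can reverse them with the ubbgen -decr option shown in the talk, so the
file's readability is the real control and is checked alongside the values.
"""
import base64
import binascii
import configparser
import os
import stat
import tempfile

# Credential keys in the [Startup] section of psappsrv.cfg, as listed in the talk.
CREDENTIAL_KEYS = ("UserPswd", "ConnectPswd", "DomainConnectionPwd")

# Constructed sample, not a real file: one password is still cleartext and one is empty.
SAMPLE_CFG = """\
[Startup]
DBName=HRDMO
DBType=ORACLE
UserId=PS
UserPswd=sC33X45qyMXPEbKTYHrJ06Fd31PfKYBdSEgL5e0i1vE=
ConnectId=people
ConnectPswd=peop1e
DomainConnectionPwd=
"""


def load_startup(text):
    """Parse the INI-style file and return the [Startup] section as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (UserPswd, ConnectPswd, ...)
    cp.read_string(text)
    return dict(cp["Startup"]) if cp.has_section("Startup") else {}


def is_obfuscated(value):
    """Heuristic (an assumption of this example): ubbgen output on the slides is
    base64 text, so a value that does not decode as base64 is treated as cleartext."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 16


def audit_startup(startup):
    """Return findings for the credential keys and the default account names."""
    findings = []
    for key in CREDENTIAL_KEYS:
        value = startup.get(key, "").strip()
        if not value:
            findings.append(f"{key}: missing or empty")
        elif not is_obfuscated(value):
            findings.append(f"{key}: stored in cleartext")
    if startup.get("UserId", "").strip().upper() == "PS":
        findings.append("UserId: default PeopleSoft admin account PS in use")
    if startup.get("ConnectId", "").strip().lower() == "people":
        findings.append("ConnectId: default connect ID 'people' in use")
    return findings


def audit_mode(path):
    """Flag a config file readable by group or others; since the obfuscation is
    reversible on the same host, read access to the file is the real boundary."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return [f"file mode {oct(mode)}: readable by group or others"]
    return []


def audit_file(path):
    """Audit both the contents and the permissions of a psappsrv.cfg on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_startup(load_startup(text)) + audit_mode(path)


def demo():
    """Write the constructed sample to a temp file with mode 0644 and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as fh:
        fh.write(SAMPLE_CFG)
        path = fh.name
    try:
        os.chmod(path, 0o644)
        return audit_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in demo():
        print("WARN", finding)
```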
PeopleSoft Administrator Role
(PS user)
This role does NOT have any access to critical business data.
ConnectID
• Real Database ID
• Required to establish the initial connection to the database
• Used by AppServer for initial authentication with PeopleSoft database
• Access to encrypted “AccessID”
PeopleSoft AppServer Sign In
• Initial connection.
• The application server uses the ConnectID and UserId specified in its configuration file (PSAPPSRV.CFG) to perform the initial connection to the database.
• The server performs a SQL Select statement on the security tables.
• Check UserID and UserPswd
• The server reconnects using the AccessID.
• The application server begins the persistent connection to the database that all users use to access the database.
Getting encrypted AccessID
$ sqlplus «ConnectId»@«db ip address»:1522/«dbname»
SQL> select STM_ACCESS_PART1, STM_ACCESS_PART2, STM_ACCESS_ID, STM_ACCESS_PSWD from SYSADM.PSACCESSPROFILE;
$ stmdecr <STM_ACCESS_PART1> <STM_ACCESS_PART2> <STM_ACCESS_ID> <STM_ACCESS_PSWD>
stmdecr
stmdecr will be published soon … :|
Conclusion
• Apply the latest Oracle Critical Patch Updates (CPUs)
• Perform external security audits
Read our blog
erpscan.com/category/press-center/blog/
Join our webinars
erpscan.com/category/press-center/events/
Subscribe to our newsletters
eepurl.com/bef7h1
USA:
228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone 650.798.5255
EMEA:
Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam
Phone +31 20 8932892
erpscan.com
inbox@erpscan.com
Thank you
Dmitry Yudin
Security Researcher at ERPScan
d.yudin@erpscan.com
PeopleSoft: HACK THE  Planet^W university
PeopleSoft: HACK THE  Planet^W university

More Related Content

What's hot

NDIS Packet of Death
NDIS Packet of DeathNDIS Packet of Death
NDIS Packet of Death
nitayart
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
CongDoanVan1
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted Data
New York Technology Council
 
[Khóa luận tốt nghiệp] - Tìm hiểu và triển khai Snort/SnortSam
[Khóa luận tốt nghiệp] - Tìm hiểu và triển khai Snort/SnortSam[Khóa luận tốt nghiệp] - Tìm hiểu và triển khai Snort/SnortSam
[Khóa luận tốt nghiệp] - Tìm hiểu và triển khai Snort/SnortSam
Tiki.vn
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
Patrick Coble
 
Đề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAY
Đề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAYĐề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAY
Đề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAY
Dịch vụ viết bài trọn gói ZALO 0917193864
 
Palo alto-networks-product-summary-specsheet
Palo alto-networks-product-summary-specsheetPalo alto-networks-product-summary-specsheet
Palo alto-networks-product-summary-specsheet
grammershazil
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Cody Thomas
 
Báo Cáo Thực Tập Nghiên Cứu Kỹ Thuật Tấn Công Mạng Lan Và Giải Pháp Đảm B...
Báo Cáo Thực Tập Nghiên Cứu Kỹ Thuật Tấn Công Mạng Lan Và Giải Pháp Đảm B...Báo Cáo Thực Tập Nghiên Cứu Kỹ Thuật Tấn Công Mạng Lan Và Giải Pháp Đảm B...
Báo Cáo Thực Tập Nghiên Cứu Kỹ Thuật Tấn Công Mạng Lan Và Giải Pháp Đảm B...
DV Viết Luận văn luanvanmaster.com ZALO 0973287149
 
Hashicorp Vault Associate Certification Concepts Part 2
Hashicorp Vault Associate Certification Concepts Part 2 Hashicorp Vault Associate Certification Concepts Part 2
Hashicorp Vault Associate Certification Concepts Part 2
Adnan Rashid
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
enigma0x3
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
arnaudsoullie
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, Oslo
Yossi Sassi
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Suricata
SuricataSuricata
Suricata
tex_morgan
 

What's hot (20)

NDIS Packet of Death
NDIS Packet of DeathNDIS Packet of Death
NDIS Packet of Death
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted Data
 
[Khóa luận tốt nghiệp] - Tìm hiểu và triển khai Snort/SnortSam
[Khóa luận tốt nghiệp] - Tìm hiểu và triển khai Snort/SnortSam[Khóa luận tốt nghiệp] - Tìm hiểu và triển khai Snort/SnortSam
[Khóa luận tốt nghiệp] - Tìm hiểu và triển khai Snort/SnortSam
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
 
Đề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAY
Đề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAYĐề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAY
Đề tài: Nghiên cứu kỹ thuật tấn công mạng LAN và giải pháp, HAY
 
Palo alto-networks-product-summary-specsheet
Palo alto-networks-product-summary-specsheetPalo alto-networks-product-summary-specsheet
Palo alto-networks-product-summary-specsheet
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
 
Báo Cáo Thực Tập Nghiên Cứu Kỹ Thuật Tấn Công Mạng Lan Và Giải Pháp Đảm B...
Báo Cáo Thực Tập Nghiên Cứu Kỹ Thuật Tấn Công Mạng Lan Và Giải Pháp Đảm B...Báo Cáo Thực Tập Nghiên Cứu Kỹ Thuật Tấn Công Mạng Lan Và Giải Pháp Đảm B...
Báo Cáo Thực Tập Nghiên Cứu Kỹ Thuật Tấn Công Mạng Lan Và Giải Pháp Đảm B...
 
Hashicorp Vault Associate Certification Concepts Part 2
Hashicorp Vault Associate Certification Concepts Part 2 Hashicorp Vault Associate Certification Concepts Part 2
Hashicorp Vault Associate Certification Concepts Part 2
 
SQL injection
SQL injectionSQL injection
SQL injection
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, Oslo
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Suricata
SuricataSuricata
Suricata
 

Similar to PeopleSoft: HACK THE Planet^W university

Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
QConLondon2008
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
deimos
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
CA API Management
 
A great api is hard to find
A great api is hard to findA great api is hard to find
A great api is hard to find
Dan Diephouse
 
C# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access SecurityC# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access Security
Darren Sim
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
MongoDB
 
Serverless - minimizing the attack surface
Serverless - minimizing the attack surfaceServerless - minimizing the attack surface
Serverless - minimizing the attack surface
Avi Shulman
 
Top 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must HaveTop 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must Have
IndumathySK
 
Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2
Vladimir Bacvanski, PhD
 
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
confluent
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security
Cedar Consulting
 
Web Security
Web SecurityWeb Security
Web Security
Chatree Kunjai
 
website phishing by NR
website phishing by NRwebsite phishing by NR
website phishing by NR
NARESH GUMMAGUTTA
 
Creating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew TurlandCreating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew Turland
Matthew Turland
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
jonmccoy
 
CQRS and Event Sourcing
CQRS and Event Sourcing CQRS and Event Sourcing
CQRS and Event Sourcing
Inho Kang
 
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
Oracle Korea
 
CredHub and Secure Credential Management
CredHub and Secure Credential ManagementCredHub and Secure Credential Management
CredHub and Secure Credential Management
VMware Tanzu
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
Abdelhamid Limami
 
My Saminar On Php
My Saminar On PhpMy Saminar On Php
My Saminar On Php
Arjun Kumawat
 

Similar to PeopleSoft: HACK THE Planet^W university (20)

Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
 
A great api is hard to find
A great api is hard to findA great api is hard to find
A great api is hard to find
 
C# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access SecurityC# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access Security
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
Serverless - minimizing the attack surface
Serverless - minimizing the attack surfaceServerless - minimizing the attack surface
Serverless - minimizing the attack surface
 
Top 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must HaveTop 7 Skills PHP Developer Must Have
Top 7 Skills PHP Developer Must Have
 
Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2
 
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
Keynote: The Database Is Only Half Done (Ben Stopford, Confluent) London 2019...
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security
 
Web Security
Web SecurityWeb Security
Web Security
 
website phishing by NR
website phishing by NRwebsite phishing by NR
website phishing by NR
 
Creating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew TurlandCreating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew Turland
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
 
CQRS and Event Sourcing
CQRS and Event Sourcing CQRS and Event Sourcing
CQRS and Event Sourcing
 
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
[Hands-on] CQRS(Command Query Responsibility Segregation) 와 Event Sourcing 패턴 실습
 
CredHub and Secure Credential Management
CredHub and Secure Credential ManagementCredHub and Secure Credential Management
CredHub and Secure Credential Management
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
My Saminar On Php
My Saminar On PhpMy Saminar On Php
My Saminar On Php
 

Recently uploaded

存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
bseovas
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
Trending Blogers
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
zyfovom
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
ukwwuq
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 

Recently uploaded (20)

存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 

PeopleSoft: HACK THE Planet^W university

  • 1. PeopleSoft: HACK THE Planet^W universityby Dmitry Iudin, Security Researcher at ERPScan
  • 3.
  • 4.
  • 5. PeopleSoft Used by: Universities Government and its institutions Large enterprises, etc.
  • 6. PeopleSoft Campus solutions Human Capital Management Financial Management Supplier Relationship Management …
  • 7. Attack Targets  Personal information  SSN  Salary data  Payment information  Credit card data  Bank account data Bidding information - RFP - Prices
  • 8. Attack Targets  Espionage  Theft of financial information  Corporate trade secret theft  Theft of supplier and customer lists  Stealing HR data (employee data theft)  Sabotage  Denial of service  Tampering with financial reports Fraud - False transactions - Modification of master data
  • 10. A Bit of Theory
  • 11. PeopleSoft Pure Internet Architecture
  • 13. Web Server: hosts the PeopleSoft servlets, communicates with the AppServer, is the front end.
  • 16. Configuration and Deployment Options: AppServer and database on the same server.
  • 18. PeopleSoft Pure Internet Architecture
    - These 3 main components are common to all PeopleSoft applications.
    - The applications differ mainly in the business logic that lives in the database.
    - Pwning these components is equivalent to pwning all application types.
  • 19. Attack from Internet: hardcore scenario
    1. Get RCE on the PeopleSoft WebServer. Recon the Application Server in the internal network.
    2. Get RCE on the Application Server. On the AppSvr side, decrypt the low-level DB credentials.
    3. Gain low-level access to the database. Get and decrypt the high-level DB credentials from the db. AccessID: «this account is the key to the kingdom».
    4. Profit.
  • 20. Find PeopleSoft CS systems in WWW
  • 21. Or other PeopleSoft Systems ...
  • 22. Default PeopleSoft Servlets on WebServer
    - PORTAL.war - PeopleSoft Interaction Hub
    - PSEMHUB.war - Environment Management Framework
    - PSIGW.war - Integration Gateway
    - PSINTERLINKS.war - Business Interlinks
    - PSPC.war - PeopleSoft Portlet Container servlet
  • 23. Most Critical Known Bugs
    - CVE-2017-10061 - RCE (CVSS v3 score 8.3)
    - CVE-2017-10366 - RCE (CVSS v3 score 9.8)
    - Any SSRF + missing authentication for requests from localhost in the PeopleSoft Apache Axis component = RCE
    - SSRF bugs: CVE-2013-3800, CVE-2013-3821, CVE-2017-3548, CVE-2017-3547 ...
  • 24. RCE on PeopleSoft WebServer is not a PROBLEM
  • 26. PSIGW.war: CVE-2017-10061. CVSS v3 severity: 8.3 High. CVSS v3 metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low.
  • 27. DEMO
  • 28. Find AppSvr in internal network
    $ pwd
    /home/psadm2/apps/PORTAL.war
    $ cat WEB-INF/psftdocs/ps/webprof/config_prop | grep -i appserver -A 1
    <string>appServer</string>
    <string>192.168.56.101:9033</string>
  • 29. Find AppSvr in internal network: CVE-2017-10146 - Directory Traversal. Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None.
  • 30. Find AppSvr in internal network
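The recon step on slides 28-30 boils down to pulling the AppServer host:port out of the web-profile config on the PIA web server. The script below is an added example (not part of the deck, not ERPScan code): it extracts every AppServer endpoint, including comma-separated failover lists, from two places: the `<string>key</string><string>value</string> pair layout shown in the grep output on slide 28 (pairing consecutive elements is an assumption about that file's layout), and the `psserver=` property in the site's `configuration.properties`. The config fragments, hostnames and the second key are constructed for the example.

```python
import re

# Constructed fragment in the layout shown on slide 28: a key followed by its
# value as consecutive <string> elements. Hosts/ports are made up; the failover
# list form (host:port,host:port) is how PIA lists several domains.
SAMPLE_CONFIG_PROP = """
<string>appServer</string>
<string>192.168.56.101:9033,192.168.56.102:9033</string>
<string>siteName</string>
<string>ps</string>
"""

# Constructed configuration.properties fragment; psserver= is the PIA setting
# that carries the same information (value made up here).
SAMPLE_CONFIGURATION_PROPERTIES = """
# constructed sample
psserver=appsrv01.example.internal:9033,192.168.56.101:9033
domainName=
"""

HOSTPORT = re.compile(r"^([A-Za-z0-9.\-]+):(\d{1,5})$")


def split_hostports(value: str) -> list:
    """Split 'host:port,host:port' into (host, port) tuples, dropping entries
    that are not well-formed or have an out-of-range port."""
    out = []
    for item in value.split(","):
        m = HOSTPORT.match(item.strip())
        if not m:
            continue
        port = int(m.group(2))
        if 0 < port < 65536:
            out.append((m.group(1), port))
    return out


def parse_string_pairs(text: str) -> dict:
    """Assumption: consecutive <string> elements form key/value pairs."""
    strings = [s.strip() for s in re.findall(r"<string>(.*?)</string>", text, re.S)]
    return {strings[i]: strings[i + 1] for i in range(0, len(strings) - 1, 2)}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader (key=value, # or ! comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        k, v = line.split("=", 1)
        props[k.strip()] = v.strip()
    return props


def find_appservers(config_prop_text: str, configuration_properties_text: str) -> list:
    """Collect AppServer endpoints from both sources, de-duplicated, in order found."""
    targets = []
    for key, value in parse_string_pairs(config_prop_text).items():
        if key.lower() == "appserver":
            targets.extend(split_hostports(value))
    props = parse_properties(configuration_properties_text)
    if "psserver" in props:
        targets.extend(split_hostports(props["psserver"]))
    seen, uniq = set(), []
    for t in targets:
        if t not in seen:
            seen.add(t)
            uniq.append(t)
    return uniq


if __name__ == "__main__":
    for host, port in find_appservers(SAMPLE_CONFIG_PROP, SAMPLE_CONFIGURATION_PROPERTIES):
        print(f"AppServer candidate: {host}:{port}")
```

Every endpoint it returns is a Jolt listener (JSL) an attacker who already has the web server would probe next, so the same list is what a defender should compare against firewall rules between the web tier and the application tier.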
  • 31. Remote attack: hardcore scenario
    1. Get RCE on the PeopleSoft WebServer. Recon the Application Server in the internal network.
    2. Get RCE on the Application Server. On the AppSvr side, decrypt the low-level DB credentials.
    3. Gain low-level access to the database. Get and decrypt the «AccessID» from the db. AccessID: «this account is the key to the kingdom».
    4. Profit.
  • 34. PeopleSoft AppServer An application server consists of numerous PeopleSoft services and server processes.
  • 35. PeopleSoft AppServer processes: PSAPPSRV, PSQCKSRV, PSQRYSRV, PSSAMSRV, PSOPTENG, PSMSGDSP, PSMSGHND, PSPUBDSP, PSPUBHND, PSSUBDSP, PSSUBHND, WSL, WSH, JSL, JSH, RMI services, etc.
  • 36. PeopleSoft AppServer: many processes = large attack surface. But ... most of them are binary, native-code applications.
  • 37. PeopleSoft AppServer: after some research we have found some interesting bugs and are now trying to write exploits for them. But we don't have RCE on the AppServer yet.
  • 39. Remote attack: hardcore scenario
    1. Get RCE on the PeopleSoft WebServer. Recon the Application Server in the internal network.
    2. Get RCE on the Application Server. On the AppSvr side, decrypt the low-level DB credentials.
    3. Gain low-level access to the database. Get and decrypt the «AccessID» from the db. AccessID: «this account is the key to the kingdom».
    4. Profit.
  • 42. AppServer RMI service: the PeopleSoft RMI service ships with hardcoded credentials ...
  • 43. AppServer RMI service: Java Remote Method Invocation (Java RMI) is a Java API that performs remote method invocation, the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java objects and distributed garbage collection.
  • 45. AppServer RMI service. By using this service we can get: AppSvr runtime info, AppSvr network statistics, Java memory pool info, CPU load info, FileStore information, ... and access to the AppServer logs.
  • 47. AppServer RMI service: in some cases access to the AppServer logs can leak an authentication token, for example when debug logging is enabled on the server side.
  • 49. What do we have?
    - RCE on the PeopleSoft WebServer side
    - We can read the TOKEN from the AppServer log, if debug mode is on
    - It seems that debug mode is not common for PeopleSoft production servers
    - If we are lucky enough, we can get access to some account tokens
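Slides 47-49 turn on one condition: a debug-level AppServer log that carries PS_TOKEN values. Whether that has already happened on a given domain can be checked offline by scanning the existing APPSRV logs. The scanner below is an added example, not from the deck or ERPScan: it finds long base64 blobs sitting next to the word "token", ties each one to the last user name logged by the same PSAPPSRV process, and reports only a redacted form so the scan output itself does not become a second leak. The log layout, the user names and the token value are constructed for the example (real trace output depends on the domain's LogFence and trace settings).

```python
import base64
import re

# Constructed APPSRV log lines. The layout is made up for this example and the
# token is base64 of a placeholder string, not a real PS_TOKEN.
_FAKE_TOKEN = base64.b64encode(b"constructed placeholder, not a PeopleSoft token!!").decode()
SAMPLE_APPSRV_LOG = f"""\
PSAPPSRV.2001 (12) [2017-10-10T10:00:01 GetCertificate](3) Checking authentication for user VP1
PSAPPSRV.2001 (12) [2017-10-10T10:00:01 GetCertificate](3) PS_TOKEN={_FAKE_TOKEN}
PSAPPSRV.2001 (13) [2017-10-10T10:00:02 ICPanel](3) Page PERSONAL_DATA loaded for user VP1
PSAPPSRV.2001 (14) [2017-10-10T10:00:03 GetCertificate](1) Authentication failed for user HACKER1
"""

# A PS_TOKEN is a long base64 blob. Look for one within a few characters of
# the word "token"; the 40-character minimum keeps ordinary words and short
# identifiers out of the results.
TOKEN_RE = re.compile(r"(?i)token\W{0,3}(?P<tok>[A-Za-z0-9+/]{40,}={0,2})")
USER_RE = re.compile(r"\buser (?P<user>[A-Z0-9_]+)")


def redact(token: str) -> str:
    """Keep just enough of the blob to correlate findings, never the whole value."""
    return token[:6] + "..." + token[-4:]


def scan_for_tokens(log_text: str) -> list:
    """Return (line_number, user_or_None, redacted_token) for each line carrying
    a token-looking blob. The user is the last one logged by the same
    PSAPPSRV process (first whitespace-delimited field), so a leaked token can
    be tied back to an account for revocation."""
    findings = []
    last_user = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        proc = line.split(" ", 1)[0]
        m_user = USER_RE.search(line)
        if m_user:
            last_user[proc] = m_user.group("user")
        m_tok = TOKEN_RE.search(line)
        if m_tok:
            findings.append((n, last_user.get(proc), redact(m_tok.group("tok"))))
    return findings


if __name__ == "__main__":
    for line_no, user, blob in scan_for_tokens(SAMPLE_APPSRV_LOG):
        print(f"line {line_no}: token for user {user or '?'}: {blob}")
```

A non-empty result means the debug setting the speaker relies on is (or was) active; the fix is to drop the trace level and treat the affected users' sessions as compromised, since anyone who reached the log through the RMI service on slide 45 could have read the same lines.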
  • 50. What do we have?
    1. Get RCE on the PeopleSoft WebServer. Recon the Application Server in the internal network.
    2. Get RCE on the Application Server. On the AppSvr side, decrypt the low-level DB credentials. We got partial "access" to the Application Server.
    3. Gain low-level access to the database. Get and decrypt the «AccessID» from the db. AccessID: «this account is the key to the kingdom».
  • 51. What do we have here?
  • 52. But we can exploit another bug...
  • 53. DEMO
  • 54. PeopleSoft Application Server buffer over-read: we can disclose user passwords in plain text, remotely.
  • 56. Attack Scenario
    - Get access to the PeopleSoft web server
    - Recon the AppServer
    - Passively dump credentials from the AppServer
    - Collect user names and passwords
    - Find accounts with high business roles in the system
    - ...
    - Profit
  • 57. What if we had RCE on the AppServer? The main target for anyone pentesting the AppServer is psappsrv.cfg. But the values in psappsrv.cfg are «encrypted».
  • 59. psappsrv.cfg "decryption"
    $ ubbgen -decr iSTwU6g03N1UlzIng6I+fsXdd6L02b3iQrAW5AhSeOo=
    jahce6queiXeevoo1quo0nano    # decrypted password
  • 60. ubbgen utility: UBBGEN's usage prompt does not show the -decr and -encr options; they seem to be «hidden».
  • 62. psappsrv.cfg
    DBName=...
    DBType=...
    UserId=PS                      # default PeopleSoft admin
    UserPswd=<encrypted password>  # admin password
    ConnectID=people               # default connection id
    ConnectPswd=<encrypted password>
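Slides 57-62 make psappsrv.cfg the pivot of the whole chain: ubbgen reverses the "encryption", and the file ships with the default PS and people accounts. Before an attacker gets there, the [Startup] section can be audited for the two things the slides exploit: credentials left in clear and default account names. The checker below is an added example (not from the deck, not ERPScan or Oracle code). It uses only the keys named on slide 62; the "looks encrypted" test is a heuristic on the shape shown on slide 59 (an opaque base64 blob), not a documented format, and the sample config, the database name and all values are constructed.

```python
import base64
import binascii
import configparser

# Constructed psappsrv.cfg fragment with only the [Startup] keys from slide 62.
# The UserPswd value is a base64 placeholder built here, not a real PeopleSoft
# ciphertext; ConnectPswd is deliberately left in clear to exercise the check.
_PLACEHOLDER_BLOB = base64.b64encode(b"constructed-placeholder-blob-32B").decode()
SAMPLE_PSAPPSRV_CFG = f"""
[Startup]
;=========================================================================
; Database Signon settings (constructed sample, not a real domain config)
;=========================================================================
DBName=HR92DMO
DBType=ORACLE
UserId=PS
UserPswd={_PLACEHOLDER_BLOB}
ConnectId=people
ConnectPswd=peop1e
ServerName=
"""

SECRET_KEYS = ("UserPswd", "ConnectPswd")
# Default account names called out on slide 62.
DEFAULT_ACCOUNTS = {"UserId": "PS", "ConnectId": "people"}


def looks_encrypted(value: str) -> bool:
    """Heuristic (assumption): a PSADMIN-encrypted value is an opaque base64
    blob of reasonable length. Anything short or not base64 is treated as a
    clear-text password."""
    if len(value) < 16 or len(value) % 4:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 12


def load_startup(cfg_text: str) -> dict:
    """Read the [Startup] section, keeping key case as written in the file."""
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(cfg_text)
    if not cp.has_section("Startup"):
        return {}
    return {k: v.strip() for k, v in cp.items("Startup")}


def _lookup(startup: dict, name: str):
    """Case-insensitive key lookup (the file uses ConnectId, the slide ConnectID)."""
    for k, v in startup.items():
        if k.lower() == name.lower():
            return k, v
    return name, ""


def audit_startup(cfg_text: str) -> dict:
    """Classify each password key as encrypted/plaintext and flag default accounts."""
    startup = load_startup(cfg_text)
    report = {"plaintext_secrets": [], "encrypted_secrets": [], "default_accounts": []}
    for name in SECRET_KEYS:
        key, value = _lookup(startup, name)
        if not value:
            continue
        bucket = "encrypted_secrets" if looks_encrypted(value) else "plaintext_secrets"
        report[bucket].append(key)
    for name, default in DEFAULT_ACCOUNTS.items():
        key, value = _lookup(startup, name)
        if value.upper() == default.upper():
            report["default_accounts"].append(f"{key}={value}")
    return report


if __name__ == "__main__":
    for k, v in audit_startup(SAMPLE_PSAPPSRV_CFG).items():
        print(f"{k}: {v}")
```

Passing this check does not make the file safe: slide 59 shows the "encrypted" form is reversible with the domain's own ubbgen, so the real control is file permission and host hardening on the AppServer, and renaming the defaults only removes the free guess.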
  • 63. PeopleSoft Administrator Role (PS user): this role does NOT have any access to critical business data.
  • 64. ConnectID
    - A real database ID
    - Required to establish the initial connection to the database
    - Used by the AppServer for the initial authentication with the PeopleSoft database
    - Has access to the encrypted "AccessID"
  • 65. PeopleSoft AppServer Sign In
    - Initial connection: the application server uses the ConnectID and UserId specified in its configuration file (PSAPPSRV.CFG) to perform the initial connection to the database.
    - The server performs a SQL SELECT on the security tables and checks the UserID and UserPswd.
    - The server reconnects using the AccessID.
    - The application server begins the persistent connection to the database that all users use to access the database.
  • 66. Getting the encrypted AccessID
    $ sqlplus «ConnectId»@«db ip address»:1522/«dbname»
  • 67. Getting the encrypted AccessID
    SQL> select STM_ACCESS_PART1, STM_ACCESS_PART2, STM_ACCESS_ID, STM_ACCESS_PSWD from SYSADM.PSACCESSPROFILE;
  • 68. Getting the encrypted AccessID
    $ stmdecr <STM_ACCESS_PART1> <STM_ACCESS_PART2> <STM_ACCESS_ID> <STM_ACCESS_PSWD>
  • 69. stmdecr stmdecr will be published soon … :|
  • 70. Conclusion: apply the latest Critical Patch Updates (CPUs); perform external security audits.
  • 71. Thank you. Dmitry Yudin, Security Researcher at ERPScan, d.yudin@erpscan.com. Read our blog: erpscan.com/category/press-center/blog/ Join our webinars: erpscan.com/category/press-center/events/ Subscribe to our newsletters: eepurl.com/bef7h1 USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, phone 650.798.5255. EMEA: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam, phone +31 20 8932892. erpscan.com, inbox@erpscan.com