SlideShare una empresa de Scribd logo

Database Access Path to Network Ownage

Bernardo Damele A. G.
Bernardo Damele A. G.

The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in real world: how to abuse databases features to takeover the server as a whole, how to break out of the mere database process, get control of the operating system and escalate process' privileges to SYSTEM and how to make the life of the forensics analyst harder in a post-exploitation investigation. These slides have been presented at AthCon 2010 conference in Athens on June 3, 2010.

Tecnología
1 de 21
Descargar para leer sin conexión
Got database access? Own the network! Bernardo Damele Assumpção Guimarães
Who I am Bernardo Damele Assumpção Guimarães Penetration tester @ Portcullis Computer Security Proud father, avid spear-fisher, bad photographer Open source enthusiast sqlmap lead developer – http://sqlmap.sf.net keimpx developer – http://code.google.com/p/keimpx Database takeover UDF repository AthCon 2010, Athens (Greece) June 3, 2010 2
Introduction Database management systems are powerful applications Store and interact with data Interact with the file system and operating system When they can’t by design, you can force them to When they can’t due to limited user’s privileges, you can exploit them! AthCon 2010, Athens (Greece) June 3, 2010 3
Scenario You have got access to a DBMS Direct connection – provided account, weak passwords, brute-forcing credentials SQL injection – web application, stand-alone client, cash machine ☺, … What to do now other than enumerating data? Own the underlying operating system Why not even other servers within the network? AthCon 2010, Athens (Greece) June 3, 2010 4
Command execution – State of art Microsoft SQL Server OPENROWSET can be abused to escalate privileges to DBA Token kidnapping to escalate privileges to SYSTEM Built-in xp_cmdshell to execute commands Oracle If you find an injection in a function owned by SYS and with authid definer, you can run PL/SQL statements as SYS Many ways to execute commands – DBMS_EXPORT_EXTENSION package, abuse Java functions, etc. AthCon 2010, Athens (Greece) June 3, 2010 5
Command execution – State of art MySQL and PostgreSQL support user-defined functions: custom function that can be evaluated in SQL statements UDF can be created from shared libraries that are compiled binary files Dynamic-link library on Windows Shared object on Linux PostgreSQL supports also procedural languages AthCon 2010, Athens (Greece) June 3, 2010 6
Code snippet of sys_eval() UDF sys_eval() executes a command and returns its stdout AthCon 2010, Athens (Greece) June 3, 2010 7
More than command execution Owning the database server is not only about OS command execution Out-of-band connection between the attacker host and the database server Database used as a stepping stone to establish this covert channel TCP: Shell, Meterpreter, VNC – http://metasploit.com UDP: DNS tunnel – http://heyoka.sourceforge.net AthCon 2010, Athens (Greece) June 3, 2010 8
Stealth out-of-band connection On the attacker host Forge a shellcode with msfpayload Encode it with msfencode Run msfcli with multi/handler exploit On the database server Create a UDF that executes a payload in-memory Execute the UDF providing the payload as a parameter Anti-forensics technique – hard to track in a post- exploitation forensics investigation AthCon 2010, Athens (Greece) June 3, 2010 9
User-defined function sys_bineval() Works in DEP/NX-enabled systems Supports alphanumeric-encoded payloads Protects the DBMS if the payload crashes Shellcode is executed in a SEH frame Does not always fork a new process Spawns a new thread AthCon 2010, Athens (Greece) June 3, 2010 10
sys_bineval() vs DEP/NX Memory area for shellcode is allocated +rwx On Windows: VirtualAlloc() code = (char *) VirtualAlloc(NULL, 4096, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); On Unix: mmap() code = mmap(0, page_size, PROT_READ| PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, 0, 0); AthCon 2010, Athens (Greece) June 3, 2010 11
sys_bineval() and alphanum payloads Supports alphanumeric-encoded payloads Metasploit’s msfencode has alphanumeric encoders to encode the payload Problem: It is not able to produce pure alphanumeric payloads due to get_pc() AthCon 2010, Athens (Greece) June 3, 2010 12
sys_bineval() and alphanum payloads Solution: Use the BufferRegister option when encoding the shellcode ./msfencode BufferRegister=EAX –e x86/alpha_mixed … Put the payload address in EAX register before executing it __asm { MOV EAX, [lpPayload] CALL EAX } AthCon 2010, Athens (Greece) June 3, 2010 13
sys_bineval() avoids DBMS crashes Spawn a new thread WaitForSingleObject(CreateThread(NULL, 0, ExecPayload, CodePointer, 0, &pID), INFINITE); Wrap the payload in a SEH frame __try { __asm { MOV EAX, [lpPayload] CALL EAX } } AthCon 2010, Athens (Greece) June 3, 2010 14
Code snippet of sys_bineval() UDF sys_bineval() executes an alphanumeric-encoded payload in-memory AthCon 2010, Athens (Greece) June 3, 2010 15
Am I really unprivileged? Your code, like any other within the DBMS process, runs with the privileges of the OS user running the DBMS Microsoft SQL Server can run as SYSTEM – Uncommon PostgreSQL and MySQL usually run as a unprivileged user MySQL on Windows runs as SYSTEM Regardless of the OS user running the DBMS, the attacker can escalate privileges AthCon 2010, Athens (Greece) June 3, 2010 16
I have got the power or… ways to get it! Some ways to escalate privileges Meterpreter has some built-in commands (getsystem) and scripts Including kitrap0d – Kernel flaw unpatched for ~17 years Abuse weak permissions on files, services, named pipes, LSASS design, etc. Memory corruption bugs “All Users” startup file trick Got luck? whoami is your friend! AthCon 2010, Athens (Greece) June 3, 2010 17
Want to execute fancier code on DBMS? sqlmap has a switch to inject your user-defined functions Write your own C/ASM code with the DBMS development libraries Compile as a shared object Fire up sqlmap with --udf-inject switch The tool will inject the UDFs you want and execute them onto the database server at your request AthCon 2010, Athens (Greece) June 3, 2010 18
Direct connection to the database From July 2006 to March 2010 sqlmap has been “yet another” SQL injection tool With some kick-ass features like BOF exploit via SQL injection, sys_bineval(), file system access, etc. All in all.. One-shot favorite script-kiddies tool™ Now, it is the only free tool able to takeover database servers via either web applications or direct connection AthCon 2010, Athens (Greece) June 3, 2010 19
But… Wasn’t it meant to deal with data? When you get access to a DBMS, you have good chances to own the operating system Once you have access to the system you can escalate privileges – kernel flaws, weak permissions, etc. When you are a high-privileged OS user you can dump users’ password hashes and spray them across the network perimeter to easily own other machines – http://code.google.com/p/keimpx or SSHatter You can also pivot traffic through the compromised database server to the Corporate network or DMZ AthCon 2010, Athens (Greece) June 3, 2010 20
Questions? bernardo.damele@gmail.com http://bernardodamele.blogspot.com http://sqlmap.sourceforge.net Thanks for your attention! AthCon 2010, Athens (Greece) June 3, 2010 21

Recomendados

It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Heuristic methods used in sqlmap
Heuristic methods used in sqlmapHeuristic methods used in sqlmap
Heuristic methods used in sqlmapMiroslav Stampar
 
sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the HoodMiroslav Stampar
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internalsMiroslav Stampar
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in PythonMiroslav Stampar
 

Recomendados

It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Heuristic methods used in sqlmap
Heuristic methods used in sqlmapHeuristic methods used in sqlmap
Heuristic methods used in sqlmapMiroslav Stampar
 
sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the HoodMiroslav Stampar
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internalsMiroslav Stampar
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in PythonMiroslav Stampar
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attackPrashant Hegde
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
Sql injection
Sql injectionSql injection
Sql injectionHemendra Kumar
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
RIA Cross Domain Policy
RIA Cross Domain PolicyRIA Cross Domain Policy
RIA Cross Domain PolicyNSConclave
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
 
Sql Injection 0wning Enterprise
Sql Injection 0wning EnterpriseSql Injection 0wning Enterprise
Sql Injection 0wning Enterprisen|u - The Open Security Community
 
Sql injection
Sql injectionSql injection
Sql injectionSasha-Leigh Garret
 
Sql injection
Sql injectionSql injection
Sql injectionNuruzzaman Milon
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
Hacking (with) WebSockets
Hacking (with) WebSocketsHacking (with) WebSockets
Hacking (with) WebSocketsSergey Shekyan
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1Bernardo Damele A. G.
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmapMiroslav Stampar
 
sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?Miroslav Stampar
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 

Más contenido relacionado

La actualidad más candente

Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attackPrashant Hegde
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
RIA Cross Domain Policy
RIA Cross Domain PolicyRIA Cross Domain Policy
RIA Cross Domain PolicyNSConclave
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
Hacking (with) WebSockets
Hacking (with) WebSocketsHacking (with) WebSockets
Hacking (with) WebSocketsSergey Shekyan
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmapMiroslav Stampar
 

La actualidad más candente (20)

Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
 
RIA Cross Domain Policy
RIA Cross Domain PolicyRIA Cross Domain Policy
RIA Cross Domain Policy
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)
 
Sql Injection 0wning Enterprise
Sql Injection 0wning EnterpriseSql Injection 0wning Enterprise
Sql Injection 0wning Enterprise
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
Hacking (with) WebSockets
Hacking (with) WebSocketsHacking (with) WebSockets
Hacking (with) WebSockets
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
 

Destacado

sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?Miroslav Stampar
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Bernardo Damele A. G.
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Bernardo Damele A. G.
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internalsBernardo Damele A. G.
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...frank2
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and preventionNicholas Davis
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeTeodoro Cipresso
 
Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Ricardo L0gan
 
Generic attack detection engine
Generic attack detection engineGeneric attack detection engine
Generic attack detection engineVikrant Kansal
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationBlueinfy Solutions
 
Obfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in PerlObfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in PerlJosé Castro
 

Destacado (18)

sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internals
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
SQLmap
SQLmapSQLmap
SQLmap
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine Code
 
Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9
 
Generic attack detection engine
Generic attack detection engineGeneric attack detection engine
Generic attack detection engine
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
Obfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in PerlObfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in Perl
 

Similar a Database Access Path to Network Ownage

ch2-system structure.ppt
ch2-system structure.pptch2-system structure.ppt
ch2-system structure.pptJohnColaco1
 
Ch2 system structure
Ch2 system structureCh2 system structure
Ch2 system structureAnkit Dubey
 
Principles of operating system
Principles of operating systemPrinciples of operating system
Principles of operating systemAnil Dharmapuri
 
Migrating the elastic stack to the cloud, or application logging @ travix
Migrating the elastic stack to the cloud, or application logging @ travix Migrating the elastic stack to the cloud, or application logging @ travix
Migrating the elastic stack to the cloud, or application logging @ travixRuslan Lutsenko
 
Evolution of the Windows Kernel Architecture, by Dave Probert
Evolution of the Windows Kernel Architecture, by Dave ProbertEvolution of the Windows Kernel Architecture, by Dave Probert
Evolution of the Windows Kernel Architecture, by Dave Probertyang
 
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesMartin Děcký
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)David Sweigert
 
Ch3 OS
Ch3 OSCh3 OS
Ch3 OSC.U
 
Operating System 4 1193308760782240 2
Operating System 4 1193308760782240 2Operating System 4 1193308760782240 2
Operating System 4 1193308760782240 2mona_hakmy
 
Operating System 4
Operating System 4Operating System 4
Operating System 4tech2click
 
Operating system Definition Structures
Operating system Definition StructuresOperating system Definition Structures
Operating system Definition Structuresanair23
 
OS - Ch2
OS - Ch2OS - Ch2
OS - Ch2sphs
 
Chapter 2 - Operating System Structures
Chapter 2 - Operating System StructuresChapter 2 - Operating System Structures
Chapter 2 - Operating System StructuresWayne Jones Jnr
 

Similar a Database Access Path to Network Ownage (20)

ch2-system structure.ppt
ch2-system structure.pptch2-system structure.ppt
ch2-system structure.ppt
 
Ch2 system structure
Ch2 system structureCh2 system structure
Ch2 system structure
 
Principles of operating system
Principles of operating systemPrinciples of operating system
Principles of operating system
 
01.osdoc
01.osdoc01.osdoc
01.osdoc
 
Migrating the elastic stack to the cloud, or application logging @ travix
Migrating the elastic stack to the cloud, or application logging @ travix Migrating the elastic stack to the cloud, or application logging @ travix
Migrating the elastic stack to the cloud, or application logging @ travix
 
Oct2009
Oct2009Oct2009
Oct2009
 
Evolution of the Windows Kernel Architecture, by Dave Probert
Evolution of the Windows Kernel Architecture, by Dave ProbertEvolution of the Windows Kernel Architecture, by Dave Probert
Evolution of the Windows Kernel Architecture, by Dave Probert
 
SQL Server on Linux
SQL Server on LinuxSQL Server on Linux
SQL Server on Linux
 
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, Capabilities
 
Operating system
Operating system Operating system
Operating system
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
 
Ch3 OS
Ch3 OSCh3 OS
Ch3 OS
 
OSCh3
OSCh3OSCh3
OSCh3
 
OS_Ch3
OS_Ch3OS_Ch3
OS_Ch3
 
Operating System 4 1193308760782240 2
Operating System 4 1193308760782240 2Operating System 4 1193308760782240 2
Operating System 4 1193308760782240 2
 
Operating System 4
Operating System 4Operating System 4
Operating System 4
 
Operating system Definition Structures
Operating system Definition StructuresOperating system Definition Structures
Operating system Definition Structures
 
Operating system1
Operating system1Operating system1
Operating system1
 
OS - Ch2
OS - Ch2OS - Ch2
OS - Ch2
 
Chapter 2 - Operating System Structures
Chapter 2 - Operating System StructuresChapter 2 - Operating System Structures
Chapter 2 - Operating System Structures
 

Último

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Último (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

Database Access Path to Network Ownage

  • 1. Got database access? Own the network! Bernardo Damele Assumpção Guimarães
  • 2. Who I am Bernardo Damele Assumpção Guimarães Penetration tester @ Portcullis Computer Security Proud father, avid spear-fisher, bad photographer Open source enthusiast sqlmap lead developer – http://sqlmap.sf.net keimpx developer – http://code.google.com/p/keimpx Database takeover UDF repository AthCon 2010, Athens (Greece) June 3, 2010 2
  • 3. Introduction Database management systems are powerful applications Store and interact with data Interact with the file system and operating system When they can’t by design, you can force them to When they can’t due to limited user’s privileges, you can exploit them! AthCon 2010, Athens (Greece) June 3, 2010 3
  • 4. Scenario You have got access to a DBMS Direct connection – provided account, weak passwords, brute-forcing credentials SQL injection – web application, stand-alone client, cash machine ☺, … What to do now other than enumerating data? Own the underlying operating system Why not even other servers within the network? AthCon 2010, Athens (Greece) June 3, 2010 4
  • 5. Command execution – State of art Microsoft SQL Server OPENROWSET can be abused to escalate privileges to DBA Token kidnapping to escalate privileges to SYSTEM Built-in xp_cmdshell to execute commands Oracle If you find an injection in a function owned by SYS and with authid definer, you can run PL/SQL statements as SYS Many ways to execute commands – DBMS_EXPORT_EXTENSION package, abuse Java functions, etc. AthCon 2010, Athens (Greece) June 3, 2010 5
  • 6. Command execution – State of art MySQL and PostgreSQL support user-defined functions: custom function that can be evaluated in SQL statements UDF can be created from shared libraries that are compiled binary files Dynamic-link library on Windows Shared object on Linux PostgreSQL supports also procedural languages AthCon 2010, Athens (Greece) June 3, 2010 6
  • 7. Code snippet of sys_eval() UDF sys_eval() executes a command and returns its stdout AthCon 2010, Athens (Greece) June 3, 2010 7
  • 8. More than command execution Owning the database server is not only about OS command execution Out-of-band connection between the attacker host and the database server Database used as a stepping stone to establish this covert channel TCP: Shell, Meterpreter, VNC – http://metasploit.com UDP: DNS tunnel – http://heyoka.sourceforge.net AthCon 2010, Athens (Greece) June 3, 2010 8
  • 9. Stealth out-of-band connection On the attacker host Forge a shellcode with msfpayload Encode it with msfencode Run msfcli with multi/handler exploit On the database server Create a UDF that executes a payload in-memory Execute the UDF providing the payload as a parameter Anti-forensics technique – hard to track in a post- exploitation forensics investigation AthCon 2010, Athens (Greece) June 3, 2010 9
  • 10. User-defined function sys_bineval() Works in DEP/NX-enabled systems Supports alphanumeric-encoded payloads Protects the DBMS if the payload crashes Shellcode is executed in a SEH frame Does not always fork a new process Spawns a new thread AthCon 2010, Athens (Greece) June 3, 2010 10
  • 11. sys_bineval() vs DEP/NX Memory area for shellcode is allocated +rwx On Windows: VirtualAlloc() code = (char *) VirtualAlloc(NULL, 4096, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); On Unix: mmap() code = mmap(0, page_size, PROT_READ| PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, 0, 0); AthCon 2010, Athens (Greece) June 3, 2010 11
  • 12. sys_bineval() and alphanum payloads Supports alphanumeric-encoded payloads Metasploit’s msfencode has alphanumeric encoders to encode the payload Problem: It is not able to produce pure alphanumeric payloads due to get_pc() AthCon 2010, Athens (Greece) June 3, 2010 12
  • 13. sys_bineval() and alphanum payloads Solution: Use the BufferRegister option when encoding the shellcode ./msfencode BufferRegister=EAX –e x86/alpha_mixed … Put the payload address in EAX register before executing it __asm { MOV EAX, [lpPayload] CALL EAX } AthCon 2010, Athens (Greece) June 3, 2010 13
  • 14. sys_bineval() avoids DBMS crashes Spawn a new thread WaitForSingleObject(CreateThread(NULL, 0, ExecPayload, CodePointer, 0, &pID), INFINITE); Wrap the payload in a SEH frame __try { __asm { MOV EAX, [lpPayload] CALL EAX } } AthCon 2010, Athens (Greece) June 3, 2010 14
  • 15. Code snippet of sys_bineval() UDF sys_bineval() executes an alphanumeric-encoded payload in-memory AthCon 2010, Athens (Greece) June 3, 2010 15
  • 16. Am I really unprivileged? Your code, like any other within the DBMS process, runs with the privileges of the OS user running the DBMS Microsoft SQL Server can run as SYSTEM – Uncommon PostgreSQL and MySQL usually run as a unprivileged user MySQL on Windows runs as SYSTEM Regardless of the OS user running the DBMS, the attacker can escalate privileges AthCon 2010, Athens (Greece) June 3, 2010 16
  • 17. I have got the power or… ways to get it! Some ways to escalate privileges Meterpreter has some built-in commands (getsystem) and scripts Including kitrap0d – Kernel flaw unpatched for ~17 years Abuse weak permissions on files, services, named pipes, LSASS design, etc. Memory corruption bugs “All Users” startup file trick Got luck? whoami is your friend! AthCon 2010, Athens (Greece) June 3, 2010 17
  • 18. Want to execute fancier code on DBMS? sqlmap has a switch to inject your user-defined functions Write your own C/ASM code with the DBMS development libraries Compile as a shared object Fire up sqlmap with --udf-inject switch The tool will inject the UDFs you want and execute them onto the database server at your request AthCon 2010, Athens (Greece) June 3, 2010 18
  • 19. Direct connection to the database From July 2006 to March 2010 sqlmap has been “yet another” SQL injection tool With some kick-ass features like BOF exploit via SQL injection, sys_bineval(), file system access, etc. All in all.. One-shot favorite script-kiddies tool™ Now, it is the only free tool able to takeover database servers via either web applications or direct connection AthCon 2010, Athens (Greece) June 3, 2010 19
  • 20. But… Wasn’t it meant to deal with data? When you get access to a DBMS, you have good chances to own the operating system Once you have access to the system you can escalate privileges – kernel flaws, weak permissions, etc. When you are a high-privileged OS user you can dump users’ password hashes and spray them across the network perimeter to easily own other machines – http://code.google.com/p/keimpx or SSHatter You can also pivot traffic through the compromised database server to the Corporate network or DMZ AthCon 2010, Athens (Greece) June 3, 2010 20
  • 21. Questions? bernardo.damele@gmail.com http://bernardodamele.blogspot.com http://sqlmap.sourceforge.net Thanks for your attention! AthCon 2010, Athens (Greece) June 3, 2010 21