www.notsosecure.com

From Pentesters To Pentesters

The new version of bsqlbf is now available for download. The new addition is the execution of any Metasploit payload after executing OS code against an Oracle database server by exploiting SQL injection from web apps.

Project Homepage

Video

A colleague of mine (Aleks) forwarded me a Russian presentation on exploiting SQL Injection:

http://devteev.blogspot.com/2009/10/advanced-sql-injection-lab-full-pack.html

Of all the slides, I particularly liked the one in which the author demonstrates that if the MySQL error messages have been enabled (using the mysql_error() function), then it is possible to retrieve data from the back-end database using the ExtractValue() function:
——————————————
>SELECT 1 AND ExtractValue(1, CONCAT(0x5c, (SELECT @@VERSION)))

produces:

Error Code : 1105
XPATH syntax error: '\5.1.44-community'

——————————————
This should not be confused with PHP errors. While PHP errors are usually enabled, it's not “very” common to see developers printing the MySQL errors using the mysql_error() function. However, it's still good to know and could sometimes come in handy.
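As an added example (not from the original post or the presentation it links), here is a small detector for the ExtractValue() error-based technique shown above: it flags access-log requests that feed ExtractValue()/UpdateXML() a CONCAT() of input, and spots the echoed "XPATH syntax error" in a response body, which is the sign that mysql_error() output is reaching the client. The log lines are constructed, the Apache combined log format and all function names are assumptions.

```python
"""Detect MySQL error-based SQL injection via ExtractValue()/UpdateXML().

Added example, not code from the original post. Log lines below are
constructed; function and variable names are hypothetical.
"""
import re
from urllib.parse import unquote_plus

# Request side: an XML function fed a CONCAT() of attacker-controlled input.
_XML_FUNC_RE = re.compile(
    r"\b(extractvalue|updatexml)\s*\(.*?\bconcat\s*\(", re.IGNORECASE | re.DOTALL
)
# Response side: the mysql_error() text that carries the leaked value.
_XPATH_ERR_RE = re.compile(r"XPATH syntax error:\s*['‘]\\?([^'’]*)['’]")


def request_is_suspicious(raw_query_string: str) -> bool:
    """True when a URL-encoded query string carries the ExtractValue/UpdateXML+CONCAT pattern."""
    decoded = unquote_plus(raw_query_string)
    # Decode a second time: double encoding is a common way past naive filters.
    decoded = unquote_plus(decoded)
    return _XML_FUNC_RE.search(decoded) is not None


def leaked_value_from_response(body: str):
    """Return the value echoed inside a MySQL XPATH syntax error, or None."""
    m = _XPATH_ERR_RE.search(body)
    return m.group(1) if m else None


def scan_access_log(lines):
    """Return (client_ip, path) for Apache combined-format lines whose query string looks like error-based injection."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed line, skip rather than crash
        ip, path = parts[0], parts[6]  # field 7 is the request path
        if "?" in path and request_is_suspicious(path.split("?", 1)[1]):
            hits.append((ip, path))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2010:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2010:13:55:40 +0000] "GET /item.php?id=1%20AND%20ExtractValue(1,CONCAT(0x5c,(SELECT%20@@VERSION))) HTTP/1.1" 500 210',
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
    print(leaked_value_from_response("XPATH syntax error: '\\5.1.44-community'"))
```

The response-side check is the more useful one in practice: a hit there means the application is echoing raw database errors, and the fix is to log mysql_error() server-side, show a generic message, and use parameterised queries.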

Overall, very nice presentation.

This year, I will be talking at Blackhat and Defcon. The talk is titled “Hacking Oracle From Web Apps”. The details about the talk can be found here. I am also releasing a small teaser video of the new bsqlbf version, which I will be releasing soon. See you in Vegas!

Link to the video

It's that time of the year. If you are attending Infosec 2010 in London, it will be a good time to meet up. I will be at stand G42. I will also be giving a talk titled:
Latest From the world of Hacking

The talk shows a number of recently released exploits in action. These include:
* Oracle 10g/11g DBMS_JVM_EXP_PERMS exploit
* IE Aurora exploit
* KiTrap0D exploit (windows local privilege escalation)
* Java Web Start client side exploit
* Remote code execution in SMB v2 (MS09-050)
* Linux Kernel 2.x sock_sendpage() Local Ring0 root exploit
* Some PDF exploits
…and many more…

See you there!

I have updated bsqlbf and the latest version (2.5) has the following 2 additions:

Type 7: OS code execution via SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), with DBA privileges (11g R1 and R2)
Type 8: OS code execution via DBMS_JAVA_TEST.FUNCALL, with Java IO permissions (10g R2, 11g R1 and R2)

For more details about these 2 attack vectors, please refer to the paper, Hacking Oracle From Web

Bsqlbf Homepage

Enjoy!