Penetration Testing: Advanced Oracle Exploitation Page 1

Transcription

1 Penetration Testing: Advanced Oracle Exploitation Page 1

2 Course Index:: Day 1 Oracle RDBMS and the Oracle Network Architecture... 3» Introduction and Oracle Review...3» Service Information Enumeration:...3» First Avenues of Attack:...3 Day 1: Summary:... 3 Day 2 Attack Overview... 4» Auditing PLSQL Code...4» Attacking through PL/SQL...4» Real World Scenario: Exploiting DBMS_CDC_IMPDP...4 Day 2: Summary:... 4 Day 3 Attack Advancement... 5» Privilege Escalation...5» Advanced Techniques...5» Defeating Virtual Private Databases...5 Day 3: Summary:... 5 Day 4 Advanced Techniques... 6» Attacking PL/SQL Through WebAPPs...6» Running Operating System Commands...6» Using Oracle Network Capability...6 Day 4: Summary:... 6 FINAL ACTIVITY: ORALCLE SQL WARGAMES...7 Penetration Testing: Advanced Oracle Exploitation Page 2

3 Day 1 Oracle RDBMS and the Oracle Network Architecture» Introduction and Oracle Review Processes o Student will understand how oracle processes and permissions. The File System o Student will understand how oracle interacts with the filesystem. The Network o Student will learn about Oracles network capability from an infrastructural perspective.» Service Information Enumeration: The TNS Protocol Student will review the TNS protocol and how it is utilized by oracle. Enumerating Oracle Network Information Listener Version and Status Commands Using the TNS Protocol Version Using the XML Database Version Using Error Text Using the TTC Function» First Avenues of Attack: Attacking the TNS Listener and Dispatchers Aurora GOIP Server XML Database Attacking the Authentication Process Oracle Crypto Overview Default Login Values Account Enumeration and Brute Force Day 1: Summary: Day one starts off with a brief overview of the Oracle RDBMS and how it interacts with the operating system it resides on. Student will gain an overview of the process, file, and network capability built into oracle. Then the student will immediately be shown how to enumerate data about oracle version, and begin attacking a live oracle test-production server. Penetration Testing: Advanced Oracle Exploitation Page 3

4 Day 2 Attack Overview» Auditing PLSQL Code Dangerous Functionality, exploring PLSQL Syntax Understanding where PL/SQL lives in the Network Stack Examining Code for Interesting Problems» Attacking through PL/SQL Understanding PL/SQL Execution Privileges Oracle PL/SQL Wrapping PL/SQL Injection Flaw Reconnaissance API Hijacking in Relation to SQL Injection Race Conditions» Real World Scenario: Exploiting DBMS_CDC_IMPDP Understanding PL/SQL Execution Privileges Oracle PL/SQL Wrapping Direct PL/SQL Injection Example. Day 2: Summary: PL/SQL is a programming language for Oracle database servers. The PL in the acronym stands for Procedural Language, a fully featured programming language with built-in SQL capabilities and database objects such as packages, procedures, functions, triggers, and types - all written in PL/SQL. Because so many Oracle security issues relate in some way to PL/SQL, it is crucial for the Oracle security expert to understand PL/SQL. Day 2 explores PL/SQL in depth as a mechanism for attack against oracle servers. The student will explore injection theory and reconnaissance against SQL servers and how to inject into queries through process defenses. Additionally the student will learn to identify critical weak pots in the oracle PLSQL language, and will via a hands on scenario, be exploiting a DBMS_CDE_IMPDP exploitable scenario. Penetration Testing: Advanced Oracle Exploitation Page 4

5 Day 3 Attack Advancement» Privilege Escalation Student will earn to gain DBA Privileges Using o DBA from CREATE ANY Trigger o o DBA from CREATE ANY VIEW DBA from CREATE PROCEDURE» Advanced Techniques Exploiting Virtual Private Databases Oracle Confusion: Tricks to Access Policies» Defeating Virtual Private Databases Defeating VPDs using File Access Tricking Oracle into Dropping a Policy Exploiting General Privileges Day 3: Summary: A VPD is a security mechanism built into Oracle that allows fine-grained access control - or row-level security. There are a number of ways of defeating VPD. This day will start of with the student investigating some of these methods. The student will also be examining how some privileges can be abused to gain DBA privileges. Continuing from the last section, we'll look at the CREATE ANY TRIGGER privilege and how it can be used to elevate privileges. Additionally the student will be exposed to the dangers of many of the CREATE ANY privileges which typically can be leveraged to elevate an injection into DBA privileges. The student will additionally be exposed to the advanced methods used to gather policy information from the server utilizing custom exploitation methods. Penetration Testing: Advanced Oracle Exploitation Page 5

6 Day 4 Advanced Techniques» Attacking PL/SQL Through WebAPPs Recognizing the Oracle PL/SQL Gateway Verifying the Existance of the PL/SQL Gateway Attacking the Gateway» Running Operating System Commands Commands through Java Commands through the DBMS Scheduler Commands through the Job Scheduler Commands utilizing ALTER SYSTEM» Using Oracle Network Capability About UTL_TCP and UTL_HTTP Encrypting Data Prior to Extraction Attacking other Systems on the Network Java and the Network Database Links Day 4: Summary: The Oracle PL/SQL Gateway provides the capability to execute PL/SQL procedures in an Oracle database server via the web. It provides a gateway, a seamless path from the Internet, into a backend Oracle database server over the web. On Day 4 the user will be learning the attack methods used to exploit the PL/SQL gateway using cumulative learning from the previous 3 days, and newly introduced techniques. Additionally the student will be exposed to number of facilities for running operating system commands from the database server - some intentional and others "hacks." Commands can be executed in a variety of ways, by the end of the day the student will be able to attack and execute commands on the database with newly acquired techniques. The UTL_FILE package enables Oracle users to read and write to the file system. As already noted, access to files on the file system is achieved with the privileges of the Oracle user - so anything this user can read or write to can be read or written to by anyone else. Penetration Testing: Advanced Oracle Exploitation Page 6

7 FINAL ACTIVITY: ORALCLE SQL WARGAMES Student will use applied learning during this course to compete against other participants in a capture the flag tournament. Everyone gets the same image, the contest is to configure and secure your own image; and attack and take over the opponent host before the competition using the applied learning available in this course. Goal: Capture the most flags from network users and disable remote user retaliation. Pen-Test Winners Prize:» Grayscale Custom Oracle Hackers T-Shirt select utl_http.request(' /' (SELECT PASSWORDFROM DBA_USERS WHERE USERNAME='SYS')) from dual;» Free 1 Year License for Grayscales Web-Auditors Toolkit Penetration Testing: Advanced Oracle Exploitation Page 7