Advanced MySQL Exploitation. Muhaimin Dzulfakar Blackhat U.S.A 2009 Las Vegas

Similar documents
Advanced SQL injection to operating system full control

SQL Injection. By Artem Kazanstev, ITSO and Alex Beutel, Student

How to hack a website with Metasploit

UQC103S1 UFCE Systems Development. uqc103s/ufce PHP-mySQL 1

Web Application Attacks And WAF Evasion

Webapps Vulnerability Report

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

Installing buzztouch Self Hosted

SQL Injection January 23, 2013

ClickCartPro Software Installation README

Certified Cyber Security Expert V Web Application Development

Virtually Secure. a journey from analysis to remote root 0day on an industry leading SSL-VPN appliance

HUNTING ASYNCHRONOUS VULNERABILITIES. James Kettle

Penetration Testing with Kali Linux

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Penetration Testing Report Client: Business Solutions June 15 th 2015

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Web Application Security Payloads. Andrés Riancho Director of Web Security OWASP AppSec USA Minneapolis

Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels

1. Building Testing Environment

Lucid Key Server v2 Installation Documentation.

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Contents 1 Description 2 Installation

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

Short notes on webpage programming languages

PowerShell for Penetration Testers

VESZPROG ANTI-MALWARE TEST BATTERY

BSIDES Las Vegas Secret Pentesting Techniques Shhh...

DBMS Project. COP Spring Final Submission Report

PHP/MySQL SQL Injections: Understanding MySQL Union Poisoining. Jason A. Medeiros :: CEO :: Presented for DC619 All Content Grayscale Research 2008

Playing with Web Application Firewalls

SANS Dshield Webhoneypot Project. OWASP November 13th, The OWASP Foundation Jason Lam

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

vtiger CRM 4.2 Installation Guide for Linux OS

Offensive Security. Advanced Web Attacks and Exploitation. Mati Aharoni Devon Kearns. v. 1.0

Online Backup Linux Client User Manual

Architecture and Mode of Operation

Internal Penetration Test

Securing and Accelerating Databases In Minutes using GreenSQL

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Installation Instructions

SQL Injection Attack

Simbirsk Technologies Ltd.

LAMP [Linux. Apache. MySQL. PHP] Industrial Implementations Module Description

Guarding Against SQL Server Attacks: Hacking, cracking, and protection techniques.

CIT 480: Securing Computer Systems. Vulnerability Scanning and Exploitation Frameworks

Pwning Intranets with HTML5

Learn Ethical Hacking, Become a Pentester

PowerShell. It s time to own. David Kennedy (ReL1K) Josh Kelley (Winfang) Twitter: dave_rel1k

1. Product Information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Executive Summary On IronWASP

About This Document 3. Integration and Automation Capabilities 4. Command-Line Interface (CLI) 8. API RPC Protocol 9.

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Why File Upload Forms are a Major Security Threat

Pre-authentication XXE vulnerability in the Services Drupal module

Online Backup Client User Manual Linux

Tools for penetration tests 1. Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus.

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

LDAPCON Sébastien Bahloul

Installing Drupal on Your Local Computer

RecoveryVault Express Client User Manual

Security Products Development. Leon Juranic

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ

Database Security. Principle of Least Privilege. DBMS Security. IT420: Database Management and Organization. Database Security.

Online Backup Client User Manual

Online Backup Client User Manual Mac OS

Online Backup Client User Manual Mac OS

DFW Backup Software. Whitepaper DFW Backup Agent

Easy Method: Blind SQL Injection

Vulnerability Assessment and Penetration Testing

IP Application Security Manager and. VMware vcloud Air

Network Monitoring Tool with LAMP Architecture

Online Backup Client User Manual

Build it with Drupal 8

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

TAO Installation Guide v0.1. September 2012

Zoner Online Backup. Whitepaper Zoner Backup Agent

Web Application Report

Audience. Pre-Requisites

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

Lesson 7 - Website Administration

VP-ASP Shopping Cart QUICK START GUIDE Version th Feb 2010 Rocksalt International Pty Ltd

DIPLOMA IN WEBDEVELOPMENT

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

LAMP : THE PROMINENT OPEN SOURCE WEB PLATFORM FOR QUERY EXECUTION AND RESOURCE OPTIMIZATION. R. Mohanty Mumbai, India

Ahsay Backup Software. Whitepaper Ahsay Backup Agent

Media Upload and Sharing Website using HBASE

david d. rude Affiliated Computer Services Penetration Tester <bannedit0 [ at ] gmail.com> Develop Codes for stuff

Automated CPanel Backup Script. for home directory backup, remote FTP backup and Amazon S3 backup

MYSQL DATABASE ACCESS WITH PHP

TUNNA. A tool designed to bypass firewall restrictions on remote webservers. By: Rodrigo Marcos Nikos Vassakis

Penetration Testing Lessons Learned. Security Research

CONNECTING TO DEPARTMENT OF COMPUTER SCIENCE SERVERS BOTH FROM ON AND OFF CAMPUS USING TUNNELING, PuTTY, AND VNC Client Utilities

Transcription:

Advanced MySQL Exploitation Muhaimin Dzulfakar Blackhat U.S.A 2009 Las Vegas 1

Who am I Muhaimin Dzulfakar Security Consultant Security-Assessment.com 2

SQL Injection An attack technique used to exploit web sites that construct SQL statement from user input Normally it is used to read, modify and delete database data In some cases, it is able to perform remote code execution 3

What is a stacked query? Condition where multiple SQL statements are allowed. SQL statements are separated by semicolon Stack query commonly used to write a file onto the machine while conducting SQL Injection attack Blackhat Amsterdam 2009, Bernando Damele demonstrated remote code execution performed through SQL injection on platforms with stacked query Today I will demonstrate how to conduct remote code execution through SQL injection without stacked query MySQL-PHP are widely use but stacked query is not allowed by default to security reason 4

Abusing stacked queries on MySQL query.aspx?id=21; create table temp(a blob); insert into temp values ( 0x789c 414141 )-- query.aspx?id=21; update temp set a = replace (a, 414141, 9775..71 )-- query.aspx?id=21; select a from temp into dumpfile /var/lib/ mysql/lib/udf.so -- query.aspx?id=21; create function sys_exec RETURNS int SONAME 'udf.so -- 5

Stacked query table ASP.NET ASP PHP MySQL Supported Not supported Not Supported MSSQL Supported Supported Supported Postgresql Supported Supported Supported 6

Remote command execution on MySQL-PHP Traditionally, simple PHP shell is used to execute command Weak and has no strong functionality We need a reliable shell! Metasploit contains variety of shellcodes Meterpreter shellcode for post exploitation process VNC shellcode for GUI access on the host 7

File read/write access on MySQL-PHP platform SELECT.. LOAD_INFILE is used to read file SELECT.. INTO OUTFILE/DUMPFILE is used to write file Remote code execution technique on MySQL-PHP platform Upload the compressed arbitrary file onto the web server directory Upload the PHP scripts onto the web server directory Execute the PHP Gzuncompress function to decompress the arbitrary file Execute the arbitrary file through the PHP System function 8

Challenge on writing arbitrary file through UNION SELECT GET request is limited to 8190 bytes on Apache May be smaller when Web Application firewall in use Data from the first query query can overwrite the file header Data from extra columns can add extra unnecesary data into our arbitrary data. This can potentially corrupt our file 9

Fixing the URL length issue PHP Zlib module can be used to compress the arbitrary file 9625 bytes of executable can be compressed to 630 bytes which is able to bypass the max limit request Decompress the file on the destination before the arbitrary file is executed 10

Removal of unnecessary data UNION SELECT will combine the result from the first query with the second query query.php?id=21 UNION SELECT 0x34.3234,null,null-- First Query Second Query Result from the first query can overwrite the file header Non existing data can be injected in the WHERE clause 11

Result from first query data + executable code First Query Executable code 12

Fixing the columns issue In UNION SELECT, the second query required the same amount of columns as the first query Compressed arbitrary data should be injected in the first column to prevent data corruption Zlib uses Adler32 checksum and this value is added at the end of our compressed arbitrary data Any injected data after the Adler32 checksum will be ignored during the decompression process query.php?id=44444 UNION SELECT 0x0a0e13 4314324,0x00,0x00, into outfile /var/www/upload/meterpreter.exe 13

Random data after the Adler32 checksum Adler32 Checksum 14

Remote code execution on LAMP (Linux, Apache, MySQL, PHP) By default, any directory created in Linux is not writable by mysql /web server users When the mysql user has the ability to upload a file onto the web server directory, this directory can be used to upload our arbitrary file By default, uploaded file on the web server through INTO DUMPFILE is not executable but readable. This file is owned by a mysql user Read the file content as a web server user and write it back onto the web server directory Chmod the file to be executable and execute using the PHP system function 15

Remote code execution on WAMP (Windows, Apache, MySQL, PHP) By default, MySQL runs as a Local System user By default, this user has the ability to write into any directory including the web server directory Any new file created by this user is executable PHP system function can be used to execute this file 16

MySqloit MySqloit is a MySQL injection takeover tool Features SQL Injection detection Detect SQL Injection through deep blind injection method Fingerprint Dir Fingerprint the web server directory Fingerprint OS Fingerprint the Operating System Payload Create a shellcode using Metasploit Exploit Upload the shellcode and execute it 17

Demo \ / @ oo /\ /\ / (,,,, ) /^\) ^\/ _) ) /^\/ _) ) _ / / _) MySqloit /\ )/\/ )_) < > (,,) ) ) / \) )\ \ ( ) ) ) \ ( ;;; ;;; 18

\ / @ oo /\ /\ / (,,,, ) /^\) ^\/ _) ) /^\/ _) ) _ / / _) Questions? /\ )/\/ )_) < > (,,) ) ) / \) )\ \ ( ) ) ) \ ( ;;; ;;; 19

\ / @ oo /\ /\ / (,,,, ) /^\) ^\/ _) ) /^\/ _) ) _ / / _) Thank You /\ )/\/ )_) < > (,,) ) ) muhaimindz@gmail.com / \) )\ \ ( ) ) ) \ ( ;;; ;;; 20

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information