
Web Security Handbook

Sharing is itself a joy; I feel happy when others get help.


Dirty Tricks


Oracle Hacking with Metasploit Videos

  • Metasploit Oracle TNSCMD SMBRelay Demo
  • Metasploit Oracle Extproc Backdoor Demo
  • Metasploit Oracle Login Brute and Privilege Check Demo
  • Metasploit Oracle CGI Scanner and SID enumeration

Getting OS Access Using a Low-Privileged Oracle Database Account


Presentation from Confidence 2009 available

I just uploaded the presentation “SQL Injection in Oracle Webapps” to our website. This presentation describes the basics of SQL, different exploitation techniques (inband, out-of-band, blind), how to search credit card numbers in the database (using dbms_xmlgen), … Here is one of the sample SQL Injection strings from the presentation. With this SQL Injection string we are getting all username/passwords, all table names, all column names and all privileges in one step. The trick is to use sum(length(utl_http())) in the SELECT clause.

Tutorial: Oracle SQL Injection in Webapps - Part I

With Oracle 11g, Oracle introduced some security enhancements by default, e.g. the ACL for PL/SQL packages accessing the network. These packages are UTL_HTTP, UTL_INADDR, UTL_TCP, … Some old well known tricks like the usage of utl_inaddr are no longer working for non-DBAs in 11g… The following tutorial will show how to bypass these restrictions and will show some new tricks…

On Using an Injection Point to Determine Whether the Database and Web Server Are Separated

#Trace: For reference only; not entirely correct.

Database Password Hashes Cracking

#Trace: Summarized by Sid. Post any additions in the comments.

SQL injection: Not only AND 1=1

Trace's note: it analyzes how some of sqlmap's features are implemented.

Oracle FTP Script Write/Binary Download/Execute via Oracle Packages Video

Metasploit Auxiliary module for Oracle FTP Script Write/Binary Download/Execute via Oracle Packages.

As DBA (yea for SQLI) we use UTL_FILE to write out our FTP download script, using DBMS_SCHEDULER we create a job to run the script to download our binary and create a 2nd job to execute our binary and get our meterpreter shell. Oracle...Unbreakable.

MS-SQL [2000&2005] User Enumeration Via sp_who

In SQL Server 2005, if you are not 'sa' you can't do much. This is primarily because openrowset is by default not available unless you are privileged. Stored procedure sp_who is available for public (in MSSQL 2000 and 2005). This procedure “provides information about current Microsoft® SQL Server™ users and processes”.

Full MSSQL Injection PWNage

#Trace: Good paper.

Deliberately Insecure Web Applications For Learning Web App Security

Over the last few months I've been teaching free classes for the ISSA Kentuckiana chapter in Louisville, Kentucky. After doing one on Nmap and another on Sniffers, I talked it over with my buddies Brian and Jeff and decided that the next one should be on web application vulnerabilities. Now the question becomes what to test against in a classroom environment? To tell the truth, I'm not as up on web application security as I think I need to be to teach the class yet, and I don't want to have to develop my own insecure code just to have something to test against in the lab. I could look through BugTraq for good candidates and install old venerable versions of apps like phpBB, but I did not think that would be the clearest way to illustrate some concepts. What I wanted was a "one stop shop" for a bunch of common vulnerabilities. It also occurred to me to use one of the many online wargame/hacker challenge sites, but there are a few major problems with that approach:

union all in Oracle 8i Does Not Support null

Oracle 9i improved union all over 8i.

Oracle Pwnage Part 6 from DBA to SYS

In some of the past posts I covered finding a default user account or an account with an easy to guess username/password for Oracle and taking that user to DBA via SQL Injection in Oracle packages.

Microsoft SQL Server sp_replwritetovarbin Remote Heap Overflow Vulnerability

Microsoft SQL Server is a popular SQL database system.

A heap overflow exists in SQL Server's sp_replwritetovarbin extended stored procedure. If a remote attacker supplies uninitialized variables in the parameters, the overflow can be triggered, writing memory to a controllable location and leading to arbitrary code execution with the privileges of the vulnerable SQL Server process.

In the default configuration, any user can access the sp_replwritetovarbin procedure. Authenticated users can exploit this vulnerability through a direct database connection or via SQL injection.


Copyright 2008-2009 Pcsec.org. Some Rights Reserved. 苏ICP备08110306号