Exploiting MS09-004 via SQL injection

Monday, January 24th, 2011

Recently we were performing an web application penetration test to one of our clients and identified a SQL injection vulnerability. The vulnerability allowed us to conduct a degree of fingerprinting on the remote server; however, the Microsoft SQL Server back-end database didn’t allow to execute commands via the well known xp_cmdshell stored procedure.

Based on the fingerprinting information we identified that the database server was running an old and vulnerable version of MS SQL server. Microsoft SQL Sever 2000 SP3, to be precise.

All indicated that the server was vulnerable to MS09-004 vulnerability. However, it was not possible to get direct access to the database. Moreover no authentication credentials were discovered during the course of the assessment.

This is how our newly released Metasploit module was born. We coded an extension which can be added to Metasploit to exploit this vulnerability using a SQL injection vulnerability with no need of using credentials, as the web application will authenticate in our behalf.

Penetration testing - SQL injection exploitation

The screenshot above shows how to get meterpreter (or any other payload of your choice) exploiting the vulnerability from Metasploit.

If interested, get the scripts from our security tools area.

Tags: exploitation, metasploit, MS09-004, SECFORCE, sql injection, Tools
Posted in Penetration Testing, Tools, exploit | No Comments »

Metasploit and SQL injection

Monday, January 17th, 2011

SECFORCE has released a set of scripts for enhancing Metasploit functionality exploiting SQL injection vulnerabilities. This is particularly useful in two scenarios:

• When an attacker achieves command execution on a database via SQL injection, but he wants all the functionality offered by Metasploit.
• The attacker identifies that the backend SQL server is vulnerable to MS_09004 but has no credentials or direct access to the database.

Tags: metasploit, MS09004, Penetration Testing, sql injection, Tools
Posted in Penetration Testing, SECFORCE, Tools | No Comments »

Cisco config retrieval tool and password reuse

Wednesday, October 8th, 2008

The other day we were at a client site doing a penetration test. This was a very big deployment with almost 100 routers. At some point during the test we managed to get the read/write community string of one of the routers, as there was a script with the hard-coded credentials.

We managed to connect to the router with the SNMP credentials and pulled the Cisco config file. After that, we decoded the telnet and enable passwords and we were ready to go. We tried (with no much hope initially) a couple of other routers reusing the telnet password and they all worked. Every single router was protected with exactly the same password.

We had limited time and the prospect of telneting 100 routers pulling config files was not very appealing so we wrote a nice python script to pull them for us. We released the tool in our research section, so check it out if you are interested.

The lesson to learn here is that no matter how confident you are about the strength of your password because it can be potentially compromise and if you are reusing it, the impact for the business becomes critical.

Tags: cisco, cisco config, Penetration Testing, Tools
Posted in Penetration Testing, Tools | No Comments »