Call: +44 (0)7759 277220 Call
Forum

Welcome, Guest. Please Login.
Nov 23rd, 2024, 9:58pm
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   penetration test
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: penetration test  (Read 5221 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
penetration test
« on: Dec 4th, 2009, 7:40pm »
Quote | Modify

1. Apache+php+oci8
2. 10gR2
3. Script with sql injectable param
4. pl/sql function with sql injection Smiley
 
I have a dba escalating privs with a sql injection in a local procedure created for  admin panel to show current sessions and jobs, acces to listener i do not have. I test it from the web not from user net. I create a function with pragma and execute immediate i transmit it pl/sql but not all is executed and simple dml sql like "select user from dual" too... I do not understand where search a problem. IDS used, but i evade it chr()+base64+cursor and i grant to me a dba but i cant perform a simple DML  Grin
Magic?
 
 
Sorry for my bad english
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: penetration test
« Reply #1 on: Dec 4th, 2009, 11:18pm »
Quote | Modify

SELECT PRIVILEGE FROM SESSION_PRIVS
 
 
CREATE CLUSTER
CREATE INDEXTYPE
CREATE OPERATOR
CREATE PROCEDURE
CREATE SEQUENCE
CREATE SESSION
CREATE TABLE
CREATE TRIGGER
CREATE TYPE
UNLIMITED TABLESPACE
 
____________________________________________
SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS
 
ADM_USER
CONNECT
DBA
RESOURCE  
 
 
 
I try to select from dba_role_privs and i do not have privs...
Maybe default role is problem?
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: penetration test
« Reply #2 on: Dec 6th, 2009, 9:26am »
Quote | Modify

Hi DSU,
 
you didnt show the exploit sequence so its hard to see, but the session privs you have look like CONNECT and RESOURSE. Did you log out and log back in to see if DBA is available? - try logging out otherwise simply set the role dba when you have logged in. Its granted to your user and should not be password protected so try these two things.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: penetration test
« Reply #3 on: Dec 6th, 2009, 5:29pm »
Quote | Modify

on Dec 6th, 2009, 9:26am, Pete Finnigan wrote:
Hi DSU,
 
you didnt show the exploit sequence so its hard to see, but the session privs you have look like CONNECT and RESOURSE. Did you log out and log back in to see if DBA is available? - try logging out otherwise simply set the role dba when you have logged in. Its granted to your user and should not be password protected so try these two things.
 
cheers
 
Pete

 
 
Hi Pete  
 
This is problen because i do not have connect to listener, its php script he login and connect all when when it is start. I try execute immediate ('declare pragma... execute inmmediate ''set role dba'' )
Do not work... maybe problem is created functions its is authid, but in other schema?
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: penetration test
« Reply #4 on: Dec 6th, 2009, 7:21pm »
Quote | Modify

and i can show public function and proc with sql injection its a private code and post this on public forum...  
But injection is on point like this
 
"... 'begin '||proc_name||'('||param1||','||param2||'...)
 
inject like this
select mmm.sql_func(' sql_inject_proc(...); proc_name,param1,param2,param3...) from dual
Func return string if is ok 'Y' when others 'N'
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: penetration test
« Reply #5 on: Dec 7th, 2009, 8:28am »
Quote | Modify

Hi DSU,
 
This sounds strange that DBA is not available for your exploit user. Its unlikely that the DBA role is not a default role as i have never seen a database like this in many many years. Its possible of course just not likely. The first issue is the most likely. sometimes when an exploit grants DBA to the same user running the exploit the DBA role is not available in the same session; you have to log out and log back in to see it. you showed that it was granted so logging out will not ungrant it; if you log back in and its still not enabled then it must be the case that its not a default role.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: penetration test
« Reply #6 on: Dec 7th, 2009, 8:36am »
Quote | Modify

Hi Pete thanks for answer
 
It's a php cms coded in 2003 year, its re-login all time when perform a serach Smiley yes its bad but not me write scripts
 
I try to set the default role if i can... i find a vulnerable proc owned by sys.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: penetration test
« Reply #7 on: Dec 7th, 2009, 8:46am »
Quote | Modify

GRANTED_ROLE     default_role
 
 
ADM_USER  YES
CONNECT    YES
DBA       NO
 
 
Sad
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: penetration test
« Reply #8 on: Dec 7th, 2009, 9:59am »
Quote | Modify

OK, so that answers the issue, we now know its because the DBA role is not a default role for the exploited user.  
 
If you cannot issue a SET ROLE, then simply re-run the exploit, except this time dont set the payload to "GRANT DBA TO {...}" and instead modify it to ALTER USER {...} DEFAULT ROLE ALL". That way when you log back in again the DBA role will be enabled.
 
Let us know if it works.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: penetration test
« Reply #9 on: Dec 7th, 2009, 12:26pm »
Quote | Modify

I know about alter user and default role but i do not know result. This vulnerable proc work strange, i execute from it vulnerable function owned by sys (proc is too owned by sys Smiley ) DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC and nothing has changed.
 
I open a oracle documentation to search the answer, hour later just for interes i select from role_privs and ...
GRANTED_ROLE default_role
DBA YES
 
I do not understand maybe i on server is installed memcashe and role is set but webserver give a respond from cache...
 
And Pete, exist a metod to denied "alter user" with "default role" to all? I think this is good step method to secure a oracle database...
 
Thanks Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: penetration test
« Reply #10 on: Dec 7th, 2009, 12:44pm »
Quote | Modify

Hi DSU,
 
Glad it works!
 
The protection is to prevent a user from having the ALTER USER system privilege; without it he cannot set his onw default roles or any other users default roles. Oracle have silently allowed certain system privileges to work even if they are not granted such as ALTER SESSION where you can issue all comments except to set trace. With ALTER USER you can issue it to change your own password but not to set default roles:
 
SQL> connect system/xxxxxx@ora11
Connected.
SQL> create user rol identified by rol;
 
User created.
 
SQL> grant dba to rol;
 
Grant succeeded.
 
SQL> connect rol/rol@ora11
Connected.
SQL> select * from user_role_privs;
 
USERNAME        GRANTED_ROLE    ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
ROL        DBA        NO  YES NO
 
SQL> connect system/xxxxx@ora11
Connected.
SQL> alter user rol default role none;
 
User altered.
 
SQL> connect rol/rol@ora11
ERROR:
ORA-01045: user ROL lacks CREATE SESSION privilege; logon denied
 
 
Warning: You are no longer connected to ORACLE.
SQL> connect system/xxxxx@ora11
Connected.
SQL> grant create session to rol;
 
Grant succeeded.
 
SQL> connect rol/rol@ora11
Connected.
SQL> select * from user_role_privs;
 
USERNAME        GRANTED_ROLE    ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
ROL        DBA        NO  NO  NO
 
SQL> alter user rol default role all;
alter user rol default role all
*
ERROR at line 1:
ORA-01031: insufficient privileges
 
 
SQL> alter user rol identified by rol;
 
User altered.
 
SQL>
 
So basically dont allow any user to have ALTER USER.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: penetration test
« Reply #11 on: Dec 7th, 2009, 2:15pm »
Quote | Modify

I understand... but if search and find sql inj. on sys or other users with dba. I search try to search on *.sql scripts and *.ora maybe exist method to complet disable a alter user "default role ..." or this is a core function of oracle?
 
 
Thanks for answers Smiley
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues