SlideShare a Scribd company logo

Expanding the control over the operating system from the database

Bernardo Damele A. G.
Bernardo Damele A. G.

Using a database, either via a SQL injection or via direct connection, as a stepping stone to control the underlying operating system can be achieved. There is much to say on operating system control by owning a database server: Windows registry access, anti-forensics technique to establish an out-of-band stealth connection, buffer overflow exploitation with memory protections bypass and custom user-defined function injection. These slides have been presented at SOURCE Conference in Barcelona on September 21, 2009.

1 of 31

Download presentation

Your download has started
Downloaded 772 times
1
Expanding the control over the operating system from the database Bernardo Damele Assumpção Guimarães Guido Landi Barcelona (Spain) – September 21, 2009
2
Who we are Bernardo Damele Assumpção Guimarães Proud father Penetration tester / security researcher at Portcullis Computer Security Ltd sqlmap lead developer Guido Landi Reverse engineer Exploit writer Vulnerability researcher SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 2
3
Introduction Database management systems are powerful applications Store and interact with data Interact with the file system and operating system When they can’t by design, you can force them to When they can’t due to limited user’s privileges, you can exploit them! SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 3
4
Scenario You have got access to a database Direct access – provided account, weak passwords, brute-forcing credentials SQL injection – web application, stand-alone client, cash machine ☺, … What to do now other than enumerating data? Own the underlying operating system Why not even other servers within the DMZ? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 4
5
State of art – File system access Microsoft SQL Server Read: BULK INSERT Write: xp_cmdshell / debug.exe MySQL Read: LOAD_FILE() Write: SELECT … INTO DUMPFILE PostgreSQL Read: COPY / UDF Write: Large object’s lo_export() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 5
6
State of art – Command execution Microsoft SQL Server OPENROWSET can be abused to escalate privileges Built-in xp_cmdshell to execute commands Oracle If you find a SQL injection in a function owned by SYS and with authid definer, you can run PL/SQL as SYS Many ways to execute commands. Example: DBMS_EXPORT_EXTENSION package’s GET_DOMAIN_INDEX_TABLES() function SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 6
7
State of art – Command execution MySQL and PostgreSQL support user-defined functions: custom function that can be evaluated in SQL statements UDF can be created from shared libraries that are compiled binary files Dynamic-link library on Windows Shared object on Linux PostgreSQL supports also procedural languages SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 7
8
Demonstration Operating system command execution by exploiting a SQL injection vulnerability in a web application Further information on these techniques can be found on http://tinyurl.com/sqlmap1 SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 8
9
More than command execution Owning the underlying operating system is not only about command execution Full-duplex connection between the attacker host and the database server Database used as a stepping stone to establish this covert channel Shell, Meterpreter, VNC – http://metasploit.com DNS tunnel – http://heyoka.sourceforge.net SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 9
10
Establish the channel On your box Forge a stand-alone payload stager with msfpayload Encode it with msfencode to bypass AV Run msfcli with multi/handler exploit On the database server Upload it to the file system temporary folder Execute it via UDF, xp_cmdshell, … SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 10
11
Getting stealth Anti-forensics technique as an option to upload the stand-alone payload stager executable On your box Forge a shellcode with msfpayload Encode it with msfencode Run msfcli with multi/handler exploit On the database Create a UDF that executes a payload in-memory Execute the UDF providing the payload as a parameter SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 11
Most read
12
User-defined function sys_bineval() Execute an arbitrary payload from the database management system memory Features Works in DEP/NX-enabled systems Supports alphanumeric payloads Protects the DBMS if the payload crashes It does not fork a new process SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 12
13
sys_bineval() vs DEP/NX Use VirtualAlloc() to allocate an +RWX memory region code = (char *) VirtualAlloc(NULL, 4096, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 13
14
sys_bineval() and alphanum payloads Metasploit’s msfencode has alphanumeric encoders to encode the payload Problem: It is not able to produce pure alphanumeric payloads due to get_pc() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 14
15
sys_bineval() and alphanum payloads Solution: Use the BufferRegister option ./msfencode BufferRegister=EAX –e x86/alpha_mixed … Put the payload address in EAX register __asm { MOV EAX, [lpPayload] CALL EAX } SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 15
Most read
16
sys_bineval(): avoid DBMS crash Spawn a new thread WaitForSingleObject(CreateThread(NULL, 0, ExecPayload, CodePointer, 0, &pID), INFINITE); Wrap the payload in a SEH frame __try { __asm { MOV EAX, [lpPayload] CALL EAX } } SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 16
Most read
17
Demonstration Exploit a SQL injection vulnerability in a web application to establish an out-of-band channel in-memory via a custom UDF SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 17
18
Hands on the Windows registry Microsoft SQL Server Built-in stored procedures, xp_reg(read|write|delete) MySQL and PostgreSQL Upload and execute a bat file that executes reg (query|add|delete) Upload and execute a file and pass it to regedit SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 18
19
MS09-004: Memory corruption Discovered by Bernhard Mueller, it affects Microsoft SQL Server up to 2005 SP2 Triggered by a call to sp_replwritetovarbin No authentication and no privileges needed "Limited Memory Overwrite Vulnerability" could allow remote code execution "Limited Memory Overwrite"… Actually a pretty huge heap-based buffer overflow, ~4000 bytes SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 19
20
Exploiting MS09-004 Target heap metadata Could be hard/unreliable even if Microsoft SQL Server uses a custom allocator Target application specific data Function pointers, C++ object pointers, etc. Luckily for us Microsoft SQL Server tries hard to not crash by graceful handling exceptions… SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 20
21
Exploiting MS09-004 …this gives us more than one code path to achieve code execution: An almost arbitrary 4-bytes overwrite: MOV DWORD PTR DS:[EAX+4], EDI An object pointer overwrite: MOV EDX,DWORD PTR DS:[ESI] [...] MOV EAX,DWORD PTR DS:[EDX+10] [...] CALL EAX SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 21
22
Bypass hardware-enforced DEP Use ret2libc to call ZwSetInformationProcess() Make ESP point to our buffer: PUSH ESI POP ESP RET No need for a fake stack frame, just return in the middle of LdrpCheckNXCompatibility() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 22
23
Bypass hardware-enforced DEP LdrpCheckNXCompatibility() […] MOV DWORD PTR SS:[EBP-4],2 PUSH 4 LEA EAX,DWORD PTR SS:[EBP-4] PUSH EAX PUSH 22 PUSH -1 CALL ntdll.ZwSetInformationProcess […] DEP is now disabled for the current process …then jump to the shellcode. Game over? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 23
24
Avoid crash The original stack address is gone, ESP and EBP point to our buffer Even if Microsoft SQL Server tries hard to handle exceptions, it will eventually crash We need to restore ESP and EBP Is there a generic way? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 24
25
Thread Environment Block TEB stores information about the currently running thread: 0:000> !teb TEB at 7ffdd000 ExceptionList: 0012fd04 StackBase: 00130000 StackLimit: 0012e000 SubSystemTib: 00000000 FiberData: 00001e00 ArbitraryUserPointer: 00000000 Self: 7ffdd000 EnvironmentPointer: 00000000 ClientId: 00000d2c RpcHandle: 00000000 Tls Storage: 00000000 […] SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 25
26
TEB: Restore the Stack Pointer(s) Contains 3 pointers to the current thread’s stack Addressable through the FS segment register Just prepend the shellcode with a little stub: MOV ESP, DWORD PTR FS:[0] MOV EBP, ESP SUB ESP, 20 Game Over! SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 26
27
Demonstration Own the system by exploiting MS09-004 vulnerability via a SQL injection vulnerability in a web application with back-end Microsoft SQL Server SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 27
28
But… Wasn’t it meant to deal with data? Once you get access to a database you can compromise the whole system in most cases With a comfortable, fast and stable channel Once you have access to the system you can escalate privileges (token kidnapping, software bugs, kernel flaws, weak privileges, etc.) When you are root/Administrator/SYSTEM you can crack users’ passwords or impersonate them to get access to other servers within the network perimeter SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 28
29
Credits Our mums for buying our first pre-school computers Alessandro Tanasi and Oliver Gruskovnjak for the technical discussions skape and skywing for their paper on DEP bypass H D Moore and the Metasploit development team Stacy Thayer and the SOURCE Conference team SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 29
30
Questions? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 30
31
Thanks for your attention! Bernardo Damele Assumpção Guimarães bernardo.damele@gmail.com bda@portcullis-security.com http://bernardodamele.blogspot.com http://sqlmap.sourceforge.net Guido Landi lists@keamera.org http://www.pornosecurity.org http://milw0rm.com/author/1413 SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 31
Expanding the control over the operating system from the database Bernardo Damele Assumpção Guimarães Guido Landi Barcelona (Spain) – September 21, 2009
Who we are Bernardo Damele Assumpção Guimarães Proud father Penetration tester / security researcher at Portcullis Computer Security Ltd sqlmap lead developer Guido Landi Reverse engineer Exploit writer Vulnerability researcher SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 2
Introduction Database management systems are powerful applications Store and interact with data Interact with the file system and operating system When they can’t by design, you can force them to When they can’t due to limited user’s privileges, you can exploit them! SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 3
Scenario You have got access to a database Direct access – provided account, weak passwords, brute-forcing credentials SQL injection – web application, stand-alone client, cash machine ☺, … What to do now other than enumerating data? Own the underlying operating system Why not even other servers within the DMZ? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 4
State of art – File system access Microsoft SQL Server Read: BULK INSERT Write: xp_cmdshell / debug.exe MySQL Read: LOAD_FILE() Write: SELECT … INTO DUMPFILE PostgreSQL Read: COPY / UDF Write: Large object’s lo_export() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 5
State of art – Command execution Microsoft SQL Server OPENROWSET can be abused to escalate privileges Built-in xp_cmdshell to execute commands Oracle If you find a SQL injection in a function owned by SYS and with authid definer, you can run PL/SQL as SYS Many ways to execute commands. Example: DBMS_EXPORT_EXTENSION package’s GET_DOMAIN_INDEX_TABLES() function SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 6
State of art – Command execution MySQL and PostgreSQL support user-defined functions: custom function that can be evaluated in SQL statements UDF can be created from shared libraries that are compiled binary files Dynamic-link library on Windows Shared object on Linux PostgreSQL supports also procedural languages SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 7
Demonstration Operating system command execution by exploiting a SQL injection vulnerability in a web application Further information on these techniques can be found on http://tinyurl.com/sqlmap1 SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 8
More than command execution Owning the underlying operating system is not only about command execution Full-duplex connection between the attacker host and the database server Database used as a stepping stone to establish this covert channel Shell, Meterpreter, VNC – http://metasploit.com DNS tunnel – http://heyoka.sourceforge.net SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 9
Establish the channel On your box Forge a stand-alone payload stager with msfpayload Encode it with msfencode to bypass AV Run msfcli with multi/handler exploit On the database server Upload it to the file system temporary folder Execute it via UDF, xp_cmdshell, … SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 10
Getting stealth Anti-forensics technique as an option to upload the stand-alone payload stager executable On your box Forge a shellcode with msfpayload Encode it with msfencode Run msfcli with multi/handler exploit On the database Create a UDF that executes a payload in-memory Execute the UDF providing the payload as a parameter SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 11
User-defined function sys_bineval() Execute an arbitrary payload from the database management system memory Features Works in DEP/NX-enabled systems Supports alphanumeric payloads Protects the DBMS if the payload crashes It does not fork a new process SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 12
sys_bineval() vs DEP/NX Use VirtualAlloc() to allocate an +RWX memory region code = (char *) VirtualAlloc(NULL, 4096, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 13
sys_bineval() and alphanum payloads Metasploit’s msfencode has alphanumeric encoders to encode the payload Problem: It is not able to produce pure alphanumeric payloads due to get_pc() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 14
sys_bineval() and alphanum payloads Solution: Use the BufferRegister option ./msfencode BufferRegister=EAX –e x86/alpha_mixed … Put the payload address in EAX register __asm { MOV EAX, [lpPayload] CALL EAX } SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 15
sys_bineval(): avoid DBMS crash Spawn a new thread WaitForSingleObject(CreateThread(NULL, 0, ExecPayload, CodePointer, 0, &pID), INFINITE); Wrap the payload in a SEH frame __try { __asm { MOV EAX, [lpPayload] CALL EAX } } SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 16
Demonstration Exploit a SQL injection vulnerability in a web application to establish an out-of-band channel in-memory via a custom UDF SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 17
Hands on the Windows registry Microsoft SQL Server Built-in stored procedures, xp_reg(read|write|delete) MySQL and PostgreSQL Upload and execute a bat file that executes reg (query|add|delete) Upload and execute a file and pass it to regedit SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 18
MS09-004: Memory corruption Discovered by Bernhard Mueller, it affects Microsoft SQL Server up to 2005 SP2 Triggered by a call to sp_replwritetovarbin No authentication and no privileges needed "Limited Memory Overwrite Vulnerability" could allow remote code execution "Limited Memory Overwrite"… Actually a pretty huge heap-based buffer overflow, ~4000 bytes SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 19
Exploiting MS09-004 Target heap metadata Could be hard/unreliable even if Microsoft SQL Server uses a custom allocator Target application specific data Function pointers, C++ object pointers, etc. Luckily for us Microsoft SQL Server tries hard to not crash by graceful handling exceptions… SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 20
Exploiting MS09-004 …this gives us more than one code path to achieve code execution: An almost arbitrary 4-bytes overwrite: MOV DWORD PTR DS:[EAX+4], EDI An object pointer overwrite: MOV EDX,DWORD PTR DS:[ESI] [...] MOV EAX,DWORD PTR DS:[EDX+10] [...] CALL EAX SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 21
Bypass hardware-enforced DEP Use ret2libc to call ZwSetInformationProcess() Make ESP point to our buffer: PUSH ESI POP ESP RET No need for a fake stack frame, just return in the middle of LdrpCheckNXCompatibility() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 22
Bypass hardware-enforced DEP LdrpCheckNXCompatibility() […] MOV DWORD PTR SS:[EBP-4],2 PUSH 4 LEA EAX,DWORD PTR SS:[EBP-4] PUSH EAX PUSH 22 PUSH -1 CALL ntdll.ZwSetInformationProcess […] DEP is now disabled for the current process …then jump to the shellcode. Game over? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 23
Avoid crash The original stack address is gone, ESP and EBP point to our buffer Even if Microsoft SQL Server tries hard to handle exceptions, it will eventually crash We need to restore ESP and EBP Is there a generic way? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 24
Thread Environment Block TEB stores information about the currently running thread: 0:000> !teb TEB at 7ffdd000 ExceptionList: 0012fd04 StackBase: 00130000 StackLimit: 0012e000 SubSystemTib: 00000000 FiberData: 00001e00 ArbitraryUserPointer: 00000000 Self: 7ffdd000 EnvironmentPointer: 00000000 ClientId: 00000d2c RpcHandle: 00000000 Tls Storage: 00000000 […] SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 25
TEB: Restore the Stack Pointer(s) Contains 3 pointers to the current thread’s stack Addressable through the FS segment register Just prepend the shellcode with a little stub: MOV ESP, DWORD PTR FS:[0] MOV EBP, ESP SUB ESP, 20 Game Over! SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 26
Demonstration Own the system by exploiting MS09-004 vulnerability via a SQL injection vulnerability in a web application with back-end Microsoft SQL Server SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 27
But… Wasn’t it meant to deal with data? Once you get access to a database you can compromise the whole system in most cases With a comfortable, fast and stable channel Once you have access to the system you can escalate privileges (token kidnapping, software bugs, kernel flaws, weak privileges, etc.) When you are root/Administrator/SYSTEM you can crack users’ passwords or impersonate them to get access to other servers within the network perimeter SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 28
Credits Our mums for buying our first pre-school computers Alessandro Tanasi and Oliver Gruskovnjak for the technical discussions skape and skywing for their paper on DEP bypass H D Moore and the Metasploit development team Stacy Thayer and the SOURCE Conference team SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 29
Questions? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 30
Thanks for your attention! Bernardo Damele Assumpção Guimarães bernardo.damele@gmail.com bda@portcullis-security.com http://bernardodamele.blogspot.com http://sqlmap.sourceforge.net Guido Landi lists@keamera.org http://www.pornosecurity.org http://milw0rm.com/author/1413 SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 31

Recommended

Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
Miroslav Stampar
 
Heuristic methods used in sqlmap
Heuristic methods used in sqlmapHeuristic methods used in sqlmap
Heuristic methods used in sqlmap
Miroslav Stampar
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in Python
Miroslav Stampar
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
Herman Duarte
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!
Bernardo Damele A. G.
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
Raghav Bisht
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)
Bernardo Damele A. G.
 
sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the Hood
Miroslav Stampar
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
Bernardo Damele A. G.
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
Miroslav Stampar
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
Napendra Singh
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Mentorcs
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
Simone Onofri
 
Sql injection
Sql injectionSql injection
Sql injection
Zidh
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
SongchaiDuangpan
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
SQL injection
SQL injectionSQL injection
SQL injection
Raj Parmar
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)
Miroslav Stampar
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
RajKumar Rampelli
 
sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?
Miroslav Stampar
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflows
drewz lin
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
Francisco Ribeiro
 
Sql injection
Sql injectionSql injection
Sql injection
Sasha-Leigh Garret
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
Prateek Chauhan
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Sam Thomas
 

More Related Content

What's hot (20)

sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the Hood
Miroslav Stampar
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
Bernardo Damele A. G.
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
Miroslav Stampar
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
Napendra Singh
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Mentorcs
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
Simone Onofri
 
Sql injection
Sql injectionSql injection
Sql injection
Zidh
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
SongchaiDuangpan
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
SQL injection
SQL injectionSQL injection
SQL injection
Raj Parmar
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)
Miroslav Stampar
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
RajKumar Rampelli
 
sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?
Miroslav Stampar
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflows
drewz lin
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
Francisco Ribeiro
 
Sql injection
Sql injectionSql injection
Sql injection
Sasha-Leigh Garret
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
Prateek Chauhan
 
sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the Hood
Miroslav Stampar
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
Bernardo Damele A. G.
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
Miroslav Stampar
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
Napendra Singh
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Mentorcs
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
Simone Onofri
 
Sql injection
Sql injectionSql injection
Sql injection
Zidh
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
SongchaiDuangpan
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
SQL injection
SQL injectionSQL injection
SQL injection
Raj Parmar
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)
Miroslav Stampar
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
RajKumar Rampelli
 
sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?
Miroslav Stampar
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflows
drewz lin
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
Francisco Ribeiro
 
Sql injection
Sql injectionSql injection
Sql injection
Sasha-Leigh Garret
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
Prateek Chauhan
 

Viewers also liked (20)

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Sam Thomas
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
Daniel Bohannon
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
__x86
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
_mr_me
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
_mr_me
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
Peter Hlavaty
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)
Bernardo Damele A. G.
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)
Bernardo Damele A. G.
 
Index chrome
Index chromeIndex chrome
Index chrome
Heverton Peres
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
Bernardo Damele A. G.
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CanSecWest
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CanSecWest
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CanSecWest
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
Antonio Parata
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internals
Bernardo Damele A. G.
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Sam Thomas
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
Daniel Bohannon
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
__x86
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
_mr_me
 
D2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocatorD2 t2 steven seeley - ghost in the windows 7 allocator
D2 t2 steven seeley - ghost in the windows 7 allocator
_mr_me
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
Peter Hlavaty
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)
Bernardo Damele A. G.
 
Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)Advanced SQL injection to operating system full control (short version)
Advanced SQL injection to operating system full control (short version)
Bernardo Damele A. G.
 
Index chrome
Index chromeIndex chrome
Index chrome
Heverton Peres
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
Bernardo Damele A. G.
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CanSecWest
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CanSecWest
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CanSecWest
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
Antonio Parata
 
SQL injection exploitation internals
SQL injection exploitation internalsSQL injection exploitation internals
SQL injection exploitation internals
Bernardo Damele A. G.
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group
 

Similar to Expanding the control over the operating system from the database (20)

Programming for Lego Mindstorms using Eclipse to take you back to your childh...
Programming for Lego Mindstorms using Eclipse to take you back to your childh...Programming for Lego Mindstorms using Eclipse to take you back to your childh...
Programming for Lego Mindstorms using Eclipse to take you back to your childh...
Benjamin Cabé
 
Readme
ReadmeReadme
Readme
rec2006
 
Php classes in mumbai
Php classes in mumbaiPhp classes in mumbai
Php classes in mumbai
aadi Surve
 
Squeak DBX
Squeak DBXSqueak DBX
Squeak DBX
ESUG
 
Come costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e JavaCome costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e Java
Codemotion
 
Dessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloudDessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloud
Massimiliano Dessì
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholm
Jameel Nabbo
 
Handout2o
Handout2oHandout2o
Handout2o
Shahbaz Sidhu
 
UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70
UGIF
 
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Nicolas Desachy
 
Sql Injection 0wning Enterprise
Sql Injection 0wning EnterpriseSql Injection 0wning Enterprise
Sql Injection 0wning Enterprise
n|u - The Open Security Community
 
Visual studio.net
Visual studio.netVisual studio.net
Visual studio.net
Satish Verma
 
Mainframe Technology Overview
Mainframe Technology OverviewMainframe Technology Overview
Mainframe Technology Overview
Haim Ben Zagmi
 
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Alex Thissen
 
Lec 04 intro assembly
Lec 04 intro assemblyLec 04 intro assembly
Lec 04 intro assembly
Abdul Khan
 
Building Hopsworks, a cloud-native managed feature store for machine learning
Building Hopsworks, a cloud-native managed feature store for machine learning Building Hopsworks, a cloud-native managed feature store for machine learning
Building Hopsworks, a cloud-native managed feature store for machine learning
Jim Dowling
 
kubernetes for beginners
kubernetes for beginnerskubernetes for beginners
kubernetes for beginners
Dominique Dumont
 
Windows PowerShell
Windows PowerShellWindows PowerShell
Windows PowerShell
Orbit One - We create coherence
 
LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1
Hajime Tazaki
 
New Features for Multitenant in Oracle Database 21c
New Features for Multitenant in Oracle Database 21cNew Features for Multitenant in Oracle Database 21c
New Features for Multitenant in Oracle Database 21c
Markus Flechtner
 
Programming for Lego Mindstorms using Eclipse to take you back to your childh...
Programming for Lego Mindstorms using Eclipse to take you back to your childh...Programming for Lego Mindstorms using Eclipse to take you back to your childh...
Programming for Lego Mindstorms using Eclipse to take you back to your childh...
Benjamin Cabé
 
Readme
ReadmeReadme
Readme
rec2006
 
Php classes in mumbai
Php classes in mumbaiPhp classes in mumbai
Php classes in mumbai
aadi Surve
 
Squeak DBX
Squeak DBXSqueak DBX
Squeak DBX
ESUG
 
Come costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e JavaCome costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e Java
Codemotion
 
Dessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloudDessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloud
Massimiliano Dessì
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholm
Jameel Nabbo
 
Handout2o
Handout2oHandout2o
Handout2o
Shahbaz Sidhu
 
UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70UGIF 12 2010 - features11.70
UGIF 12 2010 - features11.70
UGIF
 
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Informix User Group France - 30/11/2010 - Fonctionalités IDS 11.7
Nicolas Desachy
 
Sql Injection 0wning Enterprise
Sql Injection 0wning EnterpriseSql Injection 0wning Enterprise
Sql Injection 0wning Enterprise
n|u - The Open Security Community
 
Visual studio.net
Visual studio.netVisual studio.net
Visual studio.net
Satish Verma
 
Mainframe Technology Overview
Mainframe Technology OverviewMainframe Technology Overview
Mainframe Technology Overview
Haim Ben Zagmi
 
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Alex Thissen
 
Lec 04 intro assembly
Lec 04 intro assemblyLec 04 intro assembly
Lec 04 intro assembly
Abdul Khan
 
Building Hopsworks, a cloud-native managed feature store for machine learning
Building Hopsworks, a cloud-native managed feature store for machine learning Building Hopsworks, a cloud-native managed feature store for machine learning
Building Hopsworks, a cloud-native managed feature store for machine learning
Jim Dowling
 
kubernetes for beginners
kubernetes for beginnerskubernetes for beginners
kubernetes for beginners
Dominique Dumont
 
Windows PowerShell
Windows PowerShellWindows PowerShell
Windows PowerShell
Orbit One - We create coherence
 
LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1
Hajime Tazaki
 
New Features for Multitenant in Oracle Database 21c
New Features for Multitenant in Oracle Database 21cNew Features for Multitenant in Oracle Database 21c
New Features for Multitenant in Oracle Database 21c
Markus Flechtner
 

Recently uploaded (20)

Gihbli AI and Geo sitution |use/misuse of Ai Technology
Gihbli AI and Geo sitution |use/misuse of Ai TechnologyGihbli AI and Geo sitution |use/misuse of Ai Technology
Gihbli AI and Geo sitution |use/misuse of Ai Technology
zainkhurram1111
 
Introducing Ensemble Cloudlet vRouter
Introducing Ensemble Cloudlet vRouterIntroducing Ensemble Cloudlet vRouter
Introducing Ensemble Cloudlet vRouter
Adtran
 
ECS25 - The adventures of a Microsoft 365 Platform Owner - Website.pptx
ECS25 - The adventures of a Microsoft 365 Platform Owner - Website.pptxECS25 - The adventures of a Microsoft 365 Platform Owner - Website.pptx
ECS25 - The adventures of a Microsoft 365 Platform Owner - Website.pptx
Jasper Oosterveld
 
Multistream in SIP and NoSIP @ OpenSIPS Summit 2025
Multistream in SIP and NoSIP @ OpenSIPS Summit 2025Multistream in SIP and NoSIP @ OpenSIPS Summit 2025
Multistream in SIP and NoSIP @ OpenSIPS Summit 2025
Lorenzo Miniero
 
Dr Jimmy Schwarzkopf presentation on the SUMMIT 2025 A
Dr Jimmy Schwarzkopf presentation on the SUMMIT 2025 ADr Jimmy Schwarzkopf presentation on the SUMMIT 2025 A
Dr Jimmy Schwarzkopf presentation on the SUMMIT 2025 A
Dr. Jimmy Schwarzkopf
 
Splunk Leadership Forum Wien - 20.05.2025
Splunk Leadership Forum Wien - 20.05.2025Splunk Leadership Forum Wien - 20.05.2025
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
Offshore IT Support: Balancing In-House and Offshore Help Desk Technicians
Offshore IT Support: Balancing In-House and Offshore Help Desk TechniciansOffshore IT Support: Balancing In-House and Offshore Help Desk Technicians
Offshore IT Support: Balancing In-House and Offshore Help Desk Technicians
john823664
 
Contributing to WordPress With & Without Code.pptx
Contributing to WordPress With & Without Code.pptxContributing to WordPress With & Without Code.pptx
Contributing to WordPress With & Without Code.pptx
Patrick Lumumba
 
Cyber Security Legal Framework in Nepal.pptx
Cyber Security Legal Framework in Nepal.pptxCyber Security Legal Framework in Nepal.pptx
Cyber Security Legal Framework in Nepal.pptx
Ghimire B.R.
 
Master tester AI toolbox - Kari Kakkonen at Testaus ja AI 2025 Professio
Master tester AI toolbox - Kari Kakkonen at Testaus ja AI 2025 ProfessioMaster tester AI toolbox - Kari Kakkonen at Testaus ja AI 2025 Professio
Master tester AI toolbox - Kari Kakkonen at Testaus ja AI 2025 Professio
Kari Kakkonen
 
Talk: On an adventure into the depths of Maven - Kaya Weers
Talk: On an adventure into the depths of Maven - Kaya WeersTalk: On an adventure into the depths of Maven - Kaya Weers
Talk: On an adventure into the depths of Maven - Kaya Weers
Kaya Weers
 
Microsoft Build 2025 takeaways in one presentation
Microsoft Build 2025 takeaways in one presentationMicrosoft Build 2025 takeaways in one presentation
Microsoft Build 2025 takeaways in one presentation
Digitalmara
 
Cognitive Chasms - A Typology of GenAI Failure Failure Modes
Cognitive Chasms - A Typology of GenAI Failure Failure ModesCognitive Chasms - A Typology of GenAI Failure Failure Modes
Cognitive Chasms - A Typology of GenAI Failure Failure Modes
Dr. Tathagat Varma
 
Create Your First AI Agent with UiPath Agent Builder
Create Your First AI Agent with UiPath Agent BuilderCreate Your First AI Agent with UiPath Agent Builder
Create Your First AI Agent with UiPath Agent Builder
DianaGray10
 
Agentic AI Explained: The Next Frontier of Autonomous Intelligence & Generati...
Agentic AI Explained: The Next Frontier of Autonomous Intelligence & Generati...Agentic AI Explained: The Next Frontier of Autonomous Intelligence & Generati...
Agentic AI Explained: The Next Frontier of Autonomous Intelligence & Generati...
Aaryan Kansari
 
SDG 9000 Series: Unleashing multigigabit everywhere
SDG 9000 Series: Unleashing multigigabit everywhereSDG 9000 Series: Unleashing multigigabit everywhere
SDG 9000 Series: Unleashing multigigabit everywhere
Adtran
 
Grannie’s Journey to Using Healthcare AI Experiences
Grannie’s Journey to Using Healthcare AI ExperiencesGrannie’s Journey to Using Healthcare AI Experiences
Grannie’s Journey to Using Healthcare AI Experiences
Lauren Parr
 
MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCPMCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
Sambhav Kothari
 
Kubernetes Cloud Native Indonesia Meetup - May 2025
Kubernetes Cloud Native Indonesia Meetup - May 2025Kubernetes Cloud Native Indonesia Meetup - May 2025
Kubernetes Cloud Native Indonesia Meetup - May 2025
Prasta Maha
 
Dev Dives: System-to-system integration with UiPath API Workflows
Dev Dives: System-to-system integration with UiPath API WorkflowsDev Dives: System-to-system integration with UiPath API Workflows
Dev Dives: System-to-system integration with UiPath API Workflows
UiPathCommunity
 
Gihbli AI and Geo sitution |use/misuse of Ai Technology
Gihbli AI and Geo sitution |use/misuse of Ai TechnologyGihbli AI and Geo sitution |use/misuse of Ai Technology
Gihbli AI and Geo sitution |use/misuse of Ai Technology
zainkhurram1111
 
Introducing Ensemble Cloudlet vRouter
Introducing Ensemble Cloudlet vRouterIntroducing Ensemble Cloudlet vRouter
Introducing Ensemble Cloudlet vRouter
Adtran
 
ECS25 - The adventures of a Microsoft 365 Platform Owner - Website.pptx
ECS25 - The adventures of a Microsoft 365 Platform Owner - Website.pptxECS25 - The adventures of a Microsoft 365 Platform Owner - Website.pptx
ECS25 - The adventures of a Microsoft 365 Platform Owner - Website.pptx
Jasper Oosterveld
 
Multistream in SIP and NoSIP @ OpenSIPS Summit 2025
Multistream in SIP and NoSIP @ OpenSIPS Summit 2025Multistream in SIP and NoSIP @ OpenSIPS Summit 2025
Multistream in SIP and NoSIP @ OpenSIPS Summit 2025
Lorenzo Miniero
 
Dr Jimmy Schwarzkopf presentation on the SUMMIT 2025 A
Dr Jimmy Schwarzkopf presentation on the SUMMIT 2025 ADr Jimmy Schwarzkopf presentation on the SUMMIT 2025 A
Dr Jimmy Schwarzkopf presentation on the SUMMIT 2025 A
Dr. Jimmy Schwarzkopf
 
Splunk Leadership Forum Wien - 20.05.2025
Splunk Leadership Forum Wien - 20.05.2025Splunk Leadership Forum Wien - 20.05.2025
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
Offshore IT Support: Balancing In-House and Offshore Help Desk Technicians
Offshore IT Support: Balancing In-House and Offshore Help Desk TechniciansOffshore IT Support: Balancing In-House and Offshore Help Desk Technicians
Offshore IT Support: Balancing In-House and Offshore Help Desk Technicians
john823664
 
Contributing to WordPress With & Without Code.pptx
Contributing to WordPress With & Without Code.pptxContributing to WordPress With & Without Code.pptx
Contributing to WordPress With & Without Code.pptx
Patrick Lumumba
 
Cyber Security Legal Framework in Nepal.pptx
Cyber Security Legal Framework in Nepal.pptxCyber Security Legal Framework in Nepal.pptx
Cyber Security Legal Framework in Nepal.pptx
Ghimire B.R.
 
Master tester AI toolbox - Kari Kakkonen at Testaus ja AI 2025 Professio
Master tester AI toolbox - Kari Kakkonen at Testaus ja AI 2025 ProfessioMaster tester AI toolbox - Kari Kakkonen at Testaus ja AI 2025 Professio
Master tester AI toolbox - Kari Kakkonen at Testaus ja AI 2025 Professio
Kari Kakkonen
 
Talk: On an adventure into the depths of Maven - Kaya Weers
Talk: On an adventure into the depths of Maven - Kaya WeersTalk: On an adventure into the depths of Maven - Kaya Weers
Talk: On an adventure into the depths of Maven - Kaya Weers
Kaya Weers
 
Microsoft Build 2025 takeaways in one presentation
Microsoft Build 2025 takeaways in one presentationMicrosoft Build 2025 takeaways in one presentation
Microsoft Build 2025 takeaways in one presentation
Digitalmara
 
Cognitive Chasms - A Typology of GenAI Failure Failure Modes
Cognitive Chasms - A Typology of GenAI Failure Failure ModesCognitive Chasms - A Typology of GenAI Failure Failure Modes
Cognitive Chasms - A Typology of GenAI Failure Failure Modes
Dr. Tathagat Varma
 
Create Your First AI Agent with UiPath Agent Builder
Create Your First AI Agent with UiPath Agent BuilderCreate Your First AI Agent with UiPath Agent Builder
Create Your First AI Agent with UiPath Agent Builder
DianaGray10
 
Agentic AI Explained: The Next Frontier of Autonomous Intelligence & Generati...
Agentic AI Explained: The Next Frontier of Autonomous Intelligence & Generati...Agentic AI Explained: The Next Frontier of Autonomous Intelligence & Generati...
Agentic AI Explained: The Next Frontier of Autonomous Intelligence & Generati...
Aaryan Kansari
 
SDG 9000 Series: Unleashing multigigabit everywhere
SDG 9000 Series: Unleashing multigigabit everywhereSDG 9000 Series: Unleashing multigigabit everywhere
SDG 9000 Series: Unleashing multigigabit everywhere
Adtran
 
Grannie’s Journey to Using Healthcare AI Experiences
Grannie’s Journey to Using Healthcare AI ExperiencesGrannie’s Journey to Using Healthcare AI Experiences
Grannie’s Journey to Using Healthcare AI Experiences
Lauren Parr
 
MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCPMCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
MCP Dev Summit - Pragmatic Scaling of Enterprise GenAI with MCP
Sambhav Kothari
 
Kubernetes Cloud Native Indonesia Meetup - May 2025
Kubernetes Cloud Native Indonesia Meetup - May 2025Kubernetes Cloud Native Indonesia Meetup - May 2025
Kubernetes Cloud Native Indonesia Meetup - May 2025
Prasta Maha
 
Dev Dives: System-to-system integration with UiPath API Workflows
Dev Dives: System-to-system integration with UiPath API WorkflowsDev Dives: System-to-system integration with UiPath API Workflows
Dev Dives: System-to-system integration with UiPath API Workflows
UiPathCommunity
 

Expanding the control over the operating system from the database

  • 1. Expanding the control over the operating system from the database Bernardo Damele Assumpção Guimarães Guido Landi Barcelona (Spain) – September 21, 2009
  • 2. Who we are Bernardo Damele Assumpção Guimarães Proud father Penetration tester / security researcher at Portcullis Computer Security Ltd sqlmap lead developer Guido Landi Reverse engineer Exploit writer Vulnerability researcher SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 2
  • 3. Introduction Database management systems are powerful applications Store and interact with data Interact with the file system and operating system When they can’t by design, you can force them to When they can’t due to limited user’s privileges, you can exploit them! SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 3
  • 4. Scenario You have got access to a database Direct access – provided account, weak passwords, brute-forcing credentials SQL injection – web application, stand-alone client, cash machine ☺, … What to do now other than enumerating data? Own the underlying operating system Why not even other servers within the DMZ? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 4
  • 5. State of art – File system access Microsoft SQL Server Read: BULK INSERT Write: xp_cmdshell / debug.exe MySQL Read: LOAD_FILE() Write: SELECT … INTO DUMPFILE PostgreSQL Read: COPY / UDF Write: Large object’s lo_export() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 5
  • 6. State of art – Command execution Microsoft SQL Server OPENROWSET can be abused to escalate privileges Built-in xp_cmdshell to execute commands Oracle If you find a SQL injection in a function owned by SYS and with authid definer, you can run PL/SQL as SYS Many ways to execute commands. Example: DBMS_EXPORT_EXTENSION package’s GET_DOMAIN_INDEX_TABLES() function SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 6
  • 7. State of art – Command execution MySQL and PostgreSQL support user-defined functions: custom function that can be evaluated in SQL statements UDF can be created from shared libraries that are compiled binary files Dynamic-link library on Windows Shared object on Linux PostgreSQL supports also procedural languages SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 7
  • 8. Demonstration Operating system command execution by exploiting a SQL injection vulnerability in a web application Further information on these techniques can be found on http://tinyurl.com/sqlmap1 SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 8
  • 9. More than command execution Owning the underlying operating system is not only about command execution Full-duplex connection between the attacker host and the database server Database used as a stepping stone to establish this covert channel Shell, Meterpreter, VNC – http://metasploit.com DNS tunnel – http://heyoka.sourceforge.net SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 9
  • 10. Establish the channel On your box Forge a stand-alone payload stager with msfpayload Encode it with msfencode to bypass AV Run msfcli with multi/handler exploit On the database server Upload it to the file system temporary folder Execute it via UDF, xp_cmdshell, … SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 10
  • 11. Getting stealth Anti-forensics technique as an option to upload the stand-alone payload stager executable On your box Forge a shellcode with msfpayload Encode it with msfencode Run msfcli with multi/handler exploit On the database Create a UDF that executes a payload in-memory Execute the UDF providing the payload as a parameter SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 11
  • 12. User-defined function sys_bineval() Execute an arbitrary payload from the database management system memory Features Works in DEP/NX-enabled systems Supports alphanumeric payloads Protects the DBMS if the payload crashes It does not fork a new process SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 12
  • 13. sys_bineval() vs DEP/NX Use VirtualAlloc() to allocate an +RWX memory region code = (char *) VirtualAlloc(NULL, 4096, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 13
  • 14. sys_bineval() and alphanum payloads Metasploit’s msfencode has alphanumeric encoders to encode the payload Problem: It is not able to produce pure alphanumeric payloads due to get_pc() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 14
  • 15. sys_bineval() and alphanum payloads Solution: Use the BufferRegister option ./msfencode BufferRegister=EAX –e x86/alpha_mixed … Put the payload address in EAX register __asm { MOV EAX, [lpPayload] CALL EAX } SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 15
  • 16. sys_bineval(): avoid DBMS crash Spawn a new thread WaitForSingleObject(CreateThread(NULL, 0, ExecPayload, CodePointer, 0, &pID), INFINITE); Wrap the payload in a SEH frame __try { __asm { MOV EAX, [lpPayload] CALL EAX } } SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 16
  • 17. Demonstration Exploit a SQL injection vulnerability in a web application to establish an out-of-band channel in-memory via a custom UDF SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 17
  • 18. Hands on the Windows registry Microsoft SQL Server Built-in stored procedures, xp_reg(read|write|delete) MySQL and PostgreSQL Upload and execute a bat file that executes reg (query|add|delete) Upload and execute a file and pass it to regedit SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 18
  • 19. MS09-004: Memory corruption Discovered by Bernhard Mueller, it affects Microsoft SQL Server up to 2005 SP2 Triggered by a call to sp_replwritetovarbin No authentication and no privileges needed "Limited Memory Overwrite Vulnerability" could allow remote code execution "Limited Memory Overwrite"… Actually a pretty huge heap-based buffer overflow, ~4000 bytes SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 19
  • 20. Exploiting MS09-004 Target heap metadata Could be hard/unreliable even if Microsoft SQL Server uses a custom allocator Target application specific data Function pointers, C++ object pointers, etc. Luckily for us Microsoft SQL Server tries hard to not crash by graceful handling exceptions… SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 20
  • 21. Exploiting MS09-004 …this gives us more than one code path to achieve code execution: An almost arbitrary 4-bytes overwrite: MOV DWORD PTR DS:[EAX+4], EDI An object pointer overwrite: MOV EDX,DWORD PTR DS:[ESI] [...] MOV EAX,DWORD PTR DS:[EDX+10] [...] CALL EAX SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 21
  • 22. Bypass hardware-enforced DEP Use ret2libc to call ZwSetInformationProcess() Make ESP point to our buffer: PUSH ESI POP ESP RET No need for a fake stack frame, just return in the middle of LdrpCheckNXCompatibility() SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 22
  • 23. Bypass hardware-enforced DEP LdrpCheckNXCompatibility() […] MOV DWORD PTR SS:[EBP-4],2 PUSH 4 LEA EAX,DWORD PTR SS:[EBP-4] PUSH EAX PUSH 22 PUSH -1 CALL ntdll.ZwSetInformationProcess […] DEP is now disabled for the current process …then jump to the shellcode. Game over? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 23
  • 24. Avoid crash The original stack address is gone, ESP and EBP point to our buffer Even if Microsoft SQL Server tries hard to handle exceptions, it will eventually crash We need to restore ESP and EBP Is there a generic way? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 24
  • 25. Thread Environment Block TEB stores information about the currently running thread: 0:000> !teb TEB at 7ffdd000 ExceptionList: 0012fd04 StackBase: 00130000 StackLimit: 0012e000 SubSystemTib: 00000000 FiberData: 00001e00 ArbitraryUserPointer: 00000000 Self: 7ffdd000 EnvironmentPointer: 00000000 ClientId: 00000d2c RpcHandle: 00000000 Tls Storage: 00000000 […] SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 25
  • 26. TEB: Restore the Stack Pointer(s) Contains 3 pointers to the current thread’s stack Addressable through the FS segment register Just prepend the shellcode with a little stub: MOV ESP, DWORD PTR FS:[0] MOV EBP, ESP SUB ESP, 20 Game Over! SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 26
  • 27. Demonstration Own the system by exploiting MS09-004 vulnerability via a SQL injection vulnerability in a web application with back-end Microsoft SQL Server SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 27
  • 28. But… Wasn’t it meant to deal with data? Once you get access to a database you can compromise the whole system in most cases With a comfortable, fast and stable channel Once you have access to the system you can escalate privileges (token kidnapping, software bugs, kernel flaws, weak privileges, etc.) When you are root/Administrator/SYSTEM you can crack users’ passwords or impersonate them to get access to other servers within the network perimeter SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 28
  • 29. Credits Our mums for buying our first pre-school computers Alessandro Tanasi and Oliver Gruskovnjak for the technical discussions skape and skywing for their paper on DEP bypass H D Moore and the Metasploit development team Stacy Thayer and the SOURCE Conference team SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 29
  • 30. Questions? SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 30
  • 31. Thanks for your attention! Bernardo Damele Assumpção Guimarães bernardo.damele@gmail.com bda@portcullis-security.com http://bernardodamele.blogspot.com http://sqlmap.sourceforge.net Guido Landi lists@keamera.org http://www.pornosecurity.org http://milw0rm.com/author/1413 SOURCE Conference 2009, Barcelona (Spain) September 21, 2009 31

Download presentation

Your download has started