[Dailydave] One Click Ownage [White Paper and Scripts]

Ferruh Mavituna ferruh at mavituna.com
Sat Jul 4 04:59:04 EDT 2009


>
> To sum up the paper: You base64 a callback executable into a VBS script and
> then send it over to be executed by xp_cmdshell.


Yeah, the whole idea was making it easier, and making it easier allows carrying
out new attacks such as combining it with CSRF. Even better, you don't have
to configure an application to carry out such an attack; you just need to
copy and paste a request. So it's a big optimization over any known way to do
this.


> is something that injects into SQL Server and then can be talked to with
> MOSDEF or some other ping-pong protocol via the initial SQL Injection so you
> can get real access to the DB layer.
>

You can send any executable you want (*if it's too big you might need to
split the request*), so you might use DNS tunnelling. Most database
servers can still resolve DNS, so it should be all right; otherwise you're stuck
with less efficient ways to get an interactive shell.


2009/7/4 Dave Aitel <dave at kof.immunityinc.com>

> To sum up the paper: You base64 a callback executable into a VBS script and
> then send it over to be executed by xp_cmdshell.
>
> What would be more useful, since DB servers are rarely routable to the
> internet, is something that injects into SQL Server and then can be talked
> to with MOSDEF or some other ping-pong protocol via the initial SQL
> Injection so you can get real access to the DB layer. This wouldn't be that
> hard really.
>
>
> -dave
>
> On Fri, Jul 3, 2009 at 6:49 AM, Ferruh Mavituna <ferruh at mavituna.com> wrote:
>
>> This is a different and more practical approach to get a reverse shell or
>> code execution in SQL Injections (*particularly in MSSQL*). The idea is
>> simple: getting a reverse shell from an SQL Injection with one HTTP request,
>> without using an extra channel such as TFTP or FTP to upload the initial
>> payload.
>>
>> The white paper explains the steps and the details of the attack. The scripts
>> have all the tools you need to create your HTTP request with your own payload.
>>
>>
>> *White Paper:* http://ferruh.mavituna.com/papers/oneclickownage.pdf
>>
>> *Scripts:* http://ferruh.mavituna.com/papers/OneClickOwnageScripts.zip
>>
>> *Presentation (IT Underground 2009):*
>> http://www.slideshare.net/fmavituna/one-click-ownage-1660539
>>
>>
>>
>> Regards,
>>
>>
>> --
>> http://ferruh.mavituna.com
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
>>
>
>


-- 
http://ferruh.mavituna.com
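As an added example (not part of the thread, the paper or its scripts), a small detector for the request shape discussed above: a single HTTP request that invokes `xp_cmdshell` and carries a long base64 blob, which is the footprint left in a web server's access log. The log lines are constructed, and the 40-character base64 run used as a threshold is an assumed value, not one from the paper.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined-log style), not real traffic.
# Line 2 shows the one-request pattern: xp_cmdshell plus a long base64 run.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jul/2009:10:01:02 +0000] "GET /product.asp?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [04/Jul/2009:10:01:07 +0000] "GET /product.asp?id=42%27%3Bexec+master..xp_cmdshell+%27echo+TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0h+%3E%3Ec.txt%27-- HTTP/1.1" 500 0
10.0.0.7 - - [04/Jul/2009:10:02:11 +0000] "POST /login.asp HTTP/1.1" 302 0
"""

XP_CMDSHELL = re.compile(r"xp_cmdshell", re.IGNORECASE)
# A run of 40+ base64-alphabet characters; ordinary query parameters are far shorter.
B64_MIN_RUN = 40  # assumed threshold
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % B64_MIN_RUN)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_request_target(line):
    """Extract the request target from a log line and URL-decode it twice,
    since injected payloads are often double-encoded."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    return unquote_plus(unquote_plus(m.group(1)))

def classify(line):
    """Return 'clean', 'xp_cmdshell', 'xp_cmdshell+payload' or 'unparsed'."""
    target = decode_request_target(line)
    if target is None:
        return "unparsed"
    has_xp = bool(XP_CMDSHELL.search(target))
    longest = max((len(m.group(0)) for m in B64_RUN.finditer(target)), default=0)
    if has_xp and longest >= B64_MIN_RUN:
        return "xp_cmdshell+payload"
    if has_xp:
        return "xp_cmdshell"
    return "clean"

def scan(log_text):
    """Return (line number, verdict) for every non-clean line in the log."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        verdict = classify(line)
        if verdict != "clean":
            hits.append((lineno, verdict))
    return hits

if __name__ == "__main__":
    for lineno, verdict in scan(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}")
```

A split payload (the "too big" case mentioned above) would show up as several `xp_cmdshell+payload` hits from the same source within a short window, so grouping hits by client address is the natural next step.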