think differently about database hacking
play

Think differently about database hacking SELECT presenter FROM - PowerPoint PPT Presentation

Oct 20, 2023 •264 likes •1.27k views

Think differently about database hacking SELECT presenter FROM DeepSecSpeakers WHERE name = Lszl Tth ' and ' Ferenc Spala ' or 1=1-- 29/11/2012 @ DeepSec 2012 Thursday, November 29, 12 Who are we? @Work: Deloitte . Hungary Pentests,

  1. Think differently about database hacking SELECT presenter FROM DeepSecSpeakers WHERE name = László Tóth ' and ' Ferenc Spala ' or 1=1-- 29/11/2012 @ DeepSec 2012 Thursday, November 29, 12

  2. Who are we? • @Work: Deloitte . Hungary Pentests, Security audits, Config reviews, Consulting ... • László • 12+ years itsec • 5+ years Oracle research • Ferenc • 5+ years itsec • 3+ years database security • Members of Hacktivity Team • Co-founders of Hekkcamp Thursday, November 29, 12

  3. Where does the fun begin? Client world • Hacking the Oracle client Network world • Hijacking database connections Server world • Metasploit feat. oradebug • Using oradebug to get Meterpreter session • Using Metasploit to run oradebug commands MS world • Playing with MSSQL connections Thursday, November 29, 12

  4. Part 1 Hacking the Oracle client if you play with DLL injection you may find dirty things in the OCI driver Thursday, November 29, 12

  5. What’s the point? • DLL injection is pretty old • The OCI driver ships with symbol file C F K f o k r a m e d a r t d e r e t s i g e r a s i o g o l e h T • Hijacking the “connect” function is boring Thursday, November 29, 12

  6. Fancy, huh? • Debug the OCI driver • Get the interesting functions • Do some memory kung-fu • Wrap-up your DLL • Get/Write an injector & apply your hooks • Enjoy the silence Thursday, November 29, 12

  7. Fancy, huh? Beware when x64 in scope! • Debug the OCI driver • Get the interesting functions • Do some memory kung-fu • Wrap-up your DLL • Get/Write an injector & apply your hooks • Enjoy the silence Thursday, November 29, 12

  8. Fancy, huh? Beware when x64 in scope! • Debug the OCI driver OCIAttrSet, OCIServerAttach • Get the interesting functions • Do some memory kung-fu • Wrap-up your DLL • Get/Write an injector & apply your hooks • Enjoy the silence Thursday, November 29, 12

  9. Fancy, huh? Beware when x64 in scope! • Debug the OCI driver OCIAttrSet, OCIServerAttach • Get the interesting functions Follow the pointer that points a pointer.... • Do some memory kung-fu • Wrap-up your DLL • Get/Write an injector & apply your hooks • Enjoy the silence Thursday, November 29, 12

  10. Fancy, huh? Beware when x64 in scope! • Debug the OCI driver OCIAttrSet, OCIServerAttach • Get the interesting functions Follow the pointer that points a pointer.... • Do some memory kung-fu Different DLLs for different archs! • Wrap-up your DLL • Get/Write an injector & apply your hooks • Enjoy the silence Thursday, November 29, 12

  11. Fancy, huh? Beware when x64 in scope! • Debug the OCI driver OCIAttrSet, OCIServerAttach • Get the interesting functions Follow the pointer that points a pointer.... • Do some memory kung-fu Different DLLs for different archs! • Wrap-up your DLL Can be tricky in x64 envs! • Get/Write an injector & apply your hooks • Enjoy the silence Thursday, November 29, 12

  12. Fancy, huh? Beware when x64 in scope! • Debug the OCI driver OCIAttrSet, OCIServerAttach • Get the interesting functions Follow the pointer that points a pointer.... • Do some memory kung-fu Different DLLs for different archs! • Wrap-up your DLL Can be tricky in x64 envs! • Get/Write an injector & apply your hooks Most of the time you get nothing! • Enjoy the silence Thursday, November 29, 12

  13. So, what’s the point?? Get the username and the password from a single SQL statement execution m o c . g a g 9 / / : p t t h : e c r u o S Thursday, November 29, 12

  14. So, what’s the point?? Get the username and the password from a single SQL statement execution m o c . g a g 9 / / : p t t h : e c r u o S OCIStmtExecute is your friend Thursday, November 29, 12

  15. How? Thursday, November 29, 12

  16. How? Thursday, November 29, 12

  17. How? Thursday, November 29, 12

  18. Where is my golden egg? Thursday, November 29, 12

  19. Where is my golden egg? Thursday, November 29, 12

  20. Where is my golden egg? Points to the username Thursday, November 29, 12

  21. Where is my golden egg? Length of the username Points to the username Thursday, November 29, 12

  22. Where is my golden egg? Length of the username Points to the username Marker Thursday, November 29, 12

  23. Where is my golden egg? Length of the username Points to the username Marker Encryption key Thursday, November 29, 12

  24. Where is my golden egg? Length of the username Points to the username Marker Encryption key Encrypted password Thursday, November 29, 12

  25. Who should I shoot at? This security flaw lies in the OCI driver itself DEMO Thursday, November 29, 12

  26. Part 2 Hijacking Oracle sessions all roads lead to us Thursday, November 29, 12

  27. History • In 2009 pytnsproxy was released @ Hacktivity conference by László Tóth • Hijacking oracle sessions • Downgrading auth protocols • Log authentication data for o ffl ine brute-force • In 2012 tnspoison attack details were revealed by Joxean Koret • Great research paper • Working PoC Thursday, November 29, 12

  28. History • In 2009 pytnsproxy was released @ Hacktivity conference by László Tóth You have to redirect the client, e.g.: arp-cache poisoning • Hijacking oracle sessions • Downgrading auth protocols • Log authentication data for o ffl ine brute-force • In 2012 tnspoison attack details were revealed by Joxean Koret • Great research paper • Working PoC Thursday, November 29, 12

  29. History • In 2009 pytnsproxy was released @ Hacktivity conference by László Tóth You have to redirect the client, e.g.: arp-cache poisoning • Hijacking oracle sessions • Downgrading auth protocols • Log authentication data for o ffl ine brute-force • In 2012 tnspoison attack details were revealed by Joxean Koret • Great research paper It works with SIDs 6 characters long • Working PoC Thursday, November 29, 12

  30. What? Listener Victim tnspoison Thursday, November 29, 12

  31. What? Listener Connect Resend Connect Accept Victim tnspoison Thursday, November 29, 12

  32. What? Listener Authentication Victim Data tnspoison Thursday, November 29, 12

  33. What? Listener Victim tnspoison Thursday, November 29, 12

  34. What? Listener Register Register Victim tnspoison Thursday, November 29, 12

  35. What? Listener Connect Register Register Victim tnspoison Thursday, November 29, 12

  36. What? Listener Connect Redirect Register Register Victim tnspoison Thursday, November 29, 12

  37. What? Listener Connect Redirect Register Register Victim tnspoison proxy Thursday, November 29, 12

  38. What? Listener Connect There is no patch!! Redirect Register Register Victim tnspoison proxy Thursday, November 29, 12

  39. What? • You can redirect a certain percentage of the Oracle clients • The tra ffi c goes through you so you can do anything with it • Sni ff it • Alter it • Send your own SQL commands Thursday, November 29, 12

  40. What? • You can redirect a certain percentage of the Oracle clients • The tra ffi c goes through you so you can do anything with it • Sni ff it • Alter it This is where pytnsproxy can help you! • Send your own SQL commands Thursday, November 29, 12

  41. Hijack Victim Listener tnspoison pytnsproxy Attacker Thursday, November 29, 12

  42. Hijack Register Victim Listener tnspoison pytnsproxy Attacker Thursday, November 29, 12

  43. Hijack Register Victim Listener tnspoison Register pytnsproxy Attacker Thursday, November 29, 12

  44. Hijack Connect Register Victim Listener tnspoison Register pytnsproxy Attacker Thursday, November 29, 12

  45. Hijack Connect Register Victim Listener tnspoison Redirect Register pytnsproxy Attacker Thursday, November 29, 12

  46. Hijack Connect Register Victim Listener tnspoison Redirect Register Connect Connect pytnsproxy Attacker Thursday, November 29, 12

  47. Hijack Connect Register Victim Listener tnspoison Redirect Register Connect Auth Connect Authentication pytnsproxy Attacker Thursday, November 29, 12

  48. Hijack Connect Register Victim Listener tnspoison Redirect Register Connect Auth Data Connect Authentication pytnsproxy Data Attacker Thursday, November 29, 12

  49. Hijack Connect Register Victim Listener tnspoison Redirect Register pytnsproxy Attacker Thursday, November 29, 12

  50. Hijack Connect Register Victim Listener tnspoison Redirect Register Quit pytnsproxy Attacker Thursday, November 29, 12

  51. Hijack Connect Register Victim Listener tnspoison Redirect Register Quit pytnsproxy thread Attacker Thursday, November 29, 12

  52. Hijack Connect Register Victim Listener tnspoison Redirect Register Quit pytnsproxy thread Conn. simulation Attacker Thursday, November 29, 12

  53. Hijack Connect Register Victim Listener tnspoison Redirect Register Quit pytnsproxy thread Conn. simulation Auth. simulation Attacker Thursday, November 29, 12

  54. Hijack Connect Register Victim Listener tnspoison Redirect Register Quit Data pytnsproxy thread Conn. simulation Auth. simulation Data Attacker Thursday, November 29, 12

Recommend

Hacking and protecting Oracle Database Vault Esteban Martnez Fay Argeniss (www.argeniss.com)

Hacking and protecting Oracle Database Vault Esteban Martnez Fay Argeniss (www.argeniss.com)

Hacking and protecting Oracle Database Vault Esteban Martnez Fay Argeniss (www.argeniss.com) July 2010 Agenda Introduction to Oracle Database Vault What is Oracle Database Vault, What changes introduce, Oracle Database Vault

688 views • 49 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
SQL Hacking I NTRODUCTION Data theft is becoming a major threat. Criminals have identified

SQL Hacking I NTRODUCTION Data theft is becoming a major threat. Criminals have identified

SQL Hacking I NTRODUCTION Data theft is becoming a major threat. Criminals have identified where the gold is. In the last year many databases from fortune 500 companies were compromised. Database vulnerabilities affect all database

297 views • 8 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
ESNZ AGM PRESENTATION 2020 FOCUS TODAY Finances Thinking differently Post Covid-19

ESNZ AGM PRESENTATION 2020 FOCUS TODAY Finances Thinking differently Post Covid-19

ESNZ AGM PRESENTATION 2020 FOCUS TODAY Finances Thinking differently Post Covid-19 Strategic our why and our what Change the Rein Database Update General Regulation Changes Constitution Review

824 views • 36 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

486 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
Database Utilities 10/17/2007 DC/Win Database Utilities Opening Database Utilities From File on

Database Utilities 10/17/2007 DC/Win Database Utilities Opening Database Utilities From File on

Database Utilities 10/17/2007 DC/Win Database Utilities Opening Database Utilities From File on the Menu Bar DC/Win Database Utilities Options Vary Depending on Database Two Types of Databases Sequel (SQL) Database Access Database

460 views • 6 slides
Do Not Resuscitate! The Mode derni nise se or Die Challenge To Do Things Differently

Do Not Resuscitate! The Mode derni nise se or Die Challenge To Do Things Differently

Do Not Resuscitate! The Mode derni nise se or Die Challenge To Do Things Differently Mark Mark Farm armer r Industry Transformation Agenda Auckland, 6 th March 2018 Q: Why Do We Need To Do Things Differently? 2 A: Business

761 views • 46 slides
ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING TOOLKIT FREE, OPEN-SOURCE WHAT IS ZIGDIGGITY??? + = RaspBee radio + Raspberry Pi ZigDiggity - GitHub Code http://zigdiggity.com BISHOPFOX

617 views • 23 slides
Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020 HACKING C# - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET

481 views • 37 slides
Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi From Myself Associate Professor at UiO Teaching Ethical Hacking since 2012 Lecturer of the IN5290 Ethical Hacking at UiO Leader

878 views • 66 slides
Advanced Database CS 525: Organization? Advanced Database =Database Implementation

Advanced Database CS 525: Organization? Advanced Database =Database Implementation

Advanced Database CS 525: Organization? Advanced Database =Database Implementation Organization =How to implement a database system and have fun doing it ;-) 01: Introduction Boris Glavic Slides: adapted from a course taught by

199 views • 7 slides
Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

CLIMATE CHANGE IN HELTHCARE : Driving Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking engelen GIB DE MEDEIROS, PH.D. Digital Hospital Transformation Forum at HIC 2017 Brisbane, Australia HACKING

644 views • 27 slides
Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking Telco equipment: The HLR/HSS Laurent Ghigonis P1 Security 2014, Hackito Ergo Sum - Security Conference What are we talking about ? A mobile

724 views • 59 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a need-to-know basis.

688 views • 54 slides
NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk What is an RDBMS? A PostgreSQL database is not just kept in a big file, like a spreadsheet. A program called the database server, or RDBMS,

323 views • 14 slides
We Do That Differently* Now * Because better, faster and cheapercan be wrong Peter

We Do That Differently* Now * Because better, faster and cheapercan be wrong Peter

We Do That Differently* Now * Because better, faster and cheapercan be wrong Peter Coffee VP & Head of Platform Research salesforce.com inc. Activity is not Accomplishment Orwell's Inversion: Confusion of Input and Output A

410 views • 25 slides
1 Outline Economics in Mariposa Apply a microeconomic paradigm for 1. Assumptions for DDBMS

1 Outline Economics in Mariposa Apply a microeconomic paradigm for 1. Assumptions for DDBMS

Why is Mariposa Important? Mariposa: A wide-area distributed database Wide-area ( WAN ) differ from Local-area ( LAN ) databases. Each individual site is set up differently: with different access methods. with different data

332 views • 5 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017 AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a

845 views • 53 slides

More recommend