The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in real world: how to abuse databases features to takeover the server as a whole, how to break out of the mere database process, get control of the operating system and escalate process' privileges to SYSTEM and how to make the life of the forensics analyst harder in a post-exploitation investigation. These slides have been presented at AthCon 2010 conference in Athens on June 3, 2010.

1. Got database access?
Own the network!
Bernardo Damele Assumpção Guimarães

2. Who I am
Bernardo Damele Assumpção Guimarães
Penetration tester @ Portcullis Computer Security
Proud father, avid spear-fisher, bad photographer
Open source enthusiast
sqlmap lead developer – http://sqlmap.sf.net
keimpx developer – http://code.google.com/p/keimpx
Database takeover UDF repository
AthCon 2010, Athens (Greece) June 3, 2010 2

3. Introduction
Database management systems are powerful
applications
Store and interact with data
Interact with the file system and operating system
When they can’t by design, you can force them to
When they can’t due to limited user’s privileges, you can
exploit them!
AthCon 2010, Athens (Greece) June 3, 2010 3

4. Scenario
You have got access to a DBMS
Direct connection – provided account, weak
passwords, brute-forcing credentials
SQL injection – web application, stand-alone client,
cash machine ☺, …
What to do now other than enumerating data?
Own the underlying operating system
Why not even other servers within the network?
AthCon 2010, Athens (Greece) June 3, 2010 4

5. Command execution – State of art
Microsoft SQL Server
OPENROWSET can be abused to escalate privileges to
DBA
Token kidnapping to escalate privileges to SYSTEM
Built-in xp_cmdshell to execute commands
Oracle
If you find an injection in a function owned by SYS and
with authid definer, you can run PL/SQL statements
as SYS
Many ways to execute commands –
DBMS_EXPORT_EXTENSION package, abuse Java
functions, etc.
AthCon 2010, Athens (Greece) June 3, 2010 5

6. Command execution – State of art
MySQL and PostgreSQL support user-defined
functions: custom function that can be evaluated in
SQL statements
UDF can be created from shared libraries that are
compiled binary files
Dynamic-link library on Windows
Shared object on Linux
PostgreSQL supports also procedural languages
AthCon 2010, Athens (Greece) June 3, 2010 6

7. Code snippet of sys_eval() UDF
sys_eval() executes a command and returns its stdout
AthCon 2010, Athens (Greece) June 3, 2010 7

8. More than command execution
Owning the database server is not only about OS
command execution
Out-of-band connection between the attacker host
and the database server
Database used as a stepping stone to establish this
covert channel
TCP: Shell, Meterpreter, VNC – http://metasploit.com
UDP: DNS tunnel – http://heyoka.sourceforge.net
AthCon 2010, Athens (Greece) June 3, 2010 8

9. Stealth out-of-band connection
On the attacker host
Forge a shellcode with msfpayload
Encode it with msfencode
Run msfcli with multi/handler exploit
On the database server
Create a UDF that executes a payload in-memory
Execute the UDF providing the payload as a parameter
Anti-forensics technique – hard to track in a post-
exploitation forensics investigation
AthCon 2010, Athens (Greece) June 3, 2010 9

10. User-defined function sys_bineval()
Works in DEP/NX-enabled systems
Supports alphanumeric-encoded payloads
Protects the DBMS if the payload crashes
Shellcode is executed in a SEH frame
Does not always fork a new process
Spawns a new thread
AthCon 2010, Athens (Greece) June 3, 2010 10

11. sys_bineval() vs DEP/NX
Memory area for shellcode is allocated +rwx
On Windows: VirtualAlloc()
code = (char *) VirtualAlloc(NULL,
4096,
MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
On Unix: mmap()
code = mmap(0, page_size, PROT_READ|
PROT_WRITE|PROT_EXEC,
MAP_SHARED|MAP_ANONYMOUS, 0, 0);
AthCon 2010, Athens (Greece) June 3, 2010 11

12. sys_bineval() and alphanum payloads
Supports alphanumeric-encoded payloads
Metasploit’s msfencode has alphanumeric encoders to
encode the payload
Problem: It is not able to produce pure
alphanumeric payloads due to get_pc()
AthCon 2010, Athens (Greece) June 3, 2010 12

13. sys_bineval() and alphanum payloads
Solution:
Use the BufferRegister option when encoding the
shellcode
./msfencode BufferRegister=EAX –e x86/alpha_mixed …
Put the payload address in EAX register before
executing it
__asm
{
MOV EAX, [lpPayload]
CALL EAX
}
AthCon 2010, Athens (Greece) June 3, 2010 13

14. sys_bineval() avoids DBMS crashes
Spawn a new thread
WaitForSingleObject(CreateThread(NULL, 0,
ExecPayload, CodePointer,
0, &pID),
INFINITE);
Wrap the payload in a SEH frame
__try {
__asm {
MOV EAX, [lpPayload]
CALL EAX
}
}
AthCon 2010, Athens (Greece) June 3, 2010 14

15. Code snippet of sys_bineval() UDF
sys_bineval() executes an alphanumeric-encoded payload in-memory
AthCon 2010, Athens (Greece) June 3, 2010 15

16. Am I really unprivileged?
Your code, like any other within the DBMS process,
runs with the privileges of the OS user running the
DBMS
Microsoft SQL Server can run as SYSTEM – Uncommon
PostgreSQL and MySQL usually run as a unprivileged
user
MySQL on Windows runs as SYSTEM
Regardless of the OS user running the DBMS, the
attacker can escalate privileges
AthCon 2010, Athens (Greece) June 3, 2010 16

17. I have got the power or… ways to get it!
Some ways to escalate privileges
Meterpreter has some built-in commands
(getsystem) and scripts
Including kitrap0d – Kernel flaw unpatched for ~17 years
Abuse weak permissions on files, services, named
pipes, LSASS design, etc.
Memory corruption bugs
“All Users” startup file trick
Got luck? whoami is your friend!
AthCon 2010, Athens (Greece) June 3, 2010 17

18. Want to execute fancier code on DBMS?
sqlmap has a switch to inject your user-defined
functions
Write your own C/ASM code with the DBMS
development libraries
Compile as a shared object
Fire up sqlmap with --udf-inject switch
The tool will inject the UDFs you want and execute
them onto the database server at your request
AthCon 2010, Athens (Greece) June 3, 2010 18

19. Direct connection to the database
From July 2006 to March 2010 sqlmap has been “yet
another” SQL injection tool
With some kick-ass features like BOF exploit via SQL
injection, sys_bineval(), file system access, etc.
All in all.. One-shot favorite script-kiddies tool™
Now, it is the only free tool able to takeover
database servers via either web applications or direct
connection
AthCon 2010, Athens (Greece) June 3, 2010 19

20. But… Wasn’t it meant to deal with data?
When you get access to a DBMS, you have good
chances to own the operating system
Once you have access to the system you can escalate
privileges – kernel flaws, weak permissions, etc.
When you are a high-privileged OS user you can dump
users’ password hashes and spray them across the
network perimeter to easily own other machines –
http://code.google.com/p/keimpx or SSHatter
You can also pivot traffic through the compromised
database server to the Corporate network or DMZ
AthCon 2010, Athens (Greece) June 3, 2010 20

21. Questions?
bernardo.damele@gmail.com
http://bernardodamele.blogspot.com
http://sqlmap.sourceforge.net
Thanks for your attention!
AthCon 2010, Athens (Greece) June 3, 2010 21