[WEB SECURITY] Database tools required

Adam Muntner adam.muntner at quietmove.com
Thu May 13 09:55:19 EDT 2010


Great post, Arian

Def try to reuse those credentials on every authentication interface, too.

Some db enumeration commands are archived at

http://code.google.com/p/fuzzdb/source/browse/#svn/trunk/attack-payloads/sql-injection/exploit

On Wed, May 12, 2010 at 10:24 AM, Arian J. Evans
<arian.evans at anachronic.com> wrote:
> Clarification will help. Did you find a function inside of a web
> application -- like a debug function that dumps connection strings,
> and hence you accessed the DB credentials through connection string
> info? Or something like default framework connection-string files
> (global.asax, etc.)?
>
> A) Are you asking how to connect *through* the web application running
> over HTTP to the back-end database?
>
> B) Or do you have raw sockets/TCP connectivity directly to the database?
>
> These are two very different scenarios.
>
> If B) many of the responses already provided will help you.
>
> If A) then using the credentials to gain elevated access to the
> database could be tricky or impossible, depending on how the
> application is built.
>
> Here are the things I would look for, if you are limited to HTTP-based
> web applications for attempting access:
>
> 1. "Debug" or administrative functions in the app that allow you to
> access the database impersonating the application. (these aren't very
> common)
>
>
> 2. Operating-system level exploits, shell access (like php_shell
> files), or command injection via the web application (most likely on
> the web server).
>
> Exploiting this level of access will allow you to connect and create
> arbitrary queries at the level of privilege of the credentials, since
> you know the appropriate DB drivers are already installed. If the
> application uses a middleware or managed-code abstraction layer (like
> .NET), then command injection/shell exploits at the web-server level
> could be of limited use. Your worker-threads (you gain shell with) are
> usually lower-privilege too.
>
>
> 3. RFI or LFI (file include) vulnerabilities. Upload your own
> script/SWF/etc. and plug directly into the DB.
>
>
> 4. Other vulnerable web applications. If you find other vulnerable web
> applications on the same network that have any of the above issues, up
> to and including OS Command Injector or SQL Injection, you may be able
> to connect to the database from the web/app server of another
> vulnerable web application in the same DMZ/LB pool. (Often you find
> it's the same DB cluster in production environments. :)
>
> --
>
> Even if you cannot exploit this finding, it is still valuable.
>
> In and of itself - this information can be a vulnerability on
> production systems. If network access to the DB is not segmented
> internally...anyone on the internal network can impersonate the
> application provided they have access to the database, which is a
> significantly concerning situation.
>
> Most organizations do not perform network-access layer logging on
> their databases, trusting the connection strings, so there is no
> repudiation for actions taken by any arbitrary entity with access to
> these credentials.
>
> Good luck,
>
> ---
> Arian Evans
> "If you really want to make things complicated - look no further than BSIMM"
>
>
>
> On Mon, May 10, 2010 at 10:37 PM, Parmendra Sharma
> <s.parmendra at gmail.com> wrote:
>> Hi All,
>>
>> While performing a VA / PT exercise of an application i got the database
>> credentials. Kindly suggest any tool which connects me to the database
>> through the application.
>>
>> --
>> Thanks and Regards:
>>
>> Parmendra Sharma
>> Computer Security Analyst
>>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list