Oracle Exploitation – Privilege Escalation

September 7, 2013 Leave a comment

 

Many times during Penetration Tests, we found a limited account for the Oracle database server.  The next step would be to find a SQL injection vulnerability to obtain DBA privileges. There are a number of Metasploit modules that we can use to escalate to DBA privileges.  The Metasploit modules scripts below are for different varying versions of Oracle database servers. I cant remember which Metasploit modules are for which versions.

Metasploit Oracle SQL Injection Modules

To speed things up, I wrote a script that does the below

(1) Check if the account specified has access to the database
(2) Check if the account has DBA privileges
(3) If no, check the version of the Oracle database server
(4) Select the relevant Oracle SQL injection modules for that version of Oracle database and write a Metasploit resource script to disk
(5) Run the Metasploit resource script and attempt to gain DBA privileges
(6) Check permissions of account and verifies if DBA privileges have been obtained.

ora_priv.py script

ora_priv.py script

The script is still a work in progress.  You can download the script via the below link.
https://github.com/milo2012/pentest_scripts/blob/master/oracle_pillage/ora_priv.py

Categories: Exploitation, Oracle

WordPress Plugin NextGEN Gallery 1.9.12 Arbitrary File Upload vulnerability (CVE-2013-3684)

August 10, 2013 Leave a comment

I converted the original WordPress Plugin NextGEN Gallery 1.9.12 Arbitrary File Upload exploit from Perl to Python for fun.

The original exploit can be found at http://downloads.securityfocus.com/vulnerabilities/exploits/60533.pl

Below is the python script for CVE-2013-3684

https://github.com/milo2012/pentest_scripts/tree/master/wordpress_exploits

CVE-2013-3684

Categories: Exploitation

Command Line IMAP/POP3 Email Downloader

July 30, 2013 Leave a comment

Wrote this script “Command Line IMAP/POP3 Email Downloader” some time ago.
Found it during spring cleaning.

Download the script here

https://github.com/milo2012/pentest_scripts/tree/master/emaildownloader

Categories: Uncategorized

niktoHelper – Bridge between Nmap Grepable Output and Nikto

July 7, 2013 Leave a comment

During a penetration test, Nikto is usually used after Nmap. However, sometimes the web servers are virtual hosts (serving more than one website on the same web server)

The usual steps after running Nmap against the hosts are
1. Go to Bing.com and do a reverse DNS lookup (e.g. IP:69.194.235.101) on the IPs.
2. If there are no results, check the SSL certificate on the host
3. Run nikto.pl with the vhost parameter. (e.g.)

perl nikto.pl -vhost www.bd-motor.com -maxtime 7200 -Cgidirs all -ssl -host  69.194.235.103 -port 80 -output nikto_69.194.235.103-port443-www.bd-motor.com.txt

This script automates all of the above steps.

Below is what you see when you run niktoHelper.py without any arguments.

You are able to select the number of threads to use using the -child argument.
To only display the Nikto command output, use the -display argument.

Image

To run nikto against a selected website, key in the number followed by comma
E.g. 1,4,10

To run nikto against all results, key in ALL and press enter
To skip all websites shown, press ENTER or key in NONE followed by enter key.Image

If you use the -display argument, the Nikto command is supposed to be used against the websites are shown on screen.

Image

The script can be downloaded at https://github.com/milo2012/pentest_scripts/tree/master/niktohelper

If you have any feedback and suggestion, please send it to me below. Thank you

Automating SQL Injection with Burp, Sqlmap and GDS Burp API

June 26, 2012 Leave a comment

I came across GDS Burp API which seems like a very useful tool for parsing Burp Proxy logs.  The GDS Burp API exposes a Python object interface to requests/responses recorded by Burp. The below link provides a very good introduction to the API.

http://blog.gdssecurity.com/labs/2010/8/10/constricting-the-web-the-gds-burp-api.html

I wrote a simple script to use the API to parse the Burp proxy logs and send it to SQLMap to automate testing SQL injection for all GET and POST parameters and skip all urls without any parameters.

1. Clone the GDSSecurity burpee repository git clone https://github.com/GDSSecurity/burpee.git

2. Download burpSQL.py from https://github.com/milo2012/burpSQL into the burpee folder

3. Next, we will have to configure logging in Burpsuite

4. Change the proxy settings of your browser to 127.0.0.1:8080

5. Crawl the website with Owasp Ajax Crawling tool or spider with Burpsuite or the manual way.

Below are the command line options for burpSQL

6. The above is pretty self explanatory.  If your Burp proxy log is cluttered with urls from multiple domains, you can filtered the SQL injection testing to specific domains using the –domain switch.

Drop me a message if you have any suggestions or comments.  Thank you !

Hacking Beyond The Browser with BeEF (Robbing Your Wireless Keys)

March 11, 2012 2 comments

Pauldotcom has a very interesting post on “Retrieving Clear Text Wireless Keys” from Compromised Systems” at http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html

As mentioned in the post, this works on Windows Vista and 7.

I have written a BeEF module called “Get Wireless Keys” which automates the process of robbing the victim of the wireless keys using a signed Java applet.

Follow the steps listed on https://github.com/beefproject/beef/wiki/BeEF-and-Backtrack-5  in order to download BeEF.  My module is now available in the repo.

If you are new to BeEF, you can find some video tutorials here. https://github.com/beefproject/beef/wiki

This will act as a bridge to allow hacking beyond the browser as you will easily be able to compromise other systems in the network once you  connect to the victim’s wireless networks using the stolen wireless keys on your computer.

Upon launching the module against the victim, the victim will get a popup on his browser.  The victim would need to click “Run” in order for this to work.

You will see the below output in the console of BeEF. This means that the victim’s has executed the java applet and the applet has returned some results.

In the below screen shot, it shows that the wireless profiles on the victim’s computer has been saved to /pentest/web/beef/exported_wlan_profiles.xml

The next thing that we need to do is to import the wireless into your Windows Vista/7 computer.

You should be able to connect to the wireless networks that have been saved on the victim’s computer without any password prompts.

You might want to use this module together with “get physical location” module that I have written to identify the actual location of the wireless access point that the victim use in his home or office.

Thats if you are within close proximity to the victim. If not, this module is useless to you.

Alternatively, you could mass mail to all emails address that you can find that belong to a domain with the link to beef.

If you are using Preshared Keys instead WPA/WPA2 enterprise in your organisation, then all you need is one person in the organization to click Run to the Java Applet alert popup to get pwned.

Please feel free to leave me your comments or follow me on twitter at @keith55.

BeEF module for Geolocation Tracking (via Wireless Access Points)

February 25, 2012 Leave a comment

I have ported my code over to BeEF #beefproject http://beefproject.com/  My module is not in the repository yet.

1.  Meanwhile, you can download the file attached  and copy and extract the files to /pentest/web/beef/modules/host/ .   After that, you should be able to access the module in BeEF as shown in the below screenshot.

2.  The user will receive the below popup in their web browser.   You can change the name of the Java applet to something more discrete as compared to what I have named.

Within seconds, you should be able to get the geolocation of the remote user.

You can download the BeEF module via one of the below links if you do not want to wait for it to be committed to the repository.

https://www2.dropbox.com/sh/cxpafqhpscszfoe/8bGfta5G5W/get_physical_location.zip

I will be doing a write up about the things I learn about writing BeEF module with Java applet integration in the next couple of days.

I hope it can help other people who are just getting started with BeEF development.

Let me know if you would have any suggestions.   Thanks !

Follow

Get every new post delivered to your Inbox.