Posts

Showing posts from 2013

The forgotten JBOSS Admin Console and CVE 2010-1871

Well, we are in 2013 and it's amazing how many JBoss administration interfaces (jmx-console, web-console, invokers, etc.) are still exposed on the internet; however, we are not going to talk about that. A couple of days ago I was performing a penetration test and I found an environment with JBoss AS 6. The JMX console wasn't password protected, but one console in particular attracted my attention: the Admin Console. It seems that this console, for reasons I do not know, is somewhat forgotten by the security community as an attack vector. The default access credentials for this console are admin/admin, and it is also built upon a vulnerable version of the Seam framework (CVE-2010-1871). This console provides powerful JBoss administration, allowing a user to check the server's configuration, to deploy and delete applications, to read datasources, etc. I checked the default credentials but they had been changed. There were other ways to hack this JBoss but I was quite interes

SQL Injection - enumerating Microsoft AD users using Oracle resources

In my last post I talked about how to exploit SQL injection flaws to perform port scanning when the database is Oracle. Now I am sharing with you a way to perform a brute-force attack to enumerate users from Microsoft AD (or another LDAP repository). Oracle has provided a package called DBMS_LDAP since version 9i, and it can help us with such a task. It seems that even in Oracle 11g there is no special ACL assigned to this resource. What does that mean? It means we can use it in our SQL injection attacks with most Oracle users. Let's take a look at a practical example performed during a penetration test: http://target/index_target.php?id=15||DBMS_LDAP.simple_bind_s((dbms_ldap.init('targetdomain.com',389)),'admin@targetdomain.com','password')-- In this case, the value of the vulnerable parameter id is concatenated with the result of the DBMS_LDAP.simple_bind_s function. We can manipulate the target domain and its port, as well as user names and passwords. If the LD