
Take Over Situations: Part 3 – SQL Injection to Domain Admin


September 30, 2021 – Brett DeWall – Adversarial Simulation

White Oak Security recently performed a red team engagement for a client where we discovered
subsidiaries owned by their parent company (which we were testing against). All of these subsidiaries
were in-scope for this engagement. 

To explain this a little more, let’s start to look through simple Google searches for the various
subsidiaries – an example request would look like this (site:DOMAIN-NAME). Reviewing these results, I
came across an interesting web page.

Like a curious pentester would do… I inserted a single tick into the field for the DatabaseName within
the URL. Lo and behold, a SQL error message!

SQL Injection
After loading up this HTTP request in SQLMap (https://sqlmap.org/), it was able to discover the
injection point.

Now let’s enumerate who the current user is within the database. This can be done by using the
following flag within SQLMap – “--current-user”.

Utilizing the “--os-shell” flag within SQLMap, we can execute Windows operating system commands
on the remote host. Let’s run “whoami” to see what user we are currently running as.

Interesting… it looks like we are running as “administrador” – let’s gather some more information on
this user account by issuing the following command “net user administrador /domain”.

SQL Injection That Led To Domain Admins
Jackpot! The user account we just gained access to through SQL injection is a member of the
“Admins. del dominio” which is the “Domain Admins” group. At this point, we have successfully
compromised the internal domain through SQL injection from a publicly facing website.

Domain Compromises
This was one of the craziest domain compromises I have come across due to the fact the remote
database is being run as a Domain Administrator. Organizations that have publicly facing web
applications within their environment should look into the following items to prevent unauthorized
access:

Sanitize all user supplied input
Implement a web application firewall
Execute all web applications and databases utilizing the least privilege required to run the instance

Following these recommendations, as well as common best practices for web applications, your
organization will be more secure and set up for future security success.
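
As an added illustration of the first recommendation (this is not code from the engagement or from White Oak Security), the example below shows a DatabaseName URL parameter handled unsafely and then safely. SQLite stands in for the back-end database, which the post does not name; the table, allow-list, URL and function names are all hypothetical.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

ALLOWED_DATABASES = {"sales", "hr"}            # hypothetical allow-list
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")    # identifier-style names only

def make_db():
    """Constructed sample data; SQLite stands in for the unnamed back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reports (database_name TEXT, title TEXT)")
    db.executemany("INSERT INTO reports VALUES (?, ?)",
                   [("sales", "Q3 summary"), ("hr", "Headcount")])
    return db

def database_name_from_url(url):
    """Return the single DatabaseName query value, or None if absent/repeated."""
    values = parse_qs(urlparse(url).query).get("DatabaseName", [])
    return values[0] if len(values) == 1 else None

def lookup_vulnerable(db, url):
    # 'Before': the value is pasted into the SQL text, so a stray quote
    # changes the statement itself and the driver raises a syntax error.
    name = database_name_from_url(url) or ""
    sql = "SELECT title FROM reports WHERE database_name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_hardened(db, url):
    # 'After': validate against the allow-list, then bind as a parameter.
    name = database_name_from_url(url)
    if name is None or not NAME_RE.fullmatch(name) or name not in ALLOWED_DATABASES:
        raise ValueError("invalid DatabaseName")
    sql = "SELECT title FROM reports WHERE database_name = ?"
    return db.execute(sql, (name,)).fetchall()

def respond(handler, db, url):
    """HTTP-style (status, body); database errors are never echoed to the client."""
    try:
        return 200, handler(db, url)
    except ValueError:
        return 400, "invalid request"
    except sqlite3.Error:
        return 500, "internal error"   # log details server-side only

if __name__ == "__main__":
    db = make_db()
    tick = "https://app.example.test/report?DatabaseName=sales'"
    print(respond(lookup_vulnerable, db, tick))
    print(respond(lookup_hardened, db, tick))
```

Input validation covers only the first item in the list; the account the database runs under still needs to be restricted to the least privilege required, as the third item states.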

Read more about interesting take-over situations, part 1
(https://www.whiteoaksecurity.com/blog/interesting-take-over-situations-part-1/) and part 2
(https://www.whiteoaksecurity.com/blog/interesting-take-over-situations-part-2-zerologon/).
