A blog post about some post exploitation scenarios with MySQL, MSSQL, PostgreSQL and Oracle that use SQL Injection to make network requests resulting in Server Side Request Forgery/Cross Site Port Attacks.

You can skip to the section that interests you:

- Oracle packages that support a URL or a Hostname/Port Number specification
- Limited SSRF using master.xp_dirtree (and other file stored procedures)
- References, all URLs from the post and further reading

SQL Injection is a well known, researched and publicized security vulnerability that has been used to attack web apps and steal data from backend databases for multiple decades now. Post exploitation scenarios with SQL Injections commonly lead to, apart from the ability to interact with the database, the ability to read files, write files and sometimes to execute operating system commands.

All modern databases have built-in functions or the ability to create procedures that provide some level of network access. These are used for database related operations, usually to fetch data from a file on a network share or on the Internet, or to initiate connections to other servers. As attackers, SQL Injection often provides us the ability to interact with the database and call these functions. Again, these are well documented in a category of data extraction techniques called Out of Band Exploitation, where data is exfiltrated through DNS or HTTP channels.

This post highlights functions, packages, methods and techniques in 4 of the most popular RDBMS software - MySQL, MSSQL, PostgreSQL and Oracle - that can be used either via a SQL Injection or via a direct connection to the database to perform network requests resulting in Server Side Request Forgeries.

Imagine you have found a SQL Injection on a web application on the Internet. DNS records show that this is located on AWS. SQL Injection on a web application on AWS is no different than on any other web app. What can you do as part of post exploitation, apart from data exfil?

One of the key things that I personally go after when testing applications on AWS is the potential that the app may allow me to interact with the instance metadata service. As an attacker, one of the ways to move from attacking the application server or the database to attacking the entire AWS infrastructure will require the ability to generate and extract credentials from the instance metadata service. There are a lot of cool things you can do if you get your hands on privileged tokens from the instance generated using an attached IAM role.

We set the backup file extension using the standard SQL Server conventions.

Now the defaults are explained, let's start doing something different. Most of the options are for changing the file paths.

Path Creation

By default Backup-DbaDatabase will **NOT** create folders that do not exist. To override this behaviour, use the -BuildPath switch.

By default we use xp_dirtree on the SQL instance to check that the path exists. Unfortunately this is known to fail in a couple of cases, the most common being:

– The SQL Instance has write only permissions to the backup folder (a common security permission).
– The SQL Instance is on a *nix OS, where xp_dirtree is not implemented.

In these cases you can use -IgnoreFileChecks to skip the path test. However, if doing this it is recommended that you test the paths some other way.

In the next section we'll be discussing pushing backups to other locations.
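The three path-handling behaviours described above, as an added example that is not code from the dbatools project or the post. It assumes the dbatools module is installed; the instance name, database name and UNC folder are placeholders for your own environment, and the probe-file check that stands in for "test the paths some other way" is this example's own approach, not something dbatools provides.

```powershell
# Added example: handling a backup folder that may not exist, with the
# Backup-DbaDatabase switches the post describes (-BuildPath, -IgnoreFileChecks).
# Assumes the dbatools module is installed. All names below are placeholders.
Import-Module dbatools

$instance = 'SQL01\PROD'                  # placeholder SQL Server instance
$db       = 'Sales'                       # placeholder database name
$target   = '\\backupsrv\sql\SQL01\Sales' # placeholder UNC backup folder

# 1. Default behaviour: the folder must already exist. dbatools checks it with
#    xp_dirtree on the instance; a missing folder (or a failed check) stops the backup.
Backup-DbaDatabase -SqlInstance $instance -Database $db -Path $target -Type Full

# 2. Let Backup-DbaDatabase create the missing folder instead of failing.
Backup-DbaDatabase -SqlInstance $instance -Database $db -Path $target -Type Full -BuildPath

# 3. xp_dirtree cannot verify the path (write-only share, or SQL Server on *nix):
#    skip the in-engine check, but prove the folder is writable some other way first.
#    This probe writes and deletes a uniquely named file from the machine running the
#    script. Note the limit of this check: it proves the *caller's* account can write
#    to the share, not that the SQL Server service account can, so keep both in step.
$probe = Join-Path -Path $target -ChildPath ("probe-{0}.tmp" -f [guid]::NewGuid())
try {
    New-Item -ItemType File -Path $probe -Force -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe -Force -ErrorAction Stop
    $canWrite = $true
} catch {
    $canWrite = $false
}

if ($canWrite) {
    Backup-DbaDatabase -SqlInstance $instance -Database $db -Path $target -Type Full -IgnoreFileChecks
} else {
    Write-Warning "Backup folder $target is not writable from this host; fix permissions before skipping file checks."
}
```

When the share really is write-only for the SQL Server service account, the probe above will still succeed or fail according to the permissions of whoever runs the script, so run it under the same account the backup will use, or verify the share ACL directly, before relying on -IgnoreFileChecks.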