One Click Ownage
I’ve been keeping this under my desk for ages now. It’s been about 6 months since I came up with a practical exploitation of this idea and even developed an application to automate the scanning and exploitation process.
This attack is all about SQL Injection for lazy minds. One of the classical SQL Injection attacks in SQL Server – SA connections is obviously trying to get reverse shell from the target database. There are some ways to do it, like sending hundreds of requests or using PERL scripts, executables etc. I didn’t like the current approach and decided to find a better way to deal with it.
I think I came up with the holy grail of the this attack. One request to get a reverse shell, can’t get any better than that. You can copy paste it, you can stick it into an src attribute of an img tag to carry out a CSRF attack etc.
- Download White Paper which explains the attack – One Click Ownage White Paper
- Scripts to generate the payload
- IT Underground 2009 Presentation
- IstSec 2009 Presentation (Turkish, this is a slightly different presentation, mostly focus on automated detection and exploitation)