Next week I'll be speaking at AppSec 2009 in Washington DC about "One Click Ownage". This is a very practical way to get a reverse shell, reverse VNC or something like that. Basically after you find an SQL Injection in a MS SQL Server, you can carry out your own payload and run it in the target system by using one HTTP request. There are also other advantages of this such as the ability to exploit SQL Injections via CSRF attacks. 

Finally I'll publish a small tool called WebRaider which allows you to automate the whole attack. All you need to do is type the URL and click the exploit button to get a reverse shell.

I'll be hanging around at the conference between the 11^th and 13^rd. See you over there, if you are attending and fancy a quick chat, drop me an email, ferruh-at-mavitunasecurity.com.

After the conference I'll be in New York for a while, if you are in that area and interested in Netsparker, do not hesitate to contact us so that we can arrange a demonstration in your office.

One Click Ownage

Idea of this attack is very simple. Getting a reverse shell from an SQL Injection with one request without using an extra channel such as TFTP, FTP to upload the initial payload.

• It's only one request therefore faster,
• Simple, you don't need a tool you can do it manually by using your browser or a simple MITM proxy,
• just copy paste the payload,
• CSRF(able), It's possible to craft a link and carry out a CSRF attack that will give you a reverse shell
• It's not fixed, you can change the payload,
• It's short, Generally not more than 3.500 characters,
• Doesn't require any application on the target system like FTP, TFTP or debug.exe
• Easy to automate.

Download One Click Ownage White Paper

Presentation

Download WebRaider Tool

WebRaider written for fun as a weekend project by Ferruh Mavituna and Mesut Timur, it’s a PoC tool, code is messy and expect many bugs. You’ve been warned :)

• Binary Release
• Source Code