sql injection 0wning enterprise
DESCRIPTION
null Mumbai Chapter - September 2012 Meet
TRANSCRIPT
SQL INJECTION One Click 0wnage using SQL Map
By:
Taufiq Ali
LAB SETUP
VM with Hacme Bank Installed
http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/
On Windows: latest version of Python
SQLMap For Windows
https://github.com/sqlmapproject/sqlmap/zipball/master
SQLMap For *nix
Already included in BT5 (BackTrack 5)
OWASP TOP 10
A1: Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
INJECTIONS
Common types of injections:
SQL
LDAP
XPath
Etc.
Impact
As disastrous as handing the database over to the attacker
Can also lead to OS level access
DEFINITION
Exploiting poorly filtered or incorrectly escaped SQL queries so that data from user input is parsed (executed) as part of the query
Major Classes
Error Based
Blind Injections
Boolean Injections
Etc.
HOW DOES IT WORK?
Application presents a form to the attacker
Attacker sends an attack in the form data
Application forwards attack to the database in a SQL query
Database runs query containing attack and sends encrypted
result back to application
Application renders the data to the user
VULNERABLE CODE
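The query shape behind the flow above, as an added example that is not from the talk: a login check built by string concatenation beside its parameterised form, run against a constructed in-memory SQLite table standing in for the bank's users table (table, column and account names are assumptions).

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's user store (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Form data is pasted straight into the SQL text, so the database cannot
    # tell where the developer's query ends and the user's data begins.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    # Parameterised query: the SQL text is fixed and the values are bound
    # separately, so a quote in the input is data, never syntax.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    conn = make_db()
    # Constructed inputs: a genuine login and the textbook tautology that
    # turns the WHERE clause into "... AND password = '' OR '1'='1'".
    genuine = login_vulnerable(conn, "alice", "s3cret")
    tautology = login_vulnerable(conn, "alice", "' OR '1'='1")
    hardened = login_safe(conn, "alice", "' OR '1'='1")
    return genuine, tautology, hardened


if __name__ == "__main__":
    print(demo())
```

The boolean-based and UNION techniques sqlmap automates later in the deck all rest on the first function's flaw; the second function is the fix the application owner wants.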
SQL MAP 0wnage 0wnage 0wnage..
SQL MAP INTRODUCTION
Powerful command line utility to exploit SQL Injection vulnerability
Support for the following databases:
MySQL
Oracle
PostgreSQL
Microsoft SQL Server
Microsoft Access
IBM DB2
SQLite
Firebird
Sybase and
SAP MaxDB
SQL INJECTION TECHNIQUES
Boolean-based blind
Time-based blind
Error-based
UNION query
Stacked queries
Out-of-band
KEY SQL MAP SWITCHES
-u <URL> (target URL)
--cookie=<cookie> (authenticated sessions)
--dbs (enumerate databases)
-r <file> (load the raw HTTP request from a .txt file)
--technique (SQL injection technique)
--dbms (specify the DBMS)
-D <database name> --tables
-T <table name> --columns
-C <column name> --dump
--dump-all (for lazy l33t people)
SQL MAP FLOW
Enumerate the database name
Select database and enumerate tables
Select tables and enumerate columns
Select a column and enumerate rows (data)
Then choose your way in
WHY 0WNING THE ENTERPRISE?
Built in capabilities for cracking hashes
Options of running user defined queries
You could run OS level commands
You could have an interactive OS shell
Meterpreter shell with Metasploit
OPTIONS FOR 0WNING ENTERPRISE
--os-cmd
Run any OS level command
--os-shell
Starts an interactive shell
--os-pwn
Injects a Meterpreter shell
--tamper
Evading WAF
SQL MAP ++
--tor: Use Tor anonymity network
--tor-port: Set Tor proxy port other than default
--tor-type: Set Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)
--check-payload: Offline WAF/IPS/IDS payload detection testing
--check-waf: Check for existence of WAF/IPS/IDS protection
--gpage: Use Google dork results from specified page number
--mobile: Imitate smartphone through HTTP User-Agent header
--smart: Conduct thorough tests only if positive heuristic(s)
--tamper: custom scripts
SQL MAP ++ - FILE SYSTEM ACCESS
These options can be used to access the back-end database management system's underlying file system
--file-read=RFILE: Read a file from the back-end DBMS file system
--file-write=WFILE: Write a local file on the back-end DBMS file system
--file-dest=DFILE: Back-end DBMS absolute filepath to write to
SQL MAP ++ - OPERATING SYSTEM ACCESS
These options can be used to access the back-end database management system underlying operating system
--os-cmd=OSCMD - Execute an operating system command
--os-shell - Prompt for an interactive operating system shell
--os-pwn - Prompt for an out-of-band shell, meterpreter or VNC
--os-smbrelay - One click prompt for an OOB shell, meterpreter or VNC
--os-bof - Stored procedure buffer overflow exploitation
--priv-esc - Database process' user privilege escalation
--msf-path=MSFPATH - Local path where Metasploit Framework is installed
--tmp-path=TMPPATH - Remote absolute path of temporary files directory
SQL MAP ++ - WINDOWS REGISTRY ACCESS
These options can be used to access the back-end database management system Windows registry
--reg-read - Read a Windows registry key value
--reg-add - Write a Windows registry key value data
--reg-del - Delete a Windows registry key value
--reg-key=REGKEY - Windows registry key
--reg-value=REGVAL - Windows registry key value
--reg-data=REGDATA - Windows registry key value data
--reg-type=REGTYPE - Windows registry key value type
TAMPER SCRIPTS – BYPASSING WAF
Located inside the tamper folder in SQLMap
space2hash.py and space2morehash.py (MySQL)
space2mssqlblank.py and space2mysqlblank.py (MSSQL)
charencode.py and chardoubleencode.py (Different encodings)
charunicodeencode.py and percentage.py (To hide payload against ASP/ASP.NET applications)
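The tamper scripts above only change how the payload is written on the wire; the database still sees a plain query. An added example, not part of the talk, of the defender's answer: normalise a request parameter the way those scripts' transforms would be undone (URL decode repeatedly, fold %uXXXX, strip the stray percent signs and hash-comment line breaks) before matching a detection rule, so the rule fires on the shape the DBMS executes rather than on the encoded text. The regex and sample inputs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Undoes charencode/chardoubleencode (repeated URL decode), charunicodeencode
# (%u0027 style), percentage.py (%S%E%L%E%C%T) and space2hash/space2morehash
# (space replaced by a "#random" comment and a newline). Assumed detection
# helper, not sqlmap code; tuning for a real WAF is left to the operator.
def normalise_payload(value, max_rounds=3):
    s = value
    for _ in range(max_rounds):
        decoded = re.sub(r"%u([0-9a-fA-F]{4})",
                         lambda m: chr(int(m.group(1), 16)), unquote(s))
        if decoded == s:          # no further layer of encoding to peel off
            break
        s = decoded
    s = re.sub(r"%(?![0-9a-fA-F]{2})", "", s)   # lone % that classic ASP ignores
    s = re.sub(r"#[^\n]*\n", " ", s)             # MySQL "#comment\n" used as a space
    s = re.sub(r"/\*.*?\*/", " ", s)             # inline comments used as spaces
    return re.sub(r"\s+", " ", s).strip().lower()


# Constructed, deliberately small signature set for the demonstration.
SQLI_PATTERN = re.compile(
    r"(\bunion\b\s+(?:all\s+)?\bselect\b"
    r"|\bor\b\s+[\w']+\s*=\s*[\w']+"
    r"|\bsleep\s*\("
    r"|\bwaitfor\s+delay\b)")


def looks_like_sqli(value):
    """True when the normalised parameter matches a known injection shape."""
    return bool(SQLI_PATTERN.search(normalise_payload(value)))


if __name__ == "__main__":
    # Constructed samples mimicking the output of the tamper scripts named above.
    for sample in ["1%20UNION%20SELECT%201",          # charencode
                   "1%2520UNION%2520SELECT%25201",    # chardoubleencode
                   "1%u0020UNION%u0020SELECT%u00201", # charunicodeencode
                   "1 %U%N%I%O%N %S%E%L%E%C%T 1",     # percentage
                   "1%23x9f%0AUNION%23q1%0ASELECT%201",  # space2hash
                   "alice"]:
        print(looks_like_sqli(sample), normalise_payload(sample))
```

Decoding more than once can alter legitimate input that genuinely contains "%25", so log both the raw and normalised values when a rule fires.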
WHAT YOU SHOULD EXPLORE
One Click Ownage with SQL Injection
www.mavitunasecurity.com/s/research/OneClickOwnage.pdf
SQL Map with TOR
http://0entropy.blogspot.in/2011/04/sqlmap-and-tor.html
SQL MAP Usage Guide
http://sqlmap.sourceforge.net/doc/README.html
THANK YOU!
One click 0wnage