SQL INJECTION One Click 0wnage using SQL Map By: Taufiq Ali

Upload: nu-the-open-security-community

Post on 10-May-2015


DESCRIPTION

null Mumbai Chapter - September 2012 Meet

TRANSCRIPT

Page 1: Sql Injection 0wning Enterprise

SQL INJECTION One Click 0wnage using SQL Map

By: Taufiq Ali

Page 2: Sql Injection 0wning Enterprise

LAB SETUP

VM with Hacme Bank installed

http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/

On Windows: latest version of Python

SQLMap for Windows

https://github.com/sqlmapproject/sqlmap/zipball/master

SQLMap for *nix

It is there on BT5 (BackTrack 5)

Page 3: Sql Injection 0wning Enterprise

OWASP TOP 10

A1: Injection. Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Page 4: Sql Injection 0wning Enterprise

INJECTIONS

Common types of injection:

SQL

LDAP

Xpath

Etc.

Impact

As disastrous as handing the database over to the attacker

Can also lead to OS level access

Page 5: Sql Injection 0wning Enterprise

DEFINITION

Exploiting poorly filtered or incorrectly escaped SQL queries to parse (execute) data from user input

Major Classes

Error Based

Blind Injections

Boolean Injections

Etc.


Page 6: Sql Injection 0wning Enterprise

HOW DOES IT WORK?

Application presents a form to the attacker

Attacker sends an attack in the form data

Application forwards attack to the database in a SQL query

Database runs query containing attack and sends encrypted result back to application

Application renders data to the user

Page 7: Sql Injection 0wning Enterprise

VULNERABLE CODE
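The slide's code did not survive extraction. As an added example (not the deck's own code), here is the query-building mistake the previous slide describes, step 3 of "how does it work", beside its parameterized fix, using Python's sqlite3 module against a constructed in-memory users table:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed fixture: a tiny in-memory login table. Plaintext
    passwords are only for the demo's readability; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("alice", "wonderland")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Form data is concatenated straight into the SQL text, so the database
    cannot tell attacker-supplied SQL from the developer's query."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fix: the SQL text is fixed; values travel as bound parameters and are
    never parsed as SQL, whatever characters they contain."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    # The quote closes the string literal and '--' comments out the password
    # check, so the concatenated query matches 'admin' with any password.
    hostile_user = "admin' --"
    print("vulnerable:", login_vulnerable(db, hostile_user, "wrong"))  # True
    print("parameterized:", login_safe(db, hostile_user, "wrong"))  # False
```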

Page 8: Sql Injection 0wning Enterprise

SQL MAP 0wnage 0wange 0wnage..

Page 9: Sql Injection 0wning Enterprise

SQL MAP INTRODUCTION

Powerful command line utility to exploit SQL Injection vulnerability

Support for the following databases:

MySQL

Oracle

PostgreSQL

Microsoft SQL Server

Microsoft Access

IBM DB2

SQLite

Firebird

Sybase and

SAP MaxDB

Page 10: Sql Injection 0wning Enterprise

SQL INJECTION TECHNIQUES

Boolean-based blind

Time-based blind

Error-based

UNION query

Stacked queries

Out-of-band


Page 11: Sql Injection 0wning Enterprise

KEY SQL MAP SWITCHES

-u <URL>

--cookie (Authentication)

--dbs (To enumerate databases)

-r (For request in .txt file)

--technique (SQL injection technique)

--dbms (Specify DBMS)

-D <database name> --tables

-T <table name> --columns

-C <column name> --dump

--dump-all (for lazy l33t people)

Page 12: Sql Injection 0wning Enterprise

SQL MAP FLOW

Enumerate the database name

Select database and enumerate tables

Select tables and enumerate columns

Select a column and enumerate rows (data)

Then choose your way in

Page 13: Sql Injection 0wning Enterprise

WHY 0WNING THE ENTERPRISE?

Built in capabilities for cracking hashes

Options of running user defined queries

You could run OS level commands

You could have an interactive OS shell

Meterpreter shell with Metasploit


Page 14: Sql Injection 0wning Enterprise

OPTIONS FOR 0WNING ENTERPRISE

--os-cmd

Run any OS level command

--os-shell

Starts an interactive shell

--os-pwn

Injects a Meterpreter shell

--tamper

Evading WAF


Page 15: Sql Injection 0wning Enterprise

SQL MAP ++

--tor: Use Tor anonymity network

--tor-port: Set Tor proxy port other than default

--tor-type: Set Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)

--check-payload: Offline WAF/IPS/IDS payload detection testing

--check-waf: Check for existence of WAF/IPS/IDS protection

--gpage: Use Google dork results from specified page number

--mobile: Imitate smartphone through HTTP User-Agent header

--smart: Conduct thorough tests only if positive heuristic(s)

--tamper: custom scripts


Page 16: Sql Injection 0wning Enterprise

SQL MAP ++ - FILE SYSTEM ACCESS

These options can be used to access the back-end database management system underlying file system

--file-read=RFILE: Read a file from the back-end DBMS file system

--file-write=WFILE: Write a local file on the back-end DBMS file system

--file-dest=DFILE: Back-end DBMS absolute filepath to write to

Page 17: Sql Injection 0wning Enterprise

SQL MAP ++ - OPERATING SYSTEM ACCESS

These options can be used to access the back-end database management system underlying operating system

--os-cmd=OSCMD - Execute an operating system command

--os-shell - Prompt for an interactive operating system shell

--os-pwn - Prompt for an out-of-band shell, meterpreter or VNC

--os-smbrelay - One click prompt for an OOB shell, meterpreter or VNC

--os-bof - Stored procedure buffer overflow exploitation

--priv-esc - Database process' user privilege escalation

--msf-path=MSFPATH - Local path where Metasploit Framework is installed

--tmp-path=TMPPATH - Remote absolute path of temporary files directory

Page 18: Sql Injection 0wning Enterprise

SQL MAP ++ - WINDOWS REGISTRY ACCESS

These options can be used to access the back-end database management system Windows registry

--reg-read - Read a Windows registry key value

--reg-add - Write a Windows registry key value data

--reg-del - Delete a Windows registry key value

--reg-key=REGKEY - Windows registry key

--reg-value=REGVAL - Windows registry key value

--reg-data=REGDATA - Windows registry key value data

--reg-type=REGTYPE - Windows registry key value type


Page 21: Sql Injection 0wning Enterprise

THANK YOU!

One click 0wnage
