SQL INJECTION
One Click 0wnage using SQL Map

By: Taufiq Ali
LAB SETUP

- VM with Hacme Bank installed
    http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/
- On Windows: the latest version of Python
- SQLMap for Windows
    https://github.com/sqlmapproject/sqlmap/zipball/master
- SQLMap for *nix
    Already included in BackTrack 5 (BT5)
OWASP TOP 10

A1: Injection
- Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
INJECTIONS

- Common types of injection:
    - SQL
    - LDAP
    - XPath
    - Etc.

- Impact
    - As disastrous as handing the database over to the attacker
    - Can also lead to OS-level access
DEFINITION

- Exploiting poorly filtered or incorrectly escaped SQL queries so that data from user input is parsed (executed) as part of the query
- Major classes
    - Error based
    - Blind injections
    - Boolean injections
    - Etc.
HOW DOES IT WORK?

- Application presents a form to the attacker
- Attacker sends an attack in the form data
- Application forwards the attack to the database in a SQL query
- Database runs the query containing the attack and sends encrypted results back to the application
- Application renders the data to the user
VULNERABLE CODE
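The code on this slide did not survive extraction. The following Python script is an added example, not code from the original deck or from Hacme Bank: it uses the standard library's sqlite3 module with constructed sample users as a stand-in for the lab's database and walks through the five steps above. The login query built by string concatenation lets a quote in the password field change the query's structure, while the same query with bound parameters treats the input strictly as data.

```python
import sqlite3

# Constructed sample rows standing in for a bank's user table (not Hacme Bank data).
# Passwords are stored in clear only to keep the sample short; that is a second
# defect a real application must not have.
SAMPLE_USERS = [
    ("alice", "s3cret", "ACC-0001"),
    ("bob", "hunter2", "ACC-0002"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, account_no TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Step 3 of the flow done wrong: form data is concatenated into the SQL text.

    A quote character in the input closes the string literal early, so the rest of
    the input is parsed as SQL by the database. Returns the usernames the query matched."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: the driver passes the input as values,
    never as part of the SQL text, so no input can change the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run a legitimate login and the textbook tautology payload through both versions."""
    conn = make_db()
    # Closes the password literal and appends an always-true clause:
    # ... AND password = '' OR '1'='1' ORDER BY username
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "attack_vulnerable": login_vulnerable(conn, "alice", payload),
        "attack_safe": login_safe(conn, "alice", payload),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:<18} -> {matched}")
```

The vulnerable version returns every user for the tautology payload because AND binds tighter than OR, so the WHERE clause becomes `(username='alice' AND password='') OR '1'='1'`; the parameterised version returns nothing, since the whole payload is compared as a password string.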
SQL MAP
0wnage 0wnage 0wnage..
SQL MAP INTRODUCTION

- Powerful command line utility to exploit SQL injection vulnerabilities
- Supports the following databases:
    - MySQL
    - Oracle
    - PostgreSQL
    - Microsoft SQL Server
    - Microsoft Access
    - IBM DB2
    - SQLite
    - Firebird
    - Sybase
    - SAP MaxDB
SQL INJECTION TECHNIQUES

- Boolean-based blind
- Time-based blind
- Error-based
- UNION query
- Stacked queries
- Out-of-band
KEY SQL MAP SWITCHES

- -u <URL>
- --cookie (authentication)
- --dbs (enumerate databases)
- -r (load the HTTP request from a .txt file)
- --technique (SQL injection technique)
- --dbms (specify the DBMS)
- -D <database name> --tables
- -T <table name> --columns
- -C <column name> --dump
- --dump-all (for lazy l33t people)
SQL MAP FLOW

- Enumerate the database names
- Select a database and enumerate its tables
- Select a table and enumerate its columns
- Select a column and enumerate its rows (data)
- Then choose your way in
WHY 0WNING THE ENTERPRISE?

- Built-in capabilities for cracking hashes
- Option of running user-defined queries
- You could run OS-level commands
- You could have an interactive OS shell
- Meterpreter shell with Metasploit
OPTIONS FOR 0WNING ENTERPRISE

- --os-cmd
    Run any OS-level command
- --os-shell
    Starts an interactive shell
- --os-pwn
    Injects a Meterpreter shell
- --tamper
    Evading WAFs
SQL MAP ++

- --tor: Use Tor anonymity network
- --tor-port: Set Tor proxy port other than default
- --tor-type: Set Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)
- --check-payload: Offline WAF/IPS/IDS payload detection testing
- --check-waf: Check for existence of WAF/IPS/IDS protection
- --gpage: Use Google dork results from specified page number
- --mobile: Imitate smartphone through HTTP User-Agent header
- --smart: Conduct thorough tests only if positive heuristic(s)
- --tamper: Custom scripts
SQL MAP ++ - FILE SYSTEM ACCESS

- These options can be used to access the file system underlying the back-end database management system
- --file-read=RFILE: Read a file from the back-end DBMS file system
- --file-write=WFILE: Write a local file on the back-end DBMS file system
- --file-dest=DFILE: Back-end DBMS absolute filepath to write to
SQL MAP ++ - OPERATING SYSTEM ACCESS

- These options can be used to access the operating system underlying the back-end database management system
    - --os-cmd=OSCMD: Execute an operating system command
    - --os-shell: Prompt for an interactive operating system shell
    - --os-pwn: Prompt for an out-of-band shell, Meterpreter or VNC
    - --os-smbrelay: One click prompt for an OOB shell, Meterpreter or VNC
    - --os-bof: Stored procedure buffer overflow exploitation
    - --priv-esc: Database process' user privilege escalation
    - --msf-path=MSFPATH: Local path where Metasploit Framework is installed
    - --tmp-path=TMPPATH: Remote absolute path of temporary files directory
SQLMAP ++ - WINDOWS REGISTRY ACCESS

- These options can be used to access the Windows registry of the back-end database management system
- --reg-read: Read a Windows registry key value
- --reg-add: Write a Windows registry key value data
- --reg-del: Delete a Windows registry key value
- --reg-key=REGKEY: Windows registry key
- --reg-value=REGVAL: Windows registry key value
- --reg-data=REGDATA: Windows registry key value data
- --reg-type=REGTYPE: Windows registry key value type
TAMPER SCRIPTS – BYPASSING WAF

- Located inside the tamper folder in SQLMap
- space2hash.py and space2morehash.py (MySQL)
- space2mssqlblank.py and space2mysqlblank.py (MSSQL)
- charencode.py and chardoubleencode.py (different encodings)
- charunicodeencode.py and percentage.py (to hide the payload against ASP/ASP.NET applications)
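From the defender's side, the `--mobile` switch and the encoding tamper scripts on this slide are exactly what a naive log search misses: a rule that looks for `UNION SELECT` in raw request lines sees `UNION/**/SELECT` or a double-encoded payload as noise. The following Python script is an added example, not part of the original deck or of sqlmap: it parses constructed Apache-style access-log lines, canonicalises each query string (repeated percent-decoding, comment and `+` removal, whitespace folding) and then applies a few rules for the techniques listed earlier (time-based, UNION, boolean tautology) plus the `sqlmap/` prefix of sqlmap's default User-Agent. All log lines, paths and IP addresses are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); none of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:01:02 +0000] "GET /bank/accounts.aspx?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:01:05 +0000] "GET /bank/accounts.aspx?id=42%27%20AND%20SLEEP%285%29-- HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [12/Mar/2012:10:01:07 +0000] "GET /bank/accounts.aspx?id=42%20UNION%2F%2A%2A%2FSELECT%20NULL%2CNULL-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:01:09 +0000] "GET /bank/accounts.aspx?id=42%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 7010 "-" "Mozilla/5.0 (iPhone)"
10.0.0.7 - - [12/Mar/2012:10:02:00 +0000] "GET /bank/search.aspx?q=union+station HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def normalize(query: str, max_rounds: int = 3) -> str:
    """Canonicalise a query string before matching.

    Repeated percent-decoding undoes layered encodings (what chardoubleencode.py
    produces); comment and '+' replacement undoes whitespace substitution of the
    space2comment kind. Matching the canonical form, not the raw line, is what
    makes the rules below survive the encoding tamper scripts."""
    text = query
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.replace("+", " ")
    text = re.sub(r"/\*.*?\*/", " ", text)  # inline comments used as whitespace
    text = re.sub(r"\s+", " ", text)  # tabs and newlines fold to one space
    return text.lower().strip()


# Heuristic rules keyed by the injection technique they indicate.
RULES = (
    ("time-based blind", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b")),
    ("union query", re.compile(r"\bunion\b(\s+all)?\s+select\b")),
    # Tautology: OR/AND followed by x = x with the same token on both sides (1=1, 'a'='a').
    ("boolean tautology", re.compile(r"\b(or|and)\b\s*'?(\w+)'?\s*=\s*'?\2'?(\s|$)")),
    ("comment terminator", re.compile(r"(--|#)\s*$")),
)


def analyze(log_text: str) -> list:
    """Return one record per parsable log line with the list of rules it triggered."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        canon = normalize(parts.query)
        findings = [name for name, rx in RULES if rx.search(canon)]
        # sqlmap's default User-Agent starts with "sqlmap/"; --mobile and
        # --random-agent replace it, so this rule alone is weak evidence.
        if "sqlmap/" in m["ua"].lower():
            findings.append("sqlmap user-agent")
        records.append({"ip": m["ip"], "path": parts.path, "query": canon, "findings": findings})
    return records


def suspicious_sources(records: list) -> dict:
    """Count flagged requests per client IP. The enumeration flow described earlier
    (databases, then tables, columns, rows) produces many such requests from one source."""
    counts = {}
    for rec in records:
        if rec["findings"]:
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for rec in results:
        flag = "ALERT" if rec["findings"] else "ok   "
        print(f"{flag} {rec['ip']:<10} {rec['path']}?{rec['query']}  {rec['findings']}")
    print("flagged requests per source:", suspicious_sources(results))
```

The fourth sample line is the instructive one: it carries a smartphone User-Agent and a double-encoded payload, so neither the User-Agent rule nor a raw-text search would catch it, yet after two decoding rounds the tautology rule fires. The fifth line shows why the UNION rule requires a following SELECT rather than the keyword alone.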
WHAT YOU SHOULD EXPLORE

- One Click Ownage with SQL Injection
  www.mavitunasecurity.com/s/research/OneClickOwnage.pdf

- SQL Map with TOR
  http://0entropy.blogspot.in/2011/04/sqlmap-and-tor.html

- SQL MAP Usage Guide
  http://sqlmap.sourceforge.net/doc/README.html
One click 0wnage

THANK YOU!

More Related Content

What's hot

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injectionJawhar Ali
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...Edureka!
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 

What's hot (20)

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection  How to identify and prevent SQL injection
How to identify and prevent SQL injection
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
 
Sql injection
Sql injectionSql injection
Sql injection
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Web application security
Web application securityWeb application security
Web application security
 
Sql injection
Sql injectionSql injection
Sql injection
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Sql injection
Sql injectionSql injection
Sql injection
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 

Viewers also liked

Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
Vulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp SuiteVulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp Suitesportblonde1589
 
Scaling python to_hpc_big_data-maidanov
Scaling python to_hpc_big_data-maidanovScaling python to_hpc_big_data-maidanov
Scaling python to_hpc_big_data-maidanovDenis Nagorny
 
Instruction: dev environment
Instruction: dev environmentInstruction: dev environment
Instruction: dev environmentSoshi Nemoto
 
Practical RISC-V Random Test Generation using Constraint Programming
Practical RISC-V Random Test Generation using Constraint ProgrammingPractical RISC-V Random Test Generation using Constraint Programming
Practical RISC-V Random Test Generation using Constraint Programminged271828
 
Sour Pickles
Sour PicklesSour Pickles
Sour PicklesSensePost
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]RootedCON
 

Viewers also liked (12)

Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Perl Basics for Pentesters Part 1
Perl Basics for Pentesters Part 1Perl Basics for Pentesters Part 1
Perl Basics for Pentesters Part 1
 
Vulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp SuiteVulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp Suite
 
Scaling python to_hpc_big_data-maidanov
Scaling python to_hpc_big_data-maidanovScaling python to_hpc_big_data-maidanov
Scaling python to_hpc_big_data-maidanov
 
Instruction: dev environment
Instruction: dev environmentInstruction: dev environment
Instruction: dev environment
 
Practical RISC-V Random Test Generation using Constraint Programming
Practical RISC-V Random Test Generation using Constraint ProgrammingPractical RISC-V Random Test Generation using Constraint Programming
Practical RISC-V Random Test Generation using Constraint Programming
 
Sour Pickles
Sour PicklesSour Pickles
Sour Pickles
 
Guru01 13 15
Guru01 13 15Guru01 13 15
Guru01 13 15
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
 

Similar to Sql Injection 0wning Enterprise

Sql injection manish file
Sql injection manish fileSql injection manish file
Sql injection manish fileyukta888
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
Automação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsAutomação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsRaul Leite
 
0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HK0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HKLawrence Amer
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCanSecWest
 
I Didn't Know You Could Do That with zOS.pdf
I Didn't Know You Could Do That with zOS.pdfI Didn't Know You Could Do That with zOS.pdf
I Didn't Know You Could Do That with zOS.pdfMarna Walle
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemBikrant Gautam
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
Installing tivoli system automation for high availability of db2 udb bcu on a...
Installing tivoli system automation for high availability of db2 udb bcu on a...Installing tivoli system automation for high availability of db2 udb bcu on a...
Installing tivoli system automation for high availability of db2 udb bcu on a...Banking at Ho Chi Minh city
 

Similar to Sql Injection 0wning Enterprise (20)

Sql injection manish file
Sql injection manish fileSql injection manish file
Sql injection manish file
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Automation day red hat ansible
   Automation day red hat ansible    Automation day red hat ansible
Automation day red hat ansible
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion Techniques
 
Automação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsAutomação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOps
 
zLAMP
zLAMPzLAMP
zLAMP
 
0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HK0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HK
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
 
SAP hands on lab_en
SAP hands on lab_enSAP hands on lab_en
SAP hands on lab_en
 
I Didn't Know You Could Do That with zOS.pdf
I Didn't Know You Could Do That with zOS.pdfI Didn't Know You Could Do That with zOS.pdf
I Didn't Know You Could Do That with zOS.pdf
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode Compositions
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection System
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
Installing tivoli system automation for high availability of db2 udb bcu on a...
Installing tivoli system automation for high availability of db2 udb bcu on a...Installing tivoli system automation for high availability of db2 udb bcu on a...
Installing tivoli system automation for high availability of db2 udb bcu on a...
 
linux installation.pdf
linux installation.pdflinux installation.pdf
linux installation.pdf
 
Kamailio - Secure Communication
Kamailio - Secure CommunicationKamailio - Secure Communication
Kamailio - Secure Communication
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Recently uploaded (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

Sql Injection 0wning Enterprise

  • 1. SQL INJECTION One Click 0wnage using SQL Map By: Taufiq Ali
  • 2. LAB SETUP  VM with Hacme Bank Installed  http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja- sec-com/  On Windows latest version of Python  SQLMap For Windows  https://github.com/sqlmapproject/sqlmap/zipball/master  SQLMap For *nix  It is there on BT5 2
  • 3. OWASP TOP 10 A1 : Injection  Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
  • 4. INJECTIONS  Common type of injections :  SQL  LDAP  Xpath  Etc.  Impact  As disastrous as handling the database over to the attacker  Can also lead to OS level access
  • 5. DEFINITION  Exploiting poorly filtered or in-correctly escaped SQL queries to parse (execute) data from user input  Major Classes  Error Based  Blind Injections  Boolean Injections  Etc. 5
  • 6. HOW DOES IT WORK?  Application presents a form to the attacker  Attacker sends an attack in the form data  Application forwards attack to the database in a SQL query  Database runs query containing attack and sends encrypted result back to application  Application renders data as to the user
  • 9. SQL MAP INTRODUCTION
    • Powerful command line utility to exploit SQL injection vulnerabilities
    • Support for the following databases: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB
  • 10. SQL INJECTION TECHNIQUES
    • Boolean-based blind
    • Time-based blind
    • Error-based
    • UNION query
    • Stacked queries
    • Out-of-band
  • 11. KEY SQL MAP SWITCHES
    • -u <URL>
    • --cookie (authentication)
    • --dbs (to enumerate databases)
    • -r (for a request saved in a .txt file)
    • --technique (SQL injection technique)
    • --dbms (specify DBMS)
    • -D <database name> --tables
    • -T <table name> --columns
    • -C <column name> --dump
    • --dump-all (for lazy l33t people)
  • 12. SQL MAP FLOW
    • Enumerate the database names
    • Select a database and enumerate its tables
    • Select a table and enumerate its columns
    • Select a column and enumerate its rows (data)
    • Then choose your way in
  • 13. WHY 0WNING THE ENTERPRISE?
    • Built-in capabilities for cracking hashes
    • Option of running user-defined queries
    • You could run OS-level commands
    • You could have an interactive OS shell
    • Meterpreter shell with Metasploit
  • 14. OPTIONS FOR 0WNING ENTERPRISE
    • --os-cmd: run any OS-level command
    • --os-shell: start an interactive shell
    • --os-pwn: inject a Meterpreter shell
    • --tamper: evade a WAF
  • 15. SQL MAP ++
    • --tor: use the Tor anonymity network
    • --tor-port: set a Tor proxy port other than the default
    • --tor-type: set the Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)
    • --check-payload: offline WAF/IPS/IDS payload detection testing
    • --check-waf: check for existence of WAF/IPS/IDS protection
    • --gpage: use Google dork results from the specified page number
    • --mobile: imitate a smartphone through the HTTP User-Agent header
    • --smart: conduct thorough tests only if positive heuristic(s)
    • --tamper: custom scripts
  • 16. SQL MAP ++ - FILE SYSTEM ACCESS
    These options can be used to access the file system underlying the back-end database management system
    • --file-read=RFILE: read a file from the back-end DBMS file system
    • --file-write=WFILE: write a local file on the back-end DBMS file system
    • --file-dest=DFILE: back-end DBMS absolute filepath to write to
  • 17. SQL MAP ++ - OPERATING SYSTEM ACCESS
    These options can be used to access the operating system underlying the back-end database management system
    • --os-cmd=OSCMD: execute an operating system command
    • --os-shell: prompt for an interactive operating system shell
    • --os-pwn: prompt for an out-of-band shell, Meterpreter or VNC
    • --os-smbrelay: one click prompt for an OOB shell, Meterpreter or VNC
    • --os-bof: stored procedure buffer overflow exploitation
    • --priv-esc: database process' user privilege escalation
    • --msf-path=MSFPATH: local path where Metasploit Framework is installed
    • --tmp-path=TMPPATH: remote absolute path of the temporary files directory
  • 18. SQLMAP ++ - WINDOWS REGISTRY ACCESS
    These options can be used to access the Windows registry of the back-end database management system
    • --reg-read: read a Windows registry key value
    • --reg-add: write Windows registry key value data
    • --reg-del: delete a Windows registry key value
    • --reg-key=REGKEY: Windows registry key
    • --reg-value=REGVAL: Windows registry key value
    • --reg-data=REGDATA: Windows registry key value data
    • --reg-type=REGTYPE: Windows registry key value type
  • 19. TAMPER SCRIPTS – BYPASSING WAF
    • Located inside the tamper folder in SQLMap
    • space2hash.py and space2morehash.py (MySQL)
    • space2mssqlblank.py and space2mysqlblank.py (MSSQL)
    • charencode.py and chardoubleencode.py (different encodings)
    • charunicodeencode.py and percentage.py (to hide the payload against ASP/ASP.NET applications)
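A defender's counterpart to slides 10 and 19, added here as an example that is not part of the deck or of SQLMap: detection logic run over constructed web-server access-log lines. The point of slide 19 is that tamper scripts re-encode a payload (double URL-encoding, spaces replaced by inline comments or by a hash comment plus newline) so that a pattern match on the raw request misses it; the scanner below therefore normalizes each request target first (URL-decoding until the text stops changing, then treating comments as whitespace) and only then matches signatures for the technique families on slide 10. The log lines, IP addresses and User-Agent strings are constructed for the demo; the regexes are illustrative signatures, not a complete rule set.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "method target protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative signatures for the technique families on slide 10, applied to the
# normalized (decoded, comment-stripped, lower-cased) request target.
SIGNATURES = {
    "union-query": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "boolean-blind": re.compile(r"\b(and|or)\s+('[^']*'|\d+)\s*=\s*('[^']*'|\d+)"),
    "time-blind": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b"),
    "error-based": re.compile(r"\b(extractvalue|updatexml)\s*\(|\binformation_schema\b"),
    "stacked-queries": re.compile(r";\s*(select|insert|update|delete|drop|exec|declare)\b"),
}


def normalize(target: str, max_rounds: int = 3) -> str:
    """Undo the encodings a WAF-evasion script adds before any signature is applied."""
    s = target
    for _ in range(max_rounds):          # repeated decoding catches double encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s)     # inline comments used in place of spaces
    s = re.sub(r"#[^\n]*\n", " ", s)     # MySQL hash comment + newline used in place of spaces
    s = re.sub(r"\s+", " ", s)           # collapse whatever whitespace is left
    return s.strip().lower()


def scan_line(line: str):
    """Return {"ip", "target", "hits"} for a parsable line, or None if it is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalize(m.group("target"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(target)]
    if "sqlmap" in m.group("ua").lower():  # tool's default User-Agent, unless --mobile or a custom UA hides it
        hits.append("sqlmap-user-agent")
    return {"ip": m.group("ip"), "target": m.group("target"), "hits": hits}


def scan(lines):
    """Alerts for every line that triggered at least one signature, in log order."""
    alerts = []
    for line in lines:
        result = scan_line(line)
        if result and result["hits"]:
            alerts.append(result)
    return alerts


# Constructed sample log: one benign request and four injection attempts in different encodings.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /account.aspx?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # UNION query, plain percent-encoding, scanner-style User-Agent (constructed value)
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /account.aspx?id=42%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 512 "-" "sqlmap/1.0 (constructed)"',
    # boolean test, double-encoded: %2520 -> %20 -> space
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /account.aspx?id=42%2520AND%25201%253D1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # time-based test with inline comments instead of spaces
    '10.0.0.9 - - [10/Oct/2023:13:55:47 +0000] "GET /account.aspx?id=42/**/AND/**/SLEEP(5) HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # UNION query with hash comment + newline instead of spaces (MySQL style)
    '10.0.0.9 - - [10/Oct/2023:13:55:50 +0000] "GET /account.aspx?id=42%23x%0AUNION%23y%0ASELECT%201,2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ip"], alert["hits"], alert["target"])
```

Only the first line is silent; each of the four remaining requests is flagged even though none of them contains a literal "UNION SELECT" or "AND 1=1" in the raw log, which is exactly the gap the tamper scripts exploit against a WAF that matches before decoding. A production rule set would also rate-limit on request volume per source and watch response sizes and timings, since blind techniques leave little in the request itself.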
  • 20. WHAT YOU SHOULD EXPLORE
    • One Click Ownage with SQL Injection: www.mavitunasecurity.com/s/research/OneClickOwnage.pdf
    • SQL Map with TOR: http://0entropy.blogspot.in/2011/04/sqlmap-and-tor.html
    • SQL MAP Usage Guide: http://sqlmap.sourceforge.net/doc/README.html