Sql Injection 0wning Enterprise


Published on

null Mumbai Chapter - September 2012 Meet

Published in: Technology
1 Comment
  • Thanks for providing this. It's awesome.
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Sql Injection 0wning Enterprise

  1. 1. SQL INJECTIONOne Click 0wnage using SQL Map By: Taufiq Ali
  2. 2. LAB SETUP VM with Hacme Bank Installed  http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja- sec-com/ On Windows latest version of Python SQLMap For Windows  https://github.com/sqlmapproject/sqlmap/zipball/master SQLMap For *nix  It is there on BT5 2
  3. 3. OWASP TOP 10A1 : Injection  Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
  4. 4. INJECTIONS Common type of injections :  SQL  LDAP  Xpath  Etc. Impact  As disastrous as handling the database over to the attacker  Can also lead to OS level access
  5. 5. DEFINITION Exploiting poorly filtered or in-correctly escaped SQL queries to parse (execute) data from user input Major Classes  Error Based  Blind Injections  Boolean Injections  Etc. 5
  6. 6. HOW DOES IT WORK? Application presents a form to the attacker Attacker sends an attack in the form data Application forwards attack to the database in a SQL query Database runs query containing attack and sends encrypted result back to application Application renders data as to the user
  8. 8. SQL MAP0wnage 0wange 0wnage..
  9. 9. SQL MAP INTRODUCTION Powerful command line utility to exploit SQL Injection vulnerability Support for following databases  MySQL  IBM DB2  Oracle  SQLite  PostgreSQL  Firebird  Microsoft SQL Server  Sybase and  Microsoft Access  SAP MaxDB
  10. 10. SQL INJECTION TECHNIQUES Boolean-based blind Time-based blind Error-based UNION query Stacked queries Out-of-band 10
  11. 11. KEY SQL MAP SWITCHES -u <URL> --cookie (Authentication) -dbs (To enumerate databases) - r (For request in .txt file) -technique (SQL injection technique) - dbms (Specify DBMS) -D <database name> --tables -T <table name> --columns -C <column name> --dump --dump-all (for lazy l33t people)
  12. 12. SQL MAP FLOW Enumerate the database name Select database and enumerate tables Select tables and enumerate columns Select a column and enumerate rows(data) Then choose your way in
  13. 13. WHY 0WNING THE ENTERPRISE? Built in capabilities for cracking hashes Options of running user defined queries You could run OS level commands You could have an interactive OS shell Meterpreter shell with Metasploit 13
  14. 14. OPTIONS FOR 0WNING ENTERPRISE --os-cmd  Run any OS level command --os-shell  Starts an interactive shell --os-pwn  Injects a Meterpreter shell --tamper  Evading WAF 14
  15. 15. SQL MAP ++ --tor: Use Tor anonymity network --tor-port: Set Tor proxy port other than default --tor-type: Set Tor proxy type (HTTP - default, SOCKS4 or SOCKS5) --check-payload: Offline WAF/IPS/IDS payload detection testing --check-waf: heck for existence of WAF/IPS/IDS protection --gpage: Use Google dork results from specified page number --mobile: Imitate smartphone through HTTP User-Agent header --smart: Conduct through tests only if positive heuristic(s) --tamper: custom scripts 15
  16. 16. SQL MAP ++ - FILE SYSTEM ACCESS These options can be used to access the back-end database management system underlying file system --file-read=RFILE: Read a file from the back-end DBMS file system --file-write=WFILE: Write a local file on the back-end DBMS file system --file-dest=DFILE; Back-end DBMS absolute filepath to write to 16
  17. 17. SQL MAP ++ - OPERATING SYSTEM ACCESS These options can be used to access the back-end database management system underlying operating system --os-cmd=OSCMD - Execute an operating system command --os-shell - Prompt for an interactive operating system shell --os-pwn - Prompt for an out-of-band shell, meterpreter or VNC --os-smbrelay - One click prompt for an OOB shell, meterpreter or VNC --os-bof - Stored procedure buffer overflow exploitation --priv-esc - Database process user privilege escalation --msf-path=MSFPATH Local path where Metasploit Framework is installed --tmp-path=TMPPATH Remote absolute path of temporary files directory 17
  18. 18. SQLMAP ++ -WINDOWS REGISTRY ACCESS These options can be used to access the back-end database management system Windows registry --reg-read - Read a Windows registry key value --reg-add - Write a Windows registry key value data --reg-del - Delete a Windows registry key value --reg-key=REGKEY - Windows registry key --reg-value=REGVAL - Windows registry key value --reg-data=REGDATA - Windows registry key value data --reg-type=REGTYPE - Windows registry key value type 18
  19. 19. TAMPER SCRIPTS – BYPASSING WAF Located inside the tamper folder in SQLMap space2hash.py and space2morehash.py (MySQL) space2mssqlblank.py and space2mysqlblank.py (MSSQL) charencode.py and chardoubleencode.py (Different Encodings) charunicodeencode.py and percentage.py (To hide payload against ASP/ASP.NET applications) 19
  20. 20. WHAT YOU SHOULD EXPLORE One Click Ownage with SQL Inection www.mavitunasecurity.com/s/research/OneClickOwnage.pdf SQL Map with TOR http://0entropy.blogspot.in/2011/04/sqlmap-and-tor.html SQL MAP Usage Guide http://sqlmap.sourceforge.net/doc/README.html 20
  21. 21. One click 0wnageTHANK YOU! 21