The Professional Security Testers Warehouse for the GPEN GSEC GCIH GREM CEH QISP Q/ISP OPST CPTS: SQL Security
SQL Injection and Parameter Manipulation Video Clips Posted by cdupuis on Wednesday, 03 March 2010 @ 11:13:58 EST (173 reads) Topic SQL Security
NOTE FROM CLEMENT: These two videos are very nice videos that demonstrate in simple terms what SQL Injection is and also what Parameter Tampering is. They are not meant to teach everything there is to know about the subject, which would take weeks; the goal is to educate people and developers on the issue. They are great because of their short length, and I like the animations as well. One picture is worth a thousand words, they say. In this case one minute of video clip is worth 10 minutes of talk. I will most certainly use them in some of my classes. Job well done. Clement
One of the biggest challenges of the security community is to build a true SDLC (Secure Development Life Cycle).
The biggest obstacle is that application developers at large lack the know-how and motivation to address application risk.
At Checkmarx labs we thought that a new approach to application developers might help them cross the barrier. We have developed, as a pilot, two short animated clips that should help developers understand security flaws, how they can be detected and consequently prevented.
We built one clip for SQL Injection and another for Parameter Tampering, limited to 5 minutes each. We would appreciate feedback from the OWASP community on whether the effort is meaningful and whether it should be extended.
Please feel free to use the clips. The clips can be found at:
SQL Injection: http://www.youtube.com/watch?v=vjDrseRLyuA&hd=1
Parameter Tampering: http://www.youtube.com/watch?v=l5LCDEDn7FY&hd=1
Yours,
Maty Siman, CISSP
CTO Checkmarx
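The two flaws the clips cover, shown side by side in code as an added example (this is not part of the post and not Checkmarx's material): a login built by string concatenation next to its parameterised form, and an order lookup that trusts a client-supplied id next to one that checks ownership against the server-side session. The in-memory SQLite database, the table and column names, the accounts and the orders are all constructed for the demonstration; passwords are stored in clear only to keep the example short.

```python
"""Added example: SQL injection and parameter tampering, vulnerable vs. fixed.
Not code from the original post. Schema and data are constructed inline."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample database: two users, one order each.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
        INSERT INTO orders VALUES (100, 1, 'laptop'), (101, 2, 'phone');
    """)
    return conn


# --- SQL injection ---------------------------------------------------------
def login_vulnerable(conn, name, password):
    # The input is pasted into the statement, so it can change the SQL grammar:
    # password = ' OR '1'='1  turns the WHERE clause into "... OR '1'='1'".
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, name, password):
    # Placeholders: the values travel separately from the statement and can
    # only ever be compared as data. (Real code would compare password hashes.)
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


# --- Parameter tampering ----------------------------------------------------
def get_order_vulnerable(conn, order_id):
    # Parameterised, so no injection, but the id comes straight from the
    # request: any logged-in user can read any other user's order by editing it.
    row = conn.execute("SELECT item FROM orders WHERE id = ?", (order_id,)).fetchone()
    return row[0] if row else None


def get_order_fixed(conn, session_user_id, order_id):
    # Ownership is enforced in the query with the user id taken from the
    # server-side session, never from the request.
    row = conn.execute(
        "SELECT item FROM orders WHERE id = ? AND user_id = ?",
        (order_id, session_user_id),
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vuln_login": login_vulnerable(conn, "alice", payload),   # 1: bypassed
        "fixed_login": login_fixed(conn, "alice", payload),       # None
        "vuln_order": get_order_vulnerable(conn, 101),            # 'phone' leaks to anyone
        "fixed_order": get_order_fixed(conn, 1, 101),             # None: not alice's order
    }


if __name__ == "__main__":
    print(demo())
```

The parameter-tampering half is the point developers most often miss: `get_order_vulnerable` is already "safe" against injection, yet it is still exploitable because the authorisation decision is left to a value the client controls.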
Sqlmap version 0.7 has been released Posted by cdupuis on Thursday, 06 August 2009 @ 22:01:06 EDT (1367 reads) Topic SQL Security
Anonymous writes "Hi,
I am glad to release sqlmap version 0.7.
Introduction ============
sqlmap is an open source command-line automatic SQL injection tool.
Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.
Changes =======
Along with all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:
* Adapted Metasploit wrapping functions to work with the latest 3.3 development version too.
* Adjusted code to make sqlmap 0.7 work again on Mac OS X too.
* Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or --os-bof is selected) when running under Windows, because msfconsole and msfcli are not supported on the native Windows Ruby interpreter. This makes sqlmap 0.7 work again on Windows too.
* Minor improvement so that sqlmap also tests all parameters with no value (e.g. par=).
* HTTPS requests over an HTTP proxy now work on Python 2.4, 2.5 and 2.6+.
Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.
Download ========
You can download it in various formats:
* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.7-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7_exe.zip
Documentation =============
* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/
Happy hacking!
-- Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
"
sqlmap version 0.7rc1 has been released Posted by cdupuis on Thursday, 21 May 2009 @ 08:13:47 EDT (838 reads) Topic SQL Security
Anonymous writes "Hi,
I am glad to release sqlmap version 0.7rc1.
WARNING: This release is a candidate, it only works on Linux so please do not complain that it does not work on your Windows or Mac OS X systems.
Introduction ============
sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.
Changes =======
Some of the new features include:
* Added support to execute arbitrary commands on the database server underlying operating system either returning the standard output or not via UDF injection on MySQL and PostgreSQL and via xp_cmdshell() stored procedure on Microsoft SQL Server;
* Added support for out-of-band connection between the attacker box and the database server underlying operating system via stand-alone payload stager created by Metasploit and supporting Meterpreter, shell and VNC payloads for both Windows and Linux;
* Added support for out-of-band connection via Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored procedure heap-based buffer overflow (MS09-004) exploitation with multi-stage Metasploit payload support;
* Added support for out-of-band connection via SMB reflection attack with UNC path request from the database server to the attacker box by using the Metasploit smb_relay exploit;
* Added support to read and write (upload) both text and binary files on the database server underlying file system for MySQL, PostgreSQL and Microsoft SQL Server;
* Added database process' user privilege escalation via Windows Access Tokens kidnapping on MySQL and Microsoft SQL Server via either Meterpreter's incognito extension or Churrasco stand-alone executable.
Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.
Download ========
You can download it in two formats:
* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7rc1.tar.gz
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7rc1.zip
Documentation =============
* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* "Advanced SQL injection to operating system full control" whitepaper[1] and slides[2] presented at Black Hat Europe 2009 in Amsterdam (The Netherlands) on April 16, 2009
[1] http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf
[2] http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides
Happy hacking!
-- Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com Mobiles: +447788962949 (UK), +393493821385 (IT) PGP Key ID: 0x05F5A30F "
A new version of sqlsus has been released Posted by cdupuis on Friday, 10 April 2009 @ 21:55:09 EDT (754 reads) Topic SQL Security
Hi everyone, A new version of sqlsus has been released and is available at http://sqlsus.sf.net/
You will find on the website a description of the features, along with some documentation and flash demos showing how the tool can be used. sqlsus is a MySQL injection and takeover tool, written in perl. Via a command line interface that mimics a mysql console, you can retrieve the database structure / contents, inject a SQL query, download files from the web server, upload and control a backdoor, and much more...
It is designed to maximize the amount of data gathered per web server hit, making the best use (I can think of) of MySQL functions to optimize the available injection space. sqlsus is focused on PHP/MySQL installations, and integrates some neat features, some of which are really specific to this DBMS.
What's new ==========
- Full SQLite backend, storing queries / results as they come, database structure, variables... into a local SQLite database.
- Added "clone" command to clone some columns, a table, or the full database into a local SQLite database.
- "clone" has a resume ability, allowing it to continue across sessions.
- Rewrite of the blind injection engine (A LOT faster now):
  - keep all the threads busy with micro tasks (huge speed improvement)
  - regular expression matching for each item, prior to bruteforcing (huge drop in the number of hits required)
  - progress meter
- Added cookie support.
- Possibility to change the current database ("use xxx"), and still be able to use all the commands transparently.
- Better query shortening, allowing even more data to be fetched per server hit.
- Got rid of IPC::Shareable, using socketpair() instead.
- Use of BINARY for inband injections, to avoid collation issues.
- Inband injection is now only contained in subqueries, to allow more complex SQL injection scenarios.
...
The full CHANGELOG can be found in the tarball or at http://sqlsus.sf.net/download.html
Download and enjoy :)
- sativouf
sqlmap version 0.6.4 has been released Posted by cdupuis on Friday, 06 February 2009 @ 13:49:00 EST (701 reads) Topic SQL Security
Anonymous writes "Hi,
I am glad to release sqlmap version 0.6.4.
Introduction ============
sqlmap is an open source command-line automatic SQL injection tool developed in Python.
Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.
Changes =======
Some of the new features include:
* Major enhancement to make the comparison algorithm also work properly, automatically, on URLs whose responses are not stable, by using the difflib SequenceMatcher object.
* Major enhancement to support SQL data definition statements, SQL data manipulation statements, etc. from the user in the SQL query and SQL shell, if stacked queries are supported by the web application technology.
* Major speed increase in DBMS basic fingerprint.
* Major bug fix to correctly handle custom SQL "limited" queries on Microsoft SQL Server and Oracle.
* Major bug fix to avoid tracebacks when multiple targets are specified and one of them is not reachable.
Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.
Download ========
You can download it in various formats:
* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.4-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4_exe.zip
Documentation =============
* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/
Happy hacking!
-- Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F "
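The first 0.6.4 item above, comparing responses with difflib so that a dynamic page does not defeat boolean-based blind detection, is the part of a blind injection engine that most often goes wrong in practice. The following is an added illustration of that idea and not sqlmap's own code: two requests with the unmodified parameter calibrate how much the page drifts on its own (here a per-request id and a timestamp), and an injected condition is classed as true only when its response is at least that similar to the baseline. The four HTML responses, the slack value and the function names are constructed for the example.

```python
"""Added example (not sqlmap's code): classify boolean-blind responses on a
page whose body changes on every request, using difflib.SequenceMatcher.
All responses below are constructed inline."""
import difflib

# Constructed responses.
# BASE_1 / BASE_2: two requests with the original, unmodified parameter.
# TRUE_PAGE: parameter with an injected condition that evaluates true
#            (listing unchanged, only the request id and timestamp differ).
# FALSE_PAGE: the injected condition evaluates false and the listing is empty.
BASE_1 = "<html><body><p>req=7f3a ts=1233942811</p><ul><li>Widget A</li><li>Widget B</li></ul></body></html>"
BASE_2 = "<html><body><p>req=91c0 ts=1233942812</p><ul><li>Widget A</li><li>Widget B</li></ul></body></html>"
TRUE_PAGE = "<html><body><p>req=be84 ts=1233942813</p><ul><li>Widget A</li><li>Widget B</li></ul></body></html>"
FALSE_PAGE = "<html><body><p>req=d5c2 ts=1233942814</p><ul></ul></body></html>"

SLACK = 0.02  # assumed tolerance below the calibrated similarity


def ratio(a, b):
    """Similarity in [0, 1] = 2*matched/(len(a)+len(b)); 1.0 means identical.
    autojunk=False so that characters frequent in HTML are not discarded."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def calibrate(samples):
    """Threshold learned from at least two requests with the unmodified
    value: the page's own request-to-request drift, minus a little slack."""
    base = samples[0]
    return min(ratio(base, s) for s in samples[1:]) - SLACK


def condition_is_true(base, response, threshold):
    """A response at least as similar to the baseline as the page's natural
    drift is classified as the 'true' branch of the injected condition."""
    return ratio(base, response) >= threshold


def classify(samples, true_page, false_page):
    threshold = calibrate(samples)
    return {
        "threshold": threshold,
        "true_cond": condition_is_true(samples[0], true_page, threshold),
        "false_cond": condition_is_true(samples[0], false_page, threshold),
    }


if __name__ == "__main__":
    print(classify([BASE_1, BASE_2], TRUE_PAGE, FALSE_PAGE))
```

The caveat a tester should keep in mind: calibration only works if the page's own drift is small compared with the difference the injected condition produces. On a page where most of the body changes per request (ads, feeds, session-bound content) the learned threshold drops so low that false responses pass it too, and a fixed marker string that only appears on the true branch is the better oracle.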
sqlmap version 0.6.1 has been released Posted by cdupuis on Wednesday, 26 November 2008 @ 00:00:00 EST (679 reads) Topic SQL Security
Hi, I am glad to release sqlmap version 0.6.1.
Introduction ============
sqlmap is an automatic SQL injection tool developed in Python.
Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.
Changes =======
Some of the new features include:
* Added a Metasploit Framework 3 auxiliary module to run sqlmap;
* Implemented possibility to test for and inject also on LIKE statements;
* Implemented --start and --stop options to set the first and the last table entry to dump;
* Added non-interactive/batch-mode (--batch) option to make it easy to wrap sqlmap in Metasploit and any other tool.
Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.
Download ========
You can download it in various formats:
* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1_exe.zip
Documentation =============
* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/
Happy hacking!
-- Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
sqlmap an automatic SQL injection Posted by cdupuis on Thursday, 04 September 2008 @ 00:03:39 EDT (7290 reads) Topic SQL Security
Hi,
I am glad to release sqlmap version 0.6.
Introduction ============
sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.
Changes =======
Some of the new features include:
* Added multithreading support to set the maximum number of concurrent HTTP requests.
* Implemented SQL shell (--sql-shell) functionality and fixed SQL query (--sql-query, before called -e) to be able to run whatever SELECT statement and get its output in both inband and blind SQL injection attack.
* Added an option (--privileges) to retrieve DBMS users privileges, it also notifies if the user is a DBMS administrator.
* Added support (-c) to read options from configuration file, an example of valid INI file is sqlmap.conf and support (--save) to save command line options on a configuration file.
* Implemented support for HTTPS requests over HTTP(S) proxy.
* Enhanced logging system: added three more levels of verbosity to show also HTTP sent and received traffic.
Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.
Download ========
You can download it in various formats:
* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.6-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6_exe.zip
Note: the subversion repository is not accessible anymore so the only way to get the new release is to download it from one of the above links.
Documentation =============
* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/
Happy hacking!
-- Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com Mobile number: +39-3493821385
Deep Blind SQL Injection Posted by cdupuis on Friday, 29 August 2008 @ 11:32:25 EDT (7077 reads) Topic SQL Security
In Deep Blind SQL Injection, reading data is more complex than in classic blind injection. However, it is still possible to retrieve data, and with a 66% reduction in the number of requests made to the server: two rather than six requests to retrieve each character.
Related Applications
- BSQL brute forcer V2: Updated version of the Blind SQL Injection Brute Forcer from www.514.es. Works against PostgreSQL, MySQL, MSSQL and Oracle and supports custom SQL queries.
- BSQL Hacker: BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.
Related Presentations
PDF Paper - Deep Blind SQL Injection
MD5: 139CCA843EE5C8F014350A551133AF6D
SHA1: 649F08CFF6FC22FA6CF8AD1A5CD7F84D4008B53E
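To make the request count concrete, here is an added simulation (not code from the paper or from this page) of reading a value two requests per character: each half of the byte is encoded as the length of a time delay the server imposes, next to the one-request-per-bit approach it replaces. The "server" is a stand-in that reports the delay it would have caused, plus some jitter, instead of sleeping, so the example runs offline in milliseconds; the secret, the unit delay, the jitter bound and the sketched WAITFOR DELAY statements in the comments are assumptions, and nothing here contacts a real system.

```python
"""Added example: deep-blind (delay-length) extraction vs. bit-at-a-time
extraction, simulated against a fake server. Not code from the page."""
import random

UNIT = 1.0          # assumed seconds per unit of injected delay
MAX_JITTER = 0.3    # assumed network jitter; must stay well under UNIT / 2


class FakeServer:
    """Stands in for a page with a time-based blind SQL injection."""

    def __init__(self, secret, seed=1):
        self.secret = secret
        self.requests = 0
        self.rng = random.Random(seed)   # deterministic jitter for the demo

    def _observe(self, seconds):
        # What the attacker measures: the injected delay plus network jitter.
        self.requests += 1
        return seconds + self.rng.uniform(-MAX_JITTER, MAX_JITTER)

    def request_bit(self, pos, bit):
        # Classic blind: one request per bit, e.g. (sketched MSSQL)
        #   IF (ASCII(SUBSTRING(x, pos, 1)) & 2^bit) > 0 WAITFOR DELAY '0:0:1'
        code = ord(self.secret[pos])
        return self._observe(UNIT if code & (1 << bit) else 0.0)

    def request_nibble(self, pos, high):
        # Deep blind: the delay LENGTH carries the value, e.g. (sketched MSSQL)
        #   WAITFOR DELAY '0:0:' + CAST(ASCII(SUBSTRING(x, pos, 1)) / 16 AS varchar)
        # for the high half-byte, and ... % 16 for the low half-byte.
        code = ord(self.secret[pos])
        value = code >> 4 if high else code & 0x0F
        return self._observe(value * UNIT)


def decode_delay(seconds):
    """Attacker side: round an observed delay to the integer it encodes."""
    return int(round(seconds / UNIT))


def extract_bitwise(server, length):
    """One request per bit (7 for ASCII): the baseline deep blind improves on."""
    out = []
    for pos in range(length):
        code = 0
        for bit in range(7):
            if decode_delay(server.request_bit(pos, bit)):
                code |= 1 << bit
        out.append(chr(code))
    return "".join(out)


def extract_deep_blind(server, length):
    """Two requests per character: high half-byte, then low half-byte."""
    out = []
    for pos in range(length):
        high = decode_delay(server.request_nibble(pos, True))
        low = decode_delay(server.request_nibble(pos, False))
        out.append(chr((high << 4) | low))
    return "".join(out)


def compare(secret="sa:P@ss"):
    """Returns what each method recovered and how many requests it cost."""
    a = FakeServer(secret)
    b = FakeServer(secret)
    return {
        "bitwise": (extract_bitwise(a, len(secret)), a.requests),
        "deep_blind": (extract_deep_blind(b, len(secret)), b.requests),
    }


if __name__ == "__main__":
    print(compare())
```

The trade-off is visible in `decode_delay`: fewer requests are bought with longer ones (a low half-byte of 15 waits 15 units), and the smallest usable unit is bounded by the jitter, since a measured delay must still round to the right integer. WAITFOR DELAY is specific to Microsoft SQL Server; MySQL's SLEEP() and PostgreSQL's pg_sleep() play the same role elsewhere.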
Pangolin Sql Injection tool version 1.2.5.604 has been released Posted by boss on Sunday, 18 May 2008 @ 19:57:25 EDT (5899 reads) Topic SQL Security
Anonymous writes "Hi, all:
I’m glad to tell you that Pangolin, the wonderful Sql injection tool, has been updated to version 1.2.5.604.
You can download it from here: http://www.nosec.org/web/pangolin
Pangolin is a GUI tool running on Windows to perform as more as possible pen-testing through SQL injection. This version now supports following databases and operations:
* MSSQL: Server information, Data, CMD execute, Regedit, Write file, Download file, Read file, File Browser...
* MYSQL: Server information, Data, Read file, Write file...
* ORACLE: Server information, Data, Accounts cracking...
* PGSQL: Server information, Data, Read file...
* DB2: Server information, Data, ...
* INFORMIX: Server information, Data, ...
* SQLITE: Server information, Data, ...
* ACCESS: Server information, Data, ...
* SYBASE: Server information, Data, ...
etc.
And supports:
* HTTPS support
* Pre-Login
* Proxy
* Specify any HTTP headers (User-agent, Cookie, Referer and so on)
* Bypass firewall setting
* Auto-analyzing keyword
* Detailed check options
* Injection-points management
etc.
What's different from the others?
* Ease of use: What I try to do is make pen-testers care more about the result, not the process. All you should do is click the buttons.
* Amazing speed: so many people told you things about brute-forcing SQL injection, is it really necessary? Forget char-by-char, we can go row-by-row (of course, not every injection point can do this).
* The exact check method: do you really think automated tools like AWVS or AppScan can find all injection points?
So, whatever, just check it out, and then enjoy your feeling ;)"
sqlninja 0.2.2 has been released Posted by boss on Tuesday, 22 January 2008 @ 18:53:40 EST (3938 reads) Topic SQL Security
cdupuis writes " a new version of sqlninja is out at Sourceforge!
Introduction =========
Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:
- Linux
- FreeBSD
- Mac OS X
You can find it, together with a flash demo of its features at:
http://sqlninja.sourceforge.net
What's new ========
# Evasion techniques, in order to obfuscate the injected code and confuse/bypass signature-based IPS and application firewalls
# A more sophisticated upload module
# A new 'blind execution' attack mode, useful to issue commands and perform diagnostics when other modes fail
# Automatic URL-encoding is now performed only on sqlninja-generated SQL code, giving the user more granular control over the exploit strings
# Several other minor improvements
What's not so new ============
# Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
# Bruteforce of 'sa' password, both dictionary-based and incremental
# Privilege escalation to 'sa' if its password has been found
# Creation of a custom xp_cmdshell if the original one has been disabled
# Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
# TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
# Direct and reverse bindshell, both TCP and UDP
# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
Happy hacking !
-- icesurfer "
SQLMap Automated SQL injection tool Posted by boss on Saturday, 19 January 2008 @ 14:41:37 EST (3565 reads) Topic SQL Security
cdupuis writes " This might be of interest to penetration testers:
sqlmap is an automatic SQL injection tool entirely developed in Python.
It is capable of performing an extensive database management system back-end fingerprint, retrieving remote DBMS databases, usernames, tables and columns, enumerating the entire DBMS, reading system files and much more, taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.
http://sqlmap.sourceforge.net/
Best regards,
Laurent de la Vaissiere "
sqlninja 0.2.1 has been released Posted by boss on Monday, 08 October 2007 @ 00:34:30 EDT (768 reads) Topic SQL Security
cdupuis writes " Hello fellow security enthusiasts, a new version of sqlninja is out at sourceforge !
Introduction
Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment.
It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
It is written in Perl and so far has been successfully tested on:
- Linux
- FreeBSD
- Mac OS X
You can find it, together with a flash demo of its features, at the address:
http://sqlninja.sourceforge.net
What's new
# A new flavor of bruteforce attack, performed remotely on the target DB Server by using its own CPU resources (use it with caution !)
# Detection of the authentication mode (mixed or Windows-only), which is useful to understand whether the bruteforce attack against the 'sa' account can succeed or not
# Documentation is now in HTML format, which should make things much easier for new users
# Several bugfixes and minor improvements
What's not so new
# Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability)
# Bruteforce of 'sa' password
# Privilege escalation to 'sa' if its password has been found
# Creation of a custom xp_cmdshell if the original one has been disabled
# Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
# TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
# Direct and reverse bindshell, both TCP and UDP
# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
Happy hacking !
icesurfer "
ISR-Sqlget - Blind SQL Injection Tool Posted by boss on Tuesday, 26 June 2007 @ 21:10:49 EDT (3989 reads) Topic SQL Security
Anonymous writes "ISR-sqlget: It's a blind SQL injection tool developed in Perl.
It lets you get database schemas and table rows. Using a single GET/POST you can quietly access the database structure, and using a single GET/POST you can dump every table row to a CSV-like file.
Databases supported:
- IBM DB2
- Microsoft SQL Server
- Oracle
- Postgres
- MySQL
- IBM Informix
- Sybase
- Hsqldb (www.hsqldb.org)
- Mimer (www.mimer.com)
- Pervasive (www.pervasive.com)
- Virtuoso (virtuoso.openlinksw.com)
- SQLite
- Interbase/Yaffil/Firebird (Borland)
- H2 (http://www.h2database.com)
- Mckoi (http://mckoi.com/database/)
- Ingres (http://www.ingres.com)
- MonetDB (http://www.monetdb.nl)
- MaxDB (www.mysql.com/products/maxdb/)
- ThinkSQL (http://www.thinksql.co.uk/)
- SQLBase (http://www.unify.com)
Evasion features:
- Full-width/Half-width Unicode encoding
- Apache non-standard CR bypass
- mod_security bypass
- Random uppercase request transform
- PHP Magic Quotes: encode every string using the DB's CHR function or similar.
- Convert requests to hexadecimal values
- Space avoidance: replace spaces with /**/ or a (t) tab
- Avoid || or + concatenation by using the DB's concat function or similar.
- Random user-agent
- Random proxy server
- Random request delay
Common features:
- Database schema download blacklist
- Cookie array support
- SSL support
- Proxy server support
- Database information dumped in CSV format
Reporting:
- Database structure graphs for executive impact reports (requires the Graphviz library, http://www.graphviz.org/)
Demo:
- Demo features (bypassing IBM ISS Proventia IPS): http://www.infobyte.com.ar/demo/ISR_sqlget_ISS_proventia_bypass.html
Additional Information: The information has been provided by Francisco Amato. To keep updated with the tool visit the project's homepage at: http://www.infobyte.com.ar/development.html "
SQLNinja -- A new version has been released Posted by boss on Wednesday, 20 June 2007 @ 21:21:46 EDT (768 reads) Topic SQL Security
Anonymous writes "Hello fellow security enthusiasts,
a new version of sqlninja is out at sourceforge !
Introduction ============ sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment.
It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
It is released under the GPLv2, it is written in Perl and runs on Unix-like boxes. You can find it, together with a flash demo of its features, at the address http://sqlninja.sourceforge.net
What's new ==========
# Test mode, that checks whether the configuration is correct and the injection is successful
# Debug option, which allows to print SQL commands and raw HTTP request/response data. Useful when things are not working and you want to see what's going on under the hood
# Files are uploaded to %TEMP%, bypassing possible write restrictions
# A simplified way to configure the injection parameters
# Interactive config file generation
What's not so new =================
# Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability)
# Bruteforce of 'sa' password
# Privilege escalation to 'sa' if its password has been found
# Creation of a custom xp_cmdshell if the original one has been disabled
# Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
# TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
# Direct and reverse bindshell, both TCP and UDP
# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
Happy hacking !
-- icesurfer
"