The Professional Security Testers Warehouse for the GPEN GSEC GCIH GREM CEH QISP Q/ISP OPST CPTS: SQL Security


SQL Injection and Parameter Manipulation Video Clips
Posted by cdupuis on Wednesday, 03 March 2010 @ 11:13:58 EST (173 reads)
Topic SQL Security

NOTE FROM CLEMENT:
These two videos are very nice videos that demonstrate in simple terms what SQL Injections are and also what Parameter Tampering is. It is not for the purpose of learning everything there is to know about the subject, that would take weeks; the goal is to educate people and developers on the issue. They are great because of their short length and I like the animations as well. One picture is worth a thousand words, they say. In this case one minute of video clip is worth 10 minutes of talks. I will most certainly use them in some of my classes. Job well done. Clement

One of the biggest challenges of the security community is to build true SDLC (Secure development Life Cycle).

The biggest obstacle is that application developers at large lack the know-how and motivation to address application risk. 

At Checkmarx labs we thought that a new approach to application developers might help them cross the barrier.
As a pilot, we have developed two short animated clips that should help developers understand security flaws, how they can be detected and consequently prevented.

We built one clip for SQL Injection and another for Parameter Tampering - limited up to 5 minutes each.

We would appreciate feedback from the OWASP community on whether the effort is meaningful and whether it should be extended.

Please feel free to use the clips freely.

The clips can be found at:

SQL Injection : http://www.youtube.com/watch?v=vjDrseRLyuA&hd=1

Parameter Tampering: http://www.youtube.com/watch?v=l5LCDEDn7FY&hd=1

Yours,

Maty Siman, CISSP
CTO
Checkmarx




Sqlmap version 0.7 has been released
Posted by cdupuis on Thursday, 06 August 2009 @ 22:01:06 EDT (1367 reads)
Topic SQL Security

Anonymous writes "

Hi,

I am glad to release sqlmap version 0.7.

Introduction
============


sqlmap is an open source command-line automatic SQL injection tool.

Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.


Changes
=======


Along all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:

* Adapted Metasploit wrapping functions to work with latest 3.3 development version too.
* Adjusted code to make sqlmap 0.7 work again on Mac OS X too.
* Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or --os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter. This makes sqlmap 0.7 work again on Windows too.
* Minor improvement so that sqlmap also tests all parameters with no value (eg. par=).
* HTTPS requests over HTTP proxy now work on Python 2.4, 2.5 and 2.6+.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.


Download
========


You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.7-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7_exe.zip


Documentation
=============


* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf

* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/


Happy hacking!

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
"



sqlmap version 0.7rc1 has been released
Posted by cdupuis on Thursday, 21 May 2009 @ 08:13:47 EDT (838 reads)
Topic SQL Security

Anonymous writes "

Hi,

I am glad to release sqlmap version 0.7rc1.

WARNING: This release is a candidate, it only works on Linux so please do not complain that it does not work on your Windows or Mac OS X systems.

Introduction
============


sqlmap is an open source command-line automatic SQL injection tool.  Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.


Changes
=======


Some of the new features include:

* Added support to execute arbitrary commands on the database server underlying operating system either returning the standard output or not via UDF injection on MySQL and PostgreSQL and via xp_cmdshell() stored procedure on Microsoft SQL Server;

* Added support for out-of-band connection between the attacker box and the database server underlying operating system via stand-alone payload stager created by Metasploit and supporting Meterpreter, shell and VNC payloads for both Windows and Linux;

* Added support for out-of-band connection via Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored procedure heap-based buffer overflow (MS09-004) exploitation with multi-stage Metasploit payload support;

* Added support for out-of-band connection via SMB reflection attack with UNC path request from the database server to the attacker box by using the Metasploit smb_relay exploit;

* Added support to read and write (upload) both text and binary files on the database server underlying file system for MySQL, PostgreSQL and Microsoft SQL Server;

* Added database process' user privilege escalation via Windows Access Tokens kidnapping on MySQL and Microsoft SQL Server via either Meterpreter's incognito extension or Churrasco stand-alone executable.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

Download
========


You can download it in two formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7rc1.tar.gz
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7rc1.zip


Documentation
=============


* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf

* "Advanced SQL injection to operating system full control" whitepaper[1] and slides[2] presented at Black Hat Europe 2009 in Amsterdam (The Netherlands) on April 16, 2009

[1] http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

[2] http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides


Happy hacking!

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

"



A new version of sqlsus has been released
Posted by cdupuis on Friday, 10 April 2009 @ 21:55:09 EDT (754 reads)
Topic SQL Security

Hi everyone,

A new version of sqlsus has been released and is available at http://sqlsus.sf.net/

You will find on the website a description of the features, along with some documentation and flash demos showing how the tool can be used.

sqlsus is a MySQL injection and takeover tool, written in perl.  Via a command line interface that mimics a mysql console, you can retrieve the database structure / contents, inject a SQL query, download files from the web server, upload and control a backdoor, and much more...

It is designed to maximize the amount of data gathered per web server hit, making the best use (I can think of) of MySQL functions to optimize the available injection space.  sqlsus is focused on PHP/MySQL installations, and integrates some neat features, some of which are really specific to this DBMS.


What's new
==========

- Full SQLite backend, storing queries / results as they come, database structure, variables... into a local SQLite database.
- Added "clone" command to clone some columns, a table, or the full database into a local SQLite database.
- "clone" has a resume ability, allowing it to continue across sessions.
- Rewrite of the blind injection engine (A LOT faster now):
  - keep all the threads busy with micro tasks (huge speed improvement)
  - regular expression matching for each item, prior to bruteforcing (huge drop in the number of hits required)
  - progress meter
- Added cookie support.
- Possibility to change the current database ("use xxx"), and still be able to use all the commands transparently.
- Better query shortening, allowing even more data to be fetched per server hit.
- Got rid of IPC::Shareable, using socketpair() instead.
- Use of BINARY for inband injections, to avoid collation issues.
- Inband injection is now only contained in subqueries, to allow more complex SQL injection scenarios.
...

The full CHANGELOG can be found in the tarball or at
http://sqlsus.sf.net/download.html

Download and enjoy :)

- sativouf




sqlmap version 0.6.4 has been released
Posted by cdupuis on Friday, 06 February 2009 @ 13:49:00 EST (701 reads)
Topic SQL Security

Anonymous writes "

Hi,

I am glad to release sqlmap version 0.6.4.

Introduction
============

sqlmap is an open source command-line automatic SQL injection tool developed in Python.

Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.


Changes
=======

Some of the new features include:

* Major enhancement to make the comparison algorithm also work properly on unstable URLs, automatically, by using the difflib SequenceMatcher object.
* Major enhancement to support SQL data definition statements, SQL data manipulation statements, etc. from the user in SQL query and SQL shell if stacked queries are supported by the web application technology.
* Major speed increase in DBMS basic fingerprint.
* Major bug fix to correctly handle custom SQL "limited" queries on Microsoft SQL Server and Oracle.
* Major bug fix to avoid tracebacks when multiple targets are specified and one of them is not reachable.


Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.


Download
========

You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.4-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4_exe.zip


Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf

* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/


Happy hacking!

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F

"



sqlmap version 0.6.1 has been released
Posted by cdupuis on Wednesday, 26 November 2008 @ 00:00:00 EST (679 reads)
Topic SQL Security

Hi, I am glad to release sqlmap version 0.6.1.

Introduction
============

sqlmap is an automatic SQL injection tool developed in Python.

Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.

Changes
=======

Some of the new features include:

* Added a Metasploit Framework 3 auxiliary module to run sqlmap;

* Implemented possibility to test for and inject also on LIKE statements;

* Implemented --start and --stop options to set the first and the last table entry to dump;

* Added non-interactive/batch-mode (--batch) option to make it easy to wrap sqlmap in Metasploit and any other tool.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

Download
========

You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1_exe.zip


Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/

Happy hacking!

-- Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F



sqlmap an automatic SQL injection
Posted by cdupuis on Thursday, 04 September 2008 @ 00:03:39 EDT (7290 reads)
Topic SQL Security

Hi,

I am glad to release sqlmap version 0.6.

Introduction
============

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.

Changes
=======

Some of the new features include:

* Added multithreading support to set the maximum number of concurrent HTTP requests.

* Implemented SQL shell (--sql-shell) functionality and fixed SQL query (--sql-query, before called -e) to be able to run whatever SELECT statement and get its output in both inband and blind SQL injection attack.

* Added an option (--privileges) to retrieve DBMS users privileges, it also notifies if the user is a DBMS administrator.

* Added support (-c) to read options from configuration file, an example of valid INI file is sqlmap.conf and support (--save) to save command line options on a configuration file.

* Implemented support for HTTPS requests over HTTP(S) proxy.

* Enhanced logging system: added three more levels of verbosity to show also HTTP sent and received traffic.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.


Download
========

You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.6-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6_exe.zip

Note: the subversion repository is not accessible anymore so the only way to get the new release is to download it from one of the above links.

Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf

* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/


Happy hacking!

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile number: +39-3493821385




Deep Blind SQL Injection
Posted by cdupuis on Friday, 29 August 2008 @ 11:32:25 EDT (7077 reads)
Topic SQL Security

Deep Blind SQL Injection reading data is more complex than in classic blind injection. However it is still possible to retrieve data, moreover it is possible with a 66% reduction in the number of requests made of the server, requiring two rather than six requests to retrieve each char.

Related Applications

  • BSQL brute forcer V2: Updated version of the Blind SQL Injection Brute Forcer from www.514.es. Works against PostgreSQL, MySQL, MSSQL and Oracle and supports custom SQL Queries.
  • BSQL Hacker: BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.

Related Presentations

PDF Paper - Deep Blind SQL Injection

MD5: 139CCA843EE5C8F014350A551133AF6D
SHA1: 649F08CFF6FC22FA6CF8AD1A5CD7F84D4008B53E



Deep Blind SQL Injection
Posted by cdupuis on Wednesday, 20 August 2008 @ 23:34:56 EDT (6589 reads)
Topic SQL Security

Deep Blind SQL Injection reading data is more complex than in classic blind injection. However it is still possible to retrieve data, moreover it is possible with a 66% reduction in the number of requests made of the server, requiring two rather than six requests to retrieve each char.

Download White Paper




Pangolin Sql Injection tool version 1.2.5.604 has been released
Posted by boss on Sunday, 18 May 2008 @ 19:57:25 EDT (5899 reads)
Topic SQL Security

Anonymous writes "Hi, all: I'm glad to tell you that Pangolin, the wonderful SQL injection tool, has been updated to version 1.2.5.604. You can download it from here: http://www.nosec.org/web/pangolin

Pangolin is a GUI tool running on Windows to perform as much pen-testing as possible through SQL injection. This version now supports the following databases and operations:

* MSSQL : Server information, Data, CMD execute, Regedit, Write file, Download file, Read file, File Browser...
* MYSQL : Server information, Data, Read file, Write file...
* ORACLE : Server information, Data, Accounts cracking...
* PGSQL : Server information, Data, Read file...
* DB2 : Server information, Data, ...
* INFORMIX : Server information, Data, ...
* SQLITE : Server information, Data, ...
* ACCESS : Server information, Data, ...
* SYBASE : Server information, Data, ...
etc.

And supports:

* HTTPS support
* Pre-Login
* Proxy
* Specify any HTTP headers (User-agent, Cookie, Referer and so on)
* Bypass firewall setting
* Auto-analyzing keyword
* Detailed check options
* Injection-points management
etc.

What are the differences from the others?

* Ease-of-use : What I try to do is make pen-testers care more about the result, not the process. All you should do is click the buttons.
* Amazing Speed : so many people told you things about brute-force SQL injection, is it really necessary? Forget char-by-char, we can go row-by-row (of course, not every injection-point can do this).
* The exact check method : do you really think automated tools like AWVS, APPSCAN can find all injection-points? So, whatever, just check it out, and then enjoy your feeling ;)"



sqlninja 0.2.2 has been released
Posted by boss on Tuesday, 22 January 2008 @ 18:53:40 EST (3938 reads)
Topic SQL Security

cdupuis writes " a new version of sqlninja is out at Sourceforge!

Introduction
============
Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.

Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

- Linux
- FreeBSD
- Mac OS X

You can find it, together with a flash demo of its features at:

http://sqlninja.sourceforge.net

What's new
==========
# Evasion techniques, in order to obfuscate the injected code and confuse/bypass signature-based IPS and application firewalls
# A more sophisticated upload module
# A new 'blind execution' attack mode, useful to issue commands and performs diagnostics when other modes fail
# Automatic URL-encoding now is performed only on sqlninja generated SQL code, giving the user a more granular control on the exploit strings
# Several other minor improvements

What's not so new
=================
# Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
# Bruteforce of 'sa' password, both dictionary-based and incremental
# Privilege escalation to 'sa' if its password has been found
# Creation of a custom xp_cmdshell if the original one has been disabled
# Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
# TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
# Direct and reverse bindshell, both TCP and UDP
# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

Happy hacking !

-- icesurfer "



SQLMap Automated SQL injection tool
Posted by boss on Saturday, 19 January 2008 @ 14:41:37 EST (3565 reads)
Topic SQL Security

cdupuis writes " This might be of interest to penetration testers:

sqlmap is an automatic SQL injection tool entirely developed in Python.

It is capable of performing an extensive database management system back-end fingerprint, retrieving remote DBMS databases, usernames, tables, columns, enumerating entire DBMS, reading system files and much more, taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

http://sqlmap.sourceforge.net/

Best regards,

Laurent de la Vaissiere "



sqlninja 0.2.1 has been released
Posted by boss on Monday, 08 October 2007 @ 00:34:30 EDT (768 reads)
Topic SQL Security

cdupuis writes " Hello fellow security enthusiasts, a new version of sqlninja is out at sourceforge !

Introduction
============

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment.

It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in perl and so far has been successfully tested on:

- Linux
- FreeBSD
- Mac OS X

You can find it, together with a flash demo of its features, at the address:

http://sqlninja.sourceforge.net

What's new
==========

# A new flavor of bruteforce attack, performed remotely on the target DB Server by using its own CPU resources (use it with caution !)

# Detection of the authentication mode (mixed or Windows-only), which is useful to understand whether the bruteforce attack to the 'sa' account can succeed or not

# Documentation is now in HTML format, which should make things much easier for new users

# Several bugfixes and minor improvements

What's not so new
=================

# Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability)

# Bruteforce of 'sa' password

# Privilege escalation to 'sa' if its password has been found

# Creation of a custom xp_cmdshell if the original one has been disabled

# Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections

# TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell

# Direct and reverse bindshell, both TCP and UDP

# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

Happy hacking !

icesurfer "



ISR-Sqlget - Blind SQL Injection Tool
Posted by boss on Tuesday, 26 June 2007 @ 21:10:49 EDT (3989 reads)
Topic SQL Security

Anonymous writes "ISR-sqlget: It's a blind SQL injection tool developed in Perl.

It lets you get databases schemas and tables rows. Using a single GET/POST you can access quietly the database structure and using a single GET/POST you can dump every table row to a csv-like file.

Databases supported:
- IBM DB2
- Microsoft SQL Server
- Oracle
- Postgres
- Mysql
- IBM Informix
- Sybase
- Hsqldb (www.hsqldb.org)
- Mimer (www.mimer.com)
- Pervasive (www.pervasive.com)
- Virtuoso (virtuoso.openlinksw.com)
- SQLite
- Interbase/Yaffil/Firebird (Borland)
- H2 (http://www.h2database.com)
- Mckoi (http://mckoi.com/database/)
- Ingres (http://www.ingres.com)
- MonetDB (http://www.monetdb.nl)
- MaxDB (www.mysql.com/products/maxdb/)
- ThinkSQL (http://www.thinksql.co.uk/)
- SQLBase (http://www.unify.com)

Evasion features:
- Full-width/Half-width Unicode encoding
- Apache non standard CR bypass
- mod_security bypass
- Random uppercase request transform
- PHP Magicquotes: encode every string using db CHR function or similar.
- Convert requests to hexadecimal values
- Avoid non-space replacing for /**/ or (t) tab
- Avoid non || or + concatenation using db concat function or similar.
- Random user-agent
- Random proxy-server
- Random delay request

Common features:
- Database schema download blacklist
- Cookie array support
- SSL support
- Proxy server support
- Database information dumped in csv format

Reporting:
- Database structure graphing to create impact executive reports; requires the Graphviz library (http://www.graphviz.org/)

Demo:
- Demo features (bypassing IBM ISS Proventia IPS) - http://www.infobyte.com.ar/demo/ISR_sqlget_ISS_proventia_bypass.html
Additional Information:
The information has been provided by Francisco Amato.
To keep updated with the tool visit the project's homepage at: http://www.infobyte.com.ar/development.html
"



SQLNinja -- A new version has been released
Posted by boss on Wednesday, 20 June 2007 @ 21:21:46 EDT (768 reads)
Topic SQL Security

Anonymous writes "Hello fellow security enthusiasts,

a new version of sqlninja is out at sourceforge !

Introduction
============
sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment.

It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is released under the GPLv2, it is written in perl and runs on Unix-like boxes. You can find it, together with a flash demo of its features, at the address http://sqlninja.sourceforge.net

What's new
==========
# Test mode, that checks whether the configuration is correct and the injection is successful
# Debug option, which allows printing SQL commands and raw HTTP request/response data. Useful when things are not working and you want to see what's going on under the hood
# Files are uploaded to %TEMP%, bypassing possible write restrictions
# A simplified way to configure the injection parameters
# Interactive config file generation

What's not so new
=================
# Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability)
# Bruteforce of 'sa' password
# Privilege escalation to 'sa' if its password has been found
# Creation of a custom xp_cmdshell if the original one has been disabled
# Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
# TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
# Direct and reverse bindshell, both TCP and UDP
# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

Happy hacking !

--
icesurfer

"



All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2003-2008 by Clement Dupuis and Nathalie Lambert (Site Maintainers).