[WEB SECURITY] Database tools required

Shlomi Narkolayev shlominar at gmail.com
Wed May 12 00:30:09 EDT 2010


Hello,

If it's a little bit serious website/organization so I'm pretty sure you
will not get direct access to the DB,  in most organizations the DMZ
firewall allow access only to the application/web server on port 80/443 and
not to the DB server.
As I understand, you got databases' credentials using Penetration Test on
the application, so I suggest you to use SQL injection to extract databases'
entries in the same way as you found out the credentials.
If you only have Blind SQL Injection, so you can use some automated tools
that will help you extract DB's entries, you can use: Sqlmap, Absinthe,
Pangolin, BSQL Hacker and many others.
Try first to find out the database version: Select @@version;
If it's MySQL, find out tables names using: Select table_schema, table_name
>From information_schema.Tables;
If it's MS-SQL: SELECT name FROM master..sysobjects WHERE xtype = 'U';
Then just run: Select * from %Tables_Names%;

If this website is hosted on GoDaddy or something similar to that, so you
just need to get DBs' server IP, the best way is to get it from the
connection string, you can also try to find the IP using SQL Injection on
the application.

Kind Regards,
Narkolayev Shlomi.

Visit my blog: http://Narkolayev-Shlomi.blogspot.com


On Tue, May 11, 2010 at 10:38 PM, Will Vandevanter <
Will_Vandevanter at rapid7.com> wrote:

>  Check out the following auxiliaries in metasploit:
>
> admin/oracle/oracle_login
> admin/oracle/oracle_sql
> scanner/mssql/mssql_login
> admin/mssql/mssql_sql
> scanner/mysql/mysql_login
> admin/mysql/mysql_sql
> scanner/db2/db2_auth
>
> -Will
>
>  ------------------------------
> *From:* Jorge Correa [jacorream at gmail.com]
> *Sent:* Tuesday, May 11, 2010 3:15 PM
> *To:* Will Vandevanter
> *Cc:* p0wnsauc3 at gmail.com; Parmendra Sharma; websecurity at webappsec.org
>
> *Subject:* Re: [WEB SECURITY] Database tools required
>
>  Could you recommend us some of these Metasploit tools?
>
>
> Thank you,
> Jorge Correa
>
>
>
> On Tue, May 11, 2010 at 13:36, Will Vandevanter <
> Will_Vandevanter at rapid7.com> wrote:
>
>> Also, check out Metasploit which has some great modules for connecting to
>> specific DBs.
>>
>> ________________________________________
>> From: TAS [p0wnsauc3 at gmail.com]
>> Sent: Tuesday, May 11, 2010 1:59 PM
>> To: Parmendra Sharma; websecurity at webappsec.org
>> Subject: Re: [WEB SECURITY] Database tools required
>>
>> Hi,
>>
>> Though your are not very clear with your question, I assume, since you
>> have got the DB credentials, you want to connect to the database at the
>> backend directly. If that is so, every database has its client. Download and
>> install the client and connect to the backend.
>>
>> TAS!
>>
>> Sent from BlackBerry® - Vodafone
>>
>> ________________________________
>> From: Parmendra Sharma <s.parmendra at gmail.com>
>> Date: Tue, 11 May 2010 11:07:20 +0530
>> To: <websecurity at webappsec.org>
>> Subject: [WEB SECURITY] Database tools required
>>
>> Hi All,
>>
>> While performing a VA / PT exercise of an application i got the database
>> credentials. Kindly suggest any tool which connects me to the database
>> through the application.
>>
>> --
>> Thanks and Regards:
>>
>> Parmendra Sharma
>> Computer Security Analyst
>>
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/archive/
>>
>> Subscribe via RSS:
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20100512/30867912/attachment.html>


More information about the websecurity mailing list