[WEB SECURITY] Database tools required

Shlomi Narkolayev shlominar at gmail.com
Wed May 12 03:05:42 EDT 2010


If you don't have direct access to DB server, then no tool can help you.

There are two options left for you:
1) Try to upload ASP file (You can use the Semi-Colon IIS vulnerability,
more details here:
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf)
containing the connection string to DB, and run your SQL queries.
2) Look for SQL Injections entry points.

Kind Regards,
Narkolayev Shlomi.

Visit my blog: http://Narkolayev-Shlomi.blogspot.com


On Wed, May 12, 2010 at 9:43 AM, Parmendra Sharma <s.parmendra at gmail.com>wrote:

> Hi all,
>
> Let me be more specific...
>
> What i got is a file containing the database credentials which provides
> Database connection string, which can be included in all the ASP files that
> require Data Base connection.
>
> Now i wanted to know if there any tool which i can use to get connect to
> the database using these credentials.
> Shlomi Narkolayev -- Exactly i do not have a direct access to the database
> and so i need to extract the data through the application.
>
> Thanks for the replies.
> On Wed, May 12, 2010 at 10:00 AM, Shlomi Narkolayev <shlominar at gmail.com>wrote:
>
>> Hello,
>>
>> If it's a little bit serious website/organization so I'm pretty sure you
>> will not get direct access to the DB,  in most organizations the DMZ
>> firewall allow access only to the application/web server on port 80/443 and
>> not to the DB server.
>> As I understand, you got databases' credentials using Penetration Test on
>> the application, so I suggest you to use SQL injection to extract databases'
>> entries in the same way as you found out the credentials.
>> If you only have Blind SQL Injection, so you can use some automated tools
>> that will help you extract DB's entries, you can use: Sqlmap, Absinthe,
>> Pangolin, BSQL Hacker and many others.
>> Try first to find out the database version: Select @@version;
>> If it's MySQL, find out tables names using: Select table_schema,
>> table_name From information_schema.Tables;
>> If it's MS-SQL: SELECT name FROM master..sysobjects WHERE xtype = 'U';
>> Then just run: Select * from %Tables_Names%;
>>
>> If this website is hosted on GoDaddy or something similar to that, so you
>> just need to get DBs' server IP, the best way is to get it from the
>> connection string, you can also try to find the IP using SQL Injection on
>> the application.
>>
>> Kind Regards,
>> Narkolayev Shlomi.
>>
>> Visit my blog: http://Narkolayev-Shlomi.blogspot.com<http://narkolayev-shlomi.blogspot.com/>
>>
>>
>>
>> On Tue, May 11, 2010 at 10:38 PM, Will Vandevanter <
>> Will_Vandevanter at rapid7.com> wrote:
>>
>>>  Check out the following auxiliaries in metasploit:
>>>
>>> admin/oracle/oracle_login
>>> admin/oracle/oracle_sql
>>> scanner/mssql/mssql_login
>>> admin/mssql/mssql_sql
>>> scanner/mysql/mysql_login
>>> admin/mysql/mysql_sql
>>> scanner/db2/db2_auth
>>>
>>> -Will
>>>
>>>  ------------------------------
>>> *From:* Jorge Correa [jacorream at gmail.com]
>>> *Sent:* Tuesday, May 11, 2010 3:15 PM
>>> *To:* Will Vandevanter
>>> *Cc:* p0wnsauc3 at gmail.com; Parmendra Sharma; websecurity at webappsec.org
>>>
>>> *Subject:* Re: [WEB SECURITY] Database tools required
>>>
>>>   Could you recommend us some of these Metasploit tools?
>>>
>>>
>>> Thank you,
>>> Jorge Correa
>>>
>>>
>>>
>>> On Tue, May 11, 2010 at 13:36, Will Vandevanter <
>>> Will_Vandevanter at rapid7.com> wrote:
>>>
>>>> Also, check out Metasploit which has some great modules for connecting
>>>> to specific DBs.
>>>>
>>>> ________________________________________
>>>> From: TAS [p0wnsauc3 at gmail.com]
>>>> Sent: Tuesday, May 11, 2010 1:59 PM
>>>> To: Parmendra Sharma; websecurity at webappsec.org
>>>> Subject: Re: [WEB SECURITY] Database tools required
>>>>
>>>> Hi,
>>>>
>>>> Though your are not very clear with your question, I assume, since you
>>>> have got the DB credentials, you want to connect to the database at the
>>>> backend directly. If that is so, every database has its client. Download and
>>>> install the client and connect to the backend.
>>>>
>>>> TAS!
>>>>
>>>> Sent from BlackBerry® - Vodafone
>>>>
>>>> ________________________________
>>>> From: Parmendra Sharma <s.parmendra at gmail.com>
>>>> Date: Tue, 11 May 2010 11:07:20 +0530
>>>> To: <websecurity at webappsec.org>
>>>> Subject: [WEB SECURITY] Database tools required
>>>>
>>>> Hi All,
>>>>
>>>> While performing a VA / PT exercise of an application i got the database
>>>> credentials. Kindly suggest any tool which connects me to the database
>>>> through the application.
>>>>
>>>> --
>>>> Thanks and Regards:
>>>>
>>>> Parmendra Sharma
>>>> Computer Security Analyst
>>>>
>>>>
>>>> ----------------------------------------------------------------------------
>>>> Join us on IRC: irc.freenode.net #webappsec
>>>>
>>>> Have a question? Search The Web Security Mailing List Archives:
>>>> http://www.webappsec.org/lists/websecurity/archive/
>>>>
>>>> Subscribe via RSS:
>>>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>>>
>>>> Join WASC on LinkedIn
>>>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>
>>>>
>>>
>>
>
>
> --
> Thanks and Regards:
>
> Parmendra Sharma
> Computer Security Analyst
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20100512/9d66d257/attachment.html>


More information about the websecurity mailing list