[WEB SECURITY] Database tools required

Shlomi Narkolayev shlominar at gmail.com
Tue May 18 04:08:12 EDT 2010


Run these:
SELECT user FROM mysql.user;
SELECT host, user, password FROM mysql.user;

Use "John the Ripper" for cracking the password hashes.

Listing databases: SELECT distinct(db) FROM mysql.db;

Load file from OS: SELECT load_file(0x63...);
SELECT ... INTO DUMPFILE...
....

Kind Regards,
Narkolayev Shlomi.

Visit my blog: http://Narkolayev-Shlomi.blogspot.com
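
From the defender's side, the statements in the message above are distinctive enough to alert on when they arrive over an application's database account. The sketch below is an added example, not part of the thread: it scans constructed general-query-log lines for them and decodes hex literals such as the one passed to load_file; the log lines, rule names and file path are assumptions.

```python
import re

# Constructed sample in MySQL general-query-log style; nothing here is from the thread.
SAMPLE_PATH = "/var/www/app/config.php"  # constructed path
SAMPLE_LOG = f"""\
100518  4:01:10     12 Query    SELECT id, title FROM articles WHERE id = 7
100518  4:01:12     12 Query    SELECT host, user, password FROM mysql.user
100518  4:01:15     12 Query    SELECT load_file(0x{SAMPLE_PATH.encode().hex()})
100518  4:01:19     12 Query    SELECT body FROM articles INTO DUMPFILE '/tmp/example.out'
100518  4:01:25     12 Query    SELECT distinct(db) FROM mysql.db
"""

# Hypothetical rule names, one per statement family quoted in the message.
RULES = [
    ("grant-table-read", re.compile(r"\bFROM\s+mysql\.(?:user|db)\b", re.I)),
    ("file-read", re.compile(r"\bload_file\s*\(", re.I)),
    ("file-write", re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\b", re.I)),
]
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)
QUERY_LINE = re.compile(r"\sQuery\s+(.*)$")


def decode_hex_literals(query):
    """Rewrite 0x... literals as quoted text so an encoded path is readable in the alert."""
    return HEX_LITERAL.sub(
        lambda m: repr(bytes.fromhex(m.group(1)).decode("latin-1")), query)


def scan(log_text):
    """Return (line_number, rule_name, readable_query) for every rule hit."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = QUERY_LINE.search(line)
        if not match:
            continue
        readable = decode_hex_literals(match.group(1).strip())
        for name, pattern in RULES:
            if pattern.search(readable):
                findings.append((number, name, readable))
    return findings


if __name__ == "__main__":
    for number, name, query in scan(SAMPLE_LOG):
        print(f"line {number}: {name}: {query}")
```

Both file statements require the MySQL FILE privilege, so an application account that does not hold it cannot run them; the rules then act as a tripwire for accounts that still do.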


2010/5/18 nArEn ÁĹ0ПΞ Ŵ0ĹŦஇ <narentherival at gmail.com>

> Hello
> Very nice and informative post :)  Thanks for it.
> During my work I came across the same scenario, but a more difficult one:
>
> - the database is MySQL 4.1, so no information_schema
> - the user is user at localhost, so no admin rights
>
> The application is vulnerable to SQL injection.
>
> In such a case, what do you think the next step should be? Any ideas?
>
> Thanks
>
> Have a nice day :)
>
> On Wed, May 12, 2010 at 10:00 AM, Shlomi Narkolayev <shlominar at gmail.com> wrote:
>
>> Hello,
>>
>> If it's even a slightly serious website/organization, I'm pretty sure you
>> will not get direct access to the DB; in most organizations the DMZ
>> firewall allows access only to the application/web server on port 80/443 and
>> not to the DB server.
>> As I understand it, you got the databases' credentials through a penetration
>> test of the application, so I suggest you use SQL injection to extract the
>> databases' entries in the same way as you found the credentials.
>> If you only have Blind SQL Injection, you can use automated tools
>> that will help you extract the DB's entries: Sqlmap, Absinthe,
>> Pangolin, BSQL Hacker and many others.
>> First try to find out the database version: Select @@version;
>> If it's MySQL, find out the table names using: Select table_schema,
>> table_name From information_schema.Tables;
>> If it's MS-SQL: SELECT name FROM master..sysobjects WHERE xtype = 'U';
>> Then just run: Select * from %Tables_Names%;
>>
>> If this website is hosted on GoDaddy or something similar, you
>> just need to get the DB server's IP; the best way is to get it from the
>> connection string. You can also try to find the IP using SQL injection on
>> the application.
>>
>> Kind Regards,
>> Narkolayev Shlomi.
>>
>> Visit my blog: http://Narkolayev-Shlomi.blogspot.com
>>
>>
>>
>> On Tue, May 11, 2010 at 10:38 PM, Will Vandevanter <
>> Will_Vandevanter at rapid7.com> wrote:
>>
>>> Check out the following auxiliaries in Metasploit:
>>>
>>> admin/oracle/oracle_login
>>> admin/oracle/oracle_sql
>>> scanner/mssql/mssql_login
>>> admin/mssql/mssql_sql
>>> scanner/mysql/mysql_login
>>> admin/mysql/mysql_sql
>>> scanner/db2/db2_auth
>>>
>>> -Will
>>>
>>>  ------------------------------
>>> *From:* Jorge Correa [jacorream at gmail.com]
>>> *Sent:* Tuesday, May 11, 2010 3:15 PM
>>> *To:* Will Vandevanter
>>> *Cc:* p0wnsauc3 at gmail.com; Parmendra Sharma; websecurity at webappsec.org
>>>
>>> *Subject:* Re: [WEB SECURITY] Database tools required
>>>
>>>  Could you recommend us some of these Metasploit tools?
>>>
>>>
>>> Thank you,
>>> Jorge Correa
>>>
>>>
>>>
>>> On Tue, May 11, 2010 at 13:36, Will Vandevanter <
>>> Will_Vandevanter at rapid7.com> wrote:
>>>
>>>> Also, check out Metasploit which has some great modules for connecting
>>>> to specific DBs.
>>>>
>>>> ________________________________________
>>>> From: TAS [p0wnsauc3 at gmail.com]
>>>> Sent: Tuesday, May 11, 2010 1:59 PM
>>>> To: Parmendra Sharma; websecurity at webappsec.org
>>>> Subject: Re: [WEB SECURITY] Database tools required
>>>>
>>>> Hi,
>>>>
>>>> Though you are not very clear in your question, I assume that, since you
>>>> have got the DB credentials, you want to connect to the database at the
>>>> backend directly. If that is so, every database has its client. Download and
>>>> install the client and connect to the backend.
>>>>
>>>> TAS!
>>>>
>>>> Sent from BlackBerry® - Vodafone
>>>>
>>>> ________________________________
>>>> From: Parmendra Sharma <s.parmendra at gmail.com>
>>>> Date: Tue, 11 May 2010 11:07:20 +0530
>>>> To: <websecurity at webappsec.org>
>>>> Subject: [WEB SECURITY] Database tools required
>>>>
>>>> Hi All,
>>>>
>>>> While performing a VA / PT exercise on an application I got the database
>>>> credentials. Kindly suggest any tool which connects me to the database
>>>> through the application.
>>>>
>>>> --
>>>> Thanks and Regards:
>>>>
>>>> Parmendra Sharma
>>>> Computer Security Analyst
>>>>
>>>>
>>>>
>>>
>>
>
>
> --
> ܔܢܜܔNaReN(๏̯͡๏)
> ιηƒσямαт!ση ~# αησтнєя ηαмє σƒ gσ∂ ~●•●•●๋•
>