[WEB SECURITY] Database tools required

nArEn ÁĹ0ПΞ Ŵ0ĹŦஇ narentherival at gmail.com
Wed May 19 04:48:11 EDT 2010


Hello
Thanks, that's very helpful for me.
I face one problem during my work, that is:
The client application has an SQLi vulnerability and the database is MySQL 4.1.
Now 4.1 doesn't support the information_schema thing,
and to add more difficulty the user is just "user at localhost", a normal user. He
doesn't have access to the SELECT command for tables.
So is there any other way to enumerate the database, or is this a DEAD END?


2010/5/19 Will Vandevanter <Will_Vandevanter at rapid7.com>

>  There are a number of attack vectors you can use from here. One of my
> favorite privilege escalation techniques is adding a page to the server as a
> shell. Typically, your db user will need the ability to create tables
> and write to the filesystem. This technique is great for pivoting into the DMZ,
> depending on what your goal(s) for the engagement are.
>
> I would also look into gaining access to other accounts as I often find
> extra/hidden functionality as a higher level user. One way to do this is
> query for tables with pass as a column name (e.g. in MySQL: SELECT
> table_schema, table_name FROM information_schema.columns WHERE column_name =
> 'password'; ). Often this hidden/extra functionality is not tested with
> the same rigor as other parts of the application and, on occasion, even
> allows me to directly access the filesystem (e.g. via deployment scripts,
> etc.).
>
> -Will
>
>  ------------------------------
> *From:* Shlomi Narkolayev [shlominar at gmail.com]
> *Sent:* Tuesday, May 18, 2010 4:08 AM
> *To:* nArEn ÁĹ0ПΞ Ŵ0ĹŦஇ
> *Cc:* websecurity at webappsec.org
>
> *Subject:* Re: [WEB SECURITY] Database tools required
>
>   Run these:
> SELECT user FROM mysql.user;
> SELECT host, user, password FROM mysql.user;
>
> Use "John the Ripper" for cracking the password hashes.
>
> Listing databases: SELECT distinct(db) FROM mysql.db;
>
> Load file from OS: SELECT load_file(0x63...);
> SELECT ... INTO DUMPFILE...
> ....
>
> Kind Regards,
> Narkolayev Shlomi.
>
> Visit my blog: http://Narkolayev-Shlomi.blogspot.com
>
>
> 2010/5/18 nArEn ÁĹ0ПΞ Ŵ0ĹŦஇ <narentherival at gmail.com>
>
>> Hello,
>> very nice and informative post :)  Thanks for it.
>> During my work I came across the same scenario, but a more difficult one:
>>
>> - the database is MySQL 4.1, so no information_schema thing
>> - the user is user at localhost, so no admin rights
>>
>> The application is vulnerable to SQL injection.
>>
>> In such a case, what do you think the next step should be? Any idea?
>>
>> Thanks
>>
>> Have a nice day :)
>>
>> On Wed, May 12, 2010 at 10:00 AM, Shlomi Narkolayev <shlominar at gmail.com>wrote:
>>
>>> Hello,
>>>
>>> If it's a somewhat serious website/organization, I'm pretty sure you
>>> will not get direct access to the DB; in most organizations the DMZ
>>> firewall allows access only to the application/web server on port 80/443 and
>>> not to the DB server.
>>> As I understand it, you got the database credentials using a penetration test on
>>> the application, so I suggest you use SQL injection to extract the database
>>> entries in the same way you found the credentials.
>>> If you only have Blind SQL Injection, you can use some automated tools
>>> that will help you extract the DB entries; you can use: Sqlmap, Absinthe,
>>> Pangolin, BSQL Hacker and many others.
>>> Try first to find out the database version: Select @@version;
>>> If it's MySQL, find out the table names using: Select table_schema,
>>> table_name From information_schema.Tables;
>>> If it's MS-SQL: SELECT name FROM master..sysobjects WHERE xtype = 'U';
>>> Then just run: Select * from %Tables_Names%;
>>>
>>> If this website is hosted on GoDaddy or something similar, you
>>> just need to get the DB server IP; the best way is to get it from the
>>> connection string. You can also try to find the IP using SQL injection on
>>> the application.
>>>
>>> Kind Regards,
>>> Narkolayev Shlomi.
>>>
>>> Visit my blog: http://Narkolayev-Shlomi.blogspot.com
>>>
>>>
>>>
>>> On Tue, May 11, 2010 at 10:38 PM, Will Vandevanter <
>>> Will_Vandevanter at rapid7.com> wrote:
>>>
>>>>  Check out the following auxiliaries in metasploit:
>>>>
>>>> admin/oracle/oracle_login
>>>> admin/oracle/oracle_sql
>>>> scanner/mssql/mssql_login
>>>> admin/mssql/mssql_sql
>>>> scanner/mysql/mysql_login
>>>> admin/mysql/mysql_sql
>>>> scanner/db2/db2_auth
>>>>
>>>> -Will
>>>>
>>>>  ------------------------------
>>>> *From:* Jorge Correa [jacorream at gmail.com]
>>>> *Sent:* Tuesday, May 11, 2010 3:15 PM
>>>> *To:* Will Vandevanter
>>>> *Cc:* p0wnsauc3 at gmail.com; Parmendra Sharma; websecurity at webappsec.org
>>>>
>>>> *Subject:* Re: [WEB SECURITY] Database tools required
>>>>
>>>>    Could you recommend us some of these Metasploit tools?
>>>>
>>>>
>>>> Thank you,
>>>> Jorge Correa
>>>>
>>>>
>>>>
>>>> On Tue, May 11, 2010 at 13:36, Will Vandevanter <
>>>> Will_Vandevanter at rapid7.com> wrote:
>>>>
>>>>> Also, check out Metasploit which has some great modules for connecting
>>>>> to specific DBs.
>>>>>
>>>>> ________________________________________
>>>>> From: TAS [p0wnsauc3 at gmail.com]
>>>>> Sent: Tuesday, May 11, 2010 1:59 PM
>>>>> To: Parmendra Sharma; websecurity at webappsec.org
>>>>> Subject: Re: [WEB SECURITY] Database tools required
>>>>>
>>>>> Hi,
>>>>>
>>>>> Though you are not very clear with your question, I assume, since you
>>>>> have got the DB credentials, you want to connect to the database at the
>>>>> backend directly. If that is so, every database has its client. Download and
>>>>> install the client and connect to the backend.
>>>>>
>>>>> TAS!
>>>>>
>>>>> Sent from BlackBerry® - Vodafone
>>>>>
>>>>> ________________________________
>>>>> From: Parmendra Sharma <s.parmendra at gmail.com>
>>>>> Date: Tue, 11 May 2010 11:07:20 +0530
>>>>> To: <websecurity at webappsec.org>
>>>>> Subject: [WEB SECURITY] Database tools required
>>>>>
>>>>> Hi All,
>>>>>
>>>>> While performing a VA / PT exercise on an application I got the
>>>>> database credentials. Kindly suggest any tool which connects me to the
>>>>> database through the application.
>>>>>
>>>>> --
>>>>> Thanks and Regards:
>>>>>
>>>>> Parmendra Sharma
>>>>> Computer Security Analyst
>>>>>
>>>>>
>>>>> ----------------------------------------------------------------------------
>>>>> Join us on IRC: irc.freenode.net #webappsec
>>>>>
>>>>> Have a question? Search The Web Security Mailing List Archives:
>>>>> http://www.webappsec.org/lists/websecurity/archive/
>>>>>
>>>>> Subscribe via RSS:
>>>>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>>>>
>>>>> Join WASC on LinkedIn
>>>>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> ܔܢܜܔNaReN(๏̯͡๏)
>> ιηƒσямαт!ση ~# αησтнєя ηαмє σƒ gσ∂ ~●•●•●๋•
>>
>
>


-- 
ܔܢܜܔNaReN(๏̯͡๏)
ιηƒσямαт!ση ~# αησтнєя ηαмє σƒ gσ∂ ~●•●•●๋•