Disclaimer: This article is only for educational purposes, security researchers, and pentesters. I would like to clarify that I am completely against cyber-crime.
ABSTRACT
Most cyber-attacks in the world that involve websites occur because of missing updates and configuration faults, which result in successful exploitation.
One of the main threats is SQL Injection, which has left many worried about their systems, programmers, and SQL databases.
The biggest problem is not the DBMS itself but the lack of definition and verification of the input fields in web applications.
CONTEXT
Many web developers do not know how SQL queries can be manipulated and assume that an SQL query is a trusted command. This allows SQL queries to circumvent access controls, thereby bypassing standard authentication and authorization checks, and sometimes SQL queries may even give access to the command shell at the server operating system level.
Direct injection of SQL commands is a technique where an attacker creates or alters existing SQL commands to expose hidden data or to overwrite valuable data, and even to execute dangerous system-level commands on the server.
INTRODUCTION
Structured Query Language is the standard declarative language for relational databases, valued for its simplicity and ease of use.
SQL was originally developed in the early 70s at IBM labs.
sqlmap is a tool used to find and exploit this type of vulnerability. It is open source, written in Python, and often used in penetration testing against fragile DBMSs. It provides functions to detect and exploit SQL injection vulnerabilities. Let's use sqlmap.py as the example; it supports a wide range of operating systems and databases.
STEP BY STEP
Readers, I will try to explain this in the simplest possible way.
You must have a vulnerable target. To find out whether the target is vulnerable, just add ' at the end of the URL being tested and press "Enter"; if some error is returned, the database is vulnerable.
You can use Google to find one with some dork. Example: inurl: news.php id = 1?
There are Google dork databases and several other possibilities that can be used to filter your search.
cd /pentest/database/sqlmap
We will now begin the game. To view the menu for sqlmap.py, use the command ./sqlmap.py -h
Let's run sqlmap.py with the parameter --dbs to list all databases in the DBMS.
Or use the parameter --current-db to show the database currently in use.
The parameter -D selects the target database and --tables lists its tables.
We will verify the existence of interesting information in the table (admin_users); time to list the columns. The parameter is --columns.
It is important to always indicate the target database (-D) before listing the tables, because if you do not (without -D) it will list all tables in all databases.
-T = target table
-C = target columns; more than one column can be chosen. Example: username, password.
--dump = obtain, extract data.
Important to remember the parameter --proxy: it enables the use of a proxy.
Example: ./sqlmap.py --url "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs --proxy=http://183.223.10.108:80
Readers, I think that's the basics for beginners. sqlmap.py also has many interesting functions; I suggest researching --prefix=PREFIX, --postfix=POSTFIX and the takeover options.
More information about the program, and videos of it in action, can be found on the official site.
--dump extracts the data from the site, but only what you select: the data must be within the selected columns, and you have to choose what to extract from them; here I extracted the logins and passwords stored in those columns.
Generally, the "password" field in a DBMS is stored hashed rather than in clear text.
We then need to recover the passwords in order to access the target system.
We can find a way to log into the system. But wait, the passwords are hashed with MD5. Put your hash into http://www.md5decrypt.org and it may be recovered, or not.
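The reason an MD5 lookup site can hand back the password is that MD5 is fast and, as used here, unsalted: one precomputed table of digests serves every user of every site. The block below is an added example written for this article (not code from the article or from sqlmap) showing that property beside the storage format that defeats it, a salted, slow hash (PBKDF2-HMAC-SHA256 from Python's standard library). The wordlist, iteration count and record format are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for the precomputed tables behind an
# online MD5 lookup site (hypothetical sample data, not from the article).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password, the storage format the article runs into."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def lookup_md5(digest: str, wordlist=COMMON_PASSWORDS) -> Optional[str]:
    """Return the word whose MD5 equals the digest, or None.

    Because MD5 is fast and unsalted, the digest of a given word is the same
    everywhere, so one table answers every query; this is all a lookup
    service has to do.
    """
    table = {md5_hex(word): word for word in wordlist}
    return table.get(digest.lower())


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256) in a self-describing record.

    A fresh 16-byte salt per user means no shared table applies, and the
    iteration count makes every guess cost PBKDF2_ITERATIONS hash operations.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    digest = md5_hex("password")
    print("MD5:", digest, "-> table lookup recovers:", lookup_md5(digest))
    stored = hash_password("password")
    print("PBKDF2 record:", stored)
    print("verify correct password:", verify_password("password", stored))
    print("verify wrong password:  ", verify_password("Password", stored))
```

Two hashes of the same password differ because of the salt, so a dumped column of PBKDF2 records cannot be resolved with one table; each record has to be attacked on its own, at the cost of the iteration count per guess.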
BEYOND THE BASICS
Readers, lucky for us, there are some awesome tamper scripts for sqlmap, which can be found in the latest development version from the Subversion repository.
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
In fact, the function of the tamper scripts is to modify the request in a way that evades the detection rules of a WAF (Web Application Firewall). In some cases it may be necessary to combine several tamper scripts in order to fool the WAF.
Many enterprises overlook their current vulnerabilities and rely only on the firewall for protection. Unfortunately, most, if not all, firewalls can be bypassed. So, gentlemen, I want to demonstrate how to use some of the new features of sqlmap to bypass WAFs/IDS.
Well, I'll demonstrate some important scripts, charencode.py and charunicodeencode.py, working against MySQL.
Hands-on: to begin using tamper scripts, you use --tamper followed by the script name. In the example, we use the command:
Summary of charencode.py
Quite simply, this script is useful for bypassing very weak web application firewalls (WAFs) that do not url-decode the request before processing it through their rule set. The web server will url-decode the request anyway, so it should work against any DBMS.
Example to use:
We will demonstrate the use of charunicodeencode.py for additional coverage. A vast number of organizations have deployed a WAF. Guys, this is the tricky part: exploiting such an environment. Well, standard SQL injection attack vectors will not work, and neither will the plain scripts.
That is the reason we use tamper scripts; this facility, known as "tamper scripts", helps to bypass web application firewalls quietly.
Guys, I have demonstrated just a few of the many tamper scripts. We highly recommend testing them out, as each one can be used in different situations.
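The weakness the charencode.py summary describes is a rule engine that matches on the request bytes as they arrived, while the application sees the url-decoded text. The defence is to canonicalize before matching: decode %XX (repeatedly, to cover double encoding) and the %uXXXX form that charunicodeencode.py produces, then apply the rules to what the application will actually receive. The block below is an added example written for this article, not code from sqlmap or from any WAF product; the signature list, the sample query strings and the assumption that a legacy parser on the application side would accept %uXXXX are all constructed for the demonstration.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed signatures of the kind a simple pattern-matching WAF uses
# (hypothetical rule set, not taken from any product or from the article).
SIGNATURES = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"'\s*(or|and)\s+\d+\s*=\s*\d+",  # quote followed by a numeric tautology
        r"\bunion\s+(all\s+)?select\b",    # UNION-based extraction
        r"'\s*--",                          # quote followed by an SQL line comment
    )
]

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def naive_inspect(raw_query: str) -> bool:
    """The weak WAF: match the rules against the query string exactly as received."""
    return any(sig.search(raw_query) for sig in SIGNATURES)


def canonicalize(raw_query: str, max_rounds: int = 3) -> str:
    """Decode the query the way the application will see it, before matching.

    Round 1 treats '+' as a space (form encoding); later rounds only undo %XX
    so a literal plus sign is not mangled. %uXXXX (assumed to be accepted by a
    legacy parser behind the WAF) is unfolded as well. Repeating until the
    text stops changing catches double encoding.
    """
    text = raw_query
    for round_no in range(max_rounds):
        decoded = unquote_plus(text) if round_no == 0 else unquote(text)
        decoded = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == text:
            break
        text = decoded
    return text


def hardened_inspect(raw_query: str) -> bool:
    """Canonicalize first, then apply exactly the same rules."""
    return naive_inspect(canonicalize(raw_query))


# Constructed sample query strings: the plain probe, the same probe as
# charencode.py would URL-encode it, a double-encoded and a %u-encoded form,
# and two benign inputs (one containing a legitimate apostrophe and plus sign).
SAMPLES = {
    "plain":        "cat=1' OR 1=1",
    "urlencoded":   "cat=1%27%20OR%201%3D1",
    "double":       "cat=1%2527%2520OR%25201%253D1",
    "unicode":      "cat=1%u0027%u0020OR%u00201%u003D1",
    "benign":       "cat=1",
    "benign_quote": "q=O%27Brien+%2B+co",
}


def compare(samples=SAMPLES):
    """Return {name: (naive_verdict, hardened_verdict)} for each sample query."""
    return {name: (naive_inspect(q), hardened_inspect(q)) for name, q in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:13s} naive={naive!s:5s} hardened={hardened}")
```

The naive inspector only flags the plain form; every encoded variant passes it and is caught by the canonicalizing one, while both benign inputs stay clean. Decoding in a bounded loop matters: a single pass misses double encoding, and an unbounded one is an easy denial-of-service target.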
Notes:
This is not a tool for "script kiddies"; it is of utmost importance to use such a powerful tool responsibly and maturely.
Caution: if used in the wrong way, sqlmap generates many queries and can affect the performance of the target database; moreover, strange entries and changes to the database schema are possible if the tool is used extensively and without control.
PARTLY ANONYMOUS
I will demonstrate to you how to use sqlmap with The Onion Router (Tor) to protect your IP, DNS, etc. In your Linux terminal, type:
$ sudo apt-get install tor tor-geoip
Then enter the sqlmap folder and type:
./sqlmap.py -u "http://www.targetvuln.com/index.php?cata_id=1" -b -a --tor --check-tor --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
The argument --tor tells sqlmap to use Tor, and --check-tor checks whether Tor is being used properly; if not, you will receive an error message in red in the terminal.
The User-Agent is Googlebot's, so all your requests to the site will look like the Google bot paying a little visit.
Tor in sqlmap: we can set the Tor proxy to hide the source from which the traffic or request is generated.
--tor-port, --tor-type: these parameters let you set the Tor proxy manually.
--check-tor: this parameter checks whether the Tor setup is appropriate and functional.
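From the server's side, the two things this section and the earlier Caution note describe are exactly what shows up in the access log: a burst of requests that walk one parameter with many different values (many of them answered with server errors), and a User-Agent that claims to be Googlebot. The first is visible by counting; the second can be checked with Google's documented method, a reverse DNS lookup of the client IP that must end in googlebot.com or google.com, followed by a forward lookup of that name that must return the same IP. The block below is an added example written for this article, not code from sqlmap or from any product: the log lines, IP addresses and DNS answers are constructed (TEST-NET ranges), and the DNS lookups are replaced by dictionaries so it runs offline.

```python
import re
from collections import defaultdict

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed access-log lines in Apache/nginx "combined" format (sample data,
# not real traffic): 203.0.113.5 walks cata_id with probes while claiming to be
# Googlebot, 198.51.100.7 is a genuine crawler fetch, 192.0.2.44 a normal visitor.
SAMPLE_LOG = "\n".join([
    f'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?cata_id=1 HTTP/1.1" 200 4312 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?cata_id=1%27 HTTP/1.1" 500 231 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?cata_id=1%20AND%201%3D1 HTTP/1.1" 200 4312 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?cata_id=1%20AND%201%3D2 HTTP/1.1" 200 3870 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?cata_id=1%27%29 HTTP/1.1" 500 231 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?cata_id=1%22 HTTP/1.1" 500 231 "-" "{GOOGLEBOT_UA}"',
    f'198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?cata_id=1 HTTP/1.1" 200 4312 "-" "{GOOGLEBOT_UA}"',
    '192.0.2.44 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php?cata_id=2 HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
])

# Constructed DNS answers standing in for real PTR and A lookups.
REVERSE_DNS = {"198.51.100.7": "crawl-198-51-100-7.googlebot.com",
               "203.0.113.5": "exit-node.example.net"}
FORWARD_DNS = {"crawl-198-51-100-7.googlebot.com": "198.51.100.7",
               "exit-node.example.net": "203.0.113.5"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_genuine_googlebot(ip, reverse_dns, forward_dns) -> bool:
    """Google's check: PTR name under googlebot.com/google.com, and it resolves back to the IP."""
    host = reverse_dns.get(ip)
    if not host or not host.endswith((".googlebot.com", ".google.com")):
        return False
    return forward_dns.get(host) == ip


def analyze(log_text, reverse_dns, forward_dns, probe_threshold=3):
    """Return {ip: [reasons]} for clients whose traffic looks like automated injection testing."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0,
                                  "values": defaultdict(set), "uas": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        rec = per_ip[m["ip"]]
        rec["requests"] += 1
        if m["status"].startswith("5"):
            rec["errors"] += 1
        path, _, query = m["target"].partition("?")
        for pair in (query.split("&") if query else []):
            name, _, value = pair.partition("=")
            rec["values"][(path, name)].add(value)  # distinct values per parameter
        rec["uas"].add(m["ua"])

    findings = {}
    for ip, rec in per_ip.items():
        reasons = []
        for (path, name), values in rec["values"].items():
            if len(values) >= probe_threshold:
                reasons.append(f"{len(values)} distinct values sent for {path}?{name}=")
        if rec["errors"] > 0 and rec["errors"] * 2 >= rec["requests"]:
            reasons.append(f"{rec['errors']}/{rec['requests']} responses were 5xx")
        if any("Googlebot" in ua for ua in rec["uas"]) and not is_genuine_googlebot(
            ip, reverse_dns, forward_dns
        ):
            reasons.append("claims Googlebot but reverse/forward DNS does not confirm it")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG, REVERSE_DNS, FORWARD_DNS).items():
        print(ip)
        for reason in reasons:
            print("   -", reason)
```

Only 203.0.113.5 is reported, on all three counts; the real crawler passes the DNS check and the ordinary visitor trips nothing. Tor hides where the requests come from, but not the shape of the traffic, so counting per parameter and per client is the signal to alert on; the Googlebot check is cheap and worth running on any claimed crawler before whitelisting it.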
CONCLUSION:
It is known that many targets were exploited through SQL Injection a few years ago, when this threat was discovered; the injection was done by hand. The pentester had to enter the code manually, taking longer to complete the attack.
Then came the development of programs that automated the attack. Nowadays perhaps the best known of these programs is sqlmap.py. sqlmap is an open-source penetration testing framework written in Python. It fully supports the database systems MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB, and also supports 6 types of SQL injection techniques.
SOLUTION:
1. Patch the SQL server regularly.
2. Limit the use of dynamic queries.
3. Escape input data from users.
4. Store the database credentials in a separate file.
5. Use the principle of least privilege.
6. Turn off magic quotes.
7. Disable shell access.
8. Disable any database feature that you do not need.
9. Test your code.
10. Search Google for advanced techniques to correct this vulnerability.
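Items 2 and 3 of the list are the ones that close the hole the rest of the article exploits, and the stronger form of both is a parameterized query, where the driver binds the value and it is never parsed as SQL, so there is nothing left to escape. The block below is an added example written for this article, not code from the article or from sqlmap: it uses Python's standard sqlite3 module and a constructed products table standing in for the listproducts.php?cat=1 style page, and shows the string-built query next to the parameterized one and a validated variant.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a products table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, visibility TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", "public"), (2, "Gadget", "public"), (3, "Prototype", "internal")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, cat: str):
    """Dynamic query built by string formatting: the user controls the SQL text itself."""
    sql = f"SELECT id, name FROM products WHERE id = {cat}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, cat: str):
    """Parameterized query: the value is bound by the driver, never interpreted as SQL.

    SQLite applies the column's numeric affinity to the bound text, so "2"
    still matches id 2, while "1 OR 1=1" is just a string that equals no id.
    """
    return conn.execute("SELECT id, name FROM products WHERE id = ?", (cat,)).fetchall()


def validated_lookup(conn: sqlite3.Connection, cat: str):
    """Validation plus parameterization: reject anything that is not an integer id up front."""
    try:
        cat_id = int(cat)
    except ValueError:
        raise ValueError("cat must be an integer id") from None
    return conn.execute("SELECT id, name FROM products WHERE id = ?", (cat_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "1 OR 1=1"  # the tautology behind the article's "append a quote and watch for errors" test
    print("vulnerable:", vulnerable_lookup(conn, probe))  # every row, the internal one included
    print("safe:      ", safe_lookup(conn, probe))        # no row: the probe is only a string
    print("safe, id 2:", safe_lookup(conn, "2"))
```

Escaping (item 3) and magic quotes (item 6) try to make the SQL text safe after the fact and are easy to get wrong; binding the parameter removes the problem instead of patching it. Combined with item 5, a database account that can only SELECT from the tables the page needs, even a remaining injection cannot reach the admin_users table or the schema.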