Posts Tagged ‘sqlmap’

So, my wordpress analytics tell me that you guys are looking for a “how to pwn with sqlmap ubuntu” article. No seriously, that was someone’s search term. I’m hesitant to do this, but I figure with everything else I post it’s not the worst thing I could do. Cue the song “There Are Worse Things I Could Do” from Grease.

So here we go, we’re using a “live web app” with a known vulnerability for this exercise. The webapp is available in the OWASP Broken Web Apps virtual machine for those that want to follow along.

For this you will need sqlmap, which is already included if you're using BackTrack 5 as I have in this guide. If you're not, you can get it here: http://sqlmap.sourceforge.net/

There are also a few other tools to do this for you like sqlsus. They all pretty much do the same thing.

So real quick, before we start there are two things you need to realize:

  • 1 – doing this to a database/web app that you don't have permission to test is illegal.
  • 2 – sqlmap performs blind SQL injection. Thus it may not detect all vulnerabilities, and it will likely take longer to enumerate the actual injection than is actually needed, so I recommend performing non-blind SQLi manually to save yourself time.

Okay, so now that we have that stuff out of the way, and you should have sqlmap installed by now (if you don't know how to install it, you really don't need to be using it), we can begin.

Vulnerable Web App

In the WordPress Spreadsheet plugin there is a SQL injection vulnerability in ss_functions.php, which is called from ss_load.php.

The vulnerable code can be seen here:

if ($wpdb->query("SELECT * FROM $table_name WHERE id='$id'") == 0) {

Now that we have our vulnerable bit of code we can use SQLmap to exploit it.

SQLMap

sqlmap is an extremely powerful tool that gives you a LOT of control over how deep you get into exploiting the database. You can simply use it to confirm a vulnerability, and it will give you a valid injection string to confirm manually, or you can go all the way to a full dump and sometimes (if the DBMS is configured poorly) gain a remote interactive SQL shell or OS shell.

Getting an Injection String

If you simply want to determine that the injection vector exists, run sqlmap as follows:

./sqlmap.py -u http://atfieldsandotherstuff.com/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1

Note: I've just added an entry in my hosts file to create the domain; an IP address will work fine in its place.

Shortly after running the command we discover that the parameter ss_id is in fact injectable, and we are given the option to continue testing other parameters. You may wish to do this, but for this guide there is no point, so I won't. So we hit N (which is the default).

As you can see, we are presented with a list of three injections that we can use to verify our vulnerability.

And we can confirm that the parameter is in fact injectable.

Database Dumping

The ever popular thing to do with SQLi is “dumping the database”. This is usually how your passwords end up on pastebin, and it’s rather trivial to do it with sqlmap.

You have two options for this: --dump and --dump-all. --dump-all will dump ALL the DBMS databases' tables, whereas --dump will only dump the current DBMS database's tables.

Note: If the database user for the vulnerable web app is not the DBA, there is no difference between the two options.

So we're going to go with --dump since this user is not the DBA (a quick way to find out is the --privileges switch in sqlmap).

./sqlmap.py --dump -u http://atfieldsandotherstuff.com/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1

After a while you will be presented with a nice dump of your database, which sqlmap conveniently stores for you. If sqlmap detects hashed strings in the database it will also attempt to crack them for you. This can take a long time, so it may be best to just dump them hashed and crack them off site on a system that is built for hash cracking (oclHashcat comes to mind).

Other features you might find interesting

Additionally, sqlmap comes with a few options to "take over" a DBMS. These do not work in all cases, and usually rely on weak configurations where the user who owns the vulnerable database happens to be the DBA. These options are:

  • --os-cmd=OSCMD Execute an operating system command
  • --os-shell Prompt for an interactive operating system shell
  • --os-pwn Prompt for an out-of-band shell, meterpreter or VNC
  • --os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
  • --os-bof Stored procedure buffer overflow exploitation
  • --priv-esc Database process' user privilege escalation

By default the OWASPBWA virtual machine is not configured to allow this; however, it would be trivial to grant the owner of the vulnerable database the privileges to utilize these vectors if you're bored. Keep in mind that if you prompt for an out-of-band meterpreter shell you have to have the Metasploit Framework installed.

There you have it, despite the fact that I will probably regret doing this and get a ton of questions asking how to find vulnerable webapps that’s the basics of using sqlmap for automated blind sqli.

Have fun! 😉


I know that I’ve been kind of lazy in posting lately. I’ve gotten sucked into the sappy, emotional whirlwind that is re-watching the remastered Neon Genesis Evangelion movies.

I know…I’m a complete dork (in case it wasn’t evident from reading anything else on this site). That being said, I’m slightly out of my funk and today I’m going to talk about SQL injection in web applications.

For this discussion we’re going to take a typical Ubuntu Server 10.04.3 with a LAMP stack and the WordPress content management system, and we’re going to illustrate how SQL injection works and why it’s important to defend against it.

What is SQL Injection

SQL injection is the art of injecting data into a DBMS back-end via a vulnerable application. Applications that do not properly validate user input before passing it to the database are vulnerable to SQL injection.

SQL injection can yield credentials, allow an attacker to alter content on a web site, and in rarer cases gain remote control of the system. SQL injection can be present in applications other than web applications; for instance, ProFTPD is rather easy to configure with a SQL injection vulnerability.

SQL Injection in Practice

Below we will explore SQL injection on a vulnerable web application.

The vulnerable web app

So here we have a vulnerable web application; this is a pretty standard WordPress 3.1.2 install with a couple of add-ons. Add-ons are where most WordPress users get into trouble with their web application security.

[Screenshot: typical WordPress install with a few plugins]

Here we are manually confirming our vulnerable application by making it throw an error with the following request:

http://192.168.1.4/wp-content/plugins/count-per-day/notes.php?month=-1'

[Screenshot: the DBMS gives an error because the stray quote breaks the encapsulating 's around the value]

Now we can complete the injection using the following request:

http://192.168.1.4/wp-content/plugins/count-per-day/notes.php?month=-1%20UNION%20ALL%20SELECT%201,current_user%28%29,version%28%29--

[Screenshot: a properly formed UNION SELECT shows the DBMS user and DBMS version]
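The two probes above, and the `WHERE id='$id'` line from the Spreadsheet plugin in the earlier post, are the same flaw: the request value is pasted into the SQL text. The following is an added example (not the plugins' code, and not from the original post) that reproduces both the stray-quote error and the UNION result against a string-built query, then shows that the same inputs do nothing against a parameterized one. It uses Python's sqlite3 as an assumed stand-in for MySQL and $wpdb, with a constructed table named wp_ss and sqlite_version() in place of MySQL's version().

```python
import sqlite3

# Constructed stand-in for the plugin's table; sqlite3 replaces MySQL/$wpdb here
# (assumption for the demo, not the plugin's own schema or code).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_ss (id INTEGER, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO wp_ss VALUES (?, ?, ?)",
                     [(1, "Budget", "q1 figures"), (2, "Roster", "team list")])
    return conn

def load_vulnerable(conn, ss_id):
    # Same shape as the ss_functions.php line: the request value is pasted into
    # the SQL text, so a quote in ss_id ends the literal and the rest is parsed as SQL.
    sql = "SELECT * FROM wp_ss WHERE id='%s'" % ss_id
    return conn.execute(sql).fetchall()

def load_prepared(conn, ss_id):
    # Hardened form: the value travels as a bound parameter and can never become
    # SQL syntax ($wpdb->prepare() is the WordPress equivalent).
    return conn.execute("SELECT * FROM wp_ss WHERE id=?", (ss_id,)).fetchall()

def demo():
    """Run the post's two probes against both versions and collect the outcomes."""
    conn = make_db()
    out = {"dbms_version": sqlite3.sqlite_version}
    # Normal request: both versions return the same row.
    out["normal_vulnerable"] = load_vulnerable(conn, "1")
    out["normal_prepared"] = load_prepared(conn, "1")
    # Probe 1, the stray quote (month=-1'): the string-built query is now malformed,
    # which is the DBMS error the screenshot showed; the prepared one just finds nothing.
    try:
        load_vulnerable(conn, "-1'")
        out["probe_vulnerable"] = "no error"
    except sqlite3.Error:
        out["probe_vulnerable"] = "syntax error"
    out["probe_prepared"] = load_prepared(conn, "-1'")
    # Probe 2, the UNION (-1 UNION ALL SELECT 1,current_user(),version()--): the
    # string-built query returns an attacker-chosen row with the DBMS version, the
    # prepared query treats the whole string as an id value and matches nothing.
    payload = "-1' UNION ALL SELECT 1, 'attacker', sqlite_version() -- "
    out["union_vulnerable"] = load_vulnerable(conn, payload)
    out["union_prepared"] = load_prepared(conn, payload)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The fix is the one-line difference between the two functions: the hardened query never concatenates the request value, so neither the quote nor the UNION ever reaches the SQL parser as syntax.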

What did this yield?

As you can see from the last image, we were able to determine the current user of the DBMS and the DBMS version. We could also attempt to use something like sqlmap to enumerate more data through this vulnerability.

[Screenshot: sqlmap performing blind SQL injection]

What does it look like from the victim’s point of view?

If you are the victim of this type of attack you will likely see something quite similar to this in your /var/log/apache2/access.log:

192.168.1.6 - - [18/Oct/2011:02:34:14 -0400] "GET /wp-content/plugins/gd-star-rating/export.php?ex=user%27%29%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%23%20AND%20%28%27wrWF%27%3D%27wrWF HTTP/1.1" 200 347 "-" "sqlmap/1.0-dev (r4009) (http://sqlmap.sourceforge.net)"
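Both signals in that line are easy to pick out mechanically: the scanner names itself in the User-Agent, and once the query string is URL-decoded the UNION ... SELECT and the MySQL `#` comment are plain text. The script below is an added example (not from the original post) that parses Apache combined-format lines and flags those two signals plus the unbalanced quote from the manual month=-1' probe. The sample log is constructed: the first line follows the shape of the one shown above with the NULL list shortened, and the other lines are invented ordinary traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample of /var/log/apache2/access.log: the first line is in the shape
# of the sqlmap request shown above (NULL list shortened), the second is the manual
# month=-1' probe from earlier in the post, the last two are ordinary traffic.
SAMPLE_LOG = """\
192.168.1.6 - - [18/Oct/2011:02:34:14 -0400] "GET /wp-content/plugins/gd-star-rating/export.php?ex=user%27%29%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%23%20AND%20%28%27wrWF%27%3D%27wrWF HTTP/1.1" 200 347 "-" "sqlmap/1.0-dev (r4009) (http://sqlmap.sourceforge.net)"
192.168.1.6 - - [18/Oct/2011:02:35:02 -0400] "GET /wp-content/plugins/count-per-day/notes.php?month=-1%27 HTTP/1.1" 500 221 "-" "Mozilla/5.0"
192.168.1.20 - - [18/Oct/2011:02:36:41 -0400] "GET /wp-content/plugins/count-per-day/notes.php?month=10 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.168.1.20 - - [18/Oct/2011:02:37:10 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# SQL syntax that has no business in a query-string value, checked after URL-decoding
# so %27 / %20 / %23 encoding does not hide it.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|'\s*(or|and)\s*\(?'|--|#|/\*|\bsleep\s*\(|\bbenchmark\s*\(",
    re.I)
# Tools that announce themselves in the User-Agent unless told otherwise.
TOOL_UA_RE = re.compile(r"sqlmap|havij|sqlninja", re.I)

def analyze_line(line):
    """Return a triage record for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    decoded = unquote_plus(parts.query)
    reasons = []
    if TOOL_UA_RE.search(m.group("ua")):
        reasons.append("scanner user-agent")
    if SQLI_RE.search(decoded):
        reasons.append("sql syntax in query string")
    if decoded.count("'") % 2 == 1:
        reasons.append("unbalanced quote")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "decoded_query": decoded, "status": int(m.group("status")),
            "reasons": reasons}

def find_suspicious(log_text):
    """All records with at least one reason, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = analyze_line(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["status"], rec["path"], rec["reasons"])
        print("    ", rec["decoded_query"])
```

The User-Agent check is the weakest of the three signals, since sqlmap's --user-agent and --random-agent options replace it; the decoded query-string checks and a burst of 500 responses from one client are what remain when it has been changed, and a "-" or odd decoded query in an otherwise quiet log is worth a look even when no keyword matches.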

Defending against SQL Injection

The obvious method of defending against SQL injection is to write good code: validate user input and make sure it is properly sanitized before it reaches the database. Obviously, if you are not a software developer but simply a system administrator, you have another alternative. If you are running Apache, you can use ModSecurity.

ModSecurity is a web application firewall that matches potentially malicious requests against known dangerous patterns and responds accordingly. This will effectively eliminate the threat of SQL injection in web applications, provided that your rules are sufficient to cover the techniques used for bypassing web application firewalls.

To learn more about installing ModSecurity on Apache under Ubuntu 10.04, click here.

Conclusion

SQL injection is one of the most common attack vectors against internet-facing web sites. It is a threat that should be taken seriously, and it can be relatively easily countered by the use of a web application firewall. It occurs in even the most popular web applications (WordPress being the example).

I hope everyone has a great week!