
List:       websecurity
Subject:    Re: [WEB SECURITY] Database tools required
From:       nArEn ÁĹ0ПΞ Ŵ0ĹŦஇ <narentherival () gmail ! com>
Date:       2010-05-19 9:00:11
Message-ID: AANLkTinHA01u6OeJxr6Cj--yb7As4phLfmxvVu_A-ddh () mail ! gmail ! com

Hello
Thanks, that's very helpful for me.
I face one problem during my work, that is:
The client application has an SQLi vulnerability and the database is MySQL 4.1.
Now 4.1 doesn't support the information_schema thing,
and to add more difficulty the user is just "user@localhost", a normal user. He
doesn't have access to the SELECT command for tables.
So is there any other way to enumerate the database, or is this a DEAD END?


2010/5/19 Will Vandevanter <Will_Vandevanter@rapid7.com>

>  There are a number of attack vectors you can use from here. One of my
> favorite privilege escalation techniques is adding a page to the server as a
> shell. Typically, your db user will need the ability to create tables
> and write to the fs. This technique is great for pivoting into the DMZ
> depending on what your goal(s) for the engagement are.
>
> I would also look into gaining access to other accounts as I often find
> extra/hidden functionality as a higher level user. One way to do this is
> query for tables with pass as a column name (e.g. in MySQL: SELECT
> table_schema, table_name FROM information_schema.columns WHERE column_name =
> 'password'; ). Often this hidden/extra functionality is not tested with
> the same rigor as other parts of the application and, on occasion, even
> allows me to directly access the filesystem (e.g. via deployment scripts,
> etc.).
>
> -Will
>
>  ------------------------------
> *From:* Shlomi Narkolayev [shlominar@gmail.com]
> *Sent:* Tuesday, May 18, 2010 4:08 AM
> *To:* nArEn ÁĹ0ПΞ Ŵ0ĹŦஇ
> *Cc:* websecurity@webappsec.org
>
> *Subject:* Re: [WEB SECURITY] Database tools required
>
>   Run these:
> SELECT user FROM mysql.user;
> SELECT host, user, password FROM mysql.user;
>
> Use "John the Ripper" for cracking the password hashes.
>
> Listing databases: SELECT distinct(db) FROM mysql.db;
>
> Load file from OS: SELECT load_file(0x63...);
> SELECT ... INTO DUMPFILE...
> ....
>
> Kind Regards,
> Narkolayev Shlomi.
>
> Visit my blog: http://Narkolayev-Shlomi.blogspot.com
>
>
> 2010/5/18 nArEn ÁĹ0ПΞ Ŵ0ĹŦஇ <narentherival@gmail.com>
>
>> Hello
>> very nice and informative post :)  Thanks for it
>> during my work I came across the same scenario, but a more difficult one
>>
>> - the database is MySQL 4.1, so no information_schema thing
>> - the user is user@localhost - so no admin rights
>>
>> The application is vulnerable to sql injection
>>
>> in such a case what do you think should be the next step??  any idea?
>>
>> Thanks
>>
>> Have a nice day :)
>>
>> On Wed, May 12, 2010 at 10:00 AM, Shlomi Narkolayev <shlominar@gmail.com>wrote:
>>
>>> Hello,
>>>
>>> If it's a somewhat serious website/organization, I'm pretty sure you
>>> will not get direct access to the DB; in most organizations the DMZ
>>> firewall allows access only to the application/web server on ports 80/443 and
>>> not to the DB server.
>>> As I understand, you got the databases' credentials using a Penetration Test on
>>> the application, so I suggest you use SQL injection to extract the databases'
>>> entries in the same way as you found out the credentials.
>>> If you only have Blind SQL Injection, you can use some automated tools
>>> that will help you extract the DB's entries; you can use: Sqlmap, Absinthe,
>>> Pangolin, BSQL Hacker and many others.
>>> Try first to find out the database version: Select @@version;
>>> If it's MySQL, find out tables names using: Select table_schema,
>>> table_name From information_schema.Tables;
>>> If it's MS-SQL: SELECT name FROM master..sysobjects WHERE xtype = 'U';
>>> Then just run: Select * from %Tables_Names%;
>>>
>>> If this website is hosted on GoDaddy or something similar, you
>>> just need to get the DB server's IP; the best way is to get it from the
>>> connection string, and you can also try to find the IP using SQL Injection on
>>> the application.
>>>
>>> Kind Regards,
>>> Narkolayev Shlomi.
>>>
>>> Visit my blog: http://Narkolayev-Shlomi.blogspot.com
>>>
>>>
>>>
>>> On Tue, May 11, 2010 at 10:38 PM, Will Vandevanter <
>>> Will_Vandevanter@rapid7.com> wrote:
>>>
>>>>  Check out the following auxiliaries in metasploit:
>>>>
>>>> admin/oracle/oracle_login
>>>> admin/oracle/oracle_sql
>>>> scanner/mssql/mssql_login
>>>> admin/mssql/mssql_sql
>>>> scanner/mysql/mysql_login
>>>> admin/mysql/mysql_sql
>>>> scanner/db2/db2_auth
>>>>
>>>> -Will
>>>>
>>>>  ------------------------------
>>>> *From:* Jorge Correa [jacorream@gmail.com]
>>>> *Sent:* Tuesday, May 11, 2010 3:15 PM
>>>> *To:* Will Vandevanter
>>>> *Cc:* p0wnsauc3@gmail.com; Parmendra Sharma; websecurity@webappsec.org
>>>>
>>>> *Subject:* Re: [WEB SECURITY] Database tools required
>>>>
>>>>    Could you recommend us some of these Metasploit tools?
>>>>
>>>>
>>>> Thank you,
>>>> Jorge Correa
>>>>
>>>>
>>>>
>>>> On Tue, May 11, 2010 at 13:36, Will Vandevanter <
>>>> Will_Vandevanter@rapid7.com> wrote:
>>>>
>>>>> Also, check out Metasploit which has some great modules for connecting
>>>>> to specific DBs.
>>>>>
>>>>> ________________________________________
>>>>> From: TAS [p0wnsauc3@gmail.com]
>>>>> Sent: Tuesday, May 11, 2010 1:59 PM
>>>>> To: Parmendra Sharma; websecurity@webappsec.org
>>>>> Subject: Re: [WEB SECURITY] Database tools required
>>>>>
>>>>> Hi,
>>>>>
>>>>> Though you are not very clear with your question, I assume, since you
>>>>> have got the DB credentials, that you want to connect to the database at the
>>>>> backend directly. If that is so, every database has its client. Download and
>>>>> install the client and connect to the backend.
>>>>>
>>>>> TAS!
>>>>>
>>>>> Sent from BlackBerry  - Vodafone
>>>>>
>>>>> ________________________________
>>>>> From: Parmendra Sharma <s.parmendra@gmail.com>
>>>>> Date: Tue, 11 May 2010 11:07:20 +0530
>>>>> To: <websecurity@webappsec.org>
>>>>> Subject: [WEB SECURITY] Database tools required
>>>>>
>>>>> Hi All,
>>>>>
>>>>> While performing a VA / PT exercise on an application I got the
>>>>> database credentials. Kindly suggest any tool which connects me to the
>>>>> database through the application.
>>>>>
>>>>> --
>>>>> Thanks and Regards:
>>>>>
>>>>> Parmendra Sharma
>>>>> Computer Security Analyst
>>>>>
>>>>>
>>>>> ----------------------------------------------------------------------------
>>>>> Join us on IRC: irc.freenode.net #webappsec
>>>>>
>>>>> Have a question? Search The Web Security Mailing List Archives:
>>>>> http://www.webappsec.org/lists/websecurity/archive/
>>>>>
>>>>> Subscribe via RSS:
>>>>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>>>>
>>>>> Join WASC on LinkedIn
>>>>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> ܔܢܜܔNaReN(๏̯͡๏)
>> ιηƒσямαт!ση ~# αησтнєя ηαмє σƒ gσ∂ ~●•●•●๋•
>>
>
>


-- 
ܔܢܜܔNaReN(๏̯͡๏)
ιηƒσямαт!ση ~# αησтнєя ηαмє σƒ gσ∂ ~●•●•●๋•
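Editor's added example, not from any poster in this thread: the MySQL privilege audit and least-privilege grant that closes off the techniques quoted above (reading mysql.user, LOAD_FILE()/INTO DUMPFILE, creating tables from an injected query). The account name 'app'@'localhost' and the schema name appdb are assumed; the locked-down result is roughly the "user@localhost with no SELECT" situation the last question describes.

```sql
-- 1. Audit: which accounts hold the global privileges the quoted queries rely on?
--    Global privileges are stored in mysql.user. File_priv enables LOAD_FILE() and
--    SELECT ... INTO DUMPFILE/OUTFILE; a global Select_priv lets an account read
--    mysql.user itself (the password hashes Shlomi's second query pulls; the column is
--    Password up to MySQL 5.6 and authentication_string from 5.7); Create_priv allows
--    CREATE TABLE anywhere, which Will's shell-dropping technique needs.
SELECT User, Host, Select_priv, Create_priv, File_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Select_priv = 'Y' OR Create_priv = 'Y';

-- 2. Inspect the web application's own account (name assumed).
SHOW GRANTS FOR 'app'@'localhost';

-- 3. The weak setting this thread keeps running into: a blanket grant that turns
--    any injection point into a file read/write and credential-dump primitive.
--    GRANT ALL PRIVILEGES ON *.* TO 'app'@'localhost';

-- 4. Corrected: drop every privilege, then grant only the DML the application needs,
--    scoped to its own schema (appdb assumed). No FILE, no CREATE, nothing on mysql.*.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'app'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'localhost';

-- 5. Verification, run while connected as 'app'@'localhost' after step 4:
--    LOAD_FILE() returns NULL for every path when the caller lacks the FILE privilege,
--    so the load_file(0x...) trick yields nothing.
SELECT LOAD_FILE('/etc/hostname');
--    Reading the account table is now refused (SELECT command denied on mysql.user)
--    instead of handing out hashes for John the Ripper.
SELECT User, Host FROM mysql.user;
--    Writing a file is refused for the same reason (no FILE privilege).
SELECT 'x' INTO DUMPFILE '/tmp/app-write-test.txt';

-- 6. Server-side backstop for every account (MySQL 5.1.17+; absent in the 4.1 server
--    discussed above): confine or disable file I/O. A directory restricts LOAD_FILE()
--    and DUMPFILE to that path; NULL (5.7.6+) disables them entirely. Set it in my.cnf
--    under [mysqld], e.g. secure_file_priv = /var/lib/mysql-files, then confirm:
SELECT @@GLOBAL.secure_file_priv;
```

Rerun the step 1 audit periodically; an application account that reappears in its output is the detection signal that the grant drifted back.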
