IT Breathes!

Backtrack /pentest A to Z Part 2: Database

by phil on Aug.28, 2009, under Backtrack A to Z, Security

Welcome to Part 2 of the /pentest A to Z story. Previously we went through the Bluetooth and Cisco folders. I also went through the trouble of explaining my lab setup. In this part we’re just going to be visiting one folder: database.


Initially I thought this folder would contain tools for exploiting common database vulnerabilities or something simple like a mysql/mssql bruteforcer. Instead it contains some rather robust tools for testing databases and SQL injections.

For most of the testing performed here I used a Linux distro called ‘Moth’. Moth is a vulnerable Linux distro which runs a web app designed for exactly what I was doing: testing webapp/SQL injection tools.

“Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:

1. Testing Web Application Security Scanners

2. Testing Static Code Analysis tools (SCA)

3. Giving an introductory course to Web Application Security.”

Speaking of SQL injection, the first tool, blindsql, fits right in. This tool is really just two shell scripts:

  1. Sqlcheck.sh. This script simply takes a known URL and a known value that the page is supposed to return and checks if it’s vulnerable to SQL injection.
  2. Sqldata.sh. This script should be able to grab data from the SQL server itself. I, however, was unable to get it to do much more than complain and return nothing.
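The idea behind sqlcheck.sh (a known input should yield a known result, and a condition appended to the input should not be able to change that) is easiest to see against the code being queried. The following is an added example, not part of blindsql or the post, using an in-memory SQLite table constructed here to stand in for a Moth-style app; it shows the concatenated query that blind injection relies on next to the parameterised query that defeats it.

```python
import sqlite3

# Constructed sample database (not from the post): a users table like the one
# a small vulnerable web app would query by id.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

def lookup_vulnerable(db, user_id):
    # String concatenation: the request parameter becomes part of the SQL
    # text, so an appended condition changes the query's logic.
    rows = db.execute("SELECT name FROM users WHERE id = " + user_id).fetchall()
    return [r[0] for r in rows]

def lookup_hardened(db, user_id):
    # Parameterised query: the value is bound, never parsed as SQL. Anything
    # that is not a plain id simply matches no row.
    rows = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    return [r[0] for r in rows]

def is_blind_injectable(lookup, db, base, expected):
    """Mirror of the sqlcheck.sh check: `base` is the known value and
    `expected` the known result. If an always-true condition keeps the result
    while an always-false one removes it, the input is being run as SQL."""
    true_case = lookup(db, base + " AND 1=1")
    false_case = lookup(db, base + " AND 1=2")
    return true_case == expected and false_case != expected

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", is_blind_injectable(lookup_vulnerable, db, "1", ["alice"]))
    print("hardened:  ", is_blind_injectable(lookup_hardened, db, "1", ["alice"]))
```

Against the hardened handler both probes return nothing, so the check reports no injection; the fix is the bound parameter, not filtering of the input.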

The next three tools I’m going to lump in together here because I wasn’t really able to put them through their paces.

Metacoretex is a slick looking Java tool that is supposedly used for testing Oracle databases. Not running Oracle in my lab (yet) made testing this tool tough. Also, walking through the tool I don’t think I ever got it working right, and trying to read about it on the internet proved impossible because the site for the tool is down (and because Metacoretex is a term used in the Matrix Online, which makes finding anything about it that is not Matrix Online related even harder).

SQLNinja sounds like a great tool for testing vulnerable ASP/.NET pages and getting a shell on a remote machine. Currently, however, I don’t have a vulnerable web app I can bang this tool against in my lab. I’m sure ones exist all over the net (the entire .cn TLD perhaps, Exotic Liability shoutout!) but the way I’ve set up this lab is to be completely segregated from any outside network, so I won’t be testing that.

Finally there’s sqlbrute, presumably a tool used for brute forcing SQL databases. Unfortunately it’s only good for MS SQL and Oracle databases, neither of which I have, so I wasn’t able to test this tool. Though if you have tested this tool out, let me know in the comments.

Next on the list is MiniMysqlat0r. I loaded this tool up and was surprised by the nice GUI interface. I put in the ‘moth’ server IP address and let it scan away for about 10 minutes. What I was presented with was a whole slew of places where injection was possible. I selected one of these URLs from the list presented and tested out the SQL Exploiter feature.

SQLater Exploit Tab

This tool was literally able to give me anything I wanted from the server. I could dump the MySQL users table, dump all the databases and even grab a copy of the /etc/passwd file!

That right there is a nice /etc/passwd file


I tried the /etc/shadow file, but alas the mysql user didn’t have the right permissions. Given the time, though, I would be able to get enough information about this server to find another way in, since I’d be able to grab every config file and read through them for weaknesses. One caveat: this was against a very vulnerable server, and I’m curious if it’s able to work this well in the real world.

After spending about an hour playing with SQLator I pulled myself away to check out Pblind. Not a very complicated tool. You supply it with the URL to test and it tells you if it worked or not, plus a little bit extra. I was able to use it to get the current user but not much else beyond that.

T h a t i s t h e u s e r n a m e. Hard to read and other tools do a better job.


Next I tested out SQLiX. No idea what the name of the tool means or what exactly it’s supposed to do, but I was able to get it to tell me that the server I’m testing was vulnerable. Though the tool is a little old and there are far better tools available today.

SQLiX sounds like a character from Star Trek: Voyager

Finally we have SQLMap.

sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

Same as with SQLator, I really liked this tool and was able to glean some interesting information from the database. In this screenshot you can see I was able to get all the users’ usernames from the MySQL user database:

It even recreates the formatting


Keep in mind this screenshot is from SQLMap itself, pulling information from a blind SQL injection. I don’t have access to the database other than the URL I supplied in the screenshot. However, that was just the tip of the iceberg. Using sqlmap I was able to retrieve the names of all the databases I had access to, all the tables within those databases and, if I wanted them, the columns within those tables. All in all I was fairly impressed with this tool.

The version provided on the BackTrack 4 CD, however, is a little old and I’d recommend getting the most recent version from http://sqlmap.sourceforge.net. The newer version has even more interesting functionality such as creating a remote shell and your own SQL shell. If you don’t want to download sqlmap yourself I would recommend you check out the Samurai LiveCD, a LiveCD designed specifically for testing web frameworks.

That pretty much wraps up the ‘database’ folder. There was one folder I didn’t touch: the UDF folder. I have no idea what it’s for, and apparently neither do the good people at Remote Exploit (the makers of BackTrack): https://wiki.remote-exploit.org/backtrack/wiki/UDF
