SlideShare a Scribd company logo

Sql Injection 0wning Enterprise

n|u - The Open Security Community
n|u - The Open Security Community

null Mumbai Chapter - September 2012 Meet

Technology
1 of 21
Download to read offline
SQL INJECTION One Click 0wnage using SQL Map By: Taufiq Ali
LAB SETUP  VM with Hacme Bank Installed  http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja- sec-com/  On Windows latest version of Python  SQLMap For Windows  https://github.com/sqlmapproject/sqlmap/zipball/master  SQLMap For *nix  It is there on BT5 2
OWASP TOP 10 A1 : Injection  Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
INJECTIONS  Common type of injections :  SQL  LDAP  Xpath  Etc.  Impact  As disastrous as handling the database over to the attacker  Can also lead to OS level access
DEFINITION  Exploiting poorly filtered or in-correctly escaped SQL queries to parse (execute) data from user input  Major Classes  Error Based  Blind Injections  Boolean Injections  Etc. 5
HOW DOES IT WORK?  Application presents a form to the attacker  Attacker sends an attack in the form data  Application forwards attack to the database in a SQL query  Database runs query containing attack and sends encrypted result back to application  Application renders data as to the user
VULNERABLE CODE
SQL MAP 0wnage 0wange 0wnage..
SQL MAP INTRODUCTION  Powerful command line utility to exploit SQL Injection vulnerability  Support for following databases  MySQL  IBM DB2  Oracle  SQLite  PostgreSQL  Firebird  Microsoft SQL Server  Sybase and  Microsoft Access  SAP MaxDB
SQL INJECTION TECHNIQUES  Boolean-based blind  Time-based blind  Error-based  UNION query  Stacked queries  Out-of-band 10
KEY SQL MAP SWITCHES  -u <URL>  --cookie (Authentication)  -dbs (To enumerate databases)  - r (For request in .txt file)  -technique (SQL injection technique)  - dbms (Specify DBMS)  -D <database name> --tables  -T <table name> --columns  -C <column name> --dump  --dump-all (for lazy l33t people)
SQL MAP FLOW  Enumerate the database name  Select database and enumerate tables  Select tables and enumerate columns  Select a column and enumerate rows(data)  Then choose your way in
WHY 0WNING THE ENTERPRISE?  Built in capabilities for cracking hashes  Options of running user defined queries  You could run OS level commands  You could have an interactive OS shell  Meterpreter shell with Metasploit 13
OPTIONS FOR 0WNING ENTERPRISE  --os-cmd  Run any OS level command  --os-shell  Starts an interactive shell  --os-pwn  Injects a Meterpreter shell  --tamper  Evading WAF 14
SQL MAP ++  --tor: Use Tor anonymity network  --tor-port: Set Tor proxy port other than default  --tor-type: Set Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)  --check-payload: Offline WAF/IPS/IDS payload detection testing  --check-waf: heck for existence of WAF/IPS/IDS protection  --gpage: Use Google dork results from specified page number  --mobile: Imitate smartphone through HTTP User-Agent header  --smart: Conduct through tests only if positive heuristic(s)  --tamper: custom scripts 15
SQL MAP ++ - FILE SYSTEM ACCESS  These options can be used to access the back-end database management system underlying file system  --file-read=RFILE: Read a file from the back-end DBMS file system  --file-write=WFILE: Write a local file on the back-end DBMS file system  --file-dest=DFILE; Back-end DBMS absolute filepath to write to 16
SQL MAP ++ - OPERATING SYSTEM ACCESS  These options can be used to access the back-end database management system underlying operating system  --os-cmd=OSCMD - Execute an operating system command  --os-shell - Prompt for an interactive operating system shell  --os-pwn - Prompt for an out-of-band shell, meterpreter or VNC  --os-smbrelay - One click prompt for an OOB shell, meterpreter or VNC  --os-bof - Stored procedure buffer overflow exploitation  --priv-esc - Database process' user privilege escalation  --msf-path=MSFPATH Local path where Metasploit Framework is installed  --tmp-path=TMPPATH Remote absolute path of temporary files directory 17
SQLMAP ++ -WINDOWS REGISTRY ACCESS  These options can be used to access the back-end database management system Windows registry  --reg-read - Read a Windows registry key value  --reg-add - Write a Windows registry key value data  --reg-del - Delete a Windows registry key value  --reg-key=REGKEY - Windows registry key  --reg-value=REGVAL - Windows registry key value  --reg-data=REGDATA - Windows registry key value data  --reg-type=REGTYPE - Windows registry key value type 18
TAMPER SCRIPTS – BYPASSING WAF  Located inside the tamper folder in SQLMap  space2hash.py and space2morehash.py (MySQL)  space2mssqlblank.py and space2mysqlblank.py (MSSQL)  charencode.py and chardoubleencode.py (Different Encodings)  charunicodeencode.py and percentage.py (To hide payload against ASP/ASP.NET applications) 19
WHAT YOU SHOULD EXPLORE  One Click Ownage with SQL Inection  www.mavitunasecurity.com/s/research/OneClickOwnage.pdf  SQL Map with TOR  http://0entropy.blogspot.in/2011/04/sqlmap-and-tor.html  SQL MAP Usage Guide  http://sqlmap.sourceforge.net/doc/README.html 20
One click 0wnage THANK YOU! 21

Recommended

SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpMindfire Solutions
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
Sqlmap
SqlmapSqlmap
SqlmapInstitute of Information Security (IIS)
 
Sqlmap
SqlmapSqlmap
SqlmapRushikesh Kulkarni
 
Sqlmap
SqlmapSqlmap
Sqlmapshamshad9
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationSukhpreet Singh
 
Sql injection
Sql injectionSql injection
Sql injectionHemendra Kumar
 

Recommended

SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpMindfire Solutions
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
Sqlmap
SqlmapSqlmap
SqlmapInstitute of Information Security (IIS)
 
Sqlmap
SqlmapSqlmap
SqlmapRushikesh Kulkarni
 
Sqlmap
SqlmapSqlmap
Sqlmapshamshad9
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Attack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationAttack and Mitigation for Insecure Deserialization
Attack and Mitigation for Insecure DeserializationSukhpreet Singh
 
Sql injection
Sql injectionSql injection
Sql injectionHemendra Kumar
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injectionJawhar Ali
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attackRaghav Bisht
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
Sql injection
Sql injectionSql injection
Sql injectionMehul Boghra
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop Ivan Novikov
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securityn|u - The Open Security Community
 

More Related Content

What's hot

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injectionJawhar Ali
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attackRaghav Bisht
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 

What's hot (20)

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
 
Sql injection
Sql injectionSql injection
Sql injection
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
Secure code
Secure codeSecure code
Secure code
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy Queries
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 

Viewers also liked

Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
Vulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp SuiteVulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp Suitesportblonde1589
 
Scaling python to_hpc_big_data-maidanov
Scaling python to_hpc_big_data-maidanovScaling python to_hpc_big_data-maidanov
Scaling python to_hpc_big_data-maidanovDenis Nagorny
 
Instruction: dev environment
Instruction: dev environmentInstruction: dev environment
Instruction: dev environmentSoshi Nemoto
 
Practical RISC-V Random Test Generation using Constraint Programming
Practical RISC-V Random Test Generation using Constraint ProgrammingPractical RISC-V Random Test Generation using Constraint Programming
Practical RISC-V Random Test Generation using Constraint Programminged271828
 
Sour Pickles
Sour PicklesSour Pickles
Sour PicklesSensePost
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]RootedCON
 

Viewers also liked (12)

Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Perl Basics for Pentesters Part 1
Perl Basics for Pentesters Part 1Perl Basics for Pentesters Part 1
Perl Basics for Pentesters Part 1
 
Vulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp SuiteVulnerability Assessments:Burp Suite
Vulnerability Assessments:Burp Suite
 
Scaling python to_hpc_big_data-maidanov
Scaling python to_hpc_big_data-maidanovScaling python to_hpc_big_data-maidanov
Scaling python to_hpc_big_data-maidanov
 
Instruction: dev environment
Instruction: dev environmentInstruction: dev environment
Instruction: dev environment
 
Practical RISC-V Random Test Generation using Constraint Programming
Practical RISC-V Random Test Generation using Constraint ProgrammingPractical RISC-V Random Test Generation using Constraint Programming
Practical RISC-V Random Test Generation using Constraint Programming
 
Sour Pickles
Sour PicklesSour Pickles
Sour Pickles
 
Guru01 13 15
Guru01 13 15Guru01 13 15
Guru01 13 15
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia]
 

Similar to Sql Injection 0wning Enterprise

Sql injection manish file
Sql injection manish fileSql injection manish file
Sql injection manish fileyukta888
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
Automação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsAutomação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsRaul Leite
 
0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HK0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HKLawrence Amer
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCanSecWest
 
I Didn't Know You Could Do That with zOS.pdf
I Didn't Know You Could Do That with zOS.pdfI Didn't Know You Could Do That with zOS.pdf
I Didn't Know You Could Do That with zOS.pdfMarna Walle
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injectionbadhanbd
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemBikrant Gautam
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
Installing tivoli system automation for high availability of db2 udb bcu on a...
Installing tivoli system automation for high availability of db2 udb bcu on a...Installing tivoli system automation for high availability of db2 udb bcu on a...
Installing tivoli system automation for high availability of db2 udb bcu on a...Banking at Ho Chi Minh city
 

Similar to Sql Injection 0wning Enterprise (20)

Sql injection manish file
Sql injection manish fileSql injection manish file
Sql injection manish file
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Automation day red hat ansible
Automation day red hat ansible Automation day red hat ansible
Automation day red hat ansible
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion Techniques
 
Automação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsAutomação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOps
 
zLAMP
zLAMPzLAMP
zLAMP
 
0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HK0xsp mongoose RED - DragonCon HK
0xsp mongoose RED - DragonCon HK
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
 
SAP hands on lab_en
SAP hands on lab_enSAP hands on lab_en
SAP hands on lab_en
 
I Didn't Know You Could Do That with zOS.pdf
I Didn't Know You Could Do That with zOS.pdfI Didn't Know You Could Do That with zOS.pdf
I Didn't Know You Could Do That with zOS.pdf
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode Compositions
 
Advanced sql injection
Advanced sql injectionAdvanced sql injection
Advanced sql injection
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection System
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
Installing tivoli system automation for high availability of db2 udb bcu on a...
Installing tivoli system automation for high availability of db2 udb bcu on a...Installing tivoli system automation for high availability of db2 udb bcu on a...
Installing tivoli system automation for high availability of db2 udb bcu on a...
 
linux installation.pdf
linux installation.pdflinux installation.pdf
linux installation.pdf
 
Kamailio - Secure Communication
Kamailio - Secure CommunicationKamailio - Secure Communication
Kamailio - Secure Communication
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

Sql Injection 0wning Enterprise

  • 1. SQL INJECTION One Click 0wnage using SQL Map By: Taufiq Ali
  • 2. LAB SETUP  VM with Hacme Bank Installed  http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja- sec-com/  On Windows latest version of Python  SQLMap For Windows  https://github.com/sqlmapproject/sqlmap/zipball/master  SQLMap For *nix  It is there on BT5 2
  • 3. OWASP TOP 10 A1 : Injection  Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
  • 4. INJECTIONS  Common type of injections :  SQL  LDAP  Xpath  Etc.  Impact  As disastrous as handling the database over to the attacker  Can also lead to OS level access
  • 5. DEFINITION  Exploiting poorly filtered or in-correctly escaped SQL queries to parse (execute) data from user input  Major Classes  Error Based  Blind Injections  Boolean Injections  Etc. 5
  • 6. HOW DOES IT WORK?  Application presents a form to the attacker  Attacker sends an attack in the form data  Application forwards attack to the database in a SQL query  Database runs query containing attack and sends encrypted result back to application  Application renders data as to the user
  • 9. SQL MAP INTRODUCTION  Powerful command line utility to exploit SQL Injection vulnerability  Support for following databases  MySQL  IBM DB2  Oracle  SQLite  PostgreSQL  Firebird  Microsoft SQL Server  Sybase and  Microsoft Access  SAP MaxDB
  • 10. SQL INJECTION TECHNIQUES  Boolean-based blind  Time-based blind  Error-based  UNION query  Stacked queries  Out-of-band 10
  • 11. KEY SQL MAP SWITCHES  -u <URL>  --cookie (Authentication)  -dbs (To enumerate databases)  - r (For request in .txt file)  -technique (SQL injection technique)  - dbms (Specify DBMS)  -D <database name> --tables  -T <table name> --columns  -C <column name> --dump  --dump-all (for lazy l33t people)
  • 12. SQL MAP FLOW  Enumerate the database name  Select database and enumerate tables  Select tables and enumerate columns  Select a column and enumerate rows(data)  Then choose your way in
  • 13. WHY 0WNING THE ENTERPRISE?  Built in capabilities for cracking hashes  Options of running user defined queries  You could run OS level commands  You could have an interactive OS shell  Meterpreter shell with Metasploit 13
  • 14. OPTIONS FOR 0WNING ENTERPRISE  --os-cmd  Run any OS level command  --os-shell  Starts an interactive shell  --os-pwn  Injects a Meterpreter shell  --tamper  Evading WAF 14
  • 15. SQL MAP ++  --tor: Use Tor anonymity network  --tor-port: Set Tor proxy port other than default  --tor-type: Set Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)  --check-payload: Offline WAF/IPS/IDS payload detection testing  --check-waf: heck for existence of WAF/IPS/IDS protection  --gpage: Use Google dork results from specified page number  --mobile: Imitate smartphone through HTTP User-Agent header  --smart: Conduct through tests only if positive heuristic(s)  --tamper: custom scripts 15
  • 16. SQL MAP ++ - FILE SYSTEM ACCESS  These options can be used to access the back-end database management system underlying file system  --file-read=RFILE: Read a file from the back-end DBMS file system  --file-write=WFILE: Write a local file on the back-end DBMS file system  --file-dest=DFILE; Back-end DBMS absolute filepath to write to 16
  • 17. SQL MAP ++ - OPERATING SYSTEM ACCESS  These options can be used to access the back-end database management system underlying operating system  --os-cmd=OSCMD - Execute an operating system command  --os-shell - Prompt for an interactive operating system shell  --os-pwn - Prompt for an out-of-band shell, meterpreter or VNC  --os-smbrelay - One click prompt for an OOB shell, meterpreter or VNC  --os-bof - Stored procedure buffer overflow exploitation  --priv-esc - Database process' user privilege escalation  --msf-path=MSFPATH Local path where Metasploit Framework is installed  --tmp-path=TMPPATH Remote absolute path of temporary files directory 17
  • 18. SQLMAP ++ -WINDOWS REGISTRY ACCESS  These options can be used to access the back-end database management system Windows registry  --reg-read - Read a Windows registry key value  --reg-add - Write a Windows registry key value data  --reg-del - Delete a Windows registry key value  --reg-key=REGKEY - Windows registry key  --reg-value=REGVAL - Windows registry key value  --reg-data=REGDATA - Windows registry key value data  --reg-type=REGTYPE - Windows registry key value type 18
  • 19. TAMPER SCRIPTS – BYPASSING WAF  Located inside the tamper folder in SQLMap  space2hash.py and space2morehash.py (MySQL)  space2mssqlblank.py and space2mysqlblank.py (MSSQL)  charencode.py and chardoubleencode.py (Different Encodings)  charunicodeencode.py and percentage.py (To hide payload against ASP/ASP.NET applications) 19
  • 20. WHAT YOU SHOULD EXPLORE  One Click Ownage with SQL Inection  www.mavitunasecurity.com/s/research/OneClickOwnage.pdf  SQL Map with TOR  http://0entropy.blogspot.in/2011/04/sqlmap-and-tor.html  SQL MAP Usage Guide  http://sqlmap.sourceforge.net/doc/README.html 20