Wednesday, August 27, 2008

The best SQL Injection tools classified

| Armando Romeo |

Continuing my review of the best penetration testers tools, it's time to face the most dangerous vulnerability a website may suffer in regards to data protection : SQL Injection.
I'm not going through the sql injection basis as we already have a nice guide in depth and there is a number of references on the internet.
But I'm going to make some rough classification of every tool listed so that this can serve as a quick reference.

I am going to list here the most used tools for sql injection exploitation. There are some others to find the sql injection in a website as well. But this shouldn't be an issue for a professional.

The explotitaion tools work for different kind of DBMS and using different techniques such as error based sql injection, inband or union based sql injection and blind sql injection.

To date, MS SQL Server is the DBMS that has the highest number
of attacking tools available. It is prone to error based sql injection thus retrieving data from it is as easy as providing the vulnerable url to tools like Priamos and Absinthe and clicking a button.
These tools are not free from bugs. Sometimes they fail to receive correct data, but if you're not a script kiddie there's no way you can miss it.

Priamos

  • Works on SQL server only
  • Enumerates databases, tables and data in a very nice GUI
  • The only big problem is that it works only with GET requests, unless you make it pass through a proxy to change the request to POST and shift the query string to the http request payload.
  • Allows for proxy tunneling
  • Very fast

Absinthe
Beside some bugs that affect the tool, 2.0b version works with

  • Blind sqli
  • Error based sqli
and does a better job than 1.41 version.

Blind mode supports: SQL Server, Postgre, Sybase, Oracle.
Error based mode supports SQL Server

  • good GUI from which fine tuning the injection parameters and additional options like authentication.


Injection is feasible through

  • POST
  • GET
  • COOKIE

Allows for proxy tunneling

SQLMap
It's the best tool to deal with Mysql sql injections. The only tool that does the job sometimes.

  • It's python powered so it's cross platform.

It supports:

  • MySQL
  • Oracle
  • PostgreSQL
  • Microsoft SQL Server.

SQLmap supports two operating modes:

  • Blind SQLi
  • Inband (Union) Sqli

Before going for Blind sql injection, that is slow and requires a lot of requests to the server, it is possible to check for UNION based sqli availability that gives faster results.

SQLmap performs blind sqli recognition through hashes of the http response text. It is possible to specify the string to match in the response text when the case is TRUE. A very needed feature sometimes.

It supports injection into

  • GET
  • POST
  • COOKIE
  • USER-AGENT

and retrieves:

  • databases username and password
  • DBMS version
  • databases
  • tables
  • data
It allows to execute custom SQL queries as if you were on a real SQL client connected to the remote DBMS. This saves a lot of time and allows for very sophisticated data retrieval.

More options are:

  • proxy support
  • google dorks
  • remote file retrieval.

In the tool package a very nice guide on the tool usage is given

Automagic
It's written in perl and requires that you read the guide or watch the nice flash video before you can really enjoy it.

It works only against SQL Server DBMS and performs dumo of

  • database
  • tables
  • data

It is possible to retrieve DBMS users and passwords. It's quite fast, in my opinion Priamos and Absinthe do a better job.
A good backup tool though.


To sum up

Mysql SQL Injection tools:

  • SQL Map (blind and inband)

Oracle SQL Injection tools:

  • SQL Map (inband)
  • Absinthe (blind)

Sybase SQL Injection tools:

  • Absinthe (blind)

MS SQL Server SQL Injection tools:

  • Atomagic (error)
  • SQL Map (error and inband)
  • Priamos (error)
  • Absinthe (error)


If the list is not exhaustive...well...these at least are the most known and used.
Of course every professional has his own tools and patches to improve these tools or adding functionalities. Your own tool is always the best tool.
Any suggestion or addition is encouraged!

Friday, August 8, 2008

iPhone owns you : Warshipping

| Armando Romeo |

You have a package sitting in your shipping department addressed to "U R Owned, INC." ? Well, it may be David Maynor, CTO of Errata Sec, trying to Warshipping you !


In my opinion this is the most clever research I've heard so far in the war driving field. Basically David, is using an iPhone, empowered with passive sniffing tools to make a reconaissance tour of the inner wifi networks of a company without being right there with a car and huge antennas pretending to be TV technicians fixing cable TV.



The package would be shipped to a non-existent recipient at the company's address and probably stay there for some time (the recipient is non-existent) and then being sent back.

The iPhone 3g, under At&t network coverage could be even capable of receiving new commands like a real trojan horse, but I guess this was not the main purpose of the research. But surely feasible.

David Maynor is presenting this research today at Defcon and new details will be available soon.

Thursday, August 7, 2008

DNS cache poisoning, first attacks

| Armando Romeo |

From this (funny) video, I have found on Kaminsky blog (the guy who gave new life to the old DNS cache poisoning issue) seems that large part of the major ISP's DNS servers have been patched.

After Kaminsky's publication of the vulnerability exploit code gone wild and ported to HD Moore's Metasploit framework just few days late.

Not even 2 weeks after the breakthrough, HD Moore's company web site has been hijacked by spammers poisonoing At&T DNS Server serving his company's website. Hilarious, but sh*t happens. Above all when it's not up to you or under your control.

Yesterday, Black Hat day 1, Kaminsky gave more details on the patching status of the main ISP's and all the unpublished details about the attack.
It's only a matter of patching now, since everything is public.

Monday, August 4, 2008

Gary the Ufo Hacker

| Armando Romeo |

This is how they call him. The all-times best hacker. I'm not sure if it's true or not, but since Mitnick "just" used social engineering to own the top world companies, I might say Gary may easily be called such.

He managed to break into US military networks from his bedroom. Using a 56K dial up. Once again this is what the press says, I don't trust press writing about hackers anymore, I've read enough of their fake stories.

But this time I feel we are really against someone who will hit history books.

For his skills and above all for his attacks main focus: finding evidences of extraterrestrial life and hidden governments projects.

Something, I personally judge the best reason you can have if you're going to risk 60 years of jail, extradition and imprisonment in Guantanamo.

Where you won't get a (real) lawyer. At least this is what the TV tells us in Europe, but if you're a US reader you may have different information.

The 42 years old man, mainly took control of US military machines through blank or default password-protected operatying systems.

It seems that while we go after super advanced attacking techniques and exploit codes, the best hackers are still the ones who are able to exploit the most widespread vulnerability of this world: stupidity.

If I had to break into some (supposed) super secured system I would start thinking of all the most elite exploits I could think of and probably forget about simple blank password trials. Am I overestimating Govt's security guys?

Hackers are running much faster than system administrators. And system administrators silliness don't make all the hacking research effort worth it.
Nasa, please at least provide some passwords to your systems. Even 4-5 figures number. Or hackers will be depressed.

Free Security Magazines