Friday, January 22, 2016
Open Source MySQL Injection - sqlsus
sqlsus is an open source MySQL injection and takeover tool, written in perl.
Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more…Whenever relevant, sqlsus will mimic a MySQL console output.
sqlsus focuses on speed and efficiency, optimising the available injection space, making the best use (I can think of) of MySQL functions.It uses stacked subqueries and an powerful blind injection algorithm to maximise the data gathered per web server hit. Using multithreading on top of that, sqlsus is an extremely fast database dumper, be it for inband or blind injection. If the privileges are high enough, sqlsus will be a great help for uploading a backdoor through the injection point, and takeover the web server. It uses SQLite as a backend, for an easier use of what has been dumped, and integrates a lot of usual features (see below) such as cookie support, socks/http proxying, https..
Requirements
sqlsus has been designed to work on Linux. If it works on other platforms, that’s good.
If it doesn’t work on your platform, well.. grab a Linux box.
You will need the following perl modules :
ºLWP::UserAgent
ºDBD::SQLite
ºHTML::LinkExtractor
ºLWP::Protocol::socks (for socks proxy support)
And a proper Term::ReadLine package is definitely recommended (yet not mandatory)
You will probably also want to install sqlite3, the command line interface for SQLite 3.
Or, if you are on a debian system :
apt-get install libwww-perl libdbd-sqlite3-perl libhtml-linkextractor-perl libterm-readline-gnu-perl liblwp-protocol-socks-perl sqlite3
It also requires previous SQL injection knowledge, and.. well.. a brain helps.
Open Source MySQL Injection:
ºBoth quoted and numeric injections are supported.
ºDatabases names, tables names, columns names, count(*) per table, privileges… On MySQL > 5, the database structure can be grabbed in one command from within sqlsus.
ºDiscovery of the exact injection space, going through all possible restrictions (web server, suhosin patch…), to inject as much as possible at once.
ºAll quoted texts can be translated as their hex equivalent to bypass any quotes filtering (eg: magic_quotes_gpc) (eg : “sqlsus” will become 0x73716c737573).
ºsqlsus also supports these types of injection :
inband (UNION w/ stacked subqueries) : the result of the request will be in the HTML returned by the web server
blind (boolean-based or time-based) : when you can’t see the result of the request directly
ºSupport for GET and POST parameters injection vectors.
ºSupport for HTTP proxy and HTTP simple authentication.
ºSupport for HTTPS.
ºSupport for socks proxy.
ºSupport for cookies.
ºSupport for binary data retrieving.
ºFull SQLite backend, storing queries / results as they come, databases structure, key variables. This allows you to recall a command and its cached answer, even in a later re-use of the session.
ºPossibility to clone a database / table / column, into a local SQLite database, and continue over different sessions.
ºIf you can’t access the information_schema database, or if it doesn’t exist, sqlsus will help you bruteforce the names of the tables and columns.
ºPossibility to change the current database and still use all the commands transparently.
ºAuto-detection of the length restriction in place, be it the web server or the layer above (eg: suhosin).
Inband
If your query is likely to return more than one row, sqlsus will use as many subqueries it can use at a time (per query), staying under a configurable limit. Therefore, it can grab up to thousands of records in just 1 server hit (depending on the available injection space) (cf inband demo) Once you have found an inband injection, you need to find the correct number of columns for UNION. sqlsus will do the job for you, identifying the needed number of columns, and which of them are suitable for injection. To speed things up, multithreading (actually, multiple processes (fork)) can be used.
Blind
Blind injection is supported, using conditional responses, and multithreading (actually, again, multiple processes (fork)).
The engine has been optimised in speed and server hit :
ºkeep all the threads busy with small relevant tasks.
ºmatch each item against a few regular expressions, prior to bruteforcing, to determine the character space to use, reducing a lot the number of hits required.
Takeover
If the database user has the FILE privilege, and if you can use quotes in your injection (mandatory for a SELECT INTO OUTFILE), then sqlsus will help you place a php backdoor on the remote system, recursively looking for writable directories. You can use download <file> from sqlsus shell, to download an arbitrary (world readable) file from the remote server. The file will be stored in the local filesystem, rebuilding the path tree to the file in the data directory. sqlsus has the ability to crawl the website at a configurable depth, looking for all the directories it can find, via hypertext links, img links, etc… Then, it tries to upload a tiny php uploader on each candidate directory until it finds one world writable, later used to upload the backdoor itself. All sqlsus needs (besides what has been said above) is the document_root used server side. You can find it by downloading/reading the relevant files on the web server. It ships with a PHP backdoor you can upload and a controller, to help you execute system commands, PHP commands, and SQL queries as if you were sitting on a normal direct MySQL connection.
Search
Translate
Popular Posts
-
LeakSearch is a simple tool to search and parse plain text passwords using ProxyNova COMB (Combination Of Many Breaches) over the Interne...
-
As mobile applications become more integral to our daily lives, ensuring their security is paramount. Vulnerabilities in mobile apps can exp...
-
In this post, we will explore a Python script designed to parse logs containing url:user:pass data. These logs are instrumental in executin...
Categories
#Snowden
Active Directory Attacks
Analysis
Android
Android Hack
Android Pentest
Anonimato
Anonymity
Anti-Forensic
Anti-Forensic Tools
Anti-Government
Anti-System
Apache
API Hacking
APK
ARM
Assembly
Attack Map
Auditing Tool
Automation Tools
AvKill
AWS Pentest
Backdoor
Bind
BlueTeam
Bluetooth
Bot
botnet/DDoS
Bounty
Brute Force
Bypass
Certificate
Cheat Sheet
Cloud Forensics
Cloud Pentest
Courses
Cryptography
CTF Engine
CVEs
Cyber Forensics
Cyber War
Data Base
DeepWeb
DevSecOps
Disassembler
DLL Hijacking
Dns Enumeration
Dns Recon
Dns Spoof
Documentary
DoS
Downloads
DUMP
Elearn Security
Email Hacking
Encrypted DNS
Engenharia Reversa
Enumeration
Evasion
EXIF
Exploit
Exploitation Tools
Exposed Leaked
Fake
Filmes e Documentários
Fingerprint
Firewall
Footprint
Frameworks
Fuck The System
Fuzzer
GeoIP
Google Hacking
Hackers
Hackers News
Hackers Tools
Hacking
Hacking Ebook's
Hacking Vídeos
Hacktivism
Hardening
Hardware
Hardware Hack
Hidden
HIDS
Honeypots
How to exit the Matrix
IDS
IDS/IPS
Incident Response
Information Gathering
iOS
IoT
JAVA
Kali
Kali Linux
Keylogger
Labs
Leaked
Leaks
Leave The Matrix
Linux
Linux System
Mac
Malware
Malware Analysis
MetaSploit
Mind Map
MIPS
MITM
Monitoring
Movies
Network
Networking
New World Order
Nmap
Offensive Politics
Offensive Sec
OffSec
OffSec Exclusive Tools
Open Your Mind
OpenSSL
Os Sec
OSINT Tools
OWASP ZAP Scanner
Password Capture
Password Cracking
Passwords
Payload
PCC
PDF
Pentest
Pentest Tools
Phishing Attacks
Phones
PHP
Port Scan
Post-Exploitation Tool
PowerShell
Pr1v8
Privacidade
Privacy
Privilege Escalation
Projects
Proxy
Python
Ransomware
RAT
Recover File and Disk Analyzer
Red Team
Redes
Remote
Reverse
Reverse Engineering
Reverse Shell
RFID
Rootkit
Scan Tools
Security
Security Ebook's
Seriados
Series
Shell
Shell PHP
Shellcode
Shodan
Sniffer
Social Engineering
Source Code
Spoofing
SQLinjection
SSL
Stealer
Steganography
Stress Testing
Study
Subdomain Discovery
SysInternals
Telnet
The Theory of Conspiracy
Threat Intelligence
Tools
Tor
Trojan
Tutorials
Unix System
URL Inspector
Usb Boot
Virtual Machine
Virus
VoIP
VPN
Vulnerabilities
Vulnerability Analysis
WAF
Web Applications
Web Pentesting
Whois
Wifi-Hacks
Windows
Wireless Hacking
Word List
WordPress
X86
XSS
0 comentários:
Post a Comment
Note: Only a member of this blog may post a comment.