root@bt:/sqlmap# ./sqlmap.py -u "http://www.foo.org/index.php?" --data "option=com_aardvertiser&cat_name=user&task=view" -p cat_name --dbs
[03:18:19] [WARNING] POST parameter 'cat_name' is not injectable
[03:18:19] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
[*] shutting down at: 03:18:19
Ok, by now you probably know how much I enjoy hacking, ehm, ehm... sorry!, pentesting. Well, for this tutorial I will be pentesting MS SQL Server with SQLat, FreeTDS, and Cain. Databases store and provide access to information, and information is power. Sensitive data such as bank account numbers, credit reports, and lots of other important information can be obtained from an insecure database. In this tutorial I will try to explain the basic technology behind MSSQL, such as the default install, as well as demonstrate tools and techniques that can be used to exploit an MSSQL server.
Important facts about MS SQL Server:
1- MS SQL Server users
SQL Server creates the sa account, the system administrator of the SQL Server instance and database owner (DBO) of all the databases on the SQL Server. The sa account is a login account that is mapped to the sysadmin role for the SQL Server system. It is also the DBO for all the databases. This account is granted all privileges and permissions on the database by default, and it can execute commands as SYSTEM on the server.
You can configure SQL Server user authentication to use Windows credentials only, or in combination with named SQL Server login IDs and passwords, which is known as mixed mode authentication. Once a user is created, that user can authenticate to the database and begin to operate within the bounds of his permissions and roles.
TimThumb is prone to a Remote Code Execution vulnerability because the script does not check remotely cached files properly. By crafting a special image file with a valid MIME type and appending a PHP file to the end of it, it is possible to fool TimThumb into believing that it is a legitimate image, so that it caches it locally in the cache directory.
Attack URL: (Note! Some websites use Base64 encoding of the src GET request.)
Stored file on the Target: (This can change from host to host.)
1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);
1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);
md5($src) means the input value of the 'src' GET request, hashed in MD5 format.
SSLScan: Possibly the oldest SSL scanning tool. SSLScan queries SSL services, such as HTTPS, in order to determine the ciphers that are supported. SSLScan is designed to be easy, lean and fast. The output includes the preferred ciphers of the SSL service and the certificate, and is available in text and XML formats.
Download SSLScan v1.8.2 (sslscan-1.8.2.tgz) here.
TLSSLed: A Linux shell script whose purpose is to evaluate the security of a target SSL/TLS (HTTPS) web server implementation. It is based on sslscan, a thorough SSL/TLS scanner built on the OpenSSL library, and on the "openssl s_client" command line tool. The current tests include checking whether the target supports the SSLv2 protocol, the NULL cipher, and weak ciphers based on their key length (40 or 56 bits); the availability of strong ciphers (like AES); whether the digital certificate is MD5 signed; and the current SSL/TLS renegotiation capabilities.
Download TLSSLed v1.1 (TLSSLed_v1.1.sh) here.
Comodo SSL Analyzer: The SSL Analyzer highlights insecure elements that need immediate remediation in red. Green represents an adequate level of security and an amber color means there is a potential issue that should be evaluated by the web server administrator. The Comodo SSL Analyzer provides consumers and web site owners with essential knowledge regarding the security level of any e-Business. We have covered this tool here.
Visit COMODO SSL Analyzer v0.9.13 (BETA) here.
Plecost is a nice tool which is also included in BT5. Use it to scan your WordPress websites and check the results out!
General description
Plecost is a WordPress fingerprinting tool: it searches for and retrieves information about the plugin versions installed on WordPress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google. It also displays the CVE code associated with each plugin, if there is one.
Plecost retrieves the information contained on websites powered by WordPress, and also allows a search over the results indexed by Google.
So, after posting on Twitter about my OSX firewall configuration, a few people asked me to post up a copy of my rules. Now, I'm by no means an OSX expert, an IPFW expert, or a networking expert for that matter... but this configuration could be useful as a starting point for people.
I use WaterRoof on my Mac to work with firewall configurations, and the following set of rules should import into WaterRoof or IPFW fine.
add 00010 deny icmp from any to any in
add 00100 allow ip from any to any via lo*
add 00110 deny ip from 127.0.0.0/8 to any in
add 00120 deny ip from any to 127.0.0.0/8 in
add 00130 allow udp from any to 224.0.0.251 dst-port 5353
add 00140 allow udp from 224.0.0.251 to any dst-port 5353
add 00300 deny ip from 224.0.0.0/3 to any in
add 00400 deny tcp from any to 224.0.0.0/3 in
add 00500 deny tcp from any to any dst-port 0 in
add 00600 check-state
add 01000 allow tcp from me to any keep-state
add 01001 allow udp from me to any keep-state
add 25000 allow ip from me to
add 25100 allow ip from to me in
add 33300 deny tcp from any to any established
add 65000 allow udp from any 67 to any dst-port 68 in
add 65100 deny log icmp from any to me in icmptypes 8
add 65200 deny udp from any to any in
add 65300 deny icmp from any to any in
add 65400 deny ip from any to any in
add 65535 allow ip from any to any
HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location. It is capable of performing SQL queries and brute-force attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL). HexorBase allows packet routing through proxies, or even Metasploit pivoting, to communicate with remotely inaccessible servers that are hidden within local subnets.
It works on Linux and Windows running the following:
I was going through the Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns and Mati Aharoni. Guys, I must say it is worth reading.
This is a reference for the most frequently used commands and syntax within Metasploit’s various interfaces and utilities.
As a part of its ongoing Hacker Intelligence Initiative, Imperva’s Application Defense Center (ADC) observed and categorized attacks across 30 applications as well as onion router (TOR) traffic, monitoring more than 10 million individual attacks targeted at web applications over a period of six months. This report discusses and analyzes their findings:
The osql utility allows you to enter Transact-SQL statements, system procedures, and script files. This utility uses ODBC to communicate with the server.
osql -U YourUserName -P YourPassword -S ServerName -d DatabaseName -n -i DriveLetter:\SQLFileNameAndPath.sql -o DriveLetter:\LogFile.txt
Switches
-U: login ID for the specified server
-P: password for the login ID
-S: server name
-d: database upon which the script will be executed
-n: removes numbering and the prompt symbol (>) from the output file
-i: the .SQL file name (including drive letter)
-o: an output file that details how the script executed (if at all)
Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate structural analysis of the underlying malware logic. For each uploaded binary, the Eureka service will attempt to unpack and (for Eureka I) disassemble or (for Eureka II, not yet available) decompile the binary, and will produce an annotated call graph, a subroutine/data index page, a strings summary, and a list of embedded DNS entries. http://eureka.cyber-ta.org