sqlmap 0.7 – Automatic SQL Injection Tool

For those not familiar with the tool, sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications.

Once it detects one or more SQL injections on the target host, the user can choose among a variety of options: perform an extensive back-end database management system fingerprint; retrieve the DBMS session user and database; enumerate users, password hashes, privileges and databases; dump entire or user-specified DBMS tables/columns; run their own SQL statement; read or write either text or binary files on the file system; execute arbitrary commands on the operating system; establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack; and more.

Recent Changes

Along with all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:

  • Adapted Metasploit wrapping functions to work with latest 3.3 development version too.
  • Adjusted code to make sqlmap 0.7 work again on Mac OS X too.
  • Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or --os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter. This makes sqlmap 0.7 work again on Windows too.
  • Minor improvement so that sqlmap also tests all parameters with no value (e.g. par=).
  • HTTPS requests over HTTP proxy now work on Python 2.4, 2.5 and 2.6+.

For a complete list of changes view the ChangeLog.

The manual is available here – README.pdf [PDF]

You can download sqlmap 0.7 here:

Linux Source: sqlmap-0.7.tar.gz
Windows Portable: sqlmap-0.7_exe.zip

Or read more here.

bsqlbf v2.3 – Blind SQL Injection Brute Forcing Tool

This Perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections.

Databases supported:

  • MS-SQL
  • MySQL
  • PostgreSQL
  • Oracle

The 6 Attack Models

  • Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
  • Type 1: Blind SQL Injection based on true and error (e.g. syntax error) returned by back-end server
  • Type 2: Blind SQL Injection in “order by” and “group by”.
  • Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
  • Type 4: O.S code execution (ORACLE dbms_export_extension exploit)
  • Type 5: reading files (ORACLE dbms_export_extension exploit, based on java)

New additions

-type: Type of injection:

3: Type 3 is extracting data with DBA privileges
(e.g. Oracle password hashes from sys.user$)
4: Type 4 is O.S code execution(default: ping 127.0.0.1)
5: Type 5 is Reading O.S files(default: c:\boot.ini)

Type 4 (O.S code execution) supports the following sub types:

-stype: How you want to execute command:

0: SType 0 (default) is based on java,
universal but won’t work against XE
1: SType 1 against oracle 9 with plsql_native_make_utility
2: SType 2 against oracle 10 with dbms_scheduler

You can download bsqlbf v2.3 here:

bsqlbf-v2-3.pl

Or read more here.

Damn Vulnerable Web App

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be lightweight, easy to use and full of vulnerabilities to exploit. It is used to learn or teach the art of web application security.

Vulnerabilities

  • SQL Injection
  • XSS (Cross Site Scripting)
  • LFI (Local File Inclusion)
  • RFI (Remote File Inclusion)
  • Command Execution
  • Upload Script
  • Login Brute Force

Changes

  • Added Acunetix scan report.
  • All links use http://hiderefer.com to hide referrer header.
  • Updated/added ‘more info’ links.
  • Moved change log info to CHANGELOG.txt.
  • Fixed the exec.php UTF-8 output.
  • Moved Help/View source buttons to footer.
  • Fixed phpInfo bug.
  • Made DVWA IE friendly.
  • Fixed html bugs.
  • Improved README.txt and fixed typos.
  • Made SQL injection possible in sqli_med.php.

WARNING

It should come as no shock, but this application is damn vulnerable! Do not upload it to your hosting provider’s public html folder or any working web server as it will be hacked. It’s recommended that you download and install XAMPP onto a local machine inside your LAN which is used solely for testing.

You can download DVWA 1.0.4 here:

dvwa_v1.0.4.zip

Or read more here.

MultiISO LiveDVD v1.0 – BackTrack, Knoppix & Ophcrack

MultiISO LiveDVD is an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc. It’s an all-in-one multipurpose LiveDVD put together. There’s something in it for everyone.

MultiISO LiveDVD Version 1.0 consists of:

  • Backtrack 3
  • Damn Small Linux (DSL) 4.2.5
  • GeeXboX 1.1
  • Damn Vulnerable Linux (Strychnine) 1.4 edition
  • Knoppix 5.1.1
  • MPentoo 2006.1
  • Ophcrack 1.2.2 (remastered to contain SSTIC04-5k [720MB] table sets)
  • Puppy Linux 3.01
  • Byzantine OS i586-20040404

You can download MultiISO LiveDVD here (to conserve bandwidth only a Torrent link is available, please seed after downloading):

Torrent: EmErgEs_MultiBOOT_ISO.torrent (4.03GB)

MD5SUM: 1b1f37ed6b6f958cde0529a8a1f06637
SHA1SUM: 593ffbfa3c4b665220dcd63b2e4b77bacde5237d

Or read more here.