

SQLMAP Advanced SQLinjection to operating system fullcontrol



I'm going to present an excellent PAPER on how to gain full control of a server through a simple SQL Injection flaw... yes, a flaw in a website, with the right current tools, is already enough for a shell with ROOT/ADMIN privileges.

PAPER: Advanced SQLinjection to operating system fullcontrol

About SQLMAP and its features:

Features implemented in sqlmap include:

Generic features

    * Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems software, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.

    * Full support for three SQL injection techniques: inferential blind SQL injection, UNION query (inband) SQL injection and batched queries support. sqlmap can also test for time based blind SQL injection.

    * It is possible to provide a single target URL, get the list of targets from Burp proxy requests log file or WebScarab proxy conversations/ folder, get the whole HTTP request from a text file or get the list of targets by providing sqlmap with a Google dork which queries Google search engine and parses its results page. You can also define a regular-expression based scope that is used to identify which of the parsed addresses to test.

    * Automatically tests all provided GET parameters, POST parameters, HTTP Cookie header values and HTTP User-Agent header value to find the dynamic ones, which means those that vary the HTTP response page content. On the dynamic ones sqlmap automatically tests and detects the ones affected by SQL injection. Each dynamic parameter is tested for numeric, single quoted string, double quoted string and all of these three data types with zero to two parentheses to correctly detect which is the SELECT statement syntax to perform further injections with. It is also possible to specify only the parameter(s) that you want to test and use for injection.

    * Option to specify the maximum number of concurrent HTTP requests to speed up the inferential blind SQL injection algorithms (multi-threading). It is also possible to specify the number of seconds to wait between each HTTP request.

    * HTTP Cookie header string support, useful when the web application requires authentication based upon cookies and you have such data or in case you just want to test for and exploit SQL injection on such header. You can also specify to always URL-encode the Cookie header.

    * Automatically handle HTTP Set-Cookie header from the application, re-establishing of the session if it expires. Test and exploit on these values is supported too. You can also force to ignore any Set-Cookie header.

    * HTTP Basic, Digest, NTLM and Certificate authentications support.

    * Anonymous HTTP proxy support to pass the requests to the target application through a proxy; this also works with HTTPS requests.

    * Options to fake the HTTP Referer header value and the HTTP User-Agent header value specified by user or randomly selected from a text file.

    * Support to increase the verbosity level of output messages: there exist six levels. The default level is 1 in which information, warnings, errors and tracebacks (if any occur) will be shown.

    * Granularity in the user's options.

    * Estimated time of arrival support for each query, updated in real time while fetching the information, to give the user an overview of how long it will take to retrieve the output.

    * Automatic support to save the session (queries and their output, even if partially retrieved) in real time to a text file while fetching the data, and to resume the injection from this file at a later time.

    * Support to read options from a configuration INI file rather than specify each time all of the options on the command line. Support also to save command line options on a configuration INI file.

    * Option to update sqlmap as a whole to the latest development version from the Subversion repository.

    * Integration with other IT security open source projects, Metasploit and w3af.

Fingerprint and enumeration features

    * Extensive back-end database software version and underlying operating system fingerprint based upon inband error messages, banner parsing, functions output comparison and specific features such as MySQL comment injection. It is also possible to force the back-end database management system name if you already know it.

    * Basic web server software and web application technology fingerprint.

    * Support to retrieve the DBMS banner, session user and current database information. The tool can also check if the session user is a database administrator (DBA).

    * Support to enumerate database users, users' password hashes, users' privileges, databases, tables and columns.

    * Support to dump database tables as a whole or a range of entries as per user's choice. The user can also choose to dump only specific column(s).

    * Support to automatically dump all databases' schemas and entries. It is possible to exclude the system databases from the dump.

    * Support to enumerate and dump all databases' tables containing user provided column(s). Useful to identify for instance tables containing custom application credentials.

    * Support to run custom SQL statement(s) as in an interactive SQL client connecting to the back-end database. sqlmap automatically dissects the provided statement, determines which technique to use to inject it and how to pack the SQL payload accordingly.

Takeover features

Some of these techniques are detailed in the white paper Advanced SQL injection to operating system full control and in the slide deck Expanding the control over the operating system from the database.

    * Support to inject custom user-defined functions: the user can compile shared object then use sqlmap to create within the back-end DBMS user-defined functions out of the compiled shared object file. These UDFs can then be executed, and optionally removed, via sqlmap too.

    * Support to read and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.

    * Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.

          o On MySQL and PostgreSQL via user-defined function injection and execution.

          o On Microsoft SQL Server via xp_cmdshell() stored procedure. Also, the stored procedure is re-enabled if disabled or created from scratch if removed.

    * Support to establish an out-of-band stateful TCP connection between the user machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice. sqlmap relies on Metasploit to create the shellcode and implements four different techniques to execute it on the database server. These techniques are:

          o Database in-memory execution of the Metasploit's shellcode via sqlmap own user-defined function sys_bineval(). Supported on MySQL and PostgreSQL.

          o Upload and execution of a Metasploit's stand-alone payload stager via sqlmap own user-defined function sys_exec() on MySQL and PostgreSQL or via xp_cmdshell() on Microsoft SQL Server.

          o Execution of Metasploit's shellcode by performing an SMB reflection attack (MS08-068) with a UNC path request from the database server to the user's machine where the Metasploit smb_relay server exploit runs.

          o Database in-memory execution of Metasploit's shellcode by exploiting the Microsoft SQL Server 2000 and 2005 sp_replwritetovarbin stored procedure heap-based buffer overflow (MS09-004) with automatic DEP bypass.

    * Support for database process user privilege escalation via Metasploit's getsystem command, which includes, among others, the kitrap0d technique (MS10-015), or via Windows Access Token kidnapping by using Meterpreter's incognito extension.

    * Support to access (read/add/delete) Windows registry hives.


Seems like a good option to me. The technologies it supports are those of most servers, and that gives it a wider range of usefulness.

It seems to me that in the future they'll include ISS, SQLServer in this, as well as M$ Windows, so that the range is even wider.

Seems like a good option to me. The technologies it supports are those of most servers, and that gives it a wider range of usefulness.

It seems to me that in the future they'll include ISS, SQLServer in this, as well as M$ Windows, so that the range is even wider.

Don't take this the wrong way, but judging by your comment you didn't understand the post, the techniques, or the tool... but it's in good faith that I clear up doubts so there's no confusion.

It seems this wasn't well understood... these are SQL Injection techniques (search the forum, there's a lot of info about this in this section) and they rely on an SQL Injection vulnerability such as poor input validation... what these new tools do is integrate various techniques and steps that used to have to be done by hand, so to speak; now it's all integrated....

"in the future they'll include ISS, SQLServer in this, as well as M$ Windows,"

IIS has nothing to do with SQL Injection... I don't know how that comes up here... it's because one doesn't know what SQL Injection is.

If you read it you'll see that SQL Server is already included, and it has a BRUTAL feature for MS SQL Server... there's the infamous xp_cmdshell, which was one of the craziest things M$ ever did and allows access to the OS from SQL...

As a rule this stored procedure is removed as a best practice, I'd say a mandatory one, but with SQL Map it's possible to RE-ENABLE IT, even if it has been disabled, which is brutal, because from there we have total power over the OS.

But it also has other brutal techniques, like doing BULK operations right away, such as reading a whole table and exporting it, or deleting a table, or whatever... that's in SQL, but it also creates a SHELL (a command line on the OS).

And it's multi-platform (OS), multi SQL engine... all the main ones are supported... all the ones that are in use.

"so that the range is even wider."

You didn't understand... this does everything you need, and from here on it's only fine-tuning... this GIVES TOTAL POWER OVER A TARGET WITH AN SQL FLAW.

And when integrated into w3af, the Web Application Attack and Audit Framework, not even the sky is the limit... it allows discovering unknown flaws with WMAP... normally it's signature-based, but WMAP analyses everything and can tell whether or not there's a flaw, even if there's no signature or prior knowledge of it...
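The xp_cmdshell behaviour described in the feature list and in this reply (re-enabled through sp_configure, re-created if removed, then executed) leaves a recognisable trail in SQL Server audit records. As an added example (not from this thread or from sqlmap), a small detection pass over such records; the audit line format and the sample lines are constructed for the example.

```python
import re

# Constructed SQL Server audit export (not from any real server): one record per
# statement with the login that ran it. The line format is assumed for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login=webapp stmt=SELECT name FROM products WHERE id=4
2024-05-01T10:00:02Z login=webapp stmt=EXEC sp_configure 'show advanced options', 1; RECONFIGURE
2024-05-01T10:00:02Z login=webapp stmt=EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE
2024-05-01T10:00:03Z login=webapp stmt=EXEC master..xp_cmdshell 'whoami'
2024-05-01T10:05:00Z login=dba stmt=EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE
2024-05-01T10:06:00Z login=webapp stmt=EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login=(?P<login>\S+) stmt=(?P<stmt>.*)$")

# One rule per step of the takeover path: turning the option on, re-creating the
# procedure, or calling it. Turning it off (value 0) deliberately matches nothing.
RULES = [
    ("advanced_options_on",
     re.compile(r"sp_configure\s+'show advanced options'\s*,\s*'?1'?", re.I)),
    ("xp_cmdshell_enabled",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*'?1'?", re.I)),
    ("xp_cmdshell_recreated",
     re.compile(r"sp_addextendedproc\s+'xp_cmdshell'", re.I)),
    ("xp_cmdshell_exec",
     re.compile(r"(?:exec(?:ute)?\s+|\.\.|\.dbo\.)xp_cmdshell\b", re.I)),
]
RESTORE_TAGS = {"xp_cmdshell_enabled", "xp_cmdshell_recreated"}


def scan(log_text):
    """Return one finding per audit record that matches a rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement record
        tags = [tag for tag, rx in RULES if rx.search(m["stmt"])]
        if tags:
            findings.append({"ts": m["ts"], "login": m["login"], "tags": tags})
    return findings


def takeover_logins(findings):
    """Logins that restored xp_cmdshell and then executed it: the sequence that
    turns an injection point into OS command execution."""
    restored, flagged = set(), set()
    for f in findings:
        if RESTORE_TAGS & set(f["tags"]):
            restored.add(f["login"])
        if "xp_cmdshell_exec" in f["tags"] and f["login"] in restored:
            flagged.add(f["login"])
    return flagged
```

The DBA's cleanup line in the sample (setting the option back to 0) produces no finding, so only the login that restored and then used the procedure is reported.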