EC Council CEH 312-50 – Attacking Databases Part 2
July 8, 2023

5. SQL Injection Demo 1

Okay, so the first thing we’re going to do is connect to the ISO image that’s out on the drive of our landing machine. The ISO image on it, under Tools for Pods, is called DB Web App. Great. Now the next thing we’ll do is go ahead and open up the Copy Paste Web App Lab, and we want to open this with Notepad++. The reason we want to open it with Notepad++ is that it actually has the line numbers on here. What we’ll do is take these first three variables and replace them. I’m first going to need to save this, because I won’t be able to save it as a read-only file. So I’m going to just copy it right to my, and I’m going to click on Search > Replace, replace my name with my name, and just do a Replace All.

The next thing I’ll do is grab this IP address, which should be labeled Instructor’s Machine, click on Search > Replace, and replace this with the IP address of the landing machine. Next I’m going to go ahead and grab this Win2K Web App post, copy it, and simply put it here. And I’m going to set its IP address to the IP address of our web app, which is 149, and do a Replace All. Now, the last one we could just leave as it is, but I want you to try a couple of things. First off, we’re going to need to open up Firefox. We’re going to do all of this in Firefox. And in Firefox, I’m going to have you grab this very first command.

All right? That would be on line 28. Alt-Tab over to Firefox, and I’m just going to paste that in. The bookstore should come up; it should look something like this. If it didn’t, you’re going to need to double-check to make sure you’ve got the right IP addresses in the file. All right? So I’m going to next come back and explain a couple of things. First off, let’s start by making this a little bit bigger, to make it a little bit easier for you to see. Now, I shouldn’t take credit for all of this, because I got most of these commands off of a place called pentestmonkey.net. This is a great place to get SQL injection commands, all kinds of syntax for breaking into things.

So take an opportunity to go out and check that out. The next thing I’m going to do is explain the different parameters. So we know that we’re going out to this website, we’re going to connect to a directory called Book, and run an application called books.asp. We’re going to pass it a parameter called Stack ID that is equal to two. So you’ll notice that when passing parameters to books.asp, we pass them with a question mark. Stack ID is one of the variables, and we’ve set that value to two. Now we can force an error inside of this by forcing it: http, so on and so forth, Stack ID is equal to 2 or 1. One is true.

Since this is a numeric right here, I don’t need to use the single quote: 2 or 1 in (select user). This is what I’m passing in to have it do, and I’m going to end the command. So I’m just going to grab this right here, copy it, go over to my Firefox, paste it in and go to it. Before you say, “Well, I got an error message,” you’re supposed to get an error message. This is because it’s what’s referred to as error-based SQL injection. So we’re going to look in here to see if we can find the error. Keep in mind what we did right here: we said Stack ID is equal to 2 or 1 in (select user). Well, user is a string.

It’s not going to concatenate with a numeric. It doesn’t know how to do that. And so it’s going to come back and say error type: syntax error converting the nvarchar value ‘dbo’ to a column of data type int. The nvarchar value ‘dbo’ is what we were looking for. That’s going to be our database user. So this is how we’re extracting the database user: we’re logged in as dbo. The next thing, let’s see if we can extract the database version here. So I’m going to grab this right here, paste it in and run that. Now we get another error message, which is exactly what I’m expecting to get. It’s saying it’s having trouble converting the syntax in the nvarchar value, and here is what we’re looking for.

This is a database server, SQL Server 2000. Okay, so let’s go on to the next one. Let’s see if we can extract the database name itself. So what we’re going to do is the same thing here: in (select db_name()). All right, so our DB name, our database name, is Books. You see how we’re doing this now? Now let’s see if we can extract the server name. And you can see that the server name is VICTIM-W2K. Let’s go ahead and see if we can list all of the various databases. So I’m going to start with database name zero and go to whatever number of databases that I want to. So let’s go ahead and grab this real quick, and we can see that db 0 is a value of Books. I know that the only thing that changed right here was this number.

So I’m just going to change that number real quick. The next one is called master. The next one is called tempdb, and the next one is called model, and I could go on from there. Now let’s see if we can extract the first database table. Now, remember, a table is a table inside of a database. So I’m going to grab this right here, and it says that we have a database named Books, and the first table in it is called Books. Let’s see if we can extract the second table. The second table is called Buyers. And you can kind of see what we’re doing right here; let me see if I can make this a little bit bigger. And the next one after that is called Orders. You can kind of see what we’re doing right here.
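The flaw the demo exploits is that a numeric parameter is concatenated straight into the statement, so no quote is needed to break out of it. The following added example (not the course’s lab code; it uses SQLite, constructed rows and an assumed parameter name StockID in place of the garbled “Stack ID”) shows that pattern beside the hardened form, which validates the integer and binds it:

```python
import sqlite3

# Constructed sample data standing in for the demo's Books database (not the course's lab data).
BOOKS = [(1, "SQL Server Internals"), (2, "Web App Hacking"), (3, "Network Defense")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Books (StockID INTEGER, Title TEXT)")
    conn.executemany("INSERT INTO Books VALUES (?, ?)", BOOKS)
    return conn


def fetch_unsafe(conn, stock_id):
    """Mirrors the flaw the demo exploits: the numeric parameter is pasted
    straight into the statement, so '2 or 1=1' changes the WHERE clause."""
    sql = "SELECT StockID, Title FROM Books WHERE StockID = " + stock_id
    return conn.execute(sql).fetchall()


def fetch_safe(conn, stock_id):
    """Hardened form: validate the type the column expects, then bind the value."""
    try:
        sid = int(stock_id)
    except ValueError:
        raise ValueError("StockID must be an integer")
    return conn.execute(
        "SELECT StockID, Title FROM Books WHERE StockID = ?", (sid,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(fetch_unsafe(conn, "2 or 1=1"))  # every row comes back
    print(fetch_safe(conn, "2"))          # only StockID 2
```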

6. SQL Injection Demo 2

So let’s go into our next type of SQL injection, and this one’s called blind SQL injection. Let’s discuss it just a little bit. Now, in blind SQL injection, as I talked about before, we are not going to be able to get the error messages. So we’re going to have to infer what’s going on. So let’s start off like we started off before: we wanted to extract the database user. The first thing that is helpful to know is how many characters are in the database user. So we’re going to use the same SQL injection command. If the length of user is equal to one, wait for 10 seconds before you send the page back. If it’s equal to two, wait for 10 seconds. If it’s equal to three, wait for 10 seconds. So let’s go ahead and try the first one here. One thousand one.

Well, boy, that’s definitely not 10 seconds. Let’s try two characters. One thousand one. Boy, that’s just one thousand one. And let’s try three characters. Now, we happen to know that the database user is named dbo, and dbo is indeed three characters. It should produce some kind of a delay. So you can see: one thousand one, one thousand two, one thousand three, one thousand four. And you can see down here, waiting for seven, eight, nine, ten, eleven, twelve. And there it is. You can definitely tell the difference between the first two pages and this page. The next thing we’ll want to check is what’s the first character. And so I’m not going to do each one of these, but I want you to notice: is the first character an A? Is the second character a B? Is the next character a C? Is the character a D? Well, then it’s going to wait 10 seconds.

Does this look like it’s going to be a little bit tedious for us to go through? If you said yes, you’re absolutely correct. But I’m going to show you a way of doing it a little bit easier as well. The next thing I want to show you is doing some things with xp_cmdshell, if it’s enabled. Now, you remember I said earlier that xp_cmdshell can be a huge benefit, or it can also be a hindrance. If it’s turned on and not restricted, it can be a definite hindrance. I’m going to put this in right here and press Enter. You can see it really didn’t do much of anything. It came back and said it’s done. But I want you to notice right here: xp_cmdshell dir. I want you to see the dir of WT book, and I want you to put it in a file named dirtim.txt.

Well, that’s fine. Let’s go ahead and take a look at dirtim.txt. And there it is. So what we’re doing is writing what would normally come to the screen to a file, and then pulling up that file. Let’s do another one: the IP configuration of the machine. If it’s a web server, it’s more than likely going to be dual-homed, meaning it’s going to have two cards in it, and it’d be nice to know what the other card’s IP address is. Now, in my lab environment I just have one card, but this will give you a pretty good idea. Now it looks like nothing really happened. Well, I have to go back and check what file I sent it to, and there it is. Let’s do the netstat command to see what applications may be running.

Now keep in mind, what’s actually happening here is it’s running that netstat command off of the server, and then I’m going to report from that server what it found. There’s not an IDS in the world that’s going to pick this up, and there are the applications that are active. Let’s do something a little bit interesting. Now let’s go ahead and use our TFTP server, which is running on our landing machine, to transfer a file by the name of netcat. But I want it to be transferred to the server as tim_nc. So this is how we would get a file up to our server, or our toolkit up to the server. If I look down here, I didn’t look fast enough, but you would have seen that it transferred the file. Let’s go ahead and see if I can do something a little bit interesting here. I’m going to run netcat in listening mode on port 56789.

And when I connect to 56789, I want it to run cmd.exe. I want you to notice down here that it says waiting. That’s because it’s opened up a listener on this machine and it’s waiting for a connection. So what I’m going to do is go out and, in this command prompt, type in this command. Now, I need to be in the netcat directory for this to work. So I’m just going to click on copy right here, move down into the netcat directory, and simply paste that in. When I do, what’s going to happen is I’m going to netcat to that listener at that particular port and, bing bang boom, I am in that SQL Server. If I type in dir, here is simply the information. More specifically, if I type in whoami, I’m in as one step above Administrator: NT AUTHORITY\SYSTEM.
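The three techniques walked through so far (error-based probes, the 10-second delay test, and xp_cmdshell) each leave a distinctive trace in the web server’s own access log. This added example, not part of the course material, runs simple signature and timing checks over a constructed IIS-style W3C log excerpt; the field layout, the StockID parameter name and the sample requests are all assumptions for illustration:

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style (W3C) log excerpt, not taken from the course lab.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2023-07-08 10:01:02 GET /book/books.asp StockID=2 10.0.0.5 200 31
2023-07-08 10:01:20 GET /book/books.asp StockID=2+or+1+in+(select+user) 10.0.0.5 500 47
2023-07-08 10:02:11 GET /book/books.asp StockID=2;if+len(user)=3+waitfor+delay+'0:0:10' 10.0.0.5 200 10032
2023-07-08 10:03:40 GET /book/books.asp StockID=2;exec+master..xp_cmdshell+'dir' 10.0.0.5 200 120
2023-07-08 10:04:02 GET /book/books.asp StockID=7 10.0.0.9 200 28
"""

# Signature rules for the three techniques the demo walks through.
RULES = [
    ("error-based probe", re.compile(r"\b(select|convert)\b.*\b(user|@@version|db_name|object_name)\b")),
    ("time-based probe", re.compile(r"\bwaitfor\s+delay\b")),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b")),
]
SLOW_MS = 9000  # a ~10 s WAITFOR shows up as a time-taken outlier


def parse_w3c(text):
    """Turn a W3C extended log (with its #Fields header) into dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def flag_requests(text):
    """Return (time, client, raw query, reasons) for each suspicious request."""
    hits = []
    for row in parse_w3c(text):
        query = unquote_plus(row.get("cs-uri-query", "")).lower()
        reasons = [name for name, rx in RULES if rx.search(query)]
        # Slow response to a query carrying SQL keywords, even with no known signature.
        if int(row["time-taken"]) >= SLOW_MS and re.search(r"\b(if|select|and|or)\b", query):
            reasons.append("slow response (%s ms)" % row["time-taken"])
        if row["sc-status"] == "500" and reasons:
            reasons.append("HTTP 500")  # the error page the error-based technique relies on
        if reasons:
            hits.append((row["time"], row["c-ip"], row["cs-uri-query"], reasons))
    return hits
```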

7. SQL Injection Demo 3

Now the next thing we’re going to do is show you how to make it a little bit easier. There’s an old saying in Spanish; my wife is Spanish and she tells me all these sayings: “¿Cuál es la razón por la que usas zapatos ajustados?”, which means, what’s the reason you wear tight shoes? And the answer is “porque se siente tan bien cuando…”, which translated means, because it feels so good once you take them off. So let’s take off those shoes. I’m going to show you a little application that’s free called Havij. Now, there’s a free version and there is a paid version. This happens to be the free version, but it does a whole bunch. I want you to notice some of the things that it says it does. We’re attacking SQL Server; the pro version will do blind SQL injection, time-based, and all that kind of thing.

Now, what I need to do to make this work is put in one of the strings that I used in order to force an error. So I’m just going to grab one of these. It doesn’t really make any difference which one I grab. I’m going to put that in up here and tell it that I want to analyze. You can see this going down through here, and it’s detected a few things. It’s found out that the host is this IP address; it’s a Microsoft IIS 5.0 server; the injection type is integer. If injection failed, retry with a manual keyword. The DB server is MS SQL 2000 with error, and the database name is Book. Okay, well, let’s see what else we can get. If I go into Info right here and tell it that I want to get some more info, look at all of the information it’s found: basically the same information we found earlier.

Here’s the system user we’re connecting as, here’s the current user, dbo, the response time, the web server, all of the different database names, that kind of thing. Let’s see what else we can find. I’m going to click on Tables, and it’s found all of these tables. But what I’d like to do next is get all of the databases. All right, got all the databases. Now let’s get the tables that are inside of Books. We know Books had a Books table, a Buyers table, an Orders table, and it has a technology. If I decide that I want to get some of the data that’s there, let’s go ahead and, from Books right here, see if I can get the columns. Okay. And as you can see, I’ve got all the columns that are in the Books table. Now let’s say I’d like to get the data that’s in those columns.

I need to select several of the columns, maybe, and let’s get the data that’s in those columns. Is this just a little bit easier than what we had before? I would think so. I can query the database with any SQL command. I can even find the administrator page: it’s going to look for common names of where the administrator page might be. It looks like we found one, login.asp. Let’s see if we can find anything in there. We’re going to just try; we didn’t see anything there. So let’s try the MD5 and click on Start. And what we’ve done is we’ve grabbed the password hash, and we’re going to try and crack that hash. And look here, there is the password: 123456. So you can see we have a tremendous amount of information that we can grab just using a free tool called Havij.
