[Plug-security] SQL Injection Toyz [Flag] (Still Up/Available)

Lisa Kachold lisakachold at obnosis.com
Tue May 14 12:17:54 MST 2013


We are giving the PLUG Hackfesters additional time to take this flag, since
SQL Injection is one of those skills that really demands mastery (or a good
deal of experience with SQL commands, such as that obtained via DevOps or
Linux Systems Administration/Engineering).

The exploitable system is still up at http://12.159.65.86 in the OneNeck
DeVry Rack. Thanks very much to OneNeck Hosting for providing this rack
resource to the DeVry Students and Phoenix Open Source Community!

There are a great number of SQL Injection tools available for your use:

0) https://code.google.com/p/mysqloit/

1) SQL Ninja: If you are using SQL Ninja as packaged in BT5r3, it's
configured for use against Microsoft MSSQL and doesn't work. Our SQL
servers are not using an SA user, and a great number of the exploits in the
wild will be using Oracle, DB2, PostgreSQL, or MySQL. You can bypass the
(incorrectly preconfigured) version from BT5r3 (which, as a pentesting
distro, exists just to get you started, not to stop you when something
doesn't work [or is broken by default because it's too powerful for the
masses]) with http://sqlninja.sourceforge.net/ - be sure to follow the
easy tutorial here: http://sqlninja.sourceforge.net/sqlninjademo.html

2) http://sqlmap.org/ (Note, you must point this to the correct URL where
the example exploitable database is fed from a form; i.e., this would be
found after completing the login at http://12.159.65.86/dvwa/login.php -
read the page, silly.) I saw a few of you pointing to the wrong URL/path.
Some of that might be due to (again) the defaults in BT5r3. Here are better
instructions on how to use the sqlmap tool (from any Linux, Windows, or OSX
Python installation):
http://franx47.wordpress.com/2013/02/01/using-sqlmap-for-sql-injection/
(These worked for me).

3) If you would like to attack MSSQL to delve into SQL Injection (as David
Demland's presentation touched on, to provide completeness on the subject of
SQL Injection, especially where the "sa" user is concerned), please see this
test site:

Here's a presentation that is specific to MySQL only for SQL
Injection: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
For anyone at a greater than basic level of SQL Injection, the differences
between MSSQL and MySQL (or other SQL servers) are trivial (just ensure you
understand privileges for either the mysql user or the sa user, and other
specifics for DB2 or Oracle, for instance).

4) Of course many purists advocate use of Burp Suite:
http://portswigger.net/burp/ (which is available in BT5r3 {open a terminal
window and type "locate burp"}).

This is nothing like the fun that is had in [my] day to day Linux systems
administration for MySQL/PostgreSQL/DB2 (for which we generally also act as
a "DBA") or in holding key DevOps roles supporting large tanks of developers
with ETL projects.

An especially fun and powerful ETL "tool" (imagine the possibilities) is
CloverETL: http://www.cloveretl.com/

Hackfest Mentorship DISCLAIMER: We will happily assist you to learn or use
any tool in order to complete the practical parts of the labs (actual
encroachment). We will not teach you "how to hack" or "how to get a flag"
other than to refer you to the public lab we have available (in this case
"Metasploitable") or to ask you questions that will allow you to solve the
tests. Expect all of your questions to lead to more questions - we hope
to teach you to USE THE SOURCE, Luke! Google will work if you don't have
any midi-chlorians in your blood.

We especially love this "3 pronged attack", translated by use of Google:
http://translate.google.com/translate?hl=en&sl=es&u=http://www.blogtecnico.net/bt5r3-tor-burp-suite-sqlmap/&prev=/search%3Fq%3Dburpsuite%2Bon%2Bbt5r3

Okay, ready, let's hit the "Blind SQL Injection" button:
http://itsecuritylab.eu/index.php/tag/sql-injection/

We decided not to use our resources for this flag...

So if you want a flag just to win a prize, this one's not for you. Come
back next month when we do IPv6.
--

(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
it-clowns.com <http://it-clowns.com/c/index.php>
Chief Clown