[Plug-security] SQL Injection Toyz [Flag] (Still Up/Available)

Sam Kreimeyer skreimey at gmail.com
Tue May 21 14:20:56 MST 2013


The error messages on the web server make it look like all the tables have
been dropped on mutillidae. Was that the injection point we were supposed
to go for?


On Tue, May 14, 2013 at 3:17 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:

> We are giving the PLUG Hackfesters additional time to take this flag,
> since SQL Injection is one of those skills that really demands mastery (or
> a good deal of experience with SQL commands, such as that obtained via DevOps or
> Linux Systems Administration/Engineering).
>
> The exploitable system is still up at http://12.159.65.86 - in the
> OneNeck DeVry Rack. Thanks very much to OneNeck Hosting for providing
> this rack resource to the DeVry Students and Phoenix Open Source Community!
>
> There are a great number of SQL Injection tools available for your use:
>
> 0) https://code.google.com/p/mysqloit/
>
> 1) SQL Ninja:   If you are using SQL Ninja as packaged in BT5r3, it's
> configured for use against Microsoft MSSQL and doesn't work. Our SQL
> servers are not using a SA user - and a great number of the exploits in the
> wild will be using Oracle, db2, postgresql, or mysql.  You can bypass the
> (incorrectly preconfigured) version from BT5r3 (which, as a Pentesting
> distro, exists just to get you started, not to stop you when something
> doesn't work [or is broken by default because it's too powerful for the
> masses]) with http://sqlninja.sourceforge.net/  - be sure to follow the
> easy tutorial here:  http://sqlninja.sourceforge.net/sqlninjademo.html
>
> 2) http://sqlmap.org/  (Note, you must point this to the correct URL
> where the example exploitable database is fed from a form (i.e. this would
> be found after completing the login at http://12.159.65.86/dvwa/login.php;
> read the page, silly).  I saw a few of you pointing to the wrong URL/path.
> Some of that might be due to (again) the defaults in BT5r3.  Here are
> better instructions on how to use the sqlmap tool (from any Linux, Windows,
> or OSX Python installation):
> http://franx47.wordpress.com/2013/02/01/using-sqlmap-for-sql-injection/
> (These worked for me).
>
> 3) If you would like to attack MSSQL to delve into SQL Injection (as David
> Demland's presentation touched on to provide completeness on the subject of
> SQL Injection = especially where "sa" user is concerned), please see this
> test site:
>
> Here's a content presentation that is specific to MySQL only for SQL
> Injection:  http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
> For anyone at greater than a basic level of SQL Injection, the differences
> between MSSQL and MySQL (or other SQL servers) are trivial (just ensure you
> understand privileges for either the mysql user or the sa user, and other
> specifics for db2 or Oracle, for instance).
>
> 4) Of course many purists advocate use of Burp Suite:
> http://portswigger.net/burp/ (which is available in BT5r3 {open a
> terminal window and type "locate burp"}).
>
> This is nothing like the fun that is had in [my] day to day Linux systems
> administration for mysql/postgresql/db2 (for which we generally also act as
> a "DBA") or holding key DevOps roles supporting large tanks of developers with
> ETL projects.
>
> An especially fun and powerful ETL "tool" (imagine the possibilities) is
> CloverETL:    http://www.cloveretl.com/
>
> Hackfest Mentorship DISCLAIMER:  We will happily assist you to learn or
> use any tool in order to complete the practical parts of the labs (actual
> encroachment).  We will not teach you "how to hack" or "how to get a flag"
> other than to refer you to the public lab we have available (in this case
> "Metasploitable") or ask you questions that will allow you to solve the
> tests.  Expect all of your questions to lead to more questions - we hope
> to teach you to USE THE SOURCE, Luke!  Google will work if you don't have
> any midi-chlorians in your blood.
>
> We especially love this "3 pronged attack"  Translated by use of Google:
> http://translate.google.com/translate?hl=en&sl=es&u=http://www.blogtecnico.net/bt5r3-tor-burp-suite-sqlmap/&prev=/search%3Fq%3Dburpsuite%2Bon%2Bbt5r3
>
> Okay, ready, let's hit the "Blind SQL Injection" button:
> http://itsecuritylab.eu/index.php/tag/sql-injection/
>
> We decided not to use our resources for this flag....
>
> So if you want a flag just to win a prize, this one's not for you.  Come
> back next month when we do IPV6.
> --
>
> (503) 754-4452 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> it-clowns.com <http://it-clowns.com/c/index.php>
> Chief Clown
>
> _______________________________________________
> Plug-security mailing list  -  Plug-security at lists.phxlinux.org
> To change settings or unsubscribe:
> http://lists.phxlinux.org/mailman/listinfo/plug-security
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-security/attachments/20130521/8ff969fe/attachment.html>
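As an added defender-side example that is not part of this thread: a small Python scanner over web server access logs that flags the request shapes the tools named above (sqlmap, sqlninja, Burp-driven manual testing) produce against DVWA/mutillidae, including time-based blind probes, UNION extraction, and stacked DROP TABLE statements of the kind that would explain the "all the tables have been dropped" error messages Sam describes. The log lines, IPs and paths are constructed samples, not captures from the lab host.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format sample lines; IPs and paths are placeholders, not lab data.
SAMPLE_LOG = """\
192.0.2.10 - - [21/May/2013:14:20:56 -0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.11 - - [21/May/2013:14:21:02 -0700] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20SELECT%20user%2Cpassword%20FROM%20users--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.12 - - [21/May/2013:14:21:09 -0700] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 4300 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.0.2.13 - - [21/May/2013:14:21:15 -0700] "GET /mutillidae/index.php?page=user-info.php&username=bob HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
192.0.2.14 - - [21/May/2013:14:21:30 -0700] "GET /mutillidae/index.php?page=user-info.php&username=x%27%3B%20DROP%20TABLE%20accounts%3B%20--%20- HTTP/1.1" 500 310 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Patterns applied to the URL-decoded request; each name becomes a tag on the alert.
URL_INDICATORS = {
    "union_select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "time_based_blind": re.compile(r"\b(sleep|benchmark|waitfor\s+delay)\s*\(", re.I),
    "stacked_ddl": re.compile(r";\s*(drop|alter|truncate)\s+table\b", re.I),
    "quote_tautology": re.compile(r"'\s*(or|and)\s+['\d]", re.I),
    "comment_terminator": re.compile(r"(--\s|#|/\*)"),
}
# sqlmap and sqlninja identify themselves unless the operator overrides the User-Agent.
TOOL_UA = re.compile(r"sqlmap|sqlninja", re.I)

def classify(url, ua):
    """Decode the request and return the sorted indicator names it triggers."""
    decoded = unquote_plus(url)  # turn %27 / %20 / + back into ' and spaces
    hits = {name for name, rx in URL_INDICATORS.items() if rx.search(decoded)}
    if TOOL_UA.search(ua):
        hits.add("tool_user_agent")
    return sorted(hits)

def scan(log_text):
    """Return an alert dict for every parseable line that triggers at least one indicator."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = classify(m["url"], m["ua"])
        if hits:
            alerts.append({"ip": m["ip"], "status": m["status"],
                           "url": unquote_plus(m["url"]), "hits": hits})
    return alerts
```

Correlating a burst of `time_based_blind` hits from one source with elevated response times, or a `stacked_ddl` hit followed by 500s, is what turns these tags into an incident rather than noise.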