<div dir="ltr">The error messages on the web server make it look like all the tables have been dropped on mutillidae. Was that the injection point we were supposed to go for?<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Tue, May 14, 2013 at 3:17 PM, Lisa Kachold <span dir="ltr"><<a href="mailto:lisakachold@obnosis.com" target="_blank">lisakachold@obnosis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>We are giving the PLUG Hackfesters additional time to take this flag. Since SQL Injection is one of those skills that really demands mastery (or a good deal of experience with SQL commands such as obtained via DevOps or Linux Systems Administration/Engineering). </div>
<div><br></div>The exploitable system is still up at <a href="http://12.159.65.86" target="_blank">http://12.159.65.86</a> -in the OneNeck DeVry Rack -<font size="1"> Thanks very Much to OneNeck Hosting for providing this rack resource to the DeVry Students and Phoenix Open Source Community!</font><br clear="all">
<div><br></div><div>There are a great number of SQL Injection tools available for your use: </div><div><br></div><div>0) <a href="https://code.google.com/p/mysqloit/" target="_blank">https://code.google.com/p/mysqloit/</a></div>
<div><br>
</div><div>1) SQL Ninja: If you are using SQL Ninja as packaged in BT5r3, it's configured for use against Microsoft MSSQL and doesn't work. Our SQL servers are not using a SA user - and a great number of the exploits in the wild will be using Oracle, db2, postgresql, or mysql. You can bypass the (incorrectly preconfigured) version from BT5r3 (which, as a Pentesting distro, exists just to get you started, not to stop you when something doesn't work [or is broken by default because it's too powerful for the masses]) with <a href="http://sqlninja.sourceforge.net/" target="_blank">http://sqlninja.sourceforge.net/</a> - be sure to follow the easy tutorial here: <a href="http://sqlninja.sourceforge.net/sqlninjademo.html" target="_blank">http://sqlninja.sourceforge.net/sqlninjademo.html</a></div>
<div><br></div><div>2) <a href="http://sqlmap.org/" target="_blank">http://sqlmap.org/</a> (Note, you must point this to the correct URL where the example exploitable database is fed from a form (I.E. this would be found after completing the login <a href="http://12.159.65.86/dvwa/login.php" target="_blank">http://12.159.65.86/dvwa/login.php</a> read the page silly ). I saw a few of you pointing to the wrong URL/path. Some of that might be due to (again) the defaults in BT5r3. Here's better instructions on how to use the SQLmap tool (from any linux. Windows, OSX python installation): <a href="http://franx47.wordpress.com/2013/02/01/using-sqlmap-for-sql-injection/" target="_blank">http://franx47.wordpress.com/2013/02/01/using-sqlmap-for-sql-injection/</a> (These worked for me).</div>
<div><br></div><div>3) If you would like to attack MSSQL to delve into SQL Injection (as David Demland's presentation touched on to provide completeness on the subject of SQL Injection = especially where "sa" user is concerned), please see this test site:</div>
<div><br></div><div>Here's content presentation that is specific to MySQL only for SQL Injection: <a href="http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php" target="_blank">http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php</a> For anyone at greater than basic level of SQL Injection, the differences in MSSQL and MYSQL (or other SQL server) are trivial (just ensure you understand privileges for either mysql user or sa user, and other specifics for db2 or Oracle for instance. </div>
<div><br></div><div>4) Of course many purists advocate use of BurpeSuite: <a href="http://portswigger.net/burp/" target="_blank">http://portswigger.net/burp/</a> (which is available in BT5r3 {open a terminal window and type "locate burp"}). </div>
<div><br></div><div>This is nothing like the fun that is had in [my] day to day Linux systems administration for mysql/postgesql/db2 (for which we generally also act as a "DBA") or hold key DevOps roles supporting large tanks of developers with ETL projects.</div>
<div><br></div><div>An especially fun and powerful ETL "tool" (imagine the possibilities) is CloverETL: <a href="http://www.cloveretl.com/" target="_blank">http://www.cloveretl.com/</a></div><div><br></div><div>
<font style color="#ff0000">Hackfest Mentorship DISCLAIMER: We will happily assist you to learn or use any tool in order to complete the practical parts of the labs (actual encroachment). We will not teach you "how to hack" or "how to get a flag" other than refer you to the public lab we have available (in this case "Metasploitable") or ask you questions that will allow you to solve the tests.. Expect all of your questions to lead to more questions - we hope to teach you to USE THE SOURCE Luke! Google will work if you don't have any <span style="font-family:sans-serif;font-size:13px;line-height:19.1875px">midi-chlorians in your blood.</span><span style="font-family:sans-serif;font-size:13px;line-height:19.1875px"> </span></font></div>
<div><span style="line-height:19.1875px;font-size:13px;font-family:sans-serif"><br></span></div><div><span style="line-height:19.1875px;font-size:13px;font-family:sans-serif">We especially love this "3 pronged attack" Translated by use of Google: </span><a href="http://translate.google.com/translate?hl=en&sl=es&u=http://www.blogtecnico.net/bt5r3-tor-burp-suite-sqlmap/&prev=/search%3Fq%3Dburpsuite%2Bon%2Bbt5r3" target="_blank">http://translate.google.com/translate?hl=en&sl=es&u=http://www.blogtecnico.net/bt5r3-tor-burp-suite-sqlmap/&prev=/search%3Fq%3Dburpsuite%2Bon%2Bbt5r3</a></div>
<div><font color="#000000" face="sans-serif"><br></font></div><div><font color="#000000" face="sans-serif"><span style="line-height:19.18402862548828px">Okay, ready, let's hit the "Blind SQL Injection" button: </span></font><a href="http://itsecuritylab.eu/index.php/tag/sql-injection/" target="_blank">http://itsecuritylab.eu/index.php/tag/sql-injection/</a></div>
<div><font color="#000000"><br></font></div><div><font color="#000000"><font color="#000000">We decided not to use our resources for this flag.... </font></font></div><div><font color="#000000"><font color="#000000"><br>
</font></font></div><div><font color="#000000"><font color="#000000"><font color="#000000">So if you want a flag just to win a prize, this one's not for you. Come back next month when we do IPV6.<span class="HOEnZb"><font color="#888888"><a href="http://www.cloveretl.com/" target="_blank"><br>
</a></font></span></font></font></font><span class="HOEnZb"><font color="#888888">-- </font></span></div><span class="HOEnZb"><font color="#888888"><div><br></div><a href="tel:%28503%29%20754-4452" value="+15037544452" target="_blank">(503) 754-4452</a> Android<br>
<a href="tel:%28623%29%20239-3392" value="+16232393392" target="_blank">(623) 239-3392</a> Skype<br><a href="tel:%28623%29%20688-3392" value="+16236883392" target="_blank">(623) 688-3392</a> Google Voice<br>**<br><a href="http://it-clowns.com/c/index.php" target="_blank">it-clowns.com</a><br>
Chief Clown<br>
<br><br><br><br><br><br><br><br><br><br><br><br><br>
</font></span><br>_______________________________________________<br>
Plug-security mailing list - <a href="mailto:Plug-security@lists.phxlinux.org">Plug-security@lists.phxlinux.org</a><br>
To change settings or unsubscribe:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-security" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-security</a><br>
<br></blockquote></div><br></div>