[Plug-security] SQL Injection Toyz [Flag] (Still Up/Available)

Jorge Rios jorge.rios.2981 at gmail.com
Sat Jun 15 19:13:02 MST 2013


Hi Lisa,

I've been playing with the system for the last few days and it seems to be
down today.

- Jorge


On Thu, May 23, 2013 at 10:00 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:

> Well, there are a few things to attack on Metasploitable.
>
> There's ssh of course - but you got help there?
> There are php holes - run Metasploitable or Armitage against it?
> There's tikiwiki there too - to declare your flags.
> Damn Vulnerable Linux is the Injection example.
>
> Here are some tutorials for use with Metasploitable 2 and Backtrack5:
>
> http://nkush.blogspot.com/2011/09/metasploitable-walkthrough.html
> https://community.rapid7.com/docs/DOC-1875
>
>
> On Thu, May 23, 2013 at 9:34 PM, Sam Kreimeyer <skreimey at gmail.com> wrote:
>
>> Thanks for the help! The ssh login was pretty useful. I was able to look
>> at the php source code for the sql injection tab and see that magic quotes
>> were turned on (which made for very difficult injecting!). I saw that the
>> security cookie was defaulted to high, so I just changed that with firebug.
>> That made things much easier!
>>
>> Now is there a particular flag file I should be looking for, or is this
>> more of a sandbox to play with?
>>
>>
>> On Wed, May 22, 2013 at 4:35 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>>
>>> Here's the SQL Injection links:
>>>
>>> http://12.159.65.86/dvwa/index.php
>>>
>>>
>>> On Wed, May 22, 2013 at 12:37 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>>>
>>>> You can get in via msfadmin ssh.
>>>>
>>>> I rebooted it.
>>>>
>>>> It should answer now.
>>>>
>>>> We just needed to do this:
>>>> http://colesec.inventedtheinternet.com/metasploitable-2-and-mutillidae/
>>>>
>>>>
>>>> On Wed, May 22, 2013 at 11:17 AM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>>>>
>>>>> Login to the first page - the login is on the bottom of the screen and
>>>>> restart the toy/tool.
>>>>>
>>>>>
>>>>> On Wed, May 22, 2013 at 11:16 AM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>>>>>
>>>>>> Someone probably crashed the server.
>>>>>>
>>>>>> We can recreate it.
>>>>>>
>>>>>>
>>>>>> On Tue, May 21, 2013 at 2:20 PM, Sam Kreimeyer <skreimey at gmail.com> wrote:
>>>>>>
>>>>>>> The error messages on the web server make it look like all the
>>>>>>> tables have been dropped on mutillidae. Was that the injection point we
>>>>>>> were supposed to go for?
>>>>>>>
>>>>>>>
>>>>>>> On Tue, May 14, 2013 at 3:17 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>>>>>>>
>>>>>>>> We are giving the PLUG Hackfesters additional time to take this
>>>>>>>> flag, since SQL Injection is one of those skills that really demands
>>>>>>>> mastery (or a good deal of experience with SQL commands such as obtained
>>>>>>>> via DevOps or Linux Systems Administration/Engineering).
>>>>>>>>
>>>>>>>> The exploitable system is still up at http://12.159.65.86 - in the
>>>>>>>> OneNeck DeVry Rack - Thanks very much to OneNeck Hosting for
>>>>>>>> providing this rack resource to the DeVry Students and Phoenix Open Source
>>>>>>>> Community!
>>>>>>>>
>>>>>>>> There are a great number of SQL Injection tools available for your
>>>>>>>> use:
>>>>>>>>
>>>>>>>> 0) https://code.google.com/p/mysqloit/
>>>>>>>>
>>>>>>>> 1) SQL Ninja:   If you are using SQL Ninja as packaged in BT5r3,
>>>>>>>> it's configured for use against Microsoft MSSQL and doesn't work. Our SQL
>>>>>>>> servers are not using a SA user - and a great number of the exploits in the
>>>>>>>> wild will be using Oracle, db2, postgresql, or mysql.  You can bypass the
>>>>>>>> (incorrectly preconfigured) version from BT5r3 (which, as a Pentesting
>>>>>>>> distro, exists just to get you started, not to stop you when something
>>>>>>>> doesn't work [or is broken by default because it's too powerful for the
>>>>>>>> masses]) with http://sqlninja.sourceforge.net/  - be sure to
>>>>>>>> follow the easy tutorial here:
>>>>>>>> http://sqlninja.sourceforge.net/sqlninjademo.html
>>>>>>>>
>>>>>>>> 2) http://sqlmap.org/  (Note, you must point this to the correct
>>>>>>>> URL where the example exploitable database is fed from a form (i.e. this
>>>>>>>> would be found after completing the login at
>>>>>>>> http://12.159.65.86/dvwa/login.php - read the page, silly)).  I saw
>>>>>>>> a few of you pointing to the wrong URL/path.  Some of that might be due to
>>>>>>>> (again) the defaults in BT5r3.   Here are better instructions on how to use
>>>>>>>> the SQLmap tool (from any Linux, Windows, or OSX python installation):
>>>>>>>> http://franx47.wordpress.com/2013/02/01/using-sqlmap-for-sql-injection/
>>>>>>>> (These worked for me).
>>>>>>>>
>>>>>>>> 3) If you would like to attack MSSQL to delve into SQL Injection
>>>>>>>> (as David Demland's presentation touched on to provide completeness on the
>>>>>>>> subject of SQL Injection = especially where "sa" user is concerned), please
>>>>>>>> see this test site:
>>>>>>>>
>>>>>>>> Here's content presentation that is specific to MySQL only for SQL
>>>>>>>> Injection:
>>>>>>>> http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
>>>>>>>> For anyone at greater than basic level of SQL Injection, the differences in
>>>>>>>> MSSQL and MYSQL (or other SQL server) are trivial (just ensure you
>>>>>>>> understand privileges for either mysql user or sa user, and other specifics
>>>>>>>> for db2 or Oracle for instance).
>>>>>>>>
>>>>>>>> 4) Of course many purists advocate use of Burp Suite:
>>>>>>>> http://portswigger.net/burp/ (which is available in BT5r3 {open a
>>>>>>>> terminal window and type "locate burp"}).
>>>>>>>>
>>>>>>>> This is nothing like the fun that is had in [my] day-to-day Linux
>>>>>>>> systems administration for mysql/postgresql/db2 (for which we generally also
>>>>>>>> act as a "DBA") or hold key DevOps roles supporting large tanks of
>>>>>>>> developers with ETL projects.
>>>>>>>>
>>>>>>>> An especially fun and powerful ETL "tool" (imagine the
>>>>>>>> possibilities) is CloverETL:    http://www.cloveretl.com/
>>>>>>>>
>>>>>>>> Hackfest Mentorship DISCLAIMER:  We will happily assist you to
>>>>>>>> learn or use any tool in order to complete the practical parts of the labs
>>>>>>>> (actual encroachment).  We will not teach you "how to hack" or "how to get
>>>>>>>> a flag"  other than refer you to the public lab we have available (in this
>>>>>>>> case "Metasploitable") or ask you questions that will allow you to solve
>>>>>>>> the tests.  Expect all of your questions to lead to more questions - we
>>>>>>>> hope to teach you to USE THE SOURCE Luke!  Google will work if you don't
>>>>>>>> have any midi-chlorians in your blood.
>>>>>>>>
>>>>>>>> We especially love this "3 pronged attack", translated by use of
>>>>>>>> Google:
>>>>>>>> http://translate.google.com/translate?hl=en&sl=es&u=http://www.blogtecnico.net/bt5r3-tor-burp-suite-sqlmap/&prev=/search%3Fq%3Dburpsuite%2Bon%2Bbt5r3
>>>>>>>>
>>>>>>>> Okay, ready, let's hit the "Blind SQL Injection" button:
>>>>>>>> http://itsecuritylab.eu/index.php/tag/sql-injection/
>>>>>>>>
>>>>>>>> We decided not to use our resources for this flag....
>>>>>>>>
>>>>>>>> So if you want a flag just to win a prize, this one's not for you.
>>>>>>>> Come back next month when we do IPV6.
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> (503) 754-4452 Android
>>>>>>>> (623) 239-3392 Skype
>>>>>>>> (623) 688-3392 Google Voice
>>>>>>>> it-clowns.com <http://it-clowns.com/c/index.php>
>>>>>>>> Chief Clown
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Plug-security mailing list  -  Plug-security at lists.phxlinux.org
>>>>>>>> To change settings or unsubscribe:
>>>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-security
>>>>>>>>
>>>>>>>>
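Added example, not from any message in this thread: Sam's observation that magic quotes made injection harder deserves a defender's caveat, because addslashes-style escaping only protects quoted string contexts. This Python/sqlite3 snippet is a constructed stand-in for DVWA's PHP/MySQL code (table, names and inputs are made up): it mimics magic_quotes_gpc escaping in front of an unquoted numeric id parameter and places it beside a validated, parameterized query.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a DVWA-style users table (not DVWA's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "gordonb"), (3, "pablo")])
    return conn


def addslashes(s):
    """Mimic PHP magic_quotes_gpc / addslashes(): backslash-escape ', ", \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def lookup_escaped(conn, user_id):
    """Weak pattern: escape quotes, then splice the value into an UNQUOTED numeric
    context. No quote is needed to alter the WHERE clause, so the escaping never
    fires and the input is parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = " + addslashes(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id):
    """Hardened pattern: validate the type, then bind the value as a parameter so the
    database never parses it as SQL text."""
    try:
        uid = int(user_id)
    except ValueError:
        return []  # reject anything that is not an integer id
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (uid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    benign, hostile = "2", "2 OR 1=1"   # constructed inputs
    print("escaped, benign:       ", lookup_escaped(db, benign))
    print("escaped, hostile:      ", lookup_escaped(db, hostile))        # every row returned
    print("parameterized, benign: ", lookup_parameterized(db, benign))
    print("parameterized, hostile:", lookup_parameterized(db, hostile))  # []
```

The same logic applies to DVWA's "security" cookie Sam changed in Firebug: anything the client can edit (cookies, hidden fields, escaped-but-unquoted parameters) is untrusted input, and only server-side validation plus bound parameters closes the hole.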