[Plug-security] SQL Injection Toyz [Flag] (Still Up/Available)

Lisa Kachold lisakachold at obnosis.com
Wed May 22 11:16:21 MST 2013


Someone probably crashed the server.

We can recreate it.

On Tue, May 21, 2013 at 2:20 PM, Sam Kreimeyer <skreimey at gmail.com> wrote:

> The error messages on the web server make it look like all the tables have
> been dropped on mutillidae. Was that the injection point we were supposed
> to go for?
>
>
> On Tue, May 14, 2013 at 3:17 PM, Lisa Kachold <lisakachold at obnosis.com>wrote:
>
>> We are giving the PLUG Hackfesters additional time to take this flag.
>>  Since SQL Injection is one of those skills that really demands mastery (or
>> a good deal of experience with SQL commands such as obtained via DevOps or
>> Linux Systems Administration/Engineering).
>>
>> The exploitable system is still up at http://12.159.65.86 -in the
>>  OneNeck DeVry Rack - Thanks very Much to OneNeck Hosting for providing
>> this rack resource to the DeVry Students and Phoenix Open Source Community!
>>
>> There are a great number of SQL Injection tools available for your use:
>>
>> 0) https://code.google.com/p/mysqloit/
>>
>> 1) SQL Ninja:   If you are using SQL Ninja as packaged in BT5r3, it's
>> configured for use against Microsoft MSSQL and doesn't work. Our SQL
>> servers are not using a SA user - and a great number of the exploits in the
>> wild will be using Oracle, db2, postgresql, or mysql.  You can bypass the
>> (incorrectly preconfigured) version from BT5r3 (which, as a Pentesting
>> distro, exists just to get you started, not to stop you when something
>> doesn't work [or is broken by default because it's too powerful for the
>> masses]) with http://sqlninja.sourceforge.net/  - be sure to follow the
>> easy tutorial here:  http://sqlninja.sourceforge.net/sqlninjademo.html
>>
>> 2) http://sqlmap.org/  (Note, you must point this to the correct URL
>> where the example exploitable database is fed from a form  (I.E. this would
>> be found after completing the login http://12.159.65.86/dvwa/login.php
>> read the page silly ).  I saw a few of you pointing to the wrong URL/path.
>>  Some of that might be due to (again) the defaults in BT5r3.   Here's
>> better instructions on how to use the SQLmap tool (from any linux. Windows,
>> OSX python installation):
>> http://franx47.wordpress.com/2013/02/01/using-sqlmap-for-sql-injection/
>> (These worked for me).
>>
>> 3) If you would like to attack MSSQL to delve into SQL Injection (as
>> David Demland's presentation touched on to provide completeness on the
>> subject of SQL Injection = especially where "sa" user is concerned), please
>> see this test site:
>>
>> Here's content presentation that is specific to MySQL only for SQL
>> Injection:
>> http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php  For
>> anyone at greater than basic level of SQL Injection, the differences in
>> MSSQL and MYSQL (or other SQL server) are trivial (just ensure you
>> understand privileges for either mysql user or sa user, and other specifics
>> for db2 or Oracle for instance.
>>
>> 4) Of course many purists advocate use of BurpeSuite:
>> http://portswigger.net/burp/ (which is available in BT5r3 {open a
>> terminal window and type "locate burp"}).
>>
>> This is nothing like the fun that is had in [my] day to day Linux systems
>> administration for mysql/postgesql/db2 (for which we generally also act as
>> a "DBA") or hold key DevOps roles supporting large tanks of developers with
>> ETL projects.
>>
>> An especially fun and powerful ETL "tool" (imagine the possibilities) is
>> CloverETL:    http://www.cloveretl.com/
>>
>> Hackfest Mentorship DISCLAIMER:  We will happily assist you to learn or
>> use any tool in order to complete the practical parts of the labs (actual
>> encroachment).  We will not teach you "how to hack" or "how to get a flag"
>>  other than refer you to the public lab we have available (in this case
>> "Metasploitable") or ask you questions that will allow you to solve the
>> tests..  Expect all of your questions to lead to more questions - we hope
>> to teach you to USE THE SOURCE Luke!  Google will work if you don't have
>> any midi-chlorians in your blood.
>>
>> We especially love this "3 pronged attack"  Translated by use of Google:
>> http://translate.google.com/translate?hl=en&sl=es&u=http://www.blogtecnico.net/bt5r3-tor-burp-suite-sqlmap/&prev=/search%3Fq%3Dburpsuite%2Bon%2Bbt5r3
>>
>> Okay, ready, let's hit the "Blind SQL Injection" button:
>> http://itsecuritylab.eu/index.php/tag/sql-injection/
>>
>> We decided not to use our resources for this flag....
>>
>> So if you want a flag just to win a prize, this one's not for you.  Come
>> back next month when we do IPV6.
>>  <http://www.cloveretl.com/>--
>>
>> (503) 754-4452 Android
>> (623) 239-3392 Skype
>> (623) 688-3392 Google Voice
>> **
>> it-clowns.com <http://it-clowns.com/c/index.php>
>> Chief Clown
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Plug-security mailing list  -  Plug-security at lists.phxlinux.org
>> To change settings or unsubscribe:
>> http://lists.phxlinux.org/mailman/listinfo/plug-security
>>
>>
>
> _______________________________________________
> Plug-security mailing list  -  Plug-security at lists.phxlinux.org
> To change settings or unsubscribe:
> http://lists.phxlinux.org/mailman/listinfo/plug-security
>
>


-- 

(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
it-clowns.com <http://it-clowns.com/c/index.php>
Chief Clown
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-security/attachments/20130522/8cbb1805/attachment-0001.html>


More information about the Plug-security mailing list