That is one way to name it. I see SQL Injections as vulnerabilities that should have died long ago… Not because they’ve been around for too long (look at buffer overflows), but because they are simple to prevent… Seeing the high number of new developers that pop up every year, with no secure coding habits, I foresee a great future for SQL Injections, as well as for any other web application vulnerability.

Leaving aside the sarcasm, I’ve written this article with the sole purpose of sharing SQL Injection related resources that I did find useful.

RTFM!? (Read The “Funky” Manual)

Before even trying to understand what SQL Injection is, you should have (at least) basic knowledge on the type of database that the SQL Injection back end has and it’s syntax (the ANSI/ISO SQL standard and DBMS specific functions/procedures/tables). Best direction for a start up (and quick reference) on a specific DBMS is it’s own manual:

• MS SQL (Transact-SQL)
• MySQL
• Oracle
• PostgreSQL

Note here (and through the whole article) that I will emphasis on MSSQL, MySQL, Oracle and PostgreSQL, because they are the most common DBMS’s you’ll encounter.

SQL Injection 101

You should understand basic SQL Injection attacks. I linked to OWASP’s article on SQL Injection, but you could search another one (there are plenty on the web) which may seem more appropriate to you. Also don’t forget to dive in Blind SQL Injections.

From that point onward it goes on with a bit of practice (there are a couple of challenge websites) and some DBMS specific techniques. The following articles are some examples on the subject:

• MySQL table and column names
• MySQL into outfile
• SQL Injection and Oracle
• Manipulating SQL Server Using SQL Injection

As I said, these are just a few examples. Other interesting (MySQL) techniques would be the ones using Benchmark() and Procedure Analyze().

SQL Injection Cheat Sheet

The most helpful resources when you’re doing SQL Injection attacks manually. I personally use Ferruh’s and pentestmonkey’s cheat sheets. You should not stop at only these two, there are many other cheat sheets (DBMS specific also) available. The best option would be to union more cheat sheets (some have exotic vectors, while other have more detailed examples) and from those select what you think would be appropriate for your cheat sheet.

Browserware

There are two firefox add-on’s that I would suggest for SQL Injection testing. The first one is HackBar, which I find very useful when exploiting SQL Injections from the browser directly (extracting/enumerating/dumping), while the second is SQL Inject Me, add-on which will prove useful in the pages with many input fields.

A Little Extra

Although SQL Injections can be exploited manually on several occasions (and based on your laziness) you’ll want to automate the job of extracting/detecting/dumping/bruteforcing (?) a Database. Here the following scripts/apps would prove handy…

SQLMap
sqlmap is an open source command-line automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

MultiInjector
MultiInjector is a mass exploitation tool (automated defacement). You basically give to the application a list of targets and payload, while it will fuzz all the found parameters by appending the payload to it. Check the website for more information.

Blind Sql Injection Brute Forcer version 2
This is a modified version of ‘bsqlbfv1.2-th.pl’. This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported: MSSQL, MySQL, PostgreSQL and Oracle.

SQLNinja

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

SQLBrute
SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle.

This is just a small list, for more check out the top 15 sql injection scanners back at security-hacks.

Bruteforce?

If you can’t SQL Inject a website, you can bruteforce the login credentials (if external access is allowed). Just download medusa/hydra (I prefer Hydra, due to Windows support :) generate a custom wordlist for your scenario (resource on wordlists and common passwords), and hit enter.

I know I’ve gone a bit off topic with the bruteforcing section, but I guess it didn’t hurt nobody a little more info.

AND 1=0

Have any suggestion? Feel free to contribute with comments/articles/cheat sheets, or any other resource which would improve this article.

The anwser isn’t that simple. Based on the amount of data that could have been leached from the websites (mentioned above) F-Secure looks the trust worthiest. Why F-Secure? Because given their defense-in-depth methodology no sensitive data could have been retrieved, just ordinary data that you may see on other several public pages.

As from any other attack scenario, there is something to be learned. In this case F-Secure and their methodology gave us the lesson. You should never, and I repet never, grant access to important data to a user which interacts with a visitor (in this case, a mysql database user). You will lower the threat by creating different users for different tasks.

Also, I won’t go in complaining about the SQL injections, even if I should, because it’s nothing uncommon. When you have a team of developers which constantly add/remove components and which haven’t got a secure coding methodology (some might sanitize the data on request, others before the usage) SQL injection vulnerabilities (XSS vulnerabilities) will iminently pop up. I said I won’t complain about the vulnerability, but given the fact that they are in the security industry (and not some unknown players) you would expect more…

Another “debate” I’ve seen was based on Acunetix article which mentioned that Unu found the vulnerability in Kaspersky’s website via their scanner. Even if true, we all know that Acunetix Scanner isn’t always enough to catch all the vulnerabilities (as Unu declared also), and no such scanner can. People generally use Acunetix Scanner for a quick and dirty PRELIMINARY scan.

Enough said.

And if you weren’t sure till know, I assure you I’m going to speak about Firefox Addons.

LiveHTTPHeaders

Useful addon for both developers and hackers. It let’s you analyze the HTTP requests and responses done at/from a specified point. It also allows you to modify the requests as you want, from parameters to HTTP headers, anything is possible.

For those that use intercepting proxies in passive mode, for grabbing links while browsing, which later will be passed to some web application scanner (or something like that), guess what: liveHTTPHeaders supports that also.

Download: liveHTTPHeaders

Tamper Data

On several occasions you may want to modify/forge requests in the first submission of a page/form. For that reason Tamper Data is another addon that shouldn’t miss from your toolbox. The functionality I mentioned is just the tip of the iceberg regarding Tamper Data.

Screenshots and download: Tamper Data

HackBar

But what if you don’t need to modify headers, just the content or parameters? Should use Tamper Data just for that?

The answer is obviously NO! Just press F9 (HackBar shortcut key) and you’re ready to tamper/forge requests as you wish. It’s a great addon not just because it eases work with long URLs, but also has the ability to send POST requests for you, thus relieving you from having another window/tab for executing forged POST requests. Did I also mentioned how helpful it can be when working with SQL Injections? No?! I wonder how could I omit that?…

Screenshots and download: HackBar

Final notes

In the end it’s up to you to decide how you’ll do from this point onward. Either work with the suggested plugins, or continue your ritual with intercepting proxies. There is no good/bad way of doing it, it’s just a matter of taste. Some people (including myself) like to do as much possible from the browser before firing up another application…

Maybe not exactly a full step, but you will understand later on why not.

In the ending of the article I mentioned that there is a wordpress plugin that does just that, it is called access log (duh) and you can download it from here. After installing the plugin and configuring it you may also want to decode the REQUEST_URI because that will help later on for analysis. Just add the rawurldecode function to the code:

$href = rawurldecode($_SERVER['REQUEST_URI']);

Another important step after installing/configuring the plugin would be to protect the log directory from unwanted visitors. I use a simple .htaccess file to accomplish the task. The following example denotes the rewrite rule I use:

RewriteRule ^(.*)$ http://insanesecurity.info [R=301,L]

If you’re a stranger towards .htaccess files you might be interested in, a short resource based article I wrote, .htaccess 101.

After a while of log harvesting you might be interested in analyzing the logs and find potential intruders/attackers. That’s when Scalp comes in.

Scalp! is a log analyzer for the Apache web server that aims to look for security problems. The main idea is to look through huge log files and extract the possible attacks that have been sent through HTTP/GET (By default, Apache does not log the HTTP/POST variable).

And this is the reason why we take a partial step, because it doesn’t support custom access log files, thus we cannot analyze POST requests. But let’s give Romain some time, as he’s working on a improved C++ version of it, which hopefully will have this feature.

Among Scalps features (options) are the following:

• tough: Will decode a part of potential attacks (this is done to use better the regexp from PHP-IDS in order to decrease the false-negative rate)
• period: Specify a time-frame to look at, all the rest will be ignored
• sample: Does a random sampling of the log lines in order to look at a certain percentage, this is useful when the user doesn’t want to do a full scan of all the log, but just ping it to see if there is some problem…
• attack: Specify what classes of vulnerabilities the tool will look at (eg, look only for XSS, SQL Injection, etc.)

The things that Scalp can find are: XSS, CSRF, SQL Injection, LFI, RFE (or RFI as some call it), DOS, Directory Transversal, Spam and Information Disclosure.

For more information you can visit the start page of the project here, or just go to the download section here. Almost forgot to mention, Scalp is a python script.

Not done just yet, Scalp works with PHP-IDS’s filters, so you’ll have to download the filter (xml) file from their website to get things working.

Enough said, hopefully Scalp will help you in preventing attackers, rather than helping you in attack forensics.

If there is a phrase that describes in the best way the distribution, it has to be the one from LinuxTracker:

Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop — it’s a learning tool for security students.

To be honest I didn’t play with it till now (even if have been a user of the website for a year or so) because off limited free time that I’ve got. But in the near future (hope so) I will give it a shot, you know demonstrate my “talents” to my work colleague, maybe even do a video to help out DVL.

More specific info about included vulnerabilities/tools you can find on this page, but just up to version 1.4, and the download mirrors can be found here.

If this is an unknown domain for you (security) I would recommend you firstly to start out with some basics before even taking a glimpse at DVL. In such a case you might be interested in David Melnichuk book The Hacker’s Underground Handbook.

Before I forget… You would highly be appreciated for seeding the torrent, not just leeching it, because the free stuff never gets seeded well, IMO.