Microsoft SQL Database Link Crawler - SQLi #976
Please run msftidy first and correct all mistakes found, thanks.
Oops - sorry about that - it looks like I was using an outdated version. I'll try to get it cleaned up today or tomorrow. Thanks for taking a look at it.
No prob, please take your time :-)
Do you need anything else from us on this?
Hi @nullbind -- at this point, probably. I've asked @gspillman-r7 to see if we can't get a nice, contained QA instance of the systems that you're describing here, and I've taken my own run at it... but we clearly don't have the infrastructure expertise that you have. Every time we start down the path, it gets complicated and something easier to tackle comes up. :( This PR tortures me; I want to help fix up the Ruby and get this attack strategy into the hands of pen-testers, but I'm reluctant to do so without a decent test bed to validate changes. Do you guys host a vulnerable application somewhere that we can bang on? If not, maybe you'd consider setting up an OpenVPN tunnel (we've done that before with complicated targets)? If not, then maybe we can just start making edits and have you validate that the attack still works after cleanup? Failing all that, do you have some kind of guide or a VM set that you can share (outside of GitHub of course; it would be huge)? I'm just having a really hard time even approaching a test environment for this -- this is more complex than the usual "get a vulnerable version of FooServer and run this module."
Hi Tod, thanks for the follow up. I definitely understand. We do have a lab all set up for this. I'll see if I can get approval to open it up to you. If I can't, I'll write a setup guide. Sorry for the headaches :)
Hey, @nullbind. Can you give me an update on this PR?
Closing this for now till we can get some testing done. Feel free to reopen it when you get back to us. Thanks!
Sorry about that - I'm still finishing the lab setup guide for you guys. Thanks, Scott

On Sat, Jun 15, 2013 at 5:05 AM, wvu-r7 notifications@github.com wrote:
This module can be used to crawl MS SQL Server database links and deploy Metasploit payloads through links configured with sysadmin privileges via SQL injection. If you are attempting to obtain multiple reverse shells using this module, we recommend setting the "DisablePayloadHandler" advanced option to "true" and setting up a multi/handler to run in the background as a job to support multiple incoming shells. If you are interested in deploying payloads to specific servers, this module also supports that functionality via the "DEPLOYLIST" option. Currently, the module is capable of delivering payloads to both 32-bit and 64-bit Windows systems via PowerShell memory injection methods based on Matthew Graeber's work. As a result, the target server must have PowerShell installed. By default, all of the crawl information is saved to a CSV-formatted log file and MSF loot so that the tool can also be used for auditing without deploying payloads. The module supports error-, union-, and time-based SQL injection. However, be aware that the module will not discover SQL injection for you. Below are a few basic examples of how to set the GET_PATH parameter correctly for each type of injection.
Error based syntax:
/account.asp?id=1+and+1=[SQLi];--
Union based syntax:
/account.asp?id=1+union+all+select+null,[SQLi],null;--
Note: Union works most reliably if "id=1" does not return any data, i.e. use "id=12345678"
Time based syntax (blind):
/account.asp?id=1;[SQLi];--
Basic video example: http://www.youtube.com/watch?v=eCSxPC4FenQ
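For the auditing side of what the description above covers, here is an added T-SQL query (not code from the PR or the module) that a DBA can run on a SQL Server 2005 or later instance to list the linked servers a link crawl would traverse, the login mappings behind them, and which of those mappings store a fixed remote credential. The finding labels and the treatment of `sa` as the high-risk case are assumptions of this example, not something the PR defines.

```sql
-- Added audit example; not part of the PR or the Metasploit module.
-- Assumes SQL Server 2005+ (sys.servers, sys.linked_logins, sys.server_principals).
-- A link is only useful to a crawler when the local caller can reach it AND the
-- mapping lends it a remote login: a stored remote_name (uses_self_credential = 0)
-- hands that remote identity to every local login covered by the mapping, and
-- RPC Out is what allows statements to be executed on the remote side.
SELECT
    s.name                                  AS linked_server,
    s.product,
    s.provider,
    s.data_source,
    s.is_rpc_out_enabled,                   -- required for EXEC (...) AT [linked_server]
    s.is_data_access_enabled,               -- required for OPENQUERY / four-part names
    COALESCE(p.name, '<all other logins>')  AS local_login,   -- local_principal_id 0 = default mapping
    CASE
        WHEN ll.uses_self_credential = 1 THEN '<pass-through (caller''s own login)>'
        WHEN ll.remote_name IS NULL      THEN '<no mapping: access denied>'
        ELSE ll.remote_name
    END                                     AS remote_login,
    CASE
        WHEN ll.uses_self_credential = 0 AND ll.remote_name = 'sa'
            THEN 'HIGH: stored sa credential on the link'
        WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
             AND s.is_rpc_out_enabled = 1
            THEN 'REVIEW: stored credential with RPC Out enabled'
        WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
            THEN 'REVIEW: stored credential'
        ELSE 'ok'
    END                                     AS finding
FROM sys.servers AS s
LEFT JOIN sys.linked_logins      AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals  AS p  ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1                       -- server_id 0 is the local instance itself
ORDER BY s.name, local_login;
```

The remote login's actual role membership is not visible from the local catalog, so for any mapping flagged here the DBA should confirm it on the remote instance itself (or via the link, e.g. `EXEC ('SELECT IS_SRVROLEMEMBER(''sysadmin'')') AT [linked_server]` under the local login in question). Running the query on each server in turn, rather than only on the one the web application talks to, shows the full chain the crawl would follow.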