Toying with SQLmap

First things first, what is sqlmap? It’s an open source penetration testing tool for automating the process of finding SQL injection flaws and taking over databases. I won’t get into the full capabilities here, but you can learn more at [http://sqlmap.org/]*

The following is really just a combination of my notes and an extra credit assignment given by one of my professors in the spring. This was not a tool we covered in class, and the question was “Can you get a shell on a webserver using sqlmap?”

The initial set up here is a Kali Linux virtual machine and a Windows 7 virtual machine hosted on my own personal workstation. At the time, I had the vulnerable web application BadStore []. The website was accessible to the Kali VM via an entry in the /etc/hosts file. I typically was using Burpsuite as my proxy from the Kali Linux VM, however this was my exploration of sqlmap used alone.

us@vamanos:~$

Premise: Using Sqlmap from my Kali VM to attack a web application hosted on my Windows 7 VM, it is possible to get a shell on the web server.

sqlmapbegin

Firstly, you should use sqlmap against a URL hosted on the target server to see what you can learn about the system. It can also show us what sort of SQL injection attacks a parameter, like GET customerid, is vulnerable to. In the following, a submission URL was fed to sqlmap.

The image is of the command line on Kali Linux. The sqlmap output indicates that the GET parameter 'customerid' is injectable via 'Generic UNION query (NULL) - 1 to 20 columns'. sqlmap prompts the user to ask whether the others should be tested; yes is selected. More information is displayed regarding the GET parameter 'customerid' and the queries. sqlmap indicates the back-end database management system is MySQL. The web server operating system is Windows 7. The web application technologies include Apache 2.2.22 and PHP 7.1.7. The version of MySQL is greater than or equal to 5.0.12. The data is fetched and logged to text files under /root/.sqlmap/output/www.sql.net

Finally, we can also see the server OS, the version of Apache and type of database.

So we know it’s a site hosted with Apache 2.2.22 with PHP 7.1.7 and MySQL above 5.0.12. This information has been automatically saved in a file for us as well.
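To show what the “UNION query (NULL)” finding above actually means, here is an added example (my own, not code from the post or from BadStore): a query that pastes the GET value into the SQL text beside the same lookup done with a bound parameter. The table, rows and column names are constructed stand-ins, not the real BadStore schema.

```python
# Added example (not from the original post): why a concatenated query is
# reported as injectable, and why a parameterised query closes the hole.
# The 'orders' table and its rows are constructed stand-ins for BadStore.
import sqlite3


def make_db():
    """Constructed sample database: one orders table with three columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, customerid INTEGER, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, 1001, "widget"), (2, 1002, "gadget"), (3, 1001, "gizmo")])
    return db


def lookup_vulnerable(db, customerid):
    # Vulnerable pattern: the GET value is pasted straight into the SQL text,
    # so SQL inside the parameter becomes SQL inside the query.
    sql = f"SELECT id, customerid, item FROM orders WHERE customerid = {customerid}"
    return db.execute(sql).fetchall()


def lookup_hardened(db, customerid):
    # Hardened pattern: the value is bound as a parameter. The driver never
    # interprets it as SQL, whatever characters it contains.
    sql = "SELECT id, customerid, item FROM orders WHERE customerid = ?"
    return db.execute(sql, (customerid,)).fetchall()


# The kind of probe behind sqlmap's "UNION query (NULL) - N columns" check:
# a UNION with N NULLs succeeds only when N matches the original SELECT's
# column count. Three NULLs match the three-column SELECT above.
UNION_PROBE = "1001 UNION SELECT NULL,NULL,NULL"


def demo():
    db = make_db()
    vulnerable = lookup_vulnerable(db, UNION_PROBE)  # two real rows + one all-NULL row
    hardened = lookup_hardened(db, UNION_PROBE)      # no rows: the whole string is a value
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())
```

The hardened version returns nothing for the probe because no customerid equals that string; the vulnerable one returns an extra all-NULL row, which is exactly the signal sqlmap looks for.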

Looking through the advanced help, there are a few options that seem interesting.


sqlmap_advanced_help
It’s critical to get comfortable using a tool’s native help functions, whether that’s ‘man pages’ in Linux, Get-Help in PowerShell, or any command line tool/interface, period.


I didn’t want to mess with the registry to prove access since I wanted to more or less maintain the VM for later practice. So I went full script kiddie and used the options File Write and File Dest to upload the WhiteWinterWolf backdoor [https://www.whitewinterwolf.com/posts/2017/12/02/wwwolfs-php-webshell-users-guide/] to the webserver. For the purpose of making it easier for me to upload files and browse the system it was quite helpful. The first two images below are screencaps from the Windows 7 VM I took to verify the file was uploaded.

win7_peeking_at_directory

win7_textfile_php


I was able to navigate to the web shell like so:

z_webshell_in_use
1: You can see how easy it is to upload a file from here and place it into the web server’s directory. It’s no harder to find the IIS webroot inetpub (this was serving a copy of the same website at the time, but I was more personally interested in Apache).
z_webshell_in_use2
2: Executing only minimal parameters in the shell gave me a list of the C drive contents, and other information.
z_webshell_in_use3
3: You can use sqlmap to identify the web root, though I skipped that step to be honest. I knew the webroot was here for the ‘sql.com’ version of Bad Store I was hosting.
z_webshell_in_use4
4: ‘del main.php’ executed in the directory deleted the file, breaking the site. When I ran it a second time I got the ‘Could Not Find’ error you see there.

Image 4 above shows where my assignment write-up left off, more or less. It did take me a fair bit of trial and error since it was the first time I’d used sqlmap, but it really does a lot of the work for you. If you’re like me, then hosting and breaking your own vulnerable web apps is the easiest way to learn about and really understand how these systems work together. But you haven’t really done anything if you only use other people’s tools, so don’t neglect that side of study either!

All that’s left from here on out are my notes I kept for myself on the assignment and a footnote about proper use of sqlmap. Feel free to peace out at this point. I’d recommend visiting sqlmap.com to look at the demos and information they have available to learn more.

me@notes:~$

--os-shell (from the file access help in sqlmap)

I thought from the description maybe it meant a CMD shell on Windows. But it’s actually giving a whole bunch of options to find writable web root / htdocs directories.

sqlmap_brute_force_common_dir

sqlmap_brute_force_common_dir_detail

It wasn’t that helpful because the process user (which is what I was at the time) doesn’t have the privilege to write.

--priv-esc --os-shell : Adding PrivEsc didn’t noticeably change OS Shell output, and running it as the only parameter other than -u only gave stored session information.

--read-file=Index

sqlmap_readfileindex

If you open Index with Nano there is nothing there…

sqlmap_fileaccess2.png

Not really sure if it’s reading anything, or what good it is to me if I can’t personally read it. When I searched for a fake file it saved the information to a text file and didn’t make a document in the /www.sql.net/files directory.


*On sqlmap: At the time I last accessed sqlmap’s webpage, https was not configured. It is published under the GNU Public License. Please note their disclaimer: “Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.”

Spinning Up Your First Virtual Machine

Virtual machines, emulations of computers, are an amazing learning tool. If you have a single computer and want to learn about computer networking, web application pen-testing, or try a new Linux distro, virtual machines are your very best friend. By setting up one or more servers as virtual machines you can experiment with quite a bit!

All you need is a hypervisor, a program to run the virtual machines, and installation media for your virtual machine.

The two main options you’ll hear a lot about are the lovely open source Oracle Box [https://www.virtualbox.org/] and VMWare. You can get VMWare Workstation Player for free (Windows), or get a trial of VMWare Fusion (Mac) or VMWare Workstation Pro (Windows). But Oracle Box is free, and can run on any OS.

Let’s say you install Oracle box on your personal computer. Now you need installation media to install the operating system. This is pretty similar to installing an operating system on a ‘real’ computer. There are a lot of options as far as that goes. For example:

  • Kali Linux : Built with the security pro/nerd in mind, Kali comes with a ton of tools like Burpsuite already installed. https://www.kali.org/downloads/
  • FreeBSD : University of California Berkeley Unix https://www.freebsd.org/where.html
  • FreeBSD also provides an open source firewall called pfSense
  • Ubuntu : A noob friendly Linux distro https://www.ubuntu.com/download

Of course, you’re welcome to pay for Windows too…

Once you have your system image (your copy of the OS) you can install it on a virtual machine quite easily. Below I’ve included a guide for Oracle Box.

1. Open up VirtualBox and, naturally, click “New” to begin setting up a virtual machine. After clicking the ‘New’ button, you can enter the new virtual machine’s name, operating system type and version, memory size, and whether the hard disk should be created now, created later, or whether to use an existing virtual hard disk.

Give it a snazzy name, and make sure to set ‘type’ and ‘version’ appropriately.

Screen Shot 2018-10-31 at 3.05.58 AM

2. Determine how much memory to allocate to the VM. This will depend on your hardware specs, OS requirements, and how many virtual machines you want to be able to run on your hardware in the first place.

Screen Shot 2018-10-31 at 3.11.33 AM

Guided Mode isn’t that different from ‘Expert Mode’, by the way. It gives more detail about the options and makes suggestions for the values, but provides the same options in reality.

Screen Shot 2018-10-31 at 3.14.15 AM.png

3. If you’ve selected ‘create virtual hard disk now’ (and if this is your first VM, you’ll need to), then you’ll be confronted with the following:

Screen Shot 2018-10-31 at 3.16.21 AM

It’s worth noting that you may find you have difficulty exporting the VM from Oracle Box either way. Your mileage will vary, but there always seems to be some sort of hiccup in my experience. If you think you might want to try VMWare later, you can create the disk as a VMDK, which is compatible with both programs.

The allocation on your local disk is pretty self-explanatory since Oracle gave such a thorough description. I prefer dynamic allocation to save space on my hard drive until I need it, but it’s up to you. Just make sure wherever you create the file, you don’t tamper with it later.

Screen Shot 2018-10-31 at 3.20.18 AM.png

Simply give that file a recognizable name and choose its size.

Screen Shot 2018-10-31 at 3.23.32 AM

From here, it’s more or less dependent on which OS you are installing and what virtualized hardware you’ll want.

For example, you can alter the virtual machine settings to add an optical drive (think CD player), into which you can load a .iso file. ISO is often used for operating system images or other archives.
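The same steps can be scripted with VBoxManage, VirtualBox’s command-line front end, which makes a lab VM reproducible once you have clicked through the GUI once. This is an added example (mine, not from the post or from VirtualBox’s docs); the VM name, OS type ID, sizes and file paths are assumed values you would replace.

```python
# Added example (not from the original post): the GUI steps above as
# VBoxManage commands. The name, OS type ID ("Debian_64" is assumed to be
# a suitable type for Kali), sizes and paths are placeholders.
import subprocess


def plan_vm(name, ostype, memory_mb, disk_mb, disk_path, iso_path):
    """Return the VBoxManage command lines, in order, that build the VM."""
    return [
        # Step 1: name plus OS type/version; --register adds it to the VM list.
        ["VBoxManage", "createvm", "--name", name, "--ostype", ostype, "--register"],
        # Step 2: memory allocation in MB.
        ["VBoxManage", "modifyvm", name, "--memory", str(memory_mb)],
        # Step 3: the virtual hard disk as VMDK (usable in VMware too). The
        # default variant is dynamically allocated, so it grows only as used.
        ["VBoxManage", "createmedium", "disk", "--filename", disk_path,
         "--size", str(disk_mb), "--format", "VMDK"],
        # A SATA controller to hang the disk and the optical drive on.
        ["VBoxManage", "storagectl", name, "--name", "SATA", "--add", "sata"],
        ["VBoxManage", "storageattach", name, "--storagectl", "SATA",
         "--port", "0", "--device", "0", "--type", "hdd", "--medium", disk_path],
        # The optical drive with the installer .iso loaded into it.
        ["VBoxManage", "storageattach", name, "--storagectl", "SATA",
         "--port", "1", "--device", "0", "--type", "dvddrive", "--medium", iso_path],
    ]


def build_vm(name, ostype, memory_mb, disk_mb, disk_path, iso_path, dry_run=True):
    """Print the plan; with dry_run=False run it (requires VirtualBox installed)."""
    cmds = plan_vm(name, ostype, memory_mb, disk_mb, disk_path, iso_path)
    for cmd in cmds:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Placeholder values: a 2 GB, 20 GB-disk Kali lab box booting from an ISO.
    build_vm("kali-lab", "Debian_64", 2048, 20480,
             "/tmp/kali-lab.vmdk", "/tmp/kali-linux.iso")
```

Run it once with dry_run=True to review the commands, then with dry_run=False on a machine that has VirtualBox installed; `VBoxManage startvm kali-lab` boots the result.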

I’m not sure how helpful this is, but if you have questions about basic set up let me know in the comments. At some point, I’ll get started on an article to follow this one to explain in depth the various settings or options that may be confusing the first time you see them. My real agenda is to provide instructions on hosting a website from your virtual machine, in order to introduce tools like Burpsuite or OWASP’s testing tools.

Cryptography Basics : Notes

**I’ve been reading The Manga Guide to Cryptography and POC||GTFO to learn more about crypto. I’m just trying out digitizing some of my notes here, though I’m thinking a wiki like DokuWiki would be better. OneNote isn’t really floating my boat lately. Anyway, this shouldn’t be taken as original writing, or a finished article, and I will cite direct quotes when necessary**

1. Classic Encryption

A. Shannon’s Encryption Model

Plaintext (m); Ciphertext (C); Encryption Key (EK); Decryption Key (DK)

m -> Encryption (with key EK) -> C

C -> Decryption (with key DK) -> m

B. Substitution Cipher

In a substitution cipher, each character in m is converted by EK to a specific other letter.

Example: Caesar’s Cipher

Conversion Rule (sigma): shift each letter n places; n = 3*

Caesar Cipher Key Space: 23; (total letters) - 1 = key space size

C. Polyalphabetic Cipher

Scrambling the alphabet would increase the key space based on how many permutations are possible.

26P26 = 26! ≈ 4.0329*10^26

Read as: from a set of 26 things, the number of unique arrangements of all 26 items equals 26 factorial, about 4.0329*10^26.

It is computationally infeasible to test all of these possible keys based on a 26 letter alphabet, so frequency analysis is used to gain clues to the cipher.

D. Relevant Mathematics

  • Permutation: the number of uniquely ordered arrangements of r things taken from a set of n.

nPr = n*(n-1)*…*(n-r+1) = n!/(n-r)!

26P3 = 26!/23! = 26*25*24 = 15,600

  • Combination: the number of unique selections of r things taken from a set of n when order does not matter.

nCr = nPr/r! = n!/((n-r)!*r!)

Example:

26C3 = 26!/(23!*3!) = (26*25*24)/(1*2*3) = 15,600/6 = 2,600 combinations

  • Take Away: for the same n and r there are far more permutations than combinations, since every combination can be ordered r! ways.

E. Attacks

Frequency Analysis: based on the features of the ciphertext, or known statistics about the language of the plaintext, guesses can be made about the plaintext or the encryption key. It’s highly effective against simple substitution ciphers.

Example: The most common letter in English text is E and the most common word is THE, so repeated or frequent characters in the ciphertext can hint at the key, or the plaintext.
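The pieces of sections B, D and E fit together in a few lines of code. This is an added example of my own (not from the Manga Guide or the notes above), working over the modern 26-letter alphabet; the sample message is constructed.

```python
# Added example (not from the original notes): a Caesar shift, the counting
# formulas from section D, and the frequency-analysis attack from section E.
# Uses the modern 26-letter alphabet; SAMPLE is a constructed message.
from math import factorial
from string import ascii_uppercase as ALPHABET


def caesar(text, n):
    """Shift every letter n places (n may be negative); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def key_space(alphabet_size):
    """Caesar key space by the notes' rule: (total letters) - 1 non-trivial shifts."""
    return alphabet_size - 1


def permutations(n, r):
    """nPr = n!/(n-r)!: ordered arrangements of r things out of n."""
    return factorial(n) // factorial(n - r)


def combinations(n, r):
    """nCr = nPr/r!: unordered selections of r things out of n."""
    return permutations(n, r) // factorial(r)


def guess_shift(ciphertext):
    """Frequency analysis: assume the most frequent ciphertext letter stands for E."""
    counts = {c: ciphertext.count(c) for c in ALPHABET}
    top = max(counts, key=counts.get)
    return (ALPHABET.index(top) - ALPHABET.index("E")) % 26


SAMPLE = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG THREE TIMES"

if __name__ == "__main__":
    ct = caesar(SAMPLE, 3)
    n = guess_shift(ct)
    print(ct, "-> guessed shift", n, "->", caesar(ct, -n))
    print("Caesar keys:", key_space(26), " full alphabet keys:", permutations(26, 26))
```

For a single-shift cipher the guess is enough to decrypt; for a full scrambled alphabet the same letter statistics still give clues, but each letter must be mapped separately.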


Refocusing

When I made this blog, originally I was inspired by a technical writing course I took. I wanted to create a resource accessible to the average home user.

However, in hindsight, there are multiple issues with that focus. Firstly, that’s far too narrow of a focus considering my interests are not that of the average home user. I frankly have no idea what someone like that would find helpful. My husband has begun to accuse me of technobabble, and he’s not exactly clueless about computers. Second, that is far too narrowly focused, and my interests in technology have expanded as I’ve learned more about computing and technology.

What drew me to technology in general was the centrality of internet and computing technologies in our daily lives. We truly live in the Information Age.

Big Data, and Privacy are major issues in our times. My interests are in the social, legal and technological issues presented to the modern person in controlling their data, privacy and maintaining control over their property (software and hardware). The list of things I intend to research in depth in the next year keeps growing and if I ever want to have a meaningful record of progress, and share what I learn along the way, I shouldn’t be narrowing my scope too far.

I want to empower myself and others by increasing access to clear and useful information on technology and privacy but I can’t narrow my focus so much that I never write or kill my own fun.

So, if I can crank out an article on VPNs that my grandparents would understand, awesome. But that doesn’t mean not writing about SQL injection, or routing protocols.

This blog post is really for myself to read in a month or a year and remember that if I want to accomplish my goals, it’s best to write whatever I want now, and edit later. I’ve had a “how to set up a virtual machine” article saved as a draft for weeks! So, I’ll keep notes that I think may benefit others here, and track progress on various projects here, and write how-tos as I go.

This is really my journal. A record for myself, of what I’m learning and would like others to be able to find information on as well. So… here goes!