October 09, 2009

Sqlninja & Metasploit Demo

Last week I ran the "Web App Pen-Testing" SANS webcast to provide a sneak preview of the SEC542 "Web Penetration Testing and Ethical Hacking" course I will be teaching in London later this year. At the end of the webcast I ran a Sqlninja & Metasploit demo over the Hacme Bank vulnerable site using the recently released sqlninja patch.

This post includes a screencast of that demo (15:40 minutes):



You can access the archived version of the full SEC542 webcast from the SANS portal. Hope to see some of you, RaDaJo readers, in London!

5 Comments:

Anonymous Sergio Hernando said...

Excellent demo. I must confess I've never used both sqlninja and Metasploit together, but this demo indicates to me that I should :)

Regards,

7:14 PM  
Blogger Raul Siles said...

Thanks Sergio! Definitely, I recommend that all web-app pen-testers check the current integration of the most relevant web-app tools, like sqlninja, sqlmap, w3af, or BeEF, with Metasploit.

It is really amazing when you fully realize the kind of advanced attacks that can be exercised today on web applications!

12:34 AM  
Anonymous Juan Kinunt said...

Hello Raul,

I would like to know your opinion about this problem:

[+] Checking whether met12999.exe is there...
[-] met12999.exe seems to be there but empty. Debug.exe has probably failed

It seems that debug.exe was not executed properly.

Do you know any reasons? Do you know any solutions?

Thanks.

10:02 AM  
Blogger Raul Siles said...

Hello Juan,
You need to gather more details in order to confirm the reason for that error.

First of all, I suggest you check whether the file is there (under %TEMP%) and its size. After that, review the sqlninja code for that portion, searching for debug.exe. You can see that the code does the following to check the size:
--
"dir %TEMP%\\".$filearray[0].".exe | ".
"find \"".$filearray[0].".exe\" > %TEMP%\\xtst.txt & ".
"for /F \"tokens=3\" %i in (%TEMP%\\xtst.txt) do ".
"(if %i equ 0 ping -n ".$blindtime." 127.0.0.1) & ".
"for /F \"tokens=4\" %i in (%TEMP%\\xtst.txt) do ".
"(if %i equ 0 ping -n ".$blindtime." 127.0.0.1) & ".
"del %TEMP%\\xtst.txt";
--

You can run that in a cmd.exe window, replacing filearray[0] by met12999.exe (or the current filename).

If the file is zero, then the upload() function failed, and you need to go step by step over it to check where it failed. Perhaps on the "debug" invocation?

5:45 PM  
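The size check discussed in the comment above, reproduced as an added Python example (this is not sqlninja's own code): it assembles the same cmd.exe one-liner the Perl snippet builds and emulates the tokens=3 / tokens=4 test on constructed dir output lines, showing why both token positions are checked (12-hour locales put AM/PM in token 3 and the size in token 4; 24-hour locales put the size in token 3). The filename met12999 and the ping delay of 5 are assumed values.

```python
"""Reproduce the sqlninja zero-size check quoted in the comment above."""

# Constructed sample `dir` output lines (not captured from a real system),
# in the two layouts the tokens=3 / tokens=4 loops are there to cover:
# a 12-hour locale puts AM/PM in token 3 and the size in token 4,
# a 24-hour locale puts the size in token 3.
DIR_LINE_12H_EMPTY = "10/09/2009  05:45 PM                 0 met12999.exe"
DIR_LINE_24H_OK    = "09.10.2009  17:45               73802 met12999.exe"
DIR_LINE_24H_EMPTY = "09.10.2009  17:45                   0 met12999.exe"


def build_size_check(filename, blindtime):
    """Build the cmd.exe one-liner the Perl snippet assembles, for the given
    base filename (sqlninja's $filearray[0]) and ping delay ($blindtime).
    The `ping -n` delay is the signal sqlninja waits for: a delay means
    the `dir` line reported a size of 0."""
    f = filename + ".exe"
    return (
        "dir %TEMP%\\" + f + " | "
        + 'find "' + f + '" > %TEMP%\\xtst.txt & '
        + 'for /F "tokens=3" %i in (%TEMP%\\xtst.txt) do '
        + "(if %i equ 0 ping -n " + str(blindtime) + " 127.0.0.1) & "
        + 'for /F "tokens=4" %i in (%TEMP%\\xtst.txt) do '
        + "(if %i equ 0 ping -n " + str(blindtime) + " 127.0.0.1) & "
        + "del %TEMP%\\xtst.txt"
    )


def cmd_equ_zero(token):
    """Emulate `if %i equ 0`: cmd compares numerically only when both
    operands parse as integers, so 'PM' or 'met12999.exe' never match."""
    try:
        return int(token, 10) == 0
    except ValueError:
        return False


def file_looks_empty(dir_line):
    """True when token 3 or token 4 of the `dir` line is 0, i.e. the
    condition behind 'seems to be there but empty'."""
    tokens = dir_line.split()
    return any(cmd_equ_zero(tokens[i]) for i in (2, 3) if i < len(tokens))


if __name__ == "__main__":
    print(build_size_check("met12999", 5))
    for line in (DIR_LINE_12H_EMPTY, DIR_LINE_24H_OK, DIR_LINE_24H_EMPTY):
        print(file_looks_empty(line), "<-", line)
```

Running the printed command in a cmd.exe window on the affected host, as suggested in the reply, reproduces exactly what sqlninja evaluates; a zero in either position means upload() left an empty file behind.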
Anonymous Rafael Alfaro said...

Thanks for your demo.
I'll follow your suggestions about Metasploit integration as far as I can.

Regards,

1:43 PM  
