September 25, 2009

Sqlninja & Metasploit

Sqlninja is one of the best open-source tools to automate SQL injection exploitation against MS SQL Server databases. If you combine it with the best open-source network penetration testing framework, Metasploit, you get an extremely powerful web application pen-testing toolkit for total database p0wnage!

This week I have been preparing a sqlninja demo focused on its integration with Metasploit for next week "Web App Pen-Testing" SANS webcast, scheduled for October 1. During the webcast I'll cover a sneak preview of the SEC542 "Web Penetration Testing and Ethical Hacking" course I will be teaching in London later this year, and run a demo using the latest publicly available sqlninja version, 0.2.3-r1, including the quick fix detailed below (0.2.3-r1p).

Sqlninja is a Perl-based tool that can make use of Metasploit capabilities to upload and run a Meterpreter or VNC server payload on the target MS SQL server through SQL injection flaws on the target web application. The integration of these tools accepts both direct and reverse TCP connections to/from the database server and the pen-tester system. It uses the "msfpayload" tool to generate the payload that will be executed on the database server (metxxxxx.exe), and the "msfcli" tool to establish (or wait for) a connection with that payload.

Due to the extensive number of modules available in Metasploit nowadays, the msfcli execution takes around 20 seconds in a BTv4 virtual machine to load the whole Metasploit module tree:

# ./msfconsole -v
Framework Version: 3.3-dev
# ./msfconsole
=[ msf v3.3-dev [core:3.3 api:1.0]
+ -- --=[ 404 exploits - 248 payloads
+ -- --=[ 21 encoders - 8 nops
=[ 188 aux

# time /pentest/exploits/framework3/msfcli
[*] Please wait while we load the module tree...
real 0m18.568s
user 0m13.402s
sys 0m4.683s

As a result, the current sqlninja Metasploit module may fail due to a race condition mainly on reverse mode, and specifically, due to timing issues of when the module initiating the connection(client role) executes versus the module listening for the connection (server role).

The patch released in this post fixes this race condition by adding specific (client & server) timeouts to the bind_tcp and reverse_tcp connections. The timers for the bind case try to ensure that the server (msfpayload) starts before the client (msfcli) tries to establish a connection. The timers for the reverse case try to ensure that the server (msfcli) starts before the client (msfpayload) initiates the reverse connection. The values for the timers are conservative and set a difference of 25 seconds between the server and the client initialization.

Due to the fact the reverse Metasploit payload does not retry the client connection, if the other end is not listening when the connection is initiated, the connection never succeeds and cannot be established. Additionally, I've seen the CPU of the target DB system going up to near 100% (a non-desirable DoS condition during a professional pen-test).

The patch can be applied by renaming the original 0.2.3-r1 "sqlninja" Perl file to "sqlninja.original" and running:

$ patch sqlninja.original -i sqlninja.patch -o sqlninja

The new timers ($client_delay (30 secs) and $server_delay (5 secs)), defined at the beginning of the sqlninja main file, can be changed to accommodate future Metasploit startup delays, or even be converted into sqlninja configuration options within the sqlninja.conf file. The patch changes the sqlninja version to 0.2.3-r1p, to indicate the patch has been applied.

Enjoy it, (sql) ninja pen-testers!



Anonymous Anonymous said...

Gracias Raúl

10:39 PM  
Blogger Jose Selvi said...

Hi Raul, nice post ;)

sqlmap has similar feature creating and using metasploit payloads through databases command execution features. I saw it on SOURCES Conferences last week in Barcelona and It seems to work great.

Did you try sqlmap vs sqlninja? Which gives you more confidence?


8:30 AM  
Blogger Raul Siles said...

Both are great tools to automate the exploitation of SQLi flaws. The main differences, without going into too much details, are that sqlmap is a Python based tool, it provides extensive blind SQL injection capabilities, can use multiple injection points (such as cookies or UA), and supports multiple DB, like MySQL, Oracle, PostgreSQL and MS SQL Server. As a result it is a more complex tool.

BTW, we cover sqlmap, and even have an sqlmap exercise, on the SEC542 course mentioned on the post.

9:30 AM  

Post a Comment

<< Home