Penetration Testing mailing list archives
RE: SQL injection
From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 9 Jun 2005 10:52:05 -0500
There are servers built for this sole purpose - web application firewall. They clean HTTP traffic and detect many Web attacks. Seems like a good thing to have in front of your main webserver, but I haven't ever used one. Anyone know of the most popular company that is doing this? Any experience with them? Normal IDS/IPS System should be able to do this type of thing as well. http://whitepaper.informationweek.com/cmpinformationweek/search/viewabst ract/69387/index.jsp http://www.axiliance.com/produit/realsentry/?LG=uk http://www.modsecurity.org/ http://secyber.net/www2/htmldb/teros.html#t100 -Todd
-----Original Message----- From: Faisal Khan [mailto:faisal () netxs com pk] Sent: Thursday, June 09, 2005 10:38 AM To: pen-test () securityfocus com Subject: SQL injection Pardon the ignorance, but is there any hardware/software based device that can outright prevent/mitigate (detect?) SQL injections? Would an IDS be able to prevent this? At 08:29 PM 6/9/2005, you wrote:Another option you could try is to use ettercap to insert your laptop/pen-test system in as a Man-in-the-Middle between theSQL serverand client systems and then capture the port 1433 traffic using tcpdump/ethereal/your favorite packet capturing program. This will definitely yield the 'sa' password (as well as others). If you're using Windows on your attack platform, considerusing Cain &Abel as it can do the Man-in-the-Middle/SQL password captureall in one.Ido -- Ido Dubrawsky, CISSP Senior Security Consultant SBC/Callisma (571) 633-9500 (Office) (202) 213-9029 (Mobile)-----Original Message----- From: Erik Pace Birkholz [mailto:erik () specialopssecurity com] Sent: Thursday, June 09, 2005 4:06 AM To: Hugo Vinicius Garcia Razera; pen-test () securityfocus com Cc: Erik Pace Birkholz Subject: RE: pen-test on a windows 2003 server box whitMS-SQL andTerminal Services Hugo, Based on the limited info you have provided, here is my advice. Have you done UDP port scans? If you haven't done so, scan to determine what UDP ports are open. Depending on what youfind thiscould be helpful. For example, if SNMP is available witha defaultor guessable community name it will provide usernames among other goodies. Re: obtaining the SQL version; since the OS is Win3k theSQL serverwill likely be SQL 2000 with SP3 or later. If you really want to find out try SQLVer (www.sqlsecurity.com) as Chip alreadymentionedand try SQLRecon (www.SpecialOpsSecurity.com -click on LABS). With that said don't give up on the SQL "SA" brute force attacks. There is no account lock out for SA so rock and roll. SQLDict.exe works pretty well if you have a big dictionary file.Another optionis ForceSQL.exe because it brute forces an account (sa)based on auser specified character set (charset.txt) up to a user specified max password length. You also mentioned DNS: 53. Not sure if you are referringto UDP orTCP? If it is TCP then you should try a zone transfer. Also don't forget full (1-65535) TCP port scans and source port scans (SRC=20,53,88,80,etc...) Finally use tracerouting, hping2, tcpdump, etc todetermine if theblocking ACLs are on the host or a network device. Something is facilitating the firewalling that is hiding juicy MSspecific portslike TCP 135 and 445. Is it ICF, IPSec, a personalfirewall, networkfirewall, perimeter router or what? Once you know this itwill helpdirect your attempts to subvert that protection and getexposure tomore ports on the target. Let us know how it goes! Good luck, Erik Pace Birkholz www.SpecialOpsSecurity.com -----Original Message----- From: Hugo Vinicius Garcia Razera [mailto:hviniciusg () gmail com] Sent: Tuesday, June 07, 2005 4:01 PM To: pen-test () securityfocus com Subject: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Hi every one, I'm doing a pen test on a client, and havefound thathe have a windows 2003 server box on one segment of his public addresses this is his dns/web/mail server: - mssql :1433 - terminal services :3389 - iis 6 :80 - smtp :25 - pop3 :110 - dns : 53 - ftp : filtered ports opened, i logged on the terminal services port whitthe winxpremote desktop utility and it connects perfectly. i tried a dictionari atack on mssql server whit the "sa"account andothers user names i collected. Hydra from THC was the tool, but no succes on this atack. also tried the tsgrinder for terminal services , but no success. well here come some questions: - What others Usernames should i try for sql and terminalservices?i tried whit "sa" for sql and "Administrator" for TS - Any one knows how could i identify what version of sqlserver isrunning. - What other services of this host can be exploited? any comments, ideas, suggestions would be greatly appreciated. Hugo Vinicius Garcia RazeraFaisal Khan CEO Net Access Communication Systems (Private) Limited _____________________________ 1107 Park Avenue, 24-A, Block 6, PECHS, Main Shahrah-e-Faisal, Karachi 74500 (Pakistan) Board: +92 (21) 111 222 377 Direct: +92 (21) 454-346 Fax: +92 (21) 454-4347 Cell: +92 (333) 216-1291 Email: faisal () netxs com pk Web: <http://www.netxs.com.pk/>www.netxs.com.pk
Current thread:
- RE: SQL injection Todd Towles (Jun 09)
- <Possible follow-ups>
- Re: SQL injection Davi Ottenheimer (Jun 09)
- RE: SQL injection BĂ©noni MARTIN (Jun 09)
- Re: RE: SQL injection travis . barlow (Jun 09)
- RE: SQL injection Ofer Shezaf (Jun 09)
- RE: SQL injection Hecber Cordova (Jun 09)
- Exploit Repositories and Due Diligence Jeff (Jun 09)
- RE: Exploit Repositories and Due Diligence Leandro Reox (Jun 09)
- RE: Exploit Repositories and Due Diligence Sahir Hidayatullah (Jun 10)
- RE: Exploit Repositories and Due Diligence Carl Tucker (Jun 14)
- RE: Exploit Repositories and Due Diligence Carl Tucker (Jun 20)
- RE: SQL injection Hecber Cordova (Jun 09)