Nytro Posted August 15, 2013 Report Posted August 15, 2013 1. NameSqueeza - SQL Injection without the pain of syringes2. AuthorsMarco Slaviero < marco(at)sensepost(dot)com >Haroon Meer3. License, version & release dateLicense : GPLv2Version : v0.22Release Date : 2008/08/244. Descriptionsqueeza is a tool helps exploits SQL injection vulnerabilities in broken web applications. Its functionality is split into creating data on the database (by executing commands, copying in files, issuing new SQL queries) and extracting that data through various channels (dns, timing, http error messages)Currently, it supports the following databases: Microsoft SQL Server MySQL (only when multi-queries are enable, which is not too common) squeeza is not a tool for finding injection points. That recipe generally starts with 1 x analyst. #5. Usage ##5.1 Installation Installation is easy. Untar the archive into an appropriate spot. > $tar xvzf squeeza-0.21.tar.gzThereafter, edit the configuration file. By default, this is called 'squeeza.config' and resides in the same directory as the rest of the scripts.Off the bat, you'll want to edit at least the following configuration items: host url querystring method sql_prefix sql_postfix dns_domain The default mode is command mode, and the default channel is dns. ##5.2 Data Flow Model As already mentioned, squeeza splits the creation of data at the server away from the extraction of that data off the server (within certain constraints). Data is created by a /mode/, and extracted via a /channel/. By doing so, it is possible to mix 'n match modes with channels, which we think is pretty nifty/flexible.Currently supported modes: command mode : supports commands execution on the database server copy mode : supports copying of files from the database server to the local machine sql mode : supports the execution of arbitrary sql queriesCurrently supported channels: dns channel : extracts data via dns timing channel : extracts data by timing bits in the output http error message : extracts data through http error messages, similarly to Sec-1's automagic sql injectorAlthough we've striven for complete separation of modes and channels, we haven't completely succeeded as of yet (our SQL-fu is not strong). The following matrix shows the level of support for each mode and channel combination. Channel .-------------------------------------. | DNS | Timing | HTTP Errors | .----------+-----------+-----------+-------------|M | Command || Supported | Supported | Supported |o | Copy || Supported | Supported | Supported |d | SQL || Supported | Supported | Unsupported |e | || | | | `------------------------------------------------`Obviously, you'll also be limited by the capabilities of the database connection. If xp_cmdshell is removed or otherwise unavailable, squeeza isn't going to magically make it reappear.5.3 Command SetThe following commands are hooked into the basic squeeza shell. (Each module will probably further expose its own commands.) squeeza commands are always prefixed by a '!'.!help - print help for the shell and any loaded modules!quit - take a guess...!set - use this to set or view shell variablesThe mssql module has the following commands:!channel - use to view or set the current channel!cmd - switch to command mode!copy - switch to copy mode!sql - switch to sql mode5.4 Example UsageStarting squeeza: $./squeeza.rb Squeeza tha cheeza v0.21 © {marco|haroon}@sensepost.com 2007 sp-sq>This presents you with a basic shell from which to control squeeza. All squeeza commands are prefixed by a '!'. Anything else is sent through to the underlying module; this generally causes action to occur. E.g. The default mode is command mode. When typing in sp-sq> dir c:\The command 'dir c:\' is sent to the server, and its output is returned via your channel of choice. To switch to HTTP error-based copy mode, and copy the file c:\sp.jpeg to local file sp.copied, the following command sequence would work sp-sq> !channel http sp-sq> !copy sp-sq> c:\sp.jpeg sp.copiedTo then extract a list of database tables via timing, one could use sp-sq> !channel time sp-sq> !sql sp-sq> !ret tables5.5 Using command modeSwitch to command mode at any time by using the '!cmd' command.This mode enables the execution of commands on the server. Type in the command of choice, and squeeza will execute it and return its results.Beware that if you attempt to execute a file that triggers a handler, then squeeza will timeout waiting for a response. E.g. if you executec:\some.jpeg, the database server will probably fire up Windows Picture and Fax Viewer /on the server/, and sit waiting for the viewer to quit. Which it won't.Command mode uses the following variables: cmd_table_name : name to use for temporary table in database, default is 'sqcmd'5.6 Using copy modeSwitch to copy mode at any time by using the '!copy' command.This mode enables the copying of files /from/ the server to your local machine. Format of copy command is: sp-sq> src-file [dst-file]where 'src-file' is a full path to the file you want to copy, and the optional 'dst-file' is a local filename.5.7 Using sql modeSwitch to sql mode at any time by using the '!sql' command.This mode enables the execution of fairly simple but arbitrary SQL queries on the database. It has built-in queries to help with the mapping of database schema, but one can easily construct one's own queries. This mode does not actually build an intermediate or temporary table before data extraction, as an added optimisation.The built-in queries are operated using the '!ret' command. Possible values for '!ret' include: info tables columns < table_name >E.g.: sp-sq> !ret info sp-sq> !ret tables sp-sq> !ret columns sysobjectsIssuing arbitrary queries is a little more complex (but not by much!)The query should take the form of: < column_name > < table_names > < where_clause >For instance, to extract user tables one could use the following query sp-sq> name sysobjects xtype='U'5.8 Using the DNS channelSwitch to the dns channel at any time by using the '!channel dns' command.This channel is useful when no HTTP error messages are present, and you can't export reverse shells or connect to bind shells due to network limitations. If DNS is allowed out the network, the channel will work for you.Depending on whether your injection point has sysadmin privileges or not, squeeza can be instructed to use different injection strings. This is influenced by the 'dns_privs' configuration variable. Possible values: high : database user is sysadmin, and xp_cmdshell is available medium : database user is sysadmin, xp_cmdshell is not available (we'll use xp_getfiledetails as a reasonable substitute) low : database user is unprivileged, use xp_getfiledetailsOther configuration variables that affect the DNS channel (see Appendix A for a longer description): request_timeout dns_domain dns_server5.9 Using the timing channelSwitch to timing channel at any time by using the '!channel time' command.This channel enables the extraction of data when very few database or network privileges are present. It can be extremely slow (as in, 1 or 2 bits per second) but might just be what you need.The timing channel provides the command '!calib' for automatic calibration of time ranges. Feedback on the effectiveness of this command is gratefully accepted.Configuration variables for the timing channel (see Appendix A for a longer description: delay outlier_weight one_range zero_range time_privs ansi request_timeout5.10 Using the HTTP error channelSwitch to the HTTP error channel at any time by using the '!channel http' command.This channel requires that SQL errors are shown in the body of the HTML. Not often seen in practise today, but useful when present. Much faster than the other modes.Configuration variables for the HTTP error channel (see Appendix A for a longer description: request_timeout6. RequirementsBefore installing squeeza, ensure that the following system requirements are fulfilled: ruby (developed on 1.8.4, should work on any version after that, at least. prior to 1.8.4, test and let me know if it works) tcpdump (if you're planning on using the dns channel. if you're running windows, let me know which, if any, of the various tcpdump ports worked for you) access to a dns server, if you'll be using the dns channel a large SQL injection point in a vulnerable web application. how large? typical injection strings are 600 or so bytes. #7. Additional Resources ##7.1 Bugs Apart from sql mode not working with the http error channel, we aren't aware of major bugs in squeeza. Feel free to send your bug reports to research@sensepost.com, along with a description of what when wrong, what you were doing at the time, squeeza output and so on. Setting '!debug 2' will give you much more output.7.2 Appendix A: Known configuration variablesDefault value is given in rounded braces after the variable name. If a variable takes on a one of a pre-defined set of values, they are specified after the variable name like so: random_var (default) [ value1 | value 2 | value 3 ]All clear? Good. Let's carry one.ansi (off) [ on | off ] - Specifies whether your terminal capable of handling ansi characters. Set to 'no' for Windows use.cmd_table_name (sqcmd) - Name of temporary table to use in command modecp_table_name (sqfilecp) - Name of temporary table to use in copy mode debug (0) [ 0 | 1 | 2 ] - debug leveldelay (1) - Integer specifying how long to wait for a 1-bit when using the timing channel. Normally this is automatically calculated by !calibdns_domain - Domain that is appended to data when initiating DNS requests. You should have access to traffic between the database server and the DNS server for the dns_domain (either because you're running squeeza on the DNS server or because you're on the path between the victim and the DNS server.dns_privs (high) [ high | medium | low ] - Specifies which injection string to use with the dns channel. - high : database user is sysadmin, and xp_cmdshell is available - medium : database user is sysadmin, xp_cmdshell is not available (we'll use xp_getfiledetails as a reasonable substitute) - low : database user is unprivileged, use xp_getfiledetailsdns_server - IP address of your local machine. If 'dns_privs' is 'high' then we can pass the address of our own DNS server to nslookup. Use this variable if dns_privs is high and works, the server can send UDP traffic directly to your machine.headers[] - Additional HTTP headers to add to the request. Use this to add cookies etc. Usage permits multiple headers[] lines e.g.: headers[]=Cookie: qweqwewqeqweqweqwe headers[]=User-Agent: My squeezahost - Used by the http module to send requests to a vulnerable web application.http_resp_ok (200) - a comma-separated list of http response codes that squeeza should consider OK, otherwise throw errors. For instance, regular DNS and timing attacks only consider 200s to be acceptable by 500s are returned by the HTTP error channel as part of its operation.lines_per_request (1) - Used by the DNS module to request multiple lines per HTTP request. Experiment with setting higher if you like.method (post) [ post | get ] - http method to usemssql_channel (dns) [ dns | time | http ] - Decide at start-up which channel to use.mssql_mode (cmd) [ cmd | copy | sql ] - Decide at start-up which mode to enter.one_range - used by the time channel to determine if a request's time is to be treated as a 1-bit.outlier_weight - used by the time channel to discard outliers when calibratingport (80) - port on which the webserver is listeningprompt (sp-sq>) - used by the shell as a promptquerystring - either POST or GET parameters for the vulnerable page. mark the injection point with _X__X e.g. querystring=__VIEWSTATE=dDwtMTcxMDQzNTQyMDs7PtQR3aDGafqEYIzRv SwVTqrcmzY0&m_search=_X__X&_ctl3=Searchrequest_timeout (20) - user by various channels as a generic timeoutsql_postfix - string that will complete the injection string. typically this would be a "--" (excluding the "")sql_prefix - string that ends the sql statement immediately prior to squeeza's injection string. typically this might look like "';" (excluding the "")ssl (off) [ on | off ] - determine whether ssl is neededtime_privs (high) [ high | low ] - this value is automatically selected for you, depending on the chosen modeurl - a path to the vulnerable pagezero_range - used by the time channel to determine if a request's time is to be treated as a 0-bit.Download:https://github.com/sensepost/squeeza
cyplex Posted August 15, 2013 Report Posted August 15, 2013 ON: Am avut si eu programu asta acum 2 ani dar nu stiam cum sa-l folosesc dar mai incerc odata OFF:Pute-ai si tu sa-l traduci pentru ce-i care nu stiu engleza.
Avram Posted August 25, 2013 Report Posted August 25, 2013 Ok, Dar vulnerabilitatea cum o gasesc:( ?Scuze sunt la inceput nu sariti cu gura pe mine