Jump to content
Nytro

Squeeza - SQL Injection without the pain of syringes

By Nytro, in Programe hacking

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

1. Name

Squeeza - SQL Injection without the pain of syringes

2. Authors

Marco Slaviero < marco(at)sensepost(dot)com >

Haroon Meer

3. License, version & release date

License : GPLv2

Version : v0.22

Release Date : 2008/08/24

4. Description

squeeza is a tool helps exploits SQL injection vulnerabilities in broken web applications. Its functionality is split into creating data on the database (by executing commands, copying in files, issuing new SQL queries) and extracting that data through various channels (dns, timing, http error messages)

Currently, it supports the following databases:

Microsoft SQL Server

MySQL (only when multi-queries are enable, which is not too common)

squeeza is not a tool for finding injection points. That recipe generally starts with 1 x analyst. #5. Usage ##5.1 Installation Installation is easy. Untar the archive into an appropriate spot. > $tar xvzf squeeza-0.21.tar.gz

Thereafter, edit the configuration file. By default, this is called 'squeeza.config' and resides in the same directory as the rest of the scripts.

Off the bat, you'll want to edit at least the following configuration items:

host

url

querystring

method

sql_prefix

sql_postfix

dns_domain

The default mode is command mode, and the default channel is dns. ##5.2 Data Flow Model As already mentioned, squeeza splits the creation of data at the server away from the extraction of that data off the server (within certain constraints). Data is created by a /mode/, and extracted via a /channel/. By doing so, it is possible to mix 'n match modes with channels, which we think is pretty nifty/flexible.

Currently supported modes:

command mode : supports commands execution on the database server

copy mode : supports copying of files from the database server to the local machine

sql mode : supports the execution of arbitrary sql queries

Currently supported channels:

dns channel : extracts data via dns

timing channel : extracts data by timing bits in the output

http error message : extracts data through http error messages, similarly to Sec-1's automagic sql injector

Although we've striven for complete separation of modes and channels, we haven't completely succeeded as of yet (our SQL-fu is not strong). The following matrix shows the level of support for each mode and channel combination.

Channel

.-------------------------------------.

| DNS | Timing | HTTP Errors |

.----------+-----------+-----------+-------------|

M | Command || Supported | Supported | Supported |

o | Copy || Supported | Supported | Supported |

d | SQL || Supported | Supported | Unsupported |

e | || | | |

`------------------------------------------------`

Obviously, you'll also be limited by the capabilities of the database connection. If xp_cmdshell is removed or otherwise unavailable, squeeza isn't going to magically make it reappear.

5.3 Command Set

The following commands are hooked into the basic squeeza shell. (Each module will probably further expose its own commands.) squeeza commands are always prefixed by a '!'.

!help - print help for the shell and any loaded modules

!quit - take a guess...

!set - use this to set or view shell variables

The mssql module has the following commands:

!channel - use to view or set the current channel

!cmd - switch to command mode

!copy - switch to copy mode

!sql - switch to sql mode

5.4 Example Usage

Starting squeeza:

$./squeeza.rb

Squeeza tha cheeza v0.21 © {marco|haroon}@sensepost.com 2007

sp-sq>

This presents you with a basic shell from which to control squeeza. All squeeza commands are prefixed by a '!'. Anything else is sent through to the underlying module; this generally causes action to occur. E.g. The default mode is command mode. When typing in

sp-sq> dir c:\

The command 'dir c:\' is sent to the server, and its output is returned via your channel of choice. To switch to HTTP error-based copy mode, and copy the file c:\sp.jpeg to local file sp.copied, the following command sequence would work

sp-sq> !channel http sp-sq> !copy sp-sq> c:\sp.jpeg sp.copied

To then extract a list of database tables via timing, one could use

sp-sq> !channel time sp-sq> !sql sp-sq> !ret tables

5.5 Using command mode

Switch to command mode at any time by using the '!cmd' command.

This mode enables the execution of commands on the server. Type in the command of choice, and squeeza will execute it and return its results.

Beware that if you attempt to execute a file that triggers a handler, then squeeza will timeout waiting for a response. E.g. if you execute

c:\some.jpeg, the database server will probably fire up Windows Picture and Fax Viewer /on the server/, and sit waiting for the viewer to quit. Which it won't.

Command mode uses the following variables:

cmd_table_name : name to use for temporary table in database, default is 'sqcmd'

5.6 Using copy mode

Switch to copy mode at any time by using the '!copy' command.

This mode enables the copying of files /from/ the server to your local machine. Format of copy command is:

sp-sq> src-file [dst-file]

where 'src-file' is a full path to the file you want to copy, and the optional 'dst-file' is a local filename.

5.7 Using sql mode

Switch to sql mode at any time by using the '!sql' command.

This mode enables the execution of fairly simple but arbitrary SQL queries on the database. It has built-in queries to help with the mapping of database schema, but one can easily construct one's own queries. This mode does not actually build an intermediate or temporary table before data extraction, as an added optimisation.

The built-in queries are operated using the '!ret' command. Possible values for '!ret' include:

info

tables

columns < table_name >

E.g.:

sp-sq> !ret info sp-sq> !ret tables sp-sq> !ret columns sysobjects

Issuing arbitrary queries is a little more complex (but not by much!)

The query should take the form of:

< column_name > < table_names > < where_clause >

For instance, to extract user tables one could use the following query

sp-sq> name sysobjects xtype='U'

5.8 Using the DNS channel

Switch to the dns channel at any time by using the '!channel dns' command.

This channel is useful when no HTTP error messages are present, and you can't export reverse shells or connect to bind shells due to network limitations. If DNS is allowed out the network, the channel will work for you.

Depending on whether your injection point has sysadmin privileges or not, squeeza can be instructed to use different injection strings. This is influenced by the 'dns_privs' configuration variable. Possible values:

high : database user is sysadmin, and xp_cmdshell is available

medium : database user is sysadmin, xp_cmdshell is not available (we'll use xp_getfiledetails as a reasonable substitute)

low : database user is unprivileged, use xp_getfiledetails

Other configuration variables that affect the DNS channel (see Appendix A for a longer description):

request_timeout

dns_domain

dns_server

5.9 Using the timing channel

Switch to timing channel at any time by using the '!channel time' command.

This channel enables the extraction of data when very few database or network privileges are present. It can be extremely slow (as in, 1 or 2 bits per second) but might just be what you need.

The timing channel provides the command '!calib' for automatic calibration of time ranges. Feedback on the effectiveness of this command is gratefully accepted.

Configuration variables for the timing channel (see Appendix A for a longer description:

delay

outlier_weight

one_range

zero_range

time_privs

ansi

request_timeout

5.10 Using the HTTP error channel

Switch to the HTTP error channel at any time by using the '!channel http' command.

This channel requires that SQL errors are shown in the body of the HTML. Not often seen in practise today, but useful when present. Much faster than the other modes.

Configuration variables for the HTTP error channel (see Appendix A for a longer description:

request_timeout

6. Requirements

Before installing squeeza, ensure that the following system requirements are fulfilled:

ruby (developed on 1.8.4, should work on any version after that, at least. prior to 1.8.4, test and let me know if it works)

tcpdump (if you're planning on using the dns channel. if you're running windows, let me know which, if any, of the various tcpdump ports worked for you)

access to a dns server, if you'll be using the dns channel

a large SQL injection point in a vulnerable web application. how large? typical injection strings are 600 or so bytes.

#7. Additional Resources ##7.1 Bugs Apart from sql mode not working with the http error channel, we aren't aware of major bugs in squeeza. Feel free to send your bug reports to research@sensepost.com, along with a description of what when wrong, what you were doing at the time, squeeza output and so on. Setting '!debug 2' will give you much more output.

7.2 Appendix A: Known configuration variables

Default value is given in rounded braces after the variable name. If a variable takes on a one of a pre-defined set of values, they are specified after the variable name like so:

random_var (default) [ value1 | value 2 | value 3 ]

All clear? Good. Let's carry one.

ansi (off) [ on | off ] - Specifies whether your terminal capable of handling ansi characters. Set to 'no' for Windows use.

cmd_table_name (sqcmd) - Name of temporary table to use in command mode

cp_table_name (sqfilecp) - Name of temporary table to use in copy mode

debug (0) [ 0 | 1 | 2 ] - debug level

delay (1) - Integer specifying how long to wait for a 1-bit when using the timing channel. Normally this is automatically calculated by !calib

dns_domain - Domain that is appended to data when initiating DNS requests. You should have access to traffic between the database server and the DNS server for the dns_domain (either because you're running squeeza on the DNS server or because you're on the path between the victim and the DNS server.

dns_privs (high) [ high | medium | low ] - Specifies which injection string to use with the dns channel. - high : database user is sysadmin, and xp_cmdshell is available - medium : database user is sysadmin, xp_cmdshell is not available (we'll use xp_getfiledetails as a reasonable substitute) - low : database user is unprivileged, use xp_getfiledetails

dns_server - IP address of your local machine. If 'dns_privs' is 'high' then we can pass the address of our own DNS server to nslookup. Use this variable if dns_privs is high and works, the server can send UDP traffic directly to your machine.

headers[] - Additional HTTP headers to add to the request. Use this to add cookies etc. Usage permits multiple headers[] lines e.g.:

headers[]=Cookie: qweqwewqeqweqweqwe

headers[]=User-Agent: My squeeza

host - Used by the http module to send requests to a vulnerable web application.

http_resp_ok (200) - a comma-separated list of http response codes that squeeza should consider OK, otherwise throw errors. For instance, regular DNS and timing attacks only consider 200s to be acceptable by 500s are returned by the HTTP error channel as part of its operation.

lines_per_request (1) - Used by the DNS module to request multiple lines per HTTP request. Experiment with setting higher if you like.

method (post) [ post | get ] - http method to use

mssql_channel (dns) [ dns | time | http ] - Decide at start-up which channel to use.

mssql_mode (cmd) [ cmd | copy | sql ] - Decide at start-up which mode to enter.

one_range - used by the time channel to determine if a request's time is to be treated as a 1-bit.

outlier_weight - used by the time channel to discard outliers when calibrating

port (80) - port on which the webserver is listening

prompt (sp-sq>) - used by the shell as a prompt

querystring - either POST or GET parameters for the vulnerable page. mark the injection point with X_X_X_X_X_X e.g.

querystring=__VIEWSTATE=dDwtMTcxMDQzNTQyMDs7PtQR3aDGafqEYIzRv

SwVTqrcmzY0&m_search=X_X_X_X_X_X&_ctl3=Search

request_timeout (20) - user by various channels as a generic timeout

sql_postfix - string that will complete the injection string. typically this would be a "--" (excluding the "")

sql_prefix - string that ends the sql statement immediately prior to squeeza's injection string. typically this might look like "';" (excluding the "")

ssl (off) [ on | off ] - determine whether ssl is needed

time_privs (high) [ high | low ] - this value is automatically selected for you, depending on the chosen mode

url - a path to the vulnerable page

zero_range - used by the time channel to determine if a request's time is to be treated as a 0-bit.

Download:

https://github.com/sensepost/squeeza

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
Go to topic listing
×
×
  • Create New...