SQLiv: a massive SQL injection scanner

SQLiv is a Python-based scanning tool that uses Google, Bing or Yahoo for targeted scanning, focused on revealing pages with SQL injection vulnerabilities.

It uses known dorks in order to find vulnerable URLs.

Features

  1. multiple domain scanning with an SQL injection dork via Bing, Google, or Yahoo
  2. targeted scanning of a specific domain (with crawling)
  3. reverse domain scanning

Installation

  1. Resolve some dependencies:
    pip install bs4 termcolor google
  2. Clone the git repository:
    git clone https://github.com/Hadesy2k/sqliv.git
  3. Start python setup:
    sudo python2 setup.py -i

Quick reference

python sqliv.py --help

usage: sqliv.py [-h] [-d D] [-e E] [-p P] [-t T] [-r]

optional arguments:
  -h, --help  show this help message and exit
  -d D        SQL injection dork
  -e E        search engine [Google only for now]
  -p P        number of websites to look for in search engine
  -t T        scan target website
  -r          reverse domain

Some usage examples

1. Multiple domain scanning with SQLi dork

  • it simply searches for multiple websites using the given dork and scans the results one by one
python sqliv.py -d <SQLI DORK> -e <SEARCH ENGINE>
python sqliv.py -d "inurl:index.php?id=" -e google

2. Targeted scanning

  • you can provide only a domain name, or a specific URL with query parameters
  • if only a domain name is provided, it will crawl the site and collect URLs with a query string
  • it then scans the URLs one by one
python sqliv.py -t <URL>
python sqliv.py -t www.example.com
python sqliv.py -t www.example.com/index.php?id=1

3. Reverse domain and scanning

  • performs a reverse domain lookup and scans the websites hosted on the same server as the target URL
python sqliv.py -t <URL> -r

More information and downloads

BBQSQL, a framework for Blind SQL Injections

Useful for penetration tests


BBQSQL is a blind SQL injection framework written in Python that also provides a semi-automatic tool, helpful for creating customized SQL injection attacks during penetration testing activities.

Blind SQL injection can be difficult to exploit. When the available automated tools don't work well, you have to write something custom, and that is a time-consuming process: BBQSQL can help you address those issues.

For more information and usage, refer to the official documentation on GitHub:

High Level Usage
As with other SQL injection tools, you provide certain request information.

You must provide the usual information:
– URL
– HTTP Method
– Headers
– Cookies
– Encoding methods
– Redirect behavior
– Files
– HTTP Auth
– Proxies


What is a Blind SQL Injection attack?

https://xkcd.com/327/

From OWASP:

Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible.
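To make the "true or false questions" concrete, and to show why a parameterized query removes that oracle, here is an added example (not part of the post, nor BBQSQL's code) using Python's sqlite3 module and a constructed users table. The application only ever reports whether a user was found; with string concatenation that yes/no answer can be steered by a condition hidden in the input, while the bound-parameter version treats the same input as nothing but a name.

```python
import sqlite3

def make_db():
    """Constructed sample database: one user with a secret the page never displays."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cr3t')")
    return conn

def user_exists_vulnerable(conn, name):
    """Vulnerable form: the input is spliced into the SQL text, so a quote inside it
    changes the query. The caller only sees found/not found: that boolean is the oracle."""
    sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None

def user_exists_safe(conn, name):
    """Hardened form: the driver binds the input as a literal value, so whatever it
    contains can only ever be compared against the name column."""
    sql = "SELECT 1 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None

def compare(conn, name):
    """Run one input through both versions and return (vulnerable_answer, safe_answer)."""
    return user_exists_vulnerable(conn, name), user_exists_safe(conn, name)

if __name__ == "__main__":
    db = make_db()
    # Honest input: both versions answer the same question and agree.
    print(compare(db, "alice"), compare(db, "bob"))
    # Input carrying its own condition: only the vulnerable version lets it decide the answer,
    # which is exactly the true/false channel blind SQL injection relies on.
    print(compare(db, "alice' AND substr(secret, 1, 1) = 's"))
```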


Installation

Simple, with pip:

sudo pip install bbqsql

Alternatively, you can install from source:

git clone https://github.com/Neohapsis/bbqsql.git
cd bbqsql
python setup.py install

More information and downloads

https://github.com/Neohapsis/bbqsql/


NoSQL database enumeration and exploitation with NoSQLMap

Like sqlmap, but for non-relational databases!

NoSQLMap is a tool designed to audit for, and automate, injection attacks against NoSQL databases, and to exploit default configuration weaknesses in NoSQL databases and in web applications that use NoSQL, in order to disclose data from the database.
Currently the tool's exploits are focused on MongoDB and CouchDB, but additional support for other NoSQL platforms such as Redis and Cassandra is planned for future releases.

NoSQLMap is developed in Python by Michael Skelton and is named as a tribute to Bernardo Damele and Miroslav Stampar's popular SQL injection tool, sqlmap.

Its concepts are based on and extensions of Ming Chow’s presentation at Defcon 21, “Abusing NoSQL Databases”:

https://www.defcon.org/images/defcon-21/dc-21-presentations/Chow/DEFCON-21-Chow-Abusing-NoSQL-Databases.pdf

Installation

Simply call the setup.py script:

python setup.py install

If run with root privileges, setup.py tries (on Debian and RedHat based systems) to automate the installation of these dependencies:

  • Metasploit Framework
  • Python with PyMongo
  • httplib2
  • urllib
  • A local, default MongoDB instance

How does it work?

Here is a short demo video of NoSQLMap being used to exploit the default security model on a MongoDB server:


More information and downloads

https://github.com/codingo/NoSQLMap

CVE-2016-6662: a critical MySQL Zero-Day

Oracle, are you there? We need you!

Dawid Golunski, a Polish security researcher, discovered several security issues in the MySQL DBMS, including a flaw (CVE-2016-6662) that can be exploited by a remote attacker to inject malicious settings into my.cnf configuration files.

The vulnerability affects all currently supported MySQL versions, as well as MariaDB and PerconaDB.

The vulnerability can be exploited via a SQL injection attack, or by an attacker with valid credentials, either locally or over the Web via phpMyAdmin:

“A successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running”

Golunski has also published a proof-of-concept exploit code:

https://gist.github.com/andreafortuna/7c6e6d8aa936ef459fdbd9298b77452e

More technical information is available in the official advisory.

Patching?

From Golunski’s advisory:

The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team. It was also reported to the other affected vendors including PerconaDB and MariaDB.

The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August. During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers.

As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor's next CPU update that only happens at the end of October.

No official patches or mitigations are available at this time from the vendor. As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use. These are by no means a complete solution and users should apply official vendor patches as soon as they become available.

References

http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

Weekly Cybersecurity Roundup #8

“I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.” – Stephen Hawking


Cybersecurity Trends for 2020

According to Trend Micro's report, ‘The New Norm’, the major cybersecurity risks for organizations in 2020 come from DevOps, third-party libraries, container components and even remote workers.

A pleasant reading for the Christmas holidays!


Detect and bypass Web Application Firewalls using Python

“If you are hired as a penetration tester for some company and they forgot to tell you that they are using a web application firewall, then you might get into a serious mess.”


Interesting article published by Usman Nasir on KaliTutorials: using a Python script, we can forge a malicious XSS request that a “signature based” WAF (like ModSecurity) will classify as legitimate.

Web application firewalls are usually placed in front of the web server to filter the malicious traffic coming towards the server. If you are hired as a penetration tester for some company and they forgot to tell you that they are using a web application firewall, then you might get into a serious mess.


What is a Web Application Firewall?


OWASP website says:

A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.

WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.


Read the whole article with technical details on KaliTutorials.net:

http://www.kalitutorials.net/2016/12/python-detect-and-bypass-web-application-firewall.html

PunkSpider, a powerful web application vulnerability search engine

With great power comes great responsibility!


PunkSPIDER is an extremely powerful tool, and its results should be used with extreme care and awareness.

The developers share this opinion: when you enter the site you are in fact greeted by a pop-up disclaimer that says:

PunkSPIDER 3.0 is now more powerful than ever, but with great power comes great responsibility.

The goal is to provide free information to website users and owners regarding website security status.

We take this very seriously, use it wisely or we’ll have to take it away.

Simply type the URL in the search box to find your website: if it has already been mapped by PunkSPIDER, the web app displays a simple report with the number of flaws found:


(for more information about the project you can read the official documentation)


What kinds of vulnerabilities are mapped by PunkSPIDER?

  • BSQLI = Blind SQL Injection
  • SQLI = SQL Injection
  • XSS = Cross Site Scripting
  • TRAV = Path Traversal
  • MXI = Mail Header Injection or Email Injection
  • OSCI = Operating System Command Injection
  • XPATHI = XPath Injection

Enjoy!