For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution, compared to other platforms. This tool is written to demostrate how remote code execution can be performed on a database connector that do not support stack queries.

Key Features

• SQL Injection detection using time based injection method
• Database fingerprint
• Web server directory fingerprint
• Payload creation and execution

MySqloit is currently only tested on Linux. This is a new tool though so we should expect more development soon, I hope some of you guys can test it out and let the author know what you think.

You can download MySqloit v0.1 here:

MySqloitv0.1.tar

Or read more here.

For those not familiar with the tool, sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications.

Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

Recent Changes

Along all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:

• Adapted Metasploit wrapping functions to work with latest 3.3 development version too.
• Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.
• Reset takeover OOB features (if any of –os-pwn, –os-smbrelay or –os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter.
• This make sqlmap 0.7 to work again on Windows too.
• Minor improvement so that sqlmap tests also all parameters with no value (eg. par=).
• HTTPS requests over HTTP proxy now work on either Python 2.4, 2.5 and 2.6+.

For a complete list of changes view the ChangeLog.

The manual is available here – README.pdf [PDF]

You can download sqlmap 0.7 here:

Linux Source: sqlmap-0.7.tar.gz
Windows Portable: sqlmap-0.7_exe.zip

Or read more here.

We reported bsqlbf when it first hit the net back in April 2006 with bsqlbf v1.1, then the v2.0 update in June 2008. This new update adds much better Oracle support.

Databases supported:

• MS-SQL
• MySQL
• PostgreSQL
• Oracle

The 6 Attack Models

• Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
• Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.
• Type 2: Blind SQL Injection in “order by” and “group by”.
• Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
• Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
• Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)

New additions

-type: Type of injection:

3: Type 3 is extracting data with DBA privileges
(e.g. Oracle password hashes from sys.user$)
4: Type 4 is O.S code execution(default: ping 127.0.0.1)
5: Type 5 is Reading O.S files(default: c:\boot.ini)

Type 4 (O.S code execution) supports the following sub types:

-stype: How you want to execute command:

0: SType 0 (default) is based on java,
universal but won’t work against XE
1: SType 1 against oracle 9 with plsql_native_make_utility
2: SType 2 against oracle 10 with dbms_scheduler

You can download bsqlbf v2.3 here:

bsqlbf-v2-3.pl

Or read more here.

Well the latest version has been released recently with some updates, bug fixes and improvements on the web application security front.

I’m hoping to try out the AcuSensor on a PHP install soon to see what kind of information it can give me.

A full review isn’t really need as the installation, interface and features are mostly the same as version 6.

One of the great new features is the Login Sequence Recorder (LSR), which can record the exact sequence needed to login to a site and replay it.

Combine this with the Session Auto Recognition module, which will identify when a logged in session is invalided or expired and will re-login automatically and you have a great tool for scanning authentication based web applications.

There is also a lot more support for JSP/Tomcat based application, I haven’t had chance to test this as I don’t deal with many Java based web applications.

Also included are some back-end and interface changes like the display of port scan & network alerts separately from the web alerts, which does make it easier to see where the issues are.

Backend stuff like cookie handling and Blind SQL Injection methods have been improved, you can also import your settings from Version 6 if you are currently using that.

You can read the press release here, or more on the blog here.

The pricing can be found here (in both Euros and USD).

If you want to know more about the features you can download the manual here:

Acunetix WVS 6.5 Manual [PDF]

Database Support

• Access: Informations (Database Path; Root Path; Drivers); Data
• MSSql: Informations; Data; FileReader; RegReader; FileWriter; Cmd; DirTree
• MySql: Informations; Data; FileReader; FileWriter;
• Oracle: Inforatmions (Version; IP; Database; Accounts ……); Data; and any others;
• Informix: Informatons; Data
• DB2: Informatons; Data; and more;
• Sybase: Informatons; Data; and more;
• PostgreSQL: Informatons; Data; FileReader;
• Sqlite: Informatons; Data

At present, most of the functions are directed at MSSQL and MySql coupled with Oracle and Access. Other small and medium-sized companies are using DB2, Informix, Sybase, PostgreSQL, as well as Sqlite which isn’t so common.

You can download Pangolin here:

pangolin_free_edition_2.1.2.924.rar (Download Page)

Or read more here.

Via a command line interface that mimics a mysql console, you can retrieve the database structure, inject a SQL query, download files from the web server, upload and control a backdoor, and much more…

It is designed to maximize the amount of data gathered per web server hit, making the best use of MySQL functions to optimize the available injection space.

sqlsus is focused on PHP/MySQL installations, and integrates some neat features, some of them being really specific to this DBMS.

It is not and won’t ever be a SQL injection scanner, it starts its job on the next step.

Both quoted and numeric injections are supported.

All quoted texts can be translated as their hex equivalent (eg : “sqlsus” will become 0×73716c737573)

sqlsus also supports these 2 scenarios of injection :

• sighted : the result of the request will be in the HTML returned by the web server
• blind : when you can’t see the result of the request directly

Support for GET and POST parameters injections.

Support for HTTP proxy and HTTP simple authentication.

Full logging support of your queries and the answers, allowing you to recall a command and its cached answer, even in a later re-use of the session.

Key variables can be edited on the fly, saved per session, and can be loaded in a later session on the same target server.

Requirements

On a Debian system, in addition to perl, you will need the following packages :

• libterm-readline-perl-perl
• libipc-shareable-perl
• libwww-mechanize-perl

It also requires previous SQL injection knowledge, and.. well.. a brain helps.

You can download sqlsus 0.2 here:

sqlsus-0.2.tgz

Or read more here.

Later Kaspersky has stated that no data was actually exposed, apparently there was a flaw to do with data validation and perhaps only the database table names were exposed – not the data within.

So far though it’s all speculation unless the hacker releases the actual data and Kaspersky comfirms it there’s no way we can know what has actually transpired.

Anti-virus vendor Kaspersky Lab denies any data was stolen during a SQL injection attack launched Feb. 6. Well-known database security expert David Litchfield of NGSSoftware is doing a third-party review for Kaspersky.

Officials at anti-virus vendor Kaspersky Lab are adamant that no data was stolen during a hack of its U.S. support site over the weekend.

According to Kaspersky Lab, on Feb. 6, a hacker exploited a flaw on the Web site to launch a SQL injection attack. After Kaspersky officials received word of the breach Feb. 7, they took down the vulnerable site and replaced it.

The security company maintained in a press conference Feb. 9 that no data had been leaked. However, the anonymous hacker behind the attack publicized table names purportedly taken from a Kaspersky database the hacker accessed.

Kaspersky has already commissioned a 3rd party audit from well-known specialist in Database Security, David Litchfield the principal consultant with NGS Software.

I wonder if Mr. Litchfield will publish his findings publicly or they will be vetted through Kaspersky first, I’d imagine the latter – which again means we might never know the true extent of the vulnerability.

According to the company, the problem was due to the site not properly validating user input. Roel Schouwenberg, senior anti-virus researcher at Kaspersky, confirmed that the names of the tables are accurate. However, having the names of the tables does not mean the hacker actually accessed them, he noted.

Schouwenberg added that no credit card data was stored on the server targeted by the hacker, though there were product activation codes and 2,500 e-mail addresses for people who signed up for a product trial.

“This shouldn’t have happened,” Schouwenberg said, adding he was worried about the impact the hack would have on Kaspersky’s reputation.

The vulnerable code the hacker took advantage of to launch the attack was developed externally and did not go through Kaspersky’s normal code review process, Schouwenberg said.

It shouldn’t have happened? What insight these people have!

They are blaming the vulnerability on code developed externally, and it seems that from the story it’s limited data to do with some kind of software trial. It’s not the full customer records database.

Still I think we need to wait a little longer to get a clearer picture of what is going on, either way it looks like this might be an interesting story for us to follow.

Source: eWeek

This time it’s for a much more relevant piece of software IMHO, and one which I actually like using and have used in the past – Acunetix Web Vulnerability Scanner 6. Version 6 was recently released and has some quite exciting new features including the new more accurate Acusensor, Port Scanner and Network Alerts tool and actual Blind SQL Injection.

If you were previously using version 5 and you’re interesting in version 6 there are some good progressive changes. One good development is AcuSensor which goes much more in depth into web application security testing and code injection (it can find vulnerabilities that typical black box scanning wouldn’t). The new Port Scanning feature will perform some kind of Nessus like function and try and find vulnerabilities in network services, you can learn more about adding your own vulnerability scripts here.

Something important for me too is the additional of Pausing a scan, this is very useful especially on a long scan when you can only carry it out during off peak hours.

There are some other minor improvements like the ability to mark an alert as a false positive, improvements in the scheduler and general improvements in the searching and filtering features.

Installation

Installation is very easy, there are very few options to select and it’s just a next-next kind of install. There is the option of installing the BETA Firefox Plugin, which is pretty neat. No reboot is required during install, but you do need to Restart Firefox if you wish to utilize the Plugin.

Getting Started

Once you fire up the software it will let you know if there are any updates, it’s managed very well with no manual action needed by the user.

With the wizard it’s very easy to start a scan or any of the other tasks within WVS.

Once the target is selected it allows you to optimize the scan for various different technologies depending on the architecture of the site (PHP, ASP, Perl and so on).

Then the scanning options – it gives you 3 main options for scanning; Extensive, Heuristic and Quick.

It also offers you some variety in crawling options, how deep you want to go, should you scan above the root directory or only below and then after that it’s basically on auto-pilot (it does give you the option for HTTP Authentication if you need to scan something behind a login/password).

Features

The crawling and scanning is pretty comprehensive, whilst the scan is taking place it give you updates in terms of progress and in terms of anything it has found (categorised).

The progress section is quite detailed and shows which module is running, on which page of the site and generally what is happening (some scripts run concurrently).

As for anything it finds out of the ordinary, threats are categorised into 3 levels – High, Medium & Low. On top of that there is also info and knowledge base (such as which ports are open).

There are also other useful tools such as the HTTP Fuzzer and Sniffer which are good for examining HTTP traffic in detail and especially for exposing weak authentication schemes.

AcuSensor is interesting because it actually has a server side component, both for ASP.NET applications and PHP based web apps. This means that it can tell you exactly where in your code the flaw is – like this SQL Injection Vulnerability found in Mambo by AcuSensor.

There’s another example about backdoor code in web applications here, with the example this time being the Wordpress 2.1.1 Vulnerability.

This is the first time I’ve encountered this kind of technology and I think it’s an excellent step forwards in automated code auditing and deeper web application security.

Surprisingly I also found some Legislation and Compliance reports inside the WVS, this was a welcome surprise (as I’ve been involved in many ISO27001 projects) something like this can really save time.

Conclusion

All in all it’s a well rounded tool with a pretty accurate scanning engine (You can find a list of vulnerabilities it checks for here including those for specific software), it’s come a long way since the earlier versions and is now quite strong in all areas of web application security testing.

The new AcuSensor also ensures more vulnerabilities are found and less false positives delivered – false positives are the bane of any vulnerability scanner. That’s where the consultant skill comes in, ascertaining which are real and which are not.

A good part is it’s quite usable by less technical people as it gives in-depth descriptions on both a conceptual and a technical level enabling people to understand the issue uncovered.

Darknet recommends Acunetix Web Vulnerability Scanner 6 highly, it could make a real difference to your work flow for the consultants and for the in-house guys it could help improve the security, stability and integrity of your web applications.

You can find more reviews about Acunetix WVS here and some Customer Testimonials here.

If you wish to read more about Acunetix WVS you can do so here and you can find the prices here (in both Euros and USD).

You can also check out WVS Free Edition.

- For SQL Server, Oracle
- Error Base and Union Base

Interface

Features

• Retrieve schema : DB/TableSpace, Table, Column, other object
• Retrieve data : retrive paging, dump xml file
• Log : View the raw data HTTP log

Environment

OS: Windows 2000/XP/VISTA
Requirement: Microsoft .NET(2.0) Library (Download Here).

You can download WITOOL v0.1 here:

WITOOL_V0.1_081231.zip

Or read more here.

This time however it doesn’t really effect home users or the general consumer, it’s a more specific server side vulnerability affecting Microsoft SQL Server 2000 and 2005 versions. It seems pretty serious though as it also appears that this vulnerability if exploited properly could lead to remote code execution.

Just days after patching a critical flaw in its Internet Explorer browser, Microsoft is now warning users of a serious bug in its SQL Server database software. Microsoft issued a security advisory late Monday, saying that the bug could be exploited to run unauthorized software on systems running versions of Microsoft SQL Server 2000 and SQL Server 2005.

Attack code that exploits the bug has been published, but Microsoft said that it has not yet seen this code used in online attacks. Database servers could be attacked using this flaw if the criminals somehow found a way to log onto the system, and Web applications that suffered from relatively common SQL injection bugs could be used as stepping stones to attack the back-end database, Microsoft said.

Desktop users running the Microsoft SQL Server 2000 Desktop Engine or SQL Server 2005 Express could be at risk in some circumstances, Microsoft said.

Again I wonder how far behind the curve Microsoft is with this? Usually these kind of bugs have been discovered by the more malicious parties way before Microsoft has any idea that their software is vulnerable.

It claims that the code hasn’t been used in online attacks, but honestly if it was used well by a smart party who would even know? SQL injection could lead to this attack being executed and the code is published online so I find it unlikely that it hasn’t been used.

The bug lies in a stored procedure called “sp_replwritetovarbin,” which is used by Microsoft’s software when it replicates database transactions. It was publicly disclosed on December 9 by SEC Consult Vulnerability Lab, which said it had notified Microsoft of the issue in April.

“Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue,” Microsoft said in its advisory.

This is the third serious bug in Microsoft’s software to be disclosed in the past month, but it is unlikely to be used in widespread attacks, according to Marc Maiffret, director of professional services, with The DigiTrust Group, a security consulting firm. “It is rather low risk given other vulnerabilities that exist,” he said via instant message. “There are a lot of better ways to currently compromise windows systems.”

The bug was discovered by someone in April this year, so that’s at least 7 months someone has known about it..but only know when the vendor discloses it then Microsoft chooses to say something about it.

It is a fairly low risk vulnerability due to the requirements needed to execute it effectively, but still it’s another chink in the Microsoft armour to add to the (long long) list.

Source: Network World