Metasploit mailing list archives

using Meterpreter, out of MSF // SQL Injection module


From: mmiller at hick.org (mmiller at hick.org)
Date: Sun, 30 Oct 2005 02:21:25 -0600

On Sun, Oct 30, 2005 at 10:02:23AM +0200, RaMatkal wrote:
> The script was developed a while ago to automatically exploit SQL injection
> vulns on MSSQL.
> Basically it works as follows:
> 
> A- Determines USER connected to the database
> B- Determines DB version
> C- Enumerates table and col names
> D- Saves first x rows of selected tables into .csv files
> 
> The script could easily be extended to a variety of other things such as use
> extended stored procedures to read/write from remote fs and execute commands
> 
> The problem I see implementing it in metasploit is twofold:
>     i) Different apps/servers return different error messages and so
> metasploit would need some sort of variable which would need to define how
> to extract the relevant information from the error message. This is
> currently done manually by editing the perl script and tweaking it for
> different servers/apps...sometimes it takes a couple of minutes to get it
> right....

Well, one way to implement this would be to provide some sort of
abstract class that allows you to define a common interface to the SQL
injection tasks that can be shared and overridden by derived classes
that have an app-specific or server-specific error message handler.  You
could then just basically have either a hierarchical or linear search
asking each of the (potentially ranked) classes which would be most
likely capable of handling the specific error format.

This sort of approach actually plays quite well into msf 3.0's recon
modules that are designed to be extensible and sharable in nature.

>    ii) The reason I have not released the script is for fear of script
> kiddies....the amount of sites which are vulnerable to SQL injection is
> still extremely high....a search on google for ".asp?id=1" reveals
> thousands of thousands of sites which could easily be exploited.....

Always a valid concern.  I think it's fair to not release something if
the potential for abuse is high.  Unfortunately, there is no universal
answer :)
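The ranked handler hierarchy sketched in the reply above, as an added example (not code from the thread or from Metasploit), turned to the defensive side of the same problem: checking whether an application's responses leak raw database error text, which is the signal such scripts key on. The handler names, score thresholds and sample responses below are constructed for illustration.

```ruby
# Base class: the common interface that every error-format handler overrides.
class DbErrorHandler
  def score(_text); 0.0; end   # confidence (0.0..1.0) that we understand the text
  def extract(_text); {}; end  # fields leaked by the error text, for the report
end

# Microsoft SQL Server behind ODBC/OLE DB, the classic-ASP error page style.
class MssqlOdbcHandler < DbErrorHandler
  MARKER = /Microsoft OLE DB Provider for (?:ODBC Drivers|SQL Server)\s+error '(?<code>[0-9a-f]{8})'/i
  def score(text)
    return 0.0 unless text =~ MARKER
    text.include?('[SQL Server]') ? 0.9 : 0.6   # the driver tag makes it certain
  end
  def extract(text)
    m = MARKER.match(text) or return {}
    # The server's own message is the next non-blank line after the marker.
    detail = text[m.end(0)..-1].lines.map(&:strip).find { |l| !l.empty? }
    { engine: 'mssql', code: m[:code], detail: detail.to_s }
  end
end

# MySQL error text as typically echoed by PHP applications.
class MysqlPhpHandler < DbErrorHandler
  MARKER = /You have an error in your SQL syntax|not a valid MySQL result resource/
  def score(text); text =~ MARKER ? 0.8 : 0.0; end
  def extract(text)
    line = text.lines.map(&:strip).find { |l| l =~ MARKER }
    line ? { engine: 'mysql', detail: line } : {}
  end
end

# Registry: asks every handler for a rank and delegates to the best one;
# check returns nil when no handler recognizes the body, else a report hash.
class LeakDetector
  def initialize(handlers); @handlers = handlers; end
  def check(body)
    text = body.gsub(/<[^>]+>/, ' ')            # drop HTML tags, keep newlines
    score, handler = @handlers.map { |h| [h.score(text), h] }.max_by(&:first)
    return nil if score.nil? || score <= 0.0
    { handler: handler.class.name, score: score }.merge(handler.extract(text))
  end
end
DETECTOR = LeakDetector.new([MssqlOdbcHandler.new, MysqlPhpHandler.new])

# Constructed sample responses (not captured from any real site).
MSSQL_SAMPLE = <<~HTML
  <p><font face="Arial">Microsoft OLE DB Provider for ODBC Drivers</font> <font>error '80040e14'</font>
  <p><font>[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.</font>
HTML
MYSQL_SAMPLE = "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/var/www/list.php</b> on line <b>8</b>"
CLEAN_SAMPLE = "<html><body><p>No products matched your search.</p></body></html>"
```

A non-nil report from `DETECTOR.check` on a production response means the application is returning raw driver errors to clients; the fix is a generic error page with the detail logged server-side.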
