SQL injection

[Faisal Khan <faisal () netxs com pk>]

Pardon the ignorance, but is there any hardware/software based device that 
can outright prevent/mitigate (detect?) SQL injections? Would an IDS be 
able to prevent this?






At 08:29 PM 6/9/2005, you wrote:
> Another option you could try is to use ettercap to insert your
> laptop/pen-test system in as a Man-in-the-Middle between the SQL server
> and client systems and then capture the port 1433 traffic using
> tcpdump/ethereal/your favorite packet capturing program.  This will
> definitely yield the 'sa' password (as well as others).
>
> If you're using Windows on your attack platform, consider using Cain &
> Abel as it can do the Man-in-the-Middle/SQL password capture all in one.
>
> Ido
> --
> Ido Dubrawsky, CISSP
> Senior Security Consultant
> SBC/Callisma
> (571) 633-9500 (Office)
> (202) 213-9029 (Mobile)
>
>
> > -----Original Message-----
> > From: Erik Pace Birkholz [mailto:erik () specialopssecurity com]
> > Sent: Thursday, June 09, 2005 4:06 AM
> > To: Hugo Vinicius Garcia Razera; pen-test () securityfocus com
> > Cc: Erik Pace Birkholz
> > Subject: RE: pen-test on a windows 2003 server box whit
> > MS-SQL and Terminal Services
> >
> >
> > Hugo,
> >
> > Based on the limited info you have provided, here is my advice.
> >
> > Have you done UDP port scans? If you haven't done so, scan to
> > determine
> > what UDP ports are open. Depending on what you find this could be
> > helpful. For example, if SNMP is available with a default or guessable
> > community name it will provide usernames among other goodies.
> >
> > Re: obtaining the SQL version; since the OS is Win3k the SQL
> > server will
> > likely be SQL 2000 with SP3 or later. If you really want to
> > find out try
> > SQLVer (www.sqlsecurity.com) as Chip already mentioned and
> > try SQLRecon
> > (www.SpecialOpsSecurity.com -click on LABS).
> >
> > With that said don't give up on the SQL "SA" brute force
> > attacks. There
> > is no account lock out for SA so rock and roll. SQLDict.exe
> > works pretty
> > well if you have a big dictionary file. Another option is ForceSQL.exe
> > because it brute forces an account (sa) based on a user specified
> > character set (charset.txt) up to a user specified max
> > password length.
> >
> > You also mentioned DNS: 53. Not sure if you are referring to
> > UDP or TCP?
> > If it is TCP then you should try a zone transfer.
> >
> > Also don't forget full (1-65535) TCP port scans and source port scans
> > (SRC=20,53,88,80,etc...)
> >
> > Finally use tracerouting, hping2, tcpdump, etc to determine if the
> > blocking ACLs are on the host or a network device. Something is
> > facilitating the firewalling that is hiding juicy MS specific
> > ports like
> > TCP 135 and 445. Is it ICF, IPSec, a personal firewall, network
> > firewall, perimeter router or what? Once you know this it will help
> > direct your attempts to subvert that protection and get
> > exposure to more
> > ports on the target.
> >
> > Let us know how it goes!
> >
> > Good luck,
> >
> >    Erik Pace Birkholz
> >       www.SpecialOpsSecurity.com
> >
> >
> >
> > -----Original Message-----
> > From: Hugo Vinicius Garcia Razera [mailto:hviniciusg () gmail com]
> > Sent: Tuesday, June 07, 2005 4:01 PM
> > To: pen-test () securityfocus com
> > Subject: pen-test on a windows 2003 server box whit MS-SQL
> > and Terminal
> > Services
> >
> > Hi every one, I'm doing a pen test on a client, and have found that he
> > have a windows 2003 server box on one segment of his public addresses
> > this is his dns/web/mail server:
> >
> > - mssql :1433
> > - terminal services :3389
> > - iis 6 :80
> > - smtp :25
> > - pop3 :110
> > - dns : 53
> > - ftp : filtered
> >
> > ports opened, i logged on the terminal services port whit the winxp
> > remote desktop utility and it connects perfectly.
> >
> > i tried a dictionari atack on mssql server whit the "sa" account and
> > others user names i collected.
> >  Hydra from THC was the tool, but no succes on this atack.
> > also tried the tsgrinder for terminal services , but no success.
> >
> >
> > well here come some questions:
> >
> > - What others Usernames should i try for sql and terminal services?
> >   i tried whit "sa" for sql and "Administrator" for TS
> >
> > - Any one knows how could i identify what version of sql server is
> > running.
> > - What other services of this host can be exploited?
> >
> > any comments, ideas, suggestions would be greatly appreciated.
> >
> > Hugo Vinicius Garcia Razera
> >



Faisal Khan
CEO
Net Access Communication
Systems (Private) Limited
_____________________________
1107 Park Avenue, 24-A, Block 6,
PECHS, Main Shahrah-e-Faisal,
Karachi 74500 (Pakistan)
Board: +92 (21) 111 222 377
Direct: +92 (21) 454-346
Fax: +92 (21) 454-4347
Cell: +92 (333) 216-1291
Email: faisal () netxs com pk
Web: <http://www.netxs.com.pk/>www.netxs.com.pk