Wednesday, 25 December 2013

How to use SQLMap on Windows for finding SQL Injection flaws on your website

As a (sort-of-mediocre) web developer, I consider the security of the site to be the #1 priority. However, with limited knowledge of the subject, it was near-impossible to look for any sort of security flaw without scrolling through forums for days.
After hours of googling, I discovered an excellent tool that automatically uncovers SQL injection flaws in my website without requiring intricate SQL knowledge.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
SQLMap is written in the Python programming language and runs natively on Linux; it runs just as well on Windows machines, but we first need to download and install Python on the machine for it to run.
Anyway, back to your site. One thing you will need to find are URLs like this: http://yoursite.com/users/user.php?id=3 or http://yoursite.com/gallery/albums.php?aid=532
These parameters (id=3 and aid=532 in the examples above) are used to query the database, and if not coded/sanitized correctly, can be vulnerable to SQL injection. Attackers can basically access your database and do things such as read passwords, emails, names etc.
So you've found a URL like that on your site? Let's see if it is vulnerable to SQL injection...
Step 1 – Download & Install Python 2.7.5
Python 2.7 installed on your Windows machine.
Ensure that version 2.7.5 is installed, which can be downloaded from here: http://www.python.org/download/
Choose either the normal Windows installer, or the Windows x86-64 installer.
Run through the install accepting the defaults. If all went well, then all of the Python files should be installed to C:\Python27\
Step 2 – Download SQLMap
SQLMap downloaded on your Windows machine
The latest and greatest version is available on the SQLMap home page: https://github.com/sqlmapproject/sqlmap/zipball/master or http://sqlmap.org/ (and click Download .zip on the left!)
Unzip the .zip and put the folder into the C:\ drive (just for ease of access). The folder may be named something like "sqlmapproject-sqlmap-dbb0d7f", so rename this to something like "sqlmap". For the purpose of this guide, I will be renaming this folder to "sqlmap".
Step 3 – Run Command Prompt as Administrator
You can do this multiple ways, but just to explain in a way that everyone can easily do, go to Start > All Programs > Accessories and you will see the Command Prompt icon. BUT WAIT! Don’t just click it!
Ensure that you right-click on the Command Prompt icon and Run As Administrator. Normally, command prompt is set with restrictions meaning certain system tools will not run, so running as administrator enables command prompt to have full access to the system.
Step 4 – Run SQLMap
With the above prerequisites completed, we can now start.
- In the command prompt window, CD into the directory where SQLMap is contained.
- Type in the following: python sqlmap.py -u "http://yoursite.com/users/users.php?id=3" (replace the URL with the one from your own site!)
- Hit enter and it will start scanning. If you find that you encounter output like the example shown below, then your site IS vulnerable to SQL injection. Uh-oh!
- Let SQLMap run through and at the end it will dump all the necessary information into files (readable in Notepad) in the directory where it resides (for example C:\sqlmap\output\yoursite\).
Below are what I got from the above test:
sqlmap identified the following injection points with a total of 63 HTTP(s) requests:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=8 AND 6220=6220
Type: UNION query
Title: MySQL UNION query (NULL) - 17 columns
Payload: id=-6714 UNION ALL SELECT NULL,NULL,CONCAT(0x7178667171,0x73486f79746764616f74,0x717a666671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#

web application technology: PHP 5.3.19, Apache 2.2.23
back-end DBMS: MySQL >= 5.0.0
Now, if the vulnerable page belongs to a WordPress plugin, disable it and remove it immediately, as your site can be easily found using Google dorks. Notify the author / developer ASAP!
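To show what the report above actually means and how to fix it, here is an added Python example (not part of the original post and not sqlmap's own code) that replays the boolean-based blind payload from the report against a constructed in-memory SQLite table, first through a query built by pasting the id parameter into the SQL text (the pattern a vulnerable user.php would have) and then through a parameterized query; the table, sample rows and helper functions are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's users table (sample data, not real)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(3, "alice", "alice@example.org"), (8, "bob", "bob@example.org")])
    return db


def lookup_vulnerable(db, user_id):
    """The pattern sqlmap flagged: the id parameter is pasted straight into the SQL
    text, so whatever follows the number is parsed as SQL as well."""
    sql = "SELECT name FROM users WHERE id = %s" % user_id
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, user_id):
    """Hardened form: the value is bound as a parameter and is only ever data."""
    rows = db.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def boolean_blind_differs(lookup, db):
    """Replays sqlmap's boolean-based blind test from the report: the same id with a
    true tail and a false tail. If the two answers differ, the tail reached the SQL
    parser, which is exactly what sqlmap looks for."""
    true_case = lookup(db, "8 AND 6220=6220")   # payload shown in the sqlmap output
    false_case = lookup(db, "8 AND 6220=6221")  # same shape, condition now false
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("normal request id=3:", lookup_vulnerable(db, "3"), lookup_safe(db, "3"))
    print("string-built query leaks a true/false difference:",
          boolean_blind_differs(lookup_vulnerable, db))
    print("parameterized query leaks a difference:",
          boolean_blind_differs(lookup_safe, db))
```

With the parameterized query the whole string "8 AND 6220=6220" is compared against the integer id column and simply matches nothing, so both probes return the same (empty) answer and sqlmap has no difference to key on.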

Tuesday, 24 December 2013

[TuT] – Hack a site through FTP

Here I am again, posting a tutorial on web-penetration. I will be explaining how to crack and hack an FTP server.
What is “FTP”?
FTP stands for File Transfer Protocol. As you can see by the name, you can manage files through the FTP. The FTP port, is very-well known, but is rarely open on big websites. The FTP port is Port 21. There are multiple ways to connect to an FTP server/port, especially thanks to technology, such as FileZilla.
There are of course other ways, which are the manual ways. Which is connecting to the FTP through a DOS Command line. You can do this from Ubuntu, Backtrack, (All linux), and also Windows. I’ve never tried it on Mac, but I’m sure it’s possible.
When you have access to the FTP, you’re the king of the website. Mostly because you can manage all of the files and directories on the site. So you can upload and delete. If you upload your PHP or ASP shell, you could root the server, and possibly hack other sites.
How do I know if the FTP port is open?
Well, you don’t know until you scan. The most popular port scanner would be Nmap. You can download Nmap at http://www.nmap.org/
How do I connect to FTP?
Like I said, there are a couple options. Personally, I would choose the command line first, because you learn from it. In a program like FileZilla, with all the fancy shit, it’s got it all. Easy to work with, etc. But the method we will be using to connect, is with “Telnet”.
Telnet is a network protocol that you can use to connect to certain ports on hosts. You would either need the website name, or IP to connect. You would also have to make sure the port that you want to connect to, is open.
To do that, we need a program called “Nmap”. Nmap is a free Port-Scanner tool, it is very useful to many hackers for multiple reasons.
To connect to FTP on a site, an IP, or a computer, you need to have Telnet installed. Telnet is already installed on all Windows and Linux operating systems. But in Windows 7 & Vista, you have to change some settings.
This can be done very easily, simply go to Control Panel ==> Programs and Features ==> Turn windows features on or off ==> Check off the Telnet Client.
Now we can successfully connect to a port through Telnet.
So open CMD (Command Prompt(Start => Run => CMD)). Now in the command prompt, type:
Code:
telnet
And hit enter. Now we’re on Telnet, so we can connect to a port. If you would like to get familiar with the commands, simply type in “HELP” in the command prompt.
Now, let’s connect to our site (First make sure the FTP port is open (Port 21). Now, let’s type in:
Now it should display some information on the FTP, we can use that information against the site, by simply googling some exploits for it.
Example: “ProFTPD 1.3.3c Exploit”.
How do I hack a site through FTP?
There are a couple ways to do this, my favorites are looking for exploits in the FTP client and version, and Bruteforcing/Dictionary attack. The first method is very simple, just read the above section to figure out how to do it.
Bruteforcing is when you attack a target by using sometimes MILLIONS of passwords. Bruteforce uses random combinations, whereas a Dictionary Attack uses words. The Dictionary Attack goes MUCH faster, but will not always work. I only bruteforce when I have no other choice.
The second way, is still pretty easy, but requires a little bit more brain :P. If you want to do it more “Advanced-ly” then download “Hydra”. Hydra is a program that will perform a dictionary attack on any open port on your target site, or IP.
The easy way to do it, is by downloading “Brutus”. It does the same thing, but it’s easier to navigate and use. You can get both programs by googling them. If you can’t find any, PM me and I’ll send you a good link.
If you already have the credentials, you can login to the FTP over Telnet, by doing the following:
Code:
open www.site.com 21
-
PASV
-
USER -USERNAMEHERE-
PASS -PASSWORDHERE-
Epilogue
This is a tutorial for beginners, but if I missed something PLEASE notify me by PM or by replying in the comment section. This tutorial does seem very brief to me, but I can’t explain EVERY exploit there is for FTP, otherwise the tutorial would be too long and boring.

Monday, 23 December 2013

Mouse Cursor Styles

Question: How do I change the style of the mouse cursor from JavaScript?
Answer: Most modern browsers support the following cursor styles (hover your mouse over the style name to see the cursor change to that style):
auto        move           no-drop      col-resize
all-scroll  pointer        not-allowed  row-resize
crosshair   progress       e-resize     ne-resize
default     text           n-resize     nw-resize
help        vertical-text  s-resize     se-resize
inherit     wait           w-resize     sw-resize
To set or change the mouse cursor style for an element of your page from script, you can set the element's property element.style.cursor to one of the above values. (Alternatively, without JavaScript, you can use the attribute style="cursor:value;" in that element's HTML tag.)
Example. The function setCursorByID below resets the mouse cursor style, given the input arguments id (the element ID) and cursorStyle (the desired cursor style):
function setCursorByID(id, cursorStyle) {
  var elem;
  // Guard for very old browsers without getElementById, then look the element up
  if (document.getElementById &&
      (elem = document.getElementById(id))) {
    // Only elements with a style object can have their cursor changed
    if (elem.style) elem.style.cursor = cursorStyle;
  }
}
The following demo allows you to change the cursor styles for the highlighted elements (Element 1 and Element 2). In this demo, when you click on the hyperlink help, wait, crosshair, text, default, move, or pointer, the cursor is changed to the corresponding style for the entire highlighted element using the function setCursorByID from the above example. When you click on the hyperlink auto, the cursor for the particular element is reset to its original style determined by the browser.
[Interactive demo: Element 1 and Element 2, each with links to change the cursor to help, wait, move, crosshair, text, default, pointer or auto]
The actual appearance of the mouse cursor depends on the browser and OS configuration. For example, in Microsoft Internet Explorer 8.0 under Windows XP, with the Windows Classic theme set in Display Properties, mouse cursors look like this:

Disabling Right-Click on a web page

Protect images/Disabling right-click on a web page

Want to protect your source code? Using this code will prevent the vast majority of users from right-clicking over a page and choosing "View source", or right-clicking over an image and saving it. There are other ways to view the code, though... This is not always a wise technique to use - it would have to be a very special piece of code to want to hide, and those who would want to steal it will always be able to find a way to see it.

Try right-clicking on this page as an example.
<SCRIPT TYPE="text/javascript">
<!--
//Disable right click script
//visit http://www.rainbow.arch.scriptmania.com/scripts/
var message="Sorry, right-click has been disabled";
///////////////////////////////////
// IE (document.all): show the message and cancel the context menu
function clickIE() {
  if (document.all) {alert(message); return false;}
}
// Netscape / DOM browsers: cancel the middle (2) and right (3) mouse buttons
function clickNS(e) {
  if (document.layers || (document.getElementById && !document.all)) {
    if (e.which==2 || e.which==3) {alert(message); return false;}
  }
}
if (document.layers) {
  document.captureEvents(Event.MOUSEDOWN);
  document.onmousedown=clickNS;
} else {
  document.onmouseup=clickNS;
  document.oncontextmenu=clickIE;
}
// Also suppress the context menu outright for browsers that fire it
document.oncontextmenu=new Function("return false")
// -->
</SCRIPT>
Place the above code into the <HEAD></HEAD> section of your HTML.

To disable the IE imagetoolbar also add the META TAG below to the HEAD

<META HTTP-EQUIV="imagetoolbar" CONTENT="no">


To protect TEXT add 'Disable Text Select' code below into <HEAD></HEAD> of your HTML.

<SCRIPT TYPE="text/javascript">
<!--
//Disable select-text script (IE4+, NS6+)
//visit http://www.rainbow.arch.scriptmania.com/scripts/
///////////////////////////////////
// Cancelling mousedown stops a drag-select from starting
function disableselect(e){
  return false
}
// Clicks are allowed through so links still work
function reEnable(){
  return true
}
//if IE4+: cancel the selectstart event
document.onselectstart=new Function ("return false")
//if NS6 (window.sidebar only exists in Mozilla-based browsers)
if (window.sidebar){
  document.onmousedown=disableselect
  document.onclick=reEnable
}
// -->
</SCRIPT>


Ways to protect your images

To start off, the straight truth is there is no 100% way to protect your images short of not displaying them on the Internet to begin with. There are many ways to prevent a novice visitor, but no matter what you try, there will ALWAYS be a way to get any image. That said, here are a few attempts you may try in no particular order.

1. Using CSS to position a transparent gif overtop of the image.
<img src="myimage.gif" width="100" height="50">
<img src="transparent.gif" width="100" height="50" style="position:relative; left:-102px; top:0px;">


2. Using span tag to position a transparent gif overtop of the image.
<span style="background-image: url(images/my_image.jpg)"><img src="images/transparent.gif" width="200" height="150" border="0" alt="My protected Image."></span>


3. Use the image as a background of a table and fill the cell with a transparent gif.
<table width="100" height="50">
<tr>
<td background="myimage.gif">
<img src="transparent.gif" width="100" height="50">
</td>
</tr>
</table>


4. Use a watermark.
That is, put a mark on the actual image with an image software. A word, a small graphic logo, anything that would deter a thief but still look nice visually for the common visitor.

Here are a number of very effective methods of keeping unscrupulous surfers from stealing your HTML source:

1. Use the <INVISIBLE> </INVISIBLE> tags around the entire document.  [ Menu > View > Source.  To see this one. ]

2. Use the DONTSTEAL attribute in the <BODY> tag.

3. Ftp to your server, select all files and directories, hit "Delete".

4. Put every existing copy of every file on floppies, place them in a shoebox and bury them in the backyard. There is another version of this method which involves placing the floppies in a plastic bag and hiding them in a different sort of hole. Both are equally effective.

5. Password protect your entire site and make sure no one has the password, not even you.

6. Employ a small but fanatically loyal and well-armed band of mercenaries to guard your site.

7. Start>Run>format C:\

8. Attack dogs, preferably rabid.

9. Use any version of Microsoft Frontpage to create your site. (This won't prevent people from viewing your source, but no one will want to steal it.)

10. Don't put your pages on the web. 


How To steal 'NO RIGHT CLICK' code :- 

Use the left mouse button and drag to highlight the code (or try: cursor over the code and triple left-click),
then use the keys [Ctrl + C] to copy and [Ctrl + V] to paste it where you want it.
