RE: SQL injection

From: Todd Towles (toddtowles@brookshires.com)
Date: Thu Jun 09 2005 - 11:52:05 EDT


There are servers built for this sole purpose - web application
firewalls. They clean HTTP traffic and detect many Web attacks. Seems
like a good thing to have in front of your main webserver, but I haven't
ever used one. Anyone know of the most popular company that is doing
this? Any experience with them?

A normal IDS/IPS system should be able to do this type of thing as well.

http://whitepaper.informationweek.com/cmpinformationweek/search/viewabstract/69387/index.jsp
http://www.axiliance.com/produit/realsentry/?LG=uk
http://www.modsecurity.org/
http://secyber.net/www2/htmldb/teros.html#t100

-Todd
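As an added example (not code from any post in this thread): the kind of injection a web application firewall or IDS is being asked to catch, run against an in-memory SQLite database, next to the parameterized query that removes the bug at the source, plus a deliberately naive signature filter of the sort a filtering proxy might apply, to show why string matching in front of a vulnerable query is a mitigation layer rather than a fix. The table, the account, the filter pattern and both payloads are constructed for this illustration.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data for this example: one account in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: input becomes SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same query with bound parameters: input is only ever data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Hypothetical signature of the kind a filtering proxy might apply:
# a quote, whitespace, OR, whitespace. Constructed for this example.
NAIVE_PATTERN = re.compile(r"'\s+OR\s+", re.IGNORECASE)


def naive_filter_blocks(value):
    """True when the signature matches, i.e. the request would be dropped."""
    return bool(NAIVE_PATTERN.search(value))


def login_filtered(conn, username, password):
    """The naive signature placed in front of the still-vulnerable query."""
    if naive_filter_blocks(username) or naive_filter_blocks(password):
        return False
    return login_vulnerable(conn, username, password)


if __name__ == "__main__":
    db = build_db()
    classic = "admin' OR '1'='1' --"      # textbook payload
    evasive = "admin'/**/OR/**/1=1--"     # same logic, SQL comments instead of spaces
    print("vulnerable, classic payload :", login_vulnerable(db, classic, "x"))
    print("parameterized, classic      :", login_parameterized(db, classic, "x"))
    print("filtered, classic payload   :", login_filtered(db, classic, "x"))
    print("filtered, evasive payload   :", login_filtered(db, evasive, "x"))
```

The parameterized version rejects both payloads because the driver never lets the input become part of the statement. The signature version stops the textbook payload and passes the evasive one, since `/**/` is whitespace to the SQL parser but not to the regex; the same encoding and evasion problem applies to an IDS inspecting the HTTP stream, which is why a filter in front of the web server is worth having but is not a substitute for fixing the query.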

> -----Original Message-----
> From: Faisal Khan [mailto:faisal@netxs.com.pk]
> Sent: Thursday, June 09, 2005 10:38 AM
> To: pen-test@securityfocus.com
> Subject: SQL injection
>
> Pardon the ignorance, but is there any hardware/software
> based device that can outright prevent/mitigate (detect?) SQL
> injections? Would an IDS be able to prevent this?
>
> At 08:29 PM 6/9/2005, you wrote:
> >Another option you could try is to use ettercap to insert your
> >laptop/pen-test system in as a Man-in-the-Middle between the SQL server
> >and client systems and then capture the port 1433 traffic using
> >tcpdump/ethereal/your favorite packet capturing program. This will
> >definitely yield the 'sa' password (as well as others).
> >
> >If you're using Windows on your attack platform, consider using Cain &
> >Abel as it can do the Man-in-the-Middle/SQL password capture all in one.
> >
> >Ido
> >--
> >Ido Dubrawsky, CISSP
> >Senior Security Consultant
> >SBC/Callisma
> >(571) 633-9500 (Office)
> >(202) 213-9029 (Mobile)
> >
> >
> > > -----Original Message-----
> > > From: Erik Pace Birkholz [mailto:erik@specialopssecurity.com]
> > > Sent: Thursday, June 09, 2005 4:06 AM
> > > To: Hugo Vinicius Garcia Razera; pen-test@securityfocus.com
> > > Cc: Erik Pace Birkholz
> > > Subject: RE: pen-test on a windows 2003 server box whit MS-SQL and
> > > Terminal Services
> > >
> > >
> > > Hugo,
> > >
> > > Based on the limited info you have provided, here is my advice.
> > >
> > > Have you done UDP port scans? If you haven't done so, scan to
> > > determine what UDP ports are open. Depending on what you find this
> > > could be helpful. For example, if SNMP is available with a default
> > > or guessable community name it will provide usernames among other
> > > goodies.
> > >
> > > Re: obtaining the SQL version; since the OS is Win3k the SQL server
> > > will likely be SQL 2000 with SP3 or later. If you really want to
> > > find out try SQLVer (www.sqlsecurity.com) as Chip already mentioned
> > > and try SQLRecon (www.SpecialOpsSecurity.com -click on LABS).
> > >
> > > With that said don't give up on the SQL "SA" brute force attacks.
> > > There is no account lock out for SA so rock and roll. SQLDict.exe
> > > works pretty well if you have a big dictionary file. Another option
> > > is ForceSQL.exe because it brute forces an account (sa) based on a
> > > user specified character set (charset.txt) up to a user specified
> > > max password length.
> > >
> > > You also mentioned DNS: 53. Not sure if you are referring to UDP or
> > > TCP? If it is TCP then you should try a zone transfer.
> > >
> > > Also don't forget full (1-65535) TCP port scans and source port
> > > scans (SRC=20,53,88,80,etc...)
> > >
> > > Finally use tracerouting, hping2, tcpdump, etc to determine if the
> > > blocking ACLs are on the host or a network device. Something is
> > > facilitating the firewalling that is hiding juicy MS specific ports
> > > like TCP 135 and 445. Is it ICF, IPSec, a personal firewall, network
> > > firewall, perimeter router or what? Once you know this it will help
> > > direct your attempts to subvert that protection and get exposure to
> > > more ports on the target.
> > >
> > > Let us know how it goes!
> > >
> > > Good luck,
> > >
> > > Erik Pace Birkholz
> > > www.SpecialOpsSecurity.com
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Hugo Vinicius Garcia Razera [mailto:hviniciusg@gmail.com]
> > > Sent: Tuesday, June 07, 2005 4:01 PM
> > > To: pen-test@securityfocus.com
> > > Subject: pen-test on a windows 2003 server box whit MS-SQL and
> > > Terminal Services
> > >
> > > Hi everyone, I'm doing a pen test on a client, and have found that
> > > he has a Windows 2003 Server box on one segment of his public
> > > addresses; this is his dns/web/mail server:
> > >
> > > - mssql :1433
> > > - terminal services :3389
> > > - iis 6 :80
> > > - smtp :25
> > > - pop3 :110
> > > - dns : 53
> > > - ftp : filtered
> > >
> > > ports opened. I logged on to the terminal services port with the
> > > WinXP remote desktop utility and it connects perfectly.
> > >
> > > I tried a dictionary attack on the MSSQL server with the "sa"
> > > account and other user names I collected.
> > > Hydra from THC was the tool, but no success on this attack.
> > > Also tried tsgrinder for terminal services, but no success.
> > >
> > >
> > > well here come some questions:
> > >
> > > - What other usernames should I try for SQL and terminal services?
> > > I tried with "sa" for SQL and "Administrator" for TS
> > >
> > > - Anyone know how I could identify what version of SQL server is
> > > running?
> > > - What other services of this host can be exploited?
> > >
> > > any comments, ideas, suggestions would be greatly appreciated.
> > >
> > > Hugo Vinicius Garcia Razera
> > >
>
> Faisal Khan
> CEO
> Net Access Communication
> Systems (Private) Limited
> _____________________________
> 1107 Park Avenue, 24-A, Block 6,
> PECHS, Main Shahrah-e-Faisal,
> Karachi 74500 (Pakistan)
> Board: +92 (21) 111 222 377
> Direct: +92 (21) 454-346
> Fax: +92 (21) 454-4347
> Cell: +92 (333) 216-1291
> Email: faisal@netxs.com.pk
> Web: http://www.netxs.com.pk/
>
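A caveat on the port 1433 sniffing suggested in Ido's quoted message above, as an added example that is not part of any post in this thread: a SQL Server 7.0/2000 client speaking TDS 7.x sends the password in its LOGIN7 packet obfuscated with a fixed, keyless transform (swap the two nibbles of each UTF-16LE byte, then XOR with 0xA5), so a raw capture shows scrambled bytes rather than the cleartext. Reversing it takes a few lines, which is what tools that print the cleartext from a capture do for you. The code below assumes you have already carved the password field out of the LOGIN7 packet (locating it is not covered here); the sample password is constructed.

```python
def tds7_obfuscate(password: str) -> bytes:
    """Client side: UTF-16LE encode, swap the nibbles of each byte, XOR 0xA5."""
    out = bytearray()
    for b in password.encode("utf-16-le"):
        swapped = ((b << 4) & 0xF0) | ((b >> 4) & 0x0F)
        out.append(swapped ^ 0xA5)
    return bytes(out)


def tds7_deobfuscate(field: bytes) -> str:
    """Sniffer side: undo the XOR, swap the nibbles back, decode UTF-16LE."""
    out = bytearray()
    for b in field:
        x = b ^ 0xA5
        out.append(((x << 4) & 0xF0) | ((x >> 4) & 0x0F))
    return out.decode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample; in practice 'field' is the password bytes carved
    # from the LOGIN7 packet in the capture, not something you encode yourself.
    wire = tds7_obfuscate("s3cret!")
    print("on the wire:", wire.hex())
    print("recovered  :", tds7_deobfuscate(wire))
```

Because the transform has no key, an attacker in the path needs nothing beyond the capture; only an encrypted login (SSL/TLS on the SQL Server connection) or keeping 1433 off the public segment changes that.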



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:23 EDT