:: BobCat description ::
BobCat is a tool to aid a security consultant in taking full advantage of SQL injection vulnerabilities. It is based on a tool named "Data Thief" that was published as a PoC by appsecinc. BobCat can list the linked servers and the database schema, and allows the retrieval of data from any table that the current application user has access to.
The methods that BobCat incorporates are based on those discussed in the following papers:
Advanced SQL Injection
More Advanced SQL Injection
Advanced SQL Injection
Manipulating SQL Server Using SQL Injection
--------------------------------------------------------------------------------
:: BobCat documentation ::
:: Requirements ::
[1] Windows OS (Tested on XP SP2)
[2] Access to MS SQL server/MSDE2000 (Tested on MSDE2000)
[3] .Net Framework 2.0
:: Installation ::
[1] create C:\BobCat
[2] unpack the BobCat archive to this folder
[3] create a shortcut to BobCat and place it on your desktop
[4] create a DataBase called BobCat
[5] configure your SQL Server/MSDE2000 to use SQL Authentication
[6] create a user that can read, write and create tables within the BobCat DB
--------------------------------------------------------------------------------
:: Attack ::
:: Stealing Data ::
[1] find an application that is vulnerable to SQL Injection and
[2] is using MS SQL as a back-end database
[3] in the settings tab enter your connection details (local MSSQL server/MSDE2000)
[4] click connect
[5] enter the url for your target in the format http://www.victim.com/vulnerable_script.asp?vuln_field='<***>&field=foo
[6] choose HTTP method (PUT or GET), choose attack method CAST, Create Table or OPENROWSET
[7] click start attack
[8] when the injections have completed, move to the "Data Results" tab
[9] you will see the server name and or the names of any linked servers
[10] you will see to the right of this a list of Databases on the server
[11] in the results window at the bottom of the screen, you will see the output from @@version and the current user and associated privileges
[12] choose a Database and click the tables button
[13] a list of tables will appear to the right
[14] choose a table and click on the fields button
[15] a list of fields will appear to the right
[16] choose all fields or a subset and click on the run button
[17] the results window at the bottom of the screen will be populated with the contents of the table and the fields you selected
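The flaw the URL format above relies on is a request value closing the quoted literal in vuln_field='<***>', so the rest of the value is parsed as SQL. The following is an added example (not part of BobCat or its documentation) that shows that defect beside its fix, string concatenation versus a bound parameter. It uses Python's sqlite3 in place of MS SQL so it runs offline; the schema, rows and the payload string are constructed for illustration.

```python
import sqlite3

# Constructed sample schema standing in for the target application's database.
# The page targets MS SQL; sqlite3 is used here only so the example runs offline.
# The mechanics of a stray single quote closing the literal are the same.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", [
        (1, "widget", "alice"),
        (2, "gadget", "alice"),
        (3, "secret-plan", "bob"),
    ])
    return conn

def lookup_vulnerable(conn, name):
    # 'Before' pattern, the shape behind vuln_field='<***>' above: the request
    # value is pasted into the statement, so a quote in it ends the literal and
    # whatever follows is parsed as SQL.
    sql = ("SELECT id, name FROM items WHERE owner = 'alice' AND name = '"
           + name + "'")
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Fixed form: the value is bound as a parameter and never parsed as SQL,
    # so quotes inside it are just data.
    sql = "SELECT id, name FROM items WHERE owner = 'alice' AND name = ?"
    return conn.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"   # constructed: a quote followed by an always-true clause
    print(lookup_vulnerable(db, payload))     # returns all three rows, bob's included
    print(lookup_parameterized(db, payload))  # returns []
```

The owner filter in the vulnerable query is defeated because AND binds tighter than OR, which is why the row belonging to another user comes back; the parameterized version returns nothing for the same input because no item is literally named `x' OR '1'='1`.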
--------------------------------------------------------------------------------
:: Port Scanning (OPENROWSET) ::
[1] find an application that is vulnerable to SQL Injection and
[2] is using MS SQL as a back-end database
[3] in the settings tab enter your connection details (local MSSQL server/MSDE2000)
[4] click connect
[5] enter the url for your target in the format http://www.victim.com/vulnerable_script.asp?vuln_field='<***>&field=foo
[6] choose HTTP method (PUT or GET), choose attack method CAST, Create Table or OPENROWSET
[7] click start attack
[8] once the attack has finished move to the "Port Scanner" tab
[9] choose from the port scan options how many ports and which ports you wish to scan
[10] choose a target (a machine that is Internet facing)
[11] run a packet sniffer on this machine and look for incoming connections from your attack network
[12] once an open port or ports have been found, configure your MS SQL Server or MSDE2000 server to listen on this port. You can then use the OPENROWSET method to attack the database.
--------------------------------------------------------------------------------
:: Interactive XP_CMDSHELL ::
[1] find an application that is vulnerable to SQL Injection and
[2] is using MS SQL as a back-end database
[3] in the settings tab enter your connection details (local MSSQL server/MSDE2000)
[4] click connect
[5] enter the url for your target in the format
http://www.victim.com/vulnerable_script.asp?vuln_field='<***>&field=foo
[6] choose HTTP method (PUT or GET), choose attack method Create Table or OPENROWSET
[7] click start attack
[8] once the attack has finished move to the "XPCmdShell" tab
[9] enter your command into the command text box and click on execute
[10] the results of your command will be shown in the results window below
[11] if you do not have sufficient permissions as the current user and are in possession of the credentials for another SQL user, tick the alternative credentials check box
[12] enter the alternative credentials and the ip address of the database server
[13] re-submit your command
--------------------------------------------------------------------------------
:: Uploading Files ::
[1] find an application that is vulnerable to SQL Injection and
[2] is using MS SQL as a back-end database
[3] in the settings tab enter your connection details (local MSSQL server/MSDE2000)
[4] click connect
[5] enter the url for your target in the format
http://www.victim.com/vulnerable_script.asp?vuln_field='<***>&field=foo
[6] choose HTTP method (PUT or GET), choose attack method Create Table or OPENROWSET and choose a file upload method BCP or DEBUG
[7] click start attack
[8] once the attack has finished move to the "File Uploader" tab
[9] choose custom file radio button
[10] click on the browse button and choose the file to upload
[11] click the upload button
--------------------------------------------------------------------------------
:: UDP Reverse Shell ::
/* Thanks to Ollie Whitehouse for his NetCat hacks and permission to distribute the UDP Reverse Shell */
[1] find an application that is vulnerable to SQL Injection and
[2] is using MS SQL as a back-end database
[3] in the settings tab enter your connection details (local MSSQL server/MSDE2000)
[4] click connect
[5] enter the url for your target in the format
http://www.victim.com/vulnerable_script.asp?vuln_field='<***>&field=foo
[6] choose HTTP method (PUT or GET), choose attack method Create Table or OPENROWSET and choose a file upload method BCP or DEBUG
[7] click start attack
[8] once the attack has finished move to the "File Uploader" tab
[9] choose the udp reverse shell radio button
[10] choose a UDP port that you know the remote server can communicate on
[11] set the remote IP address (your IP address / an Internet-facing machine that can receive the shell)
[12] click execute
--------------------------------------------------------------------------------
:: TCP/UDP Port Scanning (fscan from www.foundstone.com) ::
/* Legally I can't distribute fscan */
[1] find an application that is vulnerable to SQL Injection and
[2] is using MS SQL as a back-end database
[3] in the settings tab enter your connection details (local MSSQL server/MSDE2000)
[4] click connect
[5] enter the url for your target in the format http://www.victim.com/vulnerable_script.asp?vuln_field='<***>&field=foo
[6] choose HTTP method (PUT or GET), choose attack method Create Table or OPENROWSET and choose a file upload method BCP or DEBUG
[7] click start attack
[8] once the attack has finished move to the "File Uploader" tab
[9] choose UDP or TCP Port scanning
[10] download fscan.exe from Foundstone
[11] use the MAKESCR tool to create an .scr file
[12] place that file in the C:\BobCat\Tools folder
[13] choose a port range to scan
[14] set the remote IP to scan
[15] click on execute
[16] have a sniffer running on the remote IP that you set to listen for incoming communications
--------------------------------------------------------------------------------
:: Brute Force Users ::
[1] find an application that is vulnerable to SQL Injection and
[2] is using MS SQL as a back-end database
[3] in the settings tab enter your connection details (local MSSQL server/MSDE2000)
[4] click connect
[5] enter the url for your target in the format http://www.victim.com/vulnerable_script.asp?vuln_field='<***>&field=foo
[6] choose HTTP method (PUT or GET), choose attack method Create Table or OPENROWSET
[7] click start attack
[8] once the attack has finished move to the "Crack Users" tab
[9] browse for the dictionary you wish to use
[10] click upload
[11] choose attack method (@server or @client) note: @server requires OPENROWSET
[12] click go
[13] OPENROWSET cracked passwords will appear in BobCat.dbo.sa_passwords
[14] any other method will appear on screen
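A defender-side companion to the procedures above (Stealing Data, Port Scanning, XP_CMDSHELL, Uploading Files, UDP Reverse Shell, fscan port scanning and Brute Force Users): every one of them starts by placing a SQL Server construct (CAST, CREATE TABLE, OPENROWSET, xp_cmdshell, and bcp or debug for the file upload methods) into the vulnerable parameter, and those keywords are what a web-server access log records. The detector below is added example code, not part of BobCat; the log lines, IP addresses (RFC 5737 documentation ranges) and rule names are constructed, and the log format assumed is the common/combined format rather than the IIS W3C format an ASP server would typically write, so the line regex would need adjusting for real IIS logs.

```python
import re
from urllib.parse import unquote_plus

# Keyword rules tied to the attack methods BobCat offers. Each is a SQL Server
# construct that has no business appearing inside a query string parameter.
RULES = {
    "cast_error_based": re.compile(r"\bcast\s*\(", re.I),        # CAST error-based extraction
    "create_table_staging": re.compile(r"\bcreate\s+table\b", re.I),
    "openrowset_oob": re.compile(r"\bopenrowset\s*\(", re.I),    # out-of-band link back to attacker's server
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),         # OS command execution
}
# bcp and debug are common words; only treat them as a file drop alongside xp_cmdshell.
FILE_DROP = re.compile(r"\b(bcp|debug)(\.exe)?\b", re.I)

# Common log format (constructed assumption; adapt for IIS W3C fields).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    # Decode %XX and '+' once so encoded spaces cannot split a keyword.
    decoded = unquote_plus(m.group("path"))
    hits = [name for name, rx in RULES.items() if rx.search(decoded)]
    if "xp_cmdshell" in hits and FILE_DROP.search(decoded):
        hits.append("file_drop_bcp_debug")
    if not hits:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "status": m.group("status"), "rules": hits, "path": decoded}

def scan_log(lines):
    return [f for f in map(classify_request, lines) if f]

def summarize(findings):
    """Group matched rule names per source address, sorted for stable output."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).update(f["rules"])
    return {ip: sorted(rules) for ip, rules in by_ip.items()}

# Constructed sample log: one benign request, one per attack method, one benign
# request that happens to contain the word "debug".
SAMPLE_LOG = """
203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /vulnerable_script.asp?vuln_field=foo&field=bar HTTP/1.0" 200 512
203.0.113.5 - - [10/Oct/2006:13:55:41 +0000] "GET /vulnerable_script.asp?vuln_field='%20and%201=cast(@@version+as+int)--&field=foo HTTP/1.0" 500 1034
198.51.100.7 - - [10/Oct/2006:14:02:10 +0000] "GET /vulnerable_script.asp?vuln_field=';select+*+from+openrowset('SQLOLEDB','x','y')--&field=foo HTTP/1.0" 200 512
203.0.113.5 - - [10/Oct/2006:14:05:02 +0000] "GET /vulnerable_script.asp?vuln_field=';exec+master..xp_cmdshell+'bcp'--&field=foo HTTP/1.0" 200 512
203.0.113.5 - - [10/Oct/2006:14:06:30 +0000] "GET /vulnerable_script.asp?vuln_field=';create+table+t(x+varchar(8000))--&field=foo HTTP/1.0" 200 512
192.0.2.44 - - [10/Oct/2006:14:10:00 +0000] "GET /app.asp?debug=1&field=bar HTTP/1.0" 200 512
""".strip().splitlines()

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], ",".join(finding["rules"]), finding["path"])
    print(summarize(scan_log(SAMPLE_LOG)))
```

The CAST method depends on the server returning a conversion error to the browser, so a run of 500 responses from one address with the cast rule firing is the signature of the Data Results procedure; OPENROWSET, xp_cmdshell and the file upload methods leave their keyword in the log even when the response is a clean 200, which is why the rules key on the decoded request rather than on status. The two other controls worth pairing with this are egress filtering from the database server (the port scan, OPENROWSET and reverse shell procedures all need it to connect out) and leaving xp_cmdshell and ad hoc distributed queries disabled.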
--------------------------------------------------------------------------------