Tag Archives: sql

15 new nmap scripts

I just posted 15 new nmap scripts to the nmap-dev mailing list. For anyone curios to check them out have a look over here. I’ve been working on these new scripts for a while and they add yet more database support to nmap allowing users to perform password guessing against both Oracle and Informix servers. In addition custom SQL queries can be made to Informix servers directly from nmap.

I’ve also created a number of scripts which can be suitable when pen testing Lotus Domino. These scripts include support for collecting Internet password hashes and user ID files. ID files can be collected both as an authenticated user from the person web view or unauthenticated using the vulnerability CVE-2006-5835. Oh, and you can add Lotus Domino 8.5 to the list of vulnerable versions in that advisory. There are also two scripts that allow you to interact with the IBM Lotus Domino remote console. One script allows for password guessing, while the other one allows you to interact with the console ones your authenticated.

There’s a tiny script in the zip file that supports querying for registered objects in a ORB Naming Service using the GIOP protocol.

Last but not least I’ve created a framework for other password guessing scripts to use. The framework runs using multiple worker threads and does all the looping, iteration and other basic logic used by most of my previous brute scripts.

The zip file included in the nmap-dev post can be downloaded from here. Please help me out testing the scripts so that they can be added to the subversion version of nmap!

Nmap does more MySQL

I’ve just added some code to my Nmap MySQL library that enables query support. With this code in place it’s possible to run queries against MySQL directly from a Nmap script. In order to illustrate this I’ve added three scripts: mysql-list-users, mysql-list-databases and mysql-show-variables.

While messing around with the library I also cleaned up the code for mysql-brute and mysql-empty-password. All of the scripts that query the database obviously require credentials to do so. These can be provided on the command line using script arguments mysqluser and mysqlpassword or by running the mysql-brute or mysql-empty-password on the same time. There are dependencies set up so that the query scripts wait until these two scripts have collected the credentials. Here’s some sample output from the scripts …

Continue reading

OWASP – Sweden meeting

My presentation from the Swedish OWASP meeting the other day is now online.
I spoke about SQL injection (again), efficient UNION exploitation, OOB channels and DNS-tunneling in MSSql, Oracle and MySQL.

The presentation, DNS-server tool and a minimal cheat sheet can be found here.
I had a great time and enjoyed meeting friends, colleagues and listening to the other speaches.

Simplifying enumeration by error messages

I have been experimenting with SQL-injection and information enumeration through error messages for a while.
The idea was to simplify the process of extracting data so that very little application logic would be needed to perform the task. Ideally a simple 3-5 line bash-script wrapping wget or curl should do the trick.

Continue reading