Written in Python by Miroslav Stampar, sqlmap is probably the best automated tool to detect and exploit SQL injection.

Sqlmap fully supports many databases such as MySQL, Microsoft SQL Server, PostgreSQL, Oracle (and many more) and is able to detect the following injection types: boolean-based blind, error-based, union-based, stacked queries, time-based blind, inline queries. Depending on the target status, sqlmap is also able to:

  • prompt an interactive SQL shell
  • download/upload files
  • prompt a web shell
  • crack hashed passwords using a dictionary attack
  • and a lot more…

Below are some examples of the main functions, using bWAPP as the target.

Basic usage

[Screenshot: sqlmap basic usage]

In this example sqlmap has detected that the GET parameter title of the search function is vulnerable to SQL injection. Well done! It also found that 4 different injection types can be used for exploitation. Note that sqlmap has also detected that the parameter is vulnerable to XSS, which is unfortunately very common these days…

To test a POST field you would write: --data="title=sqlitest&action=search"

In the next example, I’ll turn off verbose mode.
...

Introduction

Anyone who has ever dealt with server management knows the famous ping utility. Ping sends ICMP requests to a remote host; it’s commonly used to test whether a server is alive or to find its IP address. However, ping options allow us to customize these requests to some extent, and then it becomes possible to transfer any type of data. For this purpose I tested my script with different media types like png or mp3 and it worked perfectly.

The idea

By default ping requests are 98 bytes long, including 56 bytes of data and various headers. With the -p option, ping allows you to customize 16 of those 56 bytes:

[Screenshot: ping test]

Here is the request captured with tcpdump on the remote host:

[Screenshot: ping capture]

As you can see, the submitted string repeats again and again until the end of the data field. If you provide a string longer than 16 bytes it will be truncated. From here, we can convert any data to hex and send it through ping requests.
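Added example (not the original post’s code): a small Python detector for the repeating-pattern payloads that ping -p produces, next to a helper that reproduces the fill rule described above (pattern truncated to 16 bytes and repeated through the 56-byte data field). It assumes the first 8 bytes of the payload hold ping’s timestamp and that the default Linux fill is the ascending bytes 0x10..0x37; the sample payloads are constructed.

```python
"""Flag ICMP echo payloads that look like `ping -p` patterns (defender side)."""

TIMESTAMP_LEN = 8   # assumption: leading timeval in a Linux ping payload
DATA_LEN = 56       # default ping data size mentioned in the post
MAX_PATTERN = 16    # ping -p accepts at most 16 pattern bytes

# Assumption: stock Linux ping fills the bytes after the timestamp with 0x10, 0x11, ... 0x37
DEFAULT_FILL = bytes(range(0x10, 0x10 + DATA_LEN - TIMESTAMP_LEN))


def build_ping_payload(pattern: bytes, timestamp: bytes = b"\x00" * TIMESTAMP_LEN) -> bytes:
    """Mimic the -p fill rule: truncate to 16 bytes, then repeat until the data field is full."""
    pattern = pattern[:MAX_PATTERN]
    if not pattern:
        raise ValueError("pattern must not be empty")
    body_len = DATA_LEN - TIMESTAMP_LEN
    body = (pattern * (body_len // len(pattern) + 1))[:body_len]
    return timestamp + body


def shortest_period(data: bytes) -> int:
    """Smallest p with data[i] == data[i + p] for all i; len(data) when nothing repeats."""
    for p in range(1, len(data)):
        if all(data[i] == data[i + p] for i in range(len(data) - p)):
            return p
    return len(data)


def classify_payload(payload: bytes) -> dict:
    """Return 'default' for a stock Linux fill, 'patterned' for a <=16-byte repeating
    unit (what -p produces), and 'other' for anything else, plus the unit found."""
    body = payload[TIMESTAMP_LEN:]
    if body == DEFAULT_FILL[: len(body)]:
        return {"verdict": "default", "period": None, "unit": b""}
    period = shortest_period(body)
    if period <= MAX_PATTERN:
        return {"verdict": "patterned", "period": period, "unit": body[:period]}
    return {"verdict": "other", "period": period, "unit": b""}


if __name__ == "__main__":
    # Constructed samples: a stock ping and one sent with -p 41424344 ("ABCD").
    for sample in (b"\x00" * TIMESTAMP_LEN + DEFAULT_FILL, build_ping_payload(b"ABCD")):
        print(classify_payload(sample))
```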

...

Definition

Steganography is the art of hiding a message inside another, ordinary message. The hidden message can be clear text or encrypted, and the container can be anything: an image, music, plain text or whatever… The main benefit of steganography is that you can recover the final message only if you know the technique used to hide it, because you’ll need to apply the same algorithm. As a second layer of protection, you can also encrypt the data with any algorithm you like or with a private key.

...

With the evolution of cybercrime over the last few years, security has become an important budget item in large companies. For instance, Facebook has created a dedicated platform for security researchers and frequently rewards them ($1.3 million spent in 2014).

eBay, Airbnb, Yahoo, Snapchat, WordPress: all of these companies are now aware of security and all of them have set up a bug bounty program. Even mobile platforms such as Android and iOS apps have recently come into the focus of the giant Google.

...

As a pentester, you might be able to take control of systems that are directly reachable, but you may also need to test the internal network and check the machines that sit inside a subnetwork.

For that task you’ll have to use an already compromised machine as a bridge/gateway; this technique is called “pivoting”. Depending on the context, different solutions exist to perform that task.

Rinetd

The easiest one. First you need to install Rinetd:

aptitude search rinetd
p   rinetd                                     - Internet TCP redirection server

Then edit the /etc/rinetd.conf file:

# bindadress    bindport  connectaddress  connectport
192.168.0.10    80        91.121.139.22   8080

Restart Rinetd and from then on, all incoming traffic on 192.168.0.10 port 80 will be redirected to 91.121.139.22 port 8080. This can be useful if a firewall is restricting outbound traffic on certain ports.

...