PaulDotCom video on sqlmap

During PaulDotCom Security Weekly - Episode 152 on May 14, 2009, John Strand discussed sqlmap in a video hosted on Vimeo.

I think the video is worth watching for someone who wants a quick overview of a few sqlmap features, but going through the user's manual and the users' mailing list archive offers much more technical insight on both the tool and the vulnerability itself.

My comments on the video follow:
  • Minute 0:20 - "[...] one of the reasons why I think it is better than commercial tools it's quite simply because of its flexibility [...]".
In practice only the least flexible enumeration option was demonstrated (--dump-all), instead of showing that the tool has plenty of options to enumerate or dump specific information automatically: test whether the session user is a DBA, retrieve only the current user's password hash, dump only a range of rows from a table or only some of its columns, and so on. All of these features are illustrated with examples in the sqlmap user's manual.
Also, he shows the sqlmap user's manual from the site (0.7rc1), but during the demonstration he uses sqlmap 0.6.4.
  • Minute 7:10 - "[...] there has been a lot of tools that do PHP [...]. This tool also has the capability of doing ASP [...]".
SQL injection is not a matter of the web application language. It is a matter of missing security-driven development practices: queries built by concatenating unvalidated input instead of using parameterized statements, no proper input validation, no web application firewall in front, and so on. The concept John exposes here is wrong and can lead a newbie user to misunderstand the flaw.
Also, from his words it seems that a SQL injection tool is more powerful if it "does" more web scripting languages. Needless to say, this is totally wrong: once the tool's engine is written and working, it does not care at all which language the application is written in, because it only ever sees the HTTP request and the response. What should be considered when evaluating a SQL injection tool is its support for different back-end DBMS software, which implies support for different SQL dialects, because the SQL statements the tool has to inject depend upon the database software, its version and the session user's privileges. Again, not on the front-end language.
  • Minute 7:26 - "[...] a wonderful error [...] tools crash anytime [...]".
If you take a look at the Python traceback, you see why the tool raises the exception: sqlmap saves everything it fetches into the output/ subfolder. John probably ran the tool the first time as a privileged user, so output/testasp.acunetix.com/log was created with mode 644 and owned by root; when he runs the tool a second time as a normal user (apparently argotek), it is obvious that it "crashes" with a Permission denied exception. Running sqlmap consistently as the same user, or fixing the ownership of the output/ directory, avoids this.
  • Minute 7:39 - "[...] going off Microsoft SQL back-ends as well as part of ASP".
Good point, but Microsoft SQL Server can also be the back-end DBMS for a front-end application written in PHP or any other language that has built-in or external connectors for such a DBMS.
  • Minute 7:50 - --sql-shell has recently been fixed. Give the latest development version from the subversion repository a try. However, good point and well described here.
  • Minute 8:35 - Thanks for pointing the user to RTFM several times.
  • John only mentioned the takeover functionality at the beginning of the video, while going through the user's manual pages.
    What about a video demonstrating in practice the new features to take over the underlying file system and operating system starting from the SQL injection vulnerability? To get an idea, just grab sqlmap from the subversion repository and read my presentation slides, whitepaper and video.
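The point made above at minute 7:10 (the front-end language is irrelevant; the back-end DBMS dialect is what an injection tool must know) can be shown in a few lines. The following is an added example written for this post, not code from sqlmap or from the video. It assumes a constructed in-memory SQLite database standing in for the back-end, a lookup that concatenates user input into the statement the way a careless PHP or ASP page would, and a small map of the well-known table-listing queries for each DBMS; the dialects other than SQLite are included only to show that the wrong dialect fails against the real back-end regardless of what the front-end is written in.

```python
import sqlite3


def make_db():
    """Constructed sample back-end: an in-memory SQLite database standing in
    for whatever DBMS sits behind the web front-end."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users(name, password)
            VALUES ('admin', 'hash-of-admin'), ('bob', 'hash-of-bob');
    """)
    return conn


# The knowledge an injection engine needs per back-end: how to list tables
# in each DBMS's own dialect. Nothing here refers to the front-end language,
# because the front-end never sees these statements.
TABLE_LIST_QUERY = {
    "mysql":      "SELECT table_name FROM information_schema.tables "
                  "WHERE table_schema = DATABASE()",
    "mssql":      "SELECT name FROM sysobjects WHERE xtype = 'U'",
    "postgresql": "SELECT tablename FROM pg_tables WHERE schemaname = 'public'",
    "oracle":     "SELECT table_name FROM user_tables",
    "sqlite":     "SELECT name FROM sqlite_master WHERE type = 'table'",
}


def vulnerable_lookup(conn, user_id):
    """What a PHP or ASP page does when it concatenates user input into the
    statement: the language differs, the resulting SQL does not."""
    sql = "SELECT name FROM users WHERE id = " + str(user_id)
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, user_id):
    """The same lookup with a bound parameter: the input is data, never SQL."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def enumerate_tables(conn, dbms):
    """Inject the table listing for `dbms` through the vulnerable lookup with
    a UNION. Returns the set of names fetched, or None when the back-end
    rejects the statement, i.e. the chosen dialect does not match the actual
    DBMS. That mismatch, not the front-end language, is what breaks a tool."""
    payload = "1 UNION " + TABLE_LIST_QUERY[dbms]
    try:
        return set(vulnerable_lookup(conn, payload))
    except sqlite3.OperationalError:
        return None


if __name__ == "__main__":
    conn = make_db()
    hashes = "1 UNION SELECT password FROM users"
    print("normal request:", vulnerable_lookup(conn, 1))
    print("password hashes via UNION:", vulnerable_lookup(conn, hashes))
    print("same payload, bound parameter:", safe_lookup(conn, hashes))
    for dbms in TABLE_LIST_QUERY:
        print(dbms, "dialect against the SQLite back-end:",
              enumerate_tables(conn, dbms))
```

Only the SQLite dialect succeeds against this back-end; the MySQL, MSSQL, PostgreSQL and Oracle statements are rejected, which is exactly the behaviour a tool that "does ASP" but does not know the target DBMS would run into. The bound-parameter version returns nothing for the same payload because the whole string is compared as a value against the integer id column.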
