Author Topic: pentest for SQL Injection  (Read 8317 times)
VICKS_DX
« on: October 27, 2010, 02:43:54 AM »

Hi,
I need a little help from you guys. Our organisation develops and maintains a website for its employees for the administration part. I was thinking of checking whether it is vulnerable to SQL injection or cross-site scripting attacks. I can test the website and its contents locally on a different machine. Is there any tool which would help me accomplish this task, or is there any other way to do this? Please guide me with your suggestions.
Thanks in advance

ccna,ccna security & ccsa
COm_BOY
« Reply #1 on: October 27, 2010, 03:51:03 AM »

Open source or commercial?

It has become appallingly obvious that our technology has exceeded our humanity.
VICKS_DX
« Reply #2 on: October 27, 2010, 04:05:43 AM »

I didn't get your question, buddy?

Equix3n-
« Reply #3 on: October 27, 2010, 06:10:02 AM »

COm_BOY wants to ask whether you want a commercial tool or an opensource tool?
http://en.wikipedia.org/wiki/Open_source
COm_BOY
« Reply #4 on: October 27, 2010, 06:16:11 AM »

Quote
COm_BOY wants to ask whether you want a commercial tool or an opensource tool?
http://en.wikipedia.org/wiki/Open_source


Thanks Equix3n for the clarification.
VICKS_DX: Depending on your company requirements you may choose to buy a commercial end tool, but if you lack the expertise to operate them they may not be that good for you. I would recommend you to hire a pen tester for the job, and to be quite honest you don't need to search for a local one; these days the internet is changing the way we live, so you can find a tester here on EH and get the task done at a relatively cheap cost. When I say cheap I really mean like: if you are in the USA you may need to throw more than 30K for a test of your organization; however, internationally you can find people who are also willing to do it for 10K or so :) These values are for an organization and not for a single server/IP.
If you want to go for a 180-degree angle of checking you can try the Metasploit Framework, Retina, Nikto, nessusd and a lot more free software.

impelse
« Reply #5 on: October 27, 2010, 10:52:32 AM »

It is very difficult to hire somebody that you do not know to do the pentest, just over the internet.

Remember, it is a security relationship.

CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
MaXe
« Reply #6 on: October 27, 2010, 11:34:24 AM »

I agree with impelse, but I liked the info.

I am very curious though, do pentesters really charge companies ~10-30k USD to check their website?


I have heard of pentests on government websites for around 7.5k USD for the "small package", which apparently didn't include 1x SQL Injection, 3-4x non-persistent XSS and 1x directory traversal (path disclosure) vulnerability.

What I call the excuse was that the full package of 15k USD wasn't bought and therefore these vulnerabilities weren't found.

But after providing my services afterwards, to the exact same instance, these vulnerabilities were discovered in ~1 hour. (Without charge; personal contact.)


Anyway, back on topic: you can use a commercial tool like Acunetix; it's efficient and it is able to find the most obvious security holes, including a few not so obvious ones. However, no commercial tool that I know of is able to find the well "hidden" and more obscure security holes.

These also exist on many websites, and luckily most script kiddies don't know how to exploit these, but blackhats do or will be able to.

Therefore I still think the best option, as COm_BOY said, would probably be to hire a pentester whom you of course must trust both ethically and in his or her skills.

Educating an employee already interested in security could be a big plus too, but this takes time and thereby money as well. But it may be cheaper over the long term if the target employee is able to learn and keep up with the trends and attack vectors in web application security. (New attack methods are developed ~yearly, mostly related to incorrect implementation of JavaScript, PHP, ASP, etc.)
« Last Edit: October 27, 2010, 11:54:21 AM by MaXe »

I'm an InterN0T'er
H1t M0nk3y
« Reply #7 on: October 27, 2010, 12:36:29 PM »

Yes, hire a web apps pentester.

Like MaXe and COm_BOY said, you need to know how to use these tools. More importantly, you need to know how to "feed" them with information.

For example, several tools can find SQL injection flaws when they get a database error message printed on the screen. But for blind SQL injection, many tools can exploit it, but I am not aware of one tool that can reliably find them...

Same with XSS. Tools can easily find reflective XSS but not stored or persistent ones.

You need a real human who can wield these toys...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
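To make the distinction in the reply above concrete (findings a scanner can see because the database prints an error, versus blind cases that show only a behavioural difference), here is an added example that is not from the thread or from any tool it mentions. It is written from the developer's side: a small Python script with a constructed in-memory SQLite table, a lookup built by string concatenation beside its parameterized replacement, and a check a developer can run against their own data-access code to confirm that hostile-looking input is treated as plain data. The table, the sample users, the probe strings and all function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_USERS = [("alice", "admin"), ("bob", "staff"), ("carol", "staff")]


def make_db():
    """Build a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """The defect: user input is spliced into the SQL text, so it can change the grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the driver binds the value separately, so it is always data, never SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def observe(lookup, conn, value):
    """What an outside observer (or a scanner) can see: either a database error
    or a row count. Returns ("error", exception class name) or ("rows", count)."""
    try:
        rows = lookup(conn, value)
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    return ("rows", len(rows))


# Two probe values a developer test can use. The first breaks the SQL syntax
# (the error-message case tools catch); the second keeps it syntactically valid
# and only changes the result set (the blind case, where no error is printed).
HOSTILE_INPUTS = ["'", "x' OR '1'='1"]


def treats_input_as_data(lookup):
    """Developer-side check: a correct lookup must behave exactly like a lookup
    for a non-existent user, with no error and no extra rows, for every probe."""
    conn = make_db()
    baseline = observe(lookup, conn, "no-such-user")
    for value in HOSTILE_INPUTS:
        if observe(lookup, conn, value) != baseline:
            return False
    return True


if __name__ == "__main__":
    conn = make_db()
    for label, lookup in [("concatenated", lookup_vulnerable),
                          ("parameterized", lookup_parameterized)]:
        for value in ["alice", "no-such-user"] + HOSTILE_INPUTS:
            print(label, repr(value), observe(lookup, conn, value))
        print(label, "treats input as data:", treats_input_as_data(lookup))
```

Running it shows the two failure signatures side by side: the concatenated lookup raises a database error for the stray quote (the signal error-based detection keys on) and returns all three rows, with no error at all, for the tautology (which is why the blind variant is hard for a tool to find without a human comparing responses). The parameterized lookup returns zero rows for both, the same as for any unknown name, so the check passes. The same shape of test works against any driver that supports bound parameters.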
COm_BOY
« Reply #8 on: October 27, 2010, 11:29:07 PM »

By 10-30K I meant an organization pen test rather than a single website/IP/server. I have even heard of people getting 60K for a pen test of an organization.... prices vary!

VICKS_DX
« Reply #9 on: October 28, 2010, 12:33:04 AM »

Yes, I needed an open source tool. I don't want to hire a pentester as this would be done locally and not on the internet, and thus if I need to learn a tool I have a whole lot of time to do that. And since me and my team are deciding to perform this testing on the internal network, we have scope for all sorts of trial and error. If any of you have performed such testing, please put some light on the same :)

Thanks

MaXe
« Reply #10 on: October 28, 2010, 03:31:35 AM »

The Web Application Hacker's Handbook:
http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778

I heard it was good, but I haven't read it yet.

Open source tools can e.g. be found in The Penetration Tester's Open Source Toolkit vol. 2, which may seem a bit "outdated" to some since an older version of the rapidly evolving BackTrack Linux distribution is mentioned; however, most of these tools are essentially the same even though there may be new features and bug fixes in later versions.

Some of the tools I use are:
Firefox with these addons: Firebug, Tamper Data, Live HTTP Headers and Add 'N' Edit Cookies.
(There's a list here too, but it is not up to date: http://firecat.intern0t.net/ )

I should note that I only use a few select tools, because I really don't need to use a lot of tools. If I need something beyond the tools I have, I just write it in Python or PHP etc.

Now when you have Firefox with at least most of these bare minimum addons (Add 'N' Edit Cookies hasn't been available for later versions of Firefox for a long time), then you can proceed onto learning and of course installing:

- Nikto (written in Perl, so you also need to install Perl.)
- A transparent proxy (Burp Suite, WebScarab, Paros Proxy, etc. Most of these are written in Java.)
- W3AF (Not that easy to use and install, but it works quite well for some types of pentests; mostly I don't use it.)
- And a bunch of online tools like http://intern0t.net/xssor (encode strings in a fast way.)

However, with these tools you should have a good start.

You could also install SQLmap since you're aiming at finding SQL injection vulnerabilities, but keep in mind that most of these tools are indeed very nice, but they are unfortunately not that easy to use, especially for beginners, and all of the tools except the manual method can return false positives too. Even false negatives.

Of course, I suggest you check out BackTrack if you're just wanting a lot of tools, but as mentioned previously, you need to understand how these tools work and also how to hack manually. Being able to audit (review) code is not a requirement but it adds a big plus in case you need to find more "obscure" vulnerabilities.

H1t M0nk3y
« Reply #11 on: October 28, 2010, 06:45:04 AM »

@VICKS_DX If you don't know security well, you shouldn't perform a security assessment for a company. You will more than likely miss vulnerabilities based on inexperience...

I will say it again, no tool can find all vulnerabilities. You need to sniff and inspect traffic, understand protocols, etc.

You said you were looking at SQLi and XSS. But what about XSRF (or CSRF), session management, web services, AJAX, etc.?

You will find tons of resources and help on this forum, but don't play the "Sorcerer's Apprentice" with the company's assets...

impelse
« Reply #12 on: October 28, 2010, 09:43:54 AM »

I perceive that you want to do it for good security and to learn. If I were you, instead of buying the tool, buy the eLearnSecurity training, begin with the web module, learn from that and check your system. I am doing the certification exam, and just doing the exam I am learning a lot, including doing the documentation; the tool that I used is only to get information, the hack part I did manually.

VICKS_DX
« Reply #13 on: November 10, 2010, 07:23:12 AM »

This is not helping me, guys....

sil
« Reply #14 on: November 10, 2010, 08:17:49 AM »

Quote
This is not helping me, guys....

What is the type of response you're expecting? Your initial question was: "Is there any tool which would help me accomplish this task, or is there any other way to do this? Please guide me with your suggestions." To which you received responses and guidance on:

1) Tools: A starting point of tools to use (OWASP based)
2) Recommendations: If you don't know security well, you shouldn't perform a security assessment for a company. You will more than likely miss vulnerabilities based on inexperience...

Now, you haven't been specific enough and your use of shrtning wrds fr whtvr rsn is slghtly annyng n ne cse i wll answr...

For starters you should be a little more specific in your requirement(s): "I need a little help from you guys. Our organisation develops and maintains a website for its employees for the administration part. I was thinking of checking whether it is vulnerable to SQL injection or cross-site scripting attacks. I can test the website and its contents locally on a different machine." This is rather broad. What kind of server are you testing against? Apache, IIS? What kind of applications are running on it? What kind of database are you focused on?

See link: http://tinyurl.com/37acsd4

With that out of the way, I will give you something else to read and ponder. It's something I answered 2+ years ago:

Quote
I need to fix my car, therefore I will go into Sears purchase every single automotive related tool, take my car apart, hope to understand what I'm doing, then attempt to put it back together. Can anyone tell me which tools I can buy to undergo this task?

Downloading tools means nothing if you don't fully understand what it is you are doing. Take the time to learn the protocols, how things work, learn how intercommunications work before attempting to just download every tool you can find.

Penetration testing is not always a science and not always an art. There is a lot of information to be understood. So you go and download all these tools for what? Would you understand how to glean info from a packet capture? Would you understand the difference between networks, servers, protocols?

My suggestion would be to begin reading into the OSI layers then moving on to RFC's. I'd start with networking since without a network, there would be no compromise. Local machine with login, sure, but there could be no hacks pulled off on the LAN side since there is no connectivity.

Understand how processes communicate with each other, how and why things happen. It's easier down the road to understand what is going on in terms of security. One doesn't need uber tools if one knows what they're doing from the protocol level on up.

Suggestion: Learn networking, learn systems, learn protocols; otherwise you end up devaluing the work of others, not to mention yourself. A monkey can be trained to run a tool and most tools out there are that simple. Understanding the entire range of what you are doing is better in the long run. Think about it: if I hired you to perform a pentest on my network and you couldn't explain to me what it is you intend on looking for, how it works in my network, what functions my vulnerabilities perform, why I should remove these functions, I'd sit back at my desk and think of the script kiddiot in you.

Too many (quote) professional pentesters have been taking this attitude: "I use Cenzic!@$" that it makes me wonder where this industry is headed. It also makes me think about how many vulnerabilities unclued pentesters can bring into an environment.

http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2008-09/msg00094.html

So I'll start from the beginning... What is it you need to do again and why didn't the information provided help you so far? If possible, please be a little more specific. E.g.: "I'd like to find an open source tool to perform a "VULNERABILITY ANALYSIS" (there is a difference between a pentest and a vuln analysis) of my webserver. I am running IIS on a Windows 2008 using MS-SQL."

That may get you more clear-cut and accurate responses. Your initial message comes across as "hi I need an all-inclusive tool to think for me and find all bugs before hax0rs do! Please give me a direct link for the most uber-free tool to use so I can fire and forget without understanding what is occurring!"

I don't mean this in a negative or harsh way. Simply a realistic interpretation of how this entire message came across. I state this with the response you were given, which is solid free advice: "If you are unsure what you are doing, maybe you shouldn't be doing it." Firing off tools means nothing as tools won't always yield real world results (when I finish my RWSP thesis up, I'll post it so others may concretely understand this). Experience will always trump a tool and your reliance on an automated output will be skewed. ESPECIALLY if you don't know what you're doing.

http://www.infiltrated.net/trained_monkey.jpg
