Thursday, March 19, 2015

SQLMAP Web GUI

It has certainly been a while :)

The last few weeks I have been teaching myself a little PHP to help improve my skills and knowledge. In the process I decided to try and make a Web GUI for SQLMAP. When I originally started I was unaware of the JSON API that they already have available through sqlmapapi.py (available from latest versions in github repo). The API itself is not documented anywhere really so I took it as a small challenge to see what I might be able to slap together. You can find most of the API functionality documented to best of my ability in the SQLMAPClientAPI.class.php file I wrote, hopefully it will be helpful to others in the future that look to expand or write cooler GUI's and apps for the API.

Quick View of the core SQLMAPClientAPI.class.php:


Now once I had that working, I decided to dive on into trying to make a front end. To date, I have only ever really tried breaking web applications, never really building them (I think I learned things backwards and wouldn't advice this path to others). I decided to use Bootstrap since it was easy to pickup and run with and well documented. The look is clean and simple for now, meets my minimum for acceptability test I suppose but leaves lots of room for improvements if you do this on a regular basis. I documented things in the source as best I could, where I could, but nothing too magical with the front end work and as I said plenty of room for further improvements...

A few snapshots to show off the basic view:


I broke the  form up into tabbed areas to make it all a little easier to swallow since SQLMAP has a whole lot of options to configure scans with. The actual scan opens in a new tab so you dont loose all the form data and allows you to continue enumerating target as you build up info (I like it this way :p).

Request modifications:

Detection modifications:


Injection & Technique modifications:


Enumeration & Data Dumping modifications:


System Access & Advanced Exploitations:

You can find the code on Github for your forking, pulling, and pushing delights: https://github.com/Hood3dRob1n/SQLMAP-Web-GUI

How to get things setup:
  •  Install SQLMAP and all necessary dependencies per the standard sqlmap instructions...
  •  Get a basic LAMP setup going per your favorite distro's guide
    •  NOTE: MySQL is not being used for this project at this point in time
  •  Download the Web GUI files from my new github repo I created (https://github.com/Hood3dRob1n/SQLMAP-Web-GUI)
    • Edit the sqlmap/inc/config.php from the GUI files so the correct paths are in place for your box
    • Then copy all the web_gui/sqlmap/ files to the web root directory for your server /var/www/sqlmap/
  •  Start up the API server when you want to use it, otherwise GUI will fail
  •  Surf to your new SQLMAP Web GUI in browser to enjoy

Here is a few quick videos I made to show that almost all of your usual SQLMAP command line functionality is still possible via the Web GUI.

Demo against: Windows 2003 Server, IIS/6.0 + ASP + MS-SQL 2005


Demo against: Linux (CentOS), Apache, MySQL, PHP




It is entirely possible that the API Server runs on one server while the Web GUI Frontend runs on a different server, simply make the proper edits to the config file so they can communicate. There still remain a few obstacles in some advanced functions I want to add due to how the API Server works. I plan to try and work on them as time goes on. I had several friends tell me to put this out there and I feel pretty happy with where things are for now that I decided to share with everyone that might be interested.

Open to suggestions and feedback, hope you guys like it!


My Current ToDo List:
  • Ask SQLMAP team to modify the logger or work with me on how to extract info log while it is running scan
    • Would love to present scan log info while the spinner wheel is running during an active scan so you know what is going on
    • Currently the scan log info seems to be set in a blocking manner so that the active scan needs to finish before logs can be parsed/extracted from API
    •  The admin panel seems to suffer from this blocking behavior as well.
      • I would like to improve this function/feature in future but current blocking behavior makes it too annoying to work on for now
  • Ask SQLMAP team to modify the --answer delimiter value or allow custom one to be set
    • Affects ability to pass in more than one path when using file write options (which takes a csv list of paths, but --answer mistakes them as multiple answers instead)
  • Ask if MSF Advanced Exploit options (--os-pwn, --os-smb, --os-bof, --priv-esc) could be prompted differently
    • Currently assumption is that sqlmap attack box is the box that should also accept MSF payload call backs
    • Should allow new option to be added so user can specify a remote IP and PORT instead of local IP/PORT
    • Current setup causes API to hang in an infinite loop if a remote IP/PORT specified
    • The GUI version of these is disabled until can fix
  • The --os-cmd option doesn't seem to return output to API properly with MySQL (works fine for MS-SQL), more testing needed to report bug if indeed a bug...
  • Ask if SQLMAP team would consider moving away from using Python's pickle method for serializing options passed from API to CLI
    • Also use a different web server that doesn't use the same pickle method
    • pickle.loads() and pickle.dumps() are known to be susceptible to Python Object Injection attacks that can lead to code execution
    • Current use of API Server doesn't call the vulnerable cookie decoder the bottle server has built in, so safe for now...
      • Currently my attempts to find a working exploit seem to break the json which stops it from passing through to execute by sqlmap
      • I'm concerned someone smarter than me can figure it out and find a way to sneak some pickled py code through to achieve rce
      • If you know how, please show or send me a quick POC as I would love to see how it is accomplished in this particular situation
    • Until this is address or confirmed safe by more people, I can't widely suggest or really recommend running this Web GUI on a open web facing server to untrusted users of the interwebs
    • Did my best to secure the few areas I found problems with for trying to get it to be safe web facing
      • Nothing can be done without API server running so secure enough for me to use locally or spin up as needed, you will need to decide your own security...
  • Add options to config.php to allow settings or levels to activate and expose some of the other options not currently available as of right now
    • evalCode, proxy options, tor use, etc
  • Do more testing:
    • May have some issues with PHP < 5.3, not tested and still a PHP n00b so all bets are off...
    • Setups Confirmed Working:
      • Debian 7, PHP 5.4.4-14+deb7u14
      • Debian 7, PHP 5.4.36-0+deb7u3
      • Ubuntu 12, PHP 5.3.10-1ubuntu3.17
      • Kali w/PHP 5.4

Monday, January 13, 2014

Searchsploit-rb - Exploit-DB Search Tool gets an upgrade?

Exploit-DB is pretty famous for their collection of exploits and papers and if you are not familiar with them then then you should use some Google-fu to check up on them. They should be a bookmark found in pretty much any hackers handbook. In the past they had made their full archive available for download over HTTP, which was shaky at best and unless you scheduled it with cron or something you never knew if you had the latest and greatest and updating from a scripted manner was not always reliable (for me anyways). I had previously coded this tool in the past for the old archive methods, but today I noticed on Reddit they have moved to Github - w00t! This makes things much easier for everyone, well most people anyway.

Now they have had their archive collection for some time and the searchsploit bash script works just fine, however it can be too simplistic at times and not yield the results we want, unless you match your search syntax to its janky search method. It also lacks color and output logging. I had some time this morning so I decided to update my old script to take advantage of the simplicity of Github to allow easy fetching of new copies and/or updating existing ones. I also added a bit of color to the presentation of the results. It's very helpful for me so thought I would share with the rest of you...

To download exploit-db archives on your own from command line using normal git client:
COMMAND: git clone https://github.com/offensive-security/exploit-database.git

Then to update from command line when you want, you simply pull:
COMMAND: git pull

This can all be done from within my tool so now you can update and search from one place :) Here is a quick overview and a link to my Github page where you can find it.

Help Menu:



If it can't find the archive setup, it will offer to download via git for you:

Search by a range of options with option to log results to file:


NOTE: this can be handy when you get a lot of results (SQL Injection searches mostly...)

Easy peazy updating now that things can leverage Github:



You can find things on my Github page:
git clone https://github.com/Hood3dRob1n/Exploit-DB-Local-Archive-Search-Tool.git

Should only need to install the 'colorize' gem to get things started with ruby:
sudo gem install colorize





Special thanks to everyone on the Offesive Security
 team that helps to make exploit-db and all of their other awesome projects possible!

Until next time, enjoy!

Wednesday, January 8, 2014

Shodan Search Tool w/My Ruby API Class

Today I just wanted to share a little something I made for Shodan. If you don't know what Shodan is, then I highly recommend you check them out and do some quick googling to see what others have done with its help. I initially tried using their published ruby gem and published API documentation but it failed miserably (likely could just be me, but seems their code is outdated with how their site provides output now, idk). I really like Shodan though so I decided to create my own version of their API so I could get started on making a cool search assistant I can run from the command line with some basic logging for analysis after. Once I finished redoing the API class, I made a little CLI based search tool to make quick Shodan research a snap and am now sharing with the rest of the world, hope its helpful for others.

Prerequisites:
sudo gem install colorize curb json nokogiri

NOTE: curb uses libcurl under the hood so you might need to install this if not already included on your OS

Basic Help Menu:


You can run a basic Shodan search and display the results, which are also logged to the results folder.


The logged results are overwritten on each search so you need to rename it or move it if you want to use it later and plan to run multiple searches.

I also made option for quick search which runs a Shodan search and returns the list of IP addresses from results, skipping all the details. I typically run a normal search, then a follow up quick search on same keywords to pass of lists to other tools in a speedy fashion while manual review is more involved with the full search results...

Shodan also offers up a nice search feature to search for exploits which leverages multiple exploit databases. I currently have the Exploit-db and Metasploit search engines available and fully working. This means you can easily search for known exploits with variety of keywords and get matching results displayed and logged for you.

You can even download the exploit/poc code from search results by referencing the ID number from results.

ToDo List:
Include options to search tool for premium search options (somewhat built into my API Class already but not in tool). Include a Gemfile for easy installs for bundler lovers. Also I have not uploaded things to Github yet as I fried my old box and lost a lot of stuff, working on recovery still but should have it updated soon. Until then you can find things on Pastebin, available for a long while...

My Shodan API Standalone Class:

Direct link: http://pastebin.com/q6LZJqcD


My Shodan API Search Tool, Source Code:

Direct Link: http://pastebin.com/B0SdmmrX

Helpful for me, hope it is for you too!

Until next time, Enjoy!

Tuesday, December 31, 2013

XMAS Gifts from ifixit.com for Bug Bounty

I just wanted to give a quick shout out to the nice folks over at ifixit.com. I recently submitted a few small bugs to them and they were hands down the nicest folks I have ever communicated with when it comes to reporting of bugs! They were very responsive in all communications and in patching of the site. They added me to their responsible disclosure page and even sent me some nice swag as a added thanks. The gear arrived to me on Christmas morning which made my day even better! Thanks ifixit.com

T-Shirt, Handy Mini Toolset & Stickers:

Friday, November 8, 2013

Yet Another SMB PSEXEC (Y.A.S.P) Tool

I was working on my own version of an updated standalone PSEXEC tool in ruby, leveraging the MSF standalone as a base along with some of the newer modules that have been released. Unfortunately SMBEXEC 2.0 was recently released which pretty much does the same thing functionality wise but has threading so its probably a bit cooler but thought I would still post mine out there for anyone who cares to take it for a spin. It is single target focused and a little different in the look and feel in comparison to some of the others available so who knows. It works for me, hope it works for someone else too....

I first started off trying to do things on my own by writing classes to wrap the smbclient tool which now supports the pass-the-hash option or can be fairly easily patched to address this. This Samba suite also includes the rpcclient tool which I originally planned to leverage to make some magic happen. Well I got the wrappers working, but was not able to get things fully working with just these two classes. I do recommend playing around with rpcclient as it is an interesting tool and can lead to a lot of insight against a remote target but that's another story. So after giving up on the rpcclient option i did some checking on the net and found some great references from Mubix and Chris Gates on the MSF standalone tool and some ways to play with it. As Chris and Rob point out the librex library is available outside of MSF as a standalone gem which gives you tons of power to do all kinds of neat things on your own. Being that the hard work was already done and available as reference in MSF i decided to borrow what i could from there and merge with my own wrappers and code to get what I wanted. The end result is an smbclient with all the psexec fun and then some.

It can do some basic recon without creds, which I am working on improving but its main focus is on re-using valid credentials. Once authenticated it's capable of running single commands using the PSEXEC technique or jumping into a pseudo shell to execute multiple commands.


Download registry hives for offline pillaging


Leverage MSFVENOM to generate shellcode and then run payloads using PowerShell (my favorite):

NOTE: You need to specify the hostname for Vista+ targets or connection will fail. You can use raw netbios requests or tool like nbtscan to find this pretty quickly and without any pain. On older targets you can omit this field for connection configuration.

The full list of available options once authenticated:


And here are a few demo videos I made to show off how you can use it....

Y.A.S.P. vs Standalone 2k3 Server:



Y.A.S.P. + PowerShell Payload vs Windows 7:
NOTE: It does leverage MSFVENOM currently to generate shellcode which gets converted over to PowerShell acceptable format and then executed via PowerShell command




Y.A.S.P. vs 2k3 Domain Controller + Active Directory Dumping 101:



You can find all the source code along with all the tools used or referenced in the above videos on my github page here: SOURCE + TOOLS

You can keep an eye on Github as I will be working on this one over time to smooth out a few things and add a few more things to it which I wasn't comfortable with rolling out just yet but again just sharing to share and inspire more coders to code cool shit. Until next time, Enjoy!