• System upgrade
• Performance boost
• New look
• Improved start menu

• 32-bit or 64-bit processor
• 256 MB of system memory (RAM)
• 4.4 GB of disk space for installation
• Graphics card capable of 800×600 resolution
• DVD-ROM drive or USB port

Introduction

Features

• Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
• Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
• Privilege escalation to sysadmin group if 'sa' password has been found
• Creation of a custom xp_cmdshell if the original one has been removed
• Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
• TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
• Direct and reverse bindshell, both TCP and UDP
• ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
• DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works) 
• Evasion techniques to confuse a few IDS/IPS/WAF
• Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
• Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
• Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM

Platforms supported

• Linux
• FreeBSD
• Mac OS X

Introduction:

Screenshot:

Features:

• Full support for http, https website.
• Full support for Basic, Digest, NTLM http authentications.
• Full support for GET, Post, Cookie sql injection.
• Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
• Full support for four SQL injection techniques: blind, error-based, UNION query and force guess.
• Powerful AI engine to automatic recognite injection type, database type, sql injection best way.
• Support to enumerate databases, tables, columns and data.
• Support to read,list and write any file from the database server underlying file system when the database software is MySQL or Microsoft SQL Server.
• Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is Oracle or Microsoft SQL Server.
• Support to ip domain query,web path guess,md5 crack etc.
• Support for sql injection scan.

Download:

• .NET Framework 2.0 or above needed to install

• Safe3SI v9.0

Features

• Support for injections using Mysql, SQL Server, Postgres and Oracle databases.
• Command line interface. Different commands trigger different actions.
• Auto-completion for commands, command arguments and database, table and columns names.
• Support for query filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
• Exploits SQL Injections through GET and POST methods.
• Developed in python 3.

Tutorial

In this tutorial, you will learn how to use The Mole to exploit SQL Injections, extracting data from the database and reading files from the vulnerable server.

In order to read a complete reference of The Mole's commands and how to use them, please visit http://www.aldeid.com/wiki/TheMole (btw, thanks to Sébastien Damaye for writing such a complete guide!).

Before we start, you must know what is required in order to exploit a SQL Injection using The Mole. Once you have found a vulnerable script, you have to find a string which normally appears in the web page, but does not appear when you negate the query which is being executed on the database(by modifying the vulnerable parameter).

Identifying the injection

This example will be shown using this test site:

Okay, assuming we don't know there's a SQL Injection, we will ensure there is one on the parameter "id". We negate the query which will be executed in the database, and try to find the string above mentioned.

Fine, we see the string "admin" has disappeared. We will provide this string to The Mole and exploit the injection.

Exploiting the injection

First of all, we execute The Mole using the parameter "-u" to indicate which URL we will be using, and "-n" to indicate the needle/string. Our command should look like this:

./mole.py -u 'http://192.168.0.142/vulnerable/sqli.php?id=1' -n 'admin'




The mole will start and give us a prompt:

Notice that by default, the last parameter on the URL is used as the vulnerable parameter. If you want to specify another parameter as the vulnerable one, you can use the "-p" command line argument, or use the "injectable_field" command.

Windows users

Windows users shoud be aware that when using the "-u" command line argument, the "&" characters have to be escaped manually using the "^" character. Therefore, if the URL has two parameters, it should look like this:

mole.exe -u http://192.168.0.142/vulnerable/sqli.php?param=1^&id=1 -n 'admin'




You can also set the URL by using the "url" command, so you can paste the URL without quoting it. The needle can also be set using the "needle" command.

---

Okay, we are ready to go. First of all, we want to know which databases are available on the system. The command "schemas" will dump their names.

The Mole has done two things here:

• Find exploitation parameters, such as number of columns, the comment to be used, the back-end database, the number of parenthesis, etc.
• Once it has been initialized, it dumps the database names, using back-end database specific queries.

Note that the initialization phase is done only once. Moving on, we will dump the tables in the "test" database. The "tables" command does that, and requires the database name as its argument:

Great! There's a "users" table! Now we need to find the columns of that table. The "columns" command requires the name of the database and table name as its arguments.

We see 3 columns, id, username and password. Now it's time to dump those hashes :D. The "query" command requires the database name, the table name, and a list of comma-separated columns to dump. Alternatively, you could use '*' in the columns field, but we don't want to dump the "id" column right now, so we will do it manually. Remember that The Mole provides nice autocompletion features, so the database, table and column names will be autocompleted whenever you press the TAB key.

Nice! We've got the administrator's credentials. However, when we dumped the database names, we could see "mysql", so we probably have mysql root privileges. Let's find out by using the "dbinfo" command, which will dump the database user, name and version.

Ha, thought so, we have root privileges. Okay, lets try reading a file by using the "readfile" command, which expects the filename to be read as its argument. We will read /etc/passwd as an example.

Okay, now we move on to the handy commands which will make things faster. Imagine we don't know which tables exist on the "mysql" table. In this case, the injection goes quite fast, since it can be exploited through the union technique, however, Blind SQL Injections are pretty common. In the latter case, dumping the name of every table in a certain database can be quite slow. In this case, we will use the "find_users_table" command, which tries to find a table name in a certain database which "looks like" it might contain usernames and passwords(based on its name). Note that this command does not use any metadata database/table, such as information_schema.tables, so it can be used in scenarios where the back-end database is a Mysql < 5, which does not contain the information_schema databse.

This command contains a small list of names, you can artenatively use "find_tables" which tries to find tables using a list provided by you.

As expected, mysql.user exists :D. Now we will use another command which will be more useful, but requires information_schema(or any other DBMS database which serves the same purpose) to exist. The "find_tables_like" command requires a database as its first argument and a string which will be used to search for database names. You can use the '%' wildcard, or any other database specific. As an example, we will find all tables that contain the substring "ABLE".

Going back to the "query" command, we can use some extra parameters which will be useful under certain situations. We can limit the number of rows to be dumped and/or indicate the first index from which to start the dump(0-index based). This prints only one row, starting from the second index. 

We can also indicate a "where condition", in order to only dump rows which match it.

To sum up, here's a video of The Mole exploiting a SQL Injection, using both union and blind techniques.

VIDEO:

======

=DOWNLOAD=

http://themole.sourceforge.net/?q=downloads

Official Site:

http://themole.sourceforge.net/

Reference:

http://themole.sourceforge.net/

http://themole.sourceforge.net/?q=tutorial

• Can automatically discover the VLAN ID and VLAN Hop (add a VoIP Interface, send a "tagged" dhcp request)
• VLAN protocol discovery methods:  CDP, Avaya DHCP, Nortel DHCP, LLDP-MED (Cisco), 802.1q
• Assessment mode:  Interactive, menu driven command interface (-z)
• Assessment mode:  Manually spoof CDP or LLDP-MED, or automatically VLAN Hop based on first discovered VVID
• Assessment mode:  DHCP client automatically times out if DHCP is disabled, and still adds the VoIP interface and ARP sniffer
• Assessment mode:  Can set a static IP address and spoof the MAC address of a previously discovered IP Phone, from a menu list ('s' option)
• Assessment mode:  Analyze and record any discovered hosts (IP and MAC) on default interface to hosts.txt file
• Assessment mode:  Automatically adds an ARP sniffer to VoIP VLAN interface after VLAN Hop, and records any discovered IP Phones (IP and MAC) to a file, voip-hosts.txt
• Can VLAN Hop without discovery, by the Administrator specifying a VLAN ID to attempt to "Hop" into (-v)
• VoIP DHCP client:  A fully integrated DHCP client.  VoIP Hopper implements DHCP messaging as function calls instead of relying on the old 'dhcpcd' client.  This opens up the door for future VLAN Discovery mechanisms for other vendors, such as Alcatel.
• CDP Modes:  Can spoof a Cisco IP Phone and automatically VLAN Hop, using three methods.  1)  CDP sniffing, 2) Spoofing a CDP packet specified by user input, 3) Spoofing a pre-constructed IP Phone packet of a Cisco 7971G-GE (fastest method)
• Avaya IP Phone VLAN discovery:  Can spoof the DHCP client Option 176 used by an Avaya IP Phone in order to automatically discover the VVID, and VLAN Hop.
• Nortel IP Phone VLAN discovery:  Can spoof the DHCP client Option 191 used by a Nortel IP Phone in order to automatically discover the VVID, and VLAN Hop.
• LLDP-MED support:  Support for sniffing or spoofing LLDP-MED capabilities used by an IP Phone, in order to enumerate the Voice VLAN ID.
• 802.1q VLAN Discovery:  By default, most ethernet switch ports that terminate IP Phones are enabled for 802.1q trunking, and permit access for at least two VLANs.  The broadcast ethernet frames of IP Phones (ARP) will be sent, tagged, to all members (switch ports) of the broadcast domain (all IP Phones on the VoIP VLAN).  By running a simple sniffer, you can capture the VVID.  VoIP Hopper automates this method of VVID discovery.
• Error correction with VLAN Interfaces:  Implemented a feature that checks to see if the IP address is already configured for the voice interface before attempting to add the new virtual interface, and tag the DHCP request.
• 802.1x Anonymous Voice VLAN Bypass:  VoIP Hopper can generate CDP packets in order to discover the Voice VLAN ID, as any IP Phone based on CDP would do.  In this CDP spoof mode, VoIP Hopper will send two CDP packets in order to decipher the VVID, then it will iterate between sleeping for 60 seconds, and sending another packet.  Not only is this faster than CDP sniffing, but it can also help bypass any mechanisms that rely on CDP for permitting access to the Voice VLAN.
• Voice VLAN Interface Delete:  VoIP Hopper can delete the created Voice interface (-d).
• MAC Address Spoof, then exit:  VoIP Hopper can change the MAC Address of an interface offline and exit, without VLAN Hopping.
• MAC Address spoof and automatic VLAN Hop, supporting multiple discovery methods
• MAC Address spoof, only on new VoIP Interface (keep default interface the same MAC Address) (-D)

• One of the most effective ways to run VoIP Hopper is the new, interactive assessment mode.  Simply run it as follows:  

• LLDP-MED spoofing:  You can spoof LLDP-MED packets to quickly learn the Voice VLAN ID, as follows:

• There are three CDP modes for VoIP Hopper.  Sniff (-c 0), Spoof with custom packet (-c 1), and Spoof with pre-made packet (-c 2).  To sniff for CDP and run a VLAN Hop into the Voice VLAN, simply run VoIP Hopper on the ethernet interface, in the following way:

• To spoof CDP in order to more rapidly hop to the Voice VLAN in Cisco SIP environments, run VoIP Hopper in the following way:

• To spoof CDP in order to more rapidly hop to the Voice VLAN in Cisco SCCP environments, run VoIP Hopper in the following way:

• To spoof CDP with a pre-made packet generated by a Cisco 7971G-GE IP Phone:

• VoIP Hopper also allows one to VLAN Hop to an arbitrary VLAN, without sniffing for CDP.  If you already know the Voice VLAN ID, or would like to VLAN Hop into another VLAN (without sniffing for CDP), you can run it in the following way (target VLAN ID is '200'):

• To discover the Voice VLAN in an Avaya IP Phone environment and automatically jump VLANs:

• To discover the Voice VLAN in a Nortel IP Phone environment and automatically jump VLANs:

• To spoof the MAC address of an IP Phone by sniffing for CDP (this changes the MAC address of default interface and new interface):

• To spoof the MAC address of an IP Phone using an Avaya DHCP request (this changes the MAC address of default interface and new interface):

• To spoof the MAC address of an IP Phone by VLAN Hopping without CDP or DHCP (this changes the MAC address of default interface and new interface):

• To spoof the MAC address of an IP Phone without changing the MAC address of the default ethernet interface (only spoof the new voice interface's MAC address):

• To simply spoof the MAC address of an interface and then exit.

• To delete the VoIP interface (eth0.200) created by VoIP Hopper:

Tutorial 1:  Assessment Mode video tutorial for VoIP Hopper 2.0

Tutorial 2:  LLDP-MED features of VoIP Hopper

Tutorial 3:  Hotel Exploit Demo ~ When DHCP is disabled