WIKI SAYS: Secure Sockets Layer (SSL), is cryptographic protocols that provide communication security over the Internet.TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange,symmetric encryption for privacy, and message authentication codes for message integrity.
Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP). (via[http://en.wikipedia.org/wiki/Secure_Sockets_Layer] )

Running sslstrip

• Flip your machine into forwarding mode. (echo "1" > /proc/sys/net/ipv4/ip_forward)
• Setup iptables to redirect HTTP traffic to sslstrip. (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>)
• Run sslstrip. (sslstrip.py -l <listenPort>)
• Run arpspoof to convince a network they should send their traffic to you. (arpspoof -i <interface> -t <targetIP> <gatewayIP>)

How does this work?

This alarming program reveals the daily battle between the Internet’s outlaws and the hackers who oppose them by warding off system attacks, training IT professionals and police officers, and watching cyberspace for signs of imminent infowar.
Through interviews with frontline personnel from the Department of Defense, NYPD’s computer crime squad, private detective firm Kroll Associates, X-Force Threat Analysis Service, and several notorious crackers, the program provides penetrating insights into the millions of hack attacks that occur annually in the U.S. – including one that affected the phone bills of millions and another that left confidential details of the B-1 stealth bomber in the hands of teenagers.
The liabilities of wireless networks, the Code Red worm, and online movie piracy are also discussed.

Introduction

Features

• Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
• Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
• Privilege escalation to sysadmin group if 'sa' password has been found
• Creation of a custom xp_cmdshell if the original one has been removed
• Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
• TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
• Direct and reverse bindshell, both TCP and UDP
• ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
• DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works) 
• Evasion techniques to confuse a few IDS/IPS/WAF
• Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
• Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
• Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM

Platforms supported

• Linux
• FreeBSD
• Mac OS X

Introduction:

Screenshot:

Features:

• Full support for http, https website.
• Full support for Basic, Digest, NTLM http authentications.
• Full support for GET, Post, Cookie sql injection.
• Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
• Full support for four SQL injection techniques: blind, error-based, UNION query and force guess.
• Powerful AI engine to automatic recognite injection type, database type, sql injection best way.
• Support to enumerate databases, tables, columns and data.
• Support to read,list and write any file from the database server underlying file system when the database software is MySQL or Microsoft SQL Server.
• Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is Oracle or Microsoft SQL Server.
• Support to ip domain query,web path guess,md5 crack etc.
• Support for sql injection scan.

Download:

• .NET Framework 2.0 or above needed to install

• Safe3SI v9.0

Features

• Support for injections using Mysql, SQL Server, Postgres and Oracle databases.
• Command line interface. Different commands trigger different actions.
• Auto-completion for commands, command arguments and database, table and columns names.
• Support for query filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
• Exploits SQL Injections through GET and POST methods.
• Developed in python 3.

Tutorial

In this tutorial, you will learn how to use The Mole to exploit SQL Injections, extracting data from the database and reading files from the vulnerable server.

In order to read a complete reference of The Mole's commands and how to use them, please visit http://www.aldeid.com/wiki/TheMole (btw, thanks to Sébastien Damaye for writing such a complete guide!).

Before we start, you must know what is required in order to exploit a SQL Injection using The Mole. Once you have found a vulnerable script, you have to find a string which normally appears in the web page, but does not appear when you negate the query which is being executed on the database(by modifying the vulnerable parameter).

Identifying the injection

This example will be shown using this test site:

Okay, assuming we don't know there's a SQL Injection, we will ensure there is one on the parameter "id". We negate the query which will be executed in the database, and try to find the string above mentioned.

Fine, we see the string "admin" has disappeared. We will provide this string to The Mole and exploit the injection.

Exploiting the injection

First of all, we execute The Mole using the parameter "-u" to indicate which URL we will be using, and "-n" to indicate the needle/string. Our command should look like this:

./mole.py -u 'http://192.168.0.142/vulnerable/sqli.php?id=1' -n 'admin'




The mole will start and give us a prompt:

Notice that by default, the last parameter on the URL is used as the vulnerable parameter. If you want to specify another parameter as the vulnerable one, you can use the "-p" command line argument, or use the "injectable_field" command.

Windows users

Windows users shoud be aware that when using the "-u" command line argument, the "&" characters have to be escaped manually using the "^" character. Therefore, if the URL has two parameters, it should look like this:

mole.exe -u http://192.168.0.142/vulnerable/sqli.php?param=1^&id=1 -n 'admin'




You can also set the URL by using the "url" command, so you can paste the URL without quoting it. The needle can also be set using the "needle" command.

---

Okay, we are ready to go. First of all, we want to know which databases are available on the system. The command "schemas" will dump their names.

The Mole has done two things here:

• Find exploitation parameters, such as number of columns, the comment to be used, the back-end database, the number of parenthesis, etc.
• Once it has been initialized, it dumps the database names, using back-end database specific queries.

Note that the initialization phase is done only once. Moving on, we will dump the tables in the "test" database. The "tables" command does that, and requires the database name as its argument:

Great! There's a "users" table! Now we need to find the columns of that table. The "columns" command requires the name of the database and table name as its arguments.

We see 3 columns, id, username and password. Now it's time to dump those hashes :D. The "query" command requires the database name, the table name, and a list of comma-separated columns to dump. Alternatively, you could use '*' in the columns field, but we don't want to dump the "id" column right now, so we will do it manually. Remember that The Mole provides nice autocompletion features, so the database, table and column names will be autocompleted whenever you press the TAB key.

Nice! We've got the administrator's credentials. However, when we dumped the database names, we could see "mysql", so we probably have mysql root privileges. Let's find out by using the "dbinfo" command, which will dump the database user, name and version.

Ha, thought so, we have root privileges. Okay, lets try reading a file by using the "readfile" command, which expects the filename to be read as its argument. We will read /etc/passwd as an example.

Okay, now we move on to the handy commands which will make things faster. Imagine we don't know which tables exist on the "mysql" table. In this case, the injection goes quite fast, since it can be exploited through the union technique, however, Blind SQL Injections are pretty common. In the latter case, dumping the name of every table in a certain database can be quite slow. In this case, we will use the "find_users_table" command, which tries to find a table name in a certain database which "looks like" it might contain usernames and passwords(based on its name). Note that this command does not use any metadata database/table, such as information_schema.tables, so it can be used in scenarios where the back-end database is a Mysql < 5, which does not contain the information_schema databse.

This command contains a small list of names, you can artenatively use "find_tables" which tries to find tables using a list provided by you.

As expected, mysql.user exists :D. Now we will use another command which will be more useful, but requires information_schema(or any other DBMS database which serves the same purpose) to exist. The "find_tables_like" command requires a database as its first argument and a string which will be used to search for database names. You can use the '%' wildcard, or any other database specific. As an example, we will find all tables that contain the substring "ABLE".

Going back to the "query" command, we can use some extra parameters which will be useful under certain situations. We can limit the number of rows to be dumped and/or indicate the first index from which to start the dump(0-index based). This prints only one row, starting from the second index. 

We can also indicate a "where condition", in order to only dump rows which match it.

To sum up, here's a video of The Mole exploiting a SQL Injection, using both union and blind techniques.

VIDEO:

======

=DOWNLOAD=

http://themole.sourceforge.net/?q=downloads

Official Site:

http://themole.sourceforge.net/

Reference:

http://themole.sourceforge.net/

http://themole.sourceforge.net/?q=tutorial