Earlier I had written about performing SQL injection in search field and how to do a DoS attack and privilege escalation using 'Like' operators. Now another SQLi exploitation I came across recently. That too in the search field. This becomes important as lots of people don't pay much attention on the search forms/ fields in the application. My aim is to show that a search form can also be exploited with SQL Injection. The following queries are based on a real world exploitation. The steps and data are for just illustration purpose only.
Suppose, the search form provides the details of users who have accessed the application some time and their login time details etc, we just need to provide their name in the search box provided. All the data were being going as Post request.
So, to just fingerprint the database, I provide, 'nil'+'esh' in the search field and it successfully gives me the results. That means the database behind the application is concatenat…
The great open source Nipper tool, used for auditing infrastructure and network devices, has now become commercial. So visiting http://sourceforge.net/projects/nipper/ would give you the latest version (1.0) which is of little help, as it contains the stripped version. So, no use of it. Fortunately, my friends on Null suggested me few links from where still the older version (0.11-12) could be downloaded. One of such link is:
http://tools.l0t3k.net/NETWORKutils/ , you can download nipper-inone-0.12.6.zip. It's an exe and you can run it directly.
Alternate method: Upgrade to BackTrack5 R2. The latest version includes the Nipper-ng tool. To update to the latest version: http://www.backtrack-linux.org/backtrack/upgrading-to-backtrack-5-r2/
Also, once upgraded you need to install Nipper on the new kernel:
apt-get install nipper-ng
Screenshot from BT5 R2: