Sophie – a web SQL shell

Download v.0.2

If you can exploit a flaw to upload files to an executable directory in an IIS environment, there are plenty of web shells around (some of which may be trojaned but that’s another issue) to give you an interactive command prompt via your browser. If the application makes use of a MS-SQL database, the same flaw can be used to upload Sophie, a “web SQL shell”, giving you access to the database via your browser as well:

sophie0

As with SQL injection, the level of access will depend on how the application and database have been configured.

Sophie automatically parses the web.config file from the current application context for connection strings. In ASP.NET 1.0 and 1.1, connection strings were stored in the <appSettings> section. From ASP.NET 2.0, a specific <connectionStrings> section was made available for just this purpose. Nonetheless, it’s still possible (and you often see) connection strings stored in <appSettings>, therefore Sophie looks in both sections. What’s easy about the <connectionStrings> section is that, because it is precisely designed to hold connection strings, ASP.NET provides a convenient way to access them. In contrast, <appSettings> can contain all sorts of information so there aren’t any functions that distinguish connection strings from other settings. Sophie uses some good old-fashioned guesswork, enumerating all keys within <appSettings> and for each one looking at its name and value for keywords that suggest it is a connection string. This is obviously prone to false positives and false negatives. To account for the latter, Sophie has a button “Get All” that shows all <appSettings> keys for you to review (and if you spot a connection string that Sophie missed by default, please let me know):

sophie1

If you find nothing of interest and are now facing an overwhelming number of keys, you can always click “Revert”.

Having selected a connection string, you can click “Get Info” to collect some basic information about the level of access that the connection string provides:

sophie2

Or you can type some arbitrary SQL and click “Execute”:

sophie3

The error handling (like the styling!) is, er, shall we say basic, but hopefully you will find Sophie a useful addition to your pentesting toolkit.

Download v.0.2

One thought on “Sophie – a web SQL shell

  1. Anant Shrivastava

    Good work.
    would suggest you to upload the code on github or simmilar code sharing / versioning system so that people can also contribute as well as you can keep a track of the code in a better manner.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>