If you can exploit a flaw to upload files to an executable directory in an IIS environment, there are plenty of web shells around (some of which may be trojaned but that’s another issue) to give you an interactive command prompt via your browser. If the application makes use of a MS-SQL database, the same flaw can be used to upload Sophie, a “web SQL shell”, giving you access to the database via your browser as well:
As with SQL injection, the level of access will depend on how the application and database have been configured.
Sophie automatically parses the web.config file from the current application context for connection strings. In ASP.NET 1.0 and 1.1, connection strings were stored in the <appSettings> section. From ASP.NET 2.0, a specific <connectionStrings> section was made available for just this purpose. Nonetheless, it’s still possible (and you often see) connection strings stored in <appSettings>, therefore Sophie looks in both sections. What’s easy about the <connectionStrings> section is that, because it is precisely designed to hold connection strings, ASP.NET provides a convenient way to access them. In contrast, <appSettings> can contain all sorts of information so there aren’t any functions that distinguish connection strings from other settings. Sophie uses some good old-fashioned guesswork, enumerating all keys within <appSettings> and for each one looking at its name and value for keywords that suggest it is a connection string. This is obviously prone to false positives and false negatives. To account for the latter, Sophie has a button “Get All” that shows all <appSettings> keys for you to review (and if you spot a connection string that Sophie missed by default, please let me know):
If you find nothing of interest and are now facing an overwhelming number of keys, you can always click “Revert”.
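From the defender's side, the same name-and-value guesswork makes a quick audit of your own web.config files. The following is an added example, not Sophie's code and not part of the original post: it flags <appSettings> entries that look like connection strings and notes which entries embed a plaintext password. The keyword lists and the sample config are assumptions constructed for illustration, since the post does not list the keywords Sophie uses.

```python
import xml.etree.ElementTree as ET

# Assumed heuristics (not Sophie's actual keyword list, which the post does not give).
NAME_HINTS = ("conn", "sql", "dsn", "database")
VALUE_HINTS = ("data source=", "server=", "initial catalog=", "database=",
               "user id=", "uid=", "integrated security=", "trusted_connection=")
SECRET_HINTS = ("password=", "pwd=")

# Constructed sample web.config for the demonstration.
SAMPLE = """<configuration>
  <appSettings>
    <add key="PageSize" value="25" />
    <add key="MainDb" value="Server=db01;Database=Shop;User Id=app;Password=example;" />
    <add key="SqlTimeout" value="30" />
    <add key="ReportStore" value="Data Source=db02;Initial Catalog=Rpt;Integrated Security=SSPI;" />
  </appSettings>
  <connectionStrings>
    <add name="Audit" connectionString="Server=db03;Database=Audit;Uid=audit;Pwd=example;" />
  </connectionStrings>
</configuration>"""

def audit_web_config(xml_text):
    """Return findings as (section, key, matched_by, has_plaintext_secret)."""
    root = ET.fromstring(xml_text)
    findings = []
    # <appSettings> holds arbitrary settings, so guess from key name and value.
    for add in root.findall("./appSettings/add"):
        key, value = add.get("key", ""), add.get("value", "").lower()
        by_value = any(h in value for h in VALUE_HINTS + SECRET_HINTS)
        by_name = any(h in key.lower() for h in NAME_HINTS)
        if by_value or by_name:
            matched = "value" if by_value else "name-only"
            findings.append(("appSettings", key, matched,
                             any(h in value for h in SECRET_HINTS)))
    # <connectionStrings> entries are connection strings by definition.
    for add in root.findall("./connectionStrings/add"):
        value = add.get("connectionString", "").lower()
        findings.append(("connectionStrings", add.get("name", ""), "section",
                         any(h in value for h in SECRET_HINTS)))
    return findings

if __name__ == "__main__":
    for section, key, matched, secret in audit_web_config(SAMPLE):
        note = "PLAINTEXT CREDENTIAL" if secret else "no embedded password"
        print(f"{section:18} {key:12} matched-by={matched:9} {note}")
```

The SqlTimeout hit is the kind of false positive a name-based guess produces. Entries flagged with a plaintext credential are candidates for moving into <connectionStrings> and encrypting that section with aspnet_regiis -pe.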
Having selected a connection string, you can click “Get Info” to collect some basic information about the level of access that the connection string provides:
Or you can type some arbitrary SQL and click “Execute”:
The error handling (like the styling!) is, er, shall we say basic, but hopefully you will find Sophie a useful addition to your pentesting toolkit.