<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Explore Security &#187; database</title>
	<atom:link href="http://www.exploresecurity.com/tag/database/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.exploresecurity.com</link>
	<description>IT security tools, techniques and commentary</description>
	<lastBuildDate>Wed, 15 Jun 2022 09:21:02 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.6.1</generator>
		<item>
		<title>Sophie &#8211; a web SQL shell</title>
		<link>http://www.exploresecurity.com/sophie-a-web-sql-shell/</link>
		<comments>http://www.exploresecurity.com/sophie-a-web-sql-shell/#comments</comments>
		<pubDate>Mon, 22 Apr 2013 15:46:15 +0000</pubDate>
		<dc:creator>Jerome</dc:creator>
				<category><![CDATA[Tools]]></category>
		<category><![CDATA[Web Applications]]></category>
		<category><![CDATA[database]]></category>
		<category><![CDATA[shell]]></category>
		<category><![CDATA[SQL]]></category>
		<category><![CDATA[tool]]></category>

		<guid isPermaLink="false">http://www.exploresecurity.com/?p=38</guid>
		<description><![CDATA[Download v.0.2 If you can exploit a flaw to upload files to an executable directory in an IIS environment, there are plenty of web shells around (some of which may be trojaned but that&#8217;s another issue) to give you an interactive command prompt via your browser. If the application makes use of a MS-SQL database, [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><a href="/wp-content/uploads/custom/sophie.aspx">Download v.0.2</a></p>
<p>If you can exploit a flaw to upload files to an executable directory in an IIS environment, there are plenty of web shells around (some of which may be trojaned but that&#8217;s another issue) to give you an interactive command prompt via your browser. If the application makes use of an MS-SQL database, the same flaw can be used to upload Sophie, a &#8220;web SQL shell&#8221;, giving you access to the database via your browser as well:<span id="more-38"></span></p>
<p><a href="http://www.exploresecurity.com/wp-content/uploads/2013/04/sophie0.png"><img class="alignnone size-full wp-image-45" alt="sophie0" src="http://www.exploresecurity.com/wp-content/uploads/2013/04/sophie0.png" width="902" height="697" /></a></p>
<p>As with SQL injection, the level of access will depend on how the application and database have been configured.</p>
<p>Sophie automatically parses the <code>web.config</code> file from the current application context for connection strings. In ASP.NET 1.0 and 1.1, connection strings were stored in the <code>&lt;appSettings&gt;</code> section. From ASP.NET 2.0, a specific <code>&lt;connectionStrings&gt;</code> section was made available for just this purpose. Nonetheless, connection strings can still be stored in <code>&lt;appSettings&gt;</code> (and you often see this), so Sophie looks in both sections. What&#8217;s easy about the <code>&lt;connectionStrings&gt;</code> section is that, because it is designed precisely to hold connection strings, ASP.NET provides a convenient way to access them. In contrast, <code>&lt;appSettings&gt;</code> can contain all sorts of information, so there aren&#8217;t any functions that distinguish connection strings from other settings. Sophie uses some good old-fashioned guesswork, enumerating all keys within <code>&lt;appSettings&gt;</code> and, for each one, looking at its name and value for keywords that suggest it is a connection string. This is obviously prone to false positives and false negatives. To account for the latter, Sophie has a button &#8220;Get All&#8221; that shows all <code>&lt;appSettings&gt;</code> keys for you to review (and if you spot a connection string that Sophie missed by default, please let me know):</p>
<p><a href="http://www.exploresecurity.com/wp-content/uploads/2013/04/sophie1.png"><img class="alignnone size-full wp-image-46" alt="sophie1" src="http://www.exploresecurity.com/wp-content/uploads/2013/04/sophie1.png" width="680" height="473" /></a></p>
<p>If you find nothing of interest and are now facing an overwhelming number of keys, you can always click &#8220;Revert&#8221;.</p>
<p>Having selected a connection string, you can click &#8220;Get Info&#8221; to collect some basic information about the level of access that the connection string provides:</p>
<p><a style="line-height: 1.714285714; font-size: 1rem;" href="http://www.exploresecurity.com/wp-content/uploads/2013/04/sophie2.png"><img class="alignnone size-full wp-image-47" style="border: 0px;" alt="sophie2" src="http://www.exploresecurity.com/wp-content/uploads/2013/04/sophie2.png" width="389" height="477" /></a></p>
<p>Or you can type some arbitrary SQL and click &#8220;Execute&#8221;:</p>
<p><a href="http://www.exploresecurity.com/wp-content/uploads/2013/04/sophie3.png"><img class="alignnone size-full wp-image-48" alt="sophie3" src="http://www.exploresecurity.com/wp-content/uploads/2013/04/sophie3.png" width="637" height="423" /></a></p>
<p>The error handling (like the styling!) is, er, shall we say basic, but hopefully you will find Sophie a useful addition to your pentesting toolkit.</p>
<p><a href="/wp-content/uploads/custom/sophie.aspx">Download v.0.2</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.exploresecurity.com/sophie-a-web-sql-shell/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
