Pages

Wednesday, August 19, 2015

Executing SQL Queries from Antak Webshell

I have recently made some changes to Antak. The first one implementation of an authentication mechanism to check its misuse. It was also part of a feature request raised in Nishang's GitHub repository: https://github.com/samratashok/nishang/issues/17. Antak now asks for Username and Password before you would be able to use it on a target. The username/password are hardcoded in the the antak.aspx itself.  Unless correct credentials are entered, all the controls in the webshell remain invisible and disabled. This is not secure but that is the only way I could implement some sort of restriction on antak's access and still keep it in a single file. Default Username is "Disclaimer" and Password is "ForLegitUseOnly" without quotes and case-sensitive. This is how Antak looks like without authentication. 
After authentication, we will be able to access Antak. Because Antak has the ability to execute PowerShell commands and scripts, upload and download files we can use it for many things.  I have already done a post earlier on other functionalities of Antak: http://www.labofapenetrationtester.com/2014/06/introducing-antak.html. In this post lets focus on the new functionality of ability to execute SQL Queries from Antak. The code has been largely taken from cmdsql (https://github.com/NetSPI/cmdsql) from Antti and Scott at NetSPI.

Here is how to use it:
Click om "Parse Web.Config". We should be able to see the connection string. By default, Antak looks for web.config in the C:\Inetpub directory. We can specify a full path in the command box to look for web.config in other directory.
Paste that connection string in the textbox besides the "Execute SQL Query" button. Enter the SQL Query in the command box and click the "Execute SQL Query" button.
Great! We can now execute SQL queries. This opens up so many opportunities to play with. Feel free to play around with SQL Queries, look here to begin with: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

Hope you enjoyed this! I welcome suggestions and feedback.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.