Infrastructure Pentesting: Databases

A Cyber Security Research Dumpsite

Databases hold the data a business least wants exposed to unauthorized personnel, which makes them a prime target during an infrastructure assessment. There are also many different database types, relational and NoSQL, that a security professional needs to be able to recognise and query.

MongoDB

MongoDB is a 'schema-less', document-based NoSQL database. Its ability to scale and handle large data volumes makes Mongo a popular choice for a lot of companies. Mongo stores data as JSON-like documents (held internally in the binary BSON encoding).

Databases, Collections & Documents
Mongo databases are made up of collections and documents; in MySQL terms these would be tables and rows. MongoDB stores each record as a BSON document, a binary encoding of a JSON document. The maximum BSON document size is 16 megabytes.
Mongo stores documents in collections, and a collection can hold many documents.
Every document must have an _id field that uniquely identifies it within its collection. If no _id is supplied, Mongo generates an ObjectId for it. An ObjectId is a 12-byte value that consists of:

    • a 4-byte value representing the seconds since the Unix epoch,
    • a 5-byte random value (generated once per process), and
    • a 3-byte counter, starting with a random value.

Because the leading four bytes are a timestamp, an ObjectId reveals roughly when its document was created (this is what getTimestamp(), listed below, reads out), and IDs minted by the same process share the 5-byte random value and differ only in the counter.
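As an added example (not code from the original post), the following Python decodes an ObjectId into the three fields described above and shows what a tester can infer when two IDs are compared: whether they came from the same process, and how many IDs that process minted in between. The ObjectIds it uses are constructed for illustration, not taken from any real deployment.

```python
import datetime

OBJECT_ID_HEX_LEN = 24  # 12 bytes, written as 24 hex characters


def parse_object_id(oid_hex: str) -> dict:
    """Split a 24-hex-character ObjectId into its three fields.

    Layout: 4-byte big-endian seconds since the Unix epoch,
            5-byte per-process random value,
            3-byte big-endian counter.
    """
    if len(oid_hex) != OBJECT_ID_HEX_LEN:
        raise ValueError("ObjectId must be exactly 24 hex characters")
    raw = bytes.fromhex(oid_hex)  # raises ValueError on non-hex input
    seconds = int.from_bytes(raw[0:4], "big")
    return {
        "timestamp": seconds,
        "created": datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc),
        "random": int.from_bytes(raw[4:9], "big"),
        "counter": int.from_bytes(raw[9:12], "big"),
    }


def build_object_id(seconds: int, random_value: int, counter: int) -> str:
    """Inverse of parse_object_id; used here to construct test IDs."""
    raw = (seconds.to_bytes(4, "big")
           + random_value.to_bytes(5, "big")
           + counter.to_bytes(3, "big"))
    return raw.hex()


def same_process(a: str, b: str) -> bool:
    """IDs with the same 5-byte random field were minted by the same process
    (the field is fixed for the lifetime of that process)."""
    return parse_object_id(a)["random"] == parse_object_id(b)["random"]


def ids_minted_between(a: str, b: str) -> int:
    """Counter distance from a to b (mod 2**24): how many ObjectIds the
    process generated between them. Only meaningful when same_process()."""
    if not same_process(a, b):
        raise ValueError("IDs come from different processes; counters are not comparable")
    ca = parse_object_id(a)["counter"]
    cb = parse_object_id(b)["counter"]
    return (cb - ca) % (1 << 24)


# Constructed IDs (assumptions for the demo, not from any real database).
FIRST = build_object_id(1700000000, 0xA1B2C3D4E5, 16)  # "6553f100a1b2c3d4e5000010"
LATER = build_object_id(1700000005, 0xA1B2C3D4E5, 26)  # same process, 10 IDs later
OTHER = build_object_id(1700000005, 0xFFFFFFFFFF, 0)   # a different process

if __name__ == "__main__":
    info = parse_object_id(FIRST)
    print(f"{FIRST} created {info['created'].isoformat()} counter={info['counter']}")
    print("same process:", same_process(FIRST, LATER),
          "ids minted between:", ids_minted_between(FIRST, LATER))
    print("same process as OTHER:", same_process(FIRST, OTHER))
```

The counter wraps at 2**24, so the distance is only reliable for IDs that are close together; the timestamp field gives the coarse ordering when they are not.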

Basic Syntax

Basic MongoDB query/method syntax takes the form db.[COLLECTION NAME].method(), for example db.customer.find(). There are some parallels between Mongo and MySQL:

  • Selecting records from the customer table:

MySQL: SELECT * FROM customer

MongoDB: db.customer.find()

  • Inserting records into the customer table

MySQL: INSERT INTO customer (cust_id, branch, status) VALUES ('appl01', 'main', 'A')

MongoDB: db.customer.insert({ cust_id: 'appl01', branch: 'main', status: 'A' }) (insert() is the legacy form; current shells prefer insertOne() for a single document)

Mongo Shell Common Commands

Below is a list of basic commands to help navigate your way through a Mongo database from the shell.

    • show dbs – lists the databases on the server (a database only appears once it holds at least one document)
    • use [DATABASE NAME] – selects the specified database; Mongo creates it on the first write if it does not already exist
    • show collections – lists all the collections in the selected database
    • db.[COLLECTION NAME].insert({}) – inserts a document into a collection (Mongo creates the collection with this command if it does not already exist; current shells prefer insertOne())
    • db.[COLLECTION NAME].find() – outputs all the documents within the specified collection
    • ObjectId("[24 HEX CHARACTERS]").getTimestamp() – returns the creation time embedded in an ObjectId; the argument must be a full 24-hex-character id, so a short value such as "123" is rejected

SQL

An Introduction

Structured Query Language
SQL is the language used to read and change data in relational databases. A web application builds SQL statements and sends them to the database on the user's behalf, which is why queries assembled from untrusted input lead to SQL injection. Each relational database engine speaks its own SQL dialect; three of the most popular are SQLite, MySQL, and PostgreSQL.

Common SQL commands

SELECT – fetches data from the database; statements that read data start with SELECT.
* – the asterisk is a wildcard meaning all columns, so SELECT * translates to 'select everything'.
FROM – names the table within the database from which the data is queried.
WHERE – filters the rows returned to those that satisfy a condition on one or more columns.
LIKE – used in a WHERE clause to match a column against a pattern; % matches any run of characters and _ matches a single character.
BETWEEN – filters rows whose value lies between two bounds, inclusive of both.
ORDER BY (ASC | DESC) – sorts the rows returned by the query.
As an example, SELECT * FROM table WHERE name LIKE 'Bob%' would return every row whose name begins with Bob; with no wildcard, LIKE 'Bob' behaves like an equality test.

Examples:

Getting every employee from the employees table:
select * from employees

Getting employees from the employees table whose pay falls in a range (BETWEEN is inclusive, and a numeric column is compared with numbers rather than quoted strings):
select * from employees where pay between 54000 and 63000

Getting an employee by email:
select * from employees where email like 'First.SecondName@email.com'

Sorting the table by pay (ORDER BY needs no WHERE clause; add DESC to list the highest paid first):
select * from employees order by pay

How to Defend Against SQL Injection

OWASP's SQL Injection Prevention Cheat Sheet recommends the following defences. Stored procedures only help if they do not build dynamic SQL internally, and escaping is a last resort for legacy code rather than a design to aim for; parameterized queries are the fix to reach for first.

Primary Defenses:

  • Option 1: Use of Prepared Statements (with Parameterized Queries)
  • Option 2: Use of Properly Constructed Stored Procedures
  • Option 3: Allow-list (White List) Input Validation
  • Option 4: Escaping All User Supplied Input (last resort)

Additional Defenses:

  • Also: Enforcing Least Privilege (the application's database account should only be able to read and write what the application needs)
  • Also: Performing Allow-list Input Validation as a Secondary Defense
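The following Python script is an added example, not code from the original post. It builds a small in-memory SQLite employees table (constructed sample rows, not real data), runs the BETWEEN, LIKE and ORDER BY queries from the examples above, and then shows the injection that the OWASP options defend against: a lookup that concatenates user input beside the same lookup written as a prepared statement and behind allow-list validation. The table layout, column names and the e-mail pattern are assumptions.

```python
import re
import sqlite3

# Constructed sample rows (assumption; not from the original post).
EMPLOYEES = [
    (1, "Alice Smith", "Alice.Smith@email.com", 52000),
    (2, "Bob Jones", "Bob.Jones@email.com", 54000),
    (3, "Bobby Lee", "Bobby.Lee@email.com", 60000),
    (4, "Carol White", "Carol.White@email.com", 63000),
    (5, "Dan Brown", "Dan.Brown@email.com", 70000),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with an employees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees "
                 "(id INTEGER PRIMARY KEY, name TEXT, email TEXT, pay INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


# --- The post's queries, written with bound parameters ----------------------

def pay_between(conn, low: int, high: int) -> list:
    """BETWEEN is inclusive at both ends, so 54000 and 63000 both match."""
    rows = conn.execute(
        "SELECT name FROM employees WHERE pay BETWEEN ? AND ? ORDER BY pay",
        (low, high))
    return [r[0] for r in rows]


def names_like(conn, pattern: str) -> list:
    """LIKE: % matches any run of characters, _ exactly one; with no wildcard
    it is just a (case-insensitive) equality test."""
    rows = conn.execute(
        "SELECT name FROM employees WHERE name LIKE ? ORDER BY id", (pattern,))
    return [r[0] for r in rows]


def sorted_by_pay(conn, descending: bool = False) -> list:
    """ORDER BY needs no WHERE clause. The direction keyword is picked from a
    fixed pair of statements, never spliced in from user input."""
    sql = ("SELECT name FROM employees ORDER BY pay DESC" if descending
           else "SELECT name FROM employees ORDER BY pay ASC")
    return [r[0] for r in conn.execute(sql)]


# --- SQL injection: vulnerable lookup beside the OWASP-recommended fixes ----

def lookup_by_email_vulnerable(conn, email: str) -> list:
    """Deliberately vulnerable: the input is pasted into the SQL text, so a
    value such as  ' OR '1'='1  rewrites the query's logic."""
    sql = "SELECT name FROM employees WHERE email = '" + email + "'"
    return [r[0] for r in conn.execute(sql)]


def lookup_by_email_prepared(conn, email: str) -> list:
    """OWASP option 1: prepared statement with a bound parameter. The value
    travels separately from the SQL text and can never become syntax."""
    rows = conn.execute("SELECT name FROM employees WHERE email = ?", (email,))
    return [r[0] for r in rows]


# Assumed allow-list for what an address may look like.
EMAIL_ALLOWLIST = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def lookup_by_email_validated(conn, email: str) -> list:
    """Allow-list validation as the secondary defence: reject anything not
    shaped like an address before it reaches the (already safe) query."""
    if not EMAIL_ALLOWLIST.fullmatch(email):
        raise ValueError("rejected: input is not a well-formed e-mail address")
    return lookup_by_email_prepared(conn, email)


PAYLOAD = "' OR '1'='1"  # classic tautology payload

if __name__ == "__main__":
    conn = make_db()
    print("BETWEEN 54000 AND 63000:", pay_between(conn, 54000, 63000))
    print("LIKE 'Bob%':", names_like(conn, "Bob%"), "LIKE 'Bob':", names_like(conn, "Bob"))
    print("highest paid:", sorted_by_pay(conn, descending=True)[0])
    print("vulnerable lookup with payload:", lookup_by_email_vulnerable(conn, PAYLOAD))
    print("prepared lookup with payload:", lookup_by_email_prepared(conn, PAYLOAD))
```

With the payload, the concatenating lookup returns every employee because the WHERE clause becomes email = '' OR '1'='1'; the prepared statement compares the whole payload string against the email column and returns nothing, and the validated version refuses it before any query runs.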

SQLMap

sqlmap is a tool used to automate the detection and exploitation of SQL injection flaws, enabling users to carry out tasks such as dumping a database, accessing the underlying file system, and executing commands.

Test a target URL:
sqlmap -u [URL_OR_IP]
*The target cannot simply be www.website.com; it must be a full URL with a parameter for sqlmap to inject into, for example http://www.website.com/index.php….

Enumerate databases/tables/columns:
sqlmap -u [URL_OR_IP] --dbs
--dbs = enumerate the databases on the DBMS
--tables = enumerate tables (narrow the scope with -D [DATABASE])
--columns = enumerate columns (narrow the scope with -D [DATABASE] -T [TABLE])
--dump = dump the rows of the selected table(s)

To enumerate the columns within a specific database:
sqlmap -u [URL_OR_IP] --columns -D corporate_database

Optimise the performance of sqlmap (turns on all optimisation switches):
-o

To perform an extensive DBMS version fingerprint:
-f (long form: --fingerprint)