Configuration Section

This information is entered in the Basic Configuration panel:
[image:Basic Configuration Panel.JPG]
  • Engine: Microsoft SQL Server, MySQL or Oracle Database Server. When Microsoft SQL Server is selected, Marathon Tool will, by default, use the sys.databases or sysusers tables to construct the heavy queries. If Oracle Database is selected, the tables used by default are user_objects, all_objects or user_tables. If MySQL is selected, the table configured by default is information_schema.columns. These tables can be changed in the injection options.
  • Target base URL: Web application to test, and connection details. SSL is not supported in this version.
  • Parameters: Can be GET or POST parameters, and can be injectable parameters or not. The application will try to find out heavy queries for all the injectable ones.
  • Cookies: A list of variables and values in the cookie can be configured in this section, but this version does not support dynamic values.
  • Authentication: In this section user credentials can be set up to connect to the web application before starting the test. This version supports Basic, Digest and NTLM authentication methods.
  • Proxy: An HTTP proxy can be set up.
  • Start Injection with and End Injection with are used to configure a prefix and/or a suffix value in the injection test.
[image:Authentication Methods.JPG]

As can be seen in the figure, there are several parameters that can be tuned in the injection options panel to improve the performance of the tool:
[image:Injections Options Configuration Panel.JPG]
  • Min heavy query time: This parameter sets the minimum difference in response time between a true answer and a false answer. If the difference between the true response time and the false response time is lower than this value, Marathon Tool will keep looking for a new heavy query. If the tool is being used on a local network with a very good connection this value can be small; otherwise it should be increased.
  • Http request timeout: After this time Marathon Tool resets the HTTP connection and assumes the query to be a heavy query.
  • Request tests count: Once the tool detects a true answer it repeats the test to make sure the delay is due to the heavy query and not to any other reason.
  • Pause after heavy query: After every heavy query the tool pauses for this amount of time. This is because a large number of big heavy queries at the same time could result in false positives or in a denial of service against the web application.
  • Pause after any query: After every query, whether it is a heavy one or not, the tool pauses for this amount of time.
  • Minimum joins for queries: This value is the initial number of tables used in the query when the tool is looking for a heavy query.
  • Maximum joins for queries: If the tool hasn't found a heavy query after constructing a query with this number of tables in the join clause, the tool stops.
  • Enable equal sign in selects: Depending on the web application, web application firewalls or databases, the tool constructs the heavy queries using relational operators or equality operators.
  • Heavy queries tables: These are the tables Marathon Tool will use to construct heavy queries. Depending on the database engine selected the tool chooses default ones, but they can be overridden by the user.
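The thresholds above describe a traffic pattern a defender can look for on the server side: one client sending repeated requests on one parameter whose response times split into a slow cluster and a fast cluster. The following detector is an added example, not code from the original page or from Marathon Tool; the access log format, the trailing response-time field and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import parse_qsl

# Constructed sample (not from the page): Apache-style log lines with an assumed trailing
# response-time field in ms. Client 10.0.0.9 probes one parameter with a fast/slow split.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2008:14:00:01 +0000] "GET /item.aspx?id=3 HTTP/1.1" 200 4123 41
10.0.0.7 - - [07/Aug/2008:14:00:02 +0000] "GET /item.aspx?id=8 HTTP/1.1" 200 4210 38
10.0.0.9 - - [07/Aug/2008:14:00:03 +0000] "GET /item.aspx?id=3%20%5Bprobe1%5D HTTP/1.1" 200 4123 4020
10.0.0.9 - - [07/Aug/2008:14:00:08 +0000] "GET /item.aspx?id=3%20%5Bprobe2%5D HTTP/1.1" 200 4123 43
10.0.0.9 - - [07/Aug/2008:14:00:10 +0000] "GET /item.aspx?id=3%20%5Bprobe3%5D HTTP/1.1" 200 4123 4105
10.0.0.9 - - [07/Aug/2008:14:00:15 +0000] "GET /item.aspx?id=3%20%5Bprobe4%5D HTTP/1.1" 200 4123 40
10.0.0.9 - - [07/Aug/2008:14:00:17 +0000] "GET /item.aspx?id=3%20%5Bprobe5%5D HTTP/1.1" 200 4123 3980
10.0.0.5 - - [07/Aug/2008:14:00:20 +0000] "GET /item.aspx?id=4 HTTP/1.1" 200 4123 42
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\w+) (?P<path>[^ ?"]+)'
    r'(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+" \d{3} \S+ (?P<ms>\d+)$')

def parse_log(text):
    """Yield (ip, path, sorted parameter names, response ms) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without the timing field carry no signal here
        names = tuple(sorted(k for k, _ in parse_qsl(m['query'] or '', keep_blank_values=True)))
        yield m['ip'], m['path'], names, int(m['ms'])

def find_timing_oracles(text, min_gap_ms=2000, min_probes=5):
    """Flag (ip, path, params) groups whose timings split into a fast cluster near the
    path's baseline and a slow cluster >= min_gap_ms above it: the true/false split of a
    time-based blind injection, with or without a sleep function on the database side."""
    by_path, by_group = defaultdict(list), defaultdict(list)
    for ip, path, names, ms in parse_log(text):
        by_path[path].append(ms)
        by_group[(ip, path, names)].append(ms)
    findings = []
    for (ip, path, names), times in by_group.items():
        if len(times) < min_probes:
            continue
        cutoff = median(by_path[path]) + min_gap_ms  # median is dominated by normal traffic
        slow = sum(t >= cutoff for t in times)
        fast = len(times) - slow
        if slow >= 2 and fast >= 2:  # both oracle answers observed from one client
            findings.append({'ip': ip, 'path': path, 'params': names,
                             'slow': slow, 'fast': fast, 'cutoff_ms': cutoff})
    return findings
```

min_gap_ms plays the same role as the tool's "Min heavy query time" and min_probes its repeated test requests, so both should be tuned to the latency of the monitored application rather than left at these constructed defaults.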

Once the Configuration section is complete and the injection options are configured, Marathon Tool needs to initialize the test. In this initialization Marathon Tool will look for a valid heavy query in the injectable value to confirm that the configuration is valid. When it has finished, the tool can retrieve the schema of the database or the user the web application uses to connect to the database engine.
[image:Basic Start Injection.JPG]

Database Schema

This section shows the information Marathon Tool has collected from the web application using Time-Based Blind SQL Injection with heavy queries. It is not a quick method for extracting information, but in web applications based on database engines that do not have time-delay functions it could be the only exploitation method available.
[image:Database Schema.JPG]

Debug Log Section

This panel shows the queries that have been sent to the web application. It has different detail levels: all the tests, only the positive answers, or only the values Marathon Tool is collecting. This log is a good tool for analysing the behaviour of the web application during the test and is useful for tuning purposes.
[image:Debug Log Section.JPG]

Last edited Aug 7, 2008 at 3:20 PM by alekusu, version 3

Comments

michiekiero Oct 15, 2011 at 6:09 PM 
Here is my problem.
Initializing TBL=sys.databases N=3 R=0 T=4 Q=SELECT LEN(system_user)
2:06:49 AM Initializing TBL=sys.databases N=3 R=1 T=4 Q=SELECT LEN(system_user)
2:06:52 AM Initializing TBL=sys.databases N=4 R=0 T=4 Q=SELECT LEN(system_user)
2:06:56 AM Initializing TBL=sys.databases N=4 R=1 T=4 Q=SELECT LEN(system_user)
2:06:59 AM Initializing TBL=sys.databases N=5 R=0 T=4 Q=SELECT LEN(system_user)
2:07:02 AM Initializing TBL=sys.databases N=5 R=1 T=4 Q=SELECT LEN(system_user)
2:07:06 AM Initializing TBL=sys.databases N=6 R=0 T=4 Q=SELECT LEN(system_user)
2:07:09 AM Initializing TBL=sys.databases N=6 R=1 T=4 Q=SELECT LEN(system_user)
2:07:11 AM Initializing TBL=sys.databases N=7 R=0 T=4 Q=SELECT LEN(system_user)
idk how to config :(