Solucionado (ver solução)
Solucionado
(ver solução)
4
respostas

SQLMAP com defeito ou aplicação é segura...

Referente ao curso Segurança Web: vulnerabilidades do seu sistema e OWASP, no capítulo SQL Injection e atividade SQLMAP

por Tiago Ferreira Rodrigues
| 62.9k xp | 15 posts

De fato não funciona...

root@kali:~# sqlmap -u "http://192.168.1.40/mutillidae/index.php?page-user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details" --random-agent --batch
        ___
       __H__                                                                                                                                               
 ___ ___[)]_____ ___ ___  {1.4.7#stable}                                                                                                                   
|_ -| . [.]     | .'| . |                                                                                                                                  
|___|_  [)]_|_|_|__,|  _|                                                                                                                                  
      |_|V...       |_|   http://sqlmap.org                                                                                                                

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:47:05 /2020-10-15/

[00:47:05] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0 Safari/533.16' from file '/usr/share/sqlmap/data/txt/user-agents.txt'                                                                             
[00:47:05] [WARNING] provided value for parameter 'password' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[00:47:05] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=n8m6mm2nbiu...s6tflb8261;showhints=1'). Do you want to use those [Y/n] Y
[00:47:06] [INFO] testing if the target URL content is stable
[00:47:07] [INFO] target URL content is stable
[00:47:07] [INFO] testing if GET parameter 'username' is dynamic
[00:47:08] [WARNING] GET parameter 'username' does not appear to be dynamic
[00:47:09] [WARNING] heuristic (basic) test shows that GET parameter 'username' might not be injectable
[00:47:09] [INFO] testing for SQL injection on GET parameter 'username'
[00:47:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:47:13] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:47:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:47:17] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:47:20] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[00:47:23] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:47:26] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[00:47:27] [INFO] testing 'Generic inline queries'
[00:47:27] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[00:47:30] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[00:47:32] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[00:47:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:47:38] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:47:41] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[00:47:44] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[00:47:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:47:53] [WARNING] GET parameter 'username' does not seem to be injectable
[00:47:53] [INFO] testing if GET parameter 'password' is dynamic
[00:47:53] [WARNING] GET parameter 'password' does not appear to be dynamic
[00:47:54] [WARNING] heuristic (basic) test shows that GET parameter 'password' might not be injectable
[00:47:54] [INFO] testing for SQL injection on GET parameter 'password'
[00:47:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:47:57] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:47:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:48:01] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:48:04] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[00:48:07] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:48:10] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'

continua...

4 respostas
por Tiago Ferreira Rodrigues
| 62.9k xp | 15 posts
[00:48:10] [INFO] testing 'Generic inline queries'
[00:48:11] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[00:48:13] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[00:48:16] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[00:48:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:48:21] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:48:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[00:48:27] [INFO] testing 'Oracle AND time-based blind'
[00:48:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:48:37] [WARNING] GET parameter 'password' does not seem to be injectable
[00:48:37] [INFO] testing if GET parameter 'user-info-php-submit-button' is dynamic
[00:48:37] [WARNING] GET parameter 'user-info-php-submit-button' does not appear to be dynamic
[00:48:38] [WARNING] heuristic (basic) test shows that GET parameter 'user-info-php-submit-button' might not be injectable
[00:48:38] [INFO] testing for SQL injection on GET parameter 'user-info-php-submit-button'
[00:48:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:48:42] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:48:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:48:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:48:49] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[00:48:52] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:48:56] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[00:48:56] [INFO] testing 'Generic inline queries'
[00:48:57] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[00:49:00] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[00:49:03] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[00:49:05] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:49:09] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:49:12] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[00:49:15] [INFO] testing 'Oracle AND time-based blind'
[00:49:18] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:49:25] [WARNING] GET parameter 'user-info-php-submit-button' does not seem to be injectable
[00:49:25] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment')                                                                                                                                             

[*] ending @ 00:49:25 /2020-10-15/

root@kali:~#

enfim, não deu certo logo a OVA, não roda, nem no VirtualBox, nem no Workstation, então fui na fonte e baixei um Kali 2020...

por Tiago Ferreira Rodrigues
| 62.9k xp | 15 posts

O servidor da Aplicação funcionou legal, apenas não tinha IP. Fiz a configuração estatica de IP para as duas maquinas virtuais em modo Brigdge. network 192.168.1.0/24, uma com IP 39 (Kali) outra com IP 40 (owasp).

tentei todas as possiveis combinações de comandos, com --timeout=500, com --predict-output, com --random-agent, com --batch... e nada funciona.

Testei a comunicação entre as maquinas com ping e funciona

root@kali:~# ping 192.168.1.40 -c 5
PING 192.168.1.40 (192.168.1.40) 56(84) bytes of data.
64 bytes from 192.168.1.40: icmp_seq=1 ttl=64 time=2.79 ms
64 bytes from 192.168.1.40: icmp_seq=2 ttl=64 time=0.613 ms
64 bytes from 192.168.1.40: icmp_seq=3 ttl=64 time=0.766 ms
64 bytes from 192.168.1.40: icmp_seq=4 ttl=64 time=0.821 ms
64 bytes from 192.168.1.40: icmp_seq=5 ttl=64 time=0.763 ms

--- 192.168.1.40 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4041ms
rtt min/avg/max/mdev = 0.613/1.150/2.788/0.821 ms
root@kali:~#

não tenho mais opções, em um outro forum vi um comentario sobre 

[00:47:05] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=n8m6mm2nbiu...s6tflb8261;showhints=1'). Do you want to use those [Y/n] Y

onde a resposta foi que estaria batendo em uma parte segura da aplicação... que não tinha seguido as orientações do video... (respostinha furada)

por Tiago Ferreira Rodrigues
| 62.9k xp | 15 posts

Pra minha descepção, mais um curso que não prepara de fato um material descente para que possamos acompanhar e ver funcionar... dificil assim aprender alguma coisa....

solução!
por Tiago Ferreira Rodrigues
| 62.9k xp | 15 posts

Solução encontrada: 1-> Baixei as máquinas do Kali 2020 (conforme ja tinha dito) baixei a Owasp_Broken_web_apps do site original também v1.2

2 -> coloquei ambas VMs no Workstation em modo NAT com DHCP ligado

3 -> liguei o proxy no Kali -> Burp Suite, para interceptar a requisição

4 -> no Firefox do kali, naveguei até o endereço de requisição do video, qual estava testando as informações de usuario, preenchi o username=admin e deixei a password vazia e realizei a request.

5 -> no BurpSuite, na guia Proxy >> Intercept >> Raw, selecionei toda a requisição e com as linhas selecionadas, cliquei com o esquerdo para abrir o menu de contexto, nesse, selecionei a opção "Copy to file", salvando no diretorio Documents com nome reqGet.txt

6 -> executei no terminal do Kali o seguinte comando:

sqlmap -r /root/Documents/reqGet.txt -p username

Com esses passos, consegui realizar os testes conforme esperado, identificando o banco de dados e outros testes posteriores.

Quer mergulhar em tecnologia e aprendizagem?

Receba a newsletter que o nosso CEO escreve pessoalmente, com insights do mercado de trabalho, ciência e desenvolvimento de software