Bird Watching (ばぁど・うぉっちんぐ)

A programmer who wants to get good at security. A migratory bird flying in search of freedom and spring.

No more SQL injection!! I tried sqlmap, a tool that can test for SQL vulnerabilities!!

Hi there. This is Bird.

This time I looked into sqlmap, a tool that can test for SQL vulnerabilities, and actually tried it out.

This post is an introduction to the sqlmap tool. More detailed usage is planned for later posts. (Not yet decided)

! Never use the tool introduced here against web pages published on the internet. Depending on the circumstances it may be a violation of the law as unauthorized access. Stand up the target you want to test in your own local environment and try it there !

What is sqlmap

It is an open-source penetration testing tool. It detects SQL injection vulnerabilities and the like, and lets you inspect things such as the DB structure from the command line.

Python is required to run it. It seems to need the 2.7 series.

Official site

sqlmap: automatic SQL injection and database takeover tool

GitHub


The source code is published on GitHub, so you can check the internals too. Nice.

As you can see from the official site, a wide range of DBs is supported: MySQL, Oracle, Postgres, and so on.

Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.

It also says it can detect six SQL injection techniques.

Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.

Log from a run (screenshot)

Installation

Local Python version

Just to be sure, I checked the local Python version. Macs apparently come with the 2.7 series by default.

$ python --version
Python 2.7.10

Installation

This time I did a git clone.

$ git clone https://github.com/sqlmapproject/sqlmap.git
Cloning into 'sqlmap'...
remote: Counting objects: 63046, done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 63046 (delta 23), reused 28 (delta 16), pack-reused 63003
Receiving objects: 100% (63046/63046), 60.75 MiB | 4.26 MiB/s, done.
Resolving deltas: 100% (49365/49365), done.

A .zip or .tar.gz can also be downloaded from the official site, so install it whichever way you prefer.

# cd into the directory
$ cd sqlmap/

# list the files
$ ls -la
total 168
drwxr-xr-x  24 hatoritakuya  staff    768 Sep 24 14:22 .
drwxr-xr-x   3 hatoritakuya  staff     96 Sep 24 14:22 ..
drwxr-xr-x  13 hatoritakuya  staff    416 Sep 24 14:22 .git
-rw-r--r--   1 hatoritakuya  staff    232 Sep 24 14:22 .gitattributes
drwxr-xr-x   5 hatoritakuya  staff    160 Sep 24 14:22 .github
-rw-r--r--   1 hatoritakuya  staff     55 Sep 24 14:22 .gitignore
-rw-r--r--   1 hatoritakuya  staff    137 Sep 24 14:22 .travis.yml
-rw-r--r--   1 hatoritakuya  staff  18886 Sep 24 14:22 LICENSE
-rw-r--r--   1 hatoritakuya  staff   4521 Sep 24 14:22 README.md
drwxr-xr-x   9 hatoritakuya  staff    288 Sep 24 14:22 doc
drwxr-xr-x  14 hatoritakuya  staff    448 Sep 24 14:22 extra
drwxr-xr-x  10 hatoritakuya  staff    320 Sep 24 14:22 lib
drwxr-xr-x   5 hatoritakuya  staff    160 Sep 24 14:22 plugins
drwxr-xr-x   7 hatoritakuya  staff    224 Sep 24 14:22 procs
drwxr-xr-x   5 hatoritakuya  staff    160 Sep 24 14:22 shell
-rw-r--r--   1 hatoritakuya  staff  20512 Sep 24 14:22 sqlmap.conf
-rwxr-xr-x   1 hatoritakuya  staff  15167 Sep 24 14:22 sqlmap.py
-rwxr-xr-x   1 hatoritakuya  staff   2477 Sep 24 14:22 sqlmapapi.py
drwxr-xr-x  60 hatoritakuya  staff   1920 Sep 24 14:22 tamper
drwxr-xr-x  22 hatoritakuya  staff    704 Sep 24 14:22 thirdparty
drwxr-xr-x  10 hatoritakuya  staff    320 Sep 24 14:22 txt
drwxr-xr-x   5 hatoritakuya  staff    160 Sep 24 14:22 udf
drwxr-xr-x  71 hatoritakuya  staff   2272 Sep 24 14:22 waf
drwxr-xr-x   8 hatoritakuya  staff    256 Sep 24 14:22 xml

sqlmap.py is the key piece. The basic syntax for using sqlmap is as follows.

python sqlmap.py [options] [arguments]

The version was displayed, so installation is complete.

$ python sqlmap.py --version
1.2.9.36#dev

Trying it out

Rails

I'll run it against the Rails 5 sample application I made a while back.


sqlmap.py log

This time I set only the URL, and it runs GET tests over and over. Since I didn't specify a DB, it seems to run tests assuming each DB in turn.

$ python sqlmap.py -u 'localhost:3000/welcome/index'
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.2.9.36#dev}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:01:48

[15:01:48] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] 
[15:01:54] [INFO] testing connection to the target URL
[15:01:54] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
[15:01:54] [INFO] testing if the target URL content is stable
[15:01:55] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] 
[15:02:04] [INFO] searching for dynamic content
[15:02:04] [INFO] dynamic content marked for removal (1 region)
[15:02:04] [INFO] testing if URI parameter '#1*' is dynamic
[15:02:05] [INFO] confirming that URI parameter '#1*' is dynamic
[15:02:06] [WARNING] URI parameter '#1*' does not appear to be dynamic
[15:02:06] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[15:02:07] [INFO] testing for SQL injection on URI parameter '#1*'
[15:02:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:02:08] [WARNING] reflective value(s) found and filtering out
[15:02:12] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:02:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:02:16] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:02:19] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[15:02:22] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:02:25] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[15:02:26] [INFO] testing 'MySQL inline queries'
[15:02:26] [INFO] testing 'PostgreSQL inline queries'
[15:02:27] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:02:27] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:02:29] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[15:02:32] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[15:02:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[15:02:36] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:02:39] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[15:02:42] [INFO] testing 'Oracle AND time-based blind'
[15:02:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:03:24] [WARNING] URI parameter '#1*' does not seem to be injectable
[15:03:24] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. You can give it a go with the switch '--text-only' if the target page has a low percentage of textual content (~0.89% of page content is text). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment')
[15:03:24] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 127 times

[*] shutting down at 15:03:24

Rails-side log

Started GET "/welcome/index" for 127.0.0.1 at 2018-09-24 15:06:16 +0900
Processing by WelcomeController#index as */*
  Rendering welcome/index.html.erb within layouts/application
  Rendered welcome/index.html.erb within layouts/application (0.3ms)
Completed 200 OK in 175ms (Views: 140.7ms)


Started GET "/welcome/index" for 127.0.0.1 at 2018-09-24 15:06:17 +0900
Processing by WelcomeController#index as */*
  Rendering welcome/index.html.erb within layouts/application
  Rendered welcome/index.html.erb within layouts/application (0.4ms)
Completed 200 OK in 68ms (Views: 47.2ms)


Started GET "/welcome/6070" for 127.0.0.1 at 2018-09-24 15:06:19 +0900
  
ActionController::RoutingError (No route matches [GET] "/welcome/6070"):
  
vender/bundle/ruby/2.3.0/gems/actionpack-5.1.6/lib/action_dispatch/middleware/debug_exceptions.rb:63:in `call'
vender/bundle/ruby/2.3.0/gems/web-console-3.5.1/lib/web_console/middleware.rb:135:in `call_app'
vender/bundle/ruby/2.3.0/gems/web-console-3.5.1/lib/web_console/middleware.rb:28:in `block in call'
vender/bundle/ruby/2.3.0/gems/web-console-3.5.1/lib/web_console/middleware.rb:18:in `catch'
vender/bundle/ruby/2.3.0/gems/web-console-3.5.1/lib/web_console/middleware.rb:18:in `call'
vender/bundle/ruby/2.3.0/gems/actionpack-5.1.6/lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
vender/bundle/ruby/2.3.0/gems/railties-5.1.6/lib/rails/rack/logger.rb:36:in `call_app'
vender/bundle/ruby/2.3.0/gems/railties-5.1.6/lib/rails/rack/logger.rb:24:in `block in call'
vender/bundle/ruby/2.3.0/gems/activesupport-5.1.6/lib/active_support/tagged_logging.rb:69:in `block in tagged'
vender/bundle/ruby/2.3.0/gems/activesupport-5.1.6/lib/active_support/tagged_logging.rb:26:in `tagged'
vender/bundle/ruby/2.3.0/gems/activesupport-5.1.6/lib/active_support/tagged_logging.rb:69:in `tagged'
vender/bundle/ruby/2.3.0/gems/railties-5.1.6/lib/rails/rack/logger.rb:24:in `call'
vender/bundle/ruby/2.3.0/gems/sprockets-rails-3.2.1/lib/sprockets/rails/quiet_assets.rb:13:in `call'
vender/bundle/ruby/2.3.0/gems/actionpack-5.1.6/lib/action_dispatch/middleware/remote_ip.rb:79:in `call'
vender/bundle/ruby/2.3.0/gems/actionpack-5.1.6/lib/action_dispatch/middleware/request_id.rb:25:in `call'
vender/bundle/ruby/2.3.0/gems/rack-2.0.4/lib/rack/method_override.rb:22:in `call'
vender/bundle/ruby/2.3.0/gems/rack-2.0.4/lib/rack/runtime.rb:22:in `call'
vender/bundle/ruby/2.3.0/gems/activesupport-5.1.6/lib/active_support/cache/strategy/local_cache_middleware.rb:27:in `call'
vender/bundle/ruby/2.3.0/gems/actionpack-5.1.6/lib/action_dispatch/middleware/executor.rb:12:in `call'
vender/bundle/ruby/2.3.0/gems/actionpack-5.1.6/lib/action_dispatch/middleware/static.rb:125:in `call'
vender/bundle/ruby/2.3.0/gems/rack-2.0.4/lib/rack/sendfile.rb:111:in `call'
vender/bundle/ruby/2.3.0/gems/railties-5.1.6/lib/rails/engine.rb:522:in `call'
vender/bundle/ruby/2.3.0/gems/puma-3.11.3/lib/puma/configuration.rb:225:in `call'
vender/bundle/ruby/2.3.0/gems/puma-3.11.3/lib/puma/server.rb:624:in `handle_request'
vender/bundle/ruby/2.3.0/gems/puma-3.11.3/lib/puma/server.rb:438:in `process_client'
vender/bundle/ruby/2.3.0/gems/puma-3.11.3/lib/puma/server.rb:302:in `block in run'
vender/bundle/ruby/2.3.0/gems/puma-3.11.3/lib/puma/thread_pool.rb:120:in `block in spawn_thread'
Started GET "/welcome/7177" for 127.0.0.1 at 2018-09-24 15:06:20 +0900
  
ActionController::RoutingError (No route matches [GET] "/welcome/7177"):
  
~~~~~~~~~~~~~~~~~~~(backtrace omitted, identical to the one above)~~~~~~~~~~~~~~~~~~~
Started GET "/welcome/index%29%22%27%28%28.%28%28%28%2C" for 127.0.0.1 at 2018-09-24 15:06:20 +0900
  
ActionController::RoutingError (No route matches [GET] "/welcome/index%29%22%27%28%28.%28%28%28%2C"):
  
vender/bundle/ruby/2.3.0/gems/actionpack-5.1.6/lib/action_dispatch/middleware/debug_exceptions.rb:63:in `call'
vender/bundle/ruby/2.3.0/gems/web-console-3.5.1/lib/web_console/middleware.rb:135:in `call_app'
vender/bundle/ruby/2.3.0/gems/web-console-3.5.1/lib/web_console/middleware.rb:28:in `block in call'
vender/bundle/ruby/2.3.0/gems/web-console-3.5.1/lib/web_console/middleware.rb:18:in `catch'
vender/bundle/ruby/2.3.0/gems/web-console-3.5.1/lib/web_console/middleware.rb:18:in `call'
vender/bundle/ruby/2.3.0/gems/actionpack-5.1.6/lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
vender/bundle/ruby/2.3.0/gems/railties-5.1.6/lib/rails/rack/logger.rb:36:in `call_app'
vender/bundle/ruby/2.3.0/gems/railties-5.1.6/lib/rails/rack/logger.rb:24:in `block in call'

~~~~~~~~~~~~~~~~~~~(omitted)~~~~~~~~~~~~~~~~~~~

vender/bundle/ruby/2.3.0/gems/puma-3.11.3/lib/puma/server.rb:438:in `process_client'
vender/bundle/ruby/2.3.0/gems/puma-3.11.3/lib/puma/server.rb:302:in `block in run'
vender/bundle/ruby/2.3.0/gems/puma-3.11.3/lib/puma/thread_pool.rb:120:in `block in spawn_thread'
Started GET "/welcome/index%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20rNei" for 127.0.0.1 at 2018-09-24 15:07:42 +0900
  
ActionController::RoutingError (No route matches [GET] "/welcome/index%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20rNei"):
  
~~~~~~~~~~~~~~~~~~~(backtrace omitted, identical to the one above)~~~~~~~~~~~~~~~~~~~

You can see it being attacked (tested) with all sorts of varying patterns.

It keeps changing the GET parameter and firing off one attack after another.

Since I didn't build this as an application meant to be attacked, no vulnerability shows up, but when I get the chance I'd like to try it against source code that does have a vulnerability.
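As an added example (not part of the original post), here is a small Python script that parses the "Started GET" lines of a Rails log like the one above, percent-decodes the request path and flags the SQL injection probe patterns sqlmap left behind (UNION SELECT, a trailing comment, quote/parenthesis fuzzing). The sample log is constructed from the request paths in that log plus one benign request, and the pattern names and thresholds are my own assumptions, not anything from sqlmap or Rails.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample, same shape as the Rails log above: four paths taken
# from that log plus one benign request from another client for contrast.
SAMPLE_LOG = """\
Started GET "/welcome/index" for 127.0.0.1 at 2018-09-24 15:06:16 +0900
Started GET "/welcome/6070" for 127.0.0.1 at 2018-09-24 15:06:19 +0900
Started GET "/welcome/index%29%22%27%28%28.%28%28%28%2C" for 127.0.0.1 at 2018-09-24 15:06:20 +0900
Started GET "/welcome/index%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20rNei" for 127.0.0.1 at 2018-09-24 15:07:42 +0900
Started GET "/about" for 10.0.0.5 at 2018-09-24 15:08:00 +0900
"""

# Rails request line: Started <METHOD> "<path>" for <ip> at <timestamp>
STARTED_RE = re.compile(
    r'^Started (?P<method>[A-Z]+) "(?P<path>[^"]*)" for (?P<ip>[\d.]+) at (?P<ts>.+)$'
)

# Heuristic probe signatures (assumed names). They are applied to the
# URL-decoded path so that %27 / %28 sequences are seen as ' and (.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment_tail", re.compile(r"(--|#|/\*)\s*\w*$")),
    ("quote_paren_fuzz", re.compile(r"""["'()]{3,}|["'][()]""")),
    ("boolean_tautology", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("time_delay", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
]


def full_unquote(s, max_rounds=3):
    """Percent-decode until the string stops changing (bounded rounds)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(path):
    """Return the names of every probe pattern matching the decoded path."""
    decoded = full_unquote(path)
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]


def scan_log(text):
    """Parse request lines; return (flagged (ip, path, hits) list, per-IP hit counts)."""
    flagged, per_ip = [], Counter()
    for line in text.splitlines():
        m = STARTED_RE.match(line)
        if not m:
            continue  # backtrace and rendering lines are skipped
        hits = classify(m["path"])
        if hits:
            flagged.append((m["ip"], m["path"], hits))
            per_ip[m["ip"]] += 1
    return flagged, per_ip


if __name__ == "__main__":
    flagged, per_ip = scan_log(SAMPLE_LOG)
    for ip, path, hits in flagged:
        print(ip, hits, full_unquote(path))
    print("probe requests per client:", dict(per_ip))
```

The plain numeric probes such as "/welcome/6070" carry no SQL syntax and are not flagged by these patterns; a burst of 404s from one client, like the 127 reported by sqlmap above, is the signal for those.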

Drupal

Next, let me try POST.

This time I used Drupal, a CMS that comes with a login feature as soon as you stand it up.


sqlmap.py log

This time it's POST, so --data is specified. The DB is also specified as MySQL.

$ python sqlmap.py -u 'lightning-8-x-3-104.dd:8083/user/login' --data "ID=1&PWD=2" --dbms MySQL
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.2.9.36#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:19:22

[15:19:22] [INFO] testing connection to the target URL
[15:19:22] [INFO] testing if the target URL content is stable
[15:19:23] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[15:19:26] [INFO] testing if POST parameter 'ID' is dynamic
[15:19:26] [WARNING] POST parameter 'ID' does not appear to be dynamic
[15:19:26] [WARNING] heuristic (basic) test shows that POST parameter 'ID' might not be injectable
[15:19:26] [INFO] testing for SQL injection on POST parameter 'ID'
[15:19:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:19:28] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:19:29] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:19:30] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[15:19:30] [INFO] testing 'MySQL inline queries'
[15:19:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[15:19:30] [WARNING] time-based comparison requires larger statistical model, please wait..  (done)                                                          
[15:19:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:19:44] [WARNING] POST parameter 'ID' does not seem to be injectable
[15:19:44] [INFO] testing if POST parameter 'PWD' is dynamic
[15:19:44] [WARNING] POST parameter 'PWD' does not appear to be dynamic
[15:19:44] [WARNING] heuristic (basic) test shows that POST parameter 'PWD' might not be injectable
[15:19:44] [INFO] testing for SQL injection on POST parameter 'PWD'
[15:19:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:19:47] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:19:47] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:19:48] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[15:19:48] [INFO] testing 'MySQL inline queries'
[15:19:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[15:19:51] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:20:03] [WARNING] POST parameter 'PWD' does not seem to be injectable
[15:20:03] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment')

[*] shutting down at 15:20:03

The test finished without a hitch. As long as you're not doing anything odd, a stock install doesn't let intrusions through like that, right? Relieved for now.

Summary

This time I tried sqlmap.

Personally, I wish I had known about it back when I was building web applications.

It's a good idea to try tools like this at development time and squash vulnerabilities in advance.

Next, I'd like to try it against a web application that has a vulnerability, and try out sqlmap's other features.