Inicio Explorar Ayuda
Iniciar sesión
iProspective
/
dolibarr
3
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Árbol: c268f07a80
Ramas Etiquetas
dolibarr
/
test
/
sqlmap
/
README

README 2.4 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. To test there is no SQL injection, we can use:
    2. 

  2. 

  3. -- Installation of sqlmap
    4. 

  4. -------------------------
    5. 

  5. 

  6. git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap
    7. 

  7. 

  8. cd sqlmap
    9. 

  9. 

  10. ./sqlmap.py --update
    11. 

  11. 

  12. ./sqlmap.py --purge
    13. 

  13. 

  14. 

  15. Add, into file ~/git/sqlmap/data/xml/payloads/boolean_blind.xml, the custom rule:
    16. 

  16. 

  17.     <!-- Boolean-based blind tests - WHERE/HAVING clause -->
    18. 

  18.     <test>
    19. 

  19.      <title>Our_ORDERBY_Payload</title>
    20. 

  20.         <stype>1</stype>
    21. 

  21.         <level>1</level>
    22. 

  22.         <risk>1</risk>
    23. 

  23.         <clause>1</clause>
    24. 

  24.         <where>1</where>
    25. 

  25.      <vector>,(select * from(select (CASE WHEN ([INFERENCE]) THEN 1 ELSE exp(710) END))a)</vector>
    26. 

  26.      <request>
    27. 

  27.          <payload>,(select * from(select (CASE WHEN (1=1) THEN 1 ELSE exp(710) END))a)</payload>
    28. 

  28.      </request>
    29. 

  29.      <response>
    30. 

  30.          <comparison>,(select * from(select (CASE WHEN (1=2) THEN 1 ELSE exp(710) END))a)</comparison>
    31. 

  31.      </response>
    32. 

  32.      <details>
    33. 

  33.          <dbms>mysql</dbms>
    34. 

  34.          <os>linux</os>
    35. 

  35.      </details>
    36. 

  36.  </test>
    37. 

  37. 

  38. 

  39. 

  40. 

  41. -- Launch sqlmap on a given url/parameter
    42. 

  42. -----------------------------------------
    43. 

  43. 

  44. Introduce a vulnerability by changing the GETPOST on parameter search_status into GETPOST('search_status', 'none') and removing $db->sanitize when parameter is used;
    45. 

  45. 

  46. ./sqlmap.py --fresh-queries -u "http://localhostdev/comm/propal/list.php?search_status=*"
    47. 

  47. 

  48. ./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/comm/propal/list.php?search_status=*" --dbms=mysql --os=linux --technique=B --batch --skip-waf \
    49. 

  49. 	--cookie="DOLSESSID_xxxxxx=yyyyyyyy;" --prefix='1' -v 4 > sqlmap.txt
    50. 

  50. 

  51. Check vulnerability is found into sqlmap.txt. Scanner is working.
    52. 

  52. 

  53. 

  54. 

  55. -- Launch sqlmap on all the application
    56. 

  56. ---------------------------------------
    57. 

  57. 

  58. Set $dolibarr_nocsrfcheck='1' into conf.php file to make access easier.
    59. 

  59. 

  60. With prefix (required to have some rules working)
    61. 

  61. 

  62. ./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout|user\/card|custom\/" \
    63. 

  63.   --skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \
    64. 

  64.   --cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" --prefix='1' -v
    65. 

  65. 

  66. Without prefix
    67. 

  67. 

  68. ./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout|user\/card|custom\/" \
    69. 

  69.   --skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \
    70. 

  70.   --cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" -v
    71. 

  71. 

  72.