Re: [sqlmap-users] SQL Query To Retrieve MySQL Server IP Address
From: Miroslav S. <mir...@gm...> - 2012-11-28 09:25:33
On Wed, Nov 28, 2012 at 10:12 AM, Stephen Shkardoon <ss...@ss...> wrote:
> Don't all these current methods rely on either the hostname of the MySQL
> server to be something that actually resolves, or an authentication rule
> using a public IP? If a server is NAT'd, won't both of these fail?
> Could a more reliable way of getting the IP/hostname be to make a DNS request
> or similar, that way you'll get the public IP as long as it can make an
> outgoing connection (which seems more likely on average than having a rule
> for authenticating users with it, or having the hostname be resolvable).
> Maybe sqlmap could try a combination of these for an improved hostname
> lookup? Or is this more work for an edge case (or possibly what I said above
> is wrong and one of the other methods will consistently work).
>

More work than benefit(s). We won't extend this any further than the --hostname
switch itself. I just wrote that last method as it could give you a list of
IP addresses from where root/admin can connect. Thing is that database
administrators tend to put all sorts of IP addresses there, and a wild guess is
that you'll get some interesting ones (the hostname itself, IP addresses
coming from a local network, ...).

> On Wed, Nov 28, 2012 at 10:04 PM, Miroslav Stampar <mir...@gm...> wrote:
>> Hi.
>>
>> If you want to get IP addresses of interest you could try something like
>> this:
>> --sql-query="SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%'"
>>
>> back-end DBMS: MySQL >= 5.0.0
>> [10:00:24] [INFO] fetching SQL SELECT statement query output: 'SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%''
>> SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%' [6]:
>> [*] 127.0.0.1, root
>> [*] 172.16.162.1, root
>> [*] 192.168.21.1, root
>> [*] debian-5.0-i386, root
>> [*] localhost, root
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Wed, Nov 28, 2012 at 9:55 AM, Zaki Akhmad <zak...@gm...> wrote:
>>> On Wed, Nov 28, 2012 at 3:53 PM, Leon Jacobs <leo...@gm...> wrote:
>>> > On Wed, Nov 28, 2012 at 10:48 AM, Miroslav Stampar <mir...@gm...> wrote:
>>> >>
>>> >> That proposed solution is equivalent to the SELECT @@hostname (except that
>>> >> the last one doesn't need that non-query SHOW statement). The only thing is that
>>> >> you'll get the same result as in --hostname, which is not the IP address that
>>> >> you require. Have to seek what can be used here.
>>> >
>>> > Yeah this is perfect. And then hopefully getting the IP is as simple as
>>> > looking up the hostname, assuming it resolves, but that is not guaranteed. =p
>>>
>>> the --sql-query="select @@hostname" works :-)
>>>
>>> --
>>> Zaki Akhmad
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm
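The thread's point is that the host column of mysql.user is where administrators accumulate "all sorts of IP addresses" for root/admin accounts. From the DBA's side, the same rows are what you audit to find over-broad admin access. The script below is an added example, not code from this thread or from sqlmap: it takes (host, user) rows in the shape the quoted query returns, classifies each host value (wildcard, loopback, private range, public address, host/netmask pair, or bare hostname) and ranks admin-like accounts by how exposed they are. The classification rules, severity labels and sample rows are my own assumptions; the sample rows are modelled on the output shown above plus two constructed entries a DBA should catch.

```python
"""Audit the host column of mysql.user for over-broad root/admin access.

Added example (not from the sqlmap-users thread or the sqlmap project).
Input rows are (host, user) pairs as returned by
    SELECT host, user FROM mysql.user
"""
import ipaddress
import re

# Accounts whose name suggests administrative privilege (assumption: the
# same substring match the thread's query used).
ADMIN_USER_RE = re.compile(r"(root|admin)", re.IGNORECASE)

# Ranges treated as "private" for audit purposes. Spelled out explicitly so
# the result does not depend on the Python version's is_private() table.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                 # IPv4 link-local
    "fc00::/7", "fe80::/10",                          # IPv6 ULA / link-local
)]

# Severity labels are an assumption of this example, not a MySQL concept.
SEVERITY = {
    "wildcard": "high",    # '%' or '_' lets any matching host try to log in
    "public":   "high",    # reachable from outside the private network
    "netmask":  "medium",  # MySQL "ip/netmask" form: a whole subnet
    "hostname": "medium",  # depends on reverse DNS; may change or stop resolving
    "private":  "low",
    "loopback": "info",
}


def classify_host(host: str) -> str:
    """Return wildcard, loopback, private, public, netmask or hostname."""
    host = host.strip()
    # In mysql.user, '%' and '_' are LIKE-style wildcards unless escaped.
    if host == "" or "%" in host or "_" in host:
        return "wildcard"
    if host == "localhost":
        return "loopback"
    if "/" in host:  # e.g. 192.168.0.0/255.255.0.0
        return "netmask"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # not an address literal, so MySQL will resolve it
    if addr.is_loopback:
        return "loopback"
    if any(addr in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def audit_admin_hosts(rows):
    """Return (host, user, classification, severity) for admin-like accounts,
    most exposed first. Non-admin accounts are skipped."""
    order = ["high", "medium", "low", "info"]
    findings = []
    for host, user in rows:
        if not ADMIN_USER_RE.search(user):
            continue
        cls = classify_host(host)
        findings.append((host, user, cls, SEVERITY[cls]))
    findings.sort(key=lambda f: order.index(f[3]))  # stable: keeps row order within a level
    return findings


# Constructed sample rows: the five entries shown in the thread plus a '%'
# wildcard and a public address (203.0.113.7 is a documentation range).
SAMPLE_ROWS = [
    ("127.0.0.1", "root"),
    ("172.16.162.1", "root"),
    ("192.168.21.1", "root"),
    ("debian-5.0-i386", "root"),
    ("localhost", "root"),
    ("%", "admin"),
    ("203.0.113.7", "root"),
    ("localhost", "app_user"),
]

if __name__ == "__main__":
    for host, user, cls, sev in audit_admin_hosts(SAMPLE_ROWS):
        print(f"{sev:6} {cls:9} {user}@{host}")
```

Run it as-is to see the constructed rows ranked; to audit a live server, feed `audit_admin_hosts` the rows of `SELECT host, user FROM mysql.user` obtained through a normal DBA connection. Entries classified high are the ones to tighten first: replace `'%'` with the specific client hosts that need the account, and drop public addresses unless the server is genuinely meant to accept admin logins from them.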