reconstruct SQL Injection attack from logs

mgilhespy
(@mgilhespy)
Posts: 102
Estimable Member
Topic starter
 

Does anyone know of a tool which will assist in the reconstruction of a SQL Injection attack where the only data available is the Apache access logs? In this example we have determined that blind boolean-based SQLi has been used (using SQLMAP), and the difficulty is that there are tens of thousands of lines in the log as sqlmap gradually builds up queries. The purpose is to discover precisely which information has been gleaned.

 
Posted : 18/12/2019 12:15 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

SQLMAP is an automated tool. One would expect that there was some manual activity, by a human, after the automated attack?

So maybe you can check the timestamps and look for a pause in the automated activity when the human takes over. There might also be a change in the "User Agent" string in the Apache log. The obvious first thing to do once you are in the database is a SQLDUMP. Then see if you could get a shell running, or PHP code running.

 
Posted : 18/12/2019 11:11 pm
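
The timestamp-pause and User-Agent check suggested in the reply above, as an added example that is not part of the original thread. It assumes the Apache "combined" log format and a 5-minute pause threshold; the function names are hypothetical and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format; quoted fields may contain backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
    + QUOTED + ' ' + QUOTED)

def parse(lines):
    """Yield (ip, timestamp, request, user_agent) for each parseable line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ip, ts, req, _status, _size, _referer, ua = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), req, ua

def find_handover(lines, min_gap=timedelta(minutes=5)):
    """Per client IP, report requests that follow a long pause or a
    User-Agent change: candidate points where a human took over."""
    last = {}    # ip -> (timestamp, user_agent) of that client's previous request
    events = []
    for ip, ts, req, ua in sorted(parse(lines), key=lambda r: r[1]):
        if ip in last:
            prev_ts, prev_ua = last[ip]
            reasons = []
            if ts - prev_ts >= min_gap:
                reasons.append("pause")
            if ua != prev_ua:
                reasons.append("user-agent change")
            if reasons:
                events.append({"ip": ip, "at": ts, "gap": ts - prev_ts,
                               "reasons": reasons, "request": req})
        last[ip] = (ts, ua)
    return events

# Constructed sample lines (documentation IP ranges, not from a real incident).
SAMPLE = [
    '203.0.113.5 - - [18/Dec/2019:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.3.12#stable (http://sqlmap.org)"',
    '203.0.113.5 - - [18/Dec/2019:10:00:02 +0000] "GET /item.php?id=1 HTTP/1.1" 200 1204 "-" "sqlmap/1.3.12#stable (http://sqlmap.org)"',
    '198.51.100.7 - - [18/Dec/2019:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Dec/2019:10:20:30 +0000] "GET /item.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for e in find_handover(SAMPLE):
        print(e["ip"], e["at"].isoformat(), e["gap"], e["reasons"], e["request"])
```

Requests logged after a flagged event are the ones to read by hand; the User-Agent is client-controlled, so an unchanged value does not rule out a handover.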