
Aug 6, 2015

SQL Injection with Sqlmap (Using Backtrack 5)

 

I am re-sharing how to inject vulnerable sites with SqlMap from Backtrack5 R3.
Those who inject manually learn more, but for people who want to inject quickly, BT5R3 is the most popular choice, you could say.
Beginners can learn from it too :p
I will post how to install BT5R3 on VMware later :)


SQL Injection Tutorial 

There are a number of tools available for SQL injection, but here we are going to use Backtrack 5.


Since Backtrack 5 ships several tools for performing SQL injection, we are going to use one of them, Sqlmap.






First we need to open the sqlmap application on Backtrack 5. Before we start, we need to find a vulnerable website to inject. To find one, we can download a dork list, which contains websites reported as vulnerable, or we can simply test on our own whether a site is vulnerable by adding a single quote (') at the end of the website's URL, which looks something like the URL below: www.yboaofnc.com/event.php?id=35'



When you receive the above error, it shows that the website is vulnerable and can be injected with SQL code. If you do not get this error and the website refreshes to its main page or another page as normal, then this website is not vulnerable and you can start looking for another website to inject. In this case, we are going to use www.yboaofnc.com/event.php?id=35 for our demo.
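The quote test works because the id value from the query string is pasted straight into the SQL text, so a trailing quote leaves an unterminated string and the database returns a syntax error. The Python script below is an added example, not code from the original post; it reproduces both behaviours against an in-memory SQLite table with constructed sample rows, and shows the fix: validate the id as an integer and bind it as a query parameter so the database never parses user input as SQL.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data standing in for the site's event table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO event (id, title) VALUES (?, ?)",
        [(35, "Constructed event 35"), (36, "Constructed event 36")],
    )
    conn.commit()
    return conn


def find_event_vulnerable(conn, raw_id):
    """The pattern the quote test detects: the raw query-string value is
    concatenated into the SQL text, so a trailing quote breaks the statement
    and a tautology such as '35 OR 1=1' widens the WHERE clause."""
    sql = "SELECT id, title FROM event WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def find_event_safe(conn, raw_id):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter so it can only ever be compared, never parsed."""
    try:
        event_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # a real handler would answer HTTP 400 here
    return conn.execute(
        "SELECT id, title FROM event WHERE id = ?", (event_id,)
    ).fetchall()


def probe(handler, conn, raw_id):
    """Run one handler on one input and summarise the outcome as
    ('rows', count) or ('error', exception name), which mirrors what the
    tester sees in the browser: an SQL error page versus a normal page."""
    try:
        return ("rows", len(handler(conn, raw_id)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = build_demo_db()
    for value in ("35", "35'", "35 OR 1=1"):
        print(repr(value),
              "vulnerable:", probe(find_event_vulnerable, db, value),
              "safe:", probe(find_event_safe, db, value))
```

The vulnerable handler answers the quoted id with a syntax error and the tautology with every row in the table; the hardened handler returns the one matching row for a real id and an empty result for anything else, so neither probe tells the caller anything about the query.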


Once you open sqlmap in Backtrack, the first step is to scan the URL to see whether it is injectable and, at the same time, to retrieve the available databases on that website. To do that we enter the following command without the quotes ("):
“python sqlmap.py -u www.yboaofnc.com/event.php?id=35 --dbs”



Once the scan is complete, it will show the available databases on the target site. In this case there are three databases found after scanning: “information_schema”, “test” and “yboa”.



Next, we want to view the tables of a database. For that, we select one of the databases; in this case, we choose the “yboa” database. Then type this command to view its tables:
“python sqlmap.py -u www.yboaofnc.com/event.php?id=35 -D yboa --tables”





Once done, it will show all the tables inside the selected database. The above screenshot shows a number of tables inside the selected database.




Now we want to view the columns of one of the tables listed above. In this case, we are going to view the columns of the table ‘allowed’. To do so, type this command:
“python sqlmap.py -u www.yboaofnc.com/event.php?id=35 -D yboa -T allowed --columns”




Once the above command is entered, we can view the list of columns of the table ‘allowed’. We have three columns: ‘id’, ‘pwd’ and ‘uname’.




The last step of this tutorial is to dump the ‘pwd’ column and the ‘uname’ column to get the username and the password. First, let us dump the password. To do so, enter the following command:
“python sqlmap.py -u www.yboaofnc.com/event.php?id=35 -D yboa -T allowed -C pwd --dump”





Once the above command is executed, the hash value of the password will be shown. Sqlmap then offers the option of running a dictionary attack to crack that hash. Enter ‘Y’ for yes to retrieve the password.

Finally, the login password will be shown. In this case, the password is ‘sha1_generic_passwd’.


The same method used to dump the password is used to retrieve the username, but instead of dumping ‘pwd’, we now dump ‘uname’. Once the command below is entered, we get the username, which is ‘admin’ in this case.

“python sqlmap.py -u www.yboaofnc.com/event.php?id=35 -D yboa -T allowed -C uname --dump”
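Seen from the web server, the enumeration above leaves a distinctive trail: a burst of requests to a single URL whose id parameter carries quotes and SQL keywords, a 500 where the error page came back, and often sqlmap's default User-Agent (which an operator can change, so on its own it is only a weak signal). The Python script below is an added example, not part of the original post; it parses constructed combined-format access-log lines (the IP addresses, timestamps and the "sqlmap/1.0-dev (...)" User-Agent value are made up for the demo, following the tool's default "sqlmap/<version>" shape) and flags the requests that fit that pattern.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in Apache/nginx combined format.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Aug/2015:10:01:02 +0000] "GET /event.php?id=35 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Aug/2015:10:01:05 +0000] "GET /event.php?id=35%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Aug/2015:10:02:11 +0000] "GET /event.php?id=35%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '198.51.100.9 - - [06/Aug/2015:10:02:11 +0000] "GET /event.php?id=35%20UNION%20ALL%20SELECT%20NULL-- HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '203.0.113.7 - - [06/Aug/2015:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens that rarely belong in an id-style parameter; tune per application,
# since AND/OR will also match free-text search fields.
SQL_TOKEN_RE = re.compile(
    r"\b(UNION|SELECT|AND|OR|SLEEP|BENCHMARK|INFORMATION_SCHEMA)\b", re.IGNORECASE
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def flag_request(rec):
    """Return the list of reasons a parsed request looks like SQL injection probing."""
    reasons = []
    if "sqlmap" in rec["ua"].lower():
        reasons.append("sqlmap_user_agent")
    # parse_qsl URL-decodes values, so %27 becomes a literal quote here
    values = [v for _, v in parse_qsl(urlsplit(rec["path"]).query, keep_blank_values=True)]
    if any("'" in v or '"' in v for v in values):
        reasons.append("quote_in_parameter")
    if any(SQL_TOKEN_RE.search(v) for v in values):
        reasons.append("sql_keyword_in_parameter")
    # a 5xx on an already-suspicious request is the server-side view of the error page
    if reasons and rec["status"].startswith("5"):
        reasons.append("server_error_on_suspicious_request")
    return reasons


def scan_log(lines):
    """Return (ip, path, reasons) for every flagged request, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = flag_request(rec)
        if reasons:
            findings.append((rec["ip"], rec["path"], reasons))
    return findings


def repeat_offenders(findings, threshold=2):
    """Sources with at least `threshold` flagged requests: an automated tool
    sends many probes per parameter, a curious human usually sends one."""
    counts = Counter(ip for ip, _, _ in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, path, reasons in hits:
        print(ip, path, ", ".join(reasons))
    print("repeat offenders:", repeat_offenders(hits))
```

Run against the sample, the first probe (the manual quote test, answered with a 500) and both sqlmap requests are flagged, the ordinary page views are not, and only the source that sent repeated probes is reported as a repeat offender. In production the same checks would run over a log tail or a SIEM query, with the keyword list and threshold tuned to the application's real parameters.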

~ Happy Hacking ~ 
 
=====================
Special Thanks To " hackerzzone "
=====================
