first i try to use vulnerable of file inclution. (to collect some user)
and we can see, we got some user (root, msfadmin, user, etc)
then i try to search vulnerability of ssh
after that i use user root and search the ssh key
we can see that we have found the key. now try to connect using ssh
and we have entered as root... :D
second way.
here, i use sqli and file inclution.
first, open dvwa --> sql injection
after that, open burpsuite
and then copy the cookies into sqlmap
here, i want to enter into mysql, so i have to search the password of mysql. so type this.
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#" --cookie "security=medium; tz_offset=25200; PHPSESSID=d2f440d1772f9b9ed69c7a74b926caf9" --level=3 --risk=3 --dbs -D mysql --tables
then dump the table user
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#" --cookie "security=medium; tz_offset=25200; PHPSESSID=d2f440d1772f9b9ed69c7a74b926caf9" --level=3 --risk=3 --dbs -D mysql -T user --dump
and we can see that there is no password for user root
then enter to mysql command line
root@bt:/pentest/database/sqlmap# mysql -h 192.168.56.101 -u root -p
then load the file inclution. and we can got some user.
after we known the user, using medusa to find out the password
then, connect it using ssh.
here i use user msfadmin because i have tried to use other user but i can't gain the root
alhamdulillah ... :D
note : in second ways, i have tried it on security high and it works ... :D
No comments:
Post a Comment