1. First, start Apache and MySQL.
2. Open Mutillidae by typing localhost/mutillidae in the browser.
3. Set your browser's proxy to localhost, port 8080.
4. Open Burp Suite and set the target to localhost.
Then look at what happens when we click the login button in Mutillidae. Burp Suite successfully intercepted Mutillidae's traffic. View the picture below:
This is the result of the interception; you will see information such as the POST request to localhost, including the username and password fields in the POST body.
5. Next, open sqlmap and test it to identify the backend database.
As a result we get some databases:
6. We got some databases; I tried to get the tables from the nowasp database.
And the result:
7. Then I tried to get the columns of the accounts table.
Result:
8. Finally we got the columns of the accounts table, then I'll try to dump the username.
As the result:
Dump the password:
9. As the last step I'll go into the MySQL shell.
Type: # mysql -h [host] -u user -p
I got it!!!
CMIIW
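As an added illustration that is not part of the original post or of Mutillidae's code, here is the defect sqlmap is finding in the login form above, modelled in Python with SQLite, beside the parameterized fix. The table name accounts comes from the post; the rows, the helper names and the use of SQLite instead of MySQL are assumptions of this example.

```python
import sqlite3

# Constructed stand-in for the nowasp.accounts table named in the post
# (these usernames and passwords are made up for this example).
SAMPLE_ACCOUNTS = [
    ("admin", "adminpass"),
    ("john", "monkey"),
]


def setup_db():
    """Build an in-memory SQLite copy of a minimal accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def login_vulnerable(conn, username, password):
    """Login the way a naive PHP page does it: the POST fields are pasted
    straight into the SQL text, so a quote in the input changes the query.
    This is the defect class sqlmap detects and enumerates through."""
    sql = ("SELECT username FROM accounts WHERE username='%s' "
           "AND password='%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with a parameterized query: the driver binds the values,
    so quotes in the input stay data and never become SQL syntax."""
    sql = "SELECT username FROM accounts WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run a valid login and a tautology probe against both versions."""
    conn = setup_db()
    probe = "admin' OR '1'='1"  # constructed probe of the kind sqlmap sends
    return {
        "valid_vulnerable": login_vulnerable(conn, "john", "monkey"),
        "valid_safe": login_safe(conn, "john", "monkey"),
        "probe_vulnerable": login_vulnerable(conn, probe, "wrong"),  # 'admin'
        "probe_safe": login_safe(conn, probe, "wrong"),              # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable version lets the probe authenticate as admin without the password; the parameterized version treats the whole string as a literal username and rejects it.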