qeqeqe ...
ada tutorial nih ...
lumayan sql injection, disebelah kan ada yg pake scemafuzz ...
klo ini beda lagi pake software *.exe ...
jadi tinggal klak-klik doank kelar ...
efek samping : bikin orang jadi males ... ;))
tapi klo udah tau dasarnya yg pake "order+by+ bla .. bla ..." it's ok lah...
yg penting kita tau jalannya klo disuruh manual ...
tool :
SQL I Helper V.2.7
lanjut kita mulai
1. cari target site yg vuln contoh trus masukin ke kolom target (jangan pake ') ...
kaya gini ...
![[Image: 3446x5g.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uuWzW7DtgXYqYs5fTXmKAFO49Nn57FtcuLHyyCSUBt5iptwyAQohpU7hlbale3ewJN4Lq6cypLKVc62rvjmRnWj5Uwr3Y=s0-d)
2. trus klik injek ...
hasilnya nanti kluar kayak gini ...
![[Image: 10rvekz.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sd8U7m5ehfgjPzsHSXEI1VMIIWjka3V1eSjT9jvhYJtU5VmeU0XqXTnB7wVVsfULBkT8F4s9FRy6azSemeIVQeicpuxIQ=s0-d)
3.next, klik "get database" hasilnya kayak gini
![[Image: t8rmmu.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uisRnfdZ-gWLi2Es1ont1DiF2n6VWnboTTdsKL-YETxrM6E__K1AVNE63EWcMHPR_bW_RNiddxACxxRwI0cBID-1IWgg=s0-d)
4.pilih database yg mau kita cek ada di kotak database name & trus klik "get tables"
![[Image: 14e437a.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tSWrLszLYkv19oUGnbY9WtMSaOMogQ820bmhUuhX2P-hNlLQrVeeENybeKkOs3F7BKxVQWwjsOqBiMwQzO77DW4VAXjJ4=s0-d)
5. pilih table yg kira2 kita bisa dapet user & pass contoh: admin, user, staff, moderator dll ...
pada contoh ini kita pilih "user" trus kita klik "get columns"
![[Image: w7n536.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ubdhYqGX6-OVNDyt5E4dB72kg_eMMqRu0I04ApOUttmr2M-2Ec2-5rkjM0kgRzrAcxtL6yAm0WFEARhPOOpq310NtUiw=s0-d)
6. pilih column mana aja yg mau kita intip (ctrl+click) misalnya: usr_login & usr_pass
![[Image: eakw00.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tBKpg038wHAJkGOrzVYiezCmVpdlfFn2ikQK7mBoo1fbQBOO7HRe55rCHvsSPFpDfv1ud_hwfwii16Np4CYdu4aUQsuw=s0-d)
trus klik "dump now"
7.kluar deh username ama passwordnya :wb:
![[Image: 35hiz9k.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tlFYAPA_oQRpInHjyojUQMmTg2lRXT9ZdYS2-6c_60Y-OfIjJVGXEprkmfWQD-Pk_VJp-vgcEgJrVz2BPafbvldGOrEaU=s0-d)
8. klo passwordnya md5 langsung aja buka http://www.md5decrypter.co.uk/ kali aja ketemu ... :))
9. cari admin pagenya klik "admin finder" mudah2an aja ketemu ... ;))
10. login deh ...
ada tutorial nih ...
lumayan sql injection, disebelah kan ada yg pake scemafuzz ...
klo ini beda lagi pake software *.exe ...
jadi tinggal klak-klik doank kelar ...
efek samping : bikin orang jadi males ... ;))
tapi klo udah tau dasarnya yg pake "order+by+ bla .. bla ..." it's ok lah...
yg penting kita tau jalannya klo disuruh manual ...
tool :
SQL I Helper V.2.7
lanjut kita mulai
1. cari target site yg vuln contoh
Code:
http://encycl.anthropology.ru/article.php?id=1'kaya gini ...
2. trus klik injek ...
hasilnya nanti kluar kayak gini ...
3.next, klik "get database" hasilnya kayak gini
4.pilih database yg mau kita cek ada di kotak database name & trus klik "get tables"
5. pilih table yg kira2 kita bisa dapet user & pass contoh: admin, user, staff, moderator dll ...
pada contoh ini kita pilih "user" trus kita klik "get columns"
6. pilih column mana aja yg mau kita intip (ctrl+click) misalnya: usr_login & usr_pass
trus klik "dump now"
7.kluar deh username ama passwordnya :wb:
8. klo passwordnya md5 langsung aja buka http://www.md5decrypter.co.uk/ kali aja ketemu ... :))
9. cari admin pagenya klik "admin finder" mudah2an aja ketemu ... ;))
10. login deh ...
No comments:
Post a Comment