Võ Đăng Trình - SQL Injection
Web security
[Figure: the website after applying those instructions]
As can be seen from the website, page 16 is the one that can be used to extract information from the database.
As can be seen from the image, the version of the database is 5.7.37.
[Figure: output of database()]
[Figure: output of user()]
After using those instructions, all the table names of the database have been extracted through page 16. All the table names are:
tbl_config, tbl_content, tbl_content_category, tbl_product, tbl_product_category, tbl_product_hot, tbl_product_new, tbl_product_special, tbl_user, tbl_visitor
So the columns of the tbl_user table are id, uid, pwd, cat_id.
The data in the table tbl_user is:
"1/admincp/0a4f59342d128ab612449a75ba121dc0/Admincp,2/coder/ee12026a0b34f078925edcb4d85680c8/Subadmin"
Inside this table, there are 2 accounts:
+ User1: admincp, Password: 0a4f59342d128ab612449a75ba121dc0
+ User2: coder, Password: ee12026a0b34f078925edcb4d85680c8
2nd website: vietfarmsfsf.com
[http://www.vietfarmsfsf.com/?php=product_detail&id=260]
[Figure: the website after applying those instructions]
As can be seen from the website, page 8 is the one that can be used to extract information from the database.
As can be seen from the image, the version of the database is 5.0.67-community.
[Figure: output of database()]
After using those instructions, all the table names of the database have been extracted through page 8. All the table names are:
tbl_config, tbl_content, tbl_content_category, tbl_product, tbl_product_category, tbl_product_new, tbl_product_special, tbl_user, tbl_visitor
So the columns of the tbl_user table are id, uid, pwd.
The data in the table tbl_user is:
1/admincp/31b5d7b1a473763500b9b0d66e1a63c2,2/coder/ee12026a0b34f078925edcb4d85680c8
Inside this table, there are 2 accounts:
+ User1: admincp, Password: 31b5d7b1a473763500b9b0d66e1a63c2
+ User2: coder, Password: ee12026a0b34f078925edcb4d85680c8
3rd website: thepdaitayduong.com.vn
[http://thepdaitayduong.com.vn/?php=product_detail&id=220]
[Figure: the website after applying that instruction]
As can be seen from the website, page 6 is the one that can be used to extract information from the database.
As can be seen from the image, the version of the database is 5.7.37.
[Figure: output of database()]
[Figure: output of user()]
After using those instructions, all the table names of the database have been extracted through page 6. All the table names are:
tbl_config, tbl_content, tbl_content_category, tbl_product, tbl_product_category, tbl_product_new, tbl_product_special, tbl_user, tbl_visitor
So the columns of the tbl_user table are id, uid, pwd, cat_id.
The data in the table tbl_user is:
1/admincp/0a4f59342d128ab612449a75ba121dc0/Admincp,2/coder/ee12026a0b34f078925edcb4d85680c8/Subadmin
Inside this table, there are 2 accounts:
+ User1: admincp, Password: 0a4f59342d128ab612449a75ba121dc0
+ User2: coder, Password: ee12026a0b34f078925edcb4d85680c8
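The three sites above share the same weakness: a product_detail page takes a numeric id from the query string and builds its SQL from it. The following is an added example, not code from the report or from any of the sites, written in Python with an in-memory SQLite database standing in for MySQL. It shows why a concatenated id lets a UNION read tbl_user, and the hardened handler that fixes it by validating the id as an integer and binding it as a parameter. The schema, the row values, the placeholder hash and the function names are all constructed here; only the table and column names (tbl_product, tbl_user, id, uid, pwd) are taken from the report.

```python
import sqlite3

# Constructed sample schema using the table and column names from the report.
# The row values are placeholders; the pwd value is NOT a hash from the report.
SCHEMA = """
CREATE TABLE tbl_product (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
CREATE TABLE tbl_user (id INTEGER PRIMARY KEY, uid TEXT, pwd TEXT);
INSERT INTO tbl_product VALUES (260, 'Sample product', '100');
INSERT INTO tbl_user VALUES (1, 'admincp', '<hash placeholder>');
"""


def make_db():
    """Fresh in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def product_detail_vulnerable(conn, id_param: str):
    """The weak pattern: the id from the URL is pasted into the SQL text.
    The database parses everything in id_param as SQL, so a UNION in it
    makes the query return rows from a different table (here tbl_user),
    which is exactly the class of leak the report demonstrates."""
    sql = "SELECT name, price FROM tbl_product WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def product_detail_hardened(conn, id_param: str):
    """The fix, in two layers:
    1. Reject anything that is not a plain positive integer before it
       reaches the database (an id like 260 is all this page needs).
    2. Bind the value as a parameter, so even if validation were ever
       relaxed the database receives it as data, never as SQL text."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT name, price FROM tbl_product WHERE id=?"
    return conn.execute(sql, (int(id_param),)).fetchall()


def demo():
    """Runs both handlers on a normal id and on an injected id and returns
    (normal result, what the vulnerable handler leaks, hardened outcome)."""
    conn = make_db()
    injected = "0 UNION SELECT uid, pwd FROM tbl_user"
    normal = product_detail_vulnerable(conn, "260")
    leaked = product_detail_vulnerable(conn, injected)
    try:
        hardened = product_detail_hardened(conn, injected)
    except ValueError as exc:
        hardened = str(exc)
    return normal, leaked, hardened


if __name__ == "__main__":
    for label, value in zip(("normal", "vulnerable+injected", "hardened+injected"), demo()):
        print(f"{label}: {value}")
```

The hardened handler keeps the same `SELECT name, price FROM tbl_product WHERE id=?` shape the page needs, so the fix costs nothing in functionality; the `isdigit()` check also gives the application a clean place to log and alert on requests whose id is not numeric, which is what the injected inputs in this report look like on the wire.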