FoulsCode: 2011-17

Showing posts with label Injection.

SQL Injection Filter Bypassing v0.4

Written by Fouls Code on Thursday, 22 June 2017


Note: This application does not require any database.

Code:

<!DOCTYPE html>
<html>
<head>
<title>SQL Injection Filter Bypassing v0.4</title>
<style>
hr {margin:24px 0;}
</style>
</head>
<body>
<h1>SQL Injection Filter Bypassing v0.4</h1>
<?php
// Blacklist the simulated filter is built from. 'caption' is the checkbox label;
// 'filter' is the literal (regex-escaped where needed) that is matched against
// the payload, the way a naive keyword-based WAF rule would.
$filter = array(
    'syntax' => array(
        'union'     => array('caption' => 'UNION',      'filter' => 'union'),
        'select'    => array('caption' => 'SELECT',     'filter' => 'select'),
        'from'      => array('caption' => 'FROM',       'filter' => 'from'),
        'where'     => array('caption' => 'WHERE',      'filter' => 'where'),
        'limit'     => array('caption' => 'LIMIT',      'filter' => 'limit'),
        'wait_for'  => array('caption' => 'WAIT FOR',   'filter' => 'wait for'),
        'group_by'  => array('caption' => 'GROUP BY',   'filter' => 'group by'),
        'order_by'  => array('caption' => 'ORDER BY',   'filter' => 'order by'),
        'into'      => array('caption' => 'INTO',       'filter' => 'into'),
        'file'      => array('caption' => 'FILE',       'filter' => 'file'),
        'outfile'   => array('caption' => 'OUTFILE',    'filter' => 'outfile'),
        'infile'    => array('caption' => 'INFILE',     'filter' => 'infile'),
        'having'    => array('caption' => 'HAVING',     'filter' => 'having'),
        'truncate'  => array('caption' => 'TRUNCATE',   'filter' => 'truncate'),
        'insert'    => array('caption' => 'INSERT',     'filter' => 'insert'),
        'update'    => array('caption' => 'UPDATE',     'filter' => 'update'),
        'delete'    => array('caption' => 'DELETE',     'filter' => 'delete'),
        // 'droptable' could never match real SQL; the statement is two words
        'droptable' => array('caption' => 'DROP TABLE', 'filter' => 'drop table'),
        'case'      => array('caption' => 'CASE',       'filter' => 'case'),
    ),
    'operators' => array(
        'and'  => array('caption' => 'AND',  'filter' => 'and'),
        '&&'   => array('caption' => '&&',   'filter' => '&&'),
        'or'   => array('caption' => 'OR',   'filter' => 'or'),
        '||'   => array('caption' => '||',   'filter' => '\|\|'),
        '='    => array('caption' => '=',    'filter' => '='),
        '<>'   => array('caption' => '<>',   'filter' => '<>'),
        'like' => array('caption' => 'LIKE', 'filter' => 'like'),
        'is'   => array('caption' => 'IS',   'filter' => 'is'),
        'not'  => array('caption' => 'NOT',  'filter' => 'not'),
        'if'   => array('caption' => 'IF',   'filter' => 'if'),
        'null' => array('caption' => 'NULL', 'filter' => 'null'),
    ),
    'functions' => array(
        'benchmark'    => array('caption' => 'BENCHMARK',    'filter' => 'benchmark'),
        'hex'          => array('caption' => 'HEX',          'filter' => 'hex'),
        'unhex'        => array('caption' => 'UNHEX',        'filter' => 'unhex'),
        'substr'       => array('caption' => 'SUBSTR',       'filter' => 'substr'),
        'mid'          => array('caption' => 'MID',          'filter' => 'mid'),
        'extractvalue' => array('caption' => 'ExtractValue', 'filter' => 'extractvalue'),
        'concat'       => array('caption' => 'CONCAT',       'filter' => 'concat'),
        'concat_ws'    => array('caption' => 'CONCAT_WS',    'filter' => 'concat_ws'),
        'group_concat' => array('caption' => 'GROUP_CONCAT', 'filter' => 'group_concat'),
        'mod'          => array('caption' => 'MOD',          'filter' => 'mod'),
        'load_file'    => array('caption' => 'LOAD_FILE',    'filter' => 'load_file'),
        'cast'         => array('caption' => 'CAST',         'filter' => 'cast'), // key was misspelled 'fitler'
    ),
    'misc' => array(
        '--' => array('caption' => '--', 'filter' => '--'),
        '#'  => array('caption' => '#',  'filter' => '#'),
        '/*' => array('caption' => '/*', 'filter' => '\/\*'),
    ),
);

// Query previews for the two injection contexts (quoted string vs. bare integer).
$query_tpl = array(
    'string'  => "SELECT * FROM table WHERE column = '%s'",
    'integer' => "SELECT * FROM table WHERE column = %s",
);

if (!empty($_POST)) {
    $case      = isset($_POST['case'])      ? $_POST['case']      : 'lower';
    $method    = isset($_POST['method'])    ? $_POST['method']    : 'string';
    $injection = isset($_POST['injection']) ? $_POST['injection'] : '';
    if (!isset($query_tpl[$method])) { $method = 'string'; }

    // "Any" case is the /i modifier; "Lowercase"/"Uppercase" simulate a filter
    // that only knows one spelling of its keywords.
    $mods  = ($case == 'both') ? 'i' : '';
    $parts = array();   // regex alternatives for every enabled keyword
    $used  = array();   // lowercased literal => its regex fragment, to re-find hits

    if (isset($_POST['filter']) && is_array($_POST['filter'])) {
        foreach ($_POST['filter'] as $type => $keyword) {
            foreach ((array) $keyword as $k => $state) {
                if (!isset($filter[$type][$k]['filter'])) { continue; }   // ignore unknown keys
                $key = $filter[$type][$k]['filter'];
                if ($case == 'upper')     { $key = strtoupper($key); }
                elseif ($case == 'lower') { $key = strtolower($key); }
                // Key on the unescaped literal so that '||', '/*' and 'group by'
                // can be looked up again from the text preg_match_all returns.
                $used[strtolower(stripslashes($key))] = $key;
                $parts[] = $key;
            }
        }
    }

    // An integer context has no quote to close, so a filter for that context
    // usually blocks the quote characters themselves.
    if ($method == 'integer') {
        $used["'"] = "'";
        $used['"'] = '"';
        $parts[]   = "'";
        $parts[]   = '"';
    }

    $filters = implode('|', $parts);

    if ($filters !== '' && preg_match_all("/{$filters}/{$mods}", $injection, $matches)) {
        // Re-find every hit so the same tokens can be highlighted in the preview.
        $matched = array();
        foreach ($matches[0] as $hit) {
            $lookup = strtolower($hit);
            if (isset($used[$lookup])) { $matched[] = $used[$lookup]; }
        }
        $matched  = implode('|', array_unique($matched));
        $triggers = htmlspecialchars(implode(', ', array_unique($matches[0])));
        if ($matched !== '') {
            $injection = preg_replace("/({$matched})/{$mods}", '<span style="color:red;">\1</span>', $injection);
        }
        // The preview is deliberately rendered raw so the highlight spans work:
        // this is a local lab page, do not expose it to untrusted users.
        echo "<hr><h2>Result: Filtered</h2><strong>Triggers:</strong> {$triggers}<br /><br />"
           . sprintf($query_tpl[$method], $injection) . "<hr>";
    } else {
        echo "<hr><h2>Result: Passed</h2>" . sprintf($query_tpl[$method], $injection) . "<hr>";
    }
}
?>
<form name="keywords" method="post" action="">
<input type="text" name="injection" style="width:500px;" autofocus value="<?php echo isset($_POST['injection']) ? htmlspecialchars($_POST['injection'], ENT_QUOTES) : ''; ?>">
<input type="submit" value="Execute"><br />
<?php $case   = isset($_POST['case'])   ? $_POST['case']   : 'both'; ?>
<?php $method = isset($_POST['method']) ? $_POST['method'] : 'string'; ?>
Case: <input type="radio" name="case" value="both"<?php echo ($case == 'both') ? ' checked' : ''; ?>> Any
<input type="radio" name="case" value="lower"<?php echo ($case == 'lower') ? ' checked' : ''; ?>> Lowercase
<input type="radio" name="case" value="upper"<?php echo ($case == 'upper') ? ' checked' : ''; ?>> Uppercase<br />
Method: <input type="radio" name="method" value="string"<?php echo ($method == 'string') ? ' checked' : ''; ?>> String
<input type="radio" name="method" value="integer"<?php echo ($method == 'integer') ? ' checked' : ''; ?>> Integer<br />
Predefined filters: <select onchange="setPredefined()" id="predefined">
<option>Predefined</option>
<option value="1">AND, OR, NULL, WHERE, LIMIT</option>
<option value="2">UNION, SELECT, FROM, HAVING</option>
<option value="5">UNION, SELECT, FROM, WHERE</option>
<option value="3">INTO, FILE, CASE</option>
<option value="4">GROUP BY, ORDER BY, HAVING, LIMIT</option>
</select>
<table border="1" cellpadding="4" cellspacing="0" style="border:1px solid #000000;border-collapse:collapse;width:600px;">
<thead>
<tr>
<th style="width:25%;">SYNTAX</th>
<th style="width:20%;">OPERATORS</th>
<th style="width:30%;">FUNCTIONS</th>
<th style="width:25%;">MISC</th>
</tr>
</thead>
<tbody>
<tr>
<?php foreach (array('syntax', 'operators', 'functions', 'misc') as $type) { ?>
<td valign="top">
<?php
// One checkbox per keyword; the id "{type}_{key}" is what setPredefined() looks up.
foreach ($filter[$type] as $key => $keyword) {
    $checked = isset($_POST['filter'][$type][$key]) ? ' checked' : '';
    $id      = "{$type}_{$key}";
    echo "<input type=\"checkbox\" id=\"{$id}\" name=\"filter[{$type}][{$key}]\"{$checked}> "
       . htmlspecialchars($keyword['caption']) . "<br />\n";
}
?>
</td>
<?php } ?>
</tr>
</tbody>
</table>
</form>
<script>
var setPredefined = function() {
    var selected = document.getElementById('predefined').value;
    var check = [];

    uncheckAll();
    switch (selected) {
        case '1':
            check = ['syntax_where', 'syntax_limit', 'operators_and', 'operators_or', 'operators_null'];
            break;
        case '2':
            check = ['syntax_union', 'syntax_select', 'syntax_from', 'syntax_having'];
            break;
        case '3':
            check = ['syntax_into', 'syntax_file', 'syntax_case'];
            break;
        case '4':
            check = ['syntax_group_by', 'syntax_order_by', 'syntax_having', 'syntax_limit'];
            break;
        case '5':
            check = ['syntax_union', 'syntax_select', 'syntax_from', 'syntax_where'];
            break;
    }

    for (var i = 0; i < check.length; i++) {
        var el = document.getElementById(check[i]);
        if (el) { el.checked = true; }
    }
};

var uncheckAll = function() {
    var inputs = document.forms['keywords'].getElementsByTagName('input');
    for (var i = 0; i < inputs.length; i++) {
        if (inputs[i].type == 'checkbox') {
            inputs[i].checked = false;
        }
    }
};
</script>
</body>
</html>
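The point of the tool above is that a keyword blacklist reports "Filtered" or "Passed" on the raw text, while the database decides what the text means. The script below is an added example, not part of the tool: it rebuilds the tool's matching in Python (same alternation of literal keywords, case-sensitive unless "Any"), loads two of the tool's predefined filters plus a typical operator filter, and runs three payloads that the filter passes but a MySQL server would still execute as the intended statement. The payloads, the function names and the simplified model of MySQL's lexer in `as_seen_by_mysql` are assumptions made for this example.

```python
"""Keyword blacklist of the kind the page's tool simulates, and the classic ways a
payload slips past it.  Added example: not part of the original tool.  The
blacklists copy the tool's 'Predefined filters'; the payloads, helper names and
the simplified model of MySQL's lexer are assumptions made for this example."""
import re

# Constructed blacklists; each entry is matched as a literal substring,
# exactly like the tool's preg_match_all over 'union|select|...'.
SYNTAX_FILTER   = ["union", "select", "from", "where"]        # predefined filter 5
CLAUSE_FILTER   = ["group by", "order by", "having", "limit"]  # predefined filter 4
OPERATOR_FILTER = ["and", "or", "="]                           # typical 'operators' choice


def build_filter(keywords, case="both"):
    """Compile the blacklist the way the tool does: one alternation of literal
    keywords, case-sensitive unless case == "both" (the tool's /i modifier)."""
    if case == "lower":
        keywords = [k.lower() for k in keywords]
    elif case == "upper":
        keywords = [k.upper() for k in keywords]
    flags = re.IGNORECASE if case == "both" else 0
    return re.compile("|".join(re.escape(k) for k in keywords), flags)


def triggers(keywords, case, payload):
    """Tokens the tool would list after 'Triggers:' for this payload.
    An empty list is the tool's 'Result: Passed'."""
    return [m.group(0) for m in build_filter(keywords, case).finditer(payload)]


def as_seen_by_mysql(payload):
    """Simplified model (assumption) of what MySQL's lexer does before it
    recognises keywords: a C-style comment counts as whitespace, runs of
    whitespace collapse, and keyword case is irrelevant."""
    without_comments = re.sub(r"/\*.*?\*/", " ", payload)
    return re.sub(r"\s+", " ", without_comments).strip().lower()


# Bypass 1: a filter that only knows one spelling ('lower') is beaten by a
# different case; the database folds keyword case anyway.
CASE_PAYLOAD = "1' UNION SELECT 1,2,3-- -"

# Bypass 2: multi-word entries ('order by', 'group by', 'wait for') are matched
# as phrases; a comment between the words breaks the phrase, not the statement.
PHRASE_PAYLOAD = "1' order/**/by 1-- -"

# Bypass 3: 'or', 'and' and '=' blocked, but '||', '&&' and '<>' are not.
# In MySQL '||' is OR unless PIPES_AS_CONCAT is set, so the logic is unchanged.
OPERATOR_PAYLOAD = "1' || '1'<>'2"


def bypass_report():
    """Run the three payloads against the filter that is supposed to stop them,
    returning (filtered by the blacklist?, what the database would execute)."""
    return {
        "case":     (bool(triggers(SYNTAX_FILTER, "lower", CASE_PAYLOAD)),
                     as_seen_by_mysql(CASE_PAYLOAD)),
        "phrase":   (bool(triggers(CLAUSE_FILTER, "both", PHRASE_PAYLOAD)),
                     as_seen_by_mysql(PHRASE_PAYLOAD)),
        "operator": (bool(triggers(OPERATOR_FILTER, "both", OPERATOR_PAYLOAD)),
                     as_seen_by_mysql(OPERATOR_PAYLOAD)),
    }


if __name__ == "__main__":
    for name, (caught, executed) in bypass_report().items():
        print(f"{name:8s} filtered={caught!s:5s} database sees: {executed}")
```

Running the "phrase" payload through `as_seen_by_mysql` and back through the same filter makes the gap visible: the filter is blind to `order/**/by`, but the normalised text `order by` is exactly the phrase it was configured to stop. The only robust fix is not a longer blacklist but keeping user input out of the SQL grammar altogether (parameterised queries).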



Changelog

v0.4
- Modified the design
- Bug fixes
- Added new filter keywords:
- INTO, FILE, OUTFILE, INFILE, HAVING, NULL, CAST, CASE, TRUNCATE, INSERT, UPDATE, DELETE, DROP TABLE
- Added predefined filters:
- AND, OR, NULL, WHERE, LIMIT
- UNION, SELECT, FROM, HAVING
- UNION, SELECT, FROM, WHERE
- INTO, FILE, CASE
- GROUP BY, ORDER BY, HAVING, LIMIT

v0.3
- Added new filter keywords: MOD
- Added separation on string and integer
- Minor bugfix

v0.2
- Cleaned up the design
- Added new filter keywords: <>, IS, NOT, WAIT FOR

v0.1
- Quick draft just to get something working

Enjoy
- Happy Hacking!



List of dorks for SQL injection

Written by Fouls Code on Tuesday, 17 January 2017



Some dorks that can be typed into Google to search for pages that are candidates for SQL injection. `inurl:` restricts results to URLs containing the fragment (typically a numeric `id=` parameter handed straight to a query), `intext:` to page bodies, so the last group finds pages that already display PHP/MySQL warnings.




inurl:index.php?id=
inurl:trainers.php?id=
inurl:login.asp
index of:/admin/login.asp
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:produit.php?id= site:fr
inurl:shop.php?id= site:fr
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:material.php?id=
inurl:viewapp.php?id=
inurl:galeri_info.php?l=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:info.php?id=
inurl:pro.php?id=
"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"
inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()

Is your web site secure against SQL Injection attacks?

Written by Fouls Code on Thursday, 28 July 2016




According to Wikipedia, SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.


The vulnerability is present when user input is either incorrectly filtered for escape characters embedded in SQL statements, or is not strongly typed, and is therefore unexpectedly executed as part of the query. It is an instance of a more general class of vulnerabilities that can occur whenever one programming language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks. In simple terms, an attacker can craft a specific URL for a field of a website or web application and extract sensitive information from the database: its design, the database schema, column structures, or records that may contain very important data such as usernames and passwords. One study claims that more than 60% of web applications that use dynamic content are probably vulnerable to this kind of attack. To check whether your website or web application is susceptible to it, follow the simple steps below:

1. Find a URL on your website or web application that looks like the following:


http://www.yoursite.com/page.php?id=1




2. Then modify the URL by adding a single quote character ' (without the surrounding quotes) immediately after or before the integer. Use the examples below as a reference; either of the two forms can be used.


http://www.yoursite.com/page.php?id=1'

or


http://www.yoursite.com/page.php?id='1

3. Load the modified URL in your browser and check the result. One of two outcomes will occur, and that outcome determines whether the tested website or web application is vulnerable. If the page loads without any error, your website or web application is probably not vulnerable to SQL injection attacks. If, on the other hand, the page shows an error like the one below, or any other database error, the page is vulnerable to this kind of attack. Keep in mind that this quick check only catches the error-based case: a page that suppresses database errors can still be injectable (blind injection), so a clean result is not proof of safety.

** SQL query failed ** You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'something' at line 8
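The three steps above, carried out as an added example that is not part of the original post: a throwaway SQLite database is queried once through a statement built by string concatenation (the vulnerable pattern that produces the error quoted above) and once through a validated, parameterised query. The table name, the sample rows and the function names are assumptions made for the example; the `id` parameter of `page.php?id=1` becomes the `id_param` argument. SQLite's error text differs from the MySQL message quoted above, but the signal is the same: the stray quote reaches the SQL parser.

```python
"""Added example (not from the original post): the probe from steps 1 to 3 run
against a throwaway SQLite database, once through a query built by string
concatenation (the vulnerable pattern) and once through a parameterised query.
The table name, sample rows and function names are assumptions made for the
example; the id parameter of the article's page.php?id=1 is the `id_param`
argument."""
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's real table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO page VALUES (?, ?)", [(1, "Home"), (2, "About")])
    return conn


def lookup_concat(conn, id_param):
    """Vulnerable: the URL parameter is pasted into the SQL text, so a quote
    (step 2) becomes part of the statement and the parser rejects it (step 3)."""
    sql = "SELECT title FROM page WHERE id = " + id_param
    try:
        return ("ok", [row[0] for row in conn.execute(sql)])
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def lookup_param(conn, id_param):
    """Fixed: the id is validated as an integer and bound as a parameter,
    so whatever the user sends is data and is never parsed as SQL."""
    try:
        page_id = int(id_param)
    except ValueError:
        return ("rejected", "id must be an integer")
    rows = conn.execute("SELECT title FROM page WHERE id = ?", (page_id,))
    return ("ok", [row[0] for row in rows])


# The three requests from the article (normal id, quote after, quote before)
# plus one that shows what the error actually means for the vulnerable page.
PROBES = ["1", "1'", "'1", "1 OR 1=1"]


def run_probes(lookup):
    """Map each probe value of the id parameter to what the page would return."""
    conn = make_db()
    return {p: lookup(conn, p) for p in PROBES}


if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_concat), ("parameterised", lookup_param)):
        print(name)
        for probe, result in run_probes(fn).items():
            print(f"  id={probe!r:12} -> {result}")
```

The fourth probe is why the error matters: the same concatenation that chokes on `1'` happily runs `1 OR 1=1` and returns every row. The parameterised version rejects both at the type check, and even a value that passed `int()` would only ever be compared as a number.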

Once the vulnerable page is found, it can be isolated and fixed. Below are some resources showing how to prevent SQL injection attacks in web applications.

How To: Protect From SQL Injection in ASP.NET

SQL Injection: How To Prevent Security Flaws In PHP / MySQL

How To Prevent PHP Website From SQL Injection

SQL Injection – How To Avoid It


Important note: modifying and testing the URL does not harm your database, but I would suggest taking a backup of all your files and your database before testing. If something goes wrong, you will be able to recover your data from the backups.

via: www.web-resources.eu 