
SQL DORKS [(>} Happy Hacking{<)]


The following Google dork queries can help you find sites that might be vulnerable to SQL injection attacks. Please note that they do not confirm that a site is vulnerable; they only flag sites that might be, and you have to check each one for the vulnerability.

SQL Dorks

HAPPY HACKING


Posted by on July 13, 2011 in General

 

Google Plus “BIG FLOP”


It’s impossible to talk about Google+ without first mentioning Google’s two failed social products, Buzz and Wave. While the reasons for their failure were different – with Buzz it was privacy and the fact that Twitter simply worked better, with Wave it was a lack of clear value – the fact remains that Google spent a lot of time and money developing products that had no real place in the market. Google+ is the company’s best social product so far, but it has its own set of problems, not the least of which will be getting people to switch.

Part of what makes Google+ so appealing is its focus on privacy. The service allows users to share information with only those users they choose. Users can connect with more people but compartmentalize them and the information those people see. It’s a nice divergence from the Facebook model, but it will take people time to get used to it. With Facebook, I find my own best use of the service is to severely limit the number of people I attach to so that I feel comfortable sharing the things in which I’m interested at will. I use Twitter to connect to a much larger user base. Google+ is somewhere in between the two. It lacks the brevity of Twitter but allows users to engage that (theoretically) large user base when they want. When a user wants that close, personal experience, Circles provide the necessary privacy.

Google’s biggest problem right now is that people that want in on the service can’t get in. With a startup, you’d never see this kind of barrier. It’s also keeping the users inside the service from seeing its value. Circles only matter to me if I have people in them. Right now, I have very few personal friends on Google+ so I haven’t been using it much. Without a significant population with which I can share the service, its value completely dissolves. The small user base also limits the ways that Google can draw me into Google+. When I go to create or manage circles, I get a list of seemingly completely random people. Here and there I recognize a name that I have emailed once, maybe twice, but for the most part it’s people I don’t know. That’s not what I want from social media, certainly not at the outset. I want seamless interface with the people I contact most.

One of the coolest parts of Google+ is Hangout, which allows users to jump into text and video chat rooms with customizable accessibility. It’s a product that could easily punch a hole in Skype and become an amazing productivity tool. That’s especially true for the companies that have made the transition to Google’s online products.

Sparks, on the other hand, is the service’s big flop. It’s meant to be some sort of social news feed, but it’s cumbersome instead of sleek, slow instead of fast, and skimpy where it should be overflowing with information. Sparks actually surprises me in its shortcomings. Google has mountains of information about me. I’m always signed in to its email service, I use the search engine exclusively, I have an Android phone, I use Google Reader on a daily basis, and I’m writing this article in Google Docs. Why is it so hard for me to get a decent feed on Sparks?

If Google got one thing right with Google+ it’s the mobile app. The mobile version of the service is greatly simplified, granting quick access to your Stream, Huddles (group conversations), Photos, Circles, and your Profile. The mobile app also allows for Instant Upload, which immediately makes pictures and videos taken from your mobile device available in a private album for later use. It’s a slick app, and once the main service is fleshed out a bit it will get that much better.

For all of the information you’ve read about Google+, are you dying to get into the service? Probably not, and that’s what I see as Google’s greatest threat. The limited release of the service has given the world plenty of time to look it over and breathe a resounding “meh” before they’ve even experienced it. That wouldn’t be such a problem if there weren’t existing services that directly compete with Google+. Unfortunately for Google, those products not only exist, they are also used more than any other web product by millions of people each day. Getting enough people to drop a social service in which they’ve invested hundreds of hours of use, uploaded thousands of pictures, and decided who and how and when to friend will be incredibly difficult. It doesn’t matter how much promise Google+ has if no one uses it.

 

Posted by on July 12, 2011 in General

 

Aegis traced Blind SQL Vulnerability in SIFY (http://www.sify.com)



Target:         http://www.sify.com/movies/telugu/review.php
Host IP:        123.176.32.146
Web Server:     Apache
Powered-by:     PHP/4.2.3
DB Server:     MySQL
Resp. Time(avg):    91 ms
Sql Version:     4.0.18-log
Current DB:     cms

 

Posted by on June 29, 2011 in Vulnerable Websites

 

Aegis traced Blind SQL Vulnerability in Planet Bollywood (http://www.planetbollywood.com/)


Vulnerability description

This script is possibly vulnerable to SQL Injection attacks.

SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn’t properly filter out dangerous characters.

This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.

This vulnerability affects /xxxx.php.

 

 

Posted by on June 29, 2011 in Vulnerable Websites

 

Aegis traced Blind SQL Vulnerability in Bihar E-news (http://www.biharenews.com)


Target:         http://www.biharenews.com/index.php
Host IP:        70.86.37.234
Web Server:     Apache
Powered-by:     PHP/5.2.17
DB Server:     MySQL >=5
Resp. Time(avg):    1889 ms
Current User:     kabia_bihare@localhost
Sql Version:     5.0.92-community
Current DB:     kabia_biharenews
System User:     kabia_bihare@localhost
Host Name:     server.hosttrue.info
Installation dir:     /

Vulnerability description

This script is possibly vulnerable to SQL Injection attacks.

SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn’t properly filter out dangerous characters.

This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.

This vulnerability affects /xxxx.php.

Discovered by: Scripting (Blind_Sql_Injection.script).

 

 

Posted by on June 29, 2011 in Vulnerable Websites

 

Aegis traced Blind SQL Vulnerability in Aspiring Minds (http://www.aspiringminds.in)


About Aspiringminds: Aspiringminds conducts a nation-wide Computer Adaptive Test to provide a statistically-valid multi-dimensional skill assessment to judge the employment suitability of a large pool of candidates. The multi-dimensional score coupled with innovative filters and graphical visualization lets you find the most appropriate set of candidates for your job profile instantly.

AMCAT test conducted at more than 650 companies
Over 20 states
More than 1.65 lakh people have written this test

This big organization's website is vulnerable to blind SQL injection.

Vulnerability description

This script is possibly vulnerable to SQL Injection attacks.

SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn’t properly filter out dangerous characters.

This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.

This vulnerability affects /xxxx.php.

Discovered by: Scripting (Blind_Sql_Injection.script).

 

Posted by on June 29, 2011 in Vulnerable Websites

 

Detected Blind SQL Vulnerability in IIT Kharagpur (http://www.iitkgp.ac.in/)


The history of the IIT system dates back to 1946. It has highly talented professors and students, but their website is vulnerable to blind SQL injection, a high-threat-level vulnerability.

Vulnerability description

This script is possibly vulnerable to SQL Injection attacks.

SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn’t properly filter out dangerous characters.

This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.

This vulnerability affects /xxxx.php.

Discovered by: Scripting (Blind_Sql_Injection.script).

The impact of this vulnerability

An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information.

Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system.

Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

Target:         http://www.iitkgp.ac.in/
Host IP:        203.110.245.243
Web Server:     Apache/2.2.3 (Red Hat)
Powered-by:     PHP/5.1.6
DB Server:     MySQL >=5
Resp. Time(avg):    107 ms
Current User:     rootrt@localhost
Sql Version:     5.0.45
Current DB:     profiles
System User:     rootrt@localhost
Host Name:     www.iitkgp.ac.in
Installation dir:     /usr/


 

Posted by on June 21, 2011 in Hacked Websites