Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
hpp http parametrer pollution
Posted by: tascio
Date: November 04, 2013 06:17AM

my acunetix found this vulns in thus url
http://www.sicilcanapa.it/order.php?back=order.php?step=1
but i dont know how it works

Options: ReplyQuote
Re: hpp http parametrer pollution
Posted by: firestorm
Date: November 04, 2013 05:33PM

Looking at the unusual structure of the query part, on first impression I would say its a false positive.
For HPP you need multiple number of params in query part. You got 'step' and 'back' there, but my instincts tell me that they are not connected into one sql query for the attack to work. I might me wrong.
You may read HPP here http://www.andlabs.org/whitepapers/Split_and_Join.pdf

Good Luck.

Options: ReplyQuote
Re: hpp http parametrer pollution
Posted by: tascio
Date: November 05, 2013 05:57AM

ok nice tutorial, i tried but seems to be a false positive cuz dont work

Options: ReplyQuote


Sorry, only registered users may post in this forum.