Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 

Current Page: 1 of 8
Results 1 - 30 of 218
3 years ago
Matt Presson
The issue is probably a data conversion problem. To figure out what columns you can use to return strings, I suggest iterating over each column and trying to pull out a static string such as "My Test". This would result in queries like this: http://www.thesite.com/index.php?do=show_foundations.php&id=-39+union+select+"My Test",2,3,4,5,6,7,8,9,10,11--%20- http://w
Forum: SQL and Code Injection
4 years ago
Matt Presson
Well that's just stupid, but now that I remember ... I guess that's why the OWASP ESAPI has different codecs implemented for HTML, JavaScript, AND HTMLAttribute contexts. Thanks Gareth. I knew you would know.
Forum: XSS Info
4 years ago
Matt Presson
Can someone please tell me why this crap works? The parens are encoded and everything! By the way, I have verified that this works in Chrome, the latest FF, and IE 8. <HTML> <HEAD> </HEAD> <body onFocus="alert&#40;document.forms[0].pleaseno.value&#41;" > <form> <input type="hidden" value="oh crap" name
Forum: XSS Info
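Added example (not code from the original thread or from OWASP ESAPI): the two posts above ask why `alert&#40;...&#41;` runs from an `onFocus` attribute and answer that encoding has to match the context. The block below shows the mechanism with Python's `html.unescape`: the HTML parser decodes character references in attribute values before the event-handler source ever reaches the JavaScript engine, so `&#40;` is a plain `(` by the time the script runs. It then shows the fix the second post points at, encoding for the inner context (JavaScript string) first and for the outer context (HTML attribute) second, in the reverse order of how the browser decodes. The `\xHH` output form of `encode_for_javascript` and the `showAnswer` handler are assumptions made for the illustration.

```python
import html

# Constructed sample: the attribute value exactly as it appears in the posted HTML.
RAW_ATTR = "alert&#40;document.forms[0].pleaseno.value&#41;"


def value_seen_by_js(attribute_value):
    """Return what the JS engine receives for an event-handler attribute.

    Browsers decode HTML character references in attribute values during HTML
    parsing, so numeric entities for '(' and ')' are already literal parens
    when the handler source is compiled.  This is why encoding the parens
    does not stop the alert.
    """
    return html.unescape(attribute_value)


def encode_for_javascript(s):
    """Escape every non-ASCII-alphanumeric char for a JS string literal.

    Assumption: \\xHH for code points below 256 and \\uHHHH above, modelled
    on ESAPI's encodeForJavaScript (the exact output form is an assumption).
    """
    out = []
    for ch in s:
        cp = ord(ch)
        if cp < 128 and ch.isalnum():
            out.append(ch)
        elif cp < 256:
            out.append("\\x%02X" % cp)
        else:
            out.append("\\u%04X" % cp)
    return "".join(out)


def encode_for_html_attribute(s):
    """Escape every non-ASCII-alphanumeric char as a hex character reference."""
    out = []
    for ch in s:
        if ord(ch) < 128 and ch.isalnum():
            out.append(ch)
        else:
            out.append("&#x%X;" % ord(ch))
    return "".join(out)


def build_onload(user_value):
    """Place untrusted data inside a JS string inside an HTML attribute.

    Browser decoding order is: HTML attribute decode, then JS parse.  So the
    data is encoded for JS first (innermost context) and the result encoded
    for the attribute (outermost context).  showAnswer is a hypothetical
    page function used only for the example.
    """
    js_safe = encode_for_javascript(user_value)
    attr_safe = encode_for_html_attribute(js_safe)
    return 'onload="showAnswer(\'%s\')"' % attr_safe


def attacker_payload_survives(user_value):
    """Check whether a quote-breaking payload survives both encodings.

    Simulates the browser: undo the attribute encoding, then see whether any
    raw quote, paren or slash reached the JS layer.
    """
    after_html_decode = html.unescape(encode_for_html_attribute(encode_for_javascript(user_value)))
    return any(c in after_html_decode for c in "'\"()</")


if __name__ == "__main__":
    print(value_seen_by_js(RAW_ATTR))
    print(build_onload("');alert(1)//"))
    print(attacker_payload_survives("');alert(1)//"))
```

The encoder order matters: attribute-encoding first and JS-encoding second would leave `&#x27;` inside the JS string and decode back to a raw quote once the attribute is parsed.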
4 years ago
Matt Presson
Try placing the ' or '1' = '1 in the password field instead of the login name. When you try this, use common names such as admin, administrator, etc for the username. If an administrative username is already known, obviously use that instead. In the event that you are just trying to login as anyone, and not necessarily an administrator, use ' or '1' = '1' order by userid ASC -- in the usernam
Forum: SQL and Code Injection
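Added example (not code from the thread): the post above describes two login-bypass placements, `' or '1' = '1` in the password field with a guessed admin username, and `' or '1' = '1' order by userid ASC --` in the username field to land on the lowest userid. The SQLite script below builds a constructed three-row `users` table, shows why each payload succeeds against a string-concatenated query (SQL evaluates `AND` before `OR`, and `--` comments out the trailing password check), and shows the parameterised query that returns nothing for the same inputs. The table contents and the plaintext password column are constructed for the demonstration only.

```python
import sqlite3

# Constructed sample data: userid 1 is the administrator the attacker hopes to land on.
SAMPLE_USERS = [
    (1, "admin", "s3cret!"),
    (2, "alice", "hunter2"),
    (3, "bob", "letmein"),
]


def make_db():
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, username, password):
    """String-concatenated query: returns every username the WHERE clause matches.

    A real application would take the first row and treat it as the logged-in
    user; returning the whole list makes the effect of each payload visible.
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def safe_login(conn, username, password):
    """Parameterised query: the payload is compared as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


def password_field_bypass(conn):
    """Payload in the password field, guessed username 'admin'.

    Resulting WHERE clause:
      username = 'admin' AND password = '' or '1' = '1'
    AND binds tighter than OR, so the OR '1'='1' matches every row.
    """
    return vulnerable_login(conn, "admin", "' or '1' = '1")


def username_field_bypass(conn):
    """Payload in the username field, ordered so the lowest userid comes first.

    Resulting statement:
      ... WHERE username = '' or '1' = '1' order by userid ASC --' AND password = 'x'
    Everything after -- is a comment, so the password check disappears.
    """
    return vulnerable_login(conn, "' or '1' = '1' order by userid ASC --", "x")


if __name__ == "__main__":
    db = make_db()
    print("password field payload ->", password_field_bypass(db))
    print("username field payload ->", username_field_bypass(db))
    print("parameterised, same input ->", safe_login(db, "admin", "' or '1' = '1"))
```

Note the `--` comment terminator: SQLite and Oracle accept `--` directly, while MySQL requires whitespace after it, which is why the post's payload carries a trailing space.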
4 years ago
Matt Presson
They make pretty good cars too from what I hear :)
Forum: Obfuscation
4 years ago
Matt Presson
To get the client's IP, call request.getRemoteAddr(). Beware that this may be the IP of a proxy, concentrator or other network level device that the client is going through to access the internet. For an example think AOL.
Forum: XSS Info
4 years ago
Matt Presson
That gets very hard as you cannot really go by IP address or anything like that because users could be coming through proxies, concentrators, or any number of things that make them look the same. As far as I know, it all comes down to the application itself and the architecture supporting it. I have written code to do it, but the only reason it was possible was because I was utilizing a single
Forum: Projects
4 years ago
Matt Presson
For all intents and purposes, the browser used is irrelevant. As long as you have the correct cookie values, you can become that user. -Matt
Forum: XSS Info
4 years ago
Matt Presson
The short answer is this is how things are supposed to work. The short explanation for why is this: When you first visit your website, or for that matter any website on the internet that uses session cookies, the server parses the HTTP request and looks for a valid session cookie. If one is not present in the request, then it generates one for you and sends the id back to the user in the r
Forum: Projects
4 years ago
Matt Presson
Yes. If you are using Firefox you can download Add-N-Edit Cookies, the Web Developer Toolbar or many other plugins that allow you to easily edit your cookies and do what you are looking for. If you are using IE, you can go into your Temporary Internet Files, locate the cookie file and modify it there.
Forum: XSS Info
4 years ago
Matt Presson
Prevent XSS: Validate all input as close to the input source as feasible, AND encode any user controlled output when it is included in the JSP. Be sure when you perform your encoding to do it based on the proper context (HTML, JavaScript, URL, HTML Attribute). Session Management: Do not generate your own session identifier. Use the built in session mechanism provided by your JSP container or
Forum: Projects
4 years ago
Matt Presson
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
Forum: SQL and Code Injection
4 years ago
Matt Presson
From the code snippet here, it appears that the salt is static so all I would need to do is login one time and I have the "salt" for every user's cookie (not good). Second I can look at the time the cookie was created and get pretty close to the correct time that the user logged in so that would give me the second part of the cookie (not good). The last part is what really makes the &q
Forum: Projects
4 years ago
Matt Presson
It depends on what you call "useful". Passwords may not be the end goal for a compromise. What about payment information, personally identifiable information (PII), health information, patent pending information, undisclosed financial/earnings information, intellectual property, or a number of other things. My point is that while passwords are nice, they are far from the only usef
Forum: SQL and Code Injection
4 years ago
Matt Presson
David Litchfield also discussed on his blog a while ago using date fields for SQL injection in oracle if you could manipulate the date format used by the database.
Forum: SQL and Code Injection
4 years ago
Matt Presson
The 00904 error usually only occurs when someone mistyped a column name in a query. At this point I would say that you have proved that the query is injectable, but "may" not be exploitable unless you can get a look at the code to see what is happening on the back end. Just a thought, but the reason you may be getting the "missing right parenthesis" error is because you are
Forum: SQL and Code Injection
4 years ago
Matt Presson
Try not using the word 'as' in the test query. In SQL you use that to alias columns, so try something else along with the query format that returns R.
Forum: SQL and Code Injection
4 years ago
Matt Presson
Try leaving off the quote at all. Try something like page.php?nm=as) union <QUERY HERE> --
Forum: SQL and Code Injection
4 years ago
Matt Presson
That is just too funny. I love how he even found out usernames! -Matt
Forum: News and Links
4 years ago
Matt Presson
Since it appears that the app is trying to convert the entire string to an int, they are probably using ADODB and bindable queries to access the database. What appears to be failing is that they are letting the set methods of the ADODB Object implicitly convert the input to an int without doing any validation first. -Matt
Forum: SQL and Code Injection
4 years ago
Matt Presson
Try your injection without the single quote. You may be getting the error because you are introducing the extra quote yourself. -Matt
Forum: SQL and Code Injection
4 years ago
Matt Presson
When I first read this all that would come to my mind is 'oh no'. http://arstechnica.com/open-source/news/2009/11/w3c-publishes-draft-of-new-file-api-spec.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss
Forum: News and Links
4 years ago
Matt Presson
@thornmaker Thanks. For a second I thought I was losing it there.
Forum: XSS Info
4 years ago
Matt Presson
@Gareth At first he was inserting the answer into the onLoad attribute of the body element. How would JS encoding help at all in that instance? -- Edit: OK after realizing your example I see how you could still get JS to execute, but JS was still the wrong context that the data was being inserted into. Isn't the rule to always encode for the context that you are inserting the data into
Forum: XSS Info
4 years ago
Matt Presson
Look at the OWASP ESAPI Project, specifically look at the Encoder class and the encodeForHTMLAttribute function. --Matt
Forum: XSS Info
5 years ago
Matt Presson
Ok now we have something to work from. It looks like you are injecting to a function and are at a point in the making the call where you can only provide your input and possibly one more. You are correct that @clientcode and @inetTarget are parameters. Try inputting the following and see if you get any errors: xx', 'xx') -- or xx', 'xx') /* -Matt
Forum: SQL and Code Injection
5 years ago
Matt Presson
Webscarab is, first and foremost, a proxy so the short answer to your question is no. The long answer is that Webscarab supports the Java BeanShell script so you may be able to script something using beanshell, but out of the box I do not think anything like this exists. -Matt
Forum: XSS Info
5 years ago
Matt Presson
It appears that you are in the middle of a function call, so you first need to figure out the number of arguments the function requires. The easiest way to do this would be to submit "something', 'something else') --" (without doubles) until you complete the function call. Then you can work on union-ing other stuff to extract data. -Matt
Forum: SQL and Code Injection
5 years ago
Matt Presson
Just to be thorough, try what I said before, but instead of /* at the end try -- -Matt
Forum: SQL and Code Injection
5 years ago
Matt Presson
Try "anything' OR 'x'='x' /*" (without the double quotes) and see if you get any errors. -Matt
Forum: SQL and Code Injection