Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 

Current Page: 1 of 2
Results 1 - 30 of 48
4 years ago
oniric
The interesting data are in another table so I must use subselects or union query to get them, but it seems impossible to do because of the filter ( select and union get filtered ), FILE privilege is disabled so I can only get version(), database() and user() information but that's quite useless. @Reiners: I read all your article before posting here, quite interesting but not applicable to my c
Forum: SQL and Code Injection
4 years ago
oniric
xi4oyu Wrote:
> Well
>
> Try u''ion this would work for u :)

It's not so simple because double and single quotes get encoded by their HTML entities. Also FILE privilege seems disabled. Stackable queries aren't possible with PHP and MySQL.
Forum: SQL and Code Injection
4 years ago
oniric
Hi all, I've found a vulnerability on a custom IP.Board application but I cannot exploit it because IP.Board MySQL wrapper class has a filter that intercepts subselects and union queries, defined in the file class_db_mysqli_client.php, query() function. Any idea on how to bypass that? I report the interesting code parts. this is query().. $_tmp = strtolower( $this->remove_all_quotes(
Forum: SQL and Code Injection
4 years ago
oniric
Sorry, no second point; just that.
Forum: SQL and Code Injection
4 years ago
oniric
Yes but I can only SET that data in a field that's not "public" so I can do nothing with it. And yes I can always use Blind SQL Injection but the point here is to do some research to find a better exploitation method ;-)
Forum: SQL and Code Injection
4 years ago
oniric
It's an update query. Something like UPDATE table SET first='asd', second = INJECTION, third = 'foo' The filter is not a true filter, it's just a function applied to the data to trim the string at the first comma. So if I inject 'bar', password = 'pass' only 'bar' passes the "filter". HPP is not going to help here, and neither are comments. Only in MySQL I can substitu
Forum: SQL and Code Injection
5 years ago
oniric
Tell us pls, just for the record :)
Forum: SQL and Code Injection
5 years ago
oniric
Meaning what? Are they wrong for you or for the server admin? XD
Forum: SQL and Code Injection
5 years ago
oniric
Is there some section in the admin panel where you can upload something, like in the emoticons section? I did it this way once with IPB ^^
Forum: SQL and Code Injection
5 years ago
oniric
It's mainly a trial and error matter ;)
Forum: SQL and Code Injection
5 years ago
oniric
admin\' ; -- become admin\'' or 1=1 -- the first quote is escaped and the second one delimits the string so after that you can inject what you want. Seems reasonable to me. Maybe it's a multi-line query so the -- comment doesn't work.
Forum: SQL and Code Injection
5 years ago
oniric
Can't you simply use admin\' or INJECT_HERE_WHAT_YOU_WANT_BUT_DONT_USE_QUOTES -- foo ?
Forum: SQL and Code Injection
5 years ago
oniric
In your second case I think you shouldn't use a quote in your injection. Try &BoardId=4 and 1=0 and see if you get no results, then try &BoardId=4 or 1=1
Forum: SQL and Code Injection
5 years ago
oniric
Maybe in the first example BoardID is used in an IN clause as in SELECT * FROM foo where BoardID IN ($BoardID) Try something like BoardID=50) and 1=1 -- a
Forum: SQL and Code Injection
5 years ago
oniric
Hi all, I'm doing some research for a little vuln I discovered and I need a way to bypass a comma filter. Only the classic comma ( 0x2c ) is filtered. The injection is in an UPDATE statement and all I want to do is add another field to the SET list but I can't use the comma as a separator. I found out that the character 0x82 ( low single comma ) can be used in MySQL 5 ( at least, maybe in 4 too
Forum: SQL and Code Injection
6 years ago
oniric
Mmm, found Freecap, very good functionalities on the paper.. too bad I can't test it because Vista launches its DEP ( Data Execution Process ) and terminates it.. I tried to disable DEP through the bcdedit program but that's caused a beautiful 0x7B stop error at every boot.. now I've fixed it but I think it's time to install Linux on the new laptop.. Uh I'm so lazy :-P Anyway thank you!
Forum: Privacy
6 years ago
oniric
Hi, I've been searching for a tool to chain TOR with an HTTP proxy that needs authentication. By now I only found proxychain for Linux operating systems but I would like to find one for Windows too. Do you know of one program like this? Thank you!
Forum: Privacy
6 years ago
oniric
Well, I read some papers related to SQL Injection with Oracle and I can almost say that it's not possible, not 100% sure too.
Forum: SQL and Code Injection
6 years ago
oniric
Hi all, do you know if it is possible to stack queries for an Oracle DBMS through JSP pages? Thank you!
Forum: SQL and Code Injection
6 years ago
oniric
Wow, that's a pretty large bunch of names! I guess I should take some days to test them out. Thanks for the info!
Forum: Projects
6 years ago
oniric
Thanks nEUrOO for the info, I was looking for software with that feature and I found Pixy and tested it with a large Web Application and it started throwing exceptions ^^, not a good beginning indeed. I found also a php extension named Inclued that you can find on this site http://t3.dotgnu.info/blog/tags/inclued/ I managed to compile it but haven't tried for now. What do you think is the best so
Forum: Projects
6 years ago
oniric
Not too bad but I think this is gonna find a ton of false positives as RSnake said. What about if you could also check if the variable is sanitized in a pre-included file? There would be a tree of that, of course. Thinking a little bit more that could be too expensive to do for the results you obtain but certainly cool!
Forum: Projects
6 years ago
oniric
Hi, today I read the news about Via releasing a new generation of their low-end CPUs, called Isaiah. The most interesting part was about the Padlock technology. That's a set of features that, briefly, consists in a hardware implementation of some of the most used security algos. For example for SHA1/SHA256 VIA site claims an encryption rate of 5 gigabits per second. Just for the sake of curiosity
Forum: Projects
7 years ago
oniric
Hi, I know I can run xp_cmdshell because if I try xp_cmdshell 'ping -n 20 localhost' the page takes much longer to load and the time increases with the value of the -n parameter. So I CAN for SURE run commands. Now the problem is that I'm not able to insert the output of the execution in a table such with the statement INSERT back_table EXEC xp_cmdshell 'command' but this works if I try fo
Forum: SQL and Code Injection
7 years ago
oniric
Thank you ioheroin. I have just noticed your SQL Injection Swiss Army Knife. Very handy indeed! It's already in my bookmarks ^^
Forum: SQL and Code Injection
7 years ago
oniric
I wrote a small tool but this is seeeeriously slow ^^ Btw, I'm talking about MySQL. In MSSQL various tricks are possible like reading files into temporary tables and searching for specific lines using the LIKE operator. I thought I could bruteforce a page like with an injection like this 1' AND 1=(Select 1 from table_name) -- with various table names. But this is nearly impossible wit
Forum: SQL and Code Injection
7 years ago
oniric
That's true, but what if the application is configured to not output errors?
Forum: SQL and Code Injection
7 years ago
oniric
Hi, I'm curious to know about the techniques you use to bruteforce DBs objects names like column names, table names or even db names. Do you use bruteforcing from a small wordlist? Or from a very big wordlist? Or do you try "all" possible combinations? Or you just give up? Obviously only if INFORMATION_SCHEMA or sysobjects are not available..
Forum: SQL and Code Injection
7 years ago
oniric
Just use it as a normal SQL Server function, this way: www.example.com/exploitme.php?id=1 AND sys.fn_varbintohexstr(0x33)='0x33' -- Be creative ^^
Forum: SQL and Code Injection