sla.ckers.org is ha.ckers sla.cking
Sla.ckers.org
Q&A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables, and the attack of the future. Covers session fixation, hijacking, lockout, replay, session riding, etc.

Current Page: 1 of 1
Results 1 - 18 of 18
4 years ago
Perow
Thanks. The version-specific code is exactly what I was looking for.
Forum: SQL and Code Injection
4 years ago
Perow
Hey slackers. I have an injection somewhere that likely accesses different databases (servers). I have reason to assume that not all of these databases have MySQL 5 running. This causes problems when trying to access, say, information_schema. All queries to machines running version 5 will be fine, but the few that go to the version 4 machine(s) will fail, making the output a "database failur
Forum: SQL and Code Injection
4 years ago
Perow
Hey, I'm trying to get a case sensitive LIKE statement to work, but without result. http://dev.mysql.com/doc/refman/5.0/en/case-sensitivity.html That site doesn't seem to help me much. Here are some of the queries I tried to execute, without result.
if((select password from users where username = 0x313233) COLLATE latin1_bin like 0x603e23, 1, 0)
if((select password from users where
Forum: SQL and Code Injection
4 years ago
Perow
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a PHP/5.1.6
X-Powered-By: PHP/5.1.6
Is that what you were looking for?
Forum: CSRF and Session Info
4 years ago
Perow
Put the keyword "var" in front of the variables.
Forum: XSS Info
4 years ago
Perow
EDIT- So yes, I should do some research before brainlessly asking you guys to solve it for me. I read up on the benchmarking thingy. I'm just a bit cautious about using this in case it's very noticeable on their servers...
Forum: SQL and Code Injection
4 years ago
Perow
What you're looking for is the null byte hack. Try appending "filename.txt%00" as the filename. If that has the same effect as "filename", you can start browsing the filesystem.
Forum: SQL and Code Injection
4 years ago
Perow
Here's the deal. The SQL query looks like this:
INSERT INTO fback (id, type, rate, fback, user, age, gender, lang, country, timestamp) VALUES (123, 5, 10, 'feedback', 'name', '99', 'M', 'en', 'US', 1261582238)
I can tamper with the first three values of the query, as long as they start with a numeric value. For example, I can insert another row with false data by specifying the id as 123,
Forum: SQL and Code Injection
4 years ago
Perow
Thanks for the idea. Below is the output of something I tried: I set up a multi-threaded script to log in several times on three different accounts. This is what I learnt.
x - Turns out to be not so random. Every time I ran the program, the values were kind of close together. I'm guessing it might be a number of milliseconds?
y - Is definitely a timestamp. In the output below, the timestamps ar
Forum: CSRF and Session Info
4 years ago
Perow
I cannot try to enter the same value multiple times, because this is how it works:
1. log in to website: the site generates the "in" code and stores it on their servers.
2. the site generates the output hash from the input file (and possibly some other data?)
3. a cookie gets stored. it contains the in code, as well as the output hash.
4. I can reduce the cookie to only the part co
Forum: CSRF and Session Info
4 years ago
Perow
Hey all, I've been trying to decipher the cookie structure of a website and am hopeful some of you have more experience in this matter. There is a certain passphrase in the website's cookie that allows the user to be logged in without explicitly entering any user data. The cookie comes with a lot of extra useless data, because I found that it's possible to reduce the complete cookie string to
Forum: CSRF and Session Info
5 years ago
Perow
What we're really looking for are ways to obfuscate certain words in the injected query. Of course, there's the obvious UNI/**/ON But it looks like the asterisk (*) is not allowed, either. Hence the question: are there any other ways to obfuscate keywords, or are there any encodings of the words that are interpreted correctly by MySQL?
Forum: SQL and Code Injection
5 years ago
Perow
Excuse the double post. Funnily enough, the website I've been trying to exploit upgraded to MySQL 5, enabling me to access the information_schema after all. Hooray! However, I come across a different kind of oddity now. I have found all the tables with their column names, so quite a fair amount of information is within reach, though I'm sure not all tables are available to be seen (e.g. there is
Forum: SQL and Code Injection
5 years ago
Perow
I see. The reason I wanted to know if it were possible was because I know of some other table names of which I do not know all columns. And seeing as I can only inject SQL on that one particular spot, I'd have to use UNION SELECT in combination with PROCEDURE ANALYSE(). Too bad it doesn't seem to be possible. I'll need to move on to other, even more creative ideas, then. :) EDIT- I suddenly
Forum: SQL and Code Injection
5 years ago
Perow
I'm afraid I already tried the PROCEDURE ANALYSE() (thanks to Reiners' blog, indeed), but that only teaches me about the current table of which I already knew the information. Reiners, I put a comment on that article of yours a few days ago (it's still awaiting moderation). Here it is: Quote Thanks for this article (and your others). They’ve taught me a great deal about web app vulnerabiliti
Forum: SQL and Code Injection
5 years ago
Perow
Hey, I'm encountering some difficulties while trying to exploit an SQL injection I found on a site. My goal is to learn more about the table structure of the site. Here's the situation. The website probably uses lots of databases. The SQLi output is visible (not blind). The injection comes after a WHERE clause. Database: MySQL 4.1 (no information_schema) I have got login details for one of
Forum: SQL and Code Injection
5 years ago
Perow
If that fails, you can use hex encoding instead of quotes.
WHERE ID='username' would become WHERE ID=0x757365726e616d65
Forum: SQL and Code Injection
5 years ago
Perow
This is indeed very powerful, while not many people know about this. A flash script hosted on DOMAIN41 allows you to send requests to DOMAIN2 and will handle the request using the browser cookies of DOMAIN2. While generally very similar to a simple CSRF, this method will be able to fetch a response from the request, allowing you to view the source of the requested page as if you were using the
Forum: CSRF and Session Info