Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 

Results 1 - 8 of 8
3 years ago
cykyc
Have a blind SQLi in MS SQL but can't break out? Do the following work?
-- returns a "true" state
xxx'or '1'='1
-- returns a "false" state
xxx'or '0'='1
And does the following just not work?
-- returns server error
xxx'or '1'='1';--
Then try the following :-)
-- returns a "true" state
xxx'or '1'='1' for xml auto;--
xxx'or '1'='1' for xml raw;--
xxx'
Forum: SQL and Code Injection
3 years ago
cykyc
And it does! I owe you a beverage of your choosing :-)
Forum: XSS Info
3 years ago
cykyc
Thanks for the reply LeverOne! I apologize, forgot to state when ampersand is passed in via a POST as %26, it's returned as & in the context. And, yes, forgot to state that colon : is allowed through. But, the parentheses will get filtered out. I tried double URL encoding (%2528) but that just shows up as %28 in the context. And the last thing I forgot was this JavaScript context was
Forum: XSS Info
3 years ago
cykyc
Hey All, Saw this across the tubes:
javascript:window.location.href='some.page?param1=value&param2=';
Outside of alphanum, these are allowed: ', ./_%@-^\r\n?&
And these are removed: +=;(){}[]#$"`*\
So, I can add parameters and values via URL encoding. I can escape the string but I'm clueless what to do without parentheses or the equal sign. (This is normal since I'm
Forum: XSS Info
4 years ago
cykyc
@icehawk78 - Nintendo DS :-) If it's static, it's more than likely written somewhere that you can access. Is this w/ a specific program on the DS or something you're seeing across programs? If it's a program, can you run it on the DSemu? - http://www.ndsemulator.com/nintendo-ds/dsemu.htm
Forum: Projects
4 years ago
cykyc
Typo above... the echo will append a newline. Change this line:
output_p=`echo $INPUT | $OPENSSL sha1 -hmac "$secret"`
To this:
output_p=`printf "%s" "$INPUT" | $OPENSSL sha1 -hmac "$secret"`
But, really, there's no way of telling what's going on. We're just guessing...
Forum: Projects
4 years ago
cykyc
My wild ass guess is HMAC-SHA1 since straight SHA1 did not work. Can you power cycle the device? If so, does it shoot out different hashes for the same input? Do you have access to multiple devices? If so, do they have the same outputs for the same inputs? Here's a cheesy script that ran through the ~3000 passwords in the included john password.lst file:
#!/bin/sh
JOHN='/opt/local/bin/jo
Forum: Projects
4 years ago
cykyc
As you noted, you're getting collisions on the hash throughout your testing. I wonder if either the application is having threading issues or if the hash is based on something not fully related to "in" value. Try slowing down your requests a bit and see if you still get collisions.
Forum: CSRF and Session Info