afumat Posted April 9, 2013 (edited April 10, 2013 by afumat)
Target: http://presseurbaine.com/wp-content/
Requirements: version, database, user and your nickname.
POC:
Rules: Post a screenshot as proof. Send me the syntax. Use union-select-based SQLi.
Hint 1: I censored the path to make it harder to find the vulnerable parameter.
Hint 2: "Player?" High Definition
Good luck!
Solvers: EterNo, chioara3, Kwelwild, ajkaro, xarenwo, Renegade
EterNo Posted April 9, 2013 (edited April 9, 2013 by EterNo)
Check PM. What is so "medium" about this?!
chioara3 Posted April 9, 2013 (edited April 9, 2013 by chioara3)
You have a PM. Thanks for the challenge.
Kwelwild Posted April 9, 2013
PM sent!
ajkaro Posted April 9, 2013
Medium? It can't be more basic than this. Lesson 1 in every SQLi tutorial is enough to solve this. Don't take this personally. That is a fact. Thanks for the challenge.
xarenwo Posted April 9, 2013 (edited April 10, 2013 by xarenwo)
Renegade Posted April 9, 2013 (edited April 9, 2013 by Renegade)
P.S. I also found somewhere the UUID() syntax, which apparently displays the server's MAC address, and I figured I would test it in this injection.
L.E. For a while I was looking for a PHP script or something that detects the MAC address, to use it in a voting system. Changing an IP, entering another email or deleting some cookies is something more people know how to do, but the MAC address would be better because not many people know how to change it.
afumat Posted April 10, 2013 (Author)
Medium because it wasn't just the injection; you also had to find the exploit, since you certainly didn't end up in the directory with that file by trial and error!
PingLord Posted April 15, 2013
> P.S. I also found somewhere the UUID() syntax, which apparently displays the server's MAC address, and I figured I would test it in this injection.
> L.E. For a while I was looking for a PHP script or something that detects the MAC address, to use it in a voting system. Changing an IP, entering another email or deleting some cookies is something more people know how to do, but the MAC address would be better because not many people know how to change it.
That is not the server's MAC address; it is the HDD's UUID, i.e. the identification code of the hard drive created by Linux.
Renegade Posted April 15, 2013
@PingLord, allow me to contradict you with a concrete case. On my PC I set up a web server with Wamp and installed an SQLi-vulnerable script. After injecting, I ran the UUID() command in a vulnerable column and it returned exactly my MAC address (the last 12 characters, exactly where I underlined). Information taken from here: The SQL Injection Knowledge Base. But you are also right, here: https://help.ubuntu.com/community/UsingUUID
PingLord Posted April 15, 2013
I know that syntax, but in this case you did not get any MAC; it is a random string, for the simple reason that there is no vendor for that MAC address. Secondly, a MAC address hardly helps you at all except for Layer 2+3 attacks. In your case it returned the MAC address because you used Windows, but on many systems it produces a random string. Take the first 24 bits and run them through a check and you will see it is not a valid MAC address.
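The last three posts argue about what the node field of a MySQL UUID() value actually is. MySQL documents UUID() as an RFC 4122 version-1 (time-based) UUID, whose 48-bit node field is the host's MAC address when one is available and otherwise a random value with the multicast bit set (RFC 4122 section 4.5), which is exactly the "no vendor for that MAC" symptom PingLord describes. The example below is added here and is not code from the thread: it parses a version-1 UUID and reports whether the node looks like a burned-in unicast MAC or a random node, plus the embedded generation timestamp, so a defender can assess what a UUID that leaks through an error page or an injection actually reveals about the host. The two sample UUIDs are constructed for the example and do not come from the thread; the OUI prefix in the first one is only an assumption for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Constructed samples (not from the thread). The first has a node that looks
# like a hardware MAC (multicast bit clear); the second has a node with the
# multicast bit set in its first octet, the marker RFC 4122 prescribes for a
# randomly generated node.
SAMPLE_HARDWARE_NODE = "6ccd780c-72c9-11e3-a0cf-001e67f5d4c8"  # hypothetical OUI
SAMPLE_RANDOM_NODE = "6ccd780c-72c9-11e3-a0cf-a14b3c8d9e2f"

# 100-nanosecond intervals between the UUID epoch (1582-10-15) and the Unix epoch.
UUID_TO_UNIX_EPOCH_100NS = 0x01B21DD213814000


def format_node(node):
    """Render the 48-bit node field as a colon-separated MAC-style string."""
    return ":".join("%02x" % ((node >> shift) & 0xFF) for shift in range(40, -1, -8))


def classify_v1_uuid(text):
    """Decode a version-1 UUID and say what its node and timestamp expose.

    Raises ValueError for UUIDs that are not time-based, since only version 1
    carries a node field with MAC semantics.
    """
    u = uuid.UUID(text)
    if u.version != 1:
        raise ValueError("not a version-1 (time-based) UUID: version %s" % u.version)

    node = u.node
    first_octet = node >> 40
    # IEEE 802 semantics of the first octet: bit 0 = multicast (individual/group),
    # bit 1 = locally administered. A burned-in unicast MAC has both clear.
    multicast = bool(first_octet & 0x01)
    locally_administered = bool(first_octet & 0x02)

    # u.time is the 60-bit count of 100-ns intervals since 1582-10-15 00:00 UTC.
    unix_100ns = u.time - UUID_TO_UNIX_EPOCH_100NS
    generated_at = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=unix_100ns // 10
    )

    return {
        "node": format_node(node),
        "oui": format_node(node)[:8],
        # Per RFC 4122, a random node always has the multicast bit set; a
        # clear multicast bit is consistent with (but does not prove) a real MAC.
        "node_is_random": multicast,
        "locally_administered": locally_administered,
        "generated_at": generated_at,
        "clock_seq": u.clock_seq,
    }


def describe(text):
    """One-line verdict for a reviewer reading a leaked UUID."""
    info = classify_v1_uuid(text)
    if info["node_is_random"]:
        verdict = "random node (multicast bit set), no hardware address exposed"
    elif info["locally_administered"]:
        verdict = "locally administered node (likely a virtual or overridden MAC)"
    else:
        verdict = "node looks like a burned-in MAC, OUI %s" % info["oui"]
    return "%s generated %s UTC: %s" % (
        info["node"], info["generated_at"].strftime("%Y-%m-%d %H:%M:%S"), verdict
    )


if __name__ == "__main__":
    for sample in (SAMPLE_HARDWARE_NODE, SAMPLE_RANDOM_NODE):
        print(describe(sample))
```

The timestamp is worth reporting alongside the node: even when the node is random, a version-1 UUID still tells an observer when the value was generated, which is one reason UUID() output is a poor choice for session identifiers or tokens regardless of what the node field contains.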