Your questions about vulnerabilities.

Discussion in 'Vulnerabilities' started by +, 27 Apr 2015.

  1. Octavian

    Octavian Elder - Elder

    Joined:
    8 Jul 2015
    Messages:
    506
    Likes Received:
    101
    Reputations:
    25
    What do you use to find NoSQL injection? Can Burp's scanner do it? Are there extensions for it?
     
  2. kacergei

    kacergei Member

    Joined:
    26 May 2007
    Messages:
    297
    Likes Received:
    89
    Reputations:
    1
    Can anyone advise on this question?
    PS: Which section can I post in for something like "help with an SQLi, I'll chip in for a beer" :(
    I haven't seen threads like that in the Services section :(
     
  3. hibar1Xs

    hibar1Xs Member

    Joined:
    30 Jan 2019
    Messages:
    15
    Likes Received:
    8
    Reputations:
    3
    • Fragmented SQL injections
    • HTTP Parameter Pollution
    https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/PT-devteev-CC-WAF.pdf
    https://www.ptsecurity.com/upload/c...s/Ю.Гольцев_Уязвимости_web_сложные_случаи.pdf
     
    kacergei and BillyBons like this.
  4. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    683
    Likes Received:
    1,513
    Reputations:
    460
    Hi, try this:
    Code:
    /b?n/?s /
    /b?n/un?m?
    /?in/e??o "bHMgLWxh" | /?sr/b?n/b??e64 -d | /b?n/?h
    
     
    dmax0fw likes this.
  5. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    683
    Likes Received:
    1,513
    Reputations:
    460
    It seems that there is some unknown logic on the backend, not a traditional WAF. Try to fuzz and detect the white/black sequences and conduct the attack vector in accordance with the circumstances. For example:

    Code:
    ;id;
    `id`
    ;sleep 100;
    `sleep 100`
    uname${IFS}-a
    echo$IFS"bHMgLWxh"|base64$IFS-d|sh
    `echo$IFS"bHMgLWxh"|base64$IFS-d|sh>log.txt`
    
    and so on...
    
    Also check this.
     
    eminlayer7788 and dmax0fw like this.
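As an added defender's-side illustration (not code from the post or its author), a small Python classifier that normalizes the obfuscations used in the two payload lists above (wildcarded binary paths, $IFS in place of spaces, a base64 blob decoded into a shell) and reports which indicators a request parameter contains; the sample values are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample parameter values modelled on the payload shapes in the
# posts above, plus benign ones to show the checks do not fire on them.
SAMPLES = {
    "plain": "hello world",
    "path": "/bin/ls /",
    "glob_path": "/b?n/?s /",
    "glob_pipe": '/?in/e??o "bHMgLWxh" | /?sr/b?n/b??e64 -d | /b?n/?h',
    "ifs": "uname${IFS}-a",
    "b64_pipe": 'echo$IFS"bHMgLWxh"|base64$IFS-d|sh',
    "backtick": "`sleep 100`",
}

# A path component that contains shell globbing characters ('?' or '*'),
# e.g. /b?n/?s, which the target's shell expands to /bin/ls.
GLOB_PATH = re.compile(r"/[\w?*]*[?*][\w?*]*(?:/[\w?*]+)*")
# Command chaining / command substitution metacharacters.
METACHARS = re.compile(r"[;|`]|\$\(")
# A (possibly glob-obfuscated) base64 decoder whose output is piped into
# a shell, optionally addressed by a (possibly glob-obfuscated) path.
B64_TO_SHELL = re.compile(
    r"b[\w?*]*64\s+-d\s*\|\s*(?:/[\w?*]+)*/?(?:[\w?*]*sh|\?h)\b"
)


def normalize(value: str) -> str:
    """Undo the cheap obfuscations before matching: URL decoding and the
    ${IFS}/$IFS trick that uses the field separator instead of a space."""
    value = unquote(value)
    return re.sub(r"\$\{IFS\}|\$IFS", " ", value)


def classify(value: str) -> list[str]:
    """Return the names of the indicators found in one parameter value."""
    norm = normalize(value)
    found = []
    if GLOB_PATH.search(norm):
        found.append("glob-obfuscated path")
    if METACHARS.search(norm):
        found.append("shell metacharacters")
    if "$IFS" in value or "${IFS}" in value:
        found.append("IFS whitespace substitution")
    if B64_TO_SHELL.search(norm):
        found.append("base64 decode piped to shell")
    return found


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10s} {classify(value) or 'clean'}")
```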
  6. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    And what did you expect from your command?
     
  7. xmp

    xmp Member

    Joined:
    14 Dec 2018
    Messages:
    13
    Likes Received:
    9
    Reputations:
    4
    Tell me how to upload a shell via SQLi.
    union-based injection
    FILE_PRIV = Y (5.5.60-log)
    --secure-file-priv is enabled, so into outfile doesn't work.
     
  8. xmp

    xmp Member

    Joined:
    14 Dec 2018
    Messages:
    13
    Likes Received:
    9
    Reputations:
    4
    Yes, I can upload file data to a table, but I'm looking for a way to write data to a file.
    magic_quotes_gpc = off
     
  9. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    Try overriding it, but most likely there's no way.
     
    xmp likes this.
  10. xmp

    xmp Member

    Joined:
    14 Dec 2018
    Messages:
    13
    Likes Received:
    9
    Reputations:
    4
    The entry that enables it is in /etc/my.cnf.
    Do I understand correctly that this is what you mean?

     
  11. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    https://bugs.mysql.com/bug.php?id=50373
     
    xmp likes this.
  12. WallHack

    WallHack Elder - Elder

    Joined:
    18 Jul 2013
    Messages:
    306
    Likes Received:
    138
    Reputations:
    33
    There is a vulnerability, cross-site scripting in the cookies:
    GET site/eta.php HTTP/1.1
    Referer: https://www.google.com/
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/45.0.2228.0 Safari/537.21
    Cookie: cache=Cross site scripting

    Is there an example of exploiting such a vulnerability?
     
  13. vladF

    vladF New Member

    Joined:
    5 Dec 2018
    Messages:
    16
    Likes Received:
    0
    Reputations:
    0
    Could someone try to exploit the vulnerability by hand? sqlmap doesn't get anywhere with it, but I think it has to be done manually. I'll send the site by PM. I'll chip in for a beer :)
     
  14. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    What's the problem?
     
  15. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    Write in more detail.
     
  16. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,414
    Likes Received:
    911
    Reputations:
    863
    Pull it out one character at a time with the mid() or substring() function; as for a more concrete example, I would rework the query construction.
     
  17. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    I would drop the group_concat; indeed, the error-based vector doesn't output long passwords in a single query, you need to use the function
    substring(1,10), then substring(11,21), and so on.
     
  18. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    eminlayer7788 likes this.
  19. Sensoft

    Sensoft Member

    Joined:
    14 Jun 2015
    Messages:
    398
    Likes Received:
    38
    Reputations:
    1
    If there's an XSS in the cookies, what can be done?
     
  20. LexProm

    LexProm New Member

    Joined:
    15 May 2019
    Messages:
    3
    Likes Received:
    0
    Reputations:
    0
    Nothing, unless you somehow get the user to put your script in there by hand.