Dailydave mailing list archives
Fwd: Re: Web Hacking!
From: Neusbeer <neusbeer () gmail com>
Date: Fri, 30 Sep 2011 17:52:51 +0200
What a crappy list :-) most don't work (false positives) and the rest are dupes.. mysql was hacked a while ago with Blind sqli. sourceforce and a few others are just the result of a lazy script I think.I think this list is made by scanning the http results (wich includes sql warnings/errors, but if you have something similar in your tekst it will think it's a positive sql injection possibility.) Look at the url: http://stackoverflow.com/questions/3742239/php-mysql-error-warning-mysql-num-rows-expects-parameter-1-to-be-resource' : SQLi Vulnerable
Script/program thinks it's a possitive result bij the string(s) he reads. and yeah well.. got the right string for it.. anyway.. the user who posted this didn't test it at all :-)this one: ttp://baarsjes.amsterdammers.net/nieuws/index.php?topic_id=' : SQLi Vulnerable actualy works. Target: http://baarsjes.amsterdammers.net/nieuws/index.php?topic_id=%Inject_Here%
Host IP: 87.233.180.83 Web Server: Apache/2 Powered-by: PHP/5.2.5 DB Server: MySQL unknown ver Current DB: adamz_production Data Bases: information_schema adamz_POT_prod adamz_prodcopy adamz_production loll Slaintz, Neusbeer Op 30-9-2011 15:38, Dave Aitel schreef:
This came out last night - http://pastebin.com/LaKrWgXT. Lots of respectable sites in that (sourceforge/mysql/etc). I don't know if any of it is true, of course.""" 1. http://sourceforge.net/apps/trac/gallery/timeline?from=2009-09-24T22%3A19%3A12Z%2B0000&precision=second' : SQLi Vulnerable 2. 3. http://www.love-shop.biz/b/166180/read' : SQLi Vulnerable 4. 5. http://stackoverflow.com/questions/3742239/php-mysql-error-warning-mysql-num-rows-expects-parameter-1-to-be-resource' : SQLi Vulnerable 6. (Be funny to change all the answers to every question to "Minimum viable product". :>) 7. """ -dave On 9/29/11 4:24 PM, Dave Aitel wrote:The past of web hacking is here, it's just not evenly distributed. And by that, I mean that you're going to find a lot of SQL Injection bugs if in Google you do "inurl:.asp site:myclient.com".Of course, you would probably say that any site that CAN be hacked by SQLi is probably already hacked with SQLi and the goal of any good hacker in the world is to be places no one else can be, right? But, it's likely that Blind SQLi is still under the radar, since it normally takes SO LONG to exploit that even the automated worms get bored and give up. :>BUT, one thing we're going to teach you in the Web Hacking class at INFILTRATE <http://infiltratecon.com/training.html> is a new algorithm that gets twice the performance of SQLMap on Blind SQLi. It's awesome. You should come. :>-dave _______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Web Hacking! Dave Aitel (Sep 29)
- Re: Web Hacking! Dave Aitel (Sep 30)
- Re: Web Hacking! Isaac Dawson (Sep 30)
- Re: Web Hacking! Jonathan Brossard (Sep 30)
- Re: Web Hacking! Tracy Reed (Sep 30)
- <Possible follow-ups>
- Fwd: Re: Web Hacking! Neusbeer (Sep 30)
- Re: Web Hacking! Dave Aitel (Sep 30)