Dailydave mailing list archives
Re: Web Hacking!
From: Tracy Reed <treed () ultraviolet org>
Date: Fri, 30 Sep 2011 18:10:31 -0700
On Fri, Sep 30, 2011 at 06:11:28PM +0200, Jonathan Brossard spake thusly:
> This is lame and full of false positives. The stackoverflow one doesn't even have a single parameter in the url!
It could be a POST or cookie parameter. I am constantly amazed at the very many ways sqli can be implemented. It is impossible to say just from a list of URLs that there isn't any sqli.
Of course, you would probably say that any site that CAN be hacked by SQLi is probably already hacked with SQLi and the goal of any good hacker in the world is to be places no one else can be, right? But, it's likely that Blind SQLi is still under the radar, since it normally takes SO LONG to exploit that even the automated worms get bored and give up. :>
I have recently run into situations where plenty of very interesting data can be obtained in a matter of hours (or a few days) getting data out a bit at a time using blind sqli. I have benchmarked blind sqli at 1MB in 4 days which means only 4 days to pull 65,000 credit card numbers. That would be worth the wait. :)

--
Tracy Reed
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave