[Security Audit] damossoluciones.net
On January 20, 2010, I received through Facebook a private message sent directly by Oscar Leonardo Serrano Cadena, whom I met through some reports I did many months ago.
Exercise ... Message: Hi Alex, honestly I've been feeling really lazy; I was planning an application for a ... I have a new administrator module with new security measures and implementations that I'd like you to try ... I would like you to try to hack it, or to see whether it is safe or not ...
This is the link:
www.XXX.la
Thanks a lot for your comments ....
When I received my friend's message, I went to take a quick look at the site and, juaz, right away found an XSS. To be honest, I've never liked XSS, but it's something. Then, when I looked at the parameters that are sent to query and retrieve the information displayed on the page, I saw that the IDs are sent Base64-encoded.
ID encoded in Base64. |
I Base64-encoded a single quote, put it into the parameter and plop, a picture is worth a thousand words:
Error caused by the single quote. |
Pfff, I never got along with that type of injection, but being obsessed with challenges, I set myself to study it, and a few friends helped me with some little doubts I had. (Greetz to: Dariohxk for the anti-ethical tutorial he passed me, XD; Maztor for the basic explanation; Progressive Death for being a sissy :D)
After about 5 hours (I also have a social life XD), I started injecting into the form to see the most I could get out of it. First, recalling that I had previously done some reports for the development company (damossoluciones.net), I thought I might use the same tables, fields and records as on the previous sites. With a bit of luck, juaz, they used the same tables and fields, but unfortunately the records are different, so from then on it was not as easy as it sounds.
Getting the information out of the records, character by character (taking into account that I had to try it by hand), took me about 4 minutes to get the username; pulling the password now is time I don't have :D. Unfortunately, the password length is 40 characters, so I'd better automate the task and write a blind PoC in PHP that I will show later. For now I'm very sleepy and today is a great day that I'm going to take advantage of. I'll edit this later, continuing the short story from yesterday.
Edited: 01/20/1911 - 21:39, since I can't sleep, damn ... I was able to improve the code a bit. Clearly it was knocked together quickly, so it's not what you'd call sophisticated, but it does its job :D, which is the important thing. The code is as follows:
Code used to automatically extract records from the database. |
Output of the code of Figure 3. |
For now I'll leave it there, in order to speak directly with the first contact. I'll explain a bit about how this vulnerability works and how it could be fixed, then post something so we can see that we agree.
Pitter is crap; even if I were in his position I would have done it too ... hahahaha
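The finding above (IDs Base64-encoded in the query string, a single quote breaking the query) is a reminder that encoding is not a security control: whoever reviews the access logs has to decode the parameter before looking for injection. The following Python script is an added example, not code from the original post or from the audited site; it parses constructed Common Log Format lines (hypothetical host, path and `id` parameter) and flags decoded ids that are not plain integers.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log lines (hypothetical host, path and parameter; not from the audited site).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2010:21:39:01 -0500] "GET /admin/view.php?id=MTIz HTTP/1.1" 200 512
10.0.0.7 - - [20/Jan/2010:21:39:04 -0500] "GET /admin/view.php?id=MTIzJw== HTTP/1.1" 500 0
10.0.0.7 - - [20/Jan/2010:21:39:09 -0500] "GET /admin/view.php?id=MTIzJyBPUiAxPTE= HTTP/1.1" 200 512
10.0.0.9 - - [20/Jan/2010:21:40:00 -0500] "GET /admin/view.php?id=NDU2 HTTP/1.1" 200 512
"""

# Common Log Format request line; the parameters listed are assumed to carry Base64-encoded numeric ids.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ENCODED_ID_PARAMS = {"id"}
# Characters and keywords that must never appear inside a decoded numeric id.
SQL_META_RE = re.compile(r"['\"]|--|/\*|\b(or|and|union|select)\b", re.IGNORECASE)

def decode_id(value):
    """Strictly Base64-decode one query value; None if it is not valid Base64."""
    # parse_qsl turns a raw '+' into a space; restore it so such values still decode.
    try:
        return base64.b64decode(value.replace(" ", "+"), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def classify(decoded):
    """Verdict for one decoded id: only a plain digit string is acceptable."""
    if decoded is None:
        return "not-base64"
    if decoded.isdigit():
        return "ok"
    if SQL_META_RE.search(decoded):
        return "sqli-suspect"
    return "non-numeric"

def scan_log(text):
    """Return (ip, status, param, decoded, verdict) for each request carrying an encoded id."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            if name in ENCODED_ID_PARAMS:
                decoded = decode_id(value)
                findings.append((m.group("ip"), int(m.group("status")), name, decoded, classify(decoded)))
    return findings
```

Calling `scan_log(SAMPLE_LOG)` returns one tuple per request; the second and third sample lines come back as `sqli-suspect`, and the 500 status on the lone-quote request is the same symptom the error screenshot above shows.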