Dailydave mailing list archives

Re: Web Hacking!


From: Jonathan Brossard <endrazine () gmail com>
Date: Fri, 30 Sep 2011 18:11:28 +0200

http://www.google.com/search?q=%22Warning%3A+mysql_num_rows%28%29%3A%22&num=100

This is lame and full of false positives. The stackoverflow one doesn't
even have a single parameter in the URL!

Webapps hacking these days is mostly depressing: more of the same :(
For some real action, you can come here instead:
http://conference.hitb.org/hitbsecconf2011kul/?page_id=898

Thanks and regards,

endrazine-

On 09/30/11 15:38, Dave Aitel wrote:
This came out last night - http://pastebin.com/LaKrWgXT. Lots of
respectable sites in that (sourceforge/mysql/etc). I don't know if any
of it is true, of course.

"""

   1. http://sourceforge.net/apps/trac/gallery/timeline?from=2009-09-24T22%3A19%3A12Z%2B0000&precision=second' : SQLi Vulnerable
   2. http://www.love-shop.biz/b/166180/read' : SQLi Vulnerable
   3. http://stackoverflow.com/questions/3742239/php-mysql-error-warning-mysql-num-rows-expects-parameter-1-to-be-resource' : SQLi Vulnerable
      (Be funny to change all the answers to every question to "Minimum viable product". :>)

"""
-dave
 
On 9/29/11 4:24 PM, Dave Aitel wrote:
The past of web hacking is here, it's just not evenly distributed. And
by that, I mean that you're going to find a lot of SQL Injection bugs
if in Google you do "inurl:.asp site:myclient.com".

Of course, you would probably say that any site that CAN be hacked by
SQLi is probably already hacked with SQLi and the goal of any good
hacker in the world is to be places no one else can be, right? But,
it's likely that Blind SQLi is still under the radar, since it
normally takes SO LONG to exploit that even the automated worms get
bored and give up. :>

BUT, one thing we're going to teach you in the Web Hacking class at
INFILTRATE <http://infiltratecon.com/training.html> is a new algorithm
that gets twice the performance of SQLMap on Blind SQLi. It's awesome.
You should come. :>

-dave



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave


