IT Security and Insecurity Portal

Best way?

Posted: Fri Mar 25, 2005 8:11 pm
700G
Active user
Joined: Mar 25, 2005
Posts: 33

Hello all, I'm new to the forum. Can anyone point me in the right direction as to how to get around this?
Code:
<form action="default.asp" method="POST" name="TheForm" ID="TheForm">
<h2>Please log in below:</h2>
<p>
<table cellspacing=2 cellpadding=5>
<tr valign=top><td align=right class="LargeHead">User ID:</td>
<td align=left bgcolor="#CBD0DF"><input type="text" name="UserID" ID="UserID" size="15" maxlength="15" value=""></td></tr>
<tr valign=top><td align=right class="LargeHead">Password:</td>
<td align=left bgcolor="#CBD0DF"><input type="password" name="Password" ID="Password" size="15" maxlength="15"></td></tr>
<script type='text/javascript'>
<!--
document.TheForm.UserID.focus();
document.TheForm.UserID.select();
//-->
</script>
<tr><td colspan=2 align=right>
<input type="submit" value="Log In">
</td></tr>
</table>
</p>
<INPUT TYPE="Checkbox" name="SaveLogin">Save Login As Cookie? <a href="javascript:Start('cookies.htm');" class="smallLink">What does this mean?</a>
</form>

Posted: Fri Mar 25, 2005 9:28 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

You can try possible SQL injection or XSS in this login script, but in most cases login fragments are securely written. I suggest searching for SQL injections in all the other ASP scripts too, because often webmasters and programmers are too lazy to code securely.
And IF you can do SQL injection and IF this ASP-powered site is built on MSSQL, then you are one step away from getting all the usernames and passwords on the website.
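
For the defensive side of the point above, an added example (not part of the thread or of the site's code): Python with sqlite3 standing in for the ASP/MSSQL stack, showing a login lookup built by string concatenation beside one that binds the UserID as a parameter and enforces the form's 15-character limit on the server. The table, the account and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

MAX_LEN = 15          # maxlength="15" in the form is only a browser hint; enforce it here
ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this sketch)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_db():
    """Constructed in-memory user table; schema and account are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    return db

def check_row(row, password):
    """Compare the stored hash with the submitted password in constant time."""
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(pw_hash, hash_password(password, salt))

def login_concatenated(db, user_id, password):
    """'Before' form: UserID is spliced into the SQL text, so the input is parsed as SQL."""
    sql = "SELECT salt, pw_hash FROM users WHERE user_id = '" + user_id + "'"
    return check_row(db.execute(sql).fetchone(), password)

def login_parameterized(db, user_id, password):
    """Hardened form: server-side length check, then a bound parameter."""
    if not (0 < len(user_id) <= MAX_LEN and 0 < len(password) <= MAX_LEN):
        return False
    row = db.execute("SELECT salt, pw_hash FROM users WHERE user_id = ?",
                     (user_id,)).fetchone()
    return check_row(row, password)

def handled_as_data(login, db, user_id):
    """True if the login function processes user_id without a SQL parse error."""
    try:
        login(db, user_id, "x")
        return True
    except sqlite3.OperationalError:
        return False
```

A name containing an apostrophe is enough to tell the two apart: the concatenated query fails to parse, while the parameterized one treats the same input as an ordinary, unknown user ID.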

Posted: Mon Mar 28, 2005 4:35 am
700G
Active user
Joined: Mar 25, 2005
Posts: 33

Thanks for the info, Waraxe.

Posted: Mon Mar 28, 2005 1:45 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

waraxe wrote: | You can try possible SQL injection or XSS in this login script, but in most cases login fragments are securely written. I suggest searching for SQL injections in all the other ASP scripts too, because often webmasters and programmers are too lazy to code securely.
And IF you can do SQL injection and IF this ASP-powered site is built on MSSQL, then you are one step away from getting all the usernames and passwords on the website. |
I forgot about this after answering your comment,
so I have to ask you about your project called "sqlaxe".
What project is that?
Could you give some explanation?

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Mon Mar 28, 2005 7:13 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

y3dips wrote: | waraxe wrote: | You can try possible SQL injection or XSS in this login script, but in most cases login fragments are securely written. I suggest searching for SQL injections in all the other ASP scripts too, because often webmasters and programmers are too lazy to code securely.
And IF you can do SQL injection and IF this ASP-powered site is built on MSSQL, then you are one step away from getting all the usernames and passwords on the website. |
I forgot about this after answering your comment,
so I have to ask you about your project called "sqlaxe".
What project is that?
Could you give some explanation? |
SqlAxe - it's a project I already started some time ago, and there is still much to do until the first public alpha release is out. SqlAxe is a pentester tool, useful for exploiting SQL injection. It will handle Oracle, MySql, MsSql, Access and PostgreSql databases, it can exploit blind and half-blind injections, etc...
SqlAxe will be written in Visual C++ for the Win32 platform. Maybe I will release some open-source version too - in the Perl language, for example. But first I want to test many things before going public.
There are more programs I want to develop in the near future, for example BiosAxe - a Win32 utility for BIOS/CMOS password resetting and bruteforcing. I know there are many programs with the same functionality, but BiosAxe will work on WinXP (admin privileges needed, of course) and no command-line knowledge will be needed to use it.

Posted: Tue Mar 29, 2005 3:04 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

waraxe wrote: |
SqlAxe - it's a project I already started some time ago, and there is still much to do until the first public alpha release is out. SqlAxe is a pentester tool, useful for exploiting SQL injection. It will handle Oracle, MySql, MsSql, Access and PostgreSql databases, it can exploit blind and half-blind injections, etc...
SqlAxe will be written in Visual C++ for the Win32 platform. Maybe I will release some open-source version too - in the Perl language, for example. But first I want to test many things before going public.
There are more programs I want to develop in the near future, for example BiosAxe - a Win32 utility for BIOS/CMOS password resetting and bruteforcing. I know there are many programs with the same functionality, but BiosAxe will work on WinXP (admin privileges needed, of course) and no command-line knowledge will be needed to use it. |
Hum, interesting.
May I have the Perl source?
Maybe I can combine it with my project or use it as some reference for me.
Or you could publish the alpha or beta version so we can help you test it.

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Tue Mar 29, 2005 8:52 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

y3dips wrote: | waraxe wrote: |
SqlAxe - it's a project I already started some time ago, and there is still much to do until the first public alpha release is out. SqlAxe is a pentester tool, useful for exploiting SQL injection. It will handle Oracle, MySql, MsSql, Access and PostgreSql databases, it can exploit blind and half-blind injections, etc...
SqlAxe will be written in Visual C++ for the Win32 platform. Maybe I will release some open-source version too - in the Perl language, for example. But first I want to test many things before going public.
There are more programs I want to develop in the near future, for example BiosAxe - a Win32 utility for BIOS/CMOS password resetting and bruteforcing. I know there are many programs with the same functionality, but BiosAxe will work on WinXP (admin privileges needed, of course) and no command-line knowledge will be needed to use it. |
Hum, interesting.
May I have the Perl source?
Maybe I can combine it with my project or use it as some reference for me.
Or you could publish the alpha or beta version so we can help you test it. |
Well, we will see...
First of all, I must put some really hard work into the sqlaxe project, because right now it's at a very early stage. And then it will be interesting to share further ideas about improvements, etc...

Posted: Wed Mar 30, 2005 1:03 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

waraxe wrote: |
Well, we will see...
First of all, I must put some really hard work into the sqlaxe project, because right now it's at a very early stage. And then it will be interesting to share further ideas about improvements, etc... |
I'm waiting.

_________________ IO::y3dips->new(http://clog.ammar.web.id);

All times are GMT