|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 49
Members: 0
Total: 49
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
what could i benefit from this? |
|
Posted: Thu Oct 16, 2008 6:50 pm |
|
|
skmpz |
Advanced user |
|
|
Joined: Oct 11, 2008 |
Posts: 169 |
Location: Cyprus |
|
|
|
|
|
|
i tried a sql injection on a phpbb forum and i got a popup saying:
phpbb2mysql_sid=7175378b548564b898503b1c72
584134;
PHPSESSID=d6f09ec325b427303ccebf5ceff0d025;
phpbb2mysql_data=a%3A0%3A%7B%7D
could i benefit anything from these ? |
|
|
|
|
Posted: Thu Oct 16, 2008 7:04 pm |
|
|
WaKo |
Regular user |
|
|
Joined: Jul 27, 2008 |
Posts: 20 |
Location: Austria |
|
|
|
|
|
|
I'm just a n00b at boards but maybe you can try a cookie fake.
greetz WaKo |
|
|
|
|
Posted: Thu Oct 16, 2008 7:14 pm |
|
|
skmpz |
Advanced user |
|
|
Joined: Oct 11, 2008 |
Posts: 169 |
Location: Cyprus |
|
|
|
|
|
|
i'm more noob than any1 else is i believe .. em... cookie fake ?@!#!#! |
|
|
|
|
Posted: Thu Oct 16, 2008 7:26 pm |
|
|
WaKo |
Regular user |
|
|
Joined: Jul 27, 2008 |
Posts: 20 |
Location: Austria |
|
|
|
|
|
|
|
|
|
|
Posted: Thu Oct 16, 2008 7:40 pm |
|
|
skmpz |
Advanced user |
|
|
Joined: Oct 11, 2008 |
Posts: 169 |
Location: Cyprus |
|
|
|
|
|
|
i don't think that the code i pasted includes the admin passwords hash.. or is it? |
|
|
|
|
Posted: Fri Oct 17, 2008 11:06 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
skmpz wrote: | i don't think that the code i pasted includes the admin passwords hash.. or is it? |
No password hash here. Only session ID. Stealing SID can lead to session hijack, but there can be many obstacles - php sessions will last only ~30 minutes after last activity, sessions can be fixated to IP-address/user agent string and other user-specific parameters, etc ...
And one more thing - probably you tried XSS, not Sql Injection, and popup you saw, was javascript alert with your own cookies |
|
|
|
|
Posted: Fri Oct 17, 2008 2:11 pm |
|
|
skmpz |
Advanced user |
|
|
Joined: Oct 11, 2008 |
Posts: 169 |
Location: Cyprus |
|
|
|
|
|
|
trueeeee .. (: .. can i do anything with the sessionid to get admin hash ? |
|
|
|
|
www.waraxe.us Forum Index -> General discussion
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|