EH-Net
May 26, 2013, 03:14:42 AM *
  Show Posts
16  Resources / News from the Outside World / Re: Serious Remote PHP Bug Accidentally Disclosed on: May 04, 2012, 03:35:01 AM
First of all, props to eindbazen, I know some of them personally and they are hardcore. The vulnerability is indeed quite simple, but do not forget that the situation has to be just right, you have to actually run PHP in CGI. But still, kudos to eindbazen for finding it and trying to disclose it responsibly (they discovered this vulnerability in January and reported it several times), if they only checked the private box...
17  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Offtopic tidbits on: May 03, 2012, 01:59:11 AM
Now I know I can not be the only one that likes 8bit chiptunes. I do not listen to it all the time, but sometimes it really gets me in the zone, just like watching the movie Hackers. At the moment I like wiklund, very good tunes: http://www.myspace.com/alexwiklund Normally I listen to rap/hiphop, even the cheesy kind like souljaboy and nicky minaj. I know this will ruin my rep but so be it.
18  Resources / Career Central / Re: Keywords to use when searching for security jobs.. on: May 01, 2012, 02:53:52 AM
I recently started a computer forensic internship, so I am gaining the oh so valuable experience...but I still can't decide if I want to have a career in computer forensics or pentesting. I've been searching keywords of CF and pentest jobs on Dice, Indeed, and Simply Hired and there are a few things that scare me about the two fields.

#1. The number of jobs for each CF and Penetration testing. I would hate to spend so much time and effort on learning and certs, to find I can't land a job in the field I love.

**What's your opinion on the career outlook for either job?

I would not worry so much about that. There is still a high demand for security specialists in the pentesting and forensic field. Also if you are motivated to get such a job, maybe you should take a step back and take a job that eventually leads you to your ultimate goal. Remember that sometimes taking a step back gets you to your ultimate goal.

Quote
#2. Salary; I know money isn't everything but I definitely want to make a good living for myself and future family. When I google "computer forensic" and "penetration tester" salaries, I get different numbers from every website.

**I know it depends on so many factors, but from your experience how much should a professional with 0-5 years make per year?

This differs a lot per country, heck even per state if you are located in the US. Just do some research on different forums and see if it is equal to other specialized IT jobs. Even if we have a somewhat different occupation, down the line we are still "just" a specialized IT employee.

Quote
#3. Here are the words I use to search for jobs, let me know if there are some words I should add.

**CF: EnCE, GCFA, GCFE, GREM, EnCase, FTK, CCE, CHFI, computer forensics, digital forensics

**Pentesting: OSCP, OSCE, GPEN, GWAPT, metasploit, CISSP, penetration tester, ethical hacker, backtrack, wireshark, CEH, vulnerability

Please add any other comments that could help, thanks again everybody.


This seems about right, but remember because it is such a niche market most organizations use other ways to seek their employees, think of conferences where there are booth stands. A great place to look is organizations that are specialized in the pentesting or forensic working field: look at their website, if there are any openings they surely will be noted there, and of course forums/boards like these (see the pentest request in San Francisco posted a few days ago). Go ahead and search the web and do not rely on sites like monsterboard or whatever they use most in your country.
19  Ethical Hacking Discussions and Related Certifications / Programming / Re: spit out all users and passwords in MySQL DB? on: April 26, 2012, 04:49:20 AM
If I run:
') AND (select * from information_schema)-- (((1=1

I get the error "table glocken_emil.information_schema doesn't exist" so it would appear that they have appended glocken_emil to all of the tables here. I guess that tells me a little bit about the structure...

Hmm, from here you can go two ways: try to guess the correct information.schema tablename (which could be glocken_emil.information_schema) or try to guess other tables like glocken_emil.users.

Come to think of it, the error gets me thinking, it looks like the query is being modified to access a table with the tablename 'glocken_emil.*'. Again it has been a while but you can try to use the brute forcer in sqlmap (where you define the prefix as glocken_emil) and see if you can get some tablenames.
20  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Differences between CWSP and OSWP on: April 25, 2012, 03:12:00 AM
If your interest is in enterprise wireless, CWSP is undoubtedly your cert of choice. OSWP features on cracking WEP/WPA-PSK, rainbow table generation, GPS mapping, client attacks (karmetasploit), etc. This is all obviously good information to know if you manage wireless networks, but the CWSP takes you through the entire process of planning, designing, implementing, monitoring, etc. I took the exam a version back, but I remember it being very heavy on all the different EAP types.

Edit: I did the OSWP about a month ago and have been meaning to post a review on my blog. I'll try to get that up sometime this week.

Well said, if you do not want to drift off from the ethical hacking side OSWP is a good choice.
21  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: PWB/OSCP course related question on: April 25, 2012, 03:08:54 AM
Low hanging fruit refers to easily hackable hosts. Often these hosts can be hacked using automated attacks like DBautopwn or simple password guessing (root/toor) for example. Other hosts that require more skills are considered harder. My advice is look for the low hanging fruit in the labs first, do not worry about skipping a few hosts because they seem too hard, go for the hosts that seem fun/challenging and have a crack at those.
22  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: What am I doing worng? on: April 24, 2012, 07:08:09 AM
If I had a dollar for every time I reverted a host in the OSCP labs...
23  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: PWB/OSCP course related question on: April 24, 2012, 07:07:35 AM
An important lesson I learnt was to make sure you check UDP ports as well as TCP.

Only checking the TCP could mean that you miss a critical vulnerability.

If you only check TCP you are doing a half penetration test. ALWAYS check UDP!
24  Ethical Hacking Discussions and Related Certifications / Programming / Re: SQL / OS / LDAP Injection on: April 20, 2012, 02:23:29 AM
If you want to learn more about the nature of these attacks I suggest you look at the very first disclosure of the vulnerability. A nice example would be smashing the stack for fun and profit regarding buffer overflows (http://insecure.org/stf/smashstack.html) which gives great information about how the attack actually works. Now there are several sites and papers that outline these attacks for you. Almost all show you the how, but most are missing the why, which I think you are looking for.

After some googling I saw that even Wikipedia has a nice writeup explaining SQL-injection. I guess the underground is not the only place any more to find such information.

Oh and remember that OWASP has a lot of information also.
25  Resources / Career Central / Re: Pre sales! on: April 20, 2012, 02:14:01 AM
Hm, pre-sales sounds to me like you will spend more time talking about security than actually doing it. Of course sales employees have to have knowledge of the products they sell, which means they will have some level of technical understanding, but performing for example a security assessment will not happen.

Depending on your goals and experience, landing a job like this could position you in a situation where you are able to grow to your ultimate goal, unless this is it, which I can not imagine because of you being on EH.net. So figure out what options you have within the company which will get you to your goal and base your decision on that. Good luck!
26  Ethical Hacking Discussions and Related Certifications / Programming / Re: spit out all users and passwords in MySQL DB? on: April 19, 2012, 01:54:38 AM
See if you can access the information.schema table, it will save you loads of time and help you configure your query once you know which tables and columns you want to extract.
27  Ethical Hacking Discussions and Related Certifications / Programming / Re: spit out all users and passwords in MySQL DB? on: April 18, 2012, 08:29:14 AM
This is where I'd start running "sqlmap" with a --dumpall xD

Hehe, me too, hence the "it's been a while". I know certain challenges block such tools so being able to do it manually is a plus in that situation, in real life however...
28  Ethical Hacking Discussions and Related Certifications / Programming / Re: spit out all users and passwords in MySQL DB? on: April 18, 2012, 02:43:58 AM
It's been a while, but let me try this.

The key is to know which tables and columns are containing the information you want, you can get these by requesting the information.schema database. When you have insufficient rights to access the information.schema database you can try two things, guess the names or brute force them.

In the end you want to inject a request like this:

UNION SELECT password FROM users where login_name='admin'--

There are several good SQL injection tutorials out there which you can use for more information. Good luck!
29  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Passed eLearnseurity course on: April 17, 2012, 03:06:23 AM
Congratulations! It sounds like you had a lot of fun and learned a lot, am I right? Good luck with the next certs you have planned!
30  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise on: April 13, 2012, 06:50:53 AM
OK, after reading this it seems that it all got a little bit blown out of proportion. Perhaps an honest mistake even? Still the problem is fixed, now we just have to wait for the update in backtrack.
© 2013 The Ethical Hacker Network