EH-Net
May 21, 2013, 10:48:25 AM *
 71 
 on: May 15, 2013, 07:27:41 AM 
Started by eyenit0 - Last post by H1t M0nk3y
You know what eyenit0, I suggest you start MySQL Workbench (free!) and try to directly write SQL code there first (without going through PHP code). This way, you will be able to test SQL without the PHP layer.

For example, start with something like this:
Code:
INSERT INTO txtcomment (id,comment) VALUES (10, '<A comment>');

Then replace the <A comment> (but leave the single quotes there) with what you would normally use for SQL injection. For example:
Code:
-- Deleting the row containing the username 'bob' from the user table
-- Code to do this is: DELETE FROM user WHERE username='bob'
-- So the injection code would be: comment'); DELETE FROM user WHERE username='bob'; --
-- Note: There is a space at the very end of the SQL injection code!!!
INSERT INTO txtcomment (id,comment) VALUES (10, 'comment'); DELETE FROM user WHERE username='bob'; -- ');

As you can see:
Code:
comment'); DELETE FROM user WHERE username='bob'; --
Would be your SQLi code (including the space at the end)

Then, once it works in SQL Workbench, try to do the same thing through PHP. MySQL will often give you more meaningful error messages and you don't have to worry about PHP...

Does this make sense?

 72 
 on: May 15, 2013, 02:20:53 AM 
Started by Seen - Last post by Seen
Looking at the audit trail, I see the following message:

Nikto was not found in $PATH

When logged in as root or a normal user, Nikto is in my path.  Is there any way to view the path Nessus is using?  Or is there a system path I can change?  Thoughts?

 73 
 on: May 14, 2013, 02:11:42 PM 
Started by Seen - Last post by m0wgli
I don't know if this will help you or not, but, I found this thread on the Nessus forum.

 74 
 on: May 14, 2013, 12:18:33 PM 
Started by gwocnigeria - Last post by hayabusa
http://lmgtfy.com/?q=dns+cache+poisoning+howto

There are several examples of a DNS cache poisoning attack...

First hit is a video, using a Metasploit module to accomplish the task.

 75 
 on: May 14, 2013, 12:13:53 PM 
Started by Seen - Last post by Seen
I've been trying to integrate Nessus and Nikto.  I've followed all the instructions on this video:

http://www.youtube.com/watch?v=6kHyAhFv7xg

But when I run the scan nothing seems to happen.  Meaning no new vulnerabilities appear compared to a Nessus scan that doesn't have Nikto enabled.

The only information I was able to find in nessusd.messages was the following:

Code:
launching nikto.nasl against 192.168.0.125 [1251]
nikto.nasl (process 1251) finished its job in 0.010 seconds

This seems incredibly fast compared to running Nikto from the command line, which works fine.  Does anyone have any ideas on how to get this working, or where on my system I could check to find additional information on what is happening?

I'm running CentOS 6.4 x64 and Nessus 5.2.

Thanks.

 76 
 on: May 14, 2013, 11:09:32 AM 
Started by gwocnigeria - Last post by gwocnigeria
Please, I need a demonstration tutorial on how to carry out a successful DNS cache poisoning attack on a target www.site.com ip:xx.xx.xx.xx. Thanks in advance.

 77 
 on: May 13, 2013, 10:21:39 PM 
Started by 3xban - Last post by 3xban
Anyone heading there this weekend?  What talks are you looking forward to?  The Walt Williams talk seems interesting, maybe Deral Highland's Embedded devices talk.  There also seem to be a couple of talks around malware.  For those always looking to set up a lab, there is a talk on that as well.  They seem to have a good range of material.  Hope to meet some EH netters there and have some cool discussions!

http://www.securitybsides.com/w/page/12194141/BSidesBoston

Doesn't appear sold out yet either.

 78 
 on: May 13, 2013, 08:50:50 PM 
Started by 3xban - Last post by tturner
I can help you there. :)

I may even have an available position very soon. Shoot me a PM.

In the meantime check out:

http://hackucf.org/blog/ (they welcome non-students and are VERY active and friendly)

https://www.owasp.org/index.php/Orlando (I run the chapter)

http://dc407.com/ (I am fairly active, but this group is floundering a bit due to most of us getting jobs and being busy. It's mostly just a monthly hangout but we are looking for new blood to breathe life into the group)

We recently held http://bsidesorlando.org/ (I'm the primary organizer but have some good friends helping out as well)

Also I believe http://407.binrevmeetings.com/ still meets (407 group for http://www.binrev.com/forums/) but am unsure how active they still are.

And of course the standard ISSA/ISACA/Infragard blah blah.

 79 
 on: May 13, 2013, 12:17:22 PM 
Started by 3xban - Last post by chrisj
Might be worth checking:

-Local Defcon Groups
-Local CitySec Groups
-LinkedIn for that area

 80 
 on: May 13, 2013, 10:56:45 AM 
Started by eyenit0 - Last post by eyenit0
Still no luck. I removed the quotes from the ID parameter in the PHP code to test and was able to use some true/false statements to verify that I could inject, but as soon as I add the single quotes back into the code, it's no go.

Any time I provide anything other than an integer in the ID field, I get the "Data truncated" error. If I try to inject anything into the comment field, it gets put into the DB exactly as I typed it. I don't see any escaping in the code, but can't figure out why it won't work with the single quotes on that field.


On a similar note, is it possible to inject into a query that gets provided to the mysql_num_rows function? I haven't been able to get it working. I have some code like this and am wondering if it's exploitable as well:
Code:
$query = mysql_query("SELECT * FROM products WHERE id=" . $id);
$number = mysql_num_rows($query);


Thanks for the help
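
Added example, not part of any post above and not code from the thread: the concatenated `products` lookup from post 80 next to a bound-parameter version, plus a bound insert into `txtcomment` from post 71. It assumes Python's built-in sqlite3 as an offline stand-in for MySQL; the table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the thread's MySQL tables (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget'), (3, 'gizmo');
        CREATE TABLE txtcomment (id INTEGER, comment TEXT);
    """)
    return db

def count_concat(db, raw_id):
    """Mirrors "SELECT * FROM products WHERE id=" . $id: the input becomes SQL text."""
    rows = db.execute("SELECT * FROM products WHERE id=" + raw_id).fetchall()
    return len(rows)  # plays the role of mysql_num_rows()

def count_bound(db, raw_id):
    """Hardened form: check the type first, then bind the value as a parameter."""
    try:
        value = int(raw_id)
    except ValueError:
        return 0  # a non-integer id is rejected before it reaches the database
    rows = db.execute("SELECT * FROM products WHERE id=?", (value,)).fetchall()
    return len(rows)

def store_comment_bound(db, row_id, comment):
    """Bound INSERT into txtcomment: quotes in the comment stay data, not syntax."""
    db.execute("INSERT INTO txtcomment (id, comment) VALUES (?, ?)", (row_id, comment))
    row = db.execute("SELECT comment FROM txtcomment WHERE id=?", (row_id,)).fetchone()
    return row[0]

if __name__ == "__main__":
    db = make_db()
    # A boolean condition appended to the id changes the row count only in the
    # concatenated query; the bound query refuses the non-integer input.
    for raw in ("1", "1 OR 1=1"):
        print(repr(raw), "concat:", count_concat(db, raw), "bound:", count_bound(db, raw))
    # The comment string from post 71 is stored verbatim when bound.
    text = "comment'); DELETE FROM user WHERE username='bob'; -- "
    print(store_comment_bound(db, 10, text) == text)
```

The row count is the only thing the page reveals in the concatenated case, which is why a changed count is the signal to look for when reviewing code built this way.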

© 2013 The Ethical Hacker Network