• Thanks for the suggestion, I hadn’t thought of that. I just checked though and it’s off. I wonder if there’s some sort of other protection somewhere that I can’t see. If I run the command from the CLI directly it works fine, but when I pass my input as a parameter it does not. I’ll try to dig deeper on it if I can get the time.

  • Sorry for the extremely late reply. Holidays and all that had me spinning in circles. I just got back to this at work today and found that if I edit the PHP and remove the single quotes around $user_input then I can inject a command successfully via that parameter. So I guess those single quotes are protecting the query. I’m not sure if there’s a…[Read more]

  • Total sense. I should have done that earlier! That helped, along with turning on logging in MySQL to see the queries.

    Unfortunately, I realized that magic_quotes is on in PHP(I thought I checked that earlier), so I don’t know if this is even exploitable, since the id parameter is quoted. If it weren’t, it would be fair game, but I don’t see a way…[Read more]

  • Still no luck. I removed the quotes from the ID parameter in the PHP code to test and was able to use some true/false statements to verify that I could inject, but as soon as I add the singe quotes back into the code, it’s no go.

    Any time I provide anything other than an integer in the ID field, I get the “Data truncated” error. If I try to…[Read more]

  • Thanks for the info, guys. I’m gonna look into it this morning and I’ll post back with the outcome. The ID parameter is an integer, so I don’t know why quotes are around it, but it’s not my code. I’ll try changing the code and testing it to see the results, but I’d also like to get it working with how the code is now, if that’s even…[Read more]

  • I was considering buying the bundle, but it seems that you must use the exam vouchers within a certain period, right? I don’t want to buy both and only have 120 days or something to finish both courses and exams. I’ve been unable to get a response from Armando, and don’t know when my 50% coupon code(for being eCCPT silver) runs out. His original…[Read more]

  • You’re probably right. I guess proving the CSPP vulnerability is present will have to be enough for now. Thanks for your help.

  • So, I even emailed Chema and he verified that getting that error is normal, but even though it’s an untrusted domain, you should still be able to grab the hashes before that error is raised. He suggested Cain for sniffing, but Cain isn’t grabbing anything, even when I did a test connection with valid credentials and no error. I have the PCAP with…[Read more]

  • The error in the SQL log says:
    SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed.

    Even though I set this box up as a domain…[Read more]

  • Thanks for the reply. The target server is SQL Server 2012. I’ve set up rogue servers with SQL 2005, 2008, and 2012 Express versions.
    I’m in the process of setting up a SQL instance on a test domain controller with the same domain name as the target domain.

    I wish there was a way to use the CSPP attack to cause the target server to send over it’s…[Read more]

  • Do any of those work with POST requests? I am not aware of any that handle those, but I’d love to hear of something like that if you know of one.

  • Well, I’ve never gone up against urlscan before but I just beat F5’s ASM XSS filter for the first time, so maybe some of the same tricks will work.

    Some of the things I used were:
    1. I ditched using because I couldn’t get it passed. Instead used. Notice it’s not . The WAF would filter tags but not and Firefox would display just fine.
    Try…[Read more]

  • Yeah, that budget range definitely is all over the place. Right now I don’t think there is a defined budget, which is why the plan went from ModSecurity to F5, and may go back to ModSecurity! It’s up in the air right now, but I’m assuming I have budget backing.

    F5 is definitely what I’d like to go with and seems like a mature product. I’m glad…[Read more]

  • Thanks for that info. I looked up v8 and see that you can apparently take the exam but there’s no study material for it? I may grab that All-In-One guide, brush up, and take the exam, unless there’s a big reason to wait for v8. I just want to brush up enough to know that I’ll pass the exam again and can have it on my record, and then move in to a…[Read more]

  • Well, they didn’t know specific vulnerabilities or the extent to which they could be exploited until I took the liberty to show them, so now they are finally getting some attention!
    Thanks again for the help you’ve given.

  • Well, after looking over what’s being done for SQLi, I’m actually pleasantly surprised that it’s more robust than I had anticipated. I’d go into more detail if I could, but I’ve already said too much. I don’t want to get burned for posting company intel!

    Luckily, I’ve been able to sit down with the lead developer and discuss the plan of action on…[Read more]

  • Well, I was asking that question thinking more of some things that are already in place, not necessarily where I want things to go. Just trying to gauge where we stand in terms of SQLi  :-

    This thread has been very helpful and I’m looking forward to implementing some of these suggestions.

  • Definitely some more good information. I’ve also read some of shiflett’s stuff before and it’s really good. One thing he mentioned that I had been thinking about is filtering input and escaping/encoding output. That seems to be the most logical thing and goes along with what we’ve been talking about.

    On a quick side note, is using PHP’s…[Read more]

  • Wow, that was a great and insightful post. Thanks for the info.

    The only special character that this application should let through is an apostrophe for maybe a comment box or a last name. Other than that, it should only be alphanumeric characters.
    I had been thinking of htmlentities or htmlspecialchars for XSS prevention, but a simple regex like…[Read more]

  • That’s a good idea. I hadn’t thought of that. I just tried it out on a few bits of code and it seems to be decent. We do have the full product for one of our other environments, but I’m not sure we have the license for this project as well. I’ll have to look into this.

  • Load More

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?