Wednesday, May 28, 2014

Hacking Sites for Fun and Profit - Notes

My Notes From: Hacking Sites for Fun and Profit
SQL Injection

?id=5 and 1=1
?id=5 and 1=2
?id=5 and substring(@@version)

XSS send session to another site.

Filter Input. Escape Output.

Command Injection
Escape Shell Arg

Code, Regex, Log, LDAP Injection

Session Puzzling

** Admin Password From the Forgot Password Form
Forgot Password with Username "admin" and email of registered user.
Emailed to the user without any problems.

** Registration Form
username1').('email', 'fist2', 'last2', 'x', 'pw2', 'username2'

** Search Input
Passing the input unescaped into a grep command. *; ls -al
gouda *; cat....

** Dev Mode

Hackathon On Wednesday
Get involved in OpenSource and a Project

No comments:

Post a Comment