Collaborate Disseminate
I don’t fully understand how to configure BeEF to run the laptop by using evil.com to forward commands (JavaScript) to the target.
I found many tutorials on the internet, but it seems that most of them cover XSS exploitation… Continue reading XSS exploitation with BeEF
I want to understand the deep theory behind sqlmap – the decision making of the programm – how is it done? Is there any public paper? (There is still an option to read and understand sqlmap code and use -vvv switch).
I’m searching for a v… Continue reading Is there any publicly available information about how sqlmap works?
Is there any way to identify which built-in PHP function is used in some given script only by sending a request and receiving a response from the remote server?
To keep it simple we might assume that it is very simple PHP sc… Continue reading Correlation between server request and response time and built-in php functions
Intro
I’m currently experimenting with PHP black box analysis and couldn’t find any useful information. There are some approaches how to determine e.g. Apache version, but for PHP it seems that internet knows only so called … Continue reading Guessing PHP version and info from phpinfo using black box analysis
I’m currently experimenting with the “Range: bytes=XXX” HTTP header. Regardless the possibility of using it for the so called “Apache Killer” DoS attack (unpatched Apache version, etc), is it possible to misuse it for an XSS attack? My idea is to use lots of ranges to generate a XSS from a given file (if it is big enough and contains all necessary characters).
Request:
...
Range: bytes=x1-x2,x3-x4,x5-x6
...
We take only such ranges which we need to produce a new message.
But the response looks like following:
Response:
--99999999999999999999<br>
Content-Type: application/x-javascript<br>
Content-Range: bytes x1-x2/FILE_SIZE<br>
<script>
--99999999999999999999<br>
Content-Type: application/x-javascript<br>
Content-Range: bytes x3-x4/FILE_SIZE<br>
alert
--99999999999999999999
Content-Type: application/x-javascript
Content-Range: bytes x5-x6/FILE_SIZE
('
--99999999999999999999--
Is it possible to disable (on client side) these additional lines so that the response won’t be splitted as shown above: (?)
--99999999999999999999
Content-Type: application/x-javascript
Content-Range: bytes x5-x6/FILE_SIZE
Some set of byte ranges → <script>alert('XSS');</script>
Continue reading HTTP header: Range: bytes=XXX and possible XSS?