Proxy Mania
Avidor93
Sent on: 12/07/2008, 21:44:53
I can't figure out how to do SQL injection when updating.
I mean, I got into the newest account and found the SQL injection.
I tried to attack it from every angle I could.

Putting in some comments (I know, comments in Access are different) is not working.

I have tried some more things...

PLEASE give me some hint on how I should exploit this,
'cause I'm going insane! :)

cp77fk4r
Global Admin
Sent on: 17/07/2008, 14:02:08
Just copy the query, edit it and resend it...

Hertz
Sent on: 17/07/2008, 14:10:07
I got the admin password. I'm logged in as an admin, I am in the Proxy Logs directory, and I've found the proxies that were used at 16/10/2004 18:53. There are two proxies, and near them are the IP addresses that used those proxies. I've tried to submit both of them at submit score but it doesn't work. What's wrong? :(

cp77fk4r
Global Admin
Sent on: 17/07/2008, 14:15:22
It's called proxy strings:

Attacker ==> proxy1 ==> proxy2 ==> Target.

Your luck is that all of the proxies that the attacker used appear in this list; just follow the time and the date and try to find the original attacker IP.
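
An added example, not part of the original thread or of the challenge: the backward walk described in the post above, written as a log-correlation routine for an investigator who holds the logs of every proxy in the chain. The log layout, the IP addresses, the timestamps and the name `trace_origin` are all constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample logs (documentation IP ranges); the layout is an assumption.
# Key: proxy IP. Entry: (timestamp, client that connected in, destination forwarded to).
PROXY_LOGS = {
    "198.51.100.20": [  # proxy2, the address the target's own log shows
        ("2024-01-15 18:40:11", "203.0.113.99", "192.0.2.80"),
        ("2024-01-15 18:52:58", "198.51.100.10", "192.0.2.80"),
    ],
    "198.51.100.10": [  # proxy1
        ("2024-01-15 18:52:57", "203.0.113.7", "198.51.100.20"),
        ("2024-01-15 18:52:59", "203.0.113.50", "192.0.2.33"),
    ],
}


def trace_origin(seen_ip, target, when, logs, window=timedelta(seconds=5)):
    """Walk the chain backwards; return (proxy hops, origin IP or None)."""
    t = datetime.strptime(when, FMT)
    hops, current, dest = [], seen_ip, target
    while current in logs:  # still a proxy we hold logs for
        if current in hops:
            raise ValueError("loop in proxy chain")
        hops.append(current)
        candidates = []
        for ts, client, fwd in logs[current]:
            delta = abs(datetime.strptime(ts, FMT) - t)
            # Same destination and close enough in time to be the same request
            if fwd == dest and delta <= window:
                candidates.append((delta, client))
        if not candidates:
            return hops, None  # trail goes cold: no matching entry
        # Step one hop back: this proxy becomes the destination to look for
        dest, current = current, min(candidates)[1]
    return hops, current


if __name__ == "__main__":
    print(trace_origin("198.51.100.20", "192.0.2.80",
                       "2024-01-15 18:53:00", PROXY_LOGS))
```

The five-second window is an assumption; real proxy clocks drift, so the window has to be widened or the timestamps normalised before correlating.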

Hertz
Sent on: 18/07/2008, 01:58:43
Ty. Passed!

cp77fk4r
Global Admin
Sent on: 20/07/2008, 03:27:31
:)

rodmar
Sent on: 02/03/2009, 06:26:54
Hi,
I can log in as Robert but I have no idea what to do now.
Any hint??

cp77fk4r
Global Admin
Sent on: 02/03/2009, 17:01:26
rodmar, excellent, logging in as Robert is the first part; now you need to find the way to log in as the admin - and remember, you can't log in as the admin while he is on the site!

rodmar
Sent on: 02/03/2009, 18:53:40
I have tried everything with the Robert account. I even tried to change the profile name to BILL and the mail address to my mail, so that, in the forgot.php page, I would put the name BILL and receive BILL's password at that email address.

The problem is that the profile changes back and I don't understand how he saves the new information.

Help..

cp77fk4r
Global Admin
Sent on: 04/03/2009, 09:45:49
There is another bug in the form - like the bug that you found in the login page!

tomer321
Sent on: 06/03/2009, 16:26:51
I logged in as Robert and probably know what to inject where, but it doesn't work. Can I send someone who passed it the code to inject and they tell me if it's good?
PS: I found Robert's real password by sending it to my email, but I never received Bill's pass.

cp77fk4r
Global Admin
Sent on: 06/03/2009, 16:28:30
Send it to me, and yo, read the hints!

All the times are GMT+2, ISRAEL