pierre
Active Members
Posts: 106
Joined
Last visited

Everything posted by pierre

  1. Oops, thank you. By reading these, it appears to me that the Apache user must not have root rights if we do not want an attacker (through Apache) to read whatever file this attacker wants :)
  2. Hello, I am trying to execute commands on a server from an LFI. According to this article (http://resources.infosecinstitute.com/local-file-inclusion-code-execution/#gref), I could do it through the /proc/self/environ file. But I can't even display its content on the page by requesting: http://192.168.1.1/DVWA/vulnerabilities/fi/?page=/proc/self/environ It appears that the associated permissions are: -r-------- 1 test test 0. So it is normal that www-data can't see it, no?
  3. Hello, I would like to know how you would perform an nmap scan from a router? As you may already know, the Cisco shell, called IOS, is very restrictive.. Indeed I can't find a way to perform such network discovery from the router itself.. Have you ever succeeded? Regards,
  4. Hello, Recently, Yahoo members were notified about "forged cookies". The hacker just forged the cookie in his browser to usurp the victim's session. It works because the cookie value isn't renewed and randomized each time another session is established (I may be wrong here, feel free to correct me). But originally, how does the hacker get this famous cookie? Thanks
  5. Hello, Do you know any vulnerable web app to play with, built on JSON web technologies? Thanks
  6. For example, the site is like that:
     @IP/login.php -> nonce protection
     @IP/wp-admin/admin-ajax.php -> no nonce protection
     The attacker sends this malicious link:
     http://@IP/wp-admin/admin-ajax.php?password_new=weak&password_conf=weak&Change=Change
     The admin clicks the link. So even if login.php has nonce protection, it makes no difference, because the HTTP request doesn't route through @IP/login.php but instead goes directly to @IP/wp-admin/admin-ajax.php, so the request isn't blocked by the web server's nonce protection?
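The routing point raised in post 6, as an added example that is neither the poster's code nor WordPress's: a minimal server model in which a nonce is an HMAC over the session id and the action name, login.php verifies it and admin-ajax.php does not. The forged link from the post carries no nonce, so the unprotected endpoint still changes the password while the same parameters sent to the protected path are refused. All names (SECRET, SESSIONS, make_nonce, handle_login, handle_admin_ajax, target.example standing in for @IP) are assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: server secret and one logged-in admin session.
SECRET = b"server-side-secret-key"
SESSIONS = {"sess-admin": {"user": "admin", "password": "Str0ngP@ss"}}
BASE = "http://target.example"  # placeholder for the post's @IP

def make_nonce(session_id, action):
    """Per-session, per-action nonce: HMAC over the session id and the action.
    An attacker who does not hold the victim's session cannot compute it."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def verify_nonce(session_id, action, nonce):
    if nonce is None:
        return False
    return hmac.compare_digest(make_nonce(session_id, action), nonce)

def change_password(session_id, params):
    if params.get("password_new") != params.get("password_conf"):
        return "mismatch"
    SESSIONS[session_id]["password"] = params["password_new"]
    return "changed"

def handle_login(session_id, params):
    """login.php: the state change runs only with a valid nonce."""
    if not verify_nonce(session_id, "change_password", params.get("nonce")):
        return "rejected: bad nonce"
    return change_password(session_id, params)

def handle_admin_ajax(session_id, params):
    """admin-ajax.php: same action, no nonce check (the gap in the post)."""
    return change_password(session_id, params)

ROUTES = {"/login.php": handle_login, "/wp-admin/admin-ajax.php": handle_admin_ajax}

def browser_follows_link(url, session_cookie):
    """The victim's browser: a GET with the victim's session cookie attached.
    Only the path decides which handler runs; a nonce check on login.php
    never executes when the request goes straight to admin-ajax.php."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return ROUTES[parts.path](session_cookie, params)

# The link from the post, against the assumed host.
FORGED = BASE + "/wp-admin/admin-ajax.php?password_new=weak&password_conf=weak&Change=Change"

def demo():
    SESSIONS["sess-admin"]["password"] = "Str0ngP@ss"
    out = {}
    # 1. forged link, unprotected endpoint: the password changes
    out["ajax_forged"] = browser_follows_link(FORGED, "sess-admin")
    out["password_after"] = SESSIONS["sess-admin"]["password"]
    # 2. the same forged parameters against login.php are refused
    out["login_forged"] = browser_follows_link(
        FORGED.replace("/wp-admin/admin-ajax.php", "/login.php"), "sess-admin")
    # 3. the legitimate form carries a nonce bound to the victim's session
    nonce = make_nonce("sess-admin", "change_password")
    out["login_legit"] = browser_follows_link(
        BASE + f"/login.php?password_new=N3w&password_conf=N3w&nonce={nonce}", "sess-admin")
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The nonce helps only on handlers that call verify_nonce; any other route that performs the same state change is an equally good target for the forged link, which is why the check belongs on the action, not on one page.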
  7. I didn't read it, thanks. Normal Burp behaviour then.. Yes, I should..
  8. I use the free version. I have read that brute force is slower than in the pro version, but here it appears slower and slower as the brute force goes on..
  9. Hello, I have followed this documentation step by step to brute-force a login page: https://support.portswigger.net/customer/portal/articles/1964020-using-burp-to-brute-force-a-login-page I use a 10,000-entry dictionary. At first, the brute force is very fast (4-5 requests/second). But as the brute force goes on, each request takes more and more time to reach the web server... I use 2 VirtualBox VMs. My host has 8 GB; 4 GB is dedicated to one guest and 1 GB to the other. I would like to know if it is normal? Or is it an attacker problem? A web server problem? A host configuration problem? Thanks
  10. "An attacker may forge a request to log the victim into a target website using the attacker's credentials; this is known as login CSRF. Login CSRF makes various novel attacks possible; for instance, an attacker can later log into the site with his legitimate credentials and view private information like activity history that has been saved in the account. This attack has been demonstrated against Google[9] and Yahoo.[10]"
      So the main point here is that the victim uses the hacker's website account?
      - The malicious link, which contains login.php, is sent
      - Then the victim is redirected to /wp-admin because she is already logged in
      - Finally a harmful action is done on the /wp-admin page?
  11. Ok thanks, I would have thought that only -- could comment out the rest of the query. Thank you :)
  12. Hello, I would like to know the impact of the injection: string' /*
      For example in such a query:
      "select username,pass from users where username='$uname' and password='$passwrd' limit 0,1"
      "select username,pass from users where username='admin' /*' and password='$passwrd' limit 0,1"
      So we only look for the user admin, then we extend the query by adding ' and finally /* will bypass the end of the query?
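The comment injection asked about in post 12, and the -- variant mentioned in post 11, run against a real database as an added example (not the poster's code): SQLite's parser, like MySQL's, treats an unterminated /* as a comment to the end of the input and -- as a comment to the end of the line, so everything after the injected quote is dropped and the password condition never executes. The table, its rows and the helper names are constructed for this example; the column is named pass in both the SELECT and the WHERE, an assumption made because the post's query selects pass but filters on password.

```python
import sqlite3

def make_db():
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, pass text)")
    conn.executemany("insert into users values (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn

def build_query_as_posted(uname, passwrd):
    """The query shape from the post: user-supplied values pasted into the SQL text."""
    return (f"select username,pass from users where username='{uname}' "
            f"and pass='{passwrd}' limit 0,1")

def login_vulnerable(conn, uname, passwrd):
    """Executes the concatenated query; with uname = "admin' /*" the text after
    the injected quote becomes a comment and only username='admin' remains."""
    return conn.execute(build_query_as_posted(uname, passwrd)).fetchone()

def login_parameterized(conn, uname, passwrd):
    """Bound parameters: the quote and the comment opener stay inside the value
    and are compared against the column, never parsed as SQL."""
    query = "select username,pass from users where username=? and pass=? limit 0,1"
    return conn.execute(query, (uname, passwrd)).fetchone()

if __name__ == "__main__":
    db = make_db()
    for uname in ("admin", "admin' /*", "admin'-- "):
        print(repr(uname), "->", build_query_as_posted(uname, "wrong"))
        print("   vulnerable:", login_vulnerable(db, uname, "wrong"),
              "| parameterized:", login_parameterized(db, uname, "wrong"))
```

Printing build_query_as_posted for each input shows exactly what the database parses; the trailing space after -- matters in MySQL, where the sequence must be followed by whitespace to count as a comment.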
  13. Hello, I understand how CSRF works. If such a vulnerability is present on a profile.php page, a user could be tricked into having his password changed by clicking on a malicious link. But what about the impact on a login.php page with a CSRF vulnerability? Because there is no action possible on the page apart from filling in the credentials.. Thanks
  14. Hello, I achieved uploading a PHP file to a web server by modifying its Content-Type header, but I fail to bypass the file size limitation.. I tried to modify the Content-Length header but no result.. Here is the server-side size limitation code:
      // File information
      $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
      $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
      $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
      // Is it an image?
      if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && ( $uploaded_size < 100000 ) ) {}
      Here is a Burp screenshot: I hope I've been well understood :) Thanks for your answers!
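An added example (not the poster's code and not DVWA's) of why the Content-Type trick in post 14 works while the Content-Length trick does not: PHP fills $_FILES[...]['type'] from whatever the client declares, but ['size'] from the bytes it actually wrote to the temporary file, so a header edit cannot shrink a file the server has fully received. check_upload_as_posted mirrors the quoted PHP condition; check_upload_hardened is an assumed stricter check that ignores the declared type and inspects the file's leading bytes. The sample payloads and all function names are constructed for this example.

```python
# Leading bytes of the two image types the quoted PHP condition accepts.
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
}
MAX_SIZE = 100000  # same limit as the quoted PHP condition

def check_upload_as_posted(declared_type, data):
    """Mirror of the quoted PHP: trusts the client-declared Content-Type and
    compares the byte count of the received body (what PHP reports as 'size')."""
    return declared_type in ("image/jpeg", "image/png") and len(data) < MAX_SIZE

def sniff_image_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for mime, magic in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None

def check_upload_hardened(declared_type, data):
    """Assumed stricter check: the declared type must agree with the bytes,
    and the size is still measured from the bytes received."""
    sniffed = sniff_image_type(data)
    return sniffed is not None and sniffed == declared_type and len(data) < MAX_SIZE

# Constructed sample uploads.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
PNG_STUB = MAGIC["image/png"] + b"\x00" * 64
OVERSIZED_PNG = MAGIC["image/png"] + b"\x00" * MAX_SIZE
POLYGLOT = MAGIC["image/jpeg"] + PHP_SHELL  # JPEG header with PHP appended

def demo():
    return {
        # declared image/jpeg, PHP inside: the posted check passes it
        "php_as_jpeg_posted": check_upload_as_posted("image/jpeg", PHP_SHELL),
        "php_as_jpeg_hardened": check_upload_hardened("image/jpeg", PHP_SHELL),
        "png_posted": check_upload_as_posted("image/png", PNG_STUB),
        "png_hardened": check_upload_hardened("image/png", PNG_STUB),
        # a lied-about Content-Length changes nothing here: len(data) is the real body
        "oversized_posted": check_upload_as_posted("image/png", OVERSIZED_PNG),
        # the limit of a magic-byte check: a real header followed by PHP still passes
        "polyglot_hardened": check_upload_hardened("image/jpeg", POLYGLOT),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The polyglot case is the caveat a practitioner wants: sniffing the header raises the bar but does not stop a JPEG with PHP appended, so the upload directory must also be served without script execution and stored files should be renamed to a fixed image extension.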
  15. Yes, I've found the section able to bypass the hardening:
      Malformed A tags
      Skip the HREF attribute and get to the meat of the XSS... Submitted by David Cross ~ Verified on Chrome
      <a onmouseover="alert(document.cookie)">xxs link</a>
      or Chrome loves to replace missing quotes for you... if you ever get stuck just leave them off and Chrome will put them in the right place and fix your missing quotes on a URL or script.
      <a onmouseover=alert(document.cookie)>xxs link</a>
      Thanks :)
  16. The HIGH level. I think I don't understand how XSS works with HTML events..
  17. No, here I can't because of this pattern: /<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i
      It intercepts the <script> tag and replaces it with a space. So I have to bypass this hardening with HTML events, which is what I describe above. But I don't know how to send the link with the HTML page modified.. Am I more understandable?
  18. I have already performed JavaScript injection by sending a malicious link to a victim like this:
      http://192.168.1.1/DVWA/vulnerabilities/xss_r/?name=<script>alert(document.cookie);</script>
      But here I need to remove the protection on the page by injecting JavaScript in HTML events like this:
      <a href="javascript:alert(document.cookie)">Click me</a>
      But I have to modify the HTML page code with Firebug. So I was wondering how I could send a link with JavaScript in an HTML event to a victim in order to steal cookies?
  19. I was just quoting the different actors......
  20. For reflected XSS, a link has to be sent to the victim. I haven't looked at stored XSS yet.
  21. An intro course: have you got any URL? But in online videos, there is only attacker-server. For SQLi, it is fine, whereas in XSS or CSRF, the situation is victim-attacker-server, which is not present in online videos..
  22. Hello, I know my question is a little bit unclear. But with Firebug, I've found a potential XSS by adding a JavaScript instruction in an HTML field at URL 192.168.1.1/DVWA/vulnerabilities/xss_r/:
      <a href='javascript:alert(document.cookie)'>Home</a>
      The original field was:
      <a href="../../.">Home</a>
      My question would be: How does an attacker send a malicious link to a victim with a webpage modification included in the link?
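The filter from post 17, the payloads from posts 15 and 18 and the link-delivery question from posts 18 and 22, worked through as one added example (not the poster's code and not DVWA's): the regex quoted in post 17 is applied as the post describes, replacing each match with a space; a <script> tag is wiped but an <a onmouseover=...> tag passes untouched because the pattern needs the letters s, c, r, i, p, t in that order after a < and the event payload contains no p. The attacker does not edit the victim's page with Firebug: the payload travels inside the name parameter of the link, and the server writes it into the page for the victim. render_as_posted uses an assumed template that reflects the parameter; render_fixed is the usual repair, HTML-encoding the value on output.

```python
import html
import re
from urllib.parse import urlencode

# The pattern quoted in post 17, applied as described there:
# every match is replaced with a single space.
SCRIPT_FILTER = re.compile(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", re.IGNORECASE)

def dvwa_high_filter(name):
    return SCRIPT_FILTER.sub(" ", name)

def render_as_posted(name):
    """Assumed reflecting template: the filtered value lands in the page as markup."""
    return f"<pre>Hello {dvwa_high_filter(name)}</pre>"

def render_fixed(name):
    """Output encoding: the browser sees text, not markup, whatever was sent."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"

def build_reflected_link(base, name):
    """The link the attacker sends; the payload is percent-encoded into the query string,
    and the server decodes it and reflects it for whoever clicks."""
    return base + "?" + urlencode({"name": name})

# Constructed payloads: the one the filter catches and the one it does not.
SCRIPT_PAYLOAD = "<script>alert(document.cookie);</script>"
EVENT_PAYLOAD = "<a onmouseover=alert(document.cookie)>xxs link</a>"
TARGET = "http://192.168.1.1/DVWA/vulnerabilities/xss_r/"

if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, EVENT_PAYLOAD):
        print("link to send :", build_reflected_link(TARGET, payload))
        print("filtered     :", repr(dvwa_high_filter(payload)))
        print("as posted    :", render_as_posted(payload))
        print("fixed        :", render_fixed(payload))
```

Because the filter greedily swallows everything between the first < and the last t it can pair with, it removes more than the tag, but it is still a deny-list on one keyword; the output-encoding variant makes the event-handler payload inert without enumerating tag names.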