leo26 Posted April 25, 2019

I use a simple direction scan tool to scan a web-site, and there's a URL exhibited as "http://xxx.com/%23abc.mdb". I wonder the real meaning of %23 in the position, I guess it hides a real path for this database. Could you provide a method to exploit this? Thanks
ant0ne Posted May 27, 2019

This just substitutes for the '#' character, which is 0x23 in hex.
operat0r_001 Posted May 28, 2019

likely a false positive ... https://websec.ca/kb/sql_injection

I like to start with fuzzdb's https://raw.githubusercontent.com/ethicalhack3r/fuzzdb/master/attack-payloads/all-attacks/interesting-metacharacters.txt with ZAP and burp as a proxy for ZAP ;P
digip Posted June 3, 2019

On 4/25/2019 at 3:21 AM, leo26 said:

> I use a simple direction scan tool to scan a web-site, and there's a URL exhibited as "http://xxx.com/%23abc.mdb". I wonder the real meaning of %23 in the position, I guess it hides a real path for this database. Could you provide a method to exploit this? Thanks

Nothing to exploit, but if you want to learn, search for URL encoding and how it works.
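Added example, not part of any post in the thread: a Python sketch of the URL encoding the replies point to, showing that `%23` is an escaped `#` kept inside the path, while a literal `#` would start a fragment that the client never sends to the server. The function name `explain_url` and the second and third sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Characters that change how a URL is split when they appear unescaped.
STRUCTURAL = {
    "#": "would start the fragment, which the client never sends",
    "?": "would start the query string",
    "/": "would start a new path segment",
}

def explain_url(url):
    """Split `url` the way a client does and list the ASCII escapes in its path."""
    parts = urlsplit(url)
    escapes = []
    for m in re.finditer(r"%([0-9A-Fa-f]{2})", parts.path):
        byte = int(m.group(1), 16)
        if byte < 0x80:  # bytes >= 0x80 belong to multi-byte UTF-8 sequences
            ch = chr(byte)
            escapes.append((m.group(0), ch, STRUCTURAL.get(ch, "ordinary character")))
    # The request target is what actually goes on the wire: path plus query,
    # never the fragment.
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return {
        "request_target": target,
        "decoded_path": unquote(parts.path),
        "fragment": parts.fragment,
        "escapes": escapes,
    }

if __name__ == "__main__":
    samples = [
        "http://xxx.com/%23abc.mdb",     # URL from the thread
        "http://xxx.com/#abc.mdb",       # constructed: same name, '#' left unescaped
        "http://xxx.com/a%2Fb%3Fc.txt",  # constructed: other escaped delimiters
    ]
    for url in samples:
        info = explain_url(url)
        print(url)
        for key, value in info.items():
            print(f"  {key}: {value!r}")
```
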