Website: http://search.oracle.com/
Discoverer: sh3n
Advisory URL: http://www.xssed.com/mirror/69865/
Discovery date: 14 October 2010
Notification date: 14 October 2010
Publication date: 15 October 2010
Fixed: NO, UNFIXED
Additional information: Cross-site scripting PoC: http://bit.ly/d56mSZ

Website: http://comunidad.terra.com
Discoverer: sh3n
Advisory URL: http://www.xssed.com/mirror/69836/
Discovery date: 12 October 2010
Notification date: 12 October 2010
Publication date: 14 October 2010
Fixed: NO, UNFIXED
Additional information: Cross-site scripting PoC: http://bit.ly/aWUdux
Greetings. A few days ago I published another post, but I think it was deleted or moved, so I am leaving a copy.
Recently I verified a bug in Flickr that allowed a malicious attacker to send unfiltered code to Blogger (Blogspot). I reported the incident and got a response from Flickr; the case is still pending at Blogger (Google). An excerpt of the email and a live PoC: http://www.youtube.com/watch?v=g1VliAjXVK4
Code:
We greatly appreciate the time that you've taken to help us keep Flickr a community that everyone can enjoy. We will review the URL(s) that you've provided regarding the XSS vulnerability. Please note that in some instances our actions may not be immediately apparent. Thank you again for contacting us. If you have any other questions, please feel free to reply to this email. Regards, Cris
In recent days the social networks, Facebook, Twitter, the so-called "web 2.0", have been getting compromised in various places http://apps.facebook.com/tvshowchat/show.php?id=1'? I don't want to go off topic; I thought it would be of interest. Thank you for your attention.
* Supported on Windows, Unix and Linux operating systems
* SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant
* SSL support
* Load automatically the parameters from a form or an IFrame on a web page (GET or POST)
* Detect and browse the framesets
* Option that auto detects the language of the web site
* Detect and add cookies used during the Load Page process (Set-Cookie detection)
* Find automatically the submit page(s) with its method (GET or POST) displayed in a different color
* Can create/modify/delete loaded string and cookies parameters directly in the Datagrids
* Single SQL injection
* Blind SQL injection
  - Comparison of true and false response of the page or results in the cookie
  - Time delay
* Response of the SQL injection in a customized browser
* Can view the HTML code source of the returned page in HTML contextual colors and search in it
* Fine tuning parameters and cookies injection
* Can parameterize the size of the length and count of the expected result to optimize the time taken by the application to execute the SQL injection
* Create/edit ASCII characters preset in order to optimize the blind SQL injection number of requests/speed
* Multithreading (configurable up to 50)
* Option to replace space by empty comments /**/ against IDS or filter detection
* Automatically encode special characters before sending them
* Automatically detect predefined SQL errors in the response page
* Automatically detect a predefined word or sentence in the response page
* Real time result
* Save and load sessions in an XML file
* Feature that automatically finds the differences between the response page of a positive answer with a negative one
* Can create a range list that will replace the variable (<<@>>) inside a blind SQL injection string and automatically play them for you
* Automatic replaying a variable range with a predefined list from a text file
* Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies)
* Two integrated tools: Hex and Char encoder and MS SQL @options interpreter
* Can edit the Referer
* Can choose a User-Agent (or even create one in the User-Agent XML file)
* Can configure the application with the settings window
* Support configurable proxies
A few days ago I downloaded the new version 1.2, and I find it a very useful tool; it comes with an add-on for Mozilla Firefox, which makes searches much easier. I thought it was a useful tool and wanted to share it; I hope I am not breaking the forum rules. Installer: https://sourceforge.net/project/showfiles.php?group_id=159131 Regards!