2 Visitor Messages

  1.
    Hi.....
    Garage4hackers Forum - SQL Injection Via XSS
    answer plz (^_^)
    TNX
About amolnaik4

Basic Information


Biography:
Full-Time Security Consultant, Part-Time Vulnerability Researcher
Location:
webr00t

Statistics

Total Posts: 269
Posts Per Day: 0.39

Visitor Messages
Total Messages: 2
Most Recent Message: 03-02-2012 12:42 PM

Total Thanks: 24
  • Thanked 180 Times in 100 Posts

General Information
Last Activity: 05-22-2013 07:07 PM
Join Date: 07-06-2011
Referrals: 2

Recent Entries

SQL Injection Via XSS

by amolnaik4 on 02-07-2012 at 12:19 AM
One of the G4H members, mandi, from Garage4hackers Forums (my second home) asked a few days ago about the xsssqli attack. He had a scenario where the main site has a cross-site scripting vulnerability and the admin panel has SQL injection. The page with the SQL injection in the admin panel is only accessible to the admin. The question was: is it possible to use the XSS on the main site to exploit the SQL injection in the admin panel and get the admin account pwned?

Here is my answer with the following scenario:


Updated 02-14-2012 at 01:05 PM by amolnaik4

Categories
Uncategorized

SQL Injection in INSERT Query

by amolnaik4 on 02-03-2012 at 09:53 AM
SQL injection is one of the most exploited issues in web application security and has had a place in the OWASP Top 10 since 2004. There are many blog posts and papers available on SELECT query injection exploiting WHERE or HAVING clauses. Today I'm going to discuss SQL injection in INSERT queries.

Here is a PDF of the same:
SQL Injection in INSERT Query.pdf

Any suggestions or comments are welcome.

Cheers,
AMol NAik

Updated 02-03-2012 at 10:10 AM by amolnaik4

Categories
Uncategorized

ClubHack 2011 preCON CTF walkthrough

by amolnaik4 on 12-21-2011 at 11:02 AM
This paper is based on the steps I executed to win the ClubHack 2011 preCON CTF challenge.

Hope you will like it.

ClubHack 2011, India's hacker conference, was held on 3-4 Feb 2011 in Pune, India. They had a pre-conference hacking competition called WEBWAR, whose winners could win free entry to the ClubHack event. The winners also qualified to play Treasure Hunt, a physical CTF at the ClubHack conference.

This post is a walkthrough of this preCON CTF challenge.


Updated 12-22-2011 at 09:35 AM by amolnaik4

Categories
Uncategorized

127 Likes

  1. dexter
    dexter liked post by amolnaik4 On thread : Road to Web Application Security
    Hello friends, here I'm posting the process I followed to learn web application security and I think this will help many newcomers who want to make their career in web application security....
    Liked On: 02-24-2013, 12:39 PM
  2. Inxroot
    Inxroot liked article by amolnaik4 On : SQL Injection Via XSS
    One of the G4H members, mandi, from Garage4hackers Forums (http://www.garage4hackers.com) (my second home) asked a few days ago about the xsssqli attack. He had a scenario where the main site is...
    Liked On: 02-22-2013, 11:10 PM
  3. 1.4m.1nd14n
    1.4m.1nd14n liked post by amolnaik4 On thread : Newbie from NYC
    Welcome to garage .... learn & share the knowledge :)
    Liked On: 01-25-2013, 04:40 PM
  4. fb1h2s
    fb1h2s liked post by amolnaik4 On thread : TRACE method
    @karthikp: there is an attack called Cross-Site Tracing (XST). You should read about this and find out if it is still applicable to modern browsers. I'm sure after reading about this attack and...
    Liked On: 12-25-2012, 02:16 PM
  5. d4rkpyth0n
    d4rkpyth0n liked post by amolnaik4 On thread : Road to Web Application Security
    Hey firesail, the Web Application Hacker's Handbook is a good start as well, but the book is more about testing web applications. It is necessary to have web development experience to become a good...
    Liked On: 12-13-2012, 04:39 AM
  6. prakhar
    prakhar liked post by amolnaik4 On thread : POST based CSRF attack against Web Applications that use JSON RPC
    You should check this; JSON Hijacking Demystified - SpiderLabs Anterior (http://blog.spiderlabs.com/2012/09/json-hijacking-demystified.html) AMol NAik
    Liked On: 12-11-2012, 06:46 PM
  7. d4rkpyth0n
    d4rkpyth0n liked post by amolnaik4 On thread : Flash XSS Cheat Sheet
    Flash XSS Cheat Sheet: http://demo.testfire.net/vulnerable.swf Amol NAik
    Liked On: 12-10-2012, 11:53 PM
  8. Mr.C1Ph3r
    Mr.C1Ph3r liked post by amolnaik4 On thread : POST based CSRF attack against Web Applications that use JSON RPC
    You should check this; JSON Hijacking Demystified - SpiderLabs Anterior (http://blog.spiderlabs.com/2012/09/json-hijacking-demystified.html) AMol NAik
    Liked On: 12-09-2012, 10:42 PM
  9. RahulB
    RahulB liked post by amolnaik4 On thread : Road to Web Application Security
    Hello friends, here I'm posting the process I followed to learn web application security and I think this will help many newcomers who want to make their career in web application security....
    Liked On: 12-08-2012, 11:02 PM
  10. Mr.C1Ph3r
    Mr.C1Ph3r liked post by amolnaik4 On thread : Road to Web Application Security
    Hello friends, here I'm posting the process I followed to learn web application security and I think this will help many newcomers who want to make their career in web application security....
    Liked On: 12-05-2012, 11:41 PM
  11. AnArKI
    AnArKI liked post by amolnaik4 On thread : My journey to OSCP
    Hello All, Here is the write-up for my OSCP experience: Secure Belief: My Journey to OSCP (http://amolnaik4.blogspot.com/2012/11/my-journey-to-oscp.html) AMol NAik
    Liked On: 12-03-2012, 02:59 PM
  12. pop3_zxcv
    pop3_zxcv liked post by amolnaik4 On thread : My journey to OSCP
    Hello All, Here is the write-up for my OSCP experience: Secure Belief: My Journey to OSCP (http://amolnaik4.blogspot.com/2012/11/my-journey-to-oscp.html) AMol NAik
    Liked On: 12-02-2012, 12:38 PM
  13. RahulB
    RahulB liked post by amolnaik4 On thread : My journey to OSCP
    Hello All, Here is the write-up for my OSCP experience: Secure Belief: My Journey to OSCP (http://amolnaik4.blogspot.com/2012/11/my-journey-to-oscp.html) AMol NAik
    Liked On: 11-22-2012, 01:17 PM
  14. fb1h2s
    fb1h2s liked post by amolnaik4 On thread : Breaking in to Security
    This is a nice presentation by @digininja at BSides London. All your questions are answered here. PPT: http://www.digininja.org/files/breaking_in_bsides_slides.pdf post: Breaking in to...
    Liked On: 11-02-2012, 11:21 AM
  15. prakhar
    prakhar liked post by amolnaik4 On thread : MySQL: Blind Injection steps - Manually
    While preparing for an upcoming presentation, I came across Blind SQL Injection. I found the following steps helpful and you might find them useful too. There are 2 types of Blind SQL Injections: 1. Normal...
    Liked On: 10-23-2012, 03:30 AM