Re: Checking for SQL Injection

From: natron (natroninvisibledenizen.org)
Date: Tue Sep 02 2008 - 16:29:15 CDT


We can't tell based on the information you've posted. One thing we can
tell, however, is the password for the "u24comph" account you used to
authenticate to that application.

"Authorization: Basic" is a Base64-encoded representation of your
username:password pair, and is completely reversible.

FYI. :)

N

> On Mon, Sep 1, 2008 at 3:35 AM, GT GERONIMO, Frederick Joseph B.
> <fbgeronimoglobetel.com.ph> wrote:
>>
>> Hello,
>>
>> I ran a tool to verify if a website had SQL Injection. The tool detected
>> Blind SQL Injection vulnerability. I have pasted the request and
>> response below.
>>
>> Would you say that the tool's evaluation is accurate?
>>
>> Is there anything that the web application can be doing to make this a
>> false-positive?
>>
>> Thanks.
>>
>>
>> HTTP REQUEST
>> ============
>>
>> GET /prototype03/vulnerable.php?vid=zJrt&act=viewed&page=0.01 HTTP/1.0
>> Accept: */*
>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
>> Host: www.victim.com
>> Authorization: Basic dTI0Y29tcGg6PCEzIzw3PjlBQnVu
>> Cookie: PHPSESSID=b4499547c0c4f399ba649181d5e67f5c;vid11=6512bd43d9caa6e02c990b0a82652dca;vid2=c81e728d9d4c2f636f067f89cc14862c;vid4=a87ff679a2f3e71d9181a67b7542122c;vid8=c9f0f895fb98ab9159f51fd0297e236d;vid9=45c48cce2e2d7fbdea1afc51c7c6ad26;vid7=8f14e45fceea167a5a36dedd4bea2543
>> Connection: Close
>> Pragma: no-cache
>>
>>
>> HTTP RESPONSE
>> =============
>>
>> HTTP/1.1 200 OK
>> Date: Fri, 29 Aug 2008 10:00:08 GMT
>> Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
>> X-Powered-By: PHP/5.2.6
>> Expires: Thu, 19 Nov 1981 08:52:00 GMT
>> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>> Pragma: no-cache
>> Connection: close
>> Content-Type: text/html
>>
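The reply's point is that "Authorization: Basic" is just base64("user:password"), so a pasted request dump leaks the password. As an added example (not code from either poster), here is a small sanitizer that decodes a Basic token only far enough to recover the username, then redacts the credential and cookie values before a request is shared; the request dump and the token "alice:s3cr3t!" are constructed for the example.

```python
import base64
import re

# Constructed sample request dump (not the request from the thread);
# the Basic token is "alice:s3cr3t!" base64-encoded.
SAMPLE_REQUEST = (
    "GET /app/page.php?id=1 HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0IQ==\r\n"
    "Cookie: PHPSESSID=0123456789abcdef; pref=dark\r\n"
    "Connection: Close\r\n"
)

BASIC_RE = re.compile(r"^(Authorization:[ \t]*Basic[ \t]+)(\S+)", re.I | re.M)
COOKIE_RE = re.compile(r"^(Cookie:[ \t]*)(.+)$", re.I | re.M)


def basic_auth_user(token):
    """Decode a Basic token and return only the username.

    Basic auth is base64("user:password"), so the whole pair is recoverable;
    the password is decoded here but deliberately not returned or logged.
    Returns None if the token is not valid base64 or has no ':' separator.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, sep, _password = raw.partition(":")
    return user if sep else None


def redact_request(text):
    """Return a copy of an HTTP request dump that is safe to paste to a list."""
    def redact_basic(m):
        user = basic_auth_user(m.group(2)) or "unparseable"
        return f"{m.group(1)}<redacted: Basic credentials for user '{user}'>"

    def redact_cookie(m):
        # Keep cookie names so readers can still see what the app sets.
        return m.group(1) + re.sub(r"=[^;\s]*", "=<redacted>", m.group(2))

    text = BASIC_RE.sub(redact_basic, text)
    return COOKIE_RE.sub(redact_cookie, text)


if __name__ == "__main__":
    print(redact_request(SAMPLE_REQUEST))
```

Run the same function over a real capture before posting it, and the username survives for discussion while the password and session identifiers do not.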
