TL;DR: The goal of this project is to accumulate the secret keys / secret materials related to various web frameworks that are publicly available and potentially used by developers. These secrets will be utilized by the Blacklist3r tools to audit the target application and verify the usage of these pre-published
On a recent Pen Test project, we encountered a situation where the outbound traffic on the server was not allowed. Only ICMP (and DNS) traffic was allowed. In this blog post, Shyam discusses how we managed to exfiltrate the data over an ICMP tunnel. Just to set the scene, the
Here are my slides and video demonstrations which I presented at Defcon 17. Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm. There are 3 demos to go with the slides: Demo 1: Exploiting PL/SQL Injection from Web Applications. Demo 2: Exploiting SQL Injection in Oracle Applications with Bsqlbf. Demo 3: A proof
A new version of bsqlbf is now available. The following are the new additions: -type: Type of injection: 3: Type 3 is extracting data with DBA privileges (e.g. Oracle password hashes from sys.user$) 4: Type 4 is O.S code execution(default: ping 127.0.0.1) 5: Type 5 is Reading O.S files(default:
I finally managed to fix a few bugs and release a new version. Other than the bug fixing, the new version also supports blind SQL injection in the “order by” and “group by” clauses. There are currently a few issues with threaded Perl. I have tested this under Windows using ActivePerl. As