Return Styles: Pseud0ch, Terminal, Valhalla, NES, Geocities, Blue Moon. Entire thread

Delicious injections

Name: Anonymous 2012-02-17 7:35

http://ishygddt.org/ is some shitty babby's first PHP + MySQL minisite, with more holes than a... I'm bad with metaphors.

* any value after / is passed directly to mysql_query without any quotes or escaping
* the query looks like "SELECT * FROM tsia_ishygddt.msgs WHERE id = $input"
* mysql_error() spits out HTML, so HTML injection works
* strip_tags is used on user output
* addslashes is used on query input, but of course this is completely useless as no single quotes were used around input in the query
* runs on a typical ubuntu/mysql/php setup

e.g. http://ishygddt.org/1 OR 1=1

Name: Anonymous 2012-02-17 7:36

U MENA http://ishygddt.org/1%20OR%201=1

Name: Anonymous 2012-02-17 7:37

Who are you quoting?

Name: sage 2012-02-17 8:13

Hey guy from other thread.

Name: Anonymous 2012-02-17 10:18

maybe because the code monkey didn't use mysql_real_escape_string_real_this_time()

Name: sage 2012-02-17 12:03

+_)(*&^#$@$*&()"LKJGH*(P><VCZXC<>http://www.cpcds/cpmUY)*#$FGH<MXCV
36yth"<script>"TRRHJYTK)(^%$#

Name: sage 2012-02-17 12:06

+_)(*&^#$@$*&()"LKJGH*(P><VCZXC<>http://www.cpcds/cpmUY)*#$FGH<MXCV
36yth"<script>"TRRHJYTKhttp://dis.4chan.org/derefer?id='354
68596805
)(^%$#

Name: sage 2012-02-17 12:08

+_)(*&^#$@$*&()"LKJGH*(P><VCZXC<>http://www.cpcds/cpmUY)*#$FGH<MXCV
36yth"<script>"TRRHJYTKhttp://dis.4chan.org/derefer?id='354
68596805<iframe>http://dis.4chan.org/derefer.php?url=%44%45</frame>;;
)(^%$#

Name: Anonymous 2012-02-17 12:25

INJECT MY ANUS
Newer Posts
Don't change these.
Name: Email:
Entire Thread Thread List
All trademarks and copyrights on this site are owned by their respective parties. All comments and posts are the responsibility of their own posters.
- Tinychan + 2ch Mode -