Messages - arcotenterprises

Hacking and Security / Client JS / SQLI - Worth Trying
« on: September 26, 2012, 04:00:37 AM »
Hello,

I am trying to figure out this particular login page.
There is client-side JS - salting and a character check before submission.
I believe SQLI may be possible.

Experienced members, please provide your inputs.
I tried a simple attempt to disable JS and log in,

however verify.asp says:
1. Suspected malicious characters in Password (it does not say so if put in the User ID field).
2. If quotes (other characters) are put in UserID and Password, then it returns an HTML page mentioning all fields must be filled - which probably is uid and pwd (two additional fields which have the username and password after the md5/salt).

Please see the attachments for better understanding.
Awaiting good replies and hopefully a solution soon.


URL of verify.asp - from another page which also has login provision:

verify.asp?uid=21232f297a57a5a743894a0e4a801fc3&pwd=962cc4e565cc3b14faae41e012e24b78&user=&pass=26201273637&go=Go
