http://is.gd/WRTShi that's us! :-)
-
@marcan42 congrats! buster bought you lots of flags. Was it padding oracle + sqli? I have the f*cking exploit coded but it was SLOOOOWWW :(
@esanfelix It was a simplified padding oracle (without the oracle part, really) + SQLi. Just 3 msgs to get all flags.
-
-
@marcan42 uhm i failed to see something then. Sqli on getcoloring, right? Do you flip bits and check output for SQL error, use that as fb? -
@esanfelix No need to flip bits, you can munge the auth to perform the sqli in one shot. We'll write an article :) - Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.