> > query strings like: ?id=1+0 is enough on numerical values (as well as:
> > ?id=CONCAT('str','ing') on strings)
>
> You are fuc**** right! I never thought about that... hmmm. So what I
> could do is just:
>
> Original: ?id=1
> Fuzzed: ?id=1-1+1
Slightly disagreed. I often see applications where ?id=2 and ?id=3-1 work
(return the same result) but ?id=2+0 and ?id=1+1 fail.

As I've never seen the corresponding source code (whether from the web app
or the SQL), I assume that this is due to some kind of "integer check"
which allows negative numbers but not positive numbers prefixed with +,
maybe a regex like /^[0-9-]+$/

This is more surprising as 3-1 seems to be really computed at the end.
Which means that you have an injection, but limited, somehow ... {-:

Achim

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
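The arithmetic-equivalence probe the thread is discussing, written out as an added example (it is not w3af's own code and not from either poster). The target is simulated offline: an in-memory SQLite table behind a deliberately string-concatenated query, plus a hardened variant that casts the parameter to int, both reachable through a hypothetical endpoint http://shop.example/item?id=... with constructed sample rows. One caveat a practitioner should keep in mind when sending these payloads: in a query string a bare "+" is form-decoded to a space, so an unencoded ?id=2+0 reaches the application as "2 0" while ?id=3-1 arrives intact. The probe therefore percent-encodes payloads (%2B) and also includes a control payload that must change the response, so an endpoint that ignores the parameter is not reported as injectable. The encode=False path reproduces the unencoded behaviour so the two can be compared.

```python
"""Arithmetic-equivalence probe for numeric SQL injection (added example).

Not w3af code.  The target is simulated locally: an in-memory SQLite table
behind a deliberately vulnerable string-concatenated query, plus a hardened
variant that casts the parameter to int, so the probe runs offline.
"""
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit


def build_app(vulnerable):
    """Return a fake HTTP handler: url -> response body (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "apple"), (2, "pear"), (3, "plum")])

    def handle(url):
        # parse_qs applies form decoding: %2B -> '+', but a bare '+' -> ' '.
        # The simulated app only knows the "id" parameter.
        raw = parse_qs(urlsplit(url).query).get("id", [""])[0]
        try:
            if vulnerable:
                sql = f"SELECT name FROM items WHERE id = {raw}"  # injectable
                rows = conn.execute(sql).fetchall()
            else:
                rows = conn.execute("SELECT name FROM items WHERE id = ?",
                                    (int(raw),)).fetchall()
        except (sqlite3.Error, ValueError):
            return "error"
        return ",".join(r[0] for r in rows) or "no rows"

    return handle


def arithmetic_variants(value):
    """(payload, must_match_baseline) pairs for an integer parameter.

    The first three evaluate to `value` if the backend computes them; the
    last is a control that must change the response, so an endpoint that
    ignores the parameter entirely is not reported as injectable.
    """
    return [
        (f"{value}-1+1", True),
        (f"{value + 1}-1", True),
        (f"{value}+0", True),
        (f"{value}-1", False),
    ]


def probe(handle, base_url, param, value, encode=True):
    """Compare each variant's response with the baseline response.

    Returns (baseline_body, {payload: behaved_as_arithmetic_predicts}).
    encode=False sends '+' unencoded, so it is decoded as a space before it
    reaches the SQL and the '+' payloads break while 'n-1' still works.
    """
    baseline = handle(f"{base_url}?{urlencode({param: value})}")
    outcome = {}
    for payload, must_match in arithmetic_variants(value):
        query = urlencode({param: payload}) if encode else f"{param}={payload}"
        body = handle(f"{base_url}?{query}")
        outcome[payload] = (body == baseline) == must_match
    return baseline, outcome


def is_injectable(handle, base_url, param, value):
    """True only if every equivalent expression matched and the control did not."""
    _, outcome = probe(handle, base_url, param, value)
    return all(outcome.values())


if __name__ == "__main__":
    url = "http://shop.example/item"  # hypothetical endpoint
    for name, app in (("vulnerable", build_app(True)),
                      ("hardened", build_app(False))):
        print(name, "injectable:", is_injectable(app, url, "id", 2))
    _, raw = probe(build_app(True), url, "id", 2, encode=False)
    print("unencoded '+':", raw)
```

Against the vulnerable handler every encoded variant behaves as arithmetic predicts, so it is flagged; the hardened handler returns "error" for every expression and is not. With encode=False the same vulnerable handler shows only the subtraction payloads working, which is the pattern to check for before concluding that the backend is filtering "+".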