Everything, Everything

2024: J F M A M J J A S O N
2023: J F M A M J J A S O N D
2022: J F M A M J J A S O N D
2021: J F M A M J J A S O N D
2020: J F M A M J J A S O N D
2019: J F M A M J J A S O N D
2018: J F M A M J J A S O N D
2017: J F M A M J J A S O N D
2016: J F M A M J J A S O N D
2015: J F M A M J J A S O N D
2014: J F M A M J J A S O N D
2013: J F M A M J J A S O N D
2012: J F M A M J J A S O N D
2011: J F M A M J J A S O N D
2010: J F M A M J J A S O N D
2009: J F M A M J J A S O N D
2008: J F M A M J J A S O N D
2007: J F M A M J J A S O N D
2006: J F M A M J J A S O N D
2005: J F M A M J J A S O N D
2004: J F M A M J J A S O N D
February 2016
Using Burp Session Handling With Sqlmap
Thursday 25th February, 2016 16:28
Earlier this month, I used Burp's Session Handling Rules to get around an anti-CSRF token in order to get sqlmap working. Sqlmap does have native support for anti-CSRF tokens, but when the parameter it needs to update is part of a multipart form it appears that sqlmap fails to find the parameter that will be updated and it just gives up with an error message.

By configuring sqlmap to use Burp's proxy, and configuring a session handling rule in Burp to acquire and update the token, sqlmap doesn't even need to know about the CSRF protection. I stumbled across the idea based on this article.

It turns out that none of the fields were vulnerable to SQL injection (which I sort of knew from manual testing), but it was an interesting challenge.
@RobNicholls81
Wednesday 24th February, 2016 21:38
These 6 albums were released almost two decades ago and yet I've already listened to tracks from 5 of them in 2016. https://t.co/aZQUTfNp3X
@RobNicholls81
Friday 19th February, 2016 18:51
Heard extra instruments in the background of Zero 7's Out Of Town. I do love my new headphones.
List Of .NET Framework Versions
Tuesday 16th February, 2016 13:57
I was looking for this the other day and discovered that it had been removed from Wikipedia. Thankfully Jonathan Parker took the time to grab the information from the way back machine so it's not lost forever. It's probably getting out of date now, but it's better than having nothing.
Windows Server 2012 R2 SSTP VPN
Sunday 14th February, 2016 20:56
I tried following a couple of guides on how to setup VPN access using Windows Server 2012 R2. The first guide for PPTP was going well until I logged into the new Azure portal and tried to add the necessary endpoints - you can only add TCP and UDP ports; you can't add protocols! I switched to using SSTP, which means exposing HTTPS with IIS, and got a lot further. I temporarily installed the self-signed certificate as a trusted root certificate on my computer, otherwise Windows 10 complains about it (and Windows won't let you ignore any certificate errors). I initially tried using the default DHCP setting for IPv4 assignment but it seemed happier with a static pool.

Then I realised that nothing was being routed. It turns out neither of the two guides I'd looked at covered installing Routing and enabling NAT on a public interface so that I can use the VPN connection to talk to other hosts on the Internet, which was the point of my little exercise. After adding the extra role and following the second step in a TechNet article, things appear to be working. If I try and access Netflix or Yahoo it thinks I'm in another part of Western Europe. Presumably if I spin up another Azure VM in America I could make them think I'm based there (although they release shows like Better Call Saul, House of Cards, and Love at the same time as the UK so I'm not too concerned). Bandwidth isn't too expensive either, with Tier 1 costing about £5 for 100GB of traffic.
@RobNicholls81
Sunday 14th February, 2016 13:53
YES! F**KING YES! :D #AFC
@RobNicholls81
Sunday 14th February, 2016 13:31
Wow, Drinkwater probably should be off the pitch for that awful foul on Ramsey.
@RobNicholls81
Sunday 14th February, 2016 13:30
Giroud's flick gives Walcott the chance to score without over thinking. Thankfully he does, with our first shot on target.
@RobNicholls81
Sunday 14th February, 2016 12:50
Monreal's leg might have been slightly out, but Vardy ran into him instead of following the ball. Will Arsenal finish with 11 men?
@RobNicholls81
Monday 8th February, 2016 21:27
They're making another Bourne movie with Matt Damon! https://t.co/iaoffMmkZh
@RobNicholls81
Monday 8th February, 2016 18:45
No ticket restrictions today. Also, there are no trains. Okay, maybe a few. You'll all fit on if you squeeze in tight.
@RobNicholls81
Thursday 4th February, 2016 18:36
Mozilla to end development on Firefox OS for smartphones after the version 2.6 release. Not too surprising. https://t.co/i5gJF3rE2N
© Robert Nicholls 2002-2024
The views and opinions expressed on this site do not represent the views of my employer.
HTML5 / CSS3