Hi genius of the year Sometimes when people argue over the definition of '0day', it is important to be clear. Although the bash script made it clear, I have never ever seen someone call 'user enumeration' an 'oracle attack'. Probably because this is 2012 and the Matrix hasn't just come out.
Sorry for not knowing non-industry terms used by 1% of the populous you hipster. Sent from my iPhone On 15 Nov 2012, at 03:45, "Nick FitzGerald" <[email protected]> wrote: > Benji wrote: > >> Oracle attacks? >> >> See into the future? >> Padding oracle attacks? >> Oracle SQL injections? > > You noobs... > > http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917 > > (Don't get too tied up in the crypto stuff in that article.) > > klondike's point is that simply monitoring the response of the "user X > wants to change their password" web-form tells you whether there is, in > fact, a user named "X" on the system. That's kinda obvious from the > bash script klondike provided, and I don't do bash... > > > > Regards, > > Nick FitzGerald > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
